6

So let's say I have 2 microservices:

1) A serverless / lambda function, triggered by some hardware event

2) A websocket server, to handle some data

I want to ensure that only authenticated connections can connect to the websocket server. But the lambda function has no identifying data to authenticate itself with.

I'm considering creating a JWT on the lambda function, with a secret key (and a short expiration), and using that to auth with the websocket server.

The websocket server will also know this secret key, and can verify the token before it allows the connection.

So my question: Should I be doing this for identity-free server-to-server auth, provided I am keeping my secret safe?

Horse
  • 163
  • 4

1 Answer

1

What you want to achieve is authenticated machine-to-machine communication between the Lambda function and the websocket server.

There are different mechanisms to achieve that. Using a JWT token is one possibility, but there are even easier approaches, if you want to keep it as simple as possible.

Based on your question, you want your authentication based on a pre-shared secret scheme. The simplest solution would be using basic auth (or something equivalent, if you are not using HTTPS as your transport protocol). Whatever protocol you are using, make sure it is encrypted, otherwise your secret may leak.

The websocket server will first evaluate the basic auth credentials and decide if the sender is valid and the request gets processed further. The credentials can be as simple as a sufficiently long random string (e.g. 128 bit).

If there's no additional value for you in using JWTs (e.g. you want to limit the lifetime of the token or transport additional information in the body of the token), I would recommend keeping it as simple as possible, as complexity may introduce hidden risks and vulnerabilities.

Demento
  • 7,249
  • 5
  • 36
  • 45
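Both options discussed above, as an added Python example (not code from the question or the answer): the answer's single pre-shared random credential checked in constant time, and the question's HS256 JWT with a shared key and short expiry, built with only the standard library so the verification steps are visible. The issuer name `hw-lambda`, the 60-second lifetime and the test key are assumptions.

```python
import base64, hashlib, hmac, json, secrets, time
from typing import Optional

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

# Option 1 (the answer's suggestion): one pre-shared random credential.
# Generated once and placed in both services' secret stores; constructed here for the demo.
PRESHARED_SECRET = secrets.token_urlsafe(16)  # 16 bytes = 128 bits of randomness

def check_preshared(presented: str, expected: str = PRESHARED_SECRET) -> bool:
    # Constant-time comparison: the check must not leak how many bytes matched.
    return hmac.compare_digest(presented.encode(), expected.encode())

# Option 2 (the question's proposal): HS256 JWT signed with the shared key, short expiry.
def make_jwt(key: bytes, ttl_seconds: int = 60, now: Optional[int] = None) -> str:
    now = int(time.time()) if now is None else now
    compact = {"separators": (",", ":")}
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, **compact).encode())
    payload = _b64url(json.dumps({"iss": "hw-lambda", "iat": now, "exp": now + ttl_seconds}, **compact).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_jwt(token: str, key: bytes, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if the token is valid, else None. The server, not the token, fixes the algorithm."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None  # signature check happens before any claim is trusted
        claims = json.loads(_b64url_decode(payload_b64))
        if claims.get("iss") != "hw-lambda" or now >= int(claims["exp"]):
            return None  # wrong issuer or the short lifetime has elapsed
        return claims
    except (ValueError, KeyError, TypeError):
        return None
```

Whichever option is used, the websocket server should run the check before accepting the upgrade, and the secret only stays secret if the transport is encrypted, as the answer notes.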