I have a scenario like this. I have two microservices like A and B.
A is responsible for login and creating a JWT. When creating this JWT we generate a session and store it in Redis, and this session ID is injected into the JWT payload.
B is responsible for validating the JWT, getting the session ID from the JWT and validating it as well.
In service B, how do I fetch the session to validate it? Or is there a best way to do this?
I am building an application using microservice architecture. I am using Eureka for service discovery with Spring Cloud Gateway for request routing. For the authentication mechanism I am issuing JWT tokens (in the auth service). What is the best practice when it comes to propagating Authentication so I can get logged user information in each service which is behind the gateway?
So far I've come up with/found a couple of possible solutions:
In the gateway add headers for the relevant user information, and in each service create a filter which would take said headers, create an Authentication object and store it in the SecurityContextHolder. The downside of this approach is I can't just plug and play services outside my application.
Pass the token coming from the client through the gateway to each service, where I would have a JWTFilter which would validate the token and extract the user information. The downside I see with this approach is I have to have the JWT secret shared between each service or stored on each service, and I would have to implement the JWT logic, producing duplicate code.
The final solution is having something like an OAuth token introspection endpoint in the auth service which would be called from each service (filter) once the request reaches it.
I implemented the filter logic for validating the user token in the gateway service, but I would like to use role based authorization on each endpoint (service) differently (i.e. the user service has an endpoint for creating users (ADMIN), and one for fetching user information (ANY ROLE)).
I opted for something like your option 2 and used spring-boot to configure a JWT decoder from an OIDC authorization-server (Keycloak).
Configuring OpenID resource-servers is super easy (more options in parent folder), and the authorization-server JWT public signing key is retrieved automatically by the Spring JWT decoder.
All that is required is ensuring that the Authorization header with the JWT bearer is correctly propagated between services.
Looking for suggestions on how to go about with microservices authorisation.
I'm using Spring/Spring Boot for all the microservices.
I'm able to authenticate via Spring Cloud Gateway before reaching the actual microservices using JWT tokens; however, when it comes to authorisation I'm unsure how to do it.
I would like to handle the authorisation internally for each of the endpoints in the business microservice.
Is there a way to pass the JWT token to the microservice, or do I need to call the auth server to get the roles of the user?
Actually, both work.
You can put the roles in the token, when you need it, decode it. Or decode it in the gateway and pass it all the way.
If you don't want to put too much data in the token, you can call the auth server as needed.
In my app I'm using Spring Session (with Redis). Now I need to add CSRF prevention.
I have to handle the frontend app + clients over REST.
If my understanding is correct, without the use of Spring Security etc., on login I need to create a token, store it in Redis associated with the session ID and return it to the client (as a header, for example).
And then on every request I need to check that the token passed in the header is correct, to prevent CSRF?
I am working on a module where we need to register the different applications consuming our services as clients and assign them a unique client ID and client secret.
I need to generate JWT tokens when the client ID and client secret are valid.
I am not aware of how to proceed with it, so I need your suggestions on the same.
I want to destroy a JWT token from a Spring Boot application.
The architecture is the following:
front-end: React
back-end: Spring Boot
I have to implement a logout function. I developed the logout function in the front-end and it removes the JWT token from the Redux storage, but if I take the same JWT token from before it was removed from the front-end Redux storage, I can use that token from Postman and access the secured REST endpoints.
How do I remove the JWT in the Spring Boot back-end?
Technically, as your application is stateless, your Spring Boot app won't know when your client logs out because it never keeps track of all the tokens it has issued/generated. (That's why it's called stateless :D)
The best practice here is to keep your JWT expiry short. This way it becomes expired before someone tries to reuse the token.
To make the user journey seamless, you can refresh the JWT token in the background to make sure the user always stays logged in.
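An added example (not code from any of the posts above, and plain Python rather than the Spring stack the askers use) that ties together the Redis-backed session question at the top, the "put the roles in the token" answer, and the stateless-logout answer just above: service A mints a short-lived HS256 JWT whose payload carries the session ID and the user's roles, service B verifies the signature and expiry and then looks the session ID up in the store, and logout deletes the session so an otherwise valid token is rejected before it expires. The shared secret, the in-memory dict standing in for Redis, the TTL value and all function names are assumptions made for the demo.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed demo secret (assumption). In a deployment this is shared between the
# issuing service A and every validating service B, or replaced by an asymmetric key.
SECRET = b"demo-shared-secret-not-for-production"
TOKEN_TTL_SECONDS = 300  # short expiry, as the answer above recommends

# In-memory dict standing in for the Redis session store the question describes.
# Key: session id -> session record. With Redis you would SET with an EXPIRE.
SESSIONS: dict = {}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: bytes) -> str:
    return _b64url(hmac.new(SECRET, signing_input, hashlib.sha256).digest())


# ---- service A: login and logout ----
def login(user: str, roles: list, now: Optional[float] = None) -> str:
    """Create a session in the store and mint a JWT carrying its id ("sid")."""
    now = time.time() if now is None else now
    sid = secrets.token_hex(16)  # opaque, unguessable session id
    SESSIONS[sid] = {"user": user, "roles": list(roles),
                     "expires": now + TOKEN_TTL_SECONDS}
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user, "sid": sid, "roles": list(roles),
               "iat": int(now), "exp": int(now) + TOKEN_TTL_SECONDS}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." +
                     _b64url(json.dumps(payload, separators=(",", ":")).encode())).encode()
    return signing_input.decode() + "." + _sign(signing_input)


def logout(token: str, now: Optional[float] = None) -> bool:
    """Server-side logout: verify the token, then delete its session. The token
    still verifies cryptographically afterwards, but validate() rejects it."""
    ctx = validate(token, now)
    if ctx is None:
        return False
    SESSIONS.pop(ctx["sid"], None)
    return True


# ---- service B: validation and authorization ----
def validate(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return a request context if signature, expiry and live session all check out."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
    except ValueError:
        return None
    signing_input = f"{h}.{p}".encode()
    # Check the signature before trusting anything in the header or payload.
    if not hmac.compare_digest(_sign(signing_input), s):
        return None
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # refuse algorithm confusion ("none", RS256, ...)
        return None
    payload = json.loads(_b64url_decode(p))
    if payload.get("exp", 0) <= now:
        return None
    # The session lookup is what makes logout effective before the token expires.
    session = SESSIONS.get(payload.get("sid"))
    if session is None or session["user"] != payload.get("sub"):
        return None
    # Roles come from the token here (no auth-server round trip); reading them from
    # the session record instead would make role changes take effect immediately.
    return {"user": payload["sub"], "roles": payload["roles"], "sid": payload["sid"]}


def has_role(ctx: Optional[dict], role: str) -> bool:
    """Per-endpoint check a business service would apply (e.g. ADMIN for user creation)."""
    return ctx is not None and role in ctx["roles"]


if __name__ == "__main__":
    t0 = 1_700_000_000
    tok = login("alice", ["ADMIN"], now=t0)
    print("valid:", validate(tok, now=t0 + 10) is not None)
    print("logged out:", logout(tok, now=t0 + 10))
    print("valid after logout:", validate(tok, now=t0 + 10) is not None)
```

Service B needs read access to the same session store (or an introspection call to A, the third option discussed above); what it must not do is trust the `sid` or `roles` claims before the signature check has passed.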