JWT validation in a micro-services architecture and public key publishing


We are refactoring our web app system to a micro-services architecture.
We decided to authenticate our users with JWT and save some authorization data in it. For example, from the payload of the token one can infer if the user can access a certain resource.

We consider two options:

  1. Each micro-service will ask the signing service (API gateway for instance) if the token is valid.
  2. Every micro-service will hold the public key and validate the token itself.

In the case of managing public keys, how could the gateway service publish its public key to all the other micro-services?

There seems to be a lot of information out there about how to design the system, but not about how to actually implement those things.


I would advise against option 1 as it adds a lot of unnecessary burden on the signing service.

The signing service can share its public key. The services that need that key can simply fetch it on startup and use it to validate JWTs. That being said, you need to make sure that the signing service is who it says it is, for instance by using HTTPS.
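As an added example that is not part of the original question or answer, the following Go program models option 2 end to end: the signing service publishes its P-256 public key as a JWKS document (the RFC 7517 format most JWT libraries consume, typically served over TLS at a well-known URL), each microservice loads that document once at startup, and every token is then validated locally with no call back to the signer. The validator pins the algorithm, looks the key up by `kid`, checks the signature before reading any claims, and then checks `exp` and `aud`, so a tampered payload, an `alg: none` header, a token from an unpublished key, an expired token or a token for another service are all rejected. The key id `gw-2024-05`, the audience names and the claims are constructed for this example, and the key pair is generated in-process where a real signer would keep it in a KMS or HSM; only the Go standard library is used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JWT and JWK use base64url without padding

// PublishJWKS builds the RFC 7517 document the signer serves over TLS (e.g. at /.well-known/jwks.json).
// Only the public coordinates are included; the private scalar never leaves the signing service.
func PublishJWKS(kid string, pub *ecdsa.PublicKey) ([]byte, error) {
	key := map[string]string{"kty": "EC", "crv": "P-256", "alg": "ES256", "kid": kid,
		"x": b64.EncodeToString(pub.X.FillBytes(make([]byte, 32))),
		"y": b64.EncodeToString(pub.Y.FillBytes(make([]byte, 32)))}
	return json.Marshal(map[string]any{"keys": []map[string]string{key}})
}

// Sign issues an ES256 JWT; kid in the header lets validators pick the matching published key.
func Sign(priv *ecdsa.PrivateKey, kid string, claims map[string]any) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims) // claims are built by the signer itself
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	h := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, h[:])
	if err != nil {
		return "", err
	}
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...) // JWS form: r||s
	return input + "." + b64.EncodeToString(sig), nil
}

// KeySet is a microservice's in-memory copy of the JWKS, indexed by kid. LoadJWKS is called at
// startup and again when a token carries an unknown kid, so the signer can rotate keys freely.
type KeySet map[string]*ecdsa.PublicKey

func LoadJWKS(doc []byte) (KeySet, error) {
	var set struct{ Keys []map[string]string }
	if err := json.Unmarshal(doc, &set); err != nil {
		return nil, err
	}
	ks := KeySet{}
	for _, k := range set.Keys {
		if k["kty"] != "EC" || k["crv"] != "P-256" {
			continue // skip key types this service does not accept
		}
		x, errX := b64.DecodeString(k["x"])
		y, errY := b64.DecodeString(k["y"])
		if errX != nil || errY != nil || len(x) != 32 || len(y) != 32 {
			return nil, errors.New("jwks: bad coordinate encoding")
		}
		ks[k["kid"]] = &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}
	}
	return ks, nil
}

// Verify validates a token locally: pinned alg, known kid, valid signature, then exp and aud.
func (ks KeySet) Verify(token, audience string, now time.Time) (map[string]any, error) {
	parts := strings.Split(token, ".")
	var hdr struct{ Alg, Kid string }
	raw, err := b64.DecodeString(parts[0])
	if len(parts) != 3 || err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "ES256" {
		return nil, errors.New("jwt: malformed header or unexpected alg") // never let the token pick the algorithm
	}
	pub, ok := ks[hdr.Kid]
	if !ok {
		return nil, errors.New("jwt: unknown kid")
	}
	sig, err := b64.DecodeString(parts[2])
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || len(sig) != 64 || !ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("jwt: signature invalid")
	}
	var claims map[string]any // only decoded after the signature is known to be good
	if body, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(body, &claims) != nil {
		return nil, errors.New("jwt: bad payload")
	}
	if exp, _ := claims["exp"].(float64); exp == 0 || !now.Before(time.Unix(int64(exp), 0)) || claims["aud"] != audience {
		return nil, errors.New("jwt: expired or wrong audience")
	}
	return claims, nil
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // the signer's key; keep it in a KMS or HSM in production
	doc, _ := PublishJWKS("gw-2024-05", &priv.PublicKey)       // served by the signer
	ks, _ := LoadJWKS(doc)                                     // fetched once by each microservice
	tok, _ := Sign(priv, "gw-2024-05", map[string]any{"sub": "alice", "aud": "orders", "role": "admin", "exp": time.Now().Add(time.Hour).Unix()})
	claims, err := ks.Verify(tok, "orders", time.Now())
	fmt.Printf("%s\n%v %v\n", doc, claims, err)
}
```

Two points the answer's "use HTTPS" advice leads to in practice: the JWKS fetch is the only place the validator trusts the network, so it should go to a fixed URL over TLS with certificate verification on, and the parsed keys should be cached and refreshed on a timer or on an unknown `kid` rather than fetched per request, otherwise option 2 quietly turns back into option 1.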