Question Details

No question body available.

Tags

java microservices security authentication spring

Answers (2)

Accepted Answer Available
Accepted Answer
April 3, 2025 Score: 3 Rep: 79,397 Quality: Expert Completeness: 30%

Is this a valid approach?

Yes, what you propose is a valid approach. Because authorization data is encoded into the JWT, decentralized authorization checks is a use-case that JWTs are specifically designed for.

What are the potential pitfalls or improvements I should consider?

One thing to consider is that the decentralized checking makes it impossible to revoke individual tokens before their expiry. This can be a major problem or of no consequence at all, but you have to take it into account. Especially when deciding on the lifetime of a token.

Another thing to consider is that even when a human user will never directly access a micro-service, you might want to use the end-user's JWT when the gateway makes a request on behalf of the user or if two micro-services communicate in the context of such a request. The reasoning here is that the permissions that are active might depend on who initiated the request.

Micro-service A might respond differently if it gets a request from an automated process (e.g. service B) or from a non-privileged user (by way of the gateway service) or from a user with administrative rights (by way of the gateway service).

April 3, 2025 Score: 1 Rep: 140,596 Quality: Medium Completeness: 30%

One potential drawback of this approach is that when there is a security patch in the library that handles JWT tokens, you have to update each and every service on each and every server.

For a simple application, that may not be an issue. For a large application with dozens or hundreds of interdependent services, this could quickly become quite a burden.

If, additionally, the different services use different programming languages, you may have an additional organizational nightmare. If the libraries in those respective languages are patched at different dates, system administrators might have to scratch their heads, trying to understand what exactly should be updated when.

Add to this that the patch could have to be applied to both the service and the client (such as with the support of successive TLS versions). Now you have a gargantuan task of determining the exact correct order in which you have to update things. Or a circular dependency that is impossible to solve. Say service A, in Java, uses service B, in Ruby, which in turn uses service C, in Java. Ruby's gem that deals with JWT gets patched the next day the exploit is made public, but there is no news from Maven library. What do you do?