I'm trying to figure out how to manage authorization in a microservice environment.
This is my hypothetical scenario.
I have a service which provides authentication (using devise gem) and authorization via oauth2 (using doorkeeper gem). Once logged in, the service returns a JWT token to the user.
Now let's suppose I have two API servers. The user must provide the JWT token to these API servers in order to access private resources.
Is it ok to share the JWT secret key I used to sign JWT token with my two API servers so they can decode the token and verify its validity? Or should my API servers forward the JWT token to the authorization service and ask it to verify it?
Pros of sharing JWT secret key with API servers:
Cons of sharing JWT secret key with API servers:
I am stuck. I don't even know if there is a third solution I didn't consider :)
Thanks!
You can use a PKI signing/verification system. In this approach, your authorization service will sign the JWT using a private key and all the consuming services will need the public key to use the JWT. The public key can be distributed easily - maybe through a config server if you have that in your architecture. Even if someone breaks into one of your services, they will only have a public key and not the private key.
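As an added illustration of the asymmetric approach described in this answer (this is example code, not from the original post or from the devise/doorkeeper gems), the following Ruby script uses only the standard library's OpenSSL and JSON to build and check an RS256 JWT by hand. The key pair, the claim values and the function names (`issue_jwt`, `verify_jwt`, `token_status`) are all constructed for this example. The authorization service is the only holder of the private key; the API servers get a PEM copy of the public key, which is enough to verify tokens but never enough to mint them, so a key signed by anyone else, a tampered payload, or an expired token is rejected.

```ruby
require 'openssl'
require 'json'

# Constructed key material for the example. In a real deployment the private
# key stays on the authorization service and only the public PEM is shipped
# to the API servers (e.g. via a config server).
AUTH_SERVICE_PRIVATE_KEY = OpenSSL::PKey::RSA.new(2048)
AUTH_SERVICE_PUBLIC_KEY  = OpenSSL::PKey::RSA.new(AUTH_SERVICE_PRIVATE_KEY.public_key.to_pem)

# JWT uses unpadded base64url; 'm0' is strict base64 without line breaks.
def b64url(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(str)
  padded = str.tr('-_', '+/')
  padded += '=' * ((4 - padded.length % 4) % 4)
  padded.unpack1('m0')
end

# Authorization service side: RS256 = RSA PKCS#1 v1.5 signature over SHA-256
# of "<base64url(header)>.<base64url(payload)>".
def issue_jwt(claims, private_key)
  header = { alg: 'RS256', typ: 'JWT' }
  signing_input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(claims))}"
  signature = private_key.sign(OpenSSL::Digest.new('SHA256'), signing_input)
  "#{signing_input}.#{b64url(signature)}"
end

class InvalidToken < StandardError
  attr_reader :reason
  def initialize(reason)
    @reason = reason
    super(reason.to_s)
  end
end

# API server side: needs only the public key. Returns the verified claims or
# raises InvalidToken with a machine-readable reason.
def verify_jwt(token, public_key, now: Time.now.to_i)
  parts = token.split('.')
  raise InvalidToken, :malformed unless parts.length == 3
  header_b64, payload_b64, sig_b64 = parts
  header = JSON.parse(b64url_decode(header_b64))
  # Pin the algorithm we expect instead of letting the token's header choose it.
  raise InvalidToken, :unexpected_alg unless header['alg'] == 'RS256'
  signing_input = "#{header_b64}.#{payload_b64}"
  valid = begin
    public_key.verify(OpenSSL::Digest.new('SHA256'), b64url_decode(sig_b64), signing_input)
  rescue OpenSSL::PKey::PKeyError
    false
  end
  raise InvalidToken, :bad_signature unless valid
  claims = JSON.parse(b64url_decode(payload_b64))
  raise InvalidToken, :expired if claims['exp'] && claims['exp'] <= now
  claims
end

# Convenience wrapper: :ok or the rejection reason, without raising.
def token_status(token, public_key, now: Time.now.to_i)
  verify_jwt(token, public_key, now: now)
  :ok
rescue InvalidToken => e
  e.reason
end

if __FILE__ == $PROGRAM_NAME
  token = issue_jwt({ 'sub' => 'user-42', 'scope' => 'read', 'exp' => Time.now.to_i + 300 },
                    AUTH_SERVICE_PRIVATE_KEY)
  puts "API server verified claims: #{verify_jwt(token, AUTH_SERVICE_PUBLIC_KEY)}"
  # A party holding only the public key cannot produce a token this server accepts.
  other_key = OpenSSL::PKey::RSA.new(2048)
  puts "token from another key: #{token_status(issue_jwt({ 'sub' => 'x' }, other_key), AUTH_SERVICE_PUBLIC_KEY)}"
end
```

Because the API servers hold no signing secret, compromising one of them does not let an attacker issue tokens for the others, which is the property the answer is describing; the same check would be performed by the `jwt` gem with `JWT.decode(token, public_key, true, algorithm: 'RS256')` if you prefer a library.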