I have various microservices. I have implemented security using JWT. Each service validates the JWT with a key that is shared across all the services.
Is it fine to share the same signature key for JWT across all the microservices?
I can't implement this at the API gateway, as I have to use certain libraries which require Spring Security to be triggered in every microservice.
Yes, you will need to share a key in order for JWT to function securely/correctly.
What I would recommend is using a public/private key signing method and pass-by-value JWTs. This then means you get a private signing key, which only your gateway needs to know, and a public verification key.
You can then distribute your verification key to all your microservices. This can either be something you do via deployment, or your microservices can use some kind of refresh cycle and publish your signing key along with the gateway. The former is more secure, the latter better at self-healing.
This might be useful: JWK.
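The split the answer describes, as an added example that is not part of the original question or answer: the gateway alone holds an ES256 (P-256) private key, publishes only the public half as a JWK set, and each microservice verifies tokens against that set. It uses nothing but the Go standard library; the `kid` value, the claim names and the in-memory "publication" of the JWKS (in practice served over HTTPS or shipped at deployment time) are assumptions for the illustration. The verifier pins the algorithm instead of trusting the token's `alg` header, which is what keeps a token built with a different key type from being accepted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// JWS uses unpadded base64url for every segment.
var b64 = base64.RawURLEncoding

// JWK holds the RFC 7517 fields needed to publish one P-256 verification key.
type JWK struct {
	Kty, Crv, Kid, Use, X, Y string
}

type JWKS struct{ Keys []JWK }

// Gateway owns the private signing key; nothing outside this struct ever sees it.
type Gateway struct {
	kid  string
	priv *ecdsa.PrivateKey
}

func NewGateway(kid string) (*Gateway, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Gateway{kid: kid, priv: priv}, nil
}

// PublicJWKS is what the gateway distributes to the services: public coordinates only.
func (g *Gateway) PublicJWKS() JWKS {
	pub := g.priv.PublicKey
	return JWKS{Keys: []JWK{{Kty: "EC", Crv: "P-256", Kid: g.kid, Use: "sig",
		X: b64.EncodeToString(pub.X.FillBytes(make([]byte, 32))),
		Y: b64.EncodeToString(pub.Y.FillBytes(make([]byte, 32)))}}}
}

// Sign mints an ES256 JWT carrying the given claims (the gateway's job).
func (g *Gateway) Sign(claims map[string]any) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT", "kid": g.kid})
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	input := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, g.priv, digest[:])
	if err != nil {
		return "", err
	}
	// JWS encodes an ES256 signature as R||S, each left-padded to 32 bytes (not DER).
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return input + "." + b64.EncodeToString(sig), nil
}

// Verify is what every microservice runs; it needs only the published JWKS.
func Verify(jwks JWKS, token string, now time.Time) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrJSON, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct{ Alg, Kid string }
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil {
		return nil, err
	}
	// Pin the algorithm here; never let the token's own header select it.
	if hdr.Alg != "ES256" {
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	var key *JWK
	for i := range jwks.Keys {
		if k := &jwks.Keys[i]; k.Kid == hdr.Kid && k.Kty == "EC" && k.Crv == "P-256" {
			key = k
		}
	}
	if key == nil {
		return nil, fmt.Errorf("unknown kid %q", hdr.Kid)
	}
	xb, errX := b64.DecodeString(key.X)
	yb, errY := b64.DecodeString(key.Y)
	sig, errS := b64.DecodeString(parts[2])
	if errX != nil || errY != nil || errS != nil || len(sig) != 64 {
		return nil, errors.New("bad key or signature encoding")
	}
	pub := ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(xb), Y: new(big.Int).SetBytes(yb)}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(&pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("signature invalid")
	}
	payload, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]any
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, err
	}
	// Signature alone is not enough: the claims still have to be checked.
	if exp, ok := claims["exp"].(float64); !ok || now.Unix() >= int64(exp) {
		return nil, errors.New("token expired or missing exp")
	}
	return claims, nil
}

func main() {
	gw, _ := NewGateway("2024-01")
	tok, _ := gw.Sign(map[string]any{"sub": "alice", "exp": time.Now().Add(time.Hour).Unix()})
	claims, err := Verify(gw.PublicJWKS(), tok, time.Now()) // a service holding only the JWKS
	fmt.Println(claims, err)
}
```

Rotating the key is then a matter of publishing a new JWK under a new `kid` next to the old one, which is the self-healing refresh cycle the answer mentions; a service that only has the JWKS can verify but can never mint tokens, so compromising one microservice does not hand the attacker a signing key.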