 

What if token is expired between services?

I've been reading up on communication between services/microservices.

The API Gateway authenticates the request and passes an access token (e.g. JSON Web Token) that securely identifies the requestor in each request to the services. A service can include the access token in requests it makes to other services.

via http://microservices.io

And I'm passing the access token of a user to downstream services, so it looks more or less like this:


But what if a token is expired between microservices?

There are plenty of ways to solve this problem; these seem reasonable:

  • Validate the user's access token and create a short-lived JWT in the API Gateway (a kind of internal token)

  • Each microservice validates the JWT and generates its own JWT to communicate with other microservices according to scope rules


So we would have an Auth service to validate or request tokens.

The question is:

In order to be sure that the token will not expire during its journey through the services, we can just make a check in the API Gateway layer: if a token expires within n (~1) minutes, reject it, so the user has to use the refresh token to obtain a new access token. It means the token will always be valid for the time necessary to complete the request. What are the pros and cons of this approach?

Igor asked Apr 04 '18 09:04


1 Answer

I have the same question, so Google led me here. I hope it's not too late to respond to this question after half a year.

I can't say this is an "Answer", but I hope my idea may inspire someone. So it's a kind of "idea sharing".

I think there are two ways to deal with this issue:

  1. If the token will expire in 10 minutes, refresh it at 6 minutes (just an example). So make sure the situation you described will never happen by adjusting the expiry time and the refresh time.

  2. Another way is to adjust the system architecture. Split APIs into internal and external. All external tokens will be checked at the API Gateway, and then there is no token within the internal services.

I think we have a lot of methods to avoid the issue mentioned in this question. Based on the particular project requirements, we should consider using different security designs. So there is no "silver bullet".

Lang answered Sep 28 '22 12:09
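The gateway check proposed in the question (reject a user token that will expire within n minutes, then mint a short-lived internal token for the downstream hops) and the answer's first idea (renew well before expiry) both come down to one rule: a token is only accepted if its remaining lifetime covers the work it has to do. The following is an added example written for this page, not code from the question, the answer or microservices.io. It is a stdlib-only Python sketch of that rule at an API Gateway and assumes HS256-signed JWTs with `sub`, `exp` and a space-separated `scope` claim, plus two illustrative keys (`USER_KEY`, shared with the auth service that issued the user token, and `INTERNAL_KEY`, known only to the gateway and the services). All names, thresholds and the sample token are assumptions made for the example.

```python
"""Gateway-side handling of a user access token that may expire mid-request.

Added example, not code from the question or the answer. Assumes HS256 JWTs
and two illustrative keys; MIN_REMAINING is the question's "n (~1) minutes".
"""
import base64
import hashlib
import hmac
import json
import time

USER_KEY = b"user-token-signing-key-demo"      # assumed: shared with the auth service
INTERNAL_KEY = b"internal-token-signing-key"   # assumed: gateway and services only
MIN_REMAINING = 60   # seconds the user token must still be valid when it arrives
INTERNAL_TTL = 30    # lifetime of the internal token the gateway mints per request


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Minimal HS256 JWT encoder; the header is fixed, never caller-supplied."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes, now: int) -> dict:
    """Check structure, algorithm, signature and expiry; raise ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # the token's alg field is never trusted
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("token expired")
    return claims


def gateway_exchange(user_token: str, needed_scopes: set, now=None) -> str:
    """Validate the user token and mint a short-lived, scope-narrowed internal token.

    The request is rejected up front when the user token would expire within
    MIN_REMAINING seconds, so it cannot go stale while the request fans out to
    downstream services; the client must use its refresh token and retry.
    """
    now = int(time.time()) if now is None else now
    claims = verify_jwt(user_token, USER_KEY, now)
    if claims["exp"] - now < MIN_REMAINING:
        raise ValueError("token expires too soon; refresh first")
    granted = set(claims.get("scope", "").split())
    if not needed_scopes <= granted:
        raise ValueError("insufficient scope")
    internal = {
        "sub": claims["sub"],
        "iss": "gateway",
        "iat": now,
        "exp": now + INTERNAL_TTL,                 # bounded by the request, not the session
        "scope": " ".join(sorted(needed_scopes)),  # narrowed to what this request needs
        "act": claims.get("iss", "auth"),          # original issuer, kept for audit
    }
    return sign_jwt(internal, INTERNAL_KEY)


if __name__ == "__main__":
    now = 1_700_000_000                            # fixed clock for a repeatable demo
    # Constructed sample: a user token with 5 minutes left and two scopes.
    user = sign_jwt({"sub": "alice", "iss": "auth", "iat": now - 600, "exp": now + 300,
                     "scope": "orders:read orders:write"}, USER_KEY)
    internal = gateway_exchange(user, {"orders:read"}, now)
    print(verify_jwt(internal, INTERNAL_KEY, now))
    # Constructed sample: a token with only 30 seconds left is refused at the gateway.
    soon = sign_jwt({"sub": "alice", "exp": now + 30, "scope": "orders:read"}, USER_KEY)
    try:
        gateway_exchange(soon, {"orders:read"}, now)
    except ValueError as err:
        print("rejected:", err)
```

Two points worth noting in this sketch. The internal token's lifetime is tied to the request (INTERNAL_TTL), not to the user's session, so a service that is slow to act on it gets a clear signature-valid-but-expired failure rather than acting on stale authority; and MIN_REMAINING only needs to cover the gateway's own verification plus the expected fan-out, since the services trust the internal token from then on. The trade-off the question asks about is visible here: a token with 30 seconds of life left is refused even though it is still valid, so clients must be prepared to refresh and retry near the end of a token's life.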