Do we need to authenticate for Internal Microservice?
I have a spa app and three APIs (A, B, C)
A, B are public microservices and C is internal microservice.
Which way is best for that?
1. First way
SpaClient
Scope = A, B, C
Spa App gets a token of SpaClient from Identity Provider.
Call A api, B api from Spa App using token, and A api calls C api using same token.
2. Second way
SpaClient
Scope = A, B
CClient
Scope = C
Spa App gets a token of SpaClient from Identity Provider.
Call A api, B api, and A api calls additional to Identity Provider to fetch a token of CClient and call C Api using token of CClient.
This case, Identity Provider needs to generate new token on every request in order to call C Api from A Api.
3. Third way
SpaClient
Scope = A, B
Spa App gets a token of SpaClient from Identity Provider.
Call A api, B api from Spa App using token, and A api calls C api without token (no authentication in C Api).
Do we need to authenticate for Internal Microservice ?
C Api is a resource which needs to be protected. You can do this on a global level, which may all be fine. But what I think can be a problem is how to access the resource in the flow?
If the resource has user depended information then how are you going to pass this information? A Api can send any sub, claiming it is on behalf of this user. There is no way C Api can tell. And how do you prevent B Api from accessing the resource?
For maintainability and security reasons I would implement the same security on all api's. And in this case the problem can be solved by using delegation.
That way no other resources or clients can access C Api. The resource knows which client made the call and knows for sure it is on behalf of the user they say, as this is part of the access token and can be verified (introspection) by IdentityServer.
- NestJS JWT Strategy requires a secret or key
- How to create a Json Web Token (JWT) using OpenSSL shell commands?
- Is it safe to keep access token in NextAuth session?
- Verifying JWT signed with the RS256 algorithm using public key in C#
- JWT generate token with algorithm ES256
- Generating JWT token with JwtUtil class in Spring Boot resulting in NullPointerException
- MSAL AcquireSilent gets always new token
- In Identity Server 4, I have a User's identity but 0 Claims
- Google Cloud Functions - ImportError: cannot import name 'InvalidKeyError' from 'jwt.exceptions'
- I'm trying to create a Pydantic extension that allows me to deserialize jwt strings into pydantic models
- Is setting Roles in JWT a best practice?
- Get email claim from identity after upgrading to .NET 8 not working
- How to decode jwt token in POSTMAN?
- Firebase "getIdToken(true)" in Java Backend
- AWS cognito: What's the difference between Access and Identity tokens?
- Receiving attempted import error for JWT in Next.js
- How do I solve audience (aud) invalid claim error for downstream api service?
- Header sent error express.js with cookie-parser
- [NestJs]: JwtModule.register() not working
- Does Azure's EntraID support dynamic custom claims?
- Token handler unable to convert the token to jwt token
- JWT: to sign the claims with public key or private key, which way to go?
- Testing API with ninja_jwt
- User's password update via WordPress REST API
- Encryption with public key in Jose-JWT
- Web api core returns 404 when adding Authorize attribute
- How to change the response messages in Tymon JWT package laravel
- Trouble setting cookies in Express backend for Next.js frontend use
- Illegal base64url character: ' ' when getting claims/decode from token Java JWT Spring Boot
- ServiceStack JWT Refresh token uses Session identifier when used with OAuth AuthProvider