I am working on a spring-boot microservice application, user management module and The AuditTrail service module to be specific and I am tasked to create and Secure endpoints with jwt and other microservices (which can be .net, Django etc) are to use this token to secure endpoints. i have finished building the user management system but now i'm stuck cause I don't know how to go about validating jwt on other microservice systems and i have been instructed not to use the Api gateway architecture.
I am thinking to expose maybe an api/vi/auth/authenticate endpoint that other microservices can call but I'm not sure if there is a better way. maybe share the jwt secret and algo used to create token with the other microservices and every microservice just validates a token by it self. the later approach involves writing boilerplate code as far as I can see but I don't know if these are my only options and what flaws they might have to see if it is something I am able to manage.
To manage authentication in the microservice ecosystem you need an independent microservice authentication which could be SSO (single sign-on). The best practice and most secure way is using Oath and OpenId for this approach and To not invent the wheel from scratch, you can use some standard production like IdentityServer4 (more complicated but full-featured) of OpenIdDict(more simple) and lots of other, which provide both of authentication and authorization in a secure and standard way for you.
They provide an Access token which is JWT with lots of claims to handle your scenarios easily. Also, they have a standard URL address that exposes their URLs (for example URL/.well-known/openid-configuration which you can see here to see real result ) .
I suggest to implement a serious project following the standards of the industry.