Nice article!
There are 2 questions concerning solution 4 (Client token with API gateway):
1- Since the API gateway contributes to the authentication process by keeping the JWTs and issuing opaque tokens, why not just merge the API gateway and the authentication server?
Separation of concerns might be the motive to separate the API gateway from the auth server, since the primary goal of the gateway is not to authenticate the requests but to redirect them to their proper services. But once the gateway starts participating in the authentication process, it makes a lot of sense for me to merge the 2 into 1 server. All requests are sent to this server, and it is responsible for both authenticating the requests and redirecting them to their proper services.
2- If we merged the API gateway and the auth server into 1 server, then all requests going from this server to all microservices are guaranteed to be authenticated. In this case, is it necessary to re-verify the request JWT at every microservice, assuming that the microservices are connected on a private network and not exposed to the internet?
I can see that JWT verification at every microservice provides an extra layer of security in case the system ever got breached. But in normal circumstances, is there any reason why the microservice should verify the JWT of the request that has been previously verified by the gateway?
Thank you!
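A sketch of the arrangement these questions describe, as an added example that is not code from the article: the gateway keeps JWTs server-side, hands the client an opaque handle, and forwards the JWT; the downstream service then checks signature and expiry itself rather than trusting that the request came through the gateway. The HS256 signing key, the claims and the `handle_order` service are constructed for the demo.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed demo key; in practice the auth server and services load it from a secret store.
SIGNING_KEY = b"demo-shared-secret"

def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64url(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_jwt(claims, key=SIGNING_KEY):
    """Auth server: mint an HS256 JWT (header.payload.signature)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_jwt(token, key=SIGNING_KEY, now=None):
    """Microservice-side check: signature and expiry, independent of who forwarded the token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, payload, sig = parts
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(payload))
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("expired")
    return claims

class Gateway:
    """Solution 4: holds JWTs server-side and gives clients opaque handles."""
    def __init__(self):
        self._sessions = {}
    def login(self, jwt):
        opaque = secrets.token_urlsafe(16)
        self._sessions[opaque] = jwt
        return opaque
    def forward(self, opaque):
        # The gateway only looks the JWT up; it does not re-sign it or vouch for it.
        return self._sessions[opaque]

def handle_order(forwarded_jwt, now=None):
    """Downstream service: re-verifies the JWT even though it arrived via the gateway."""
    claims = verify_jwt(forwarded_jwt, now=now)
    return f"order accepted for {claims['sub']}"
```

Because the service validates the token itself, a forged or expired JWT is rejected at the service regardless of whether the gateway (or anything else on the private network) forwarded it.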
