Stateless authentication for Microservices

Marcus Cavalcanti
Nov 8, 2018

Resource access restriction

Designing an authentication layer

Sidecar proxy

Sidecar proxy pattern (source: Microsoft)

API Gateway

API Gateway pattern (source: Nginx)

Shared library

Breaking down the shared library approach

JWT and stateless authentication

Anatomy of a token: encoded and decoded (source: jwt.io)

Flowchart for creating a new user session with JWT (source: Toptal)

Shared library, also known as the security module

Intercepting an API request made by a consumer

Renewing the validity of the token

Lessons learned

Protect your domain layer

Application layers: business rules protected by the proxy pattern

Don't include your JWT secret key in the library code

Stateless authentication also means you cannot revoke tokens

The more information your token has, the larger it will be

Written by Marcus Cavalcanti

Currently @OLX. Previously @Amazon Web Services and @B2W Digital.
