Securing Service-to-Service Communication with JWT

Vanjikumaran Sivajothy
2 min readSep 29, 2018


The interaction between services must be efficient and robust. With the rise of microservices (often pitched as "SOA done right"), there are many micro/mini/uber services in an enterprise, each there to help solve a business problem.

Most inter-service communication is secured with SSL/TLS. Transport security only protects the channel, though: there is still a need to authenticate and authorize access to a "SERVICE" within the enterprise, and to streamline that authorization across services.

The use case given above is a typical order flow in which multiple services communicate to complete a single piece of business functionality, the order. As it illustrates, the user is authenticated every time the order API is accessed, but the rest of the APIs in the chain also need the identity of the call's origin and owner. The subsequent calls can therefore reuse the same authorization token to validate the call. For high-transaction systems and use cases, these additional calls from the Gateway to the key manager/IdP on every hop become costly. Making use of a JWT and verifying its signature in the gateway itself reduces the number of transactions against the IdP.

The diagram below illustrates the simple sequence flow for obtaining the JWT and making use of it for further inter-service communication.

As illustrated in the image above, the client makes a request to API1 in the WSO2 API Manager Gateway with an access token. Once the token has been validated by the WSO2 API Manager's Key Manager profile, the Key Manager generates a JWT assertion, which is passed to the API1 service via the Gateway. The API1 service then needs to access API2 in the WSO2 API Manager Gateway, but at that point it holds no access token, only the JWT assertion. When the API1 service invokes API2 with the JWT assertion, the JWT Authentication handler validates the signature (and should also check the expiry and issuer claims, and reject an unsigned or "alg: none" token) without another round trip to the Key Manager, and allows the call to reach the API2 service.
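The flow above, as an added worked example that is not the post's or the WSO2 project's code: a constructed Key Manager side that validates an opaque access token once and mints a JWT assertion, and a constructed handler in front of API2 that verifies the assertion locally. The header name X-JWT-Assertion is the one WSO2 API Manager uses by default to forward the JWT; everything else (the token store, the claim set, the secret, and the use of HMAC instead of WSO2's keystore-based signing) is an assumption made to keep the example dependency-free.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret standing in for the Key Manager's signing key.
# WSO2's Key Manager signs with a keystore (asymmetric) key; HMAC is used here
# only so the example runs with the standard library alone.
KEY_MANAGER_SECRET = b"constructed-demo-secret-do-not-reuse"
ISSUER = "key-manager"

# Constructed stand-in for the Key Manager's token store:
# opaque access token -> the identity it was issued to.
ACCESS_TOKENS = {"at-1234": {"sub": "alice", "scope": "order:write"}}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _compact(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def _sign(signing_input: str) -> bytes:
    return hmac.new(KEY_MANAGER_SECRET, signing_input.encode(), hashlib.sha256).digest()


def issue_jwt_assertion(access_token: str, now=None, ttl: int = 300) -> str:
    """Key Manager side: validate the opaque access token once (the costly step)
    and mint a short-lived JWT that carries the caller's identity downstream."""
    identity = ACCESS_TOKENS.get(access_token)
    if identity is None:
        raise PermissionError("invalid access token")
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": identity["sub"], "scope": identity["scope"],
              "iat": now, "exp": now + ttl}
    signing_input = f"{_compact(header)}.{_compact(claims)}"
    return f"{signing_input}.{_b64url(_sign(signing_input))}"


def verify_jwt_assertion(token: str, now=None) -> dict:
    """Gateway JWT handler side: verify the assertion locally, no Key Manager call."""
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64, or non-JSON header
        raise PermissionError("malformed JWT")
    # Pin the algorithm: rejects alg=none and algorithm-confusion attempts.
    if header.get("alg") != "HS256":
        raise PermissionError("unexpected alg")
    expected = _sign(f"{header_b64}.{claims_b64}")
    if not hmac.compare_digest(expected, signature):
        raise PermissionError("bad signature")
    # Only trust the claims once the signature has checked out.
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != ISSUER:
        raise PermissionError("unexpected issuer")
    now = int(time.time()) if now is None else now
    if now >= claims.get("exp", 0):
        raise PermissionError("JWT expired")
    return claims


def api2_handler(headers: dict, now=None):
    """Inbound handler in front of API2: reads the forwarded assertion and
    returns (status, caller subject or error)."""
    token = headers.get("X-JWT-Assertion")
    if not token:
        return 401, "missing JWT assertion"
    try:
        claims = verify_jwt_assertion(token, now)
    except PermissionError as err:
        return 401, str(err)
    return 200, claims["sub"]


def order_flow(access_token: str, now: int):
    """Client -> API1 (access token validated, JWT minted) -> API2 (JWT checked only)."""
    jwt = issue_jwt_assertion(access_token, now=now)      # API1 hop: Key Manager consulted
    return api2_handler({"X-JWT-Assertion": jwt}, now=now)  # API2 hop: local verification


if __name__ == "__main__":
    print(order_flow("at-1234", now=1_000))
```

The order of checks in verify_jwt_assertion is the point: algorithm pinning and signature verification come before any claim is read, so a forged or unsigned assertion never influences authorization, and the expiry check keeps a leaked assertion from being replayed indefinitely.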

The implementation of the handler described above is available at https://github.com/vanjikumaran/JWTAuthenticationHandler
