
JWT Authentication process in API Gateway on Microservice Architecture

SP Sarkar, published in Geek Culture, 3 min read, Jan 4, 2022


In a microservice architecture, an application is split into several microservices. For example, the Amazon application might be split into Order, Catalog, User Info, Rating, Review, Category, Cart, and several other microservices.

Most of the time these services sit behind a security wall and the user is authenticated by some security logic. What does that mean?

Suppose we need to add a product to the cart; we cannot do that without going through the login (authentication) process. This security logic would have to be implemented in every service, so that each microservice invoked to process a client request authenticates the user itself. But it is inefficient to have every microservice take on the overhead of authenticating the user every time it is invoked.

To solve this problem, the client request is authenticated at the API Gateway using token-based authentication.

We will discuss the token-based authentication process step by step. Use the following image for a better understanding; note that step 7 is not illustrated in it.

JWT Implementation in Microservices, Graphics by SPSarkar
  1. The user submits their credentials to the Identity Server / Authorization Server to get a reference access token.
  2. The identity server / authorization server validates the user credentials. For a valid user, the server stores the contents of the token, generates a reference access token and sends this token to the client. This token is random and encrypted.
  3. The client receives the access token and sends the request together with the reference access token to the API Gateway.
  4. The API Gateway receives the token from the client and forwards the access token to the identity server / authorization server.
  5. The Identity Server / Authorization Server validates the access token and returns a JSON Web Token (JWT) to the API Gateway. This JWT contains both user and permission information.

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. — https://jwt.io/

6. The API Gateway sends the client request, along with the JWT, to the microservice that will process it.

7. Now the microservice checks authentication and authorization using the contents of the JWT. A JWT has three parts separated by dots (.): header, payload, and signature.

eyJhbGciOiJIUzI1NiJ9.eyJuYW1lIjoiSm9lIENvZGVyIn0.5dlp7GmziL2QS06sZgK4mtaqv0_xX4oFUuTDh1zHK4U
# JWT (header.payload.signature)
# ------------------------
# header (hashing algorithm and type of token)
# payload (authorization information and expiry of token)
# signature (computed over the header & payload, digitally signed with the server's key)

The microservice extracts the header and payload and recomputes the signature over these two Base64-URL-encoded JSON segments using the server's key: for the HS256 token shown above that is an HMAC-SHA256 of header.payload (for an RSA or ECDSA algorithm the service instead verifies the signature with the issuer's public key). It then compares the recomputed value with the signature segment of the token. If the two match, the token was issued by the identity server and has not been altered, and the service concludes that the client is authenticated. Before trusting the claims, the service should also check the expiry carried in the payload.
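As an added example (not code from the original post), here is a stand-alone model of steps 1 to 7 and of the signature check just described, written in Python with only the standard library. The identity server, gateway and cart service, the user "alice", her password, her "cart:write" permission and the HMAC key are all constructed for this example; a real deployment would use an established JWT library, per-user password salts and a key-management system.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


def b64url_encode(data: bytes) -> str:
    # JWT segments are base64url without '=' padding
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # put back the padding that b64url_encode stripped
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims: dict, key: bytes) -> str:
    """Build header.payload.signature with HS256 (HMAC-SHA256 over header.payload)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(signature)}"


def verify_jwt(token: str, key: bytes, now=None):
    """Step 7 as the microservice performs it: returns the claims, or None to reject."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        presented = b64url_decode(sig_b64)
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    # Pin the algorithm this service is configured for; the token must not choose it
    # (this is what rejects "alg":"none" and algorithm-confusion tokens).
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    # constant-time comparison of the recomputed MAC with the presented signature
    if not hmac.compare_digest(expected, presented):
        return None
    # a valid signature on an expired (or expiry-less) token is still a rejection
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= (time.time() if now is None else now):
        return None
    return claims


class IdentityServer:
    """Constructed identity / authorization server (steps 1, 2 and 5)."""

    def __init__(self, jwt_key: bytes):
        self._jwt_key = jwt_key
        self._salt = b"constructed-salt"  # a real server salts per user
        # constructed user store: username -> (password hash, permissions)
        self._users = {"alice": (self._hash("correct horse"), ["cart:write"])}
        self._reference_tokens = {}  # opaque token -> stored token contents (step 2)

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def login(self, username: str, password: str):
        # steps 1-2: validate credentials, keep the token contents server-side and
        # hand the client a random, opaque reference token
        record = self._users.get(username)
        if record is None or not hmac.compare_digest(record[0], self._hash(password)):
            return None
        ref = secrets.token_urlsafe(32)
        self._reference_tokens[ref] = {"sub": username, "scope": record[1]}
        return ref

    def exchange(self, reference_token: str, ttl: int = 300):
        # step 5: a valid reference token is traded for a JWT carrying user + permissions
        contents = self._reference_tokens.get(reference_token)
        if contents is None:
            return None
        now = int(time.time())
        return mint_jwt({**contents, "iat": now, "exp": now + ttl}, self._jwt_key)


def cart_service(request: dict, jwt: str, key: bytes) -> dict:
    # step 7: the service authenticates and authorizes from the JWT alone,
    # with no call back to the identity server and no user-database query
    claims = verify_jwt(jwt, key)
    if claims is None:
        return {"status": 401}
    if "cart:write" not in claims.get("scope", []):
        return {"status": 403}
    return {"status": 200, "user": claims["sub"], "added": request["product"]}


def api_gateway(idp: IdentityServer, reference_token: str, request: dict, service) -> dict:
    # steps 3-6: exchange the client's reference token for a JWT, then forward request + JWT
    jwt = idp.exchange(reference_token)
    if jwt is None:
        return {"status": 401}
    return service(request, jwt)


def demo():
    key = secrets.token_bytes(32)  # shared by the identity server and the services
    idp = IdentityServer(key)
    service = lambda req, jwt: cart_service(req, jwt, key)
    ref = idp.login("alice", "correct horse")  # steps 1-2
    good = api_gateway(idp, ref, {"product": "book"}, service)
    bogus = api_gateway(idp, "not-a-real-token", {"product": "book"}, service)
    return good["status"], bogus["status"]  # (200, 401)
```

Running `demo()` walks the whole flow once with a valid reference token and once with a bogus one. The point of `verify_jwt` is that the service never decrypts anything: it recomputes the MAC over the first two segments with the shared key, compares it in constant time with the third segment, and only then looks at the claims, rejecting any token whose header names a different algorithm or whose `exp` has passed.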

What is the advantage of token-based authentication in microservices?

The main advantage is that it reduces the overhead of authenticating the user each time a microservice is invoked, because the JWT carries the user's identity information in its payload. Microservices use the JWT to perform authentication and authorization, which avoids additional operations such as database queries to check whether the user is authenticated.
