Tips for architecture for authentication in a microservice-driven application.

All MS contain the code to authenticate? (Breaks the single responsibility principle.)

Edge-level authorization? (gateway)
Service level?

  • 6
    FE - Gateway: session token

    Gateway - Microservices: JWT/PASETO

    We are currently building something along these lines. The gateway intercepts the request and replaces the session token in the auth header with the JWT (redis). Requests to /login and /refresh are redirected to the auth-service and parsed accordingly; the JWT stays on the BE. /logout just drops the key.

    (Auth-service creates JWT with private key, all other services validate with public key.)

    If you can live with the downsides of storing the JWT/PASETO in a cookie, drop the gateway. Biggest problem: there is no actual logout by design; you need a blocklist, which means you 100% need a DB for validating the JWT.
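The split described in the answer above (opaque session token FE to gateway, asymmetrically signed JWT gateway to services, public-key validation in every service), as an added Go example that is not code from the thread or from any poster's system. The auth-service and the gateway are collapsed into one process, an in-memory map stands in for redis, and the session id, subject and 15-minute lifetime are constructed values; the last lines show the downside the answer names, that dropping the gateway key does not invalidate a JWT already issued.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// mintJWT is the auth-service side: sign header.payload with the private key (EdDSA).
func mintJWT(priv ed25519.PrivateKey, claims map[string]any) string {
	body, _ := json.Marshal(claims)
	in := b64.EncodeToString([]byte(`{"alg":"EdDSA","typ":"JWT"}`)) + "." + b64.EncodeToString(body)
	return in + "." + b64.EncodeToString(ed25519.Sign(priv, []byte(in)))
}

// verifyJWT is the downstream-service side: signature and exp are checked with the public key alone.
func verifyJWT(pub ed25519.PublicKey, tok string, now time.Time) (map[string]any, error) {
	p := strings.Split(tok, ".")
	if len(p) != 3 {
		return nil, errors.New("malformed token")
	}
	if sig, err := b64.DecodeString(p[2]); err != nil || !ed25519.Verify(pub, []byte(p[0]+"."+p[1]), sig) {
		return nil, errors.New("bad signature")
	}
	var claims map[string]any
	if payload, err := b64.DecodeString(p[1]); err != nil || json.Unmarshal(payload, &claims) != nil {
		return nil, errors.New("bad payload")
	}
	if exp, ok := claims["exp"].(float64); !ok || now.Unix() >= int64(exp) {
		return nil, errors.New("expired or missing exp")
	}
	return claims, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	// Gateway store: opaque session token (FE side) -> JWT (BE side); a map stands in for redis.
	sessions := map[string]string{"sess-1": mintJWT(priv, map[string]any{"sub": "alice", "exp": time.Now().Add(15 * time.Minute).Unix()})} // constructed
	tok := sessions["sess-1"]  // gateway swaps the session token for the JWT in the auth header
	delete(sessions, "sess-1") // /logout just drops the key...
	_, err := verifyJWT(pub, tok, time.Now())
	fmt.Println("old JWT still verifies after logout:", err == nil) // ...but the JWT stays valid until exp
}
```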
  • 4
    - Vercel Edge Middleware
    - Next-Auth
    - Netlify
    - Auth0

    Check out their edge Auth solutions.
  • 1
    MS behind a service mesh?