du90093662774150 2016-02-25 22:41
408 views
Accepted

JWT authentication in a microservice architecture

Question

How is it possible to create an authentication service within a microservice application and have other services check against that token (JWT) and retrieve a user?

Possible Solution

My current thinking is based around the auth service inserting { token, user } into Redis once a user is authenticated. All other services can check against the user's Authorization: Bearer kdI8$dj$nD&... header token within Redis.

  • If token is present in Redis, user is authenticated.
  • If token is not present in Redis, user is not authenticated.


  1. User sends { username, password } to auth service
  2. Auth service authenticates credentials and retrieves { token, user }
  3. Auth service inserts { token, user } into Redis
  4. User makes request to Service-1 with { token }
  5. Service-1 looks for { token } in Redis and retrieves { token, user }
  6. Service-1 does its thing and sends back { data }

Are there any possible security, logic or architectural problems with this approach?


2 answers

  • douxingti9307 2016-02-26 01:58

    It's not really clear why you would want to store tokens in Redis. The security token typically contains information about the user (claims data) already. If you need information about the user that is not stored in the token, you should be able to look that up by a simple database query on the user id claim.

    Each service can validate the incoming token by checking its digital signature (only needs the public key of the signing certificate for this), lifetime (when does the token expire), audience (who is the token for) etc. If the caller presents a valid token, the user is authenticated.

    This answer was selected by the asker as the best answer.
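The validation the answer describes (signature with the auth service's public key, expiry, audience) as an added, runnable example that is not part of the original question or answer. It replaces steps 4 and 5 of the asker's flow: Service-1 verifies the bearer token locally instead of looking it up in Redis. The code is a deliberately minimal RS256 JWT issuer and verifier written here for illustration; the claim values, the audience name `service-1` and the function names `Issue`/`Verify` are assumptions, and in production a vetted JWT library should replace the hand-rolled encoding. Note the two checks a practitioner would insist on beyond the answer's list: the verifier pins the algorithm rather than trusting the token's `alg` header, and it checks the signature before reading any claim.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of registered JWT claims the services below rely on.
type Claims struct {
	Sub string `json:"sub"` // user id; look up extra user data by this, not by token
	Aud string `json:"aud"` // which service the token is for
	Exp int64  `json:"exp"` // expiry, seconds since epoch
	Iat int64  `json:"iat"` // issued-at, seconds since epoch
}

// JWT segments are base64url without padding.
var b64 = base64.RawURLEncoding

// Issue is what the auth service does: sign the claims with its private key.
func Issue(priv *rsa.PrivateKey, c Claims) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// Verify is what every other service does. It needs only the auth service's
// public key, the audience name it expects for itself, and the current time.
func Verify(pub *rsa.PublicKey, token, expectedAud string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	// Pin the algorithm: the token must not get to choose it ("alg":"none",
	// or HS256 with the public key as the shared secret).
	rawHeader, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var header struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(rawHeader, &header); err != nil || header.Alg != "RS256" {
		return nil, errors.New("unexpected alg")
	}
	// Signature first, before trusting anything in the payload.
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("bad signature")
	}
	rawClaims, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(rawClaims, &c); err != nil {
		return nil, err
	}
	// Lifetime: a missing exp is treated as expired, not as "never expires".
	if c.Exp == 0 || !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("token expired")
	}
	// Audience: a token minted for service-2 must not be replayed at service-1.
	if c.Aud != expectedAud {
		return nil, fmt.Errorf("token is for %q, not %q", c.Aud, expectedAud)
	}
	return &c, nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // the auth service's key pair
	now := time.Now()
	tok, _ := Issue(priv, Claims{Sub: "user-42", Aud: "service-1", Exp: now.Add(15 * time.Minute).Unix(), Iat: now.Unix()})
	c, err := Verify(&priv.PublicKey, tok, "service-1", now)
	fmt.Println("service-1:", c, err)
	_, err = Verify(&priv.PublicKey, tok, "service-2", now)
	fmt.Println("service-2:", err)
}
```

One consequence worth keeping in mind: because nothing is stored server-side, a token stays valid until `exp` even if the user logs out or is disabled; if immediate revocation is required, a short lifetime plus a small denylist of revoked token ids (which is where a store like the asker's Redis would fit) is the usual compromise.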