Geek Answers Handbook

Microservices Authentication of Best Practices and Security (OAuth 2.0 and OpenIdConnect)

There are several ways to create authentication in microservices. However, the use of JWT tokens and the OAuth protocol along with the OpenID Connect authentication level is very popular.

There is one piece of advice in this tutorial explaining how to do this:

Pass the link when the tokens should leave your network, and then convert them to tokens as they arrive. Make this conversion in your API gateway.

However, I do not understand why it costs. I suspect that this may be due to some security benefits (to prevent the client from reading any specific information). Because in the JWT token itself, this may be role / resolution information. But for this purpose, the token can also be encrypted.

Another reason may be that the JWT token is too large to not carry this token every time this approach can be used. (or if the JWT token is stored in a cookie, it has size limits).

I have not seen any information that the authentication of the JWT token has been compromised, and it is bad practice to keep it on the client (in the browser).

On the other hand, I see that Ping Identity also uses the pass by reference approach. Can you help me understand the reasons for this?

+7
security oauth microservices openid-connect
source share
2 answers

Both of them are valid parameters, and, as always, this is the exact scenario in which you want to apply them, which will determine the most suitable . As usual, each option will have its pros and cons, and you have already mentioned a few, so I will try to do something new for discussion.

The main difference is the content, the value will contain the actual values, while the link is just a random sequence of bits. If you want to present confidential information in a token, this can upscale in favor of reference tokens.

It is true that if you use JWT, you can encrypt them to ensure confidentiality, but this adds a significant level of complexity, and the support for JWT encryption in available libraries is most likely not as good as support for signing, given that encryption is not has such widespread use.

As for the size, I do not think that this should be a decisive factor. Yes, if you come with tokens with a useful value, you need to keep them small enough so as not to impose significant overhead on the channel, but you should not choose one against the other just because of this restriction.

One thing that you did not mention, but I consider it important that the reference tokens look more suitable for situations where the authorization server and resource server belong to the same object . It is true that a standard already exists to cover the introspection of tokens so that the external resource server can request information about the reference token in the interaction. However, it is still true that when both participants are on the same security boundary, reference tokens should be easier to scale and implement.

The suggestions for this article are also interesting, you reduce overhead costs on the external network and do not have any problems with information disclosure, and then update the default tokens in one central place, which means that all other services located behind it can all from the simplicity of having the required information already inside the token itself.

Thus, if disclosing information is a problem for you, you probably want to use link tokens so as not to take the cost of JWT encryption; otherwise, you could make life simple for you and go with signs of value.

+2
source share

I believe that the main advantage (which the article wanted to convey, in addition to information disclosure) of using a reference token (opaque tokens) compared to its value (JWT) is its ability to control access tokens when it is distributed outside the network.

In other words, if we issue access tokens as JWT outside the network, then it is difficult to refuse access during emergency assistance (when the user is disconnected or logged out, lost mobile phones, etc.). But link tokens can be easily canceled since this is a pointer within the AS bounds.

A more detailed explanation is available here .

+1
source share

More articles:


All Articles