In the previous blog, we discussed the API Gateway in the microservice architecture and came to a point where we need to focus our attention on security management between sets of microservices. In a monolithic architecture, security is managed by the application server: all the services are deployed on one application server, and a centralized authentication service uses the session management features of that server. Once a user logs in, a session is maintained and it is not necessary for every service to authenticate the user again.



But in a microservice architecture, authentication/authorization becomes more challenging. Since each microservice may be deployed remotely (not locally), with most communication happening over HTTP calls, it is not obvious how to authenticate the user once and pass that identity on to every microservice.

Here we will discuss a method based on JWT to secure communication between microservices.

JWT stands for JSON Web Token. It exists in the form of either JWS (JSON Web Signature) or JWE (JSON Web Encryption). JWS and JWE are concrete implementations of JWT, which is like an abstract class. The whole process of generating a JWT is depicted in the picture below. When a request is made by the client, it first communicates with the Authorization server and gets an access token. The request, along with the access token, is sent to the API Gateway. At this point the access token is decrypted and sent back to the Authorization server to get the JWT (after validation). The JWT contains the user identity along with the microservices the user may call. Each microservice validates the JWT and generates its own JWT to communicate with other microservices according to scope rules. This is possible only if each microservice has the mechanism (the keys and the validation logic) to verify these JWTs. Sometimes a nested JWT is also used, in which the previous JWT is carried inside the new JWT.
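The flow above, written out as an added example (not code from the original post): the gateway mints an HS256 JWS carrying the user identity and scopes, and a downstream "orders" microservice validates it, applies its own scope rules to mint a narrower token for the next hop, and nests the original token in a `parent_jwt` claim. Key names, service names, scope strings and the `ALLOWED_DOWNSTREAM` mapping are constructed for the demo; only the standard library is used.

```python
import base64, hashlib, hmac, json, time

# Constructed demo keys: each issuer/verifier pair shares a secret (assumption for HS256).
GATEWAY_KEY = b"gateway-signing-key-demo"
ORDERS_KEY = b"orders-service-signing-key-demo"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jws(claims: dict, key: bytes) -> str:
    """Create a compact HS256 JWS (a JWT) over the given claims."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def verify_jws(token: str, key: bytes, now=None) -> dict:
    """Check structure, pinned algorithm, signature and expiry; return claims or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(_unb64(header_b64)).get("alg") != "HS256":  # never let the token pick the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(payload_b64))
    if claims.get("exp", 0) <= (now if now is not None else int(time.time())):
        raise ValueError("token expired")
    return claims

def gateway_issue(user: str, scopes: list, now: int) -> str:
    """API Gateway step: after the authorization server validated the access token, mint the JWT."""
    return sign_jws({"iss": "gateway", "sub": user, "scope": scopes, "iat": now, "exp": now + 300}, GATEWAY_KEY)

# Constructed scope rule: which downstream (inventory) scopes each gateway scope may be exchanged for.
ALLOWED_DOWNSTREAM = {"orders:read": ["inventory:read"], "orders:write": ["inventory:read", "inventory:reserve"]}

def orders_service_forward(token: str, now: int) -> str:
    """Orders microservice: validate the gateway JWT, then mint its own narrowed, short-lived JWT (nesting the original)."""
    claims = verify_jws(token, GATEWAY_KEY, now)
    downstream = sorted({s for sc in claims["scope"] for s in ALLOWED_DOWNSTREAM.get(sc, [])})
    if not downstream:
        raise PermissionError("no scope permits calling inventory")
    return sign_jws({"iss": "orders", "sub": claims["sub"], "scope": downstream,
                     "iat": now, "exp": now + 60, "parent_jwt": token}, ORDERS_KEY)
```

The inventory service would verify the outer token with `ORDERS_KEY` and, if it needs the full chain, the nested `parent_jwt` with `GATEWAY_KEY`; each hop therefore needs its own verification keys, which is the per-service validation cost the next paragraph warns about.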

One must also be wary of the cost involved in JWT validation at the microservice level.