Could you please share a sample code implementation of the example of external IDP and token exchange?

Just those of us watching this now. Monolithic Architecture is not old school. It’s in fact should be the de-facto standard to start writing your application using a “Modular”approach until you find the need to migrate to “Microservices”.

Def great vid. Thanks for the clear and clean explanations.

JWT is one of the best choices for Microservice AuthZ per my dev experience so far.

How does each microservice verify the JWT token it receives is the valid one. Even if it verifies that it is valid by calculating decoding and decrypting how it identify this user request is authorized one.

@Quester82

2 жыл бұрын

Each service has mechanism to decode JWT token addressed to it and after extracting roles contained within JWT decides what to do with the request. Basically - every service has it's authorisation mechanism.

Where can I find some example of your gateway api? Did you use and authorization code for the first token and client credentials for the second?

I'd like to get more information, on how access token between FE and gateway acts. What if IDP doesn't support that?

Hi! Why do we need to forward JWT token to microservices? Is it used to provide user information?

@valour.se47

4 жыл бұрын

I can be wrong but what i understand is that Jwt token have three parts in it, one is to hold user information so when you have roles set to users that role information will be in the token so that services can decide if they allow or deny the request.

@alexisgc19

4 жыл бұрын

In short, yes.. It provides user information (id, roles..) to the services behind gateway

@alexisgc19

4 жыл бұрын

At 24:40 "All the information needed to complete a particular request is sent along with JWT in the Authorization header"

@mikedqin

4 жыл бұрын

My understanding: 1) JWT token self-contained and it's signed, when Resource Server receives it, it can verify the JWT token is valid, and no need to contact Authorization Server. 2) JWT token can contains claims for authorization purpose and not limited to UserInfo claim, so in a scenario where Authorization Server receives the JWT token (not in this video), it can make decision if the request should be granted or not. 3) Token Exchange in the video above, the main purpose I guess is for point 1), Resource Server gets what it needs, it can validate the token, and no need to validate it with Authorization Server - no additional call is needed. 4) API Gateway acts as the Authorization Client - such as OAuth2 Client. 5) Alternatively Authentication Server can generates a JWT token with UserInfo claim. The client can pass the token to Authorization Server for authorizing the request. In this case, there is no Token Exchange.

@myobpro8516

4 жыл бұрын

But how do you want to protect you microservices from unauthorized access ?

please share sample code

Also 29:01 FYI Signing is not the same as encryption

FWIW JWT tokens standard says Encryption is optional

Can some one post Github link for this

How will microservices verify that jwt is valid or not?

@andresmtz98

3 жыл бұрын

It's the IDP's responsability, I think

It could have been great if there was a practical example of the implementation. That could have really helped

Code example?

Aggregating Data on the Gateway can be problematic, would not recommend that. Don't put business logic on the gateway.

Why offload something as important as identity to a third party? That seems like a security issue...

@kellyfj

4 жыл бұрын

Why offload your infrastructure to the cloud? Wouldn't that be a security issue too.

@kenmagg

4 жыл бұрын

@@kellyfj there's on prem or Colo vs cloud... Different levels of security for different things.. Login/auth you'd think would be high security..

@shubitoxX

3 жыл бұрын

Whether it is a 3rd party or not is completely up to you