I'm working on a application which is implemented using microservice architecture. There is an authentication service (A) which uses jwt standard, and there are other services in the application like S1, S2, S3 and so on.
Now for example S1 receives a request, it should validate the token to see if the user is authorized or not. The validation can be achieved by:
- Sending the token from S1 to A, then A validates the token and sends the result to S1 (which is a kind of overhead)
- Validating the token inside S1 (which is a duplicate action inside every service, also requires secret key or public/private keys inside each service, for signing/verification)
I'm not asking about how these approaches work exactly. The questions is, which one of them is better? Or what is the best practice in this situation?
Best Answer
Validate the token in the service by checking the signature.
The whole point of sending a jwt with claims is so you DON'T have to hit the auth service again.
Doing so introduces a bottleneck to your architecture and defeats some of the reasons for going with microservices