szerhusenBC/jwt-spring-security-demo

Integrating into microservices architecture (Question)

Closed this issue · 1 comments

Hello,

We want to integrate this demo into a Spring Cloud microservices architecture.

We have a few questions.

1

Do we need to have the JwtUser model in the authentication service?
We are not going to return any User details from the service, only tokens.
However, it is used in the JwtTokenUtil validateToken() method, which seems to be important.

2

We need to validate a token for secured endpoints in other services.
The way we see it at the moment, our gateway service has to route to the authentication service
for every secure request to another service to validate the token and, if the token is correct, direct it to the appropriate service.
Any suggestions on what the authentication service could return to the gateway if the token is valid/invalid?

3

Are there any other suggestions on how to implement Cloud Security?
So far, the tutorials we looked at seem to be very confusing, but this demo is pretty straightforward.

Sorry for this late response, but I was too busy in the past.

1

No, you don't need to take JwtUser. I just wanted to be able to put more information in the user object than is possible with the common Spring Security User. You have to adapt these sections to your needs.

2 and 3

I wouldn't use this approach in a microservice architecture where I'd have multiple apps. I've done this project because I just wanted to secure a single app with a JS client without setting up a "fat" SSO environment. Take a look here for an approach with OAuth2: http://www.baeldung.com/spring-security-oauth-jwt or take a look at the Keycloak server at http://www.keycloak.org/