3
votes

I am currently creating a new application based on a Microservices architecture, with authentication provided by Identity Server 4.

Following lots of research and also setting up proof of concepts, I have Identity Server set up to secure the APIs and a native application successfully accessing these services using tokens.

Initially the client was issued an access token which was used to access the APIs; I have, however, now switched this out to use reference tokens. Now, onto the issue!

The approach I would like to take here is to adopt a Microservices gateway, which receives a reference token and then turns this into a JWT for inclusion in any requests to the downstream microservices. Within the Gateway, how can I "exchange" the inbound reference token for a JWT? Is there something within Identity Server that can assist here? Or do I need to use the introspection endpoint, sending in the reference token and retrieving the claims to construct a JWT within the gateway service for passing in the Authorization header to all downstream services?

If there is any further information that I can provide to help with understanding the goal of the architecture, please just let me know.


2 Answers

5
votes

I thought I would follow up with some details on my implementation here, in case it was useful for anybody else looking to secure an API Gateway using Reference Tokens, with downstream services that require a JWT.

I have implemented an ASP.NET Core middleware that runs in the API Gateway. The middleware runs in the pipeline after the Identity Server Authentication middleware and before the MVC middleware. The purpose of the middleware is to take the inbound reference token and exchange this with Identity Server (using Extension Grants) for a JWT that can be used in the Authorization header when making calls to the downstream microservices.

The middleware is available on GitHub and also as a NuGet package. Further detail on the use case of the middleware can be seen in the GitHub README, and there is also full detail on installing and configuring the middleware available in the GitHub Wiki.

In addition to performing the exchange of a Reference Token for an Access Token, the middleware also has built-in support for caching, reducing the number of round trips to the Identity Server to perform token exchange.

If anybody wants to use the middleware and has questions regarding the installation and configuration that are not covered by the documentation, please add an issue in the GitHub repository tagged as Question.
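A sketch of the gateway side of the exchange described in this answer, added here as an example; it is not the author's middleware or IdentityServer4's own code. It assumes a gateway client registered for a custom grant type named "delegation" (with a matching IExtensionGrantValidator on the IdentityServer side that validates the reference token, as in the IdentityServer4 extension-grant documentation), and the endpoint URL, client credentials and scope are placeholders.

```csharp
using System; using System.Collections.Generic; using System.Net.Http; using System.Text;
using System.Security.Cryptography; using System.Text.Json; using System.Threading.Tasks;
using Microsoft.AspNetCore.Http; using Microsoft.Extensions.Caching.Memory;

// Hypothetical gateway middleware: swaps the inbound reference token for a JWT through an
// IdentityServer4 extension grant ("delegation"), caches the JWT and rewrites the Authorization header.
public class ReferenceTokenExchangeMiddleware
{
    // Assumed values: token endpoint, the gateway's client registration (AllowedGrantTypes = { "delegation" }), downstream scope.
    private const string TokenEndpoint = "https://identity.example/connect/token";
    private const string ClientId = "gateway", ClientSecret = "<secret-from-configuration>", Scope = "downstream-api";
    private readonly RequestDelegate _next; private readonly IHttpClientFactory _clients; private readonly IMemoryCache _cache;

    public ReferenceTokenExchangeMiddleware(RequestDelegate next, IHttpClientFactory clients, IMemoryCache cache)
    { _next = next; _clients = clients; _cache = cache; }

    public async Task InvokeAsync(HttpContext context)
    {
        // Runs after the authentication middleware, so the reference token has already been validated
        // (introspected) by the time we get here; unauthenticated requests pass through untouched.
        var header = context.Request.Headers["Authorization"].ToString();
        if (context.User.Identity?.IsAuthenticated == true && header.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase))
        {
            var referenceToken = header.Substring("Bearer ".Length).Trim();
            var jwt = await _cache.GetOrCreateAsync(CacheKey(referenceToken), async entry =>
            {
                var (token, expiresIn) = await ExchangeAsync(referenceToken);
                // Evict shortly before the JWT expires so a stale token is never forwarded downstream.
                entry.AbsoluteExpirationRelativeToNow = TimeSpan.FromSeconds(Math.Max(expiresIn - 30, 1));
                return token;
            });
            context.Request.Headers["Authorization"] = "Bearer " + jwt;
        }
        await _next(context);
    }

    // One round trip to the token endpoint: grant_type=delegation plus the reference token as "token".
    private async Task<(string token, int expiresIn)> ExchangeAsync(string referenceToken)
    {
        var form = new FormUrlEncodedContent(new Dictionary<string, string> {
            ["grant_type"] = "delegation", ["client_id"] = ClientId, ["client_secret"] = ClientSecret,
            ["scope"] = Scope, ["token"] = referenceToken });
        using var response = await _clients.CreateClient().PostAsync(TokenEndpoint, form);
        response.EnsureSuccessStatusCode();
        using var doc = JsonDocument.Parse(await response.Content.ReadAsStringAsync());
        return (doc.RootElement.GetProperty("access_token").GetString(), doc.RootElement.GetProperty("expires_in").GetInt32());
    }

    // Key the cache on a SHA-256 digest so the reference token itself is never stored as a cache key.
    private static string CacheKey(string token)
    {
        using var sha = SHA256.Create();
        return "jwt:" + BitConverter.ToString(sha.ComputeHash(Encoding.UTF8.GetBytes(token))).Replace("-", "");
    }
}
```

Register it with `app.UseMiddleware<ReferenceTokenExchangeMiddleware>()` between `UseAuthentication()` and the MVC/endpoint middleware; note that a revoked reference token keeps its cached JWT until that JWT's own expiry, so keep the delegated token lifetime short.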