4
votes

I have various microservices. I have implemented security using JWT. Each service validates the JWT token by the key which is being shared across all the services.

Is it fine to share the same signature key for JWT across all the microservices?

I can't implement this at the API gateway as I have to use certain libraries which require Spring Security to be triggered in every microservice.

- What happens when you invalidate the key? – Constantin Galbenu
- @ConstantinGALBENU I am using a config service. In case I invalidate the key, I update the new key in the configuration, which is over git. All other services get the latest key to continue the process. – Nitish Bhardwaj
- Are you using spring-security-oauth? If so, then you can use the /oauth/token_key endpoint exposed by the auth server. – Neil DCruz
- I am using Spring Security but I am not using OAuth. I have to use JWT. – Nitish Bhardwaj

1 Answer

7
votes

Yes, you will need to share a key in order for JWT to function securely/correctly.

What I would recommend is using a public-private key signing method and pass by value JWT. This will then mean you get a private signing key which only your gateway needs to know and a public verification key.

You can then distribute your verification key to all your microservices. This can either be something you do via deployment, or your microservices can use some kind of refresh cycle and publish your signing key along with the gateway. The former is more secure, the latter better at self-healing.

This might be useful: JWK.
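An added example (not from the answer or the asker's code) of the private/public split described above, using the nimbus-jose-jwt library that Spring Security's JWT support builds on. The key ID `gateway-key-1`, the issuer `api-gateway` and the claims are constructed values; the point is that only the gateway can sign, while every service verifies with the published JWKS and also checks issuer and expiry.

```java
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.jwk.gen.RSAKeyGenerator;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import java.text.ParseException;
import java.util.Date;

public class AsymmetricJwtDemo {
    public static void main(String[] args) throws JOSEException, ParseException {
        // Gateway side: the only place the private key exists ("gateway-key-1" is a made-up key ID).
        RSAKey privateJwk = new RSAKeyGenerator(2048).keyID("gateway-key-1").generate();

        // The public JWK Set is what gets distributed (baked into deployment or fetched on a refresh cycle).
        RSAKey publicJwk = privateJwk.toPublicJWK();
        String jwks = new JWKSet(publicJwk).toString(); // serialises only the public part
        System.out.println("Published JWKS: " + jwks);

        // Gateway issues a token; the "kid" header lets services pick the right key during rotation.
        JWTClaimsSet claims = new JWTClaimsSet.Builder()
                .subject("user-42")     // constructed sample claims
                .issuer("api-gateway")
                .expirationTime(new Date(System.currentTimeMillis() + 5 * 60 * 1000))
                .build();
        SignedJWT jwt = new SignedJWT(
                new JWSHeader.Builder(JWSAlgorithm.RS256).keyID(privateJwk.getKeyID()).build(), claims);
        jwt.sign(new RSASSASigner(privateJwk));
        String token = jwt.serialize();

        // Microservice side: select the key by "kid" from the JWKS, verify the signature, then check claims.
        RSAKey serviceKey = (RSAKey) JWKSet.parse(jwks).getKeyByKeyId("gateway-key-1");
        SignedJWT received = SignedJWT.parse(token);
        boolean signatureOk = received.verify(new RSASSAVerifier(serviceKey));
        JWTClaimsSet c = received.getJWTClaimsSet();
        boolean notExpired = c.getExpirationTime() != null && c.getExpirationTime().after(new Date());
        boolean issuerOk = "api-gateway".equals(c.getIssuer());
        System.out.println("token valid = " + (signatureOk && notExpired && issuerOk));

        // A service holding only the public JWK cannot mint tokens: nimbus refuses to build a signer.
        try {
            new RSASSASigner(serviceKey);
        } catch (JOSEException e) {
            System.out.println("service cannot sign: " + e.getMessage());
        }
    }
}
```

In a Spring Boot resource server the same verification step is what `NimbusJwtDecoder` does when pointed at the gateway's JWKS endpoint, so each service keeps its own Spring Security filter chain without ever holding the signing key.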