0
votes

I'm going to build microservices using the Laravel framework. I have a users microservice that processes clients' credentials and authenticates them (creates JWTs for clients). Also, there are other microservices that require user authentication.

And the question is, how can I validate clients' access tokens in the microservices (except the users microservice), if the secret access token key is only in the users microservice? Or, should I keep the secret key in each microservice?


1 Answer

0
votes

Instead of handing out the secret key to each service, you might want to consider signing JWTs with a private/public key pair using RSA. That way only one service has the ability to create/modify tokens and the others can only verify them. The public key should be stored in the services or requested from the authentication service in the backend.

More thoughts on SSO in microservices can be found here.