Using JWTs to authenticate services unravels API gateways


The API gateway component in a cloud native architecture is critical because it offloads critical API security and policy functionality to a common place, allowing the backend APIs and services to focus on business logic. API authentication, authorization, audit, throttling and similar tasks can be complex and difficult to get right, so many organizations choose an API gateway to handle them. By Christian Posta and Peter Jausovec.

Further in the article:

  • How to use JWTs to authenticate S2S communication
    • Option 1: Use an STS to issue tokens
    • Option 2: Have the service sign its own tokens
  • Where things can go wrong with JWT
  • JWT Complexity is where service mesh simplifies things

We’ve covered some ways JWTs can be used to represent service identity and suggested areas of concern. There are several areas to closely watch in your services architecture to avoid security holes. If these are not bulletproof, you will give attackers opportunities to compromise your system.

To guard against replaying the bearer token, you must limit exposure by setting brief expiration times, ideally just a couple of minutes. This puts more onus on the services to refresh their JWTs for their requests. Setting the expiration for hours, days, or months happens too often. This is a big security hole. Nice one!
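The short-lifetime rule above, as an added example that is not from the article or the authors: a minimal HS256 service token that is minted with a two-minute expiry, verified with signature, algorithm, audience and expiry checks, and a helper the calling service uses to decide when to refresh. The shared secret, service names and timestamps are constructed, and the function names are hypothetical.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_service_token(key: bytes, issuer: str, audience: str, now: int, ttl_seconds: int = 120) -> str:
    """Mint an HS256 service-to-service token that lives only a couple of minutes."""
    header = json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode()
    claims = json.dumps({"iss": issuer, "sub": issuer, "aud": audience,
                         "iat": now, "exp": now + ttl_seconds}, separators=(",", ":")).encode()
    signing_input = f"{_b64url(header)}.{_b64url(claims)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_service_token(key: bytes, token: str, expected_aud: str, now: int, leeway: int = 5) -> dict:
    """Reject anything that is malformed, wrongly signed, for another audience, or past exp."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, c, s = parts
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the verifier, not the token, chooses the algorithm
    expected = hmac.new(key, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c))
    if claims.get("aud") != expected_aud:
        raise ValueError("wrong audience")
    if now > claims["exp"] + leeway:  # small clock-skew allowance, then a replayed token is dead
        raise ValueError("token expired")
    return claims


def needs_refresh(claims: dict, now: int, margin: int = 30) -> bool:
    """A caller holding a short-lived token must mint a new one before it lapses."""
    return now >= claims["exp"] - margin


if __name__ == "__main__":
    key = b"constructed-shared-secret"  # constructed; real deployments distribute this via the STS
    tok = issue_service_token(key, "orders", "payments", now=int(time.time()))
    print(verify_service_token(key, tok, "payments", now=int(time.time())))
```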

