With microservices and JWT behind an API gateway, is it best practice to pass the JWT token to the child services? Or is it better to let the gateway handle the JWT and pass the information from the token to the child services as needed?
For example, if we have a customer ID in our JWT token, is it best to pass that to the child service as just the CustomerID, so the child service doesn't have to understand the authentication?
The answer depends a lot on the architecture being used, on whether one service is expected to call other services, and on whether that call will be made on behalf of the user or not…
For example, a user may have a `mail:send` scope in his JWT, and uses it to call an email service. The email service, in turn, calls a logging microservice. Three choices here would be:
- The logging service is not exposed directly to end users. The email microservice call to the logging service is treated as a trusted call, with no authentication required.
- The logging service takes the same JWT that the email service received to do authorization.
- The email service is modelled as a client of the logging service. The email service, with the client credentials grant, obtains its own token to call the logging service. The logging service does not care who the end user is; it sees the email service as its client.
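The three choices above, side by side, as an added example that is not part of the original answer. It uses a minimal HS256 JWT implemented inline (standard library only) so it runs offline; the shared key, the client registry, the scope names (`mail:send`, `logs:write`) and the service/function names are constructed for this demo, and a real deployment would use an asymmetric key published by the authorization server rather than one HMAC secret. The point it makes that the prose does not: with option 2 the logging service's authorization is coupled to whatever scopes the end user happens to hold, so the internal call fails unless the user token also carries `logs:write`; with option 3 the email service is authorized in its own right.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key: stands in for the authorization server's signing key.
AUTH_SERVER_KEY = b"demo-authorization-server-key"
# Constructed client registry used by the client-credentials grant (option 3).
CLIENTS = {"email-service": "email-service-secret"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes = AUTH_SERVER_KEY) -> str:
    """Mint an HS256 JWT in compact serialization for the given claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes = AUTH_SERVER_KEY, now: Optional[float] = None) -> dict:
    """Check signature, algorithm and expiry; return the claims or raise PermissionError."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        raise PermissionError("malformed token")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise PermissionError("bad signature")
    # Pin the algorithm: never let the token's own header choose the verifier.
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise PermissionError("unexpected alg")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise PermissionError("token expired")
    return claims


def scopes(claims: dict) -> set:
    return set(claims.get("scope", "").split())


# Option 1: the logging service is reachable only from inside the trusted network,
# so the call carries no credential and the caller name is taken at face value.
def logging_service_trusted(caller: str, message: str) -> dict:
    return {"caller": caller, "message": message}


# Option 2: the logging service re-verifies the end user's forwarded JWT and
# requires its own scope on that token.
def logging_service_user_token(user_token: str, message: str) -> dict:
    claims = verify_jwt(user_token)
    if "logs:write" not in scopes(claims):
        raise PermissionError("user token lacks logs:write")
    return {"caller": claims["sub"], "message": message}


# Option 3: the email service is a registered client; it exchanges its own
# credentials for a service token, and the logging service authorizes that
# client rather than the end user.
def token_endpoint_client_credentials(client_id: str, client_secret: str, scope: str) -> str:
    if not hmac.compare_digest(CLIENTS.get(client_id, ""), client_secret):
        raise PermissionError("unknown client or bad secret")
    return sign_jwt({"sub": client_id, "client_id": client_id, "scope": scope,
                     "exp": time.time() + 300})


def logging_service_service_token(service_token: str, message: str) -> dict:
    claims = verify_jwt(service_token)
    if "client_id" not in claims or "logs:write" not in scopes(claims):
        raise PermissionError("service token lacks logs:write")
    return {"caller": claims["client_id"], "message": message}


def email_service_send(user_token: str, option: int) -> dict:
    """Authorize the user for mail:send, then log the send using option 1, 2 or 3."""
    claims = verify_jwt(user_token)
    if "mail:send" not in scopes(claims):
        raise PermissionError("user token lacks mail:send")
    message = f"mail sent on behalf of {claims['sub']}"
    if option == 1:
        return logging_service_trusted("email-service", message)
    if option == 2:
        return logging_service_user_token(user_token, message)
    svc_token = token_endpoint_client_credentials("email-service", "email-service-secret", "logs:write")
    return logging_service_service_token(svc_token, message)


if __name__ == "__main__":
    # Constructed user token: has mail:send but, as is typical, no scope for internal services.
    user = sign_jwt({"sub": "user-42", "scope": "mail:send", "exp": time.time() + 600})
    print(email_service_send(user, 1))
    print(email_service_send(user, 3))
    try:
        email_service_send(user, 2)
    except PermissionError as err:
        print("option 2 failed:", err)
```

Option 1 only holds if the logging service genuinely cannot be reached by anything but the email service (network policy, mTLS, or a mesh), since the `caller` value is unauthenticated. Option 2 also leaks the user's full token one hop further than necessary, so if the user token must be forwarded it should at least carry an audience claim that the logging service checks.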