Do I understand correctly the use of jwt in microservice architecture:

During authentication, the user creates an Access token and a Refresh token. The Refresh token stores the id of the Access token. The Access token is sent to the user in a header and stored in WebStorage or Cookies, and the Access token is stored somewhere (DB or file). On a subsequent client request, the Access token is sent to the server, where its validity is checked; then, if it is valid, its lifetime is checked and, if necessary, a new Access token is issued.

  • 1
    The main advantage of using JWT is the ability to authorize a user only once and give him a set of permissions. After that, the JWT is used to access other services that do not need to contact the database or the authorization service, since the JWT token already contains all the necessary information (including what is needed to verify its authenticity, in the form of a signature). - Vladimir Gamalyan
  • @VladimirGamalyan, this is just an explanation of what JWT is and what it can do; it has nothing to do with the question. I am interested in the usage scheme. - bsuart

1 answer

Good day.

As far as I can judge about JWT, this mechanism exists "by itself", apart from the micro or macro-service architecture, it (the mechanism) needs only a client and a server.

If you believe the jwt.io site, then this process consists of the following steps:

1) Client requests authorization

2) Server creates and returns a token.

3) The client, when requested, indicates this token in the request header.

4) The server authorizes the client by token and sends the content to the client.

It seems to me that your algorithm with two tokens, in principle, fits into the above process.

Personally, it seems to me that the second token is superfluous; one would have been enough. In addition, writing a token to the database is not always a good idea, since a database query will be needed every time a token is received, even one without a payload.

Below I will describe an example of using JWT in my own services:

1) Client requests authorization by passing user and password

2) The server searches the user database, checks the password, and if everything is fine, it creates a token by encoding the user ID with the SH256 algorithm using the server's internal secret key.

3) The token is sent to the client, and the token is NOT written to the database.

4) The client makes a request for the content indicating the received token in the request header

5) The server decodes the token "on the fly" and, if it obtains a payload of the correct structure, looks the client up in the database by identifier.

6) If the user is found, the content is returned.

I hope this answered your question.
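The six steps above, as an added example that is not part of the original answer: the token is minted by signing the user id with HMAC-SHA256 (HS256) under a server-side secret, nothing is stored in the database, and on each request the server verifies the signature (constant-time, with the algorithm pinned server-side rather than read from the token), checks the expiry, and only then looks the subject up. The secret, the `USERS` table and the function names are constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumption: the secret exists only on the server (constructed value for this example).
SECRET = b"constructed-server-secret-do-not-reuse"

# Constructed user table standing in for the database queried in step 5.
USERS = {"42": {"name": "alice"}}


def b64url_encode(raw: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str, ttl_seconds: int, secret: bytes = SECRET,
                now: Optional[float] = None) -> str:
    """Step 2: sign the user id with HMAC-SHA256 (HS256); nothing is written to the database."""
    now = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "iat": now, "exp": now + ttl_seconds}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def verify_token(token: str, secret: bytes = SECRET,
                 now: Optional[float] = None) -> Optional[dict]:
    """Step 5: decode on the fly; return the payload only if signature, structure and expiry hold."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        payload = json.loads(b64url_decode(payload_b64))
        signature = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    # Pin the algorithm server-side; never let the token choose (this rejects "alg": "none").
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        return None
    if not isinstance(payload, dict) or not isinstance(payload.get("sub"), str):
        return None
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return None
    return payload


def handle_request(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Steps 5-6: look the subject up in the user table and return content, or None (401)."""
    payload = verify_token(token, now=now)
    if payload is None:
        return None
    user = USERS.get(payload["sub"])
    if user is None:
        return None
    return {"user": user["name"], "content": "private data for " + user["name"]}


if __name__ == "__main__":
    tok = issue_token("42", ttl_seconds=900)
    print(tok)
    print(handle_request(tok))
```

Two details matter for the "no database write" design to stay safe: the signature check must happen before any field of the payload is trusted, and the expiry must be part of the signed payload, since a token that is never stored can only be limited in time, not revoked individually.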

  • 1
    If you give up the refreshToken, then you have to force the user to enter the login and password every time after the token expires, and this is not always good - Jbyh
  • It seems to me that any token should have a valid time and be updated periodically by entering a password. If you do not do this, then once you receive someone else's token, you can always get access, even if the password is changed. - Nik
  • On the other hand, the more often you send the password, the easier it is to obtain it ... + the refresh token also expires, it also has a lifetime, and with each re-request you get a new pair - Jbyh
  • By and large, this is already a feature of a specific implementation and lies outside jwt - Nik
  • 2
    refreshToken - has a large TTL and is one-time, used to generate a new pair (analogous to cookies). accessToken - has a small TTL and is reusable, used for identification (analogous to a session). If an attacker uses the refreshToken, the user will be logged out. And as soon as the user logs in again, the attacker's pair of tokens will no longer be valid - Ninazu
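The scheme in the last two comments (short-lived reusable access token, long-lived one-time refresh token, a new pair on every refresh, and a password login that invalidates the old pairs), as an added example that is not part of the thread. It goes one step beyond the comments: presenting an already-used refresh token is treated as a replay and immediately revokes every refresh token of that user, so the holder of a stolen copy is logged out together with the victim instead of keeping a valid pair until the victim's next login. The in-memory `TokenStore`, its TTLs and the scenario function are constructed for this example; the access token is a plain dict standing in for the signed JWT.

```python
import secrets
import time
from typing import Dict, Optional, Tuple

ACCESS_TTL = 15 * 60            # small TTL, reusable (constructed value)
REFRESH_TTL = 30 * 24 * 3600    # large TTL, one-time (constructed value)


class TokenStore:
    """Constructed in-memory refresh-token store; assumption: a real service keeps this in a DB or cache."""

    def __init__(self) -> None:
        # refresh token -> record. Refresh tokens are opaque random strings, not JWTs.
        self._refresh: Dict[str, dict] = {}

    def _issue_pair(self, user_id: str, now: float) -> Tuple[dict, str]:
        refresh = secrets.token_urlsafe(32)
        self._refresh[refresh] = {"user": user_id, "exp": now + REFRESH_TTL, "used": False}
        # The access token stands in for the signed JWT; it is never stored server-side.
        access = {"sub": user_id, "exp": now + ACCESS_TTL}
        return access, refresh

    def _revoke_user(self, user_id: str) -> None:
        for rec in self._refresh.values():
            if rec["user"] == user_id:
                rec["exp"] = 0.0

    def login(self, user_id: str, now: Optional[float] = None) -> Tuple[dict, str]:
        """Password login: every refresh token previously issued to this user stops working."""
        now = time.time() if now is None else now
        self._revoke_user(user_id)
        return self._issue_pair(user_id, now)

    def rotate(self, refresh_token: str, now: Optional[float] = None) -> Optional[Tuple[dict, str]]:
        """Exchange a one-time refresh token for a new (access, refresh) pair, or None (re-login needed)."""
        now = time.time() if now is None else now
        rec = self._refresh.get(refresh_token)
        if rec is None or rec["exp"] <= now:
            return None
        if rec["used"]:
            # A one-time token presented twice is a replay: revoke everything this user holds,
            # so whoever holds the stolen copy is logged out along with the victim.
            self._revoke_user(rec["user"])
            return None
        rec["used"] = True
        return self._issue_pair(rec["user"], now)


def stolen_refresh_scenario(now: float = 1_700_000_000.0) -> Tuple[bool, bool, bool, bool]:
    """Someone obtains the user's refresh token and exchanges it before the user does."""
    store = TokenStore()
    _, r1 = store.login("alice", now=now)
    attacker = store.rotate(r1, now=now + 60)          # stolen token exchanged first: a fresh pair
    victim = store.rotate(r1, now=now + 900)           # user's access token expired; replay detected
    attacker_again = store.rotate(attacker[1], now=now + 960) if attacker else None
    _, r2 = store.login("alice", now=now + 1000)       # user logs in again with the password
    relogin = store.rotate(r2, now=now + 1060)
    return (attacker is not None, victim is None, attacker_again is None, relogin is not None)


if __name__ == "__main__":
    print(stolen_refresh_scenario())
```

Only the refresh tokens are stored, so the "query the database on every request" cost the answer objects to is paid once per refresh (every `ACCESS_TTL`), not on every access-token request, while a stolen refresh token still has a bounded useful life.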