How do I make a stateless architecture design so that if a user (A) is logged in and the JSON Web Token is generated by server X1 and returned to user A, and user A then sends another request that is served by server X2, the user does not have to re-authenticate? The goal is an architecture that is highly horizontally scalable.
2 Answers
Normally you would have a service that does all the work related to authentication. Basically that means that X1 and X2 will call that service to authenticate the user or verify an existing authentication. The only thing that should be performed on X1 and X2 is validation of the token. The token could be valid, valid but expired, or not valid. If it is valid, you just perform the necessary work, regardless of the particular server. If it is not valid, you reject the request, and if it is expired, you redirect the user to re-authenticate.
But if you are asking about particular environment-specific details and your problem is that X2 does not have some specific cryptographic keys that X1 has, or something like this, then you forgot to mention which frameworks you are using to obtain the JWT.

There are a few requirements to make it work:
- As mentioned above, X1 and X2 would use internal service A for credential verification.
- There will be salts in the user/API client records bound to A's data source.
- X1 and X2 encryption keys should be shared, and they should use the same structure for the JWT's `sub` object. The `iss` object should also be checked (normally bound to the API client to which the user requesting authentication is bound). The logic of verification should be shared between X1 and X2.
- The token has data forged into it; it is provided by the same service A, then hashed and structured, and then checked by X1 and X2 in the same way.

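An added example (not code from either answer) showing the shared verification logic both answers describe: service A mints an HS256 JWT with a key shared with X1 and X2, and the same `verify_token` routine on either server classifies it as valid, expired or invalid after checking the signature and the `iss`/`sub` claims. The key, the issuer name `auth-service-A` and the timestamps are constructed sample values.

```python
import base64
import hashlib
import hmac
import json

# Key shared out-of-band between X1 and X2 (constructed demo value, not from the post).
SHARED_KEY = b"constructed-demo-key-rotate-in-production"
# Hypothetical issuer name for the internal authentication service A.
EXPECTED_ISS = "auth-service-A"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(sub: str, ttl: int, now: int, key: bytes = SHARED_KEY) -> str:
    """Service A mints the token; X1/X2 only hand it back to the client."""
    claims = {"iss": EXPECTED_ISS, "sub": sub, "iat": now, "exp": now + ttl}
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, now: int, key: bytes = SHARED_KEY) -> str:
    """Identical check on X1 and X2: returns 'valid', 'expired' or 'invalid'."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm: the token's own 'alg' must never select the verifier.
        if header.get("alg") != "HS256":
            return "invalid"
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        # Constant-time comparison avoids a timing side channel on the MAC.
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return "invalid"
        claims = json.loads(_b64url_decode(payload_b64))
        # Issuer and subject are checked the same way on every server.
        if claims.get("iss") != EXPECTED_ISS or not isinstance(claims.get("sub"), str):
            return "invalid"
        if not isinstance(claims.get("exp"), int):
            return "invalid"
    except (ValueError, TypeError, AttributeError):
        return "invalid"
    # Only a token with a good signature and issuer is worth checking for expiry.
    return "expired" if now >= claims["exp"] else "valid"
```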