What if token is expired between services?

Question

I've been reading up on communication between services/microservices.

The API Gateway authenticates the request and passes an access token (e.g. JSON Web Token) that securely identifies the requestor in each request to the services. A service can include the access token in requests it makes to other services.

via http://microservices.io

And I'm passing access-token of a user to downstream services, So it looks more or less like this:

But what if a token is expired between microservices?

There are plenty of ways to solve this problem, those seem reasonable:

• Validate access-token of a user and create short-lived JWT in API Gateway (kind of internal tokens)

• Each microservice validates the JWT and generates its own JWT to communicates with other microservices according to scope rules

So we would have Auth service to validate or request tokens.

The questing is:

In order to be sure if token will be not expired during the journey through services we can just make a check in API Gateway layer: if a token is expired in n(~1) minutes reject it, so user have to use refresh token to obtain a new access token. It means token always will be valid for the time necessary to complete the request. What are pros and cons of this approach?

Answer 1

I have the same question, so Google lead me to here. I hope it's not too late to response this question after half year.

I cant say this is an "Answer", but I hope my idea may inspire anyone something. So it's a kind of "idea sharing".

I think there are two ways to deal with this issue:

1. if the token will expire in 10 minutes, refresh it at 6 minutes (just an example). So make sure the situation you said will never happen by adjusting expire time and refresh time.

2. Another way is adjust the system architecture. Split APIs into internal and external. All external's token will be check at API Gateway, then there is no token within internal services.

I think we have a lot of methods to avoid the issue mentioned by this question. Based on different particular project requirement, we should consider to use different security design. So there is no "silver bullet".