
I'm talking about the case when these two are separate apps. I'm not interested in merging them into one app. So, in an authorization server we extend the AuthorizationServerConfigurerAdapter class and in the resource server ResourceServerConfigurerAdapter, and in both we create exactly the same beans like JwtAccessTokenConverter, DefaultTokenServices etc., but mostly I don't get why we need a TokenStore in both.

Does this mean that we store for example in memory the same token in different applications?

What's the best approach to remove this code duplication? Create a library for common classes? Make a request to the auth server to validate the token? But how are we going to extract more info from the JWT token if we don't have the decoding logic in the resource server?

A5300

2 Answers


Does this mean that we store for example in memory the same token in different applications?

https://auth0.com/learn/json-web-tokens/

This is a stateless authentication mechanism as the user state is never saved in the server memory. The server’s protected routes will check for a valid JWT in the Authorization header, and if there is, the user will be allowed. As JWTs are self-contained, all the necessary information is there, reducing the need of going back and forward to the database.


What's the best approach to remove this code duplication? Create a library for common classes?

If you use a symmetric key:

@Bean
public JwtAccessTokenConverter accessTokenConverter() {
    JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
    // shared HMAC secret: the resource server must be configured with the same value
    converter.setSigningKey("123");
    return converter;
}

JwtAccessTokenConverter, DefaultTokenServices etc. will be identical beans in both the resource server and the authentication server, so you could have a common project for both with the declarations of these beans, and add it as a dependency in both projects.

But if you use an asymmetric KeyPair, the bean declarations change completely and they couldn't be the same.

You can see more information about this difference here:

https://www.baeldung.com/spring-security-oauth-jwt


Make request to auth server to validate the token?

JWT's main advantage is not having to do that.


But how are we going to extract more info from JWT token if we don't have the decoding logic in resource server?

If you use a symmetric key, you can have the decoding logic in the resource server.

Francesc Recio
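To make the "common project" suggestion concrete, here is an added example (not code from the answer or from the Spring project) of a shared configuration class for the symmetric-key case that both the authorization server and the resource server could depend on; the package name, class name and the jwt.signing-key property are assumptions. For the asymmetric KeyPair case mentioned above this class could not be shared as-is, because only the authorization server holds the private key.

```java
package com.example.oauth.common; // hypothetical shared-library package

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.provider.token.DefaultTokenServices;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;

/**
 * Shared JWT beans for the symmetric-key case, intended to live in a common
 * library that both applications import. Hypothetical class, not from the page.
 */
@Configuration
public class SharedJwtConfig {

    // Read the HMAC secret from configuration instead of hard-coding it:
    // both applications must be given the same value, and it should be long
    // and random (a short literal such as "123" is trivially guessable).
    @Value("${jwt.signing-key}")
    private String signingKey;

    @Bean
    public JwtAccessTokenConverter accessTokenConverter() {
        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
        converter.setSigningKey(signingKey);
        return converter;
    }

    // JwtTokenStore persists nothing: storeAccessToken is a no-op and
    // readAccessToken decodes and verifies the token's signature on every
    // call. Nothing is "stored in memory" in either application; only the
    // key is shared.
    @Bean
    public TokenStore tokenStore(JwtAccessTokenConverter converter) {
        return new JwtTokenStore(converter);
    }

    @Bean
    public DefaultTokenServices tokenServices(TokenStore tokenStore,
                                              JwtAccessTokenConverter converter) {
        DefaultTokenServices services = new DefaultTokenServices();
        services.setTokenStore(tokenStore);
        services.setTokenEnhancer(converter); // authorization server: sign issued tokens
        services.setSupportRefreshToken(true);
        return services;
    }
}
```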

The best way to resolve this case in a microservice system is to create some entities: API composer, authorization service and business services.

[diagram: API composer, authorization service and business services]

The base mechanism of this scheme is:

Firstly, you separate your requests into unauthorized and authorized ones with a token header. Usually, it's named something like "X-AUTHORIZATION-HEADER" or anything like this. In this header, you put your JWT token and send it to the server's gateway, whose role is performing the 'API Composer'. It's some kind of router which accepts requests and delivers them to the appropriate recipients.

In particular, the API composer accepts a response, parses the headers, finds the appropriate header with a token, sends it to the Auth Service and receives a response with a user or an error. And in this scheme, you need entities like JwtAccessTokenConverter and the like only in the Auth Service.

Then, once the aggregated response payload is complete, your API will send the response to the client.

I use this scheme when I develop my microservice systems; for me it works fine.

Hope I correctly understood your question and that my answer will help you) Best Regards.

Scrobot