
What I have understood so far is that managing sessions across microservices can be implemented using JWTs, which can be verified at the API gateway level.

To some extent, this microservices session managing and Session management using json web tokens in microservices clear the doubts.

However, does one need to propagate the JWT across microservices to maintain the session? I mean, let's say microservice A handles profiles and microservice B handles payments (or some other functionality). Does the token need to be propagated explicitly from A to B?

How is the session maintained across microservices?

Mark Rotteveel
Rahul
  • Actually, the JWT pattern is intended to largely eliminate the need to maintain any sort of session state. As a simplification, you may view the JWT as a passport which exists independent of any microservice. – Tim Biegeleisen May 15 '22 at 08:09
  • If all your microservices are running on only one server or in a private network, you could just manage the JWT token in one gateway or inside a user management microservice and use the user id in the other microservices' REST endpoints or event messages to react to logged-in user actions; that's what we have done in the company I'm working for. If your microservices are reachable from the outside, you could use a microservice to generate and check the validity and sources of the JWT, and on each request to a microservice you could check the validity of the JWT, but it would decrease your perfs. – ScorprocS May 15 '22 at 09:22
  • There is another way that will not decrease performance: share the JWT secret with each microservice, so each microservice will be able to check the token but only one will be able to generate one. The issue with that approach is spreading the JWT secret everywhere. – ScorprocS May 15 '22 at 09:27
  • @ScorprocS does that mean that if we manage the JWT token in one gateway, we need to pass the userId to the other microservices as one of the request parameters? – Rahul May 15 '22 at 09:42
  • Yes, you could pass the user id as a request param, URL param or body param; that's up to you. – ScorprocS May 15 '22 at 09:46
  • Yes, as per the links you mentioned, you can see that JWT tokens are nothing but the result of an authenticated entity (in simple terms, a user). Hence, authentication can be done at a central level, and for API authorization you must pass the JWT token (which is divided into 3 parts) in the header of the API request. Non-secure APIs can omit this functionality! – Harsh May 27 '22 at 05:52
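The two approaches the comments describe, side by side, as an added example that is not from the question or any commenter: a gateway that verifies the HS256 JWT once and forwards only the user id to an internal service over the private network, and a service that holds the shared secret and verifies the token itself. The secret, the `X-User-Id` header name and the service functions are constructed for the demo; the JWT encoding is standard.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

SECRET = b"constructed-demo-secret"  # hypothetical HMAC key held by the issuer

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_jwt(claims: dict, secret: bytes = SECRET) -> str:
    """Auth service: mint an HS256 token as header.payload.signature."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def verify_jwt(token: str, secret: bytes = SECRET, now: Optional[float] = None) -> Optional[dict]:
    """Check algorithm, signature and expiry; return the claims or None."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(_unb64(header)).get("alg") != "HS256":
            return None  # refuse any other alg, including "none"
        expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(payload))
    except ValueError:  # malformed structure, base64 or JSON
        return None
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        return None
    return claims

def gateway(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Pattern 1: verify once at the edge, forward only the user id inward."""
    claims = verify_jwt(token, now=now)
    return None if claims is None else {"X-User-Id": claims["sub"]}  # constructed header

def payments_service(internal_headers: dict) -> str:
    """Service B trusts X-User-Id only because it is reachable solely via the gateway."""
    return f"charged user {internal_headers['X-User-Id']}"

def profile_service(token: str, now: Optional[float] = None) -> Optional[str]:
    """Pattern 2: the service holds the shared secret and verifies the JWT itself."""
    claims = verify_jwt(token, now=now)
    return None if claims is None else f"profile of {claims['sub']}"
```

Pattern 1 is only safe if the internal services cannot be reached except through the gateway, since anyone who can send them a request can set `X-User-Id`; pattern 2 avoids that trust but puts the signing secret on every service.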
