JSON Web Token (JWT)
JSON Web Token (JWT) is a standard format for the information carried in an access token. The data structure is JSON. For validating the access token a digital signature according to JWS (JSON Web Signature) can be used; likewise, the access token can be encrypted with JWE (JSON Web Encryption). The access token can contain information about the issuer of the token, the resource owner, the validity interval, or the intended recipient (audience) of the token. Application-specific data can also be included. Because the JSON is encoded with Base64url, the access token is suitable for transport in an HTTP header. Such headers are normally subject to size restrictions, so the token should be kept small.
OAuth2, JWT, and Microservices
In a microservice-based architecture the user first authenticates via one of the OAuth2 approaches. Afterwards the user can use the web page of a microservice or call a microservice via REST. With each further call, a microservice can pass the access token on to the other microservices it calls. Based on the access token, each microservice can decide whether a certain access is granted or not. For that, the validity of the token is checked first. In the case of a signed JWT the token only has to be Base64url-decoded and the signature of the authorization server verified, together with the validity interval and the intended audience; no call back to the authorization server is needed. (If the token is additionally encrypted with JWE, it has to be decrypted before the signature can be checked.) Subsequently, whether the user may use the microservice as intended can be decided based on the information in the token. For instance, the affiliation with certain user groups can be stored directly in the token.
It is important that the access token does not define which access to which microservice is allowed. The access token is issued by the authorization server. If the information about permitted accesses were kept in the authorization server, every modification of the access rights would have to be made in the authorization server rather than in the microservices. This limits the changeability of the microservices, since modifications to the access rights would require changes to the authorization server as a central component. The authorization server should only administer the assignment of users to groups, and the microservices should then allow or prohibit access based on this group information from the token.
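The two steps described above, as an added example that is not code from the original text: a minimal HS256 JWS issuer standing in for the authorization server, the checks a microservice performs on each call (pinned algorithm, signature, issuer, audience, validity interval), and a service-local mapping from user groups to operations. The service name order-service, the group names, the shared secret and the timestamp are constructed for the example. A real authorization server would sign with a private key (RS256 or ES256) so that microservices hold only the public key and cannot mint tokens themselves; HMAC is used here only to keep the example dependency-free.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed shared secret for the example. With an asymmetric algorithm the
# microservice would hold only the authorization server's public key.
SECRET = b"example-shared-secret-not-for-production"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, key: bytes = SECRET) -> str:
    """Authorization server side: sign the claims as a compact JWS (HS256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


class TokenError(Exception):
    pass


def verify_token(token: str, key: bytes, issuer: str, audience: str,
                 now: Optional[int] = None) -> dict:
    """Microservice side: signature first, then issuer, audience, validity interval."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise TokenError("token is not a three-part compact JWS")
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: the header must never choose how the token is verified.
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise TokenError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if claims.get("iss") != issuer:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("token not intended for this service")
    if now >= claims.get("exp", 0):          # a token without exp is rejected
        raise TokenError("expired")
    if now < claims.get("nbf", 0):
        raise TokenError("not yet valid")
    return claims


# Service-local policy: which groups may perform which operation. This lives in
# the microservice, not in the token and not in the authorization server.
ORDER_SERVICE_POLICY = {
    "read_order": {"customers", "support", "order-admins"},
    "cancel_order": {"support", "order-admins"},
    "refund_order": {"order-admins"},
}


def is_allowed(claims: dict, operation: str, policy=ORDER_SERVICE_POLICY) -> bool:
    """Decide from the group claim; the token says who, the service says what."""
    return bool(set(claims.get("groups", [])) & policy.get(operation, set()))


def demo(now: int = 1_700_000_000) -> dict:
    """Issue a token, verify it, apply the policy, and try a tampered copy."""
    issuer, audience = "https://auth.example", "order-service"
    claims = {"iss": issuer, "sub": "alice", "aud": [audience, "billing-service"],
              "iat": now, "exp": now + 300, "groups": ["customers", "support"]}
    token = issue_token(claims)
    verified = verify_token(token, SECRET, issuer, audience, now=now)
    results = {op: is_allowed(verified, op) for op in ORDER_SERVICE_POLICY}
    # Tampering: promote the user to order-admins without re-signing.
    h, p, s = token.split(".")
    forged = json.loads(b64url_decode(p))
    forged["groups"] = ["order-admins"]
    tampered = f"{h}.{b64url_encode(json.dumps(forged, separators=(',', ':')).encode())}.{s}"
    try:
        verify_token(tampered, SECRET, issuer, audience, now=now)
        results["tampered_accepted"] = True
    except TokenError:
        results["tampered_accepted"] = False
    return results


if __name__ == "__main__":
    print(demo())
```

Changing which group may cancel or refund an order is an edit to ORDER_SERVICE_POLICY inside the order service; the authorization server and the tokens it issues stay untouched. Conversely, moving a user between groups is the authorization server's job and takes effect with the next token it issues.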