
Security with microservices, Spring boot


Hope you are doing well. I am learning about microservices using Spring Boot, and currently I'm investigating security in microservices with JWT tokens.

I have an authorization service (which handles user creation, login, sign-up, etc.), a main service (which contains some business logic), and an API gateway. As I understand, we should use the API gateway to check if the token exists and if it is valid.

However, I have some questions:

1. How can I get the authenticated user in the main service? In a monolithic application, I would save it in the SecurityContextHolder in a "one-per-request" filter.
2. What if there is an endpoint in the main service that needs to be secured not only by a valid JWT (which I currently check in the API gateway) but also by the roles that the authenticated user has?
3. What is the best practice to implement this? Should I add a "one-per-request" filter to the main service (and, in the future, to all other services) to call the authorization service, check the JWT, and get user information from it? Is it a good idea to make a call to the authorization service for every request?

Additionally, for role-based security, should I also configure secured endpoints for each service?
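An added example for the filter the questions above describe (not code from the post): a OncePerRequestFilter for the main service that verifies the JWT's signature, expiry and issuer locally with the authorization service's public key, so no call to the authorization service is needed per request, and then populates the SecurityContextHolder with the user and the roles carried in the token. It assumes Spring Boot 2.x on Java 17, jjwt 0.11.x, RS256 tokens with "sub", "iss" and a "roles" array, and the issuer name "auth-service"; all of these are assumptions.

```java
import java.io.IOException;
import java.security.PublicKey;
import java.util.List;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.OncePerRequestFilter;

// Assumed (not from the post): Spring Boot 2.x on Java 17 (javax.servlet), jjwt 0.11.x, RS256 tokens with "sub", "iss", "roles".
public class JwtAuthenticationFilter extends OncePerRequestFilter {
    // The auth service's public key, loaded once at startup (e.g. from its JWKS endpoint): verification needs no network call.
    private final PublicKey authServicePublicKey;

    public JwtAuthenticationFilter(PublicKey key) { this.authServicePublicKey = key; }

    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws ServletException, IOException {
        String header = req.getHeader("Authorization");
        if (header == null || !header.startsWith("Bearer ")) {
            chain.doFilter(req, res); // no token: request stays anonymous, the endpoint rules decide if that is allowed
            return;
        }
        try {
            // Signature, expiry and issuer are verified locally against the auth service's key.
            Claims claims = Jwts.parserBuilder()
                    .setSigningKey(authServicePublicKey)
                    .requireIssuer("auth-service") // assumed issuer value
                    .build()
                    .parseClaimsJws(header.substring("Bearer ".length()))
                    .getBody();
            @SuppressWarnings("unchecked")
            List<String> roles = claims.get("roles", List.class);
            var authorities = (roles == null ? List.<String>of() : roles).stream()
                    .map(role -> new SimpleGrantedAuthority("ROLE_" + role)).toList();
            // Populate the SecurityContext exactly as the monolith's filter did; hasRole() now works downstream.
            SecurityContextHolder.getContext().setAuthentication(
                    new UsernamePasswordAuthenticationToken(claims.getSubject(), null, authorities));
            chain.doFilter(req, res);
        } catch (JwtException e) {
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED); // tampered, expired or foreign token
        }
    }
}
```

Register it in each service's SecurityFilterChain with `http.addFilterBefore(filter, UsernamePasswordAuthenticationFilter.class)` and state the per-endpoint role requirement there (`.requestMatchers("/reports/**").hasRole("ADMIN")`) or with `@PreAuthorize("hasRole('ADMIN')")` on the controller method. The gateway check remains a first line of defence, but each service verifying the token itself means an internal caller that bypasses the gateway gains nothing.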
