7 Securing service-to-service communication with JWT

This chapter covers

  • The role of JSON Web Token (JWT) in securing service-to-service communication among microservices
  • Using JWT to carry user context between microservices
  • Using JWT for cross-domain authentication
  • Using JWT for message level encryption and signature

In chapter 6, we discussed securing service-to-service communication in a microservices deployment with mutual Transport Layer Security (mTLS). mTLS is in fact the most popular option for authenticating one microservice to another, in building a zero-trust network. JWT too plays a key role in securing service-to-service communication. It can be used to carry the identity of the calling microservice, or the identity of the end user or the system that initiated the request. The JWT can also be used to propagate identity attributes between multiple trust domains. We explore in this chapter the role that JWT plays in securing service-to-service communication in a microservices deployment. If you are not familiar with JWT, we recommend you first go through appendix H. Appendix H provides a comprehensive overview of JWT.

7.1   Use cases for securing microservices with JWT

7.1.1   Securing service-to-service communications and sharing user context between microservices (with the same JWT)

7.1.2   Securing service-to-service communication and sharing user context with a new JWT for each service to service interaction

7.1.3   Cross-domain authentication and sharing user context between microservices in different trust domains

7.1.4   Self-issued JWTs

7.1.5   Nested JWTs

7.2   Setting up an STS to issue JWTs

7.3   Securing microservices with JWT

7.4   Using JWT as a data source to do access control

7.5   Securing service-to-service communication with JWT

7.6   Exchanging a JWT for a new one with a new audience

7.7   Summary

sitemap