7 Securing service-to-service communication with JWT

 

This chapter covers

  • The role of JSON Web Token (JWT) in securing service-to-service communication among microservices
  • Using JWT to carry user context between microservices
  • Using JWT for cross-domain authentication
  • Using JWT for message-level encryption and signatures

In chapter 6, we discussed securing service-to-service communication in a microservices deployment with mutual Transport Layer Security (mTLS). mTLS is, in fact, the most popular option for authenticating one microservice to another when building a zero-trust network. JWT also plays a key role in securing service-to-service communication: it can carry the identity of the calling microservice, or the identity of the end user or the system that initiated the request. A JWT can also be used to propagate identity attributes between multiple trust domains. In this chapter, we explore the role that JWT plays in securing service-to-service communication in a microservices deployment. If you are not familiar with JWT, we recommend that you first go through appendix H, which provides a comprehensive overview of JWT.

7.1   Use cases for securing microservices with JWT

7.1.1   Securing service-to-service communications and sharing user context between microservices (with the same JWT)

7.1.2   Securing service-to-service communication and sharing user context with a new JWT for each service-to-service interaction

7.1.3   Cross-domain authentication and sharing user context between microservices in different trust domains

7.1.4   Self-issued JWTs

7.1.5   Nested JWTs

7.2   Setting up an STS to issue JWTs

7.3   Securing microservices with JWT

7.4   Using JWT as a data source to do access control

7.5   Securing service-to-service communication with JWT

7.6   Exchanging a JWT for a new one with a new audience

7.7   Summary
