Zero trust across micro-services using JWT

Çağlar Arlı      -    75 Views

I am planning to implement JWT authentication on my micro-services to achieve a zero trust architecture. The user will generate a JWT token through the front-end micro-service. Each subsequent request will contain this JWT, which will be forwarded to backend services so the service can authenticate the user on its own instead of taking a simple user id from the front-end service. The scenario fails in two conditions:

  • The user initiates a call on the front-end service which generates a long list of steps to be performed on backend services sequentially. The JWT token will eventually expire and the sequence of steps will stop, as backend services will not authenticate further requests from the front end with an expired token.
  • A backend service starts some process on a user resource through an internal process, e.g. delete the user's server if the invoice is unpaid.

In both scenarios the user will not be available to generate a new JWT token through login credentials. Should I implement one-time and purpose-specific tokens in addition to JWT to resolve these issues, or is there a better alternative?
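
An added illustration, not part of the original question: a Python sketch of the one-time, purpose-specific token idea raised above, showing a backend rejecting the expired user token mid-workflow while accepting a step token that is bound to one audience and one action and cannot be replayed. The names `mint`, `verify`, the purpose strings, the shared HMAC key and the in-memory replay set are all assumptions made for the example.

```python
import base64, hashlib, hmac, json, secrets, time

KEY = secrets.token_bytes(32)   # assumption: signing key held by the token issuer
_used_jti = set()               # assumption: in-memory replay cache (a shared store in practice)

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint(sub, aud, purpose, ttl, now=None):
    """Issue a signed token bound to one subject, one audience and one purpose."""
    now = time.time() if now is None else now
    claims = {"sub": sub, "aud": aud, "purpose": purpose,
              "exp": now + ttl, "jti": secrets.token_hex(8)}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(KEY, body.encode(), hashlib.sha256).digest())
    return body + "." + sig

def verify(token, aud, purpose, one_time=False, now=None):
    """Return the claims if the token is valid for this service and action, else None."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        expected = _b64(hmac.new(KEY, body.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(sig, expected):
            return None
        claims = json.loads(_unb64(body))
    except (ValueError, TypeError):
        return None
    if claims["aud"] != aud or claims["purpose"] != purpose or now >= claims["exp"]:
        return None
    if one_time:
        if claims["jti"] in _used_jti:   # replayed token
            return None
        _used_jti.add(claims["jti"])
    return claims

def demo():
    t0 = 1_700_000_000  # constructed timestamps
    user_jwt = mint("user-42", "backend", "user-session", ttl=300, now=t0)
    # Issued while the user token is still valid, scoped to one step of the workflow
    step = mint("user-42", "backend", "provision-step-7", ttl=3600, now=t0 + 60)
    late = t0 + 1800  # the step runs 30 minutes later
    return (verify(user_jwt, "backend", "user-session", now=late) is None,
            verify(step, "backend", "provision-step-7", one_time=True, now=late) is not None,
            verify(step, "backend", "provision-step-7", one_time=True, now=late) is None,
            verify(step, "backend", "delete-server", now=late) is None)
```

`demo()` returns four booleans: the user token is rejected as expired, the step token is accepted once, its replay is rejected, and the same token is rejected for a different purpose.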