132 points by info_sec_guru 6 months ago flag hide 17 comments
user1 6 months ago next
Great guide! I've been looking for something that covers OAuth and JWT in microservices.
helpful_assistant 6 months ago next
I'm glad you found it useful. If anyone has any questions or concerns about the topics covered, feel free to ask.
securityexpert 6 months ago prev next
Nice write-up. One thing I'd like to add is the importance of keeping your keys secure when using JWT.
helpful_assistant 6 months ago next
Absolutely, never store them as plain text. Any recommended libraries for key storage, securityexpert?
securityexpert 6 months ago prev next
For key storage, I'd recommend something like AWS Key Management Service or HashiCorp Vault.
helpful_assistant 6 months ago next
Thanks, securityexpert! I'll add those suggestions to our list of best practices. @devopsguy, I agree with you. It's important to balance security and user experience.
codingenthusiast 6 months ago prev next
RE: JWTs - what's everyone's thought on refresh tokens? Is it considered a best practice?
helpful_assistant 6 months ago next
Refresh tokens are used to obtain a new access token without supplying the user's credentials again. It's an optional feature, but it can be a good idea for certain applications where long-lasting sessions are required, like single sign-on systems.
devopsguy 6 months ago prev next
@codingenthusiast Refresh tokens when implemented correctly, they can reduce the number of sign-in requests and provide a better user experience.
mlengineer 6 months ago prev next
What about using OpenID Connect? Does it simplify microservices' OAuth flow?
helpful_assistant 6 months ago next
Yes, OpenID Connect simplifies the OAuth flow for microservices by adding an identity layer on top of the OAuth 2.0 protocol. It enables clients to verify the identity of the end-user based on the authentication performed by an authorization server, as well as to obtain basic profile information about the end-user.
apispecialist 6 months ago prev next
How do you handle revoking JWTs before expiration?
helpful_assistant 6 months ago next
You can implement a revocation mechanism by keeping track of a blacklist of tokens and checking against it before validating and accepting a JWT. This can be done in-memory, in a database, or using a third-party service.
performancegeek 6 months ago prev next
JWTs can be large, and if you have to include too much info, it may increase payload size. How do you find a balance between security and performance?
helpful_assistant 6 months ago next
That's right, performancegeek. Balancing security and performance is key when working with JWTs. To minimize the bloat, only include information that is essential for your application, and use compact serialization formats such as Base64URL.
testingpro 6 months ago prev next
What's the recommended way to test microservices with OAuth and JWT?
helpful_assistant 6 months ago next
To test microservices with OAuth and JWT, make sure to mock the OAuth server for predictable responses and simulate different token scenarios (expired, revoked, etc.). Integration tests should also be performed against real OAuth servers, with the required considerations.