DEV Community

Discussion on: How I Fixed JWT Security Flaws in 3 Steps

byrro profile image
Renato Byrro Author • Edited on

That's a good question!

What I would do is:

  • The public endpoint extracts the JWT from the cookie (sent with the HTTP request)
  • Process the JWT to extract the User object
  • When invoking other microservices internally, pass the User object with the requests
  • If I'm implementing an event-driven architecture, I would maybe include only the User ID (to avoid bloating the messages too much), and each microservice can retrieve the entire User object from a database storage

That's actually the same thing if the JWT was coming as a header or in the request body payload. The public endpoint would need to extract and pass around to internal services anyway...

Does that make sense? ๐Ÿ˜‰

kvsm profile image
Kevin Smith ๐Ÿด๓ ง๓ ข๓ ณ๓ ฃ๓ ด๓ ฟ

So you're suggesting to have a single public service which proxies requests to other backend services? This is actually how we have just implemented this at my work. ๐Ÿ™‚

However, my question was how you would approach it if you had multiple services your frontend could communicate with directly. One of the advantages of JWT is that any service with access to the signing secret can verify the token and trust the claims within. So, in theory, if an auth service issues the token to the frontend, then another service can receive and decode the token without involving the auth service again. But how can we secure the token on the frontend in this case?

Thread Thread
byrro profile image
Renato Byrro Author • Edited on

In that case, I can see two options:

  1. Each public endpoint has the secret and can decode the JWT by itself
  2. A single internal service is dedicated to decoding the JWT, which would serve multiple public endpoints whenever they need
Implementation Pros Cons
Distributed secret Reduced complexity and latency Secret is more exposed, repeated functionality across different services reduces maintainabilityยน
Dedicated JWT decoder Reduces attack surface, more maintainable May increase services coupling, increased latency

ยน Some architectures have resources to mitigate that. The JWT decoding could be implemented as a Layer, if you're using AWS Lambda, for example.

Side comment: I would be very interested in reading more about the implementation you and your team are using! Do you have any plans to write about it? I see pros and cons about proxying requests from a single endpoint.