Tips for architecture for authentication in microservice driven application.

All ms contain the code to authenticate? (Breaks single responsibly principle)

Edge level authorization?(gateway)
Service level?

FE - Gateway: session token

Gateway - Microservices: JWT/PASETO

We are currently building something along these lines. Gateway intercepts request, replaces session-token in auth-header with JWT (redis). Requests to /login and /refresh are redirected to auth-service and parsed accordingly; JWT stays on the BE. /logout just drops the key.

(Auth-service creates JWT with private key, all other services validate with public key.)

If you can live with the downsides of storing JWT/PASETO in cookie, drop the gateway. Biggest problem: there is no actual logout by design; needs blocklist which means you 100% need DB for validating JWT.

- Vercel Edge Middleware
- Next-Auth
- Netlify
- Auth0

Check out their edge Auth solutions.

ms behind service mesh?