2

I'm attempting to implement a security solution for a micro-services architecture. My authentication server supports OAuth2 and OIDC.

I'm trying to figure out if I can pass a JWT token between my micro-services to avoid having to repeatedly exchange an opaque token to get the user's claims. There's nothing (practical) that stops me doing that. I can:

  • Use the JWT (ID token) I get from the auth server as a bearer token when making the calls.
  • Each service can validate that token against the auth server's (cached) JWKS to make sure it's valid.
  • Each service can include the token on its calls to other services.

I've read that it's ok for an access token to be a JWT.

Great, but:

should I?

My (moral?) issue is this:

A JWT is intended for a specific audience. In fact the spec basically says that if it's not for you, you should reject it.

A Bearer token is intended to be non-audience specific. So if I issue a token that says that the bearer can read my mail, it can get passed through half a dozen different services, any one of which should be able to read my mail.

So my question is simply, how can a JWT be a bearer token?

Bonus points for links to any nice articles/videos/examples of an effective distributed authentication solution!

Andy N
  • You can take a look here: https://stackoverflow.com/questions/40375508/whats-the-difference-between-jwts-and-bearer-token *JWT can be used for many things, among those are bearer tokens, i.e. a piece of information that you can present to some service that by virtue of you having it (you being the "bearer") grants you access to something.* – Renan Apr 30 '19 at 19:10
  • Hence the contradiction! I call service X with a token. Service X calls service Y with the token. If it's an opaque token, fine. If it's a JWT then one of those services just broke the rules (since they can't both be the intended audience). – Andy N Apr 30 '19 at 19:41
  • I asked a similar question some time back https://stackoverflow.com/questions/29710783/may-an-oauth-2-0-access-token-be-a-jwt – bjmc Aug 30 '23 at 10:26

1 Answer

1

A JWT is intended for a specific audience. In fact the spec basically says that if it's not for you, you should reject it.

This is the case also for a bearer token. It can be passed on by anyone, but only the audience should act on its validity.

So, service X can get a JWT bearer token with intended audience service Y. It will not give the calling client any authorization based on that, but calling service Y with it does not violate the audience claim. What would violate the audience claim is if service X validates the JWT, seeing the mismatching audience and says "Well, since the client has a JWT stating that it is user Fubar, I can return some info about user Fubar.".

The difference for an opaque non-JWT bearer token is that service X would have no way to misuse it...

fiddur
  • Ahhh. Of course. I misread the spec. It doesn't matter who a token comes _from_ but it is important who it _goes to_. Thanks! – Andy N May 02 '19 at 11:03
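The following is an added example, not code from the question or the answer, that shows the audience rule the answer describes and the validation steps the question lists (verify the signature, then check the claims before acting). Service X receives a bearer JWT whose `aud` names service Y: X verifies it but grants nothing on the strength of it, forwards it unchanged, and Y, the named audience, acts on it. The service names `svc-x` and `svc-y`, the user `fubar` and the claims are constructed for the demo. To keep it runnable offline with only the standard library, the auth server's signature is a shared-secret HS256 HMAC standing in for the RS256/ES256 signature a real service would verify against the cached JWKS; the audience, expiry and algorithm-pinning logic is the same either way.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret. A real deployment verifies an asymmetric signature
# against the auth server's JWKS instead; HMAC only keeps the example offline.
SIGNING_KEY = b"constructed-demo-key-do-not-use"


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims, key=SIGNING_KEY):
    """Auth-server side: issue an HS256 JWT carrying the given claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


class TokenRejected(Exception):
    """Raised when a service must not act on the presented token."""


def verify_jwt(token, expected_aud, now=None, key=SIGNING_KEY):
    """Validate signature, expiry and audience; return the claims or raise."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise TokenRejected("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the token must never choose it (alg=none, key confusion).
    if header.get("alg") != "HS256":
        raise TokenRejected("unexpected alg")
    expected_sig = hmac.new(
        key, (header_b64 + "." + payload_b64).encode("ascii"), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise TokenRejected("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" not in claims or now >= claims["exp"]:
        raise TokenRejected("expired")
    # RFC 7519 4.1.3: aud is a string or an array of strings, and a recipient
    # that is not named in it must reject the token.
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if expected_aud not in audiences:
        raise TokenRejected("audience %r does not include %r" % (audiences, expected_aud))
    return claims


def service_y(token, now=None):
    """Service Y is the intended audience, so it acts on the token."""
    claims = verify_jwt(token, expected_aud="svc-y", now=now)
    return {"mail_for": claims["sub"]}


def service_x(token, now=None):
    """Service X gets a token minted for Y. It must not authorise anything
    locally on the strength of it, but forwarding it to Y is fine."""
    result = {"authorized_locally": False}
    try:
        verify_jwt(token, expected_aud="svc-x", now=now)
        result["authorized_locally"] = True  # only when X itself is in aud
    except TokenRejected as err:
        result["reason"] = str(err)
    # Forward the bearer token unchanged; Y performs its own validation.
    result["from_y"] = service_y(token, now=now)
    return result


if __name__ == "__main__":
    token = mint_jwt({"sub": "fubar", "aud": "svc-y", "exp": 2000})
    print(service_x(token, now=1000))
```

Running it shows X reporting `authorized_locally: False` with the audience mismatch as the reason, while the forwarded call still returns Y's result for `fubar`. Minting the token with `"aud": ["svc-x", "svc-y"]` instead lets both services act on it, which is how a multi-audience token is meant to work; the thing to avoid is a service that only checks the signature and then serves whatever `sub` it finds.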