
I'm currently setting up an API gateway for our services. The API gateway handles the token validation (via OpenID Connect). The request is only routed to the target backend service if the token is valid.

Should I then also validate the token in the backend service itself? The service needs information from the token to modify the database query (only read resources that the user is permitted to). But this means that I have to validate the token again, right?

Is this best practice? Am I overlooking something? Does it make sense to validate the token at the API gateway in this case?

Raman
  • It makes sense as a general pattern to validate the JWT at the gateway, not at the services behind it. In other cases, the services might not need the JWT anyway. – Tim Biegeleisen Jul 26 '21 at 06:59
  • But the service needs to know which user is requesting a particular resource. Only the service can implement authorization (not authentication), right? How should the service implement this without a JWT? – Raman Jul 26 '21 at 07:33
  • I'm not saying don't pass the JWT beyond the gateway, I'm saying do the auth check at the gateway, to free the services behind the gateway from having to worry about this. – Tim Biegeleisen Jul 26 '21 at 07:36

1 Answer

I faced the same question, and after some research I realized that it is reasonable to call the IdP twice (once from the API gateway, and once from the API services behind it).

For the call from the API gateway, it authenticates the caller to make sure the caller holds a valid token. This seems to be necessary in the API gateway pattern.

For the call from the back-end API services, it is optional. If the token (e.g. JWT) itself contains enough user information for authorization or other user-related use cases, the call to the IdP is unnecessary (because the gateway ensures the token is valid and therefore introspection is unnecessary). However, the back-end API services may also call the userinfo endpoint of the IdP with the token to retrieve other required information, or make other calls to the IdP based on your own use cases.

In conclusion, it is unnecessary to validate the token twice in the API gateway pattern, but it is not prohibited to call the IdP twice with the same token.

Tonny Tc
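As an added example (not from the question or the answer above), this is what local validation in a back-end service can look like: the service checks the signature and the iss/aud/exp claims itself, so no second IdP round trip is needed, and then takes the user id for its database filter from the verified `sub` claim instead of from the request. HS256 with a shared secret is used only so the example runs offline with the standard library; a real OIDC deployment verifies RS256 tokens against the IdP's JWKS with a JWT library, and the issuer, audience and secret below are constructed values.

```python
import base64, hashlib, hmac, json, time

# Constructed values; in production ISSUER/AUDIENCE come from OIDC discovery, the key from JWKS.
ISSUER = "https://idp.example.com"
AUDIENCE = "inventory-service"
SHARED_SECRET = b"constructed-demo-secret"  # HS256 so the example runs offline

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def verify_jwt(token, now=None):
    """Check signature and core claims locally (no IdP round trip); return claims or raise."""
    now = time.time() if now is None else now
    try:
        h_b64, p_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
        claims = json.loads(b64url_decode(p_b64))
    except (ValueError, UnicodeDecodeError):
        raise ValueError("malformed token")
    if header.get("alg") != "HS256":  # pin the algorithm; never trust alg from the token
        raise ValueError("unexpected alg")
    expected = hmac.new(SHARED_SECRET, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("expired")
    if not claims.get("sub"):
        raise ValueError("missing sub")
    return claims

def scoped_query(token, now=None):
    """Bind the verified subject into the query; never take the user id from the request body."""
    sub = verify_jwt(token, now)["sub"]
    return "SELECT id, name FROM documents WHERE owner_id = ?", (sub,)

def mint_demo_token(claims):
    """Constructed stand-in for the IdP, used only to build sample input."""
    h = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    p = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SHARED_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"
```

Because the signature check is offline, re-validating in the service costs no extra IdP call; the userinfo endpoint is only needed when the token does not carry the claims the service requires.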