0

We are trying to set up a scheduled job based on NodeJS which will call an API via an API gateway. The API calls another API. There is no user or browser involved. The call must be authenticated and have a valid OAuth token from our IdP. How should it look like to have a more secure approach?

How the flow should look like? Which one the API Gateway or the second API should validate the token? or both? Thanks

user217648
  • 3,338
  • 9
  • 37
  • 61

1 Answers1

1

A key point is that JWT access token validation is designed to scale. In older architectures it was common to use perimeter security (eg API gateway validates token) but this is no longer recommended.

Instead validate the JWT in each API using a library. Here is some example code and for other technologies see Curity API Guides.

Here are a couple of related articles if you are interested in API security trends:

Finally, this article discusses that JWTs can often be forwarded between microservices, to keep your code simple.

Gary Archer
  • 22,534
  • 2
  • 12
  • 24
  • Thanks, in the example code, the first method does validation in api gateway? And second one in the api itself? How the architecture flow should be? – user217648 Nov 30 '21 at 21:09
  • 1
    The example code shoild run within each API. The gateway can be involved in security in an introspection role, but the future direction is for each API to validate a JWT before allowing requests. – Gary Archer Nov 30 '21 at 21:12