Skip to content

re: How I Fixed JWT Security Flaws in 3 Steps VIEW POST

re: So you're suggesting to have a single public service which proxies requests to other backend services? This is actually how we have just implemente...

In that case, I can see two options:

  1. Each public endpoint has the secret and can decode the JWT by itself
  2. A single internal service is dedicated to decoding the JWT, which would serve multiple public endpoints whenever they need
Implementation Pros Cons
Distributed secret Reduced complexity and latency Secret is more exposed, repeated functionality across different services reduces maintainability¹
Dedicated JWT decoder Reduces attack surface, more maintainable May increase services coupling, increased latency

¹ Some architectures have resources to mitigate that. The JWT decoding could be implemented as a Layer, if you're using AWS Lambda, for example.

Side comment: I would be very interested in reading more about the implementation you and your team are using! Do you have any plans to write about it? I see pros and cons about proxying requests from a single endpoint.

code of conduct - report abuse