Challenges of JWT Authentication in Microservices

 What “Token Relay” Actually Means Token Relay is the process where a service receives an OAuth2/JWT access token and passes the same token to downstream services during internal API calls. This ensures the user’s identity and permissions travel across the entire request chain. Why it matters Without token relay, downstream services only know that another service called them—not which user initiated the request. This breaks RBAC, auditing, and multi‑tenant isolation. 🧠 How Token Relay Works (Step-by-Step) User authenticates via OAuth2/OpenID Connect → receives a signed JWT. Client sends request to API Gateway with Authorization: Bearer <token>. Gateway validates the token (signature, expiry, issuer, scopes). Gateway forwards the same token to internal microservices. Each microservice validates the token independently and applies authorization. This pattern is often summarized as: Authenticate once. Validate everywhere. 🏗️ Token Relay in Spring Cloud (Java Ecosystem) Spring Cloud Gateway supports Token Relay natively: It extracts the OAuth2 access token from the authenticated user. It forwards the token to downstream services by adding it to the request header. It works with OAuth2 clients configured via spring.security.oauth2.client.* properties. Example (YAML): yaml spring: cloud: gateway: routes: - id: resource uri: http://localhost:9000 predicates: - Path=/resource filters: - TokenRelay This ensures the gateway forwards the user’s token to /resource. 🧩 Where Token Relay Is Used ✔ Microservices To propagate identity across services (Order → Payment → Inventory). ✔ API Gateways Spring Cloud Gateway, Zuul, or custom gateways forward tokens. ✔ OAuth2 / OpenID Connect Used to avoid re-authenticating at each hop. 🚀 When You Should Use Token Relay Use it when you have: Microservices needing user-level authorization API Gateway validating tokens Stateless, cloud-native architecture Need for secure identity propagation #SpringBoot #SpringSecurity #Java #BackendDevelopment #SoftwareEngineering #ApplicationSecurity #APISecurity #ProgrammingTips #DevelopersCommunity

🔐 How JWT (JSON Web Token) Works JWT is one of the most widely used approaches for securing APIs in modern backend systems, especially in microservices. Here’s a simple way to understand it 👇 ✅ JWT Structure A JWT consists of 3 parts: Header → Algorithm & token type Payload (Claims) → User data, roles, permissions Signature → Ensures integrity using secret/private key ⚠️ Important: JWT is encoded (Base64Url), NOT encrypted by default (Encryption is done using JWE, not standard JWT) 🚀 Authentication Flow User logs in with credentials Authorization server generates & signs JWT Client stores token (HttpOnly cookie / LocalStorage) Client sends token in Authorization: Bearer <JWT> Resource server validates signature & claims Access to protected APIs is granted 💡 Why JWT is powerful Stateless → No server-side session storage Scalable → Ideal for distributed systems Fast → Reduced DB lookups Flexible → Works across services & domains 🎯 Real-world usage (my experience) Used JWT-based authentication in a high-throughput microservices system to secure APIs and reduce session dependency, improving performance and scalability. #JWT #BackendDevelopment #SpringBoot #Microservices #APISecurity #Java

Folks, Today’s focus: OAuth2.0 Flow in real-world backend systems Ever wondered how secure authorization actually happens in modern microservices? Here’s a simple breakdown: 1️⃣ User logs in via Authorization Server 2️⃣ Access Token is generated 3️⃣ Client uses token to access APIs 4️⃣ Resource Server validates token before granting access 💡 Key Idea: OAuth2.0 does NOT handle authentication directly — it focuses on authorization using access tokens, making systems secure, scalable, and stateless. This approach is widely used in: 🔐 Spring Security implementations ☁️ Microservices architectures 🚪 API Gateway security layers Understanding this flow is essential if you're building production-grade backend systems. — Asad | Java Backend Developer #Java #SpringBoot #OAuth2 #Security #Microservices #SystemDesign #BackendDevelopment #LearningSeries

Recently I worked on a microservices project where I had to implement JWT based authentication with RBAC. Implementing this in a monolith is not the challenge. Doing it across multiple microservices without repeated user checks is where things get real. Here is the approach I used: • API Gateway validates JWT and routes requests • No loadUserByUsername call on every request • Token carries userId and roles But we do not trust the gateway alone. Each microservice follows zero trust: • Validates JWT again locally • No database or auth service call • Uses roles from token for authorization RBAC is handled in layers: • Gateway for coarse access control • Microservices for fine grained checks using @PreAuthorize Result: Stateless authentication across services with strong security and no performance bottlenecks. Check out the full blog : https://lnkd.in/g3kehZp9 Source code : https://lnkd.in/gCGGYjKF You can explore the API Gateway, User Service, and Product Service modules in the repository. #Java #SpringBoot #Microservices #JWT #Security #BackendDevelopment

I built my own OAuth2 Identity Provider from scratch using Spring Authorization Server. The goal: a reusable authentication backbone for my personal microservices projects. Instead of reinventing auth in every new service, I now have a single IdP that issues JWT tokens, supports a custom password grant, and persists everything in PostgreSQL via JDBC. Next step is integrating it with my existing projects - which will almost certainly reveal some design flaws along the way. If you're into code review and want to dig into Spring Security internals together, I'd really appreciate a fresh pair of eyes. Drop a comment or reach out! 🙌 🔗 GitHub: https://lnkd.in/dXnnZe26 #Java #SpringBoot #SpringSecurity #OAuth2 #JWT #Microservices #JuniorDeveloper

The Silent Hero of Microservices: Why Every System Needs an API Gateway API Gateway acts as the front door of microservices , Handles routing, aggregation, and security in one place. Makes distributed systems easier to manage. It acts as a single entry point, managing routing, security, authentication, and performance—so your services stay clean and focused. #Microservices #APIGateway #SystemDesign #BackendDevelopment #Java #SpringBoot Read Full Story - https://lnkd.in/gSxCydw9

🔐 𝕁𝕎𝕋 𝕚𝕟 𝕄𝕚𝕔𝕣𝕠𝕤𝕖𝕣𝕧𝕚𝕔𝕖𝕤 — ℕ𝕠𝕥 𝕁𝕦𝕤𝕥 “𝔸𝕦𝕥𝕙𝕖𝕟𝕥𝕚𝕔𝕒𝕥𝕚𝕠𝕟”, 𝔹𝕦𝕥 𝔸𝕣𝕔𝕙𝕚𝕥𝕖𝕔𝕥𝕦𝕣𝕖 I often see this sentence: “We use JWT for authentication.” But what really matters is how it actually flows inside a microservices system. Because JWT is not just a token… it’s a design decision. 🚀 𝗛𝗲𝗿𝗲’𝘀 𝗵𝗼𝘄 𝗜 𝘁𝗵𝗶𝗻𝗸 𝗮𝗯𝗼𝘂𝘁 𝗶𝘁 𝗶𝗻 𝗮 𝗦𝗽𝗿𝗶𝗻𝗴 𝗕𝗼𝗼𝘁 𝘀𝗲𝘁𝘂𝗽 : 1️⃣ 𝐋𝐨𝐠𝐢𝐧 𝐩𝐡𝐚𝐬𝐞 A request hits the Auth Service with user credentials. 2️⃣ 𝐕𝐚𝐥𝐢𝐝𝐚𝐭𝐢𝐨𝐧 Spring Security handles authentication: → user details → password check → roles / authorities 3️⃣ 𝐓𝐨𝐤𝐞𝐧 𝐜𝐫𝐞𝐚𝐭𝐢𝐨𝐧 If everything is valid, we generate a JWT that contains: → user identity → roles / permissions → issued & expiration time Then it’s signed (secret key or private key). 4️⃣ 𝐓𝐨𝐤𝐞𝐧 𝐢𝐧 𝐞𝐯𝐞𝐫𝐲 𝐫𝐞𝐪𝐮𝐞𝐬𝐭 The client sends: Authorization: Bearer <token> No session. No state. 5️⃣ 𝐕𝐚𝐥𝐢𝐝𝐚𝐭𝐢𝐨𝐧 𝐚𝐭 𝐭𝐡𝐞 𝐞𝐝𝐠𝐞 (𝐆𝐚𝐭𝐞𝐰𝐚𝐲 / 𝐒𝐞𝐫𝐯𝐢𝐜𝐞𝐬) Each request is verified independently: → signature validity → expiration → claims / roles 6️⃣ 𝐀𝐮𝐭𝐡𝐨𝐫𝐢𝐳𝐚𝐭𝐢𝐨𝐧 𝐝𝐞𝐜𝐢𝐬𝐢𝐨𝐧 Access is granted (or denied) based on what’s inside the token. 💡 𝗪𝗵𝘆 𝘁𝗵𝗶𝘀 𝗺𝗮𝘁𝘁𝗲𝗿𝘀 𝗶𝗻 𝗺𝗶𝗰𝗿𝗼𝘀𝗲𝗿𝘃𝗶𝗰𝗲𝘀 ? JWT enables stateless security: ✔ No shared session storage ✔ Each service can validate requests independently ✔ Works naturally with API Gateway ✔ Scales cleanly in distributed systems ⚙️ 𝗜𝗺𝗽𝗼𝗿𝘁𝗮𝗻𝘁 𝗻𝘂𝗮𝗻𝗰𝗲 (𝗼𝗳𝘁𝗲𝗻 𝗼𝘃𝗲𝗿𝗹𝗼𝗼𝗸𝗲𝗱) : Spring Security gives you the framework → filters → security context → authentication flow But you still design the JWT logic yourself → token generation → validation → custom filters 🧠 𝗠𝘆 𝗺𝗲𝗻𝘁𝗮𝗹 𝗺𝗼𝗱𝗲𝗹 : Login → Validate → Generate → Attach → Verify → Authorize Simple flow… but critical to get right. ⚠️ 𝗪𝗵𝗮𝘁 𝗿𝗲𝗮𝗹𝗹𝘆 𝗺𝗮𝘁𝘁𝗲𝗿𝘀 𝗶𝗻 𝗽𝗿𝗼𝗱𝘂𝗰𝘁𝗶𝗼𝗻 ? Keep access tokens short-lived. Always use HTTPS. Never expose signing keys. Avoid sensitive data inside the payload. Design refresh token & revocation strategy carefully. 🎯 𝗧𝗮𝗸𝗲𝗮𝘄𝗮𝘆 : JWT is not just about logging users in. It’s about building secure, scalable, stateless systems. And in microservices… that makes all the difference. #SpringBoot #Java #SpringSecurity #JWT #Microservices #APISecurity #BackendDevelopment #SystemDesign #SoftwareArchitecture

🔐 𝕁𝕎𝕋 𝕚𝕟 𝕄𝕚𝕔𝕣𝕠𝕤𝕖𝕣𝕧𝕚𝕔𝕖𝕤 — ℕ𝕠𝕥 𝕁𝕦𝕤𝕥 “𝔸𝕦𝕥𝕙𝕖𝕟𝕥𝕚𝕔𝕒𝕥𝕚𝕠𝕟”, 𝔹𝕦𝕥 𝔸𝕣𝕔𝕙𝕚𝕥𝕖𝕔𝕥𝕦𝕣𝕖 I often see this sentence: “We use JWT for authentication.” But what really matters is how it actually flows inside a microservices system. Because JWT is not just a token… it’s a design decision. 🚀 𝗛𝗲𝗿𝗲’𝘀 𝗵𝗼𝘄 𝗜 𝘁𝗵𝗶𝗻𝗸 𝗮𝗯𝗼𝘂𝘁 𝗶𝘁 𝗶𝗻 𝗮 𝗦𝗽𝗿𝗶𝗻𝗴 𝗕𝗼𝗼𝘁 𝘀𝗲𝘁𝘂𝗽 : 1️⃣ 𝐋𝐨𝐠𝐢𝐧 𝐩𝐡𝐚𝐬𝐞 A request hits the Auth Service with user credentials. 2️⃣ 𝐕𝐚𝐥𝐢𝐝𝐚𝐭𝐢𝐨𝐧 Spring Security handles authentication: → user details → password check → roles / authorities 3️⃣ 𝐓𝐨𝐤𝐞𝐧 𝐜𝐫𝐞𝐚𝐭𝐢𝐨𝐧 If everything is valid, we generate a JWT that contains the following: → user identity → roles / permissions → issued & expiration time Then it’s signed (secret key or private key). 4️⃣ 𝐓𝐨𝐤𝐞𝐧 𝐢𝐧 𝐞𝐯𝐞𝐫𝐲 𝐫𝐞𝐪𝐮𝐞𝐬𝐭 The client sends: Authorization: Bearer <token> No session. No state. 5️⃣ 𝐕𝐚𝐥𝐢𝐝𝐚𝐭𝐢𝐨𝐧 𝐚𝐭 𝐭𝐡𝐞 𝐞𝐝𝐠𝐞 (𝐆𝐚𝐭𝐞𝐰𝐚𝐲 / 𝐒𝐞𝐫𝐯𝐢𝐜𝐞𝐬) Each request is verified independently: → signature validity → expiration → claims / roles 6️⃣ 𝐀𝐮𝐭𝐡𝐨𝐫𝐢𝐳𝐚𝐭𝐢𝐨𝐧 𝐝𝐞𝐜𝐢𝐬𝐢𝐨𝐧 Access is granted (or denied) based on what’s inside the token. 💡 𝗪𝗵𝘆 𝗱𝗼𝗲𝘀 𝘁𝗵𝗶𝘀 𝗺𝗮𝘁𝘁𝗲𝗿 𝗶𝗻 𝗺𝗶𝗰𝗿𝗼𝘀𝗲𝗿𝘃𝗶𝗰𝗲𝘀? JWT enables stateless security: ✔ No shared session storage ✔ Each service can validate requests independently ✔ Works naturally with API Gateway ✔ Scales cleanly in distributed systems ⚙️ 𝗜𝗺𝗽𝗼𝗿𝘁𝗮𝗻𝘁 𝗻𝘂𝗮𝗻𝗰𝗲 (𝗼𝗳𝘁𝗲𝗻 𝗼𝘃𝗲𝗿𝗹𝗼𝗼𝗸𝗲𝗱) : Spring Security gives you the framework → filters → security context → authentication flow But you still design the JWT logic yourself → token generation → validation → custom filters 🧠 𝗠𝘆 𝗺𝗲𝗻𝘁𝗮𝗹 𝗺𝗼𝗱𝗲𝗹 : Login → Validate → Generate → Attach → Verify → Authorize Simple flow… but critical to get right. ⚠️ 𝗪𝗵𝗮𝘁 𝗿𝗲𝗮𝗹𝗹𝘆 𝗺𝗮𝘁𝘁𝗲𝗿𝘀 𝗶𝗻 𝗽𝗿𝗼𝗱𝘂𝗰𝘁𝗶𝗼𝗻 ? Keep access tokens short-lived. Always use HTTPS. Never expose signing keys. Avoid sensitive data inside the payload. Design refresh token & revocation strategy carefully. 🎯 𝗧𝗮𝗸𝗲𝗮𝘄𝗮𝘆 : JWT is not just about logging users in. It’s about building secure, scalable, stateless systems. And in microservices… that makes all the difference. #SpringBoot #Java #SpringSecurity #JWT #Microservices #APISecurity #BackendDevelopment #SystemDesign #SoftwareArchitecture

🔐 Spring Security + Keycloak: Securing Microservices End-to-End In many Spring Boot projects, we start by handling authentication manually (JWT, login, password…). But once you move to a microservices architecture, things quickly get messy 😵 👉 That’s where Keycloak comes in. 🚀 The idea Instead of managing security in every service: ✅ Keycloak becomes the authentication brain ✅ Spring Boot becomes a Resource Server that validates tokens 🔄 Real production flow 1️⃣ User logs in (email + password) 2️⃣ Keycloak validates credentials 3️⃣ Keycloak generates a JWT (access_token) 4️⃣ The frontend sends this token with every request: Authorization: Bearer <token> 5️⃣ Spring Boot: validates the token signature checks expiration extracts roles 6️⃣ Access control is enforced using: @PreAuthorize("hasRole('ADMIN')") 🧠 Why this is powerful 🔥 Centralized security 🔥 Built-in SSO (Single Sign-On) 🔥 Easy role & permission management 🔥 Perfect for microservices + API Gateway 🔥 Based on OAuth2 / OpenID Connect standards ⚙️ Spring Boot side (simple & clean) spring: security: oauth2: resourceserver: jwt: issuer-uri: http://localhost:8080/realms/my-realm That’s it 🎯 ⚠️ Important note Keycloak returns roles like: "realm_access": { "roles": ["USER", "ADMIN"] } 👉 You need to map them to: ROLE_USER / ROLE_ADMIN so Spring Security can understand them. 💡 Summary Authentication → Keycloak Authorization → Spring Security 👉 Result: scalable, clean, and standardized security If you're working with Spring Boot + microservices, 👉 don’t reinvent authentication 💬 Let me know in the comments: Do you use custom JWT or Keycloak in your projects? #SpringBoot #SpringSecurity #Keycloak #Microservices #Java #Backend #OAuth2 #JWT #SoftwareArchitecture #APISecurity #Cloud #Tech