
Why do I need an authorisation server if my microservices can validate JWTs directly?

Software Engineering Stack Exchange

I'm working on a Spring-based microservice project and considering different approaches for handling authentication and authorisation. Instead of setting up a dedicated authorisation server, I'm thinking of implementing JWT validation directly within each microservice.

Proposed Approach

Each microservice will contain a JWT decoder bean to validate tokens locally. The public key for verifying JWT signatures will be retrieved from AWS Secrets Manager, allowing dynamic key rotation without service disruption. I plan to expose two authentication endpoints in my resource server:

  1. User authentication → Accepts a username and password to return a JWT access token and a refresh token.
  2. Service-to-service authentication → Issues a short-lived JWT to microservices. This could be implemented using either:
    • A service name and secret pair.
    • Mutual TLS (mTLS) for stronger security.

Reasons for This Approach

  • Cost efficiency – Avoids hosting a standalone authorization server just for issuing tokens.
  • Improved availability – No single point of failure; each microservice can validate JWTs independently.
  • Performance benefits – JWT validation is stateless, eliminating network calls to an external authorization server.
  • Secure key management – Fetching the public key from AWS Secrets Manager enables dynamic key rotation.
  • OAuth2 might be unnecessary – My system has no third-party applications, only:
    • Internal microservices communicating with each other.
    • A dashboard that retrieves user data using JWT authentication.

Question

Is this a valid approach? What are the potential pitfalls or improvements I should consider?

Edit

I forgot to mention that the user never communicates with the microservices. The user only communicates with the resource server. The microservices are purely machine-to-machine communication.