<p>I'm building a React-native application. The authentication is handled by Google Firebase. I'm slowly adding microservices hosted on Google App Engine to the stack, and it all works well as of now :)</p>
<p>However - how would you secure a microservice? I imagine it could be done by the JWT generated by Firebase, but how does that work when the microservices are distributed? (naturally!)</p>
<p>I obviously only want authenticated, valid users of my react-native application to be able to call the endpoint. But short of storing the JWT in a database on Firebase, and calling/validating it from each microservice for each call, I'm not sure of how to solve it. </p>
<p>This solution seems horribly inefficient as well, so I'm pretty sure it's not a good approach.</p>
<p>Any advice? Thanks a lot in advance :) </p>
<hr/>**Comments:**<br/><br/>beknowly: <pre><p><a href="https://firebase.google.com/docs/auth/admin/verify-id-tokens" rel="nofollow">https://firebase.google.com/docs/auth/admin/verify-id-tokens</a></p>
<p>The idea with JWT is that the token contains everything you need to validate it. It should be cryptographically signed, which means you can verify them & extract information without calling out to an external server. I've done exactly this before (go microservice w/ jwt), feel free to ping me if you have any questions.</p>
<p><a href="https://github.com/dgrijalva/jwt-go" rel="nofollow">https://github.com/dgrijalva/jwt-go</a> contains pretty much everything you'll need, pop in some of your own code for getting public keys and you should be set.</p></pre>cbll: <pre><p>So let me get this straight:</p>
<ol>
<li>The user logs in, Firebase returns a JWT</li>
<li>This JWT is stored in localStorage (or the equivalent, now that it's a mobile app) on the client</li>
<li>Upon calling the microservice endpoint, the user passes on the JWT from localStorage when doing the call</li>
<li>This is where I'm in doubt. What does the microservice do in this case? It receives the JWT, how does it know whether or not to return an HTTP 200 + data, or an HTTP 403 Forbidden? Not sure how to handle this case?</li>
</ol>
<p>On the Firebase docs, should I use the Go example, then? Is that it?</p>
<p>Sorry if I'm repeating myself. It's an interesting subject :) </p></pre>jaekim: <pre><p>For #4, your microservice needs to validate the signature that was used to sign the JWT (you can't just trust it since it came from the front end; by validating the signature, you can feel comfortable that it was in fact generated by your login API).</p>
<p>You will have to use some sort of secrets management to pass the key to your service on the backend.</p></pre>cbll: <pre><p>I was thinking something along those lines. So I need the Firebase JWT to create some sort of secret key that I then validate on the microservice? How would that be done in practice? </p></pre>JustinCampbell: <pre><p>The JWT is signed with a key. Your microservice needs that same key in order to verify the payload has not been changed.</p>
<p><a href="https://godoc.org/github.com/dgrijalva/jwt-go#Parser.Parse" rel="nofollow">https://godoc.org/github.com/dgrijalva/jwt-go#Parser.Parse</a></p></pre>cbll: <pre><p>From the client how should the JWT be appended? In the header?</p></pre>JustinCampbell: <pre><p>Yes, you could put it in the Authorization header prefixed with Bearer (eg <code>Authorization: Bearer TOKEN</code>), a custom header, or as a URL query parameter.</p></pre>cbll: <pre><p>Excellent, thank you so much. Gonna start cracking away at this :)</p></pre>bjwschaap: <pre><p>Here's an article that explains it better than I can: <a href="https://auth0.com/docs/api-auth/tutorials/verify-access-token" rel="nofollow">https://auth0.com/docs/api-auth/tutorials/verify-access-token</a>
HTH!</p></pre>