What are JSON Web Tokens? Why do they matter in the context of microservices architectural style? Glad you asked. There’s a lot to discuss when it comes to JSON Web Tokens, but let’s start with an overview of an API Gateway and then we’ll dive deep into JSON Web Tokens and how to get started (including a great new video tutorial). Intro: API Gateways are at the heart of microservices You’re probably wondering what is an API Gateway and why does it matter. TLDR: It’s kind of a big deal. Here’s a little secret on why: it straddles both the business side and technical side of your business. An API Gateway, by definition, is considered “middleware” because it sits between backend services, web and other external clients. The API Gateway executes this via a set of protocols and through a set of RESTful APIs. So, it moves almost all of the the required logic from the client into the gateway which makes it much simpler to develop, secure, manage, and scale endpoints. If you’re like Netflix or Google, the move to Microservices may not have been easy, but you can recognize the benefits of breaking down monolithic architecture into smaller, more manageable pieces. Your architecture would look a little something like this: As you may already notice, it’s already messy and (at least on paper) looks a lot less secure and more difficult to connect to external resources given so many different touchpoints and complicated information routing. Also, who wants to deal with all of that, when a major benefit of moving over to microservices was to make life easier and more flexible, yet secure at the same time? This question touches on a very important point about strategies for growth at enterprise scale. Having a mess of microservices connecting at every touchpoint doesn’t meet typical enterprise criteria of building in a secure way. More touchpoints, more to monitor. More to monitor, more resources spent doing duplicative work that should just be straight forward. So what now? By adding an API gateway, you can reorganize this relationship with external touchpoints, apps and APIs. Essentially, Secure your microservices in a way that allows you to build on your business logic at the same time as making life easier for engineers. This new relationship is underscored by a single touchpoint, that you can secure, monitor and extend. As a basic industry standard, API Gateways handle authentication and authorization from the external APIs. Scalable, efficient — what’s not to love about JSON Web Tokens (JWT) and OAuth? However; there is more than one way to orchestrate this. Another important aspect to JSON Web Tokens (JWT) is how you plan to initiate them. One side is to support JSON Web Tokens initiated by other identity servers, like Auth0.The other side is to actually initiate and manage the JWTs through our Identity Server. This is just as much about your security strategy as it is about your technical approach. While there is no silver bullet, there are some advantages to the integration approach. There’s an excellent . getting started story in setting up identity with Auth0 and plugging in to Express Gateway Why Managing your own identity server blows This is why we baked one into Express Gateway from the start. So, there’s more opportunity to get started right out of the box without having to sign up for extra services. Additionally, Express Gateway can interface with your existing JWT provider as well. Let’s just face some cold hard facts. Chiefly, no business requirements doc is going to say “set up an identity server that supports JWT.” The feedback we have gotten from the developer community is that most of the time, we all just imagine it already exists. So, if you’re working on a project and don’t have one…developers have to scramble to make some magic happen. Also, it’s worth noting that reading the OAuth2 spec is…hard. Which also means that getting all the right details is an amazing feat which is not insurmountable, but takes time. When speed and agility matter, slowing down can make it seem worse. It’s why there’s an entire product segment around this. No, seriously. There is an entire set of products and companies that will knock this out of the park for you such as , , and (our favorite) . Ping Identity Okta Auth0 Learn more about Auth0 and Express Gateway. Still not feeling it? We’ve had those in-between moments of realization where you just need to get it done. That’s where the internal support for JSON Web Tokens (JWT) will can come in handy. To help get you started, we’ve put together a video tutorial on setting up JSON Web Tokens initiated by other identity servers, like Auth0, and when you actually initiate and manage the JWTs through an Identity Server. Get started with JSON Web Token Support in Express Gateway with this easy-to-follow How-To Video: OR: You can also check out the more in the release post detailing the latest updates. technical getting started guide Originally published at www.express-gateway.io , but shared here with extra notes, diagrams and special Medium editorial commentary.
