
I am trying to develop my web application using a microservice architecture. On the back end I am using Spring, Spring Cloud and Spring Boot for the microservices, and my front-end application is an Angular 2 application. My front-end application will work according to the back-end REST endpoints that are called from the Angular 2 application.

  • I am trying to create a login for this web app. I am planning to use an API key for authentication to the back-end service, and my login-checking functionality is also a microservice. So when I call my back-end service, how can I achieve this API key functionality? Does it need to be set constantly as a unique variable?

Here the API key cannot be dynamically managed, since the login functionality itself is a microservice, so do I need to use an API key for calling the login-check service, which is already deployed in the cloud?

How can I understand this scenario?

1 Answer

You can't really use an API key in this scenario, as it's a web app. The API key would be publicly visible in the web app. The correct way to implement authentication is quite complex and involves

A high-level overview of the whole process may be summarised as below:

  1. The user tries to log in with his credentials. These are sent to a server for authentication.
  2. The credentials are validated against a DB record. If validated, a JWT token is sent back to the client.
  3. The client should store this JWT token somewhere, either in memory or in local storage, depending on the use case. A valid JWT indicates the user is authenticated.
  4. For every subsequent request, this JWT should be appended to the request header. The server will look for this JWT token to authenticate.
  5. Access to client-side routes is restricted to authenticated users using route guards.
  6. Again, this JWT token has an expiry time and must be continuously checked for expiry.
  7. If the expiry of the authenticated user's JWT token is close, the server should return a refresh token and the client should request a new authenticated JWT token using this refresh token.

Please refer to this article for a start.


4 Comments

Yes, I understood the flow. But I have one query about the JWT expiry time. Suppose the time expires in the middle of one process; it would force a re-login. Is this time management mandatory for this type of architecture? Otherwise, each time my user on the front-end app will be compelled to log in again. What is its feasibility? Can you clarify my point please, since I am only a beginner with this type of architecture.
The JWT token expiry time would usually be several minutes, like 30 min. It can even be hours or days. You can increase the expiry time if you don't need much security and you are concerned about user experience. You can even issue a non-expiring token as well. But it is always better to stick to industry best practices.
Ok, I got your point. Thank you for your response and your valuable guidance.
@JibinTJ It's helpful
