Solution Design: /token Endpoint

Central entry point for issuing JWTs

Solution Design: /token Endpoint

Purpose

The /token endpoint is the central entry point for issuing JWTs within the microservices ecosystem. It ensures secure, claim-based authentication between services (e.g., careergpt-backendlogging-service).

  • Issue short-lived JWTs for other microservices.
  • Embed claims (e.g., issuer, audience, subject) that downstream services can validate.
  • Provide a trust boundary: Identity-Backend is the single source of truth for authentication.

    • Responsibility

    Responsible for issuing signed JSON Web Tokens (JWTs) to other services within the architecture. These tokens are used for secure service-to-service communication, ensuring each request can be authenticated and authorized without relying on static API keys.

    Endpoint

    Method: POST
    URL: https://aurorahours.com/identity-backend/token

    Request Payload

    {
  "sub": "careergpt-backend",
  "aud": "logging-service"
}

    • sub (Subject):
      The microservice requesting the token (e.g., careergpt-backend).

    • aud (Audience):
      The intended recipient microservice the token will be used with (e.g., logging-service).

    Processing Logic

    1. Input Validation

      • Verify both sub and aud are provided.

      • Log error and return 400 Bad Request if missing.

    2. Token Generation

      • Construct JWT payload with:

        • iss: Identity service name (identity-backend)

        • sub: Requesting microservice name

        • aud: Target service name

        • iat: Issued-at timestamp

        • exp: Expiration timestamp (default 15 minutes, configurable)

    3. Signing

      • Sign JWT using HS256 and the JWT_SECRET_KEY (shared secret).

    4. Response

      • Return signed JWT to the caller.

    Response Example

    {
  "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJpZGVudGl0eS1iYWNrZW5kIiwic3ViIjoiY2FyZWVyZ3B0LWJhY2tlbmQiLCJhdWQiOiJsb2dnaW5nLXNlcnZpY2UiLCJpYXQiOjE3NTM4MzUwNzksImV4cCI6MTc1MzgzNTk3OX0.s2ryI5Tc3O312NvfVs1bpoCiUpsX4igX1EA1duvwMmI"
}

    The returned token is a JWT signed with the Identity-Backend’s secret key. This token must be included in the Authorization: Bearer <token> header for calls to other microservices.

    Design Considerations

    1. Security

      • Tokens are HMAC-signed using JWT_SECRET_KEY (shared only between Identity-Backend and other services).

      • Tokens are short-lived (default 15 minutes) to reduce impact if leaked.

      • Audience and issuer are validated by consuming services.

    2. Scalability

      • Stateless authentication: no session storage required.

      • Token validation only requires the signing secret (no database lookups).

    3. Extensibility

      • Future migration to asymmetric signing (RSA) for external clients is possible.

      • Claims can be expanded (e.g., roles, permissions) without breaking existing consumers.

    Key Design Principles

    • Centralized Trust
      Only identity-backend issues JWTs, ensuring all microservices validate against a single source of truth.

    • Least Privilege via Audience Claim
      Tokens are valid only for the intended service (aud), preventing cross-service misuse.

    • Short-Lived Tokens
      Expiration is enforced (e.g., 15 min) to reduce blast radius of compromised tokens.

    • Stateless Authentication
      JWTs remove the need for a central session store; each service can independently verify tokens.

    Integration Flow

    1. Service A (e.g., CareerGPT-Backend) requests a token from /token.

    2. Identity-Backend signs and returns the token with the proper claims.

    3. Service A calls Service B (e.g., Logging-Backend) with the token in the Authorization header.

    4. Service B validates:

      • Signature

      • aud (audience matches its service name)

      • iss (issuer = identity-backend)

      • Expiry time (exp)

    Comments

    Post a Comment

    Popular posts from this blog

    Feature: Audit log for one login, and identity service

    Image
    Customer (Product) Page High-Level System Design Diagram (PlantUML) Sequence Diagram: Audit Event Ingestion Sequence Diagram: Orchestration Event For a High-Level System (Component) Diagram The queue is implemented as message_queue (generic), and the audit log service consumes from it, writing to a dedicated audit_log table. The logging service also consumes from the same message_queue and writes to log_store. Orchestration/other services use the same queue. Summary Table: What Writes Where Event Type Goes Into Consumed By Final Storage audit message_queue Audit Log Service audit_log table log message_queue Logging Service log_store table doc_uploaded message_queue Orchestration Worker (business DB, or triggers next event) ocr_ready message_queue Notification Worker, etc. (notification log, etc.)  Core Tables message_queue – universal event bus (temp buffer) audit_log – immutable audit/compliance events log_store – application logs (op...
    Read more

    Getting started - Build your data science lab environment

    This guide explains how to set up a complete data science environment for the udemy program. A proper setup ensures compatibility and avoids recurring environment issues.  1. Overview Goal : Create a full-featured environment with sufficient resources for all course exercises. Recommendation : Use Anaconda for the most reliable setup. Alternative : Use a Python virtual environment with pip if Anaconda isn’t working. 2. Setup Options Primary (Recommended) Create a dedicated Anaconda environment (isolated, compatible). Alternative Use a standard Python virtualenv + pip (faster but less reliable). 3. Windows Setup Steps Clone Course Repository git clone https://github.com/ed-donner/llm_engineering/ Follow the repository’s README.md instructions for additional setup details. Create Anaconda Environment Inside the llm_engineering folder: conda env create -f environment.yml ⏳ This may take several minutes. Activate the environment: conda activate llms Deactivat...
    Read more

    QA - Run #1 - Results

    Image
    # QA Report for Tag QA_July2025_A - **Tag/Commit:** QA_July2025_A (`f32abc1`) - **Date:** 2025-08-01 - **QA Outcomes:** All tests passed except for file upload (see below)... - **Environment:** Windows 10, Python 3.12, requirements.txt as of tag - **Notes:** See log for detailed results. ## Issue Found - **Step:** - **Bug:** - **Log excerpt:** - **Screenshot:** For this QA run, we begin with pristine state by: Stop all services Delete logs.db, and jobs.db Delete all files in doc_store folder Start all services Test, you should see no data on index page, and query should result in no data found error Next, go ahead and upload new1.txt, and after that new2.txt Issue the query: "can you summarize all of the todo items you can find, seperating each one on a single line, with due date first, then title, and description with any details you can augment" Expected Answer: - August 1, 2025: Respond to Amira and discuss weekend plans - August 3, 2025: Go to Somesh class and finish ta...
    Read more