Why do I need an authorisation server if my microservices can validate JWTs directly?

I'm working on a Spring-based microservice project and considering different approaches for handling authentication and authorisation. Instead of setting up a dedicated authorisation server, I'm thinking of implementing JWT validation directly within each microservice.
Proposed Approach
Each microservice will contain a JWT decoder bean to validate tokens locally. The public key for verifying JWT signatures will be retrieved from AWS Secrets Manager, allowing dynamic key rotation without service disruption. I plan to expose two authentication endpoints in my resource server:
- User authentication → Accepts a username and password to return a JWT access token and a refresh token.
- Service-to-service authentication → Issues a short-lived JWT to microservices. This could be implemented using either:
  - A service name and secret pair.
  - Mutual TLS (mTLS) for stronger security.
Reasons for This Approach
- Cost efficiency – Avoids hosting a standalone authorization server just for issuing tokens.
- Improved availability – No single point of failure; each microservice can validate JWTs independently.
- Performance benefits – JWT validation is stateless, eliminating network calls to an external authorization server.
- Secure key management – Fetching the public key from AWS Secrets Manager enables dynamic key rotation.
- OAuth2 might be unnecessary – My system has no third-party applications, only:
  - Internal microservices communicating with each other.
  - A dashboard that retrieves user data using JWT authentication.
Question
Is this a valid approach? What are the potential pitfalls or improvements I should consider?
Edit
I forgot to mention that the user never communicates with the microservices. The user only communicates with the resource server. The microservices are purely machine-to-machine communication.
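The local validation step the question describes, written out as an added example (not code from the question or from any Spring project) in dependency-free Go so the checks each microservice must perform are explicit: pin the algorithm, select the public key by `kid`, verify the signature, then check issuer, audience and expiry. The `KeySet` map and the `kid` values stand in for what a service would fetch from AWS Secrets Manager, and the issuer/audience names are assumptions; holding the previous key beside the current one is what makes rotation work without a service disruption.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// KeySet maps kid -> public key (assumed Secrets Manager layout); keep old and new keys during rotation.
type KeySet map[string]ed25519.PublicKey

type Claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

var b64 = base64.RawURLEncoding

// Mint signs a compact JWT with header {"alg":"EdDSA","kid":kid}: the issuing side.
func Mint(kid string, priv ed25519.PrivateKey, c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "EdDSA", "kid": kid})
	body, _ := json.Marshal(c)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	return input + "." + b64.EncodeToString(ed25519.Sign(priv, []byte(input)))
}

// Verify is the local check each microservice runs: pin the algorithm, select the key
// by kid, verify the signature, then check issuer, audience and expiry (unix seconds).
func Verify(token string, keys KeySet, iss, aud string, now int64) (*Claims, error) {
	parts := strings.Split(token, ".")
	var hdr struct{ Alg, Kid string }
	raw, err := b64.DecodeString(parts[0]) // parts[0] always exists; the count is checked next
	if len(parts) != 3 || err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "EdDSA" {
		return nil, errors.New("malformed token or unexpected alg") // exact match also rejects "none"
	}
	pub, ok := keys[hdr.Kid]
	sig, err := b64.DecodeString(parts[2])
	if !ok || err != nil || !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return nil, errors.New("unknown kid or bad signature")
	}
	var c Claims
	raw, err = b64.DecodeString(parts[1])
	if err != nil || json.Unmarshal(raw, &c) != nil || c.Iss != iss || c.Aud != aud || now >= c.Exp {
		return nil, errors.New("claims rejected")
	}
	return &c, nil
}
```

Note that the token's `alg` header is only ever compared against the one value the service expects; the key lookup by `kid` is the rotation mechanism, and a token signed under a `kid` that has been retired from the set is rejected.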