Ask HN: How do you handle authentication and authorization between microservices

Take a look at the Microprofile JWT specifications. It provides a standard set of jwt claims: <a href="https:&#x2F;&#x2F;www.eclipse.org&#x2F;community&#x2F;eclipse_newsletter&#x2F;2017&#x2F;september&#x2F;article2.php" rel="nofollow">https:&#x2F;&#x2F;www.eclipse.org&#x2F;community&#x2F;eclipse_newsletter&#x2F;2017&#x2F;se...</a>

<a href="https:&#x2F;&#x2F;istio.io" rel="nofollow">https:&#x2F;&#x2F;istio.io</a>

A central server which maintain all authorization information. The client can request token to access a particular service. The service verifies the token by calling the central server and gets in response the permissions available for that token. Also, a TTLed cache on the servers.

System user permissions with public&#x2F;private keys for lower level APIs (SSH tunnels, basically).<p>Centralized token services for ReST APIs

I used to work for a company that has a solution for this exact problem: <a href="http:&#x2F;&#x2F;www.tribestream.io" rel="nofollow">http:&#x2F;&#x2F;www.tribestream.io</a> Great product and the people couldn&#x27;t be a more diverse and all around good group of people.

Client certs for service to service communication.<p>Auth tokens validated by a central entity (a bunch of servers really) for user (mobile apps, etc) to service communication.

JWTs are a good approach. I&#x27;ve also seen folks using mTLS with gRPC.

JWT tokens are a decent approach

Vaulted API keys with lifecycle management.

Docker secrets.

API keys typically

keycloak