Designing User Authentication in a Microservice Architecture Using JWT and Gateway Strategies

In microservice environments, designing a robust user authentication solution is essential; this article covers three main topics: traditional authentication methods, JWT and the JJWT library, and gateway‑based unified authentication.

Traditional monolithic authentication stores user sessions in Tomcat memory, which fails under load when requests are distributed across multiple nodes; the solution is to use a distributed session store like Redis, but Redis can become a bottleneck at internet scale, prompting a shift to client‑side storage of user data protected by JWT.

JSON Web Token (JWT) is a compact, signed token consisting of a Base64‑encoded header, payload, and signature. The header specifies the token type and signing algorithm (e.g., HS256), the payload carries user claims, and the signature is generated with the chosen algorithm and a secret key.

The JJWT library simplifies JWT creation and validation in Java. Add the following Maven dependencies:

<dependency>
    <groupId>io.jsonwebtoken</groupId>
    <artifactId>jjwt-api</artifactId>
    <version>0.11.2</version>
</dependency>

<dependency>
    <groupId>io.jsonwebtoken</groupId>
    <artifactId>jjwt-impl</artifactId>
    <version>0.11.2</version>
    <scope>runtime</scope>
</dependency>

<dependency>
    <groupId>io.jsonwebtoken</groupId>
    <artifactId>jjwt-jackson</artifactId>
    <!-- or jjwt-gson if Gson is preferred -->
    <version>0.11.2</version>
    <scope>runtime</scope>
</dependency>

Creating a JWT:

@SpringBootTest
public class JwtTestor {
    /**
     * Create Token
     */
    @Test
    public void createJwt() {
        // private key string
        String key = "1234567890_1234567890_1234567890";
        // 1. Base64‑encode the key
        String base64 = new BASE64Encoder().encode(key.getBytes());
        // 2. Generate SecretKey (algorithm chosen automatically)
        SecretKey secretKey = Keys.hmacShaKeyFor(base64.getBytes());
        // 3. Payload data
        String data = "{\"userId\":123}";
        String jwt = Jwts.builder().setSubject(data).signWith(secretKey).compact();
        System.out.println(jwt);
    }
}

Verifying a JWT:

/**
 * Validate and extract JWT data
 */
@Test
public void checkJwt() {
    String jwt = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ7XCJ1c2VySWRcIjoxMjN9In0.1p_VTN46sukRJTYFxUg93CmfR3nJZRBm99ZK0e3d9Hw";
    String key = "1234567890_1234567890_1234567890";
    String base64 = new BASE64Encoder().encode(key.getBytes());
    SecretKey secretKey = Keys.hmacShaKeyFor(base64.getBytes());
    try {
        JwtParser parser = Jwts.parserBuilder().setSigningKey(secretKey).build();
        Jws
claimsJws = parser.parseClaimsJws(jwt);
        String subject = claimsJws.getBody().getSubject();
        System.out.println(subject);
    } catch (JwtException e) {
        System.out.println("Jwt validation failed");
        e.printStackTrace();
    }
}

Two microservice authentication patterns are presented. In the server‑side verification scheme, the client logs in, receives a JWT from the authentication service, stores it (cookie or local cache), and includes it in subsequent requests; each microservice forwards the token back to the authentication service for verification and permission lookup before executing business logic.

In the API‑gateway unified verification scheme, the gateway itself validates the JWT against the authentication service and injects the user and permission data into the request before routing to downstream services, reducing coupling but adding extra network overhead for every request containing a token.

Choosing between the two depends on trade‑offs: server‑side verification offers fine‑grained control suitable for low‑latency, high‑concurrency scenarios, while gateway verification simplifies development for traditional enterprise applications at the cost of potential performance impact.

Practical challenges include fixed JWT expiration, token renewal, immediate revocation, and making JWT effectively stateful by storing token identifiers in Redis with expiration. Caching user/permission data after the first verification can improve performance but introduces consistency considerations.

In summary, the article revisits session‑based authentication, demonstrates JWT creation and validation with JJWT, and outlines two microservice authentication architectures, highlighting their advantages, drawbacks, and the inevitable trade‑offs architects must balance.