When JWT becomes a security problem for your services

If you’ve used JWTs for user authentication, you might have thought, “It might be a good idea to use JWTs for service to service (S2S) authentication”, only to discover how complex the JWTs for S2S in dynamic environments can get.

Drawing on insights from working with large customers, we’ll show the pitfalls of forcing S2S traffic through traditional API gateways (aka “hair pinning”) - a process that increases latency and decreases efficiency.

We’ll highlight the security risks when bypassing API gateways for direct service calls and relying on JWTs. As enticing as it seems, this method often leads to code duplication and puts most of the burden on developers who must maintain them.

We propose a pivot to service mesh and mTLS. The approach simplifies S2S authentication, automates security best practices, and mitigates the downsides of JWTs. We’ll delve into how service meshes use mTLS to manage traffic encryption, validate tokens effectively, and ensure seamless key rotation, offering a more robust security framework for S2S communication.



Christian Posta

Christian Posta is VP, Global Field CTO at Solo.io. He is the author of Istio in Action as well as many other books on cloud-native architecture and is well known in the cloud-native community for ...