In a monolith an HTTP session cookie was enough. In microservices you need stateless authentication — every request carries its own token. OAuth 2.0 for authorization, JWT for tokens. Standards that solve 80% of security needs.
OAuth 2.0 flows¶
Authorization Code: For web applications with a backend. Most secure. Implicit: For SPAs without a backend. Token directly in the URL (less secure). Client Credentials: For service-to-service communication. No user involved. Resource Owner Password: Direct credential submission. Only for trusted applications.
JWT: JSON Web Token¶
// JWT structure: header.payload.signature
{
"sub": "user123",
"name": "Jan Novák",
"roles": ["ADMIN", "USER"],
"iat": 1457600000,
"exp": 1457603600
}
JWT is self-contained — it contains information about the user, signed by the server. A service can verify it without querying the auth server. Stateless = scalable.
Implementation with Spring Security¶
Spring Security OAuth2 + spring-security-jwt. The auth server issues tokens, resource servers verify them. Shared signing key or asymmetric keys (RSA).
Best practices¶
- Short access token expiration (15–60 min)
- Refresh token for renewal without re-login
- HTTPS mandatory — a token over HTTP is like a password in plaintext
- Do not store sensitive data in the JWT payload (it is only base64 encoded)
- Revocation: blacklist or short expiration
OAuth 2.0 + JWT is the standard¶
Stateless authentication is a necessity for microservices. OAuth 2.0 with JWT tokens is the industry standard with excellent support in all languages and frameworks.
Need help with implementation?
Our experts can help with design, implementation, and operations. From architecture to production.
Contact us