Client authentication in microservices with JWT and OpenID Connect

Question:

I have some questions regarding authentication in a microservices architecture. I currently have a monolithic application and my goal is to split the application into small microservices.

My biggest problem is authentication (for now). After reading a LOT of documentation, it seems that the best solution is to use OpenID Connect to authenticate a user to retrieve a JWT that can be passed with the request to the microservices.

Also, to avoid having multiple endpoints, you can deploy an API Gateway to have only one endpoint for the end user. Ok, so now I have two questions with this architecture.

The standard flow for authentication will be:

A user contacts my identity server in OpenID Connect with the implicit flow and gets the id_token (JWT) and also the access_token. The user can now contact my API with this access_token. The API Gateway will validate the access_token with the identity server and also retrieve the JWT to add it to the sub-request to the microservice API.

1/ How can the API Gateway get the JWT from the access_token? From what I read in the documentation (http://openid.net/specs/openid-connect-core-1_0.html), it can contact the "/userinfo" endpoint, but it will get just the JSON format, not the JWT...

2/ I want to allow authenticated calls between my microservices. So each microservice needs to be able to generate a JWT to contact other microservices directly. My first thought was to contact the identity server. But with the OAuth2 Client Credentials flow, I don't retrieve an id_token or a JWT, just a classic OAuth2 access token without JWT. My second thought was that the microservice can directly sign its own JWT with a certificate issued by the same PKI as the one used by the identity server. That means that a JWT can be signed by several certificates, but from the same private PKI. When a microservice receives a JWT, it needs to be able to identify which certificate was used to sign the JWT. I don't find anything in the RFC regarding this problem. I can add my own private claim in the token to have the certificate, but after several days of browsing the web without seeing this kind of solution, I'm wondering if I'm not on the wrong path... To sum up, how can I perform "User to service" authentication AND also "service to service" authentication in JWT?

Thanks a lot!

I am implementing a similar solution. Not sure if it will address your question completely, but I hope it helps:

  1. You can implement a new authentication microservice to convert your OAuth2 access token to a JWT token. This microservice will also sign this JWT token.

Your API gateway will route all client requests to the authentication service, which will validate this token with the IDM and convert it to a signed JWT token.

The API gateway will pass this JWT token to other microservices, which will validate the signature with the Authentication Service's public key. If the signature validates, roles can be extracted out of it for authorization.

Each microservice can have its own IDM credentials configured, and when it wants to call any other microservice, it can generate an access token and call the Authentication Service to get a JWT which can be passed in the call to other microservices.