Stateless authentication with microservices

Hi all, I’m creating a website that interfaces with our existing backend APIs for an application. I would love to use hilla for it but as I’ve been researching it I’m seeing a hurdle with authentication that I can’t tell if I can jump or not.

Some Context
Our application is a set of microservices that sit behind a gateway. Every request to a service (other than the auth service) will be authenticated by validating a jwt supplied via either the authorization header or a cookie.

The auth service has traditional username and password but also has support for signing in with Azure AD.

My plan for the auth flow with the hilla app is the following:

  • user supplies username and presses sign in with SSO button
  • hilla endpoint makes a call to the auth service
  • auth service responds with a redirect to the correct AD url (we are using accounts across multiple tenants which is why the auth service needs to supply the SSO link)
  • user signs in and AD calls the auth service’s callback endpoint
  • auth service creates a jwt and returns a redirect back to the hilla app with the cookie attached

My main concern which I couldn’t really find an answer to online is once the jwt is stored as a cookie how can I access it from the hilla endpoints? It’s the endpoints that will be making calls to the other services so they need to supply this cookie with every request.

Additionally if you see anything wrong with this plan I’d welcome feedback on how to improve it 🙂

Thanks

This is an area where our current docs are still lacking (it’s on our todo-list!)

I have some thoughts on the matter, but let me double-check with the team before accidentally sending you down the wrong path 🙂

Awesome, thank you

@yummy-rhino also advised that

There is some generic info here: https://docs.spring.io/spring-security/reference/servlet/oauth2/resource-server/bearer-tokens.html#_bearer_token_propagation

This looks good, thank you for that

From what I’ve read it looks viable that I can use this for collecting the jwt from the browser and dealing with including it in requests to the APIs with webflux
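As an added illustration of the question asked in this thread (not code from any of the posters, from Hilla, or from the Spring docs linked above): a Hilla endpoint that reads the JWT cookie the auth service set on the browser and forwards it as a bearer token to a downstream service. Because Hilla endpoints are served by a Spring MVC controller, the current `HttpServletRequest` is available through `RequestContextHolder`, which is how the server side can reach an `HttpOnly` cookie that client-side JavaScript deliberately cannot. The cookie name `access_token`, the downstream base URL, and the `com.vaadin.hilla.Endpoint` package (older Hilla releases used `dev.hilla.Endpoint`) are assumptions.

```java
import java.util.Arrays;
import java.util.Optional;

import com.vaadin.hilla.Endpoint;
import jakarta.annotation.security.PermitAll;
import jakarta.servlet.http.Cookie;
import org.springframework.http.HttpHeaders;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;
import org.springframework.web.reactive.function.client.WebClient;

// Hypothetical endpoint; @PermitAll keeps it behind Hilla's own access control
// so that only requests that reached the app authenticated can trigger the
// downstream call (an unauthenticated caller never gets to forward a token).
@Endpoint
@PermitAll
public class OrdersEndpoint {

    // Assumed cookie name: whatever name the auth service uses when it sets
    // the JWT cookie on the redirect back to the Hilla app.
    private static final String JWT_COOKIE = "access_token";

    // Placeholder base URL for the downstream service behind the gateway.
    private final WebClient api = WebClient.builder()
            .baseUrl("https://gateway.internal.example/orders")
            .build();

    // Called from the browser via Hilla's generated TypeScript client.
    public String listOrders() {
        String jwt = currentJwt().orElseThrow(
                () -> new IllegalStateException("no " + JWT_COOKIE + " cookie on the request"));
        return api.get()
                .uri("/")
                // Propagate the user's token as a bearer token; the downstream
                // service validates it exactly as it would for a direct call.
                .header(HttpHeaders.AUTHORIZATION, "Bearer " + jwt)
                .retrieve()
                .bodyToMono(String.class)
                .block();
    }

    // Pull the JWT out of the servlet request that is invoking this endpoint.
    private static Optional<String> currentJwt() {
        ServletRequestAttributes attrs =
                (ServletRequestAttributes) RequestContextHolder.getRequestAttributes();
        if (attrs == null) {
            return Optional.empty(); // not running inside a web request
        }
        Cookie[] cookies = attrs.getRequest().getCookies();
        if (cookies == null) {
            return Optional.empty(); // request carried no cookies at all
        }
        return Arrays.stream(cookies)
                .filter(c -> JWT_COOKIE.equals(c.getName()))
                .map(Cookie::getValue)
                .findFirst();
    }
}
```

The token is only ever copied from the incoming cookie to an outgoing `Authorization` header; it is not stored in the endpoint, so the app stays stateless and each downstream call carries exactly the credentials of the user who made the browser request. If the auth service sets the cookie with `HttpOnly`, `Secure` and an appropriate `SameSite` value, this server-side hop is the only place the token is readable, which is the property the original plan was after.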