Best practices
Internal Access Only
Do not expose the JWKs endpoint to the public internet. Keep it internal and access it only from inside your own network.
Basic Auth Middleware
If you are using the default JWKs endpoint, it is always a good idea to put a basic auth token middleware in front of it.
The token can be stored in the .env file or somewhere else you consider safe. Then share the token with the microservices that need to fetch the keys.
Custom Claims
For authorization purposes, it is recommended to add custom claims to your JWT token, e.g.:
user's role
user's permissions
...
In-memory cache from microservices
The JWKs are unlikely to change frequently, so the microservices can cache the JWKs response in memory and reuse it for days or months.
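The following is an added example, not code from the original page or its project: a small in-memory JWKS cache a microservice could use for the caching described above. It keeps the keys for a TTL, and when a token arrives with a `kid` that is not in the cache it refetches once (rate limited) so a rotated key is picked up before the TTL expires. The `fetch_jwks` callable (which would carry the shared token from `.env` to the internal endpoint), the `ttl` and `min_refresh` values, and the constructed sample key sets are all assumptions for illustration.

```python
import time


class JwksCache:
    """In-memory JWKS cache with TTL and a rate-limited refetch on unknown kid."""

    def __init__(self, fetch_jwks, ttl=24 * 3600, min_refresh=60, clock=time.monotonic):
        self._fetch = fetch_jwks      # callable returning the JWKS body: {"keys": [...]}
        self._ttl = ttl               # how long (seconds) a fetched key set is trusted
        self._min_refresh = min_refresh  # floor between forced refetches (avoid hammering the endpoint)
        self._clock = clock           # injectable clock, so the behaviour can be tested offline
        self._keys = {}               # kid -> JWK dict
        self._fetched_at = None
        self.fetch_count = 0          # number of calls made to the endpoint (for observability)

    def _refresh(self):
        body = self._fetch()
        # Keys without a kid cannot be selected by a token header, so they are dropped.
        self._keys = {k["kid"]: k for k in body.get("keys", []) if "kid" in k}
        self._fetched_at = self._clock()
        self.fetch_count += 1

    def _stale(self):
        return self._fetched_at is None or self._clock() - self._fetched_at > self._ttl

    def get_key(self, kid):
        """Return the JWK for `kid`, refetching on TTL expiry or on an unseen kid."""
        if self._stale():
            self._refresh()
        key = self._keys.get(kid)
        if key is None and self._clock() - self._fetched_at >= self._min_refresh:
            # Unknown kid usually means the issuer rotated keys: refetch once.
            self._refresh()
            key = self._keys.get(kid)
        if key is None:
            # Still unknown after a refresh: reject the token rather than guess.
            raise KeyError(f"no JWK with kid={kid!r}")
        return key


if __name__ == "__main__":
    # Constructed sample JWKS (assumed data, not a real key set).
    served = {"keys": [{"kid": "2024-01", "kty": "RSA", "use": "sig"}]}
    cache = JwksCache(lambda: served, ttl=3600, min_refresh=60)
    print(cache.get_key("2024-01")["kid"], "fetches:", cache.fetch_count)
```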