Session management in API gateway

Suppose there’s a situation where microservices are written in two languages (Elixir, Python) and both are connected through an API gateway.
Here, when a user gives a username and password, the API gateway uses Python (OAuth2) to check whether it is right or not. If it is correct, then it will provide a token; up to here I understand.
And now the questions arise:

  1. If Elixir requires a session_id for further processing, then can we use the token as the session_id?
  2. If we use the token as the session_id, will it work, since the token is generated by Python?
  3. If I want to store the session in an ETS table, then do I need a session_id?

Hey @Erynn, welcome!

If you’re using JWTs as the token that the API gateway stores in a header to send downstream, then you’ll have a few choices, but they ultimately also depend on what the API gateway stores in the JWT itself. In general, the JWT should include iat and exp fields that tell you when the token was issued and when it expires. In the Elixir service, you could:

  1. Verify the signature of the JWT to make sure it comes from the API gateway
  2. Verify that the token is currently valid, that is, it has been issued in the past and it’s not expired yet
  3. At this point, you can use whatever’s in the JWT to store a session in your Elixir service. For example, the JWT could contain a session ID, a user ID, or something along those lines.

For question #3, you can store anything in an ETS table :upside_down_face:

With the info provided, I’m not sure I can give a better answer, but happy to help further if you need anything else.

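The three steps in the answer above (verify the signature, check iat/exp, then key a session on something inside the JWT), worked through as an added example that is not part of the original thread or of any project mentioned in it. It is written in Python, the language the gateway in the question issues tokens with; the Elixir service would do the same checks with a JWT library and keep the rows in ETS instead of the dictionary used here. The shared secret, the claim names beyond the standard iat/exp/jti, the session store shape and the choice to key sessions on jti rather than on the raw token are all this example's assumptions, stated in the comments.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid
from typing import Optional

# Shared secret between the API gateway (issuer) and the downstream service.
# Hypothetical value for this example; in practice it comes from configuration.
GATEWAY_SECRET = b"example-shared-secret-do-not-use"

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _json_b64(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())

def issue_token(claims: dict, now: Optional[int] = None, ttl: int = 900,
                secret: bytes = GATEWAY_SECRET) -> str:
    """Gateway side: mint an HS256 JWT carrying iat, exp and a unique jti."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {**claims, "jti": uuid.uuid4().hex, "iat": now, "exp": now + ttl}
    signing_input = f"{_json_b64(header)}.{_json_b64(payload)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"

class TokenError(Exception):
    pass

def verify_token(token: str, now: Optional[int] = None, leeway: int = 30,
                 secret: bytes = GATEWAY_SECRET) -> dict:
    """Downstream side, steps 1 and 2: check the signature first, then iat/exp."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    # Pin the algorithm instead of trusting header["alg"]: a token claiming
    # "alg": "none" (or a swapped algorithm) must fail before any other check.
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise TokenError("bad signature")
    payload = json.loads(_b64url_decode(p64))  # only parsed after the signature holds
    for field in ("iat", "exp", "jti"):
        if field not in payload:
            raise TokenError(f"missing {field}")
    if payload["iat"] > now + leeway:
        raise TokenError("issued in the future")
    if payload["exp"] <= now - leeway:
        raise TokenError("expired")
    return payload

class SessionStore:
    """Stand-in for the ETS table (step 3): session rows keyed by the JWT's jti.
    Keying on jti rather than the raw token keeps the bearer credential out of
    the table and gives a fixed-size id; that is this example's choice."""

    def __init__(self) -> None:
        self._table: dict = {}

    def get_or_create(self, token: str, now: Optional[int] = None) -> tuple:
        claims = verify_token(token, now=now)  # never key a row on an unverified token
        sid = claims["jti"]
        row = self._table.setdefault(
            sid, {"sub": claims.get("sub"), "exp": claims["exp"], "data": {}})
        return sid, row

    def evict_expired(self, now: Optional[int] = None) -> int:
        now = int(time.time()) if now is None else now
        stale = [sid for sid, row in self._table.items() if row["exp"] <= now]
        for sid in stale:
            del self._table[sid]
        return len(stale)

    def __len__(self) -> int:
        return len(self._table)

def check(token: str, now: int) -> str:
    """Return 'ok' or the rejection reason."""
    try:
        verify_token(token, now=now)
        return "ok"
    except TokenError as exc:
        return str(exc)

def demo() -> dict:
    """Constructed scenario: one good token plus the usual ways a token goes bad."""
    t0 = 1_700_000_000
    good = issue_token({"sub": "user-42"}, now=t0)
    h64, p64, s64 = good.split(".")
    forged = {"sub": "admin", "jti": "x", "iat": t0, "exp": t0 + 900}
    tampered = f"{h64}.{_json_b64(forged)}.{s64}"          # payload edited, old signature
    alg_none = f"{_json_b64({'alg': 'none', 'typ': 'JWT'})}.{p64}."  # unsigned
    store = SessionStore()
    sid1, _ = store.get_or_create(good, now=t0 + 10)
    sid2, row = store.get_or_create(good, now=t0 + 20)
    row["data"]["cart"] = ["item-1"]
    return {
        "valid": check(good, t0 + 100),
        "expired": check(good, t0 + 2_000),
        "future_iat": check(good, t0 - 100),
        "tampered": check(tampered, t0 + 100),
        "alg_none": check(alg_none, t0 + 100),
        "same_session": sid1 == sid2 and len(store) == 1,
        "evicted": store.evict_expired(now=t0 + 2_000),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Run it directly to see each case accepted or rejected. The order matters: the algorithm is pinned and the signature is checked before the payload is even parsed, so a forged payload or an unsigned "alg": "none" token never reaches the iat/exp logic or the session table, and the session row is created only from claims that have already passed both checks.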