I've been working on a login system that works with JWT. Nothing special: you send a valid user + password pair and then get a signed token to identify yourself in future requests. It is built in Java. To sign the tokens, the application generates a public/private key pair at run time and exposes the public key at a specific URL. It was done this way because there are a lot of services that need to validate the tokens, and it facilitates the distribution of the public key.
The problem that I face now is that this application will be deployed on more than a single node, for redundancy and the prevention of downtime. In this context, if each instance of the application generates a pair of keys, then the entire system is separated. So I need to make sure that one node generates a pair and then shares it with the others.
So far, my ideas have been to save it somewhere in the database, or to use shared values in a ZooKeeper group, but I'm not sure it's the right approach.
To summarize … the context:
- JWT signature with private/public key pairs generated at runtime
- Multiple nodes that all need to be aware of the same pair
- Is there something seriously wrong with the idea that makes it unfeasible?
- Is there a standard way to do this?
- Are there better ideas than using the database?
Thanks in advance!
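The failure mode described in the post, as an added example that is not part of the original post: a token signed by one node fails verification against another node's independently generated key, and verifies once both nodes load the same serialized pair. The class name, the claims, and the byte arrays standing in for the shared store are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;

public class SharedJwtKeyDemo {
    static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();

    static KeyPair generate() throws GeneralSecurityException {
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        return g.generateKeyPair();
    }

    static String b64(String s) { return B64.encodeToString(s.getBytes(StandardCharsets.UTF_8)); }

    // Build a compact RS256 JWT: base64url(header).base64url(claims).base64url(signature)
    static String sign(PrivateKey key, String claimsJson) throws GeneralSecurityException {
        String input = b64("{\"alg\":\"RS256\",\"typ\":\"JWT\"}") + "." + b64(claimsJson);
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update(input.getBytes(StandardCharsets.US_ASCII));
        return input + "." + B64.encodeToString(s.sign());
    }

    // Check the signature over "header.claims" with the given public key
    static boolean verify(PublicKey key, String jwt) throws GeneralSecurityException {
        int dot = jwt.lastIndexOf('.');
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(key);
        s.update(jwt.substring(0, dot).getBytes(StandardCharsets.US_ASCII));
        return s.verify(Base64.getUrlDecoder().decode(jwt.substring(dot + 1)));
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPair nodeA = generate(), nodeB = generate(); // each node generates its own pair
        String token = sign(nodeA.getPrivate(), "{\"sub\":\"alice\"}"); // constructed claims
        System.out.println("A's token vs A's public key: " + verify(nodeA.getPublic(), token));
        System.out.println("A's token vs B's public key: " + verify(nodeB.getPublic(), token));

        // Shared pair: these arrays stand in for the shared store (assumption).
        // The PKCS#8 bytes are the private key itself and need access control and encryption at rest.
        byte[] storedPrivate = nodeA.getPrivate().getEncoded(); // PKCS#8
        byte[] storedPublic = nodeA.getPublic().getEncoded();   // X.509 SubjectPublicKeyInfo
        KeyFactory kf = KeyFactory.getInstance("RSA");
        PrivateKey bPriv = kf.generatePrivate(new PKCS8EncodedKeySpec(storedPrivate));
        PublicKey bPub = kf.generatePublic(new X509EncodedKeySpec(storedPublic));
        String tokenFromB = sign(bPriv, "{\"sub\":\"alice\"}");
        System.out.println("B's token vs published key: " + verify(nodeA.getPublic(), tokenFromB));
        System.out.println("A's token vs key B loaded:  " + verify(bPub, token));
    }
}
```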