I have an application server that is running an SPA and its associated NodeJs backend (API). On this server there are a couple other services that are accessed by the API and require authentication. Up to this step all is clear, the local services use the same authorization mechanism as the API - JWT. Basically the client logs in, receives a token, then uses that token to make requests to the API which forwards the token to the requests it makes on the behalf of the client to the local services.
However - this is where I'm having trouble - these services need to communicate with other services from a backend server. The client's JWT is no longer valid in this case, because the client may have logged in using SSO or other external identity providers to which the backend server does not have access.
I need a way to authenticate the requests made by the services on the application server to the backend server.
How can I achieve this? What are the go-to solutions for such situations?
The application server cannot be fully trusted since it may be deployed on-premise on the client's network.
Based on the previous answer and some private discussions, I thought about the next solution:
For each client generate a private-public key pair and store the public key on the backend server. The private key will be sent in an encrypted archive via email to the client, so that the client will copy paste the private key into the application UI, which then stores it onto the application server.
The application server uses this private key to generate an access token which will be used to sign all requests made to the backend.
The backend uses the paired key to decrypt and validate the token and thus validate the authenticity of the requests.
If I want to remove access for one client, all I have to do is delete its associated key from the backend server.