https://www.odux.uk/2026-02-05T19:37:20+00:00Bo Xu2026-02-05T19:37:20+00:002026-02-05T19:37:20+00:00https://odux.com/2026/Feb/5/auth-problem-looked-bigger-than-it-was/#atom-tag

I spent most of this afternoon deep in the weeds designing an auth bridge between an existing cluster of servers and a new service used by the same clients base across the servers. The initial conversations went straight to the “big” answers—Cognito, full OAuth flows, external identity plumbing everywhere—and for a while it felt like the only responsible path was also the most complex one. <br/><br/> Then, after nearly two hours, I realized what we really needed was a trusted issuer and a trusted verifier. We can use the existing platform to issue JWT bearer tokens from our user/client model, sign them with private keys we control, and let the new service verify them with public keys while enforcing claims like issuer, audience, scope, subject, and expiry. <br/><br/> Suddenly the design felt natural: no per-request callback to the issuer, no unnecessary moving parts, and clean attribution of every service call to a known user and client for metering and audit. <br/><br/> A good reminder that “production-grade” doesn’t always mean “maximal complexity”—sometimes the strongest design is the one that makes trust boundaries explicit and keeps the system understandable. <p>Tags: <a href="https://odux.com/tags/programming">programming</a>, <a href="https://odux.com/tags/architecture">architecture</a>, <a href="https://odux.com/tags/authentication">authentication</a></p>