#Way to secure spring boot micro services apis that will be consumed by a react native mobile app.

I am building a spring boot micro service applications (resource servers) and one spring cloud gateway which will act as the client that interfaces with the micro service applications and will be consumed by a reactive native mobile app.
I am currently considering running one of the micro service as an authorization server and also implement the gateway as a client. Works well with the gateway if authorization grant type is authorization code and the token relay also works well.

The problem I am facing now is that this same flow won't be seamless on mobile (if it is even possible) as there will be a couple of redirects that needs to happen to authenticate the user.

If it is possible, how can I achieve this, else how best can I secure the micro services without exposing the user's token?

⌛ This post has been reserved for your question.

Hey @olive rover! Please use /close or the Close Post button above when your problem is solved. Please remember to follow the help guidelines. This post will be automatically marked as dormant after 300 minutes of inactivity.

TIP: Narrow down your issue to simple and precise questions to maximize the chance that others will reply in here.

Are you using JWTs?

you'd probably want one (micro)service that hands out the JWTs (if you need to, you can still scale it but they should have the same keys)