Adarsh Autho Forge

A plug-and-play, secure, scalable authentication server + Spring Boot starter for distributed microservices

  • Java 21
  • Spring Boot 4
  • GraalVM Native
  • JWT
  • JWK
  • Spring Security
  • Cloud Run
GitHub Repository

Adarsh Autho Forge is a fully self-contained authentication platform designed to be plugged into any Java microservice with almost zero configuration.
It combines a central authentication server with a Spring Boot Starter, enabling microservices to validate JWTs, fetch JWKs, enforce roles, and stay perfectly in sync — without rewriting authentication logic in every service.

The goal behind this project is simple:

Build authentication once — use it in every backend I ever create.

This project reflects modern patterns used by production systems (Google OAuth, AWS Cognito, Okta), but built lightweight, developer-friendly, and completely open.

🚀 Goals & Motivation

As I started building more microservices, I noticed the same problem:

  • Every service needed authentication
  • Every service needed JWT verification
  • Every service needed role checks
  • Every service needed error handling and filters
  • Every service needed public keys for validation

And every time, I was rewriting the same boilerplate.

Adarsh Autho Forge solves that permanently.

What I wanted:

  • A central auth service I can deploy anywhere
  • A plug-and-play client starter for any Spring Boot microservice
  • Fast startup (GraalVM native images) for serverless deployments
  • Production-grade JWT generation with RSA signing keys
  • Secure JWK publishing so microservices verify tokens without coupling
  • A system I can trust for personal projects, side apps, and future SaaS ideas

This project also helped me dive deeper into:

  • Authentication & identity system design
  • JWT architecture, claims, and key rotation
  • Auto-configuration patterns in Spring Boot Starters
  • Native image optimization and Cloud Run deployment

🏗️ Architecture

The system is a multi-module Maven project with two core components:

🔐 1. autho-forge-service (Central Auth Server)

This is the heart of the system. It handles everything related to identity:

  • User Registration
  • Login
  • JWT generation (Access + Refresh)
  • Refresh token rotation
  • RSA key management
  • JWK publishing at /.well-known/jwks.json
  • Role handling & user storage

Essentially, it works like a private version of Okta/Auth0 — but simpler and tailored for microservices.

🧰 2. autho-forge-starter (Microservice Starter)

Every microservice just adds:

<dependency>
    <groupId>com.adarsh.autho</groupId>
    <artifactId>autho-forge-starter</artifactId>
</dependency>

…and instantly gets:

  • Automatic JWT validation
  • JWK fetching + caching
  • Authentication filter chain
  • Role-based authorization
  • Exception handling
  • Zero security boilerplate

All services stay decoupled — no shared secrets, no hardcoded keys.

🔑 JWT & JWK Design

The auth service issues:

✔ Access Token

  • Short-lived
  • RS256 signed
  • Contains sub, roles, iat, exp, kid, iss
  • Used by microservices for authorization

✔ Refresh Token

  • Long-lived
  • Stored hashed in DB
  • Rotated on each refresh
  • Revocable (session-like behavior)

JWK Endpoint

The auth service exposes:

GET /.well-known/jwks.json

Microservices use the starter to automatically fetch, cache, and rotate keys — enabling decentralized verification and centralized signing.

🧩 Key Features

🔐 Central Authentication Server

Registration, login, JWT issuance, and refresh token flow.

🔄 Key Rotation Support

RSA signing keys with JWK publication for distributed verification.

📦 Spring Boot Starter for Microservices

Plug-and-play JWT validation with zero configuration required.

🛡️ Spring Security Integration

Role-based access, automatic security filters, and consistent exception handling.

⚙️ Native Image Fast Startup

GraalVM native builds optimized for serverless and Cloud Run.

🧱 Clean, Layered Architecture

DTOs, service layer, entity mapping, custom exceptions, and global handlers.

🗂️ Multi-module Maven Design

Clear separation between the core auth service and the microservice starter.

🧪 Unit & Integration Test Friendly

Modular design enables independent testing of auth logic, filters, and token flows.

🔧 Development and Setup

  • Java 21
  • Spring Boot 4.0.0-RC2
  • Hibernate / JPA
  • H2 / PostgreSQL
  • Maven multi-module project
  • Nimbus JOSE JWT for JWT/JWK generation
  • Spring Boot Starter for plug-and-play validation in microservices

🧠 Lessons Learned

  • JWT/JWK architecture: Designing a secure, scalable token ecosystem.
  • Spring Boot AutoConfiguration: Understanding how custom starters wire themselves.
  • Native image constraints: Reflection configuration and classpath handling in GraalVM.
  • Cloud Run performance tuning: Making native apps scale-to-zero efficiently.
  • Domain-driven design: Separation of DTO, service, entity, and repository layers.
  • Security mindset: Hashing practices, key handling, exception design, and safe defaults.