
Authentication vs authorization in HLD - Scaling Approaches Compared

Scalability Analysis - Authentication vs authorization
Growth Table: Authentication vs Authorization

| Users | Authentication Load | Authorization Load | System Changes |
|---|---|---|---|
| 100 users | Simple login checks, single auth server | Basic role checks, simple permission store | Monolithic auth service, in-memory session store |
| 10,000 users | Increased login requests, session management | More roles and permissions, caching needed | Introduce load balancer, distributed session cache |
| 1,000,000 users | High concurrent logins, token issuance | Complex policies, attribute-based access control | Horizontal scaling of auth servers, token-based auth (JWT), distributed permission store |
| 100,000,000 users | Massive login traffic, multi-factor auth | Dynamic authorization, fine-grained policies | Global distributed auth clusters, CDN for static auth assets, real-time policy evaluation services |
First Bottleneck

The first bottleneck is usually the authentication service during peak login bursts, because it must verify credentials, generate tokens, and manage sessions, all of which are CPU- and I/O-intensive. Authorization checks are generally lighter and cached, so they become a bottleneck later, as policies grow more complex.

Scaling Solutions
  • Authentication: Use horizontal scaling with load balancers to handle login requests. Implement token-based authentication (e.g., JWT) to reduce session state. Use caching for session validation.
  • Authorization: Cache permission data to reduce database hits. Use distributed caches like Redis. For complex policies, use policy evaluation engines that scale horizontally.
  • General: Employ CDNs for static auth assets (e.g., login pages). Use rate limiting and throttling to protect auth endpoints.
Back-of-Envelope Cost Analysis

Assuming 1 million users with 10% logging in daily:

  • Login requests per second: ~1,000,000 * 10% / (24*3600) ≈ 1.2 QPS
  • Authorization checks per second (assuming 10 checks per user per day): ~1,000,000 * 10 / (24*3600) ≈ 116 QPS
  • Storage: User credentials and tokens ~100MB - 1GB depending on retention
  • Bandwidth: Login requests small (~1KB), authorization checks smaller (~0.5KB), total ~10-20 MB/s
Interview Tip

Start by clearly defining authentication and authorization. Discuss their differences and dependencies. Then explain how each scales differently. Highlight bottlenecks and propose targeted solutions. Use real numbers and simple analogies like "authentication is like checking ID at a door, authorization is like checking if you can enter a room inside." Keep answers structured and focused.

Self Check

Your authentication database handles 1000 QPS. Traffic grows 10x to 10,000 QPS. What do you do first?

Answer: Introduce horizontal scaling by adding more authentication servers behind a load balancer and implement token-based stateless authentication (e.g., JWT) to reduce database load. Also, add caching layers for session validation to reduce repeated DB hits.
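The stateless-token and permission-cache pattern that the Scaling Solutions bullets and the Self Check answer both describe, as an added example that is not code from the original page: an HMAC-signed token that any auth server behind the load balancer can validate without a session-store lookup, and a TTL cache in front of the permission store so that authorization checks do not reach the database on every request. The key, user names, permission sets and TTLs are constructed values; a production system would use a standard JWT library with key rotation rather than this hand-rolled token.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-key-not-for-production"  # assumption: one HMAC key shared by all auth servers

def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def issue_token(user_id, ttl_s=900, now=None):
    """Authentication happens once at login; the result is a self-contained signed token."""
    now = time.time() if now is None else now
    payload = b64(json.dumps({"sub": user_id, "exp": now + ttl_s}).encode())
    sig = b64(hmac.new(SECRET, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{sig}"

def verify_token(token, now=None):
    """Stateless validation: no session-store or DB lookup, only HMAC and expiry checks."""
    now = time.time() if now is None else now
    try:
        payload, sig = token.split(".")
    except ValueError:
        return None                                   # malformed token: fail closed
    expected = b64(hmac.new(SECRET, payload.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):        # constant-time compare
        return None                                   # tampered payload or signature
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    return claims["sub"] if claims["exp"] > now else None   # expired tokens are rejected

PERMISSION_DB = {"alice": {"read:doc", "write:doc"}, "bob": {"read:doc"}}  # constructed sample store

class PermissionCache:
    """Authorization side: permission lookups behind a TTL cache, so repeated
    checks for the same user within the TTL never reach the permission store."""
    def __init__(self, store, ttl_s=60):
        self.store, self.ttl_s, self.cache = store, ttl_s, {}
        self.db_hits = 0                              # instrumented to show the cache effect

    def permissions_for(self, user, now):
        entry = self.cache.get(user)
        if entry and entry[1] > now:
            return entry[0]                           # cache hit, still fresh
        self.db_hits += 1                             # miss or stale: hit the store once
        perms = self.store.get(user, set())
        self.cache[user] = (perms, now + self.ttl_s)
        return perms

    def authorize(self, token, action, now=None):
        now = time.time() if now is None else now
        user = verify_token(token, now)               # authenticate first, fail closed
        return user is not None and action in self.permissions_for(user, now)
```

Because the token carries its own expiry, invalidating one before it expires needs a separate revocation list, which is the usual trade-off of stateless sessions.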

Key Result
Authentication services become bottlenecks first due to login verification load; scaling requires horizontal servers, token-based stateless sessions, and caching, while authorization scales with caching and distributed policy evaluation.