Microservicessystem_design~7 mins

Authentication at gateway level in Microservices - System Design Guide

Choose your learning style9 modes available

Learn Why Deep Arch Practice Challenge Design Recall Scale

Problem Statement

When each microservice handles authentication independently, it leads to duplicated code, inconsistent security policies, and increased latency. This scattered approach also makes it harder to update authentication mechanisms and increases the risk of security gaps across services.

Solution

Authentication at the gateway level centralizes the verification of user identity before requests reach any microservice. The gateway checks credentials or tokens once, then forwards authenticated requests downstream, reducing duplication and ensuring consistent security enforcement across all services.

Architecture

Client

→API Gateway

↓

Authentication

This diagram shows the client sending requests to the API Gateway, which performs authentication checks before forwarding requests to microservices.

Trade-offs

✓ Pros

→

Centralizes authentication logic, reducing code duplication across microservices.

→

Ensures consistent security policies and easier updates to authentication mechanisms.

→

Improves performance by authenticating once at the gateway instead of multiple times.

→

Simplifies microservices, allowing them to focus on business logic.

✗ Cons

→

Introduces a single point of failure if the gateway is down or misconfigured.

→

Can become a performance bottleneck under very high traffic if not scaled properly.

→

Limits microservices' ability to perform fine-grained or service-specific authentication.

Use when you have multiple microservices requiring consistent authentication and want to reduce duplicated security code. Suitable for systems with moderate to high traffic where centralized control improves security management.

Avoid when microservices require highly customized or independent authentication logic, or when the gateway cannot be scaled to handle peak loads without latency.

Real World Examples

Netflix

Netflix uses an API gateway to authenticate user tokens centrally before routing requests to various microservices, ensuring consistent access control across their streaming platform.

Uber

Uber employs gateway-level authentication to validate user sessions once, reducing overhead and maintaining uniform security policies across their ride-hailing microservices.

Amazon

Amazon's API Gateway authenticates requests centrally, allowing their diverse microservices to trust the gateway's verification and focus on processing business logic.

Code Example

The before code shows each microservice checking the token, causing duplication. The after code moves authentication to the gateway, which checks the token once before forwarding requests. Microservices trust the gateway and do not perform authentication themselves.

Microservices

### Before: Authentication inside each microservice (naive)
from flask import Flask, request, jsonify

app = Flask(__name__)

@app.route('/data')
def data():
    token = request.headers.get('Authorization')
    if not token or token != 'valid-token':
        return jsonify({'error': 'Unauthorized'}), 401
    return jsonify({'data': 'secret data'})


### After: Authentication at API Gateway (centralized)
# Gateway code
from flask import Flask, request, jsonify

app = Flask(__name__)

@app.before_request
def authenticate():
    token = request.headers.get('Authorization')
    if not token or token != 'valid-token':
        return jsonify({'error': 'Unauthorized'}), 401

@app.route('/proxy/<path:path>')
def proxy(path):
    # Forward request to microservice without auth check
    # (simplified example)
    return jsonify({'data': 'secret data from microservice'})

# Microservice code (no auth needed)
from flask import Flask, jsonify

microservice = Flask(__name__)

@microservice.route('/data')
def data():
    return jsonify({'data': 'secret data'})

OutputSuccess

Alternatives

Authentication at each microservice

Each microservice independently verifies user credentials or tokens, duplicating authentication logic.

Use when: Choose when microservices require distinct authentication rules or operate in highly isolated environments.

Service mesh with mutual TLS

Authentication is handled at the network layer between services using mutual TLS, focusing on service-to-service trust rather than user authentication.

Use when: Choose when securing service-to-service communication is the priority, alongside or instead of user authentication.

Summary

Authentication at the gateway centralizes user verification to avoid duplicated logic in microservices.

This approach ensures consistent security policies and simplifies microservice design.

However, it introduces a single point of failure and may limit service-specific authentication needs.