Microservicessystem_design~25 mins

Authentication at gateway level in Microservices - System Design Exercise

Choose your learning style9 modes available

Learn Why Deep Arch Practice Challenge Design Recall Scale

Design: Authentication at Gateway Level in Microservices

Design focuses on authentication at the API gateway level in a microservices architecture. Authorization inside microservices and user management systems are out of scope.

Functional Requirements

FR1: Authenticate all incoming client requests before routing to microservices

FR2: Support token-based authentication (e.g., JWT)

FR3: Validate tokens efficiently to minimize latency

FR4: Allow unauthenticated access to public endpoints

FR5: Provide detailed error responses for authentication failures

FR6: Support role-based access control (RBAC) for downstream services

FR7: Log authentication attempts for auditing

FR8: Handle 10,000 concurrent requests with p99 latency under 150ms

FR9: Ensure 99.9% uptime for the authentication gateway

Non-Functional Requirements

NFR1: Authentication must happen only once at the gateway to reduce load on microservices

NFR2: Gateway should not become a single point of failure

NFR3: Token validation should be stateless to support horizontal scaling

NFR4: Latency added by authentication should be minimal

NFR5: System must be secure against common attacks (replay, token forgery)

Think Before You Design

Questions to Ask

❓ Question 1

❓ Question 2

❓ Question 3

❓ Question 4

❓ Question 5

❓ Question 6

Key Components

API Gateway

Authentication Service or Identity Provider

Token Validation Module

Cache for token validation results

Logging and Monitoring System

Load Balancer

Microservices behind the gateway

Design Patterns

API Gateway Pattern

Token-based Authentication (JWT)

Stateless Authentication

Circuit Breaker for downstream services

Caching for token validation

Fail-fast authentication

Reference Architecture

Client
  |
  v
API Gateway (Auth Layer)
  |-- Token Validation (JWT)
  |-- Public Endpoint Bypass
  |-- Logging
  |
  v
Load Balancer
  |
  v
Microservices
  |
  v
Database / Identity Provider

Components

API Gateway

Nginx with Lua scripts or Kong Gateway

Entry point for all client requests; performs authentication and routes requests

Token Validation Module

Stateless JWT validation library

Validate token signature, expiry, and claims without external calls

Cache

Redis or in-memory cache

Cache token validation results to reduce repeated computation

Logging System

ELK Stack (Elasticsearch, Logstash, Kibana)

Store and analyze authentication logs for auditing and monitoring

Load Balancer

HAProxy or cloud provider load balancer

Distribute requests to multiple gateway instances for high availability

Microservices

Various (e.g., Spring Boot, Node.js)

Business logic services that trust gateway authentication

Identity Provider

OAuth2 / OpenID Connect server (e.g., Keycloak)

Issue tokens and manage user authentication

Request Flow

1. Client sends request with token to API Gateway

2. API Gateway checks if endpoint is public; if yes, forwards request without authentication

3. If authentication required, Gateway extracts token from request header

4. Gateway checks cache for token validation result to speed up processing

5. Gateway validates token signature and expiry locally using Token Validation Module

6. If token is invalid or expired, Gateway returns 401 Unauthorized response

7. If token is valid, Gateway logs authentication success

8. Gateway forwards authenticated request to appropriate microservice

9. Microservice processes request assuming authentication is done

10. Response flows back through Gateway to Client

Database Schema

Entities: - User (id, username, password_hash, roles) - Token (token_id, user_id, issued_at, expires_at, revoked) - Role (role_id, role_name) - Permission (permission_id, permission_name) Relationships: - User has many Roles (many-to-many) - Role has many Permissions (many-to-many) - Token belongs to User Note: Token storage is optional if using stateless JWT; revocation can be handled via blacklist or short expiry.

Scaling Discussion

Bottlenecks

API Gateway becoming a single point of failure under high load

Token validation CPU overhead if done synchronously for every request

Cache consistency for token revocation or expiry

Logging system overload with high authentication traffic

Solutions

Deploy multiple API Gateway instances behind a load balancer for redundancy and load distribution

Use stateless JWT validation to avoid external calls and reduce latency

Implement short token expiry and use cache with TTL to balance performance and revocation accuracy

Use asynchronous logging and log aggregation tools to handle high volume efficiently

Interview Tips

Time: Spend 10 minutes understanding requirements and clarifying scope, 20 minutes designing the architecture and data flow, 10 minutes discussing scaling and trade-offs, 5 minutes summarizing.

Explain why authentication at the gateway reduces load on microservices

Discuss stateless JWT validation benefits and challenges

Highlight importance of caching token validation results

Mention handling of public endpoints and error responses

Address scaling strategies and fault tolerance

Show awareness of security concerns like token revocation and replay attacks