0
0
Microservicessystem_design~7 mins

Centralized vs distributed auth in Microservices - Architecture Trade-offs

Choose your learning style9 modes available
LearnWhyDeepArchPracticeChallengeDesignRecallScale
Problem Statement
When each microservice manages its own user authentication, inconsistencies arise, leading to security gaps and poor user experience. Without a unified approach, users may need to log in multiple times, and managing permissions becomes error-prone and complex.
Solution
Centralized authentication delegates all user login and token issuance to a single trusted service, which microservices then verify. Distributed authentication embeds user identity and permissions within tokens that microservices validate independently, reducing dependency on a central service.
Architecture
Client App
Client App
Auth Service
Auth Service
Microservice
Microservice
Client App
Client App
Auth Service
Auth Service
Microservice1
Microservice1
Microservice2
Microservice2

The diagram shows two approaches: centralized auth where microservices rely on a single auth service for token validation, and distributed auth where microservices independently validate signed tokens without contacting the auth service.

Trade-offs
✓ Pros
Centralized auth simplifies user session management and revocation by having a single source of truth.
Distributed auth reduces latency and dependency on the auth service during token validation.
Distributed auth scales better as microservices validate tokens locally without network calls.
✗ Cons
Centralized auth creates a single point of failure and potential bottleneck if the auth service is down or slow.
Distributed auth complicates token revocation and requires secure token signing and verification.
Centralized auth can increase latency due to network calls for each token validation.
Use centralized auth when you need strict control over sessions, easy revocation, and simpler auditing, especially if your system has moderate scale and low tolerance for stale permissions.
Avoid centralized auth when your system has very high request rates or requires low latency, as the auth service can become a bottleneck or single point of failure.
Real World Examples
Netflix
Uses centralized authentication with a dedicated auth service to manage user sessions and permissions across many microservices.
Uber
Implements distributed authentication using signed tokens (JWT) so microservices can independently verify user identity without contacting a central service.
Amazon
Employs a hybrid approach where tokens are issued centrally but microservices validate them locally to balance control and scalability.
Code Example
The before code shows centralized auth where each token validation requires a network call to the auth service, causing latency and dependency. The after code uses distributed auth by locally verifying the JWT token signature and expiry, eliminating network calls and improving scalability.
Microservices
Before (Centralized Auth - naive token check with network call):

import requests

def is_token_valid(token):
    response = requests.post('https://auth.service/validate', json={'token': token})
    return response.status_code == 200

After (Distributed Auth - local JWT verification):

import jwt

SECRET_KEY = 'secret'

def is_token_valid(token):
    try:
        payload = jwt.decode(token, SECRET_KEY, algorithms=['HS256'])
        return True
    except jwt.ExpiredSignatureError:
        return False
    except jwt.InvalidTokenError:
        return False
OutputSuccess
Alternatives
API Gateway Authentication
Authentication is handled at the gateway layer before requests reach microservices, offloading auth logic from services.
Use when: Use when you want to centralize auth checks at the edge and keep microservices simpler.
Session-based Authentication
Uses server-stored sessions instead of tokens, requiring stateful session management.
Use when: Choose when you need tight control over sessions and can afford stateful infrastructure.
Summary
Centralized authentication relies on a single service to validate user tokens, simplifying session control but risking bottlenecks.
Distributed authentication lets microservices verify signed tokens locally, improving scalability and reducing latency.
Choosing between them depends on system scale, latency needs, and how tightly you must control user sessions.