0
0
Microservicessystem_design~25 mins

Centralized vs distributed auth in Microservices - Design Approaches Compared

Choose your learning style9 modes available
LearnWhyDeepArchPracticeChallengeDesignRecallScale
Design: Authentication System for Microservices
Design covers authentication and authorization mechanisms for microservices. Does not cover user registration, password reset flows, or external identity providers integration.
Functional Requirements
FR1: Users must be able to log in and receive access tokens.
FR2: Microservices must verify user identity before granting access.
FR3: Support role-based access control (RBAC) across services.
FR4: Allow token revocation and session management.
FR5: Support scaling to 10,000 concurrent users.
FR6: Ensure low latency for authentication checks (p99 < 100ms).
FR7: Maintain 99.9% system availability.
Non-Functional Requirements
NFR1: Must work in a microservices environment with multiple independent services.
NFR2: Authentication data consistency must be maintained.
NFR3: Minimize network overhead for auth checks.
NFR4: Secure handling of credentials and tokens.
NFR5: Support both centralized and distributed authentication approaches.
Think Before You Design
Questions to Ask
❓ Question 1
❓ Question 2
❓ Question 3
❓ Question 4
❓ Question 5
❓ Question 6
Key Components
Authentication service (centralized or per service)
Token issuer and validator
API gateway or service mesh for auth enforcement
User database or directory
Cache for token validation
Logging and monitoring for auth events
Design Patterns
Centralized authentication with a dedicated auth service
Distributed authentication with local token validation
Token-based authentication (JWT)
Session management and token revocation
API gateway enforcing authentication
Service mesh with mutual TLS for service-to-service auth
Reference Architecture
                +---------------------+
                |   User / Client App  |
                +----------+----------+
                           |
                           | Login Request (username/password)
                           v
                +---------------------+          +---------------------+
                | Centralized Auth     |          | User Database       |
                | Service (OAuth2, JWT)|<-------->| (e.g., PostgreSQL)  |
                +----------+----------+          +---------------------+
                           |
           Issue JWT Token  |
                           v
                +---------------------+
                | API Gateway /        |
                | Service Mesh         |
                +----------+----------+
                           |
          Forward requests with JWT token
                           v
                +---------------------+
                | Microservices        |
                | (Validate JWT locally|
                | or via Auth Service) |
                +---------------------+
Components
Centralized Auth Service
OAuth2 server with JWT tokens
Handles user login, issues signed JWT tokens, manages token revocation and session state.
User Database
Relational DB (PostgreSQL)
Stores user credentials, roles, and permissions.
API Gateway / Service Mesh
Kong, Istio, or Envoy
Enforces authentication by validating tokens before forwarding requests to microservices.
Microservices
Various (Node.js, Java, etc.)
Perform business logic; validate JWT tokens locally or call Auth Service for validation.
Cache
Redis
Cache token validation results to reduce latency and load on Auth Service.
Request Flow
1. User sends login request with credentials to Centralized Auth Service.
2. Auth Service validates credentials against User Database.
3. If valid, Auth Service issues a signed JWT token with user roles and expiry.
4. User includes JWT token in Authorization header for API requests.
5. API Gateway or Service Mesh validates JWT token signature and expiry.
6. If valid, request is forwarded to target microservice.
7. Microservice optionally validates token locally or queries Auth Service for token status.
8. Microservice enforces role-based access control based on token claims.
9. For token revocation, Auth Service maintains a blacklist or uses short-lived tokens with refresh.
Database Schema
Entities: - User: id (PK), username, password_hash, email - Role: id (PK), name - UserRole: user_id (FK), role_id (FK) - TokenBlacklist: token_id, expiry Relationships: - User to Role is many-to-many via UserRole - TokenBlacklist stores revoked tokens to prevent reuse
Scaling Discussion
Bottlenecks
Centralized Auth Service can become a single point of failure and bottleneck under high load.
Database can be overwhelmed by frequent credential checks and role queries.
Token validation latency can add overhead to every API request.
Token revocation requires synchronization and can be complex with distributed caches.
Solutions
Scale Auth Service horizontally behind a load balancer with stateless JWT tokens to reduce state dependency.
Use caching (Redis) for user roles and token validation results to reduce DB load.
Adopt short-lived JWT tokens with refresh tokens to minimize revocation complexity.
Implement distributed token validation by embedding claims in JWT and validating signature locally in microservices.
Use API Gateway or service mesh to offload token validation from microservices.
Use database read replicas and connection pooling to handle increased DB load.
Interview Tips
Time: Spend 10 minutes understanding requirements and clarifying scope, 20 minutes designing architecture and data flow, 10 minutes discussing scaling and trade-offs, 5 minutes summarizing.
Explain difference between centralized and distributed authentication.
Discuss pros and cons of JWT tokens and token revocation strategies.
Highlight importance of caching and stateless tokens for scalability.
Mention security considerations like token signing and expiry.
Describe how API Gateway or service mesh can enforce auth.
Discuss how microservices validate tokens locally to reduce latency.