Microservicessystem_design~25 mins

OAuth 2.0 for microservices - System Design Exercise

Choose your learning style9 modes available

Learn Why Deep Arch Practice Challenge Design Recall Scale

Design: OAuth 2.0 Authorization for Microservices

Design covers OAuth 2.0 authorization server, token issuance, validation, and integration with microservices. Out of scope: user interface design, detailed user management, and third-party identity providers.

Functional Requirements

FR1: Allow users to authenticate and authorize access to multiple microservices securely.

FR2: Support token-based authentication using OAuth 2.0 standard.

FR3: Enable microservices to validate access tokens efficiently without contacting the authorization server on every request.

FR4: Support scopes and roles to restrict access to specific microservice APIs.

FR5: Allow token refresh without requiring user re-login.

FR6: Ensure secure communication between microservices and the authorization server.

FR7: Handle token revocation and expiration properly.

Non-Functional Requirements

NFR1: System must handle 10,000 concurrent users with low latency (p99 < 150ms for token validation).

NFR2: Authorization server availability must be 99.9% uptime.

NFR3: Microservices should not become bottlenecks due to authentication overhead.

NFR4: Tokens should have a limited lifetime (e.g., 1 hour) with refresh tokens valid for 7 days.

NFR5: Use industry-standard OAuth 2.0 flows suitable for microservices architecture.

Think Before You Design

Questions to Ask

❓ Question 1

❓ Question 2

❓ Question 3

❓ Question 4

❓ Question 5

❓ Question 6

Key Components

Authorization Server (OAuth 2.0 compliant)

Resource Servers (microservices)

API Gateway or Authentication Proxy

Token Store or Introspection Endpoint

User Authentication Service

Refresh Token Mechanism

Design Patterns

JWT (JSON Web Token) for stateless token validation

Token Introspection for opaque tokens

API Gateway as centralized authentication enforcement

Refresh Token rotation for security

Scope-based and role-based access control

Reference Architecture

  +-------------+       +-------------------+       +----------------+
  |             |       |                   |       |                |
  |   Client    +------>+ Authorization     +------>+ Token Store or  |
  |  (User App) |       | Server (AuthN/AuthZ)|     | Introspection   |
  +-------------+       +-------------------+       +----------------+
         |                        |                          |
         |                        |                          |
         |                        |                          |
         v                        v                          v
  +-------------+         +----------------+         +----------------+
  |             |         |                |         |                |
  | API Gateway +-------->+ Microservices  +<------->+ User Service   |
  | (Auth Proxy)|         | (Resource      |         |                |
  +-------------+         | Servers)       |         +----------------+
                          +----------------+

Components

Authorization Server

OAuth 2.0 compliant server (e.g., Keycloak, Auth0, custom)

Handles user authentication, issues access and refresh tokens, manages scopes and roles.

API Gateway

Nginx, Kong, or custom gateway

Central entry point that validates tokens before forwarding requests to microservices.

Microservices (Resource Servers)

Any microservice framework (Spring Boot, Node.js, etc.)

Provide business functionality and enforce authorization based on token scopes.

Token Store / Introspection Endpoint

In-memory cache or database for opaque tokens; introspection API

Allows microservices or gateway to validate opaque tokens by querying authorization server.

User Service

User database and authentication backend

Manages user credentials and profile data.

Request Flow

1. 1. Client requests authorization from Authorization Server using OAuth 2.0 flow (e.g., Authorization Code).

2. 2. Authorization Server authenticates user and issues access token (JWT or opaque) and refresh token.

3. 3. Client sends access token with API requests to API Gateway.

4. 4. API Gateway validates token locally if JWT or calls introspection endpoint if opaque.

5. 5. If token is valid and scopes allow, API Gateway forwards request to appropriate microservice.

6. 6. Microservice optionally validates token claims and enforces fine-grained access control.

7. 7. If access token expires, client uses refresh token to get a new access token from Authorization Server.

8. 8. Authorization Server supports token revocation and expiration to maintain security.

Database Schema

Entities: - User: id (PK), username, password_hash, email - ClientApp: id (PK), client_id, client_secret, redirect_uris - AccessToken: token_id (PK), user_id (FK), client_id (FK), scopes, expiry, token_type (JWT/opaque) - RefreshToken: token_id (PK), user_id (FK), client_id (FK), expiry - Scope: scope_name (PK), description - Role: role_name (PK), description Relationships: - User has many AccessTokens and RefreshTokens - ClientApp issues tokens to Users - AccessTokens have many Scopes - Users have Roles that map to Scopes for authorization

Scaling Discussion

Bottlenecks

Authorization Server becomes a bottleneck under high token issuance or introspection requests.

API Gateway latency increases due to token validation overhead.

Token revocation and refresh token management complexity grows with user base.

Microservices may face overhead if they validate tokens on every request.

Solutions

Use JWT tokens to enable stateless token validation at API Gateway and microservices, reducing calls to Authorization Server.

Cache token introspection results with short TTL to reduce load on Authorization Server.

Scale Authorization Server horizontally with load balancers.

Implement refresh token rotation and secure storage to reduce risk and complexity.

Use API Gateway to centralize authentication and offload microservices.

Use asynchronous event-driven mechanisms to propagate token revocation information to microservices.

Interview Tips

Time: Spend 10 minutes clarifying requirements and constraints, 20 minutes designing components and data flow, 10 minutes discussing scaling and security considerations, and 5 minutes summarizing.

Explain OAuth 2.0 flows suitable for microservices (Authorization Code with PKCE, Client Credentials).

Discuss trade-offs between JWT and opaque tokens for validation and security.

Highlight importance of scopes and roles for fine-grained access control.

Describe how API Gateway can centralize authentication to reduce complexity.

Address token revocation and refresh token security best practices.

Discuss scaling strategies to maintain low latency and high availability.