
Service-to-service authentication in Microservices - System Design Guide

Problem Statement
When microservices communicate without verifying each other's identity, unauthorized services can access sensitive data or perform actions they shouldn't. This leads to security breaches, data leaks, and trust issues between services.
Solution
Service-to-service authentication ensures that each service proves its identity before accessing another service. This is done by exchanging secure tokens or certificates that confirm the caller is trusted, preventing unauthorized access and maintaining secure communication.
Architecture
┌───────────────┐          ┌───────────────┐
│   Service A   │          │   Service B   │
│   (Client)    │          │   (Server)    │
└──────┬────────┘          └──────┬────────┘
       │   Request with Token     │
       │─────────────────────────>│
       │                          │
       │                          │ Validate Token
       │                          │ (inside Service B)
       │                          │
       │      Response Data       │
       │<─────────────────────────│

This diagram shows Service A sending a request with an authentication token to Service B. Service B validates the token before responding with data.

Trade-offs
✓ Pros
  • Prevents unauthorized services from accessing APIs, enhancing security.
  • Enables fine-grained access control between microservices.
  • Supports auditing and monitoring of service interactions.
  • Improves trust and accountability in distributed systems.
✗ Cons
  • Adds complexity to service communication with token management.
  • Requires infrastructure for issuing and validating tokens or certificates.
  • May introduce latency due to authentication checks on each request.
Use when multiple microservices communicate over a network and sensitive data or operations require protection, especially at scale beyond 1000 requests per second.
Avoid when services run in a fully trusted, isolated environment with no external access and minimal security requirements, or for very low-scale internal tools where overhead outweighs benefits.
Real World Examples
Netflix
Uses mutual TLS for service-to-service authentication to ensure only authorized microservices communicate within their cloud environment.
Google
Implements service accounts and OAuth tokens for secure authentication between microservices in Google Cloud Platform.
Uber
Uses JWT tokens for authenticating requests between microservices to prevent unauthorized access and ensure secure data flow.
Code Example
The before code shows a simple request without authentication, which is insecure. The after code adds JWT token generation in Service A and token validation in Service B, ensuring only authorized requests succeed.
### Before: No service-to-service authentication
import requests

def call_service_b():
    response = requests.get('http://service-b/api/data')
    return response.json()

### After: Service-to-service authentication using JWT token

# --- Service A (client) ---
import time

import jwt  # PyJWT
import requests

# Demo value only: in a real deployment load the key from a secret store.
SECRET_KEY = 'shared-secret'

def generate_token():
    """Create a short-lived (60 s) token identifying this service."""
    payload = {'iss': 'service-a', 'exp': int(time.time()) + 60}
    return jwt.encode(payload, SECRET_KEY, algorithm='HS256')

def call_service_b():
    """Call Service B with the token in the Authorization header."""
    headers = {'Authorization': f'Bearer {generate_token()}'}
    response = requests.get('http://service-b/api/data', headers=headers, timeout=5)
    return response.json()

# --- Service B (server, a separate process holding the same key) ---
from flask import Flask, request, jsonify
import jwt

SECRET_KEY = 'shared-secret'  # must match Service A's key

app = Flask(__name__)

@app.route('/api/data')
def data():
    auth_header = request.headers.get('Authorization', '')
    if not auth_header.startswith('Bearer '):
        return jsonify({'error': 'Unauthorized'}), 401
    token = auth_header[len('Bearer '):]
    try:
        # Pin the algorithm and require exp and iss, so a token without an
        # expiry or from an unexpected issuer is rejected.
        jwt.decode(token, SECRET_KEY, algorithms=['HS256'],
                   issuer='service-a', options={'require': ['exp', 'iss']})
    except jwt.ExpiredSignatureError:
        return jsonify({'error': 'Token expired'}), 401
    except jwt.InvalidTokenError:
        return jsonify({'error': 'Invalid token'}), 401
    return jsonify({'data': 'secure data'})
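The checks Service B's validation step has to make, spelled out as an added example (not the page's own code): besides signature and expiry it pins the algorithm, checks `iss` against an allow-list and checks `aud` against the service's own name, so a token minted for one service is not accepted by another. It uses only the Python standard library so it runs stand-alone; the key, the service names and the `mint`/`verify` helpers are constructed for illustration.

```python
import base64, hashlib, hmac, json, time

# Constructed demo values (assumptions, not taken from the page).
SECRET_KEY = b"demo-only-shared-secret"
TRUSTED_ISSUERS = {"service-a"}   # callers Service B accepts
MY_AUDIENCE = "service-b"         # Service B's own name

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint(iss, aud, ttl=60, alg="HS256", key=SECRET_KEY, now=None):
    """Service A side: build a compact JWT (header.payload.signature)."""
    now = int(time.time()) if now is None else now
    header = _b64(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64(json.dumps({"iss": iss, "aud": aud, "exp": now + ttl}).encode())
    signing_input = f"{header}.{body}".encode()
    # Any alg other than HS256 yields an unsigned token, used to test rejection.
    sig = hmac.new(key, signing_input, hashlib.sha256).digest() if alg == "HS256" else b""
    return f"{header}.{body}.{_b64(sig)}"

def verify(token, key=SECRET_KEY, now=None):
    """Service B side: return (True, claims) or (False, reason)."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_unb64(header_b64))
        claims = json.loads(_unb64(body_b64))
        sig = _unb64(sig_b64)
    except (ValueError, TypeError):
        return False, "malformed"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return False, "malformed"
    # Pin the algorithm: the verifier decides it, never the token header.
    if header.get("alg") != "HS256":
        return False, "bad alg"
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):   # constant-time comparison
        return False, "bad signature"
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return False, "missing or expired exp"
    if claims.get("iss") not in TRUSTED_ISSUERS:
        return False, "untrusted issuer"
    if claims.get("aud") != MY_AUDIENCE:
        return False, "wrong audience"
    return True, claims
```
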
Alternatives
Network-level security (e.g., VPN, VPC)
Secures communication channels but does not authenticate individual services explicitly.
Use when: Choose when you need to secure the network perimeter but have trusted services inside the network.
API Gateway Authentication
Centralizes authentication at the gateway rather than between each service pair.
Use when: Choose when you want to simplify authentication by handling it at the edge before requests reach internal services.
Summary
Service-to-service authentication prevents unauthorized microservices from accessing APIs.
It uses tokens or certificates to verify each service's identity before communication.
This pattern is essential for secure, scalable microservice architectures.

Practice

1. What is the main purpose of service-to-service authentication in microservices?
easy
A. To ensure that one service can securely verify the identity of another service
B. To speed up communication between services
C. To store data between services
D. To monitor the health of services

Solution

  1. Step 1: Understand the role of authentication

    Authentication is about verifying identity to ensure trust between entities.
  2. Step 2: Apply to microservices context

    In microservices, service-to-service authentication ensures one service knows it is talking to a trusted service.
  3. Final Answer:

    To ensure that one service can securely verify the identity of another service -> Option A
  4. Quick Check:

    Authentication means verifying identity = A [OK]
Hint: Authentication means verifying identity between services [OK]
Common Mistakes:
  • Confusing authentication with data storage
  • Thinking authentication speeds up communication
  • Mixing authentication with monitoring
2. Which of the following is a common method used for service-to-service authentication?
easy
A. Using JWT tokens issued by an authentication server
B. Using SQL queries to verify service identity
C. Using CSS styles to secure communication
D. Using HTML forms for authentication

Solution

  1. Step 1: Identify valid authentication methods

    JWT tokens are widely used for secure token-based authentication between services.
  2. Step 2: Eliminate unrelated options

    SQL queries, CSS, and HTML forms are unrelated to service authentication.
  3. Final Answer:

    Using JWT tokens issued by an authentication server -> Option A
  4. Quick Check:

    JWT tokens = common authentication method [OK]
Hint: JWT tokens are standard for service authentication [OK]
Common Mistakes:
  • Confusing UI technologies with authentication
  • Thinking database queries authenticate services
  • Mixing frontend and backend concepts
3. Consider this simplified code snippet for service-to-service authentication using JWT:
token = auth_server.issue_token(service_id="serviceA")
if auth_server.verify_token(token):
    print("Access granted")
else:
    print("Access denied")
What will be printed if the token is valid?
medium
A. Access denied
B. Error: token missing
C. Access granted
D. No output

Solution

  1. Step 1: Understand token issuance and verification

    The token is issued by the auth server and then verified immediately.
  2. Step 2: Check the conditional logic

    If the token is valid, verify_token returns True, so "Access granted" is printed.
  3. Final Answer:

    Access granted -> Option C
  4. Quick Check:

    Valid token means access granted [OK]
Hint: Valid token means verify_token returns True [OK]
Common Mistakes:
  • Assuming token is invalid without checking
  • Confusing print outputs
  • Ignoring the if-else structure
4. A microservice uses mTLS for service-to-service authentication but fails to connect. Which is the most likely cause?
medium
A. The server service is down
B. The API key is expired
C. The database is unreachable
D. The client service does not have a valid client certificate

Solution

  1. Step 1: Understand mTLS requirements

    mTLS requires both client and server to have valid certificates for mutual authentication.
  2. Step 2: Identify the cause of failure

    If connection fails due to authentication, missing or invalid client certificate is the likely cause.
  3. Final Answer:

    The client service does not have a valid client certificate -> Option D
  4. Quick Check:

    mTLS needs valid client cert = B [OK]
Hint: mTLS needs valid client certificate on both sides [OK]
Common Mistakes:
  • Blaming server downtime without checking certificates
  • Confusing database issues with authentication
  • Mixing API keys with mTLS
5. You design a system where multiple microservices authenticate each other using JWT tokens issued by a central auth server. To improve scalability and security, which approach is best?
hard
A. Each service calls the auth server to verify tokens on every request
B. Each service validates tokens locally using the auth server's public key without calling the auth server every time
C. Services share a single API key for all authentication
D. Services trust any token without verification to reduce latency

Solution

  1. Step 1: Consider scalability of token verification

    Calling the auth server on every request creates a bottleneck and reduces scalability.
  2. Step 2: Use public key verification locally

    JWT tokens can be verified locally using the auth server's public key, improving speed and security.
  3. Final Answer:

    Each service validates tokens locally using the auth server's public key without calling the auth server every time -> Option B
  4. Quick Check:

    Local JWT verification improves scalability = A [OK]
Hint: Verify JWT locally with public key for scalability [OK]
Common Mistakes:
  • Calling auth server on every request causing bottlenecks
  • Using shared API keys reduces security
  • Skipping token verification breaks security