Bird
Raised Fist0
Microservicessystem_design~20 mins

Service-to-service authentication in Microservices - Practice Problems & Coding Challenges

Choose your learning style10 modes available
LearnWhyDeepArchPracticeChallengeDesignRecallScale

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Challenge - 5 Problems
🎖️
Service Authentication Master
Get all challenges correct to earn this badge!
Test your skills under time pressure!
🧠 Conceptual
intermediate
2:00remaining
Understanding service-to-service authentication methods

Which of the following methods is most suitable for authenticating microservices communicating within a trusted internal network?

AEmbedding static API keys in service requests without rotation
BUsing mutual TLS (mTLS) certificates exchanged between services
CRelying solely on IP whitelisting without any cryptographic verification
DUsing user session tokens passed between services
Attempts:
2 left
💡 Hint

Think about secure identity verification between services without relying on user context.

Architecture
intermediate
2:00remaining
Designing a token-based service-to-service authentication flow

In a microservices architecture, which sequence correctly describes a typical OAuth 2.0 client credentials flow for service-to-service authentication?

AService A requests an access token from the authorization server, then uses the token to call Service B
BService A directly calls Service B without any token, relying on network security
CService A sends user credentials to Service B to authenticate
DService B requests a token from Service A before processing the request
Attempts:
2 left
💡 Hint

Consider which service obtains the token and who validates it.

scaling
advanced
2:00remaining
Scaling service-to-service authentication with token caching

To reduce latency and load on the authorization server, a microservice caches access tokens. Which approach best balances security and performance?

ARequest a new token for every service call without caching
BCache tokens indefinitely without checking expiry to avoid repeated requests
CCache tokens until they expire, then request new ones; validate token expiry before each use
DCache tokens but ignore expiry and refresh only on failure
Attempts:
2 left
💡 Hint

Think about token validity and avoiding unnecessary calls.

tradeoff
advanced
2:00remaining
Choosing between mTLS and token-based authentication

Which statement best describes a tradeoff when choosing between mutual TLS (mTLS) and OAuth 2.0 token-based authentication for service-to-service security?

AmTLS provides strong identity verification but is complex to manage at scale; tokens are easier to rotate but require additional validation logic
BTokens are more secure than mTLS because they use encryption; mTLS does not encrypt data
CTokens cannot be revoked once issued; mTLS certificates never expire
DmTLS requires user credentials; tokens do not require any credentials
Attempts:
2 left
💡 Hint

Consider management complexity and security features.

estimation
expert
3:00remaining
Estimating token validation load in a large microservices system

A system has 100 microservices, each making 50 authenticated calls per second to other services using OAuth 2.0 tokens. If each token validation takes 5 milliseconds on average, estimate the total CPU time spent per second on token validation across the system.

A250 seconds of CPU time per second
B2.5 seconds of CPU time per second
C0.25 seconds of CPU time per second
D25 seconds of CPU time per second
Attempts:
2 left
💡 Hint

Calculate total calls per second and multiply by validation time.

Practice

(1/5)
1. What is the main purpose of service-to-service authentication in microservices?
easy
A. To ensure that one service can securely verify the identity of another service
B. To speed up communication between services
C. To store data between services
D. To monitor the health of services

Solution

  1. Step 1: Understand the role of authentication

    Authentication is about verifying identity to ensure trust between entities.

  2. Step 2: Apply to microservices context

    In microservices, service-to-service authentication ensures one service knows it is talking to a trusted service.

  3. Final Answer:

    To ensure that one service can securely verify the identity of another service -> Option A

  4. Quick Check:

    Authentication means verifying identity = A [OK]
Hint: Authentication means verifying identity between services [OK]
Common Mistakes:
  • Confusing authentication with data storage
  • Thinking authentication speeds up communication
  • Mixing authentication with monitoring
2. Which of the following is a common method used for service-to-service authentication?
easy
A. Using JWT tokens issued by an authentication server
B. Using SQL queries to verify service identity
C. Using CSS styles to secure communication
D. Using HTML forms for authentication

Solution

  1. Step 1: Identify valid authentication methods

    JWT tokens are widely used for secure token-based authentication between services.

  2. Step 2: Eliminate unrelated options

    SQL queries, CSS, and HTML forms are unrelated to service authentication.

  3. Final Answer:

    Using JWT tokens issued by an authentication server -> Option A

  4. Quick Check:

    JWT tokens = common authentication method [OK]
Hint: JWT tokens are standard for service authentication [OK]
Common Mistakes:
  • Confusing UI technologies with authentication
  • Thinking database queries authenticate services
  • Mixing frontend and backend concepts
3. Consider this simplified code snippet for service-to-service authentication using JWT: 
token = auth_server.issue_token(service_id="serviceA")
if auth_server.verify_token(token):
    print("Access granted")
else:
    print("Access denied")
What will be printed if the token is valid?
medium
A. Access denied
B. Error: token missing
C. Access granted
D. No output

Solution

  1. Step 1: Understand token issuance and verification

    The token is issued by the auth server and then verified immediately.

  2. Step 2: Check the conditional logic

    If the token is valid, verify_token returns True, so "Access granted" is printed.

  3. Final Answer:

    Access granted -> Option C

  4. Quick Check:

    Valid token means access granted [OK]
Hint: Valid token means verify_token returns True [OK]
Common Mistakes:
  • Assuming token is invalid without checking
  • Confusing print outputs
  • Ignoring the if-else structure
4. A microservice uses mTLS for service-to-service authentication but fails to connect. Which is the most likely cause?
medium
A. The server service is down
B. The API key is expired
C. The database is unreachable
D. The client service does not have a valid client certificate

Solution

  1. Step 1: Understand mTLS requirements

    mTLS requires both client and server to have valid certificates for mutual authentication.

  2. Step 2: Identify the cause of failure

    If connection fails due to authentication, missing or invalid client certificate is the likely cause.

  3. Final Answer:

    The client service does not have a valid client certificate -> Option D

  4. Quick Check:

    mTLS needs valid client cert = B [OK]
Hint: mTLS needs valid client certificate on both sides [OK]
Common Mistakes:
  • Blaming server downtime without checking certificates
  • Confusing database issues with authentication
  • Mixing API keys with mTLS
5. You design a system where multiple microservices authenticate each other using JWT tokens issued by a central auth server. To improve scalability and security, which approach is best?
hard
A. Each service calls the auth server to verify tokens on every request
B. Each service validates tokens locally using the auth server's public key without calling the auth server every time
C. Services share a single API key for all authentication
D. Services trust any token without verification to reduce latency

Solution

  1. Step 1: Consider scalability of token verification

    Calling the auth server on every request creates a bottleneck and reduces scalability.

  2. Step 2: Use public key verification locally

    JWT tokens can be verified locally using the auth server's public key, improving speed and security.

  3. Final Answer:

    Each service validates tokens locally using the auth server's public key without calling the auth server every time -> Option B

  4. Quick Check:

    Local JWT verification improves scalability = A [OK]
Hint: Verify JWT locally with public key for scalability [OK]
Common Mistakes:
  • Calling auth server on every request causing bottlenecks
  • Using shared API keys reduces security
  • Skipping token verification breaks security