Alpha Coder

Authentication strategies in microservices architecture

When moving from monolith to microservices or considering microservices for a greenfield project, it’s important to evaluate the authentication strategies available to you to find the one most suitable for your system, as authentication is an integral part of how most applications are interacted with.

In this article, I outline the most common auth strategies I’ve come across working with microservices, describing how they work and identifying their pros and cons.

Auth service

In this strategy, a microservice is created for the purpose of authentication. This service is contacted by downstream services required to authenticate client requests before processing them.

Pros:

Cons:

JWT verification per service

This approach is an extension of the previous strategy and is intended to reduce dependence on the auth service. Authentication primarily involves issuing and verifying tokens. JWT (JSON Web Tokens) can be used to verify tokens without having to hit a database or other persistent storage. This means each service can verify requests on their own. Token issuing is done in the auth service, while verification is handled in every service where it’s required. A client library is usually used to share this verification functionality with all the services that need to perform authentication.

Pros:

Cons:

Token blacklist cache

To compensate for the shortcomings of JWT, a cache can be used to store tokens that need to be invalidated. This means that every service must contact a shared cache to check if a token has been blacklisted after successfully verifying it, before proceeding to execute any auth-protected code.

Pros:

Cons:

API gateway auth

Most, if not all, microservices applications use an API gateway. An API gateway is the entry point where client requests go to before being sent to the appropriate API/edge services. The main function of a gateway is routing requests but they can be used for other purposes such as analytics, rate-limiting, data transformation, logging, health monitoring, caching and as you might have already guessed, authentication.

Pros:

Cons:

Need help getting something to work in your project? Try Alpha Coder Support!

Subscribe to the Alpha Coder Newsletter!

Get timely updates on new articles, courses and more from Nicholas Kajoh. Unsubscribe anytime.

Enjoy the content on Alpha Coder? Please buy me a coffee. 😊

Previous post: How to connect to a host's database from inside a Docker container


comments powered by Disqus