Authentication as a microservice talk given by Brian Pontarelli at the Denver Microservices meetup. Want to learn how to implement authentication in your microservices architecture, this presentation covers the basic concepts.

1. Auth as a Microservice
How I learned to stop worrying and love JWT

2. In the Beginning

3. Backend

4. Backend users user_roles roles
todos

5. CREATE TABLE todos (
id INT NOT NULL,
text TEXT NOT NULL,
user_id INT NOT NULL,
PRIMARY KEY (id),
CONSTRAINT todos_fk_1 FOREIGN KEY (user_id)
REFERENCES users(id) ON DELETE CASCADE
);

6. Backend
GET /login
HTML

7. Backend
POST /login
302 + Session
ID
Session
user
42
users

8. Backend
GET /todos +
Session ID
HTML
Session
user
42
todos

9. SELECT * FROM todos WHERE user_id = 42;

10. What about everything else?
● Works on SPAs and Mobile
● Session ID is the user identifier
● Generally hard to steal or forge
● Uses simple HTTP cookies

11. The Pain
● Stateful
● Potentially requires session replication
● Session pinning
● Harder to scale since every instance runs everything
● One big database

12. User API
Todo API

13. User API
Todo API
users
todos

14. User API
users user_roles roles

15. Todo API
todos

16. CREATE TABLE todos (
id INT NOT NULL,
text TEXT NOT NULL,
user_id INT NOT NULL,
PRIMARY KEY (id)
);

17. User API
POST /login
???

18. User API
POST /login
???
user
42
users

19. User API
POST /login
User as JSON
user
42
users

20. {
"user": {
"id": 42,
"name": "Brian Pontarelli",
"email": "brian@inversoft.com",
"roles": ["admin"]
}
}

21. user
42 Todo API
GET /todos?user_id=42
JSON todos

22. Danger Will Robinson!

23. user
1 Todo API
GET /todos?user_id=1
JSON todos

24. X Get milk

25. Haha - His wife is gonna be pissed

26. Haha - Her husband is gonna be pissed

27. User API
Todo API
users
todos
user
user
T
T
T

28. User API
Todo API
users
todos
user
user
T
T
T
GET /token/T User as JSON

29. Tokens
● There must be a User -> Token mapping
● In memory or in database
● Makes the User API slightly stateful
● Can be very chatty
● Couples the User API to EVERYTHING (almost)

30. User API
Todo API
users
todos
user
user
J
W
T
J
W
T
J
W
T

31. JWT
● JSON Web Tokens
● Signed with a public/private key pair
● Can be validated by Todo API without calling User API
● Contains roles

32. JWT
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE0
ODUxNDA5ODQsImlhdCI6MTQ4NTEzNzM4NCwiaXNzIjoiYWNtZ
S5jb20iLCJzdWIiOiIyOWFjMGMxOC0wYjRhLTQyY2YtODJmYy
0wM2Q1NzAzMThhMWQiLCJhcHBsaWNhdGlvbklkIjoiNzkxMDM
3MzQtOTdhYi00ZDFhLWFmMzctZTAwNmQwNWQyOTUyIiwicm9s
ZXMiOltdfQ.Mp0Pcwsz5VECK11Kf2ZZNF_SMKu5CgBeLN9ZOP
04kZo

33. JWT Header
{
"typ": "JWT",
"alg": "RS256"
}

34. JWT Body
{
"iss": "inversoft.io",
"exp": 1300819380,
"sub": "19016b73-3ffa-4b26-80d8-aa9287738677",
"name": "Brian Pontarelli",
"roles": ["RETRIEVE_TODOS"]
}

35. select * from todos where user_id =
‘19016b73-3ffa-4b26-80d8-aa9287738677’;

36. Code!

37. Deleting Users?

38. delete from users where user_id = 42;

39. Oops! No ON DELETE CASCADE

40. User API
Todo API
users
todos
DELETE
DELETE
DELETE
DELETE

41. User API
Todo API
users
todos
DELETE DELETE
Event
Webhook
DELETE

42. Code!