Microservice authentication and authorisation

Below is a sequence diagram describing a common pattern for handling authentication and authorisation in a microservice solution, where you have a number of small web services interconnected and don’t want them all having to implement  authentication and authorisation individually, just to be simple services focused on their job.

Microservice authentication and authorisation seq

Using this pattern you can have any number of business microservices, all using the authentication automatically and calling the same authorisation service when necessary, making them simpler to implement and re-using the services easier.

You can go a step further and put the authorisation checks in the reverse proxy against each service endpoint but this requires the reverse proxy to know the actions/permissions of each service, plus it’s likely your services permissions will be dynamic based on execution.

Nginx with lua scripts are a good way of implementing the smart reverse proxy, below are some links about this.





8 thoughts on “Microservice authentication and authorisation

    • I’m using it on a couple of internal projects, can’t find any clear documentation of it being used in other projects but I’m fairly sure it is as it’s just a microservice implementation of the “Intercepting Web Agent” or “Web Agent Interceptor” pattern, which is common for large web applications.

      • Thanks for your reply, I’m gonna check this pattern.
        Actually I meant more like an example implementation for this architecture. Do you have an example github project about it?

      • Not currently, but was thinking about making one as a template for new projects. Problem is it would be quite implementation specific, i.e. example services in Java/Ruby, routing config scripts for nginx or apache and provisioning in puppet/vagrant. The majority of the effort for a real implementation is in the setup/routing, not the services, and how it has to be implemented changes depends on the architecture (front web server setup, number of services/servers, using haproxy, routing script language).

        A simple example would just be the config and lua scripts for a single nginx box pointing at a couple of simple Microservices, which wouldn’t show the real benefits of the pattern, the ability to scale, failover, reduction in code across multiple services.

  1. Thank you for pointing out these things, got a better understanding from it.
    Tried to find an example project for this and regardless of the implementation details like: vagrant/puppy, java/ruby, nginx/apache couldn’t find anything, probably due to the maturity of the topic, so I think it would be useful.
    If you finally decide to publish such an example, please drop a link here.

  2. Pingback: Microservice authentication and authentication scaling | Steven Alexander

  3. Pingback: Microservice authentication and authorisation using Docker | Steven Alexander

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s