Mess around software system design

MicroSvcs_Security

Last updated 3 years ago
Security

Auth architecture revolution

Single server cookie based auth

Multi server sticky session based auth

  • Cons:

    • Sticky session binds a session to a single server, which is a problem if that server goes down or needs to be maintained.

    • Sticky session requires the load balancer to store session data.

  • Possible solutions:

    1. Session synchronization by replicating across web servers

    2. Store session data completely inside users' browser

      • Cons: Limited size of cookie

    3. Store session data in a shared storage

Auth Service and token

  • Pros:

    • Encapsulate everything related to token issuing

    • Introduce the concept of token, which could be passed around between services

  • Cons:

    • Services need to implement the logic to validate the token.

    • All services need to talk to authSvc, which might become a performance bottleneck.

    • All requests need to be verified via auth service.

Gateway and token

  • Pros:

    • The gateway centralizes the logic of parsing userInfo; only the gateway needs to validate the token with the auth service.

  • Cons:

    • All requests need to be verified via auth service. Auth service needs to be maintained and scaled in a manageable way.

Gateway and JWT

  • Pros:

    • Compact and lightweight

    • Low pressure on Auth server

    • Simplifies the implementation of the auth server

  • Cons:

    • A JWT cannot be invalidated after it is issued, even if it has been leaked

    • JWT might become large

Microservices security architecture

External access token internal JWT token

  • Cons: Still relies on the gateway to exchange the access token for a JWT.

Encrypted JWT token

  • Pros: Stateless token

External access token internal JWT token with token cache

  • Most widely used in practice
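
The following is an added example that is not part of these notes or of any product they mention. It serves two of the sections above at once: the "Gateway and JWT" point that a JWT is verified statelessly and cannot be invalidated after issue, and the "External access token internal JWT token with token cache" pattern, where the gateway exchanges an opaque external access token for a short-lived internal JWT and caches the exchange so the auth service is not hit on every request. Everything in it is constructed for illustration: the HS256 signing key, the AuthService stand-in with its single token, the Gateway class, the cache TTL and the claim names.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed demo key (assumption): the auth server's internal signing key, shared
# only with the gateway and with the services that verify internal JWTs.
INTERNAL_JWT_KEY = b"demo-internal-signing-key"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_jwt(claims: dict, key: bytes) -> str:
    """Mint a compact HS256 JWT: b64url(header).b64url(payload).b64url(signature)."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [_b64url(json.dumps(o, separators=(",", ":")).encode()) for o in (header, claims)]
    signing_input = ".".join(parts)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_jwt(token: str, key: bytes, now: float, revoked: Optional[set] = None) -> Optional[dict]:
    """Stateless check (signature, pinned alg, exp) with no auth-service call. The optional
    `revoked` set of jti values is the state a pure JWT design lacks for a leaked token."""
    try:
        h, p, s = token.split(".")
        header, claims, sig = json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p)), _b64url_decode(s)
    except ValueError:  # malformed structure, base64 or JSON
        return None
    if header.get("alg") != "HS256":  # pin the algorithm; never accept "none"
        return None
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    if claims.get("exp", 0) <= now:
        return None
    if revoked and claims.get("jti") in revoked:
        return None
    return claims

class AuthService:
    """Stand-in (constructed) for the auth service: introspects opaque external access tokens."""
    def __init__(self, now: float):
        self.calls = 0  # makes the effect of the gateway's token cache observable
        self._tokens = {"ext-token-abc": {"sub": "alice", "roles": ["viewer"], "exp": now + 3600}}

    def introspect(self, access_token: str) -> Optional[dict]:
        self.calls += 1
        return self._tokens.get(access_token)

class Gateway:
    """Exchanges an external access token for an internal JWT and caches the result."""
    def __init__(self, auth: AuthService, key: bytes, jwt_ttl: int = 300):
        self.auth, self.key, self.jwt_ttl = auth, key, jwt_ttl
        self._cache = {}  # sha256(access_token) -> (expires_at, internal_jwt)

    def exchange(self, access_token: str, now: float) -> Optional[str]:
        cache_key = hashlib.sha256(access_token.encode()).hexdigest()  # never cache raw tokens
        hit = self._cache.get(cache_key)
        if hit and hit[0] > now:
            return hit[1]
        info = self.auth.introspect(access_token)
        if info is None:
            return None
        exp = min(now + self.jwt_ttl, info["exp"])  # internal JWT never outlives the external token
        claims = {"sub": info["sub"], "roles": info["roles"], "iat": now, "exp": exp, "jti": secrets.token_hex(8)}
        jwt = sign_jwt(claims, self.key)
        self._cache[cache_key] = (exp, jwt)
        return jwt

def demo() -> dict:
    now = 1_700_000_000.0
    auth = AuthService(now)
    gw = Gateway(auth, INTERNAL_JWT_KEY)
    jwt1 = gw.exchange("ext-token-abc", now)
    jwt2 = gw.exchange("ext-token-abc", now + 10)  # served from cache: no auth-service round trip
    claims = verify_jwt(jwt1, INTERNAL_JWT_KEY, now=now + 10)  # what a downstream service does
    forged = sign_jwt({"sub": "alice", "roles": ["admin"], "exp": now + 999}, b"wrong-key")
    return {
        "auth_calls": auth.calls,
        "cache_hit": jwt1 == jwt2,
        "sub": claims["sub"],
        "forged_accepted": verify_jwt(forged, INTERNAL_JWT_KEY, now=now) is not None,
        "leaked_still_valid": verify_jwt(jwt1, INTERNAL_JWT_KEY, now=now + 100) is not None,
        "revoked_accepted": verify_jwt(jwt1, INTERNAL_JWT_KEY, now=now + 100, revoked={claims["jti"]}) is not None,
        "expired_accepted": verify_jwt(jwt1, INTERNAL_JWT_KEY, now=now + 301) is not None,
    }

if __name__ == "__main__":
    print(demo())
```

Two design points are worth noticing. The cache is keyed by a hash of the access token, so a dump of the gateway's cache does not hand out usable external tokens, and the internal JWT's expiry is capped by the external token's expiry, so the cache can never extend a session beyond what the auth service granted. The `leaked_still_valid` result is the "cannot invalidate" con in action: the downstream service accepts the token without asking anyone, and only the `revoked` check (a small piece of shared state, plus short TTLs) turns that into a bounded window.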

Identity proxy with backend services

  • An identity-aware proxy is a reverse proxy that passes public endpoints through and checks credentials for protected endpoints. If a credential is required but not presented, it redirects the user to an identity provider. e.g. k8s ingress controller, nginx, envoy, Pomerium, ory.sh/oathkeeper, etc.

  • Identity provider and manager: one or a few services that manage user identity through workflows such as sign-in and forgot-password, e.g. ory.sh/kratos, keycloak.

  • OAuth2 and OpenID Connect provider enables 3rd-party developers to integrate with your service.

  • Authorization service controls who can do what.
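
The decision logic of the identity-aware proxy described above, as an added example that is not code from these notes or from any of the proxies named (Pomerium, oathkeeper, envoy). The class name, the `X-Forwarded-User` / `X-Forwarded-Roles` header names, the `SESSIONS` table standing in for the identity provider's session check and the IdP login URL are all assumptions made for this illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional
from urllib.parse import urlencode

# Headers that carry identity to the backend (assumed naming convention). Whatever the
# client sent under these names is discarded, so only the proxy can assert who the caller is.
IDENTITY_HEADERS = ("X-Forwarded-User", "X-Forwarded-Roles")

@dataclass
class Decision:
    action: str                                             # "forward" | "redirect" | "deny"
    location: str = ""                                      # set for "redirect"
    headers: Dict[str, str] = field(default_factory=dict)   # sent to the backend on "forward"

class IdentityAwareProxy:
    def __init__(self, public_paths, idp_login_url: str,
                 verify_credential: Callable[[str], Optional[dict]]):
        # Public paths are exact matches or prefixes ending in "/", so that making
        # "/healthz" public does not also expose "/healthz-admin".
        self.public_paths = tuple(public_paths)
        self.idp_login_url = idp_login_url
        self.verify_credential = verify_credential

    def _is_public(self, path: str) -> bool:
        return any(path == p or (p.endswith("/") and path.startswith(p)) for p in self.public_paths)

    def handle(self, path: str, headers: Dict[str, str], cookies: Dict[str, str],
               wants_html: bool = True) -> Decision:
        # Strip client-supplied identity headers before anything else.
        clean = {k: v for k, v in headers.items() if k not in IDENTITY_HEADERS}
        if self._is_public(path):
            return Decision("forward", headers=clean)
        cred = cookies.get("session")
        auth = headers.get("Authorization", "")
        if cred is None and auth.startswith("Bearer "):
            cred = auth[len("Bearer "):]
        if cred is None:
            if wants_html:  # browser client: bounce to the IdP and come back to the original URL
                return Decision("redirect", location=f"{self.idp_login_url}?{urlencode({'redirect_uri': path})}")
            return Decision("deny")  # API client without a credential gets 401, not a redirect
        identity = self.verify_credential(cred)
        if identity is None:
            return Decision("deny")  # credential present but invalid: 401, never a redirect loop
        clean["X-Forwarded-User"] = identity["sub"]
        clean["X-Forwarded-Roles"] = ",".join(identity.get("roles", []))
        return Decision("forward", headers=clean)

# Constructed session store standing in for the identity provider's session check.
SESSIONS = {"sess-123": {"sub": "alice", "roles": ["viewer", "editor"]}}

def build_proxy() -> IdentityAwareProxy:
    return IdentityAwareProxy(
        public_paths=["/healthz", "/static/"],
        idp_login_url="https://idp.example.test/login",  # placeholder IdP URL
        verify_credential=SESSIONS.get,
    )

if __name__ == "__main__":
    proxy = build_proxy()
    print(proxy.handle("/api/orders", {}, {}))
    print(proxy.handle("/api/orders", {"X-Forwarded-User": "mallory"}, {"session": "sess-123"}))
```

The two checks that are easy to forget in a real deployment are both present here: identity headers are stripped from the incoming request before the proxy sets its own, so a backend that trusts `X-Forwarded-User` is not trusting the client, and an invalid credential produces a deny rather than another redirect, which is what prevents a redirect loop between the proxy and the identity provider.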

Real world examples

Auth at Netflix

  • https://netflixtechblog.com/edge-authentication-and-token-agnostic-identity-propagation-514e47e0b602

Tianpan.co

  • https://tianpan.co/#big-picture-authn-authz-and-identity-management

An excellent blogger

  • https://medium.com/@chamod.14_80003/token-caching-wso2-api-manager-5c5b3d6ddd09

  • https://www.pingidentity.com/en/company/blog/posts/2021/ultimate-guide-token-based-authentication.html

  • Protecting Server Resources Hosting Unauthenticated APIs

  • Who Owns API Security, and How Much Security Is Enough?

  • DSig Part 1: XML Digital Signature and WS-Security Integrity

  • DSig Part 2: JSON Web Signature (JWS)

  • DSig Part 3: XML DSig vs. JSON Web Signature

  • API Security vs. Web Application Security Part 1: A Brief History of Web Application Architecture

  • API Security vs. Web Application Security: Part 2

  • SAML 2.0 vs. JWT: Understanding Federated Identity and SAML

  • Delegation — A General Discussion

  • OAuth2 Access Tokens vs API Keys — Using JWTs

  • OAuth2 Access Tokens and Multiple Resources Series

  • Authorization Series

  • The Benefits of JWTs as OAuth2 Access Tokens

  • Identiverse Reflections: News, Trends and a Glimpse into the Future

  • The Many Ways of Approaching Identity Architecture

  • A Brief Summary of All Things Apigee and API Management that I Have Written

  • Authentication vs. Federation vs. SSO

  • What is Authorization?

  • How To Submit Your Security Tokens to an API Provider Pt. 1

  • JWT Use Cases

  • Application Security Models

  • Identity Propagation in an API Gateway Architecture

  • An Alternative to Delegated Access in the Enterprise

  • SAML2 vs JWT: Apigee & Azure Active Directory Integration — A JWT Story

  • Keeping Your APIs Secure for Multiple User Types

  • Sample: WSO2 EI Cache Mediator based Token Caching

Sticky session

A talk on InfoQ: https://www.infoq.com/presentations/netflix-user-identity/

Access control at Netflix: https://netflixtechblog.com/consoleme-a-central-control-plane-for-aws-permissions-and-access-fd09afdd60a8

Netflix container security: https://netflixtechblog.com/evolving-container-security-with-linux-user-namespaces-afbe3308c082

Netflix detect credential leak: https://netflixtechblog.com/netflix-cloud-security-detecting-credential-compromise-in-aws-9493d6fd373a

Netflix viewing privacy: https://netflixtechblog.com/protecting-netflix-viewing-privacy-at-scale-39c675d88f45