Authentication in Microservices: Approaches and Techniques

Authentication is the practice of verifying the identity of users or other entities as part of an access control system. A microservices application has multiple, independent services, each performing a specific predefined function. In this article, we’ll discuss the primary challenges of authentication in a microservices architecture, approaches you can use, and common techniques such as SSO and JWT.

Authentication in microservices can have three meanings:

Authenticating end-users accessing the microservices application
Authenticating microservices connecting to other microservices
Authenticating external services connecting to your microservices via API

Monolith authentication vs microservices authentication

A monolithic app consists of a single indivisible unit. It typically consists of a client-side user interface, a server-side app, and a database, all tightly integrated to deliver all functions in one unit. It has all the resources it needs, so there is no need for authentication within a monolithic application. Authentication only needs to be handled when users need to access the app.

By contrast, a microservices application has multiple independent components integrated via APIs. Whenever a microservice communicates with other microservices, you must make sure it is authenticated. Authentication ensures that only legitimate services and users have access to each microservice. In addition, like in a monolithic app, there is a need to authenticate end-users.

When implemented correctly, authentication and authorization are essential assets of a microservices app. It serves as an additional security check for all accessed resources, preventing security gaps and blind spots.

Microservices authentication challenges

In a microservices architecture, each microservice implements a specific function or part of the business logic. Each microservice access request must be authenticated and approved, which creates several challenges:

Central dependency—authentication and authorization logic must be handled separately by each microservice. You could use the same code in all microservices, but this requires that all microservices support a specific language or framework.
Violating the single responsibility principle—microservices are supposed to fulfill only one function. If you add global authentication and authorization logic to microservices, they now perform an additional function, making them less reliable and more difficult to manage.
Complexity—authentication and authorization in microservices can lead to very complex scenarios. Consider that there might be users, microservices, and third-party systems accessing every microservice. This complexity can make implementation and maintenance difficult.

3 Microservices Authentication Approaches

You can use one of the following strategies to implement authentication in a microservices application.

1. Edge-level authorization

In a simple scenario, authorization only occurs at the edge, typically using an API Gateway. You can use an API Gateway to centralize authentication and authorization for all downstream microservices. The gateway enforces authentication and access control for each microservice. In this case, NIST recommends implementing mitigation controls such as mutual authentication between microservices to prevent direct anonymous connections to internal services.

This strategy has the following disadvantages:

Less secure—if an attacker gets past the gateway, they can freely access any microservice. An API Gateway as a single access point violates the “defense in depth” principle.
More difficult to manage—if the system is complex with many roles and access control rules, pushing all authorization decisions to an API gateway can become unmanageable.
Limited access to development teams—typically, operations and maintenance teams set up API gateways, so the development team cannot change permissions directly. This disconnect can lead to communication and process overhead.

2. Service-level authorization

This strategy enables direct authentication and authorization for each microservice. The advantage is that each microservice has more control to enforce its access control policies. A service-level authorization architecture includes the following:

Policy Administration Point—lets administrators create, manage, and test access rules.
Policy Decision Point—checks which access control policy applies to the current request and evaluates whether to grant or deny the request.
Policy Enforcement Point—provides access decisions, enforcing the access policy for specific requests.
Policy Information Point—allows elements in the system to retrieve data about policies or receive account attributes to make policy decisions.

3. External entity identity propagation

This strategy can make authorization decisions while taking into account user context. For example, it can change the authorization decision based on user ID, user roles or groups, user location, time, or other parameters.

To perform authentication based on entity context, you must receive information about the end-user and propagate it to downstream microservices. A simple way to achieve this is to take an Access Token received at the edge and transfer it to individual microservices. This strategy provides the most granular control over microservice authentication. However, it has two main drawbacks:

Not secure—the content of the token is shared with all microservices, and as a result, attackers can compromise it. A possible solution is to sign tokens via a trusted issuer.
It requires internal microservices to support multiple authentication techniques, such as JWT, OIDC, or cookies.

Microservices authentication techniques

Once you have decided on your approach to microservices authentication, here are a few technical methods you can use to implement authentication in microservices.

Single Sign-On (SSO)

SSO allows a user or entity to log in once and gain access to multiple systems. In the context of a microservices architecture, SSO can have two meanings:

Authentication of end-users – It’s very convenient for end-users to have one central login, preferably using existing credentials, instead of requiring new credentials to log into your app. You can use identity and access management (IAM) solutions to set up a user database and define permissions for your user-facing microservices.

Microservices can redirect users to the IAM system for authentication, receive an encrypted SSO token, and then use it to log in users on subsequent attempts. Microservices can also use the IAM system for authorization, and the SSO token can specify which resources the user is permitted to access.

Authentication of microservices – You can also enable SSO for microservices that need to connect to other microservices, or to external services requesting access via API. Here you need to authorize a software entity or service account, not human users. You can use the same IAM solution. When a software entity requires access, it can be redirected to the IAM, and the IAM system provides an SSO token they can use in future API calls.

JSON Web Tokens

JSON Web Token (JWT) provides a mechanism for sharing a set of claims or properties from a client to a microservices application in an encrypted and secure way. JWTs can also secure communication between services or pass end-user context and data between microservices.

For example, you can use a JWT token to pass the ID of the calling microservice, the ID of the client, or the system that initiated the request. You can also store authorization and authentication properties in a JWT token and share them between multiple clients and servers.

Learn more in our detailed guide to JWT authentication

OAuth API Authentication

OAuth 2.0 provides an industry-standard protocol for authorizing users in distributed systems. In the context of microservices, the OAuth 2.0 client credential flow supports secure server-to-server communication between API clients and API servers. The OAuth framework reduces the burden on developers, eliminating the need to build their own authentication mechanism in each microservice.

OpenID Connect (OIDC) extends OAuth to add federated identities, making it possible to set up delegated authorization. Together, these two layers allow developers to build systems that interact with multiple identity providers. With OIDC and OAuth 2.0, it’s also possible to retrieve a user ID by sending an access token to the user information endpoint. The path to this endpoint can be determined using an OIDC lookup.

Microservices authentication with Frontegg

Frontegg gives you the flexibility to implement any approach you choose or need to protect your microservices. You can verify the authentication and authorization on the edge API Gateway. You also have the option of using our SDKs to verify them on the service level. These options allow you to create a robust and secure SaaS app, regardless of the use case or target audience.

GET STARTED NOW

The Complete Guide to SaaS Multi-Tenant Architecture

Read the guide

Cookie	Duration	Description
_vis_opt_s	3 months 8 days	Visual Website Optimizer sets this cookie to detect if there are new to or returning to a particular test.
_vis_opt_test_cookie	session	Visual Website Optimizer creates this cookie to determine whether or not cookies are enabled on the user's browser.
li_gc	6 months	Linkedin set this cookie for storing visitor's consent regarding using cookies for non-essential purposes.
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
messagesUtk	6 months	HubSpot sets this cookie to recognize visitors who chat via the chatflows tool.

Cookie	Duration	Description
_gcl_au	3 months	Google Tag Manager sets the cookie to experiment advertisement efficiency of websites using their services.
_hjSession_*	1 hour	Hotjar sets this cookie to ensure data from subsequent visits to the same site is attributed to the same user ID, which persists in the Hotjar User ID, which is unique to that site.
_hjSessionUser_*	1 year	Hotjar sets this cookie to ensure data from subsequent visits to the same site is attributed to the same user ID, which persists in the Hotjar User ID, which is unique to that site.
_hp2_ses_props.*	1 hour	Heap sets this cookie to store the timestamp and cookie domain or path.
_omappvp	1 year 1 month 4 days	The _omappvp cookie is set to distinguish new and returning users and is used in conjunction with _omappvs cookie.
_omappvs	20 minutes	The _omappvs cookie, used in conjunction with the _omappvp cookies, is used to determine if the visitor has visited the website before, or if it is a new visitor.
_vwo_uuid_v2	1 year	This cookie is set by Visual Website Optimiser and calculates unique traffic on a website.
cb_anonymous_id	1 year	Clearbit sets this cookie to track page views and traits for Clearbit.
cb_group_id	1 year	Clearbit sets this cookie to track page views and traits for Clearbit.

Cookie	Duration	Description
bcookie	1 year	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser IDs.
cb_user_id	1 year	Clearbit sets this cookie to collect data on visitors. This information is used to assign visitors into segments, making website advertising more relevant.

Cookie	Duration	Description
__Host-session	14 days	No description available.
__tld__	session	Description is currently not available.
_cfuvid	session	Description is currently not available.
_crowdcontrol_session_key	session	Description is currently not available.
_g2_session_id	session	Description is currently not available.
_hp2_hld346349427843107.1065080579	5 minutes	Description is currently not available.
_hp2_hld6722177740337317.1065080579	5 minutes	Description is currently not available.
_hp2_hld8090462093010520.1065080579	5 minutes	Description is currently not available.
cbtest	1 year	Description is currently not available.
debug	never	No description available.
events_distinct_id	session	Description is currently not available.
h1_device_id	1 year	Description is currently not available.
pfjscookies	1 year	Description is currently not available.