From a single-server application to microservices: how does user authentication evolve?

User authentication is the act of confirming a user's identity when the user accesses a service. Because HTTP is stateless, application developers have to implement the user-authentication functions themselves.

Typically the server generates a credential when the user logs in and returns it to the client; the client carries that credential on every subsequent request, and the server verifies it to authenticate the user.

Whatever the business logic, if user authentication fails none of the subsequent operations may be performed, and the client has to be told that authentication failed; the corresponding HTTP status code is 401.

This article follows how the implementation of user authentication changes as traffic and scale grow and a service moves from a single-server application to a microservice architecture.

Single-server application

[Figure: UserAuthSingle]

At this stage there is only one server. The application keeps the session in the memory or on the disk of that one machine and hands a session id back to the client. Many web frameworks implement this out of the box, so you may never have noticed that this simple form of user authentication is there at all.

However, one application server is often not enough, for several reasons: it cannot carry much traffic, and if that single machine goes down the availability of the service is far too low...

Load balancing

[Figure: UserAuthLB]

With more than one server, the session can no longer simply be kept on the machine that created it, because after the user logs in on one machine the next request may well land on another.

  • Option A: authentication token

At login, some information is encoded into a string that is returned to the client; the client carries that string on subsequent requests; the server validates the string and, if it is legitimate, reads the user's identity out of it.

This removes the need to store session information on the server side, so multiple servers are supported easily. Because this string is used to authenticate, much like a military pass, we call it an authentication token.

The token format needs careful design: it must be tamper-resistant, carry a validity period, be usable inside a URL, be extensible, and so on. A well-designed token format of this kind has already been standardized as JWT and can be used directly. If JWT turns out to be awkward, designing your own format is possible, but the same rules still apply: the token must be signed (HMAC or an asymmetric signature) with a key the client never sees, the server must verify the signature and the expiry before trusting any field, and the algorithm the token claims to use must never be taken from the token itself.

(JWT is specified in RFC 7519.)

The drawback of the authentication token scheme is that it is hard to manage login state centrally. Once a token has been issued, normally all you can do is wait for it to expire, or for some piece of the identity information encoded in it to change. Functions such as kicking a user offline, managing a user's logged-in devices, or otherwise controlling a user's login state cannot be implemented.

  • Option B: distributed session

The other option is to move the session out of the application server and maintain it separately, forming a distributed session that every application server can reach.

[Figure: UserAuthLBSession]

Concretely, the distributed session can live in Redis, MySQL, and so on. But whatever storage system is used, the availability of user authentication now depends heavily on it; compared with the authentication token scheme, which needs no server-side storage at all, availability is certainly lower.

  • Option A + B

The authentication token loses functionality, and the distributed session is relatively weak on availability, so combining the two is the natural scheme.

Use the authentication token as the session id. In normal operation, user authentication is checked against the distributed session; when the distributed storage the session depends on occasionally fails, degrade the service and check only the authentication token. Availability is then guaranteed and the functionality is complete.

If the services that require login have a highly available distributed session, you can also add a field inside the token to distinguish session-backed tokens from token-only ones.
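As an added example (not code from the original post), the following Python sketches scheme A, scheme B and their combination A + B from the three sections above: a JWT-shaped HS256 token that is URL-safe, tamper-evident and expiring; an in-memory stand-in for the Redis/MySQL session store; and an authenticate() that checks the distributed session normally and degrades to a token-only check when the store is down. The secret key, the SessionStore class and all function names are assumptions of this example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed key for this example only; a real deployment loads it from a secret store.
SECRET = b"example-hs256-key-do-not-use-in-production"


def _b64url(data: bytes) -> str:
    # base64url without padding: safe to put in a URL or a header.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(uid: str, ttl: int, now: Optional[int] = None) -> str:
    """Scheme A: header.payload.signature, HMAC-SHA256 over the first two parts (JWT HS256 layout)."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps({"sub": uid, "iat": now, "exp": now + ttl}, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the payload if the signature verifies and the token is unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        if json.loads(_b64url_decode(h)).get("alg") != "HS256":
            return None  # refuse alg=none or any algorithm we did not issue
        expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None  # tampered payload or forged signature
        payload = json.loads(_b64url_decode(p))
    except (ValueError, TypeError, AttributeError):
        return None  # malformed token
    if not isinstance(payload, dict) or payload.get("exp", 0) <= now:
        return None  # expired (or carrying no exp at all)
    return payload


class SessionStoreDown(Exception):
    """The shared session store (Redis, MySQL, ...) is unreachable."""


class SessionStore:
    """Scheme B: in-memory stand-in for a distributed session store (constructed for the example)."""

    def __init__(self) -> None:
        self.sessions = {}
        self.available = True  # flip to False to simulate a storage outage

    def put(self, session_id: str, uid: str) -> None:
        if not self.available:
            raise SessionStoreDown()
        self.sessions[session_id] = uid

    def get(self, session_id: str) -> Optional[str]:
        if not self.available:
            raise SessionStoreDown()
        return self.sessions.get(session_id)

    def delete(self, session_id: str) -> None:
        # Logout / kicking a user offline: only possible because state lives server-side.
        if not self.available:
            raise SessionStoreDown()
        self.sessions.pop(session_id, None)


def login(store: SessionStore, uid: str, ttl: int, now: Optional[int] = None) -> str:
    """Scheme A + B: the signed token doubles as the session id in the shared store."""
    token = issue_token(uid, ttl, now)
    store.put(token, uid)
    return token


def authenticate(store: SessionStore, token: str, now: Optional[int] = None) -> Tuple[Optional[str], str]:
    """Returns (uid, mode); uid is None on failure, which the caller maps to HTTP 401."""
    payload = verify_token(token, now)
    if payload is None:
        return None, "invalid_token"  # the signature is always checked, even when the store is up
    try:
        uid = store.get(token)
    except SessionStoreDown:
        return payload.get("sub"), "degraded"  # store outage: trust the token alone, keep serving
    if uid is None:
        return None, "session_revoked"  # logged out or kicked offline
    return uid, "session"
```

The signature is verified before the store is consulted, so an outage of the session store never widens what an attacker can forge; what is lost in degraded mode is only the ability to see sessions that were revoked since the token was issued, which is exactly the trade-off the text describes.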

Microservices

As the business grows, so does the number of teams. Maintaining a single service together becomes harder and harder, so the service has to be split; but however it is split, every end-user-facing service still needs user authentication.

[Figure: UserAuthSplit]

User authentication is still required, so if the split simply copies all of the related code into each service, every service ends up depending on the user data store and on the distributed session.

That is too hard to maintain, so the user-authentication functions are split out into a separate user authentication service. Almost every large Internet company has one, under different names: some call it Passport, some Account, some User, but the function is always the same.

[Figure: UserAuthService]

In this way the code, data and deployment for login, registration and user authentication become completely independent and form a user authentication service. As the business keeps growing, services keep being split further. There may be dependencies between services, and in particular most end-user-facing services depend on the user authentication service.

[Figure: UserAuthMicroService]

More and more independent microservices depend on the user authentication service, so the same integration has to be repeated many times. Moreover, a single user request often involves several microservices; if each of them integrates user authentication on its own, the user is authenticated several times over, producing duplicate requests and wasting resources.

API gateway

[Figure: UserAuthApiGateway]

The API gateway faces the public network, and signature verification and user authentication for all external interfaces are gathered there. When the API gateway receives the user's authentication token, it calls the user authentication service to exchange it for a user id, and then uses that user id when calling the other microservices. Each microservice then serves requests by uid and no longer needs to care about end-user authentication, and the user authentication service only needs to integrate with the API gateway, so everyone's workload drops sharply. This only holds if the internal microservices accept the uid exclusively from the gateway, for example through network isolation, mutual TLS, or a gateway-signed internal credential; otherwise any client that can reach a microservice directly can impersonate a user simply by setting the uid header.
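As an added example (not code from the original post), the Python below models the API gateway pattern described above: the gateway authenticates once by exchanging the end-user token for a uid, strips any identity headers the client supplied, and forwards the uid to an internal microservice together with a MAC so the service can tell that the uid was attested by the gateway. The authentication service is a constructed token-to-uid table, and the header names, the gateway key and the order_service function are assumptions of this example.

```python
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed key for this example only. In production the gateway-to-service key comes from a
# secret store and is distinct from whatever key signs end-user tokens.
GATEWAY_INTERNAL_KEY = b"example-gateway-to-service-key"

# Stand-in for the user authentication service (Passport / Account / User): token -> uid.
# A real one would verify a signed token or look up the distributed session.
_AUTHN_SERVICE = {"tok-alice": "1001", "tok-bob": "1002"}


def authn_service_exchange(token: str) -> Optional[str]:
    """The one integration point: hand the gateway a uid for a valid token, None otherwise."""
    return _AUTHN_SERVICE.get(token)


def _attest_uid(uid: str) -> str:
    # MAC over the uid with the gateway-internal key; only the gateway and the services know it.
    return hmac.new(GATEWAY_INTERNAL_KEY, uid.encode(), hashlib.sha256).hexdigest()


def gateway_handle(headers: dict) -> Tuple[int, str]:
    """Edge: authenticate the external request once, then forward it with a gateway-attested uid."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, "missing token"
    uid = authn_service_exchange(auth[len("Bearer "):])
    if uid is None:
        return 401, "invalid token"
    # Drop any identity headers the client sent: only the gateway may set them.
    internal = {k: v for k, v in headers.items()
                if not k.startswith("X-User-") and k != "X-Gateway-Auth"}
    internal["X-User-Id"] = uid
    internal["X-Gateway-Auth"] = _attest_uid(uid)
    return order_service(internal)


def order_service(headers: dict) -> Tuple[int, str]:
    """An internal microservice: it never sees the end-user token, only the uid, and it trusts
    the uid only when the gateway's MAC over it verifies."""
    uid = headers.get("X-User-Id")
    mac = headers.get("X-Gateway-Auth", "")
    if uid is None or not hmac.compare_digest(mac.encode(), _attest_uid(uid).encode()):
        return 401, "uid not attested by gateway"
    return 200, f"orders for user {uid}"
```

The MAC is the smallest possible stand-in for the trust boundary; on its own it is replayable by anyone who captures it, so real deployments bind the attestation to a short expiry or a request identifier, or replace it with mutual TLS and network policy that keeps clients off the internal network altogether.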

Reference

https://www.slideshare.net/opencredo/authentication-in-microservice-systems-david-borsos

Origin: www.cnblogs.com/xinzhao/p/11571907.html