Authentication vs Authorization
- Authentication → Who are you? (identity)
- Authorization → What can you access? (permissions)
🔹 Challenge in Microservices
- Multiple services
- Stateless REST APIs
- Shared security logic
- Avoid session replication
👉 Solution: Token-based security (JWT + OAuth2)
🔹 OAuth2 (High-Level)
OAuth2 is a delegation framework:
- User authenticates once
- Gets an access token
- Token is used to access services
👉 Components:
- Authorization Server
- Resource Server (Microservices)
- Client (UI / App)
🔹 JWT (JSON Web Token)
JWT is a self-contained token that includes:
- User info
- Roles
- Expiry
- Signature
👉 Structure: header.payload.signature (three Base64URL-encoded parts separated by dots; the signature covers the header and payload, so the token can be verified without a database lookup)
🔹 Authentication Flow (Step-by-Step)
- User logs in
- Auth Server validates credentials
- Auth Server generates JWT
- Client sends JWT in the Authorization header (Bearer token)
- API Gateway validates token
- Request forwarded to microservice
- Microservice authorizes based on roles
🔹 Where Does Security Logic Live?
| Component | Responsibility |
|---|---|
| API Gateway | Token validation, rate limiting |
| Auth Server | Login, token issuing |
| Microservices | Role-based access |
🔹 Spring Security Example
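Added example (not from the original notes): a Spring Security 6 / Spring Boot 3 resource-server configuration for one microservice in the flow above. It runs stateless, validates the bearer JWT on every request (signature via the Auth Server's JWKS endpoint, which also handles key rotation; expiry and issuer via the default validators) and enforces role-based access from a `roles` claim. The issuer URL, the JWKS path and the `roles` claim name are assumptions; adjust them to your Auth Server.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class ResourceServerConfig {
    // Hypothetical Auth Server; tokens from any other issuer are rejected.
    private static final String ISSUER = "https://auth.example.com";

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Stateless: no HttpSession is created, so nothing to replicate between instances.
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .csrf(csrf -> csrf.disable()) // no cookie/session auth, so CSRF does not apply
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/api/admin/**").hasRole("ADMIN") // role-based access
                .requestMatchers("/api/**").authenticated()        // any valid token
                .anyRequest().denyAll())                           // deny by default
            // Validate the bearer JWT from the Authorization header on every request.
            .oauth2ResourceServer(rs -> rs.jwt(jwt -> jwt.jwtAuthenticationConverter(authoritiesConverter())));
        return http.build();
    }

    // Map the token's "roles" claim to ROLE_* authorities so hasRole("ADMIN") matches.
    // (By default Spring only maps the "scope"/"scp" claims to SCOPE_* authorities.)
    private JwtAuthenticationConverter authoritiesConverter() {
        JwtGrantedAuthoritiesConverter roles = new JwtGrantedAuthoritiesConverter();
        roles.setAuthoritiesClaimName("roles");
        roles.setAuthorityPrefix("ROLE_");
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(roles);
        return converter;
    }

    // Signature is checked against the Auth Server's published keys (JWKS), so rotated
    // keys are picked up automatically; the default validator also enforces exp and iss.
    @Bean
    JwtDecoder jwtDecoder() {
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(ISSUER + "/.well-known/jwks.json").build();
        decoder.setJwtValidator(JwtValidators.createDefaultWithIssuer(ISSUER));
        return decoder;
    }
}
```

A token with a bad signature, a past `exp`, or a different `iss` gets a 401 before any controller runs; a valid token without the `ADMIN` role gets a 403 on `/api/admin/**`.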
🔹 Advantages
✅ Stateless
✅ Scalable
✅ No session storage
✅ Works well with microservices
🔹 Challenges
❌ Token revocation is hard
❌ Token expiry handling
❌ Key rotation
🔹 Best Practices
- Short-lived access tokens
- Refresh tokens
- Validate JWT at API Gateway
- Use HTTPS always
⭐ Interview One-Liner
“Microservices typically use OAuth2 with JWT for stateless, scalable authentication and role-based authorization.”
🔹 Follow-Up Questions
- JWT vs Session?
- How do you revoke JWT?
- Where do you store refresh tokens?