This kind of architecture divides an application up into its core functions. The organization then implements and deploys these microservices independently. The microservices can communicate with each other via language-independent APIs. This makes individual services easy to implement. It also allows for short development cycles and means that it is possible to develop highly scalable and robust applications.
Diagram of a microservices architecture
Authentication in microservices
With a microservices architecture, users have to communicate with several systems instead of just one. They also need the right authorizations for several systems at the same time. Users shouldn’t have to authenticate themselves repeatedly, for example by having to enter a password for each system. A kind of single sign-on solution (SSO) is therefore needed for the individual microservices.
SSO in microservices
With an SSO solution, users authenticate themselves just once with a special system. Usually this system is called an authentication server. The authentication server verifies the user’s identity and generates a signed proof of it, otherwise known as a token. The user’s client application stores and uses the token. In a web application, this client application will be the browser, but it can also be a mobile or desktop application. The token is used to verify the user’s identity for individual services without any further authentication.
Today, the protocol OAuth 2.0 has become the de facto standard for communication between the authentication server and the client. It’s also worth mentioning OpenID Connect (OIDC), which builds on this protocol. OAuth 2.0 does not define the format of the token. However, many applications now use JSON Web Tokens (JWTs).
Stateless or stateful transfer
There are basically two ways to transfer the token from the client to the microservice: A stateless transfer sends the token with each HTTP request. Technically, this can be implemented with HTTP headers or cookies. A stateful transfer sends the token just once to each microservice. The microservice creates a user session, usually with the aid of a session cookie, and stores the token there. Any further communication with the microservice must then contain this session cookie.
With a stateless transfer, the microservice can authorize each request independently. This means that it is easier to implement microservices with stateless transfers. This is particularly advantageous for dynamically scaled applications, since instances of a microservice are easy to remove or add. However, if the application requires a large amount of user information, a certain overhead results with each request. A stateful transfer can reduce this overhead. So it’s crucial to take the specific needs of the application into account.
Using open-source solutions
Using standard protocols also means that you can use open-source solutions or other standard software. This is a great advantage, especially for security-related issues such as user authentication. High-quality and tested solutions are easily available to organizations that take this route. The open-source solution Keycloak deserves special mention here. It offers various authentication and social login methods. They include Bring Your Own Identity (BYOI). This means that users might log in with a Google or Facebook account, for example. Keycloak is also easy to extend and adapt. However, commercial products such as Okta or Microsoft’s Active Directory Federation Services (ADFS) also support OpenID Connect. On the client and server side, they also have implementations for all the major platforms.
ti&m security suite
The ti&m security suite offers user-friendly authentication that you can combine with a risk-based authentication approach. The company is the leading provider of this technology in Switzerland. ti&m secure mobile uses hardware-based security mechanisms to store cryptographic keys in the Trusted Platform Module on modern smartphones. This means it can offer secure yet user-friendly authentication. The ti&m security suite uses standard protocols such as OpenID Connect. This makes it easy to integrate into existing or new infrastructures. By contrast, independently developed security solutions (for example, using mobile transaction authentication numbers, or mTANs) are often error-prone. The ti&m security suite provides the ideal alternative here. It guarantees a strong and mobile authentication solution for modern multichannel platforms.