How to handle user authentication with microservices in AWS?

Question

I'm reading a tutorial provided by AWS explaining how to break up a monolithic NodeJS application into a microservice architectured one.

Here is a link to it.

One important piece is missing from the simple application example they've provided and that is user authentication.

My question is, where does authentication fit into all this? How do you allow users to authenticate to all these services separately?

I am specifically looking for an answer that does not involve AWS Cogntio. I would like to have my own service perform user authentication/management.

Answer 1

First, there is more than one approach for this common problem.

Here is one popular take:

Divide your world to authentication (you are who you say you are) and authorization (you are permitted to do this action).

As a policy, every service decides on authorization by itself. Leave the authentication to a single point in the system - the authentication gateway - usually combined inside the API gateway.

This gateway forwards requests from clients to the services, after authenticating, with a trusted payload stating that the requester is indeed who they say they are. Its then up to the service to decide whether the request is allowed.

An implementation can be done using several methods. A JWT is one such method.

The authenticator creates a JWT after receiving correct credentials, and the client uses this JWT in every request to each service.

Answer 2

It is important to centralize the authentication, even for a microservices approach for a single product. So I'm assuming you will be looking at having an Identity Service(Authentication Service) which will handle the authentication and issue a token. The other microservices will be acting as the service providers which will validate the token issued.

Note: In standards like OpenID connect, the id_token issued is in the format of JWT which is also stateless and self-contained with singed information about the user. So individual Microservices doesn't have to communicate with the authentication service for each token validation. However, you can look at implementing or using Refresh tokens to renew tokens without requiring users to login again.

Depending on the technology you choose, it will change the nature how you issue the tokens and validate.

e.g:

• ExpressJS framework for backend - You can verify the tokens and routes in a Node Middleware Handler using Passport.
• If you use API Gateway in front of your Microservice endpoints you can use a Custom Authorizer Lambda to verify the tokens.

However, it is recommended to use a standard protocol like OpenID connect so that you can be compatible with Identity Federation, SSO behaviors in future.

Since you have mentioned that you are hoping to have your own solution, it will come also with some challenges to address,

• Password Policies
• Supporting standards (OpenID Connect)
• Security (Encryption at rest and transit especially for PIDs)
• SSO, MFA & Federation support etc.
• IDS/IPS

In addition to non-functional requirements like scalability, reliability, performance. Although these requirements might not arise in the beginning, I have seen many come down the line, when products get matured, especially for compliance.

That's why most people encourage to use an identity server or service like Cognito, Auth0 & etc to get a better ROI.

Answer 3

If you want to write your own auth, it can be a service like the others. Part of it would be a small client middleware that you run at all other service endpoints which require protection (golang example for middleware).

An alternative to a middleware is to run a dedicated API Gateway that queries the auth service before relaying the requests to the actual services. AWS also has a solution for those and you can write custom authentication handlers that will call your own auth service.