Authentication & Authorization

Key words 

Knowledge Factor

Possession Factor

Inherence Factor

All individual factors are not secure, because if any factor comprimise.

So, we got 2FA or MFA came into picture.

SSO

Oauth

JWT (JSon Web Token) ==> not authentication, it's an authorization.

Okta

OpenConnectID

SAML (Secure Assertion Markup Language)

Azure Active Directory

Service Provider

IdentityProvider

Eg: AccessToken --> Employee ID card ( Authorization), validatity( lost or reported, left the orginations, Expire) 

Session or Cookie Based Authorization

In Cookie, will maintain SESSION_ID

Load balance will maintain the session log in sticky Session pattern ( Scalability problem)

Here also, we have a problem if the shared session cache pattern is corrupted then it's single point failure

User is responsible to bring all security information for all microservices, so nothing but JWT

For Stateless server, will pass JWT 

OAuth:

Service to service authorization 

ResourceOwner

ResourceServer

AuthorizationServer

Client

with in same with diff microservices.

OpenIDConnect

Its a specification

MicroServices

 Micro Service 12 Factor

The Twelve-Factor App is a methodology for building software-as-a-service apps

1. Codebase: One codebase tracked in version control, many deploys. A single codebase is shared across all environments, but there may be multiple deployments (e.g., staging, production).
   
   
2. Dependencies: Explicitly declare and isolate dependencies. Applications should not rely on implicit dependencies and should use dependency management tools to declare all dependencies explicitly.
   
   
3. Config: Store config in the environment. Configuration that varies between deploys (such as database credentials) should be stored in environment variables.
   
   
4. Backing Services: Treat backing services as attached resources. Resources like databases, messaging systems, and caches should be attached and detached from deploys without changing the app’s code.
   
   
5. Build, Release, Run: Strictly separate build and run stages. A codebase goes through a build stage to produce a release, which is then run in execution environments.
   
   
6. Processes: Execute the app as one or more stateless processes. Stateless and share-nothing processes ensure the app can scale out by adding more processes.
   
   
7. Port Binding: Export services via port binding. The application should be self-contained and expose services by binding to a port, rather than depending on the runtime environment to provide network services.
   
   
8. Concurrency: Scale out via the process model. The app can handle various workloads by running multiple processes.
   
   
9. Disposability: Maximize robustness with fast startup and graceful shutdown. Processes should start quickly and shut down gracefully to enable rapid deployment and scaling.
   
   
10. Dev/Prod Parity: Keep development, staging, and production as similar as possible. This minimizes the chances of bugs being environment specific.
    
    
11. Logs: Treat logs as event streams. Applications should not manage log files but should send their log output to the environment's centralized log management system.
    
    
12. Admin Processes: Run admin/management tasks as one-off processes. Administrative tasks, like database migrations, should be run in an isolated environment identical to the application’s execution environment.

19 Microservices Design Patterns for System Design

1. Service Registry
   
   
   
   
   
   
2. API Gateway
   
   
   
   
   
3. Circuit Breaker
   

   Purpose: Prevents cascading failures by stopping requests to failing services.
   Benefits:

   • Increases system resilience.
   • Avoids overloading failing services.
     Tools: Resilience4j, Hystrix (deprecated).
   
4. Saga Pattern
   
   Orchestration: WC Architecture
   Choreography: MC Architecture
   
   

   Purpose: Manages distributed transactions across services.
   Benefits:

   • Ensures eventual consistency.
   • Handles rollback through compensating actions.
     Types: Orchestration (central control), Choreography (event-driven).
   
   
   
   
   
5. Database per Service
   
   
   
   
   
6. Command Query Responsibility Segregation (CQRS)
   
   
   
   
   
7. Retry
   
   
   
8. Data Sharding
   
   
   
   
   
9. Event Sourcing
   
   
   
   
   
10. Async Messaging
    
    
    
    
    
11. Consumer-Driven Contracts
    
    
    
    
    
12. Sidecar
    
    
    
    
    
13. Bulkhead
    
    

    
14. Backends for Frontends (BFF)
    
    
    
    
    
15. Shadow Deployment
    
    
    
    
    
16. Transaction Outbox Pattern