Authentication and Secure Microservices Primer



Chapter 1: A First Glimpse—Modern Web Authentication

“Imagine you walk into a library. The librarian needs to know who you are, not just once, but every time you return. The library’s process—proving your identity, being granted a library card, and showing it when you enter—is at the heart of modern web authentication.”

  • The library is your web application.

  • Authentication is when you prove who you are to the librarian, perhaps by showing your driver’s license. If the librarian believes you, you receive a library card—your proof of identity (your token, like a JWT).

  • Authorization is what happens next: the librarian checks what you’re allowed to do.

    • Can you enter the reading room?

    • Are you permitted to check out rare books?

    • Can you access the staff lounge?

  • The library’s rules for what you can access are permissions and roles.

In short:

  • Authentication (AuthN): “Who are you?”

  • Authorization (AuthZ): “Now that I know who you are, what are you allowed to do?”

In code:

  • AuthN issues your token (library card).

  • AuthZ checks the claims on that token (what doors you can open).

Absolutely! Here’s Chapter 1 of your “primer,” C++ Primer style, using your library metaphor and the code you’ve built as the working example.

Chapter 1: A First Glimpse—Modern Web Authentication

1.1 The Library and Its Patrons: Understanding AuthN and AuthZ

Imagine you’re building a digital library. People from all over the world want to read, upload, or manage documents. How do you ensure every patron is who they claim to be, and that they only access what they’re allowed?

Authentication (AuthN): "Who are you?"

The first time someone walks through your library doors, the librarian asks for ID. If the patron’s credentials check out, the librarian issues a library card—a signed pass that says, “Yes, I know this person. Here’s proof.”

In your code, this is handled by the identity-backend microservice.

  • The user visits your app (the library).

  • If they don’t have a valid library card (token), they are redirected to the identity desk (/authorize route).

  • The librarian (identity-backend) asks them to log in (username and password).

  • If correct, a token (the library card, technically a JWT) is issued.

@app.route("/authorize")
def authorize():
    # ... if not logged in, show login page

After successful login:

@app.route("/login", methods=["POST"])
def handle_login():
    if username == USERNAME and password == PASSWORD:
        # Issue a single-use code
        # Later, this is traded for a JWT (your library card)

Authorization (AuthZ): "What are you allowed to do?"

Once the patron has a card, the library must decide where they can go and what they can do. Are they allowed into the rare books section? Can they upload new materials? These permissions depend on their role.

In your system:

  • Each room (microservice) checks your card at the door.

  • The card (JWT) includes information (“claims”) about your identity and your scope (like “member,” “admin,” etc.).

  • If your card isn’t valid, isn’t signed by the real librarian, or has expired, you can’t come in.

For example, when a user tries to upload a file:

def require_login():
    if not is_logged_in():
        return redirect(url_for("login"))
    try:
        user = verify_id_token(get_id_token())
        return user
    except ValueError as e:
        session.clear()
        return redirect(url_for("login"))

  • This checks if the patron’s card is authentic and unexpired.

  • If not, they are sent back to the front desk (login).

Summary Table: The Roles in Your Library

Term Metaphor Your Code Example
Authentication Showing ID at the desk /authorize & /login in identity-backend
Token (JWT) Library card Issued after login, used in session
Authorization Doors/rooms checked by staff require_login() and JWT claims
Permissions Access to reading room, etc scope claim in JWT
Identity Service Librarian/front desk identity-backend microservice

Exercise for the Reader

  • Try logging in with an incorrect password.

    • What happens?

    • What response does your library give?

  • After logging in, try changing the token (library card) in your browser cookie.

    • Does the app let you in? Why or why not?

  • What happens when your token expires?

    • Wait 15 minutes and reload the page.

    • Describe the login flow again.

Callout: Why Not Just Use Passwords Everywhere?

Just as a real library doesn’t check your driver’s license at every door, your app shouldn’t ask for the password every time. A signed card (JWT) means users don’t have to keep handing over their password—they just show the card, and the room (service) checks its authenticity.

1.2 Connecting to Code: Your First Login

Let’s trace what happens, step by step, when a user enters the library (visits your web app):

  1. User loads the app (e.g., http://localhost:5000).

  2. API Gateway checks for a session with a valid JWT.

    • No session? Redirects user to /login.

  3. User enters username and password.

  4. Identity-backend verifies credentials, issues a one-time code.

  5. API Gateway exchanges this code for a JWT (library card).

  6. User is now authenticated and can use the app.

    • Each time the user does something, the card (JWT) is checked by require_login() and verify_id_token().

This handshake—the librarian checking your identity and issuing a card, the rooms checking your card at each door—is the essence of secure, modern authentication and authorization.
You’ve already built it.

Next:
In Chapter 2, we’ll walk through the step-by-step flow, deepening your understanding of how each piece fits, and what could go wrong.

Let me know if you want the next chapter, want to see more code callouts, or prefer even more C++ Primer-style exercises at the end!


1.1 The Building Blocks

Authentication: The process of proving who you are.
Authorization: Deciding what you’re allowed to do.
Tokens: Secure, signed proof that you passed authentication.

1.2 The Story of Your Application

Suppose you’re building a research portal for your classmates. You want to be sure only your classmates can read notes, and only teachers can post assignments.

How do you ensure this, even when the app grows from one computer to many, or from a single website to a constellation of small, cooperating services?

This is the problem that modern authentication, and microservices, aim to solve.

Chapter 2: Understanding the Flow—From Login to Authorization

2.1 A User’s Journey

Let’s follow Alice as she uses your portal:

  1. Alice opens the site. The portal checks for her library card (token). She doesn’t have one.

  2. The portal sends her to the identity desk (Identity Service), where she shows her student ID and receives a fresh library card (JWT).

  3. Each time Alice opens a door (uploads a file, asks a question), she shows her card.

  4. Each desk (service) checks if her card is real (signature), unexpired, and that she’s allowed to be there (claims, roles).

2.2 Your Tools

  • JWT (JSON Web Token): Like a passport with a signature only the government (your Identity Service) can produce. Every microservice can check its authenticity with a shared secret.

  • Session Cookie: If Alice uses a browser, her library card is kept in a sealed envelope (cookie), and she hands it over automatically each time.

Chapter 3: A Modular World—Microservices

3.1 Why Not One Big Room?

  • In the beginning, a single room (monolith) is easy.

  • Over time, the library adds more rooms: a reading lounge (API Gateway), archives (Worker), an information desk (Parser), a security office (Logging Service).

  • Each room is managed independently, but all trust the librarian’s cards (JWTs) for access.

3.2 The Power of Small Pieces

  • Separation of concerns: Each microservice does one thing—just like each room in the library.

  • Scaling: If more students want archives, add more archives rooms.

  • Easier upgrades: Fix one room without shutting down the whole library.

Chapter 4: Security—What Makes a Good Library Safe?

4.1 Protecting the Library

  • Secret keys: Only the librarian can sign cards. Never write the secret on the wall.

  • Session management: Old cards expire. Lost cards can’t be reused.

  • HTTPS: The library’s doors are always locked; conversations inside are private.

  • Logs: Every entry and exit is written in a logbook—but personal details are protected.

4.2 Common Weaknesses

  • Forged cards: If the secret leaks, anyone can get in.

  • Old cards: Expired tokens must not work.

  • Open logbooks: Never let the public read the entire log.

Chapter 5: The Essential Flows—OAuth2 and OIDC

5.1 Authorization Code Flow (Your Portal’s Main Entrance)

  1. The portal asks Alice to login.

  2. Alice goes to the identity desk, shows her credentials.

  3. The desk gives Alice a one-time slip (authorization code).

  4. Alice returns to the portal, which trades the slip for a real card (JWT).

  5. Now Alice moves freely—until her card expires.

5.2 Other Entrances (for Special Guests)

  • Client Credentials: For staff and services (no humans).

  • Device Flow: For kiosks and smart TVs.

  • Implicit Flow: For single-page apps (now discouraged).

Chapter 6: Logging and Observability—The Library’s Journal

  • Every action, success, and mistake is recorded.

  • The journal is secured—staff can search for patterns, but public can’t see personal info.

  • If something goes wrong, the logs are the first place to look.

Chapter 7: The Checklist—Building a Library Worthy of Trust

  • No secrets posted on walls (never hardcode secrets).

  • Only the librarian has the stamp (JWT secret).

  • Cards are checked at every door (token validation).

  • Expired cards are not accepted (check expiry).

  • Logs are kept safe and reviewed.

Chapter 8: Going Further

  • Add more rooms (services) as your needs grow.

  • Upgrade security (rate limiting, CSRF tokens, etc.).

  • Practice handling lost cards (token revocation, refresh).

  • Experiment with new card types (JWT claims, scopes, roles).

Epilogue: Mastery Through Practice

Just as with the C++ Primer, the key is to build, experiment, and reflect.
Read, code, break things, fix them.
And when you want to know what’s possible—remember that the library (your architecture) can always be improved.

Where to Dive Deeper:

  • For each chapter, try building or breaking an example.

  • For every tool or idea, look up the official docs and write your own demo.

  • Don’t just read—do.

Ready for the next chapter? Or want a sample "walkthrough" like in the blue book, with code examples and “Exercises for the Reader”?

Comments

Post a Comment

Popular posts from this blog

Feature: Audit log for one login, and identity service

Image
Customer (Product) Page High-Level System Design Diagram (PlantUML) Sequence Diagram: Audit Event Ingestion Sequence Diagram: Orchestration Event For a High-Level System (Component) Diagram The queue is implemented as message_queue (generic), and the audit log service consumes from it, writing to a dedicated audit_log table. The logging service also consumes from the same message_queue and writes to log_store. Orchestration/other services use the same queue. Summary Table: What Writes Where Event Type Goes Into Consumed By Final Storage audit message_queue Audit Log Service audit_log table log message_queue Logging Service log_store table doc_uploaded message_queue Orchestration Worker (business DB, or triggers next event) ocr_ready message_queue Notification Worker, etc. (notification log, etc.)  Core Tables message_queue – universal event bus (temp buffer) audit_log – immutable audit/compliance events log_store – application logs (op...
Read more

Getting started - Build your data science lab environment

This guide explains how to set up a complete data science environment for the udemy program. A proper setup ensures compatibility and avoids recurring environment issues.  1. Overview Goal : Create a full-featured environment with sufficient resources for all course exercises. Recommendation : Use Anaconda for the most reliable setup. Alternative : Use a Python virtual environment with pip if Anaconda isn’t working. 2. Setup Options Primary (Recommended) Create a dedicated Anaconda environment (isolated, compatible). Alternative Use a standard Python virtualenv + pip (faster but less reliable). 3. Windows Setup Steps Clone Course Repository git clone https://github.com/ed-donner/llm_engineering/ Follow the repository’s README.md instructions for additional setup details. Create Anaconda Environment Inside the llm_engineering folder: conda env create -f environment.yml ⏳ This may take several minutes. Activate the environment: conda activate llms Deactivat...
Read more

QA - Run #1 - Results

Image
# QA Report for Tag QA_July2025_A - **Tag/Commit:** QA_July2025_A (`f32abc1`) - **Date:** 2025-08-01 - **QA Outcomes:** All tests passed except for file upload (see below)... - **Environment:** Windows 10, Python 3.12, requirements.txt as of tag - **Notes:** See log for detailed results. ## Issue Found - **Step:** - **Bug:** - **Log excerpt:** - **Screenshot:** For this QA run, we begin with pristine state by: Stop all services Delete logs.db, and jobs.db Delete all files in doc_store folder Start all services Test, you should see no data on index page, and query should result in no data found error Next, go ahead and upload new1.txt, and after that new2.txt Issue the query: "can you summarize all of the todo items you can find, seperating each one on a single line, with due date first, then title, and description with any details you can augment" Expected Answer: - August 1, 2025: Respond to Amira and discuss weekend plans - August 3, 2025: Go to Somesh class and finish ta...
Read more