136_auth_deployment_azure - amresh087/Question GitHub Wiki

Azure Authentication for Microservices

1. Overview

This document explains how to implement authentication and authorization for microservices using Azure native services, replacing a custom auth-service.

Current State

  • user-service
  • cloud-gateway-service
  • auth-service (custom JWT)

Target State

  • Azure-managed authentication
  • No custom auth-service
  • JWT validation at gateway
  • Zero Trust security

2. Target Architecture

Client
  |
  v
Azure Active Directory
  |
  v
Cloud Gateway (JWT Validation)
  |
  v
User Service / Other Microservices

Key Principle: Azure Active Directory acts as the central authentication provider and replaces auth-service.


3. Core Azure Components

Component                   Description
Azure Active Directory      User authentication, OAuth2, OpenID Connect, JWT issuance
Azure API Management        Optional API gateway, JWT validation, throttling
Azure Kubernetes Service    Runs microservices
Azure Managed Identity      Service-to-service authentication
Azure Key Vault             Secrets and certificates

4. Authentication Responsibility Model

Handled by Azure AD

  • User login
  • Password and MFA
  • JWT token issuance
  • Token signing and key rotation

Handled by Microservices

  • JWT validation
  • Authorization using scopes
  • Business logic

5. App Registration Strategy

Azure authentication is based on App Registrations. Two app registrations are required.

5.1 Backend API App Registration (user-service)

Expose API and create scope:

api://user-service/read

Meaning: Any client whose token carries this scope can call user-service.

5.2 Client App Registration

Represents the frontend, mobile app, or Postman.

Grant this client API permission to the scope exposed by user-service:

user-service/read

6. OAuth2 Token Flow

Client
 → Azure AD Login Page
 → User authenticates
 → Azure AD issues JWT access token

Sample JWT (Decoded)

{
  "iss": "https://login.microsoftonline.com/<tenant-id>/v2.0",
  "aud": "api://user-service",
  "scp": "read",
  "sub": "user-id",
  "exp": 1710000000
}

Tokens are signed by Microsoft. Services never generate tokens.


7. cloud-gateway-service

Responsibilities

  • Validate JWT signature
  • Verify issuer and expiry
  • Enforce authorization rules

Gateway Configuration

spring:
  security:
    oauth2:
      resourceserver:
        jwt:
          issuer-uri: https://login.microsoftonline.com/<tenant-id>/v2.0

Authorization Mapping

scp: read → SCOPE_read

8. Why Validate JWT at Gateway?

Without Gateway Validation

  • Security duplicated in every service
  • Harder to manage

With Gateway Validation

  • Single enforcement point
  • Consistent security

9. user-service Security (Zero Trust)

Even after gateway validation, user-service validates the JWT again.

spring:
  security:
    oauth2:
      resourceserver:
        jwt:
          issuer-uri: https://login.microsoftonline.com/<tenant-id>/v2.0
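The issuer-uri property above (and the identical one in the gateway configuration of section 7) makes Spring Boot auto-configure a resource server that checks the signature against the tenant's published keys, the issuer, and the expiry. It does not check the audience, so a valid token issued by the same tenant for a different API would be accepted. The following is an added example, not code from the original page or project, showing the equivalent configuration written out for user-service with audience validation added and the scp-to-SCOPE_ mapping from section 7 made explicit. The package name and request paths are hypothetical; the issuer comes from the YAML property, and the audience api://user-service is the one in the sample token of section 6.

```java
package com.example.userservice.security;   // hypothetical package

import java.util.List;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtDecoders;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class ResourceServerConfig {

    // Read from the issuer-uri property in the YAML above.
    @Value("${spring.security.oauth2.resourceserver.jwt.issuer-uri}")
    private String issuer;

    // Application ID URI of the user-service registration (the "aud" in the sample token).
    private static final String AUDIENCE = "api://user-service";

    @Bean
    JwtDecoder jwtDecoder() {
        // Discovery metadata and the JWKS are fetched from the issuer, so signatures are
        // checked against Microsoft's current keys and key rotation needs no code change.
        NimbusJwtDecoder decoder = JwtDecoders.fromIssuerLocation(issuer);

        // Defaults: exp/nbf timestamps (with clock skew) and iss must equal the issuer.
        OAuth2TokenValidator<Jwt> defaults = JwtValidators.createDefaultWithIssuer(issuer);
        // Not a default: aud. Without this check a valid token minted by the same tenant
        // for some other API would be accepted by user-service.
        OAuth2TokenValidator<Jwt> audience = new AudienceValidator(AUDIENCE);

        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(defaults, audience));
        return decoder;
    }

    @Bean
    JwtAuthenticationConverter jwtAuthenticationConverter() {
        // "scp": "read"  ->  GrantedAuthority SCOPE_read (the mapping in section 7).
        JwtGrantedAuthoritiesConverter scopes = new JwtGrantedAuthoritiesConverter();
        scopes.setAuthoritiesClaimName("scp");
        scopes.setAuthorityPrefix("SCOPE_");
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(scopes);
        return converter;
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http, JwtAuthenticationConverter converter)
            throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/actuator/health").permitAll()        // hypothetical paths
                .requestMatchers("/users/**").hasAuthority("SCOPE_read")
                .anyRequest().authenticated())
            .oauth2ResourceServer(oauth2 -> oauth2
                .jwt(jwt -> jwt.jwtAuthenticationConverter(converter)));
        return http.build();
    }

    /** Accepts a token only if its aud claim contains the expected Application ID URI. */
    static final class AudienceValidator implements OAuth2TokenValidator<Jwt> {
        private final String expected;

        AudienceValidator(String expected) {
            this.expected = expected;
        }

        @Override
        public OAuth2TokenValidatorResult validate(Jwt token) {
            List<String> aud = token.getAudience();
            if (aud != null && aud.contains(expected)) {
                return OAuth2TokenValidatorResult.success();
            }
            return OAuth2TokenValidatorResult.failure(
                new OAuth2Error("invalid_token", "Token was not issued for " + expected, null));
        }
    }
}
```

Declaring a JwtDecoder bean makes Spring Boot's auto-configured decoder back off, so the YAML still supplies the issuer but the validation chain is the one defined here. On Spring Boot 3.1 and later the same audience check can be added without code through the spring.security.oauth2.resourceserver.jwt.audiences property. cloud-gateway-service, if built on Spring Cloud Gateway, is reactive and needs the ReactiveJwtDecoder and SecurityWebFilterChain equivalents, but the checks (signature, issuer, expiry, audience, scope mapping) are the same.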

10. Service-to-Service Authentication

user-service → order-service

What NOT to Do

  • Do not forward user JWT
  • Do not use shared secrets

Azure Managed Identity

Each service has its own Azure identity.

import com.azure.identity.DefaultAzureCredential;
import com.azure.identity.DefaultAzureCredentialBuilder;

// Resolves the service's Managed Identity at runtime; no client secret is configured in the service
DefaultAzureCredential credential = new DefaultAzureCredentialBuilder().build();
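How the credential is used for the user-service → order-service call, as an added example that is not code from the original page or project: user-service asks Azure AD for a token for its own identity, scoped to order-service, and sends that token rather than the user's JWT. The class, package, the Application ID URI api://order-service and the order-service URL are assumptions following the naming pattern of section 5.1.

```java
package com.example.userservice.client;   // hypothetical package

import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.time.Duration;

import com.azure.core.credential.AccessToken;
import com.azure.core.credential.TokenRequestContext;
import com.azure.identity.DefaultAzureCredential;
import com.azure.identity.DefaultAzureCredentialBuilder;

/** user-service calling order-service under its own Azure identity (hypothetical client). */
public class OrderServiceClient {

    // Assumed: order-service's app registration has Application ID URI api://order-service.
    // "/.default" requests every application permission (app role) granted to the caller.
    private static final String ORDER_SERVICE_SCOPE = "api://order-service/.default";
    // Placeholder endpoint; not a value from the original page.
    private static final String ORDER_SERVICE_URL = "https://order-service.internal.example/orders";

    // On AKS this resolves the pod's Managed Identity; no client secret exists in the service.
    private final DefaultAzureCredential credential = new DefaultAzureCredentialBuilder().build();
    private final HttpClient http = HttpClient.newBuilder()
        .connectTimeout(Duration.ofSeconds(5))
        .build();

    private String acquireToken() {
        TokenRequestContext ctx = new TokenRequestContext().addScopes(ORDER_SERVICE_SCOPE);
        AccessToken token = credential.getToken(ctx).block(Duration.ofSeconds(30));
        if (token == null) {
            throw new IllegalStateException("Managed Identity token acquisition returned nothing");
        }
        return token.getToken();
    }

    public String listOrdersFor(String userId) throws Exception {
        String query = "?userId=" + URLEncoder.encode(userId, StandardCharsets.UTF_8);
        HttpRequest request = HttpRequest.newBuilder(URI.create(ORDER_SERVICE_URL + query))
            // The service's own token goes here, never the user's JWT received by user-service.
            .header("Authorization", "Bearer " + acquireToken())
            .timeout(Duration.ofSeconds(10))
            .GET()
            .build();

        HttpResponse<String> response = http.send(request, HttpResponse.BodyHandlers.ofString());
        if (response.statusCode() == 401 || response.statusCode() == 403) {
            // order-service validated the token and refused it: wrong audience, expired,
            // or this identity lacks the required app role. Do not retry with another token.
            throw new IllegalStateException("order-service rejected the call: " + response.statusCode());
        }
        return response.body();
    }
}
```

The token order-service receives has aud api://order-service and, because no user is involved, carries the caller's application permissions in a roles claim rather than scp. order-service therefore validates it exactly as user-service validates user tokens (signature, issuer, expiry, audience) but authorizes on the roles claim, and since every service has its own identity, it can also tell which service is calling.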

11. Secrets Management

Secret               Storage
Database password    Azure Key Vault
API keys             Azure Key Vault

Secrets must never be stored in Git, YAML files, or Docker images.


12. Security Principles Applied

  • Central Authentication – Azure AD
  • Zero Trust – JWT validation everywhere
  • Least Privilege – OAuth scopes
  • No Secrets – Managed Identity
  • Defense in Depth – Gateway + service validation

13. Interview-Ready Summary

We replaced a custom auth-service with Azure AD. Authentication is centralized, JWTs are issued by Azure, validated at the gateway, and microservices act as OAuth2 resource servers. Service-to-service communication uses Managed Identity.
