
πŸ” Security – Detailed Answers

1. How do you implement security in microservices?

You don’t bolt on security at the end. You weave it through every layer.

🔹 Core Approach I Follow

🛑️ 1. API Gateway Security

  • All requests pass through a gateway
  • Handles:

    • Authentication
    • Rate limiting
    • Logging

👉 Acts like a border checkpoint


πŸ” 2. Token-Based Authentication (JWT)

  • User logs in once
  • Receives a token
  • Token is sent with every request

👉 Services don’t store session state


🔑 3. Centralized Identity Provider

Use tools like:

  • Keycloak
  • OAuth 2.0
  • OpenID Connect

👉 Handles login, roles, permissions


🔒 4. Service-to-Service Security

  • Use mutual TLS (mTLS) or internal tokens
  • Prevent unauthorized internal calls

πŸ” 5. Role-Based Access Control (RBAC)

  • Define roles like:

    • ADMIN
    • USER
    • Restrict APIs accordingly

📦 6. Secure Communication

  • Always use HTTPS
  • Encrypt sensitive data

🎯 Interview Answer

“I secure microservices using an API Gateway, JWT-based authentication, and a centralized identity provider like Keycloak. For internal communication, I use mTLS or secure tokens, and enforce authorization using RBAC.”


2. What is JWT authentication?

JWT is like a digitally signed passport 🛂 Once issued, every service can verify it without calling the authority again.


🔹 What is JWT?

JWT (JSON Web Token) is a compact, self-contained token used for authentication.


🔹 Structure of JWT

A JWT has 3 parts:

Header.Payload.Signature

🧱 1. Header

  • Algorithm used (e.g., HS256)

📦 2. Payload

  • User data (claims), for example:

    {
      "username": "swapnil",
      "role": "ADMIN"
    }

πŸ” 3. Signature

  • Ensures token is not tampered

πŸ” Flow

  1. User logs in
  2. Server generates JWT
  3. Client stores token
  4. Client sends token in header:

Authorization: Bearer <token>
5. Service validates token β†’ grants access


✅ Advantages

  • Stateless
  • Scalable
  • No session storage needed

⚠️ Considerations

  • Tokens must carry an expiry
  • Don’t store sensitive data in payload

🎯 Interview Answer

“JWT is a stateless authentication mechanism where a signed token containing user claims is issued after login and validated by services on each request.”


3. Difference between authentication and authorization?

This is the classic “Who are you vs What can you do” question 🎭


🔹 Authentication (AuthN)

👉 Verifies identity

  • Are you really the user you claim to be?
  • Example:

    • Username + Password
    • OTP
    • Token validation

🔹 Authorization (AuthZ)

👉 Determines permissions

  • What are you allowed to access?
  • Example:

    • Admin can delete users
    • User can only view data

βš”οΈ Side-by-Side

Aspect Authentication Authorization
Purpose Identity check Access control
Happens when First After authentication
Example Login Role check
Data used Credentials Roles/permissions

🎯 Perfect Interview Answer

“Authentication verifies the user’s identity, while authorization determines what actions that authenticated user is allowed to perform.”


🚀 Quick Memory Hook

  • Security = Gateway + JWT + Identity Provider
  • JWT = Stateless identity token
  • AuthN = Who you are
  • AuthZ = What you can do