Microservices Authentication & Authorization Architecture (RBAC Scenario)
1. Architectural Overview
A robust, scalable authentication and authorization system for your healthcare platform should be built around a dedicated Auth domain (Option 2: auth.myhospitalnow.com). This enables Single Sign-On (SSO) across all user types (patients, doctors, hospitals, nurses) and avoids login conflicts, while supporting modern security and RBAC requirements.
Key Components
- API Gateway: Central entry point for all client requests. Handles routing, token validation, and propagates user claims.
- Authentication Service: Manages login, registration, JWT/OAuth2 token issuance, and refresh flows.
- Authorization Service: Enforces RBAC policies, validates roles/permissions per request.
- User Management Service: Handles registration, profile, password resets, and role assignments.
- Resource Microservices: Patient, Doctor, Hospital, Nurse services, etc. Each owns its business logic and data but delegates authentication and authorization decisions to the Auth services.
- Identity Store: Central SQL/Directory DB for users, roles, permissions.
- External Identity Providers (Optional): Google, Azure AD, LDAP for SSO/federated login.
- Audit Logging Service: Captures security events and access logs for compliance.
2. Recommended Service Separation
| Service | Responsibilities |
|------------------------|----------------------------------------------------------------------------------|
| Authentication | Login, registration, token issuance, refresh, SSO/federation |
| Authorization | RBAC policy enforcement, permission checks, access decision API |
| User Management | CRUD for users, profile, role assignment, password management |
| Resource Microservices | Patient, Doctor, Hospital, Nurse, etc. (business logic, delegate auth decisions) |
| API Gateway | Routing, token verification, propagating user claims, rate limiting |
| Identity Store | Central DB for users, roles, permissions |
| Audit Logging | Security event logging, access monitoring |
3. High-Level Flow: RBAC Decision
- User logs in via any frontend (web/app) → API Gateway.
- API Gateway routes to Authentication Service for login.
- Authentication Service validates credentials, issues JWT/OAuth2 token with user claims (roles, permissions).
- User presents token on subsequent requests.
- API Gateway verifies token, extracts claims, and forwards to Resource Microservice.
- Resource Microservice calls Authorization Service to check if user’s role/permissions allow requested action.
- Authorization Service consults RBAC policies in Identity Store, returns allow/deny.
- Resource Microservice proceeds or denies based on auth decision.
- Audit Logging records all sensitive/auth events.
4. Inter-Service Communication
- REST/gRPC: Use REST for broad compatibility; gRPC for internal, high-performance service-to-service calls.
- JWT/OAuth2: Stateless tokens carrying user/session identity, signed by the Authentication Service and validated by the API Gateway (and by resource services that need to re-check claims).
- API Gateway: Handles token verification, user claim extraction, and secure routing.
5. Best Practices & Security
- Zero Trust: All internal and external calls require authentication and authorization; never trust network boundaries.
- Principle of Least Privilege: Assign only necessary permissions to each role/user.
- Audit Logging: Log all authentication, authorization, and sensitive resource access.
- Token Expiry/Revocation: Use short-lived JWTs with refresh tokens; support revocation for compromised accounts.
- Service Mesh (Optional): For advanced security, use a service mesh (e.g., Istio) for mTLS, traffic policy, and observability.
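The "Token Expiry/Revocation" practice above (short-lived access tokens, refresh tokens, revocation for compromised accounts) is the part most often implemented loosely. The following is an added example, not code from the page or from Laravel Passport, written in Python with the standard library only (the page's own stack is Laravel/PHP, but the mechanism is language-agnostic). It assumes a hypothetical `RefreshTokenStore` standing in for the Identity Store's refresh-token table; access tokens are represented only by their expiry time, since minting the JWT itself is a separate concern. It shows rotating single-use refresh tokens grouped into a per-login "family", reuse detection that revokes the whole family, and per-user revocation for account compromise.

```python
"""Short-lived access tokens plus rotating refresh tokens with reuse detection and revocation.
Added illustration; RefreshTokenStore is a hypothetical stand-in for the Identity Store table."""
import hashlib
import secrets

ACCESS_TTL = 300           # 5-minute access tokens (the JWTs the gateway validates)
REFRESH_TTL = 14 * 86400   # refresh tokens live longer but are single-use


class RefreshTokenStore:
    """Only SHA-256 digests of refresh tokens are stored, so a leaked table does not
    yield usable tokens. Every token belongs to a 'family' started at login."""

    def __init__(self):
        self.rows = {}                # digest -> {"user", "family", "exp", "used"}
        self.revoked_families = set()

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, user_id, family, now):
        token = secrets.token_urlsafe(32)   # 256 bits of randomness, opaque to the client
        self.rows[self._digest(token)] = {
            "user": user_id, "family": family, "exp": now + REFRESH_TTL, "used": False,
        }
        return token

    def lookup(self, token):
        return self.rows.get(self._digest(token))

    def mark_used(self, token):
        self.rows[self._digest(token)]["used"] = True

    def revoke_family(self, family):
        self.revoked_families.add(family)

    def revoke_user(self, user_id):
        """Account compromise: every family belonging to the user stops refreshing."""
        for row in self.rows.values():
            if row["user"] == user_id:
                self.revoked_families.add(row["family"])


def login(store, user_id, now):
    """Start a new token family at login and hand out the first refresh token."""
    family = secrets.token_hex(8)
    return {"access_exp": now + ACCESS_TTL, "refresh": store.create(user_id, family, now)}


def refresh(store, presented, now):
    """Rotate: a refresh token is accepted exactly once and replaced by a new one in the
    same family. Returns (result, error). A second presentation of an already-rotated
    token means two parties hold it, so the whole family is revoked and the user
    must log in again."""
    row = store.lookup(presented)
    if row is None:
        return None, "unknown_token"
    if row["family"] in store.revoked_families:
        return None, "revoked"
    if row["exp"] <= now:
        return None, "expired"
    if row["used"]:
        store.revoke_family(row["family"])
        return None, "reuse_detected_family_revoked"
    store.mark_used(presented)
    new_refresh = store.create(row["user"], row["family"], now)
    return {"access_exp": now + ACCESS_TTL, "refresh": new_refresh}, None
```

Because access tokens are short-lived, revoking the refresh family is enough to cut off a compromised account within one `ACCESS_TTL`; if faster cut-off is required, the gateway additionally needs a denylist of token ids (`jti`) checked on every request, at the cost of a per-request lookup.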
6. Domain & SSO Recommendation
Adopt Option 2: Central Auth Domain (auth.myhospitalnow.com)
- All user types authenticate via a shared Auth Service.
- SSO across all portals and mobile apps.
- Unified user management and RBAC enforcement.
- Easier integration with external IdPs for federated login.
7. Example Architecture Diagram (Description)
- Clients: Web portals and mobile apps for Patients, Doctors, Hospitals, Nurses.
- API Gateway: Single entry point (validates JWT, routes requests).
- Auth Services:
- Authentication (login, token, SSO)
- Authorization (RBAC, permission checks)
- User Management (registration, profile, roles)
- Identity Store: Central DB for users, roles, permissions.
- Resource Microservices: Patient, Doctor, Hospital, Nurse services.
- Audit Logging: Monitors all sensitive actions.
- External IdPs (optional): Google, Azure AD, LDAP for SSO.
8. Sample RBAC Flow (Patient Accessing Doctor Listing)
- Patient logs in at www.myhospitalnow.com → API Gateway.
- API Gateway routes to Auth Service → JWT issued (role: patient).
- Patient requests doctor listing at /doctors/.
- API Gateway verifies JWT, forwards to Doctor Service with user claims.
- Doctor Service calls Authorization Service: “Does patient have permission to view doctor list?”
- Authorization Service checks RBAC policy, returns “allow.”
- Doctor Service responds with data.
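The RBAC decision flow of section 3 and this concrete patient-to-/doctors/ walk-through are the same exchange, so one added example covers both. It is illustration code written for this page, not the project's code and not Laravel Passport's; it is in Python with the standard library only (the page's stack is Laravel/PHP, but the flow is the same in any language). Assumptions, all hypothetical: an HS256 shared-secret JWT with a constructed `SIGNING_KEY` (in production the gateway would hold only a public key for an asymmetric algorithm), an in-memory `RBAC_POLICY` standing in for the Identity Store, a `ROUTE_PERMISSIONS` map inside the Doctor Service, and an in-memory `AUDIT_LOG`. The gateway deliberately discards any `X-User-*` headers a client sends and sets them only from the verified token, which is the check that keeps the downstream trust in those headers safe.

```python
"""Login -> JWT -> gateway verification -> RBAC decision -> audit, end to end.
Added illustration; SIGNING_KEY, RBAC_POLICY, ROUTE_PERMISSIONS and AUDIT_LOG are constructed."""
import base64
import hashlib
import hmac
import json
import time

SIGNING_KEY = b"constructed-example-hs256-key"   # constructed; a managed secret in production

# Central RBAC policy as the Identity Store would hold it: role -> granted permissions.
RBAC_POLICY = {
    "patient":  {"doctor:list", "appointment:create"},
    "doctor":   {"doctor:list", "patient:read", "appointment:manage"},
    "hospital": {"doctor:list", "doctor:manage"},
    "nurse":    {"patient:read"},
}
# Doctor Service's own mapping of (method, path) -> permission it must ask for.
ROUTE_PERMISSIONS = {("GET", "/doctors/"): "doctor:list", ("POST", "/doctors/"): "doctor:manage"}
AUDIT_LOG = []   # Audit Logging Service stand-in


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id, roles, ttl_seconds=300, now=None):
    """Authentication Service: mint a short-lived HS256 JWT carrying the user's roles."""
    now = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": user_id, "roles": roles, "iat": now, "exp": now + ttl_seconds}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token, now=None):
    """API Gateway: structure, pinned algorithm, constant-time signature check, expiry.
    Returns the claims dict, or None for anything that fails."""
    now = int(time.time() if now is None else now)
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, claims_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        expected = hmac.new(SIGNING_KEY, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
        if header.get("alg") != "HS256" or not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None            # never let the token choose the algorithm
        claims = json.loads(_b64url_decode(claims_b64))
    except (ValueError, TypeError):
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims


def gateway_forward(request, now=None):
    """Drop client-supplied identity headers, verify the bearer token, then set the
    identity headers from the verified claims only. None means respond 401."""
    headers = {k: v for k, v in request.get("headers", {}).items() if not k.lower().startswith("x-user-")}
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    claims = verify_token(auth[len("Bearer "):], now=now)
    if claims is None:
        return None
    headers["X-User-Id"] = claims["sub"]
    headers["X-User-Roles"] = ",".join(claims["roles"])
    return {"method": request["method"], "path": request["path"], "headers": headers}


def authorize(user_id, roles, permission):
    """Authorization Service: allow iff some role grants the permission; audit every decision."""
    allowed = any(permission in RBAC_POLICY.get(role, set()) for role in roles)
    AUDIT_LOG.append({"user": user_id, "roles": roles, "permission": permission,
                      "decision": "allow" if allowed else "deny"})
    return allowed


def doctor_service(forwarded):
    """Resource Microservice: map the route to a permission and delegate the decision.
    It trusts X-User-* only because it is reachable solely through the gateway (mTLS)."""
    permission = ROUTE_PERMISSIONS.get((forwarded["method"], forwarded["path"]))
    if permission is None:
        return 404, None
    roles = forwarded["headers"]["X-User-Roles"].split(",")
    if not authorize(forwarded["headers"]["X-User-Id"], roles, permission):
        return 403, None
    return 200, [{"id": "doc-1", "name": "Dr. Example"}]   # constructed sample data


def handle(request, now=None):
    """Whole flow for one request: 401 at the gateway, 403 from the policy, 200 with data."""
    forwarded = gateway_forward(request, now=now)
    if forwarded is None:
        return 401, None
    return doctor_service(forwarded)
```

Two behaviours are worth checking against the section 8 narrative: a patient token reaches `GET /doctors/` with an "allow" audit entry, and the same token on `POST /doctors/` is refused by policy (403) rather than by the gateway (401), so the audit trail distinguishes a bad token from an unauthorized action.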
9. Technology Stack Alignment
- Laravel/PHP: Can implement Auth, User Management, and Resource Microservices as separate Laravel apps.
- MySQL: Central identity and resource data store.
- API Gateway: Use Kong, NGINX, or Laravel-based gateway.
- JWT/OAuth2: Use Laravel Passport or similar for token-based auth.
- Android/Flutter: All apps authenticate via the same Auth Service.
10. Summary Table: Option Comparison
| Option | Pros | Cons |
|----------------|--------------------------------------------------------|----------------------------------------------------|
| Separate Auth | SSO, unified RBAC, less conflict, easier scaling | Requires refactoring, central point of failure |
| Per-Service | Simpler per service, less initial coordination | No SSO, user confusion, fragmented RBAC, conflicts |
11. Next Steps
- Refactor to central Auth Service (auth.myhospitalnow.com).
- Implement API Gateway for unified routing and security.
- Decouple user management, authentication, and authorization logic.
- Define RBAC policies in a central store.
- Integrate audit logging and consider external IdP support for future SSO needs.
This architecture will provide a secure, scalable, and user-friendly authentication and authorization system that supports RBAC and modern security best practices.