User Microservice Authentication (UMA) streamlines the authentication (“Who are you?”) and authorization (“What are you allowed to do?”) processes for users through a centralized user management system, delivering secure access to microservice APIs without clogging up servers with requests.
UMA is connected to an API Authentication Gateway that directs the flow of API traffic through a JSON Web Token (JWT) – a signed JSON object that contains a list of user credentials that identify both who the sender is and what services they have permissions to access to allow the receiver to validate through a memory-based proxy network.
User Login Activity with UMA
flowchart TD
A(("User")) -- User Sends Credentials --> B("Find User by Email")
B --> C{"User Found?"}
C -- No --> F("Compare Passwords Bcypt Hashes") & E>"User Receives 403 Error"]
F --> G{"Are Passwords Equal?"}
G -- No --> E
G -- Yes --> H{"Should User Reset Password?"}
H -- No --> I{"Is 2FA Enabled?"}
I -- Yes --> J{"Is Device Already Verified?"}
J -- No --> K{"Is 2FA Code Provided?"}
K -- No --> S>"User Receives 422 Error, Along with Available 2FA Options"]
K -- Yes --> L{"Is 2FA code valid"}
L -- No --> S
L -- Yes --> M{"Does User Have at least One Active Firm Assigned?"}
M -- No --> T>"User Receives 403 Error"]
M -- Yes --> N{"Has User Asked to Remember Device?"}
N -- No --> U["Saving Device ID in Database as Verified"] & O["Creating Session and Tokens"]
O --> P(("Success"))
P <--> Q>"User Receives 201 Response with Refresh & Access Tokens."]
I -- No --> O
J -- Yes --> O
style E fill:#FFCDD2
style S fill:#FFCDD2
style T fill:#FFCDD2
style P fill:#C8E6C9
style Q fill:#C8E6C9
linkStyle 2 stroke:#D50000,fill:none
linkStyle 3 stroke:#D50000,fill:none
linkStyle 5 stroke:#D50000,fill:none
linkStyle 6 stroke:#00C853,fill:none
linkStyle 7 stroke:#D50000,fill:none
linkStyle 8 stroke:#00C853,fill:none
linkStyle 9 stroke:#D50000,fill:none
linkStyle 10 stroke:#D50000,fill:none
linkStyle 11 stroke:#00C853,fill:none
linkStyle 12 stroke:#D50000,fill:none
linkStyle 13 stroke:#00C853,fill:none
linkStyle 14 stroke:#D50000,fill:none
linkStyle 15 stroke:#00C853,fill:none
linkStyle 16 stroke:#D50000,fill:none
linkStyle 17 stroke:#D50000,fill:none
linkStyle 20 stroke:#D50000,fill:none
linkStyle 21 stroke:#00C853,fill:none
For example, UMA generates a JWT at login that claims the end user is “logged in as a system admin,” which allows that user to access APIs and other microservices with admin permissions through the server’s signed key.
In other words, microservices are accepting the JWT or private key as the authentication for the end user without receiving sensitive information (such as ID, Email, Role, etc.), while also encoding the user session data and preventing a potential malicious actor from modifying the information. JWT encryption ensures data integrity as well, so if a bad actor were to try and impersonate a user without the private key, the system will void the request.
API Gateway-Microservice Database Connection
flowchart LR
subgraph ide1["Microservice Database"]
a2(("API Gateway"))
a1(["Users"])
a3(["Account Management"])
a4(["Insight API"])
a5(["Global ID"])
a6(["Custodian Exchange"])
a7(["Continuous ID"])
a8(["IPO Admin"])
a9(["Blacklist API"])
a10(["PDFGen"])
a11(["Billing & Reporting"])
a12(["Middleware API"])
a13(["Dow Jones Watchlist"])
a14(["Aggreement Entitlement System (AES)"])
end
C(("API Gateway")) --- a2
a1 --- a2
a2 --- a3 & a4 & a5 & a6 & a7 & a8 & a9 & a10 & a11 & a12 & a13 & a14
style a2 stroke:#00C853,fill:#C8E6C9
style a1 stroke:#2962FF
style a3 stroke:#2962FF
style a4 stroke:#2962FF
style a5 stroke:#2962FF
style a6 stroke:#2962FF
style a7 stroke:#2962FF
style a8 stroke:#2962FF
style a9 stroke:#2962FF
style a10 stroke:#2962FF
style a11 stroke:#2962FF
style a12 stroke:#2962FF
style a13 stroke:#2962FF
style a14 stroke:#2962FF
style C fill:#C8E6C9,stroke:#00C853
style ide1 fill:#BBDEFB,color:#000000,stroke:#BBDEFB
linkStyle 0 stroke:#00C853
linkStyle 1 stroke:#2962FF,fill:none
linkStyle 2 stroke:#2962FF,fill:none
linkStyle 3 stroke:#2962FF,fill:none
linkStyle 4 stroke:#2962FF,fill:none
linkStyle 5 stroke:#2962FF,fill:none
linkStyle 6 stroke:#2962FF,fill:none
linkStyle 7 stroke:#2962FF,fill:none
linkStyle 8 stroke:#2962FF,fill:none
linkStyle 9 stroke:#2962FF,fill:none
linkStyle 10 stroke:#2962FF,fill:none
linkStyle 11 stroke:#2962FF,fill:none
linkStyle 12 stroke:#2962FF,fill:none
linkStyle 13 stroke:#2962FF,fill:none
This method of authentication allows for multiple requests to run simultaneously, while not populating logic across the many microservices accessible by end users that require permissions.
Authentication Request Life Cycle
flowchart TB
A>"User Sends Request to Gateway"] --> B(("Start"))
B --> C["Extract Path Prefix from Request (First Path Element of Request URI)"]
C --> D["Fetches Microservice Domain Corresponding to Path Prefix"]
D --> E{"Domain found?"}
E -- No --> F>"User Receives 502 Error"]
E -- Yes --> G["Fetches Endpoint"]
G --> H{"Endpoint Found?"}
H -- No --> I>"User Receives 403 Error"]
H -- Yes --> J{"Is Request Public?"}
J -- No --> K{"Has User Sent Valid JWT Access Token?"}
K -- No --> L>"User Receives 401 Error"] & M{"Is session active?"}
M -- No --> L
M -- Yes --> N{"Is User B2B and Email Verification Required for Endpoint? Has User Verified Email?"}
N -- No --> L
N -- Yes --> O{"Has User All Required Permissions by Endpoint?"}
O -- No --> S>"User Receives 403 Error"]
O -- Yes --> P("Request Redirected to Microservice in Private Network")
P --> Q(("Success"))
Q --> R>"Microservice Response Redirected to User"]
J -- Yes --> P
style F fill:#FFCDD2
style I stroke:none,fill:#FFCDD2
style L fill:#FFCDD2
style S fill:#FFCDD2
style Q fill:#C8E6C9
style R fill:#C8E6C9
linkStyle 4 stroke:#D50000,fill:none
linkStyle 5 stroke:#00C853,fill:none
linkStyle 7 stroke:#D50000,fill:none
linkStyle 8 stroke:#00C853,fill:none
linkStyle 9 stroke:#D50000,fill:none
linkStyle 10 stroke:#D50000,fill:none
linkStyle 11 stroke:#00C853,fill:none
linkStyle 12 stroke:#D50000,fill:none
linkStyle 13 stroke:#00C853,fill:none
linkStyle 14 stroke:#D50000,fill:none
linkStyle 15 stroke:#00C853,fill:none
linkStyle 16 stroke:#D50000,fill:none
linkStyle 17 stroke:#00C853,fill:none
linkStyle 20 stroke:#00C853,fill:none
Being located in a centralized system, UMA allows for full control of user sessions on UMA and Gateway through session management tooling, allowing end users the ability to turn off user sessions due to suspicious activity, setup up two-factor authentication for improved security (supported configurations include email and SMS code, Google authenticator, hardware key and QR code authenticators), and reset their password and modify settings without loading the server with requests.
Moreover, with UMA there does not need to be a separate user for each role and permission. The system has separate B2C and B2B user databases, with B2B admin users being responsible for configuring their user base creation and management, while B2C end users only have permissions for features set by the admin.
UMA - API Gateway User Communication
flowchart LR
A>"B2B User (Admin)"] --> B(("API Gateway"))
B --- C("Session Management") & D("Basic Login") & E("2FA Setup") & F("Password Reset") & G("Tokens Refresh") & H("User Setting Change")
B ----- I("B2C Users CRUD") & J("Firm-Scoped Roles CRUD") & K("Firms Read") & L("Branches Read") & M("API Keys login") & N("Branches CRUD") & O("B2B Users CRUD") & P["Sharing password by link after B2B/B2C user creation"] & Q("User's API Keys CRUD")
R>"B2C User (End User/All Users)"] --> B
style A stroke:#FFCDD2,fill:#FFCDD2
style B stroke:#C8E6C9,fill:#C8E6C9
style C stroke:#E1BEE7,fill:#E1BEE7
style D stroke:#E1BEE7,fill:#E1BEE7
style E stroke:#E1BEE7,fill:#E1BEE7
style F stroke:#E1BEE7,fill:#E1BEE7
style G stroke:#E1BEE7,fill:#E1BEE7
style H stroke:#E1BEE7,fill:#E1BEE7
style I stroke:#FFCDD2,fill:#FFCDD2
style J fill:#FFCDD2,stroke:#FFCDD2
style K fill:#FFCDD2
style L fill:#FFCDD2,stroke:#FFCDD2
style M fill:#FFCDD2,stroke:#FFCDD2
style N fill:#FFCDD2,stroke:#FFCDD2
style O stroke:#FFCDD2,fill:#FFCDD2
style P stroke:#FFCDD2,fill:#FFCDD2
style Q stroke:#FFCDD2,fill:#FFCDD2
style R stroke:#BBDEFB,fill:#BBDEFB
linkStyle 0 stroke:#D50000,fill:none
linkStyle 1 stroke:#AA00FF,fill:none
linkStyle 2 stroke:#AA00FF,fill:none
linkStyle 3 stroke:#AA00FF,fill:none
linkStyle 4 stroke:#AA00FF,fill:none
linkStyle 5 stroke:#AA00FF,fill:none
linkStyle 6 stroke:#AA00FF,fill:none
linkStyle 7 stroke:#D50000
linkStyle 8 stroke:#D50000,fill:none
linkStyle 9 stroke:#D50000,fill:none
linkStyle 10 stroke:#D50000,fill:none
linkStyle 11 stroke:#D50000,fill:none
linkStyle 12 stroke:#D50000,fill:none
linkStyle 13 stroke:#D50000,fill:none
linkStyle 14 stroke:#D50000,fill:none
linkStyle 15 stroke:#D50000,fill:none
linkStyle 16 stroke:#2962FF,fill:none
