First things first, let's get back to basics.
In the beginning… Let there be a simple service…
Then, as the business grows, we scale the system along the AKF scale cube:
Plus Conway's law: an organization designs systems that mirror its own communication structure. We usually evolve the architecture toward microservices (see "Why microservices?" for more).
In the microservice world, let's take one functional slice, the authn and authz services, which are owned by an Identity and Access Management (IAM) team.
Identity Provider
Workflow: User Settings and Profile Updates
Ory.sh/Kratos as an Example Architecture
OAuth2 lets the user or client go through one of four major workflows (not sure which one to use? see this), like
and finally obtain the access token and refresh token.
The assumption is that there are many entities involved in this workflow: client, resource owner, authorization server, resource server, network, etc. More entities mean more exposure to attack. A comprehensive protocol has to consider all kinds of edge cases. For example, what if the network is not HTTPS or cannot be fully trusted?
OpenID Connect is the identity protocol built on top of OAuth2; it defines a customizable RESTful API that products implement to provide Single Sign-On (SSO).
There are a lot of tricky details in those workflows and token handling processes. Don’t reinvent the wheel.
Problem: Credential stuffing attack
Users tend to reuse the same username and password across multiple sites. When one of those sites suffers a data breach, attackers replay the leaked credentials against other sites at scale.
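The defender's side of this problem is spotting the pattern in the login logs: one source trying many different usernames with a high failure rate. The following is an added example (not code from the original article) that parses constructed log lines in an assumed `ip=... user=... result=...` format and flags source IPs that match that signature; the thresholds are assumptions. Accounts that did log in successfully from a flagged source are reported as the ones to force a password reset on.

```python
"""Detect credential-stuffing patterns in authentication logs.

Added example, not code from the original article. The log format
(`ip=... user=... result=...`) and the thresholds are assumptions; the
log lines below are constructed for the demonstration."""
import re
from collections import defaultdict

# Constructed sample log lines: 203.0.113.7 cycles through many different
# usernames and almost always fails (a stuffing signature); 198.51.100.4 is
# one user mistyping a password twice before logging in.
LOG_LINES = """\
2024-03-01T10:00:01Z ip=203.0.113.7 user=alice result=fail
2024-03-01T10:00:02Z ip=203.0.113.7 user=bob result=fail
2024-03-01T10:00:02Z ip=203.0.113.7 user=carol result=fail
2024-03-01T10:00:03Z ip=203.0.113.7 user=dave result=fail
2024-03-01T10:00:03Z ip=203.0.113.7 user=erin result=fail
2024-03-01T10:00:04Z ip=203.0.113.7 user=frank result=fail
2024-03-01T10:00:04Z ip=203.0.113.7 user=grace result=success
2024-03-01T10:00:05Z ip=203.0.113.7 user=heidi result=fail
2024-03-01T10:01:10Z ip=198.51.100.4 user=bob result=fail
2024-03-01T10:01:25Z ip=198.51.100.4 user=bob result=fail
2024-03-01T10:01:40Z ip=198.51.100.4 user=bob result=success
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\w+)$"
)


def parse_line(line):
    """Return (ip, user, result), or None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("user"), m.group("result")


def detect_credential_stuffing(lines, min_distinct_users=5, min_fail_ratio=0.8):
    """Group attempts by source IP and flag IPs that try many distinct
    usernames with a high failure rate.

    Returns {ip: stats} for flagged IPs. `succeeded_accounts` lists the
    accounts that logged in from a flagged source: those are the likely
    compromised ones and the candidates for a forced password reset."""
    attempts = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, user, result = parsed
            attempts[ip].append((user, result))

    flagged = {}
    for ip, events in attempts.items():
        users = {u for u, _ in events}
        fails = sum(1 for _, r in events if r == "fail")
        fail_ratio = fails / len(events)
        if len(users) >= min_distinct_users and fail_ratio >= min_fail_ratio:
            flagged[ip] = {
                "attempts": len(events),
                "distinct_users": len(users),
                "fail_ratio": round(fail_ratio, 3),
                "succeeded_accounts": sorted(u for u, r in events if r == "success"),
            }
    return flagged


if __name__ == "__main__":
    for ip, stats in detect_credential_stuffing(LOG_LINES).items():
        print(ip, stats)
```

A real deployment would window the attempts by time and correlate across IPs (stuffing tools rotate proxies), but the two signals used here, username diversity and failure rate per source, are the core of the detection.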
Challenge: Bad deliverability of Email or SMS
How could clients subscribe to the server’s state? Short polling, long polling, web socket, or server-sent events.
Don’t reinvent the wheel.
Challenge 1: Web login is very slow, or the login form cannot be submitted at all.
See Web App Delivery Optimization for more info
Challenge 2: Account takeover
Challenge 3: Account creation takes too long
When the backend system gets too large, creating one user may fan out to many services and write entries into many different data sources. It feels bad to wait 15 seconds at the end of sign-up, right?
`isAuthorized(subject, action, resource)`

```json
{
  "subjects": ["alice"],
  "resources": ["blog_posts:my-first-blog-post"],
  "actions": ["delete"],
  "effect": "allow"
}
```
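To show how policies in that shape turn into an `isAuthorized` decision, here is an added example (not the article's code, and not the engine of Ory Keto or any other product). The policies are constructed inline in the same JSON shape; the decision rules (default deny, an explicit deny overriding any allow) and the `*` wildcard in resource names are assumptions made for the illustration.

```python
"""Minimal policy evaluator for isAuthorized(subject, action, resource).

Added example, not code from the original article or from any product.
Decision rules (default deny, deny wins over allow) and the `*` wildcard
are assumptions; the policies below are constructed."""
import json
from fnmatch import fnmatchcase  # glob-style matching, e.g. "blog_posts:*"

# Constructed sample policies in the JSON shape shown above.
POLICIES_JSON = """
[
  {"subjects": ["alice"],
   "resources": ["blog_posts:my-first-blog-post"],
   "actions": ["delete"],
   "effect": "allow"},
  {"subjects": ["bob", "carol"],
   "resources": ["blog_posts:*"],
   "actions": ["read"],
   "effect": "allow"},
  {"subjects": ["carol"],
   "resources": ["blog_posts:my-first-blog-post"],
   "actions": ["read"],
   "effect": "deny"}
]
"""

REQUIRED_KEYS = ("subjects", "resources", "actions", "effect")


def load_policies(text):
    """Parse policies and reject malformed ones up front, so a typo in a
    policy file fails loudly instead of silently granting or denying."""
    policies = json.loads(text)
    for p in policies:
        for key in REQUIRED_KEYS:
            if key not in p:
                raise ValueError(f"policy missing {key!r}: {p}")
        if p["effect"] not in ("allow", "deny"):
            raise ValueError(f"unknown effect {p['effect']!r}")
    return policies


def _matches(patterns, value):
    return any(fnmatchcase(value, pat) for pat in patterns)


def is_authorized(policies, subject, action, resource):
    """Default deny: only a matching allow grants access, and a single
    matching deny overrides every allow."""
    allowed = False
    for p in policies:
        if not (_matches(p["subjects"], subject)
                and _matches(p["actions"], action)
                and _matches(p["resources"], resource)):
            continue
        if p["effect"] == "deny":
            return False
        allowed = True
    return allowed


POLICIES = load_policies(POLICIES_JSON)

if __name__ == "__main__":
    for who, what, on in [("alice", "delete", "blog_posts:my-first-blog-post"),
                          ("alice", "read", "blog_posts:my-first-blog-post"),
                          ("carol", "read", "blog_posts:my-first-blog-post"),
                          ("carol", "read", "blog_posts:another-post")]:
        print(who, what, on, "->", is_authorized(POLICIES, who, what, on))
```

The two rules worth keeping in any real evaluator are the ones demonstrated here: an absent policy means no access, and a deny is never outvoted by an allow.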
Challenge: single point of failure and cascading failures
Western culture has a tradition of respecting privacy, especially after the Nazis murdered millions of people. Here are some typical sensitive data types: Personally Identifiable Information (PII), Protected Health Information (PHI, regulated by HIPAA), and Credit Card or Payment Card Industry (PCI) information.
Redacting sensitive information alone may not be enough, because the remaining data can still be linked with other datasets.
Differential privacy lets analysts extract aggregate information from databases containing personal data while still protecting each individual's privacy.
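As an added worked example (not from the original article), here is the simplest differentially private query, a count with Laplace noise. The records are constructed, and epsilon and the query are chosen for the demo. The `max_privacy_loss` function checks the defining property: the output distribution changes by a factor of at most e^epsilon when one person is added to or removed from the database.

```python
"""Laplace mechanism for a differentially private count.

Added example, not from the original article. The records are
constructed; epsilon and the query are assumptions chosen for the demo."""
import math
import random

# Constructed records: the "condition" flag stands in for the PHI the text
# mentions; an analyst may learn roughly how many, but not who.
RECORDS = [
    {"id": 1, "age": 34, "condition": True},
    {"id": 2, "age": 51, "condition": False},
    {"id": 3, "age": 29, "condition": True},
    {"id": 4, "age": 62, "condition": True},
    {"id": 5, "age": 45, "condition": False},
    {"id": 6, "age": 38, "condition": False},
    {"id": 7, "age": 57, "condition": True},
]


def has_condition(record):
    return record["condition"]


def true_count(records, predicate):
    return sum(1 for r in records if predicate(r))


def laplace_scale(sensitivity, epsilon):
    """Noise scale b = sensitivity / epsilon. A count has sensitivity 1:
    adding or removing one person changes it by at most 1."""
    if epsilon <= 0:
        raise ValueError("epsilon must be positive")
    return sensitivity / epsilon


def sample_laplace(rng, scale):
    """Laplace(0, scale), drawn as the difference of two iid exponentials
    with mean `scale` (avoids the log(0) edge case of the inverse CDF)."""
    return rng.expovariate(1.0 / scale) - rng.expovariate(1.0 / scale)


def private_count(records, predicate, epsilon, rng):
    """True count plus Laplace noise calibrated to sensitivity 1."""
    return true_count(records, predicate) + sample_laplace(rng, laplace_scale(1, epsilon))


def laplace_log_pdf(x, loc, scale):
    return -math.log(2 * scale) - abs(x - loc) / scale


def max_privacy_loss(count, epsilon, sensitivity=1, grid=range(-20, 40)):
    """Largest |log P(x | count) - log P(x | count + sensitivity)| over a
    grid of outputs. For neighbouring databases (one person added or
    removed) this must never exceed epsilon."""
    b = laplace_scale(sensitivity, epsilon)
    return max(abs(laplace_log_pdf(x, count, b) - laplace_log_pdf(x, count + sensitivity, b))
               for x in grid)


def mean_private_count(records, predicate, epsilon, seed, n=20000):
    """Average of many noisy answers: the noise is zero-mean, so the
    mechanism is accurate in aggregate while any single answer hides
    whether a given person is in the data."""
    rng = random.Random(seed)
    return sum(private_count(records, predicate, epsilon, rng) for _ in range(n)) / n


if __name__ == "__main__":
    rng = random.Random(42)
    print("true count:", true_count(RECORDS, has_condition))
    print("one private answer (epsilon=1):", private_count(RECORDS, has_condition, 1.0, rng))
    print("max privacy loss (epsilon=1):", max_privacy_loss(4, 1.0))
```

Note the trade-off the scale formula makes explicit: a smaller epsilon gives stronger privacy and proportionally larger noise, and releasing the same query repeatedly spends the budget again each time.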
To decouple identity from a centralized identity provider and the sensitive data it holds, we can use a decentralized identifier (DID) instead:
`did:example:123456789abcdefghijk`
Imagine that Alice has a state-issued DID and wants to buy some alcohol without disclosing her real name and precise age.
A DID solution: rather than handing over `did:ebfeb1f712ebc6f1c276e12ec21` together with name, avatar url, birthday and other sensitive data, the only claim that needs to be presented and verified is that `did:ebfeb1f712ebc6f1c276e12ec21` is over the age 21.

This article is an overview of authn and authz in microservices, and you don't have to memorize everything to be an expert. Here are some takeaways:
Architects model the world in system thinking to optimize everything. As an engineer and businessman, I am continually working on the orchestration of work and life and maintaining a high personal growth rate. Lessons learned are generalized into the BOZ growth loops.
BOZ is the acronym for a big loop that engages three small loops:
Stress can be good for people, while distress is not.
When the organization grows too big, it becomes unclear who should do what and who should decide what to do. RACI and DACI are here to clarify those responsibilities.
The assumption here is that too many projects happen in parallel, and it is easy to lose focus. We should rely more on team members driving each other than on one person as a single point of failure.
RACI is an acronym for the model:
Dropbox's design research team grew from 4 members to 30+ today. How do they scale the effort healthily, even when the team's headcount is limited? More research usually means more harm if it is done improperly.
And the major challenges for the scaling process are:
To enjoy a life of building software, media, and community as a hobby, for pure pleasure (everything here is NOT related to my job): why build personal infrastructure? What are the strategies and executions to grow hobby projects? What is my current progress?
Playing with a Chinese copy of Tamiya Mini 4WD
And playing computer games on DOS.
Introduction to programming with Macromedia Authorware
And then you can play in the classroom behind piles of textbooks :)
(Photos: Lego Robots | Challenge)
> … the fascination of fashioning complex puzzle-like objects of interlocking moving parts and watching them work in subtle cycles, playing out the consequences of principles built in from the beginning.
>
> — The Mythical Man-Month
Meanwhile, I came across some mind-blowing articles.
I conclude:
Plus, some takeaways from my previous pre-PMF (pre-product/market fit) startup experience
Here is the architecture of my hobby projects.
Technologies: React, React Native (Expo), GraphQL, Koa, TypeScript, AVA, Webpack, Airflow, MongoDB, Python (Pandas and Flask), Svelte, Metabase, Golang, etc.
Servers and APIs: Heroku, DigitalOcean, Azure, AWS, GitHub Pages, BunnyCDN.
Be part of the early majority that adopts proven new tech
Focus on building, not wasting time on SRE
Example 1
Example 2
“This architecture is not future-proof! / does not scale!”
Well…
Living a balanced life and keeping everything on track, measured by data
The key metric for "retention-first growth" is cohort analysis.
Retention benchmarks for reference:
| Industry | Day 1 | Day 7 | Day 30 |
|---|---|---|---|
| 2C | 40 | 20 | 10 |
| E-commerce | 35 | 15 | 5 |
| Gaming | 30 | 15 | <5 |
| EdTech | 25 | 10 | 5 |
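To make "cohort analysis" concrete, here is an added example (not the article's code) that computes Day-N retention from constructed sign-up and activity events and compares a cohort against the benchmark table above. It assumes the table's numbers are percentages and uses the classic definition, the share of a sign-up cohort with any activity exactly N days after sign-up; other teams use "active on or before day N", so check which one your dashboard means before comparing.

```python
"""Day-N cohort retention from sign-up and activity events.

Added example, not from the original article. Users are grouped by sign-up
date (the cohort); Day-N retention is the share of the cohort with any
activity exactly N days after sign-up (an assumption: one common
definition). Events and benchmarks-as-percent are constructed/assumed."""
from collections import defaultdict
from datetime import date, timedelta

# Constructed sign-up dates and activity events (user, day active).
SIGNUPS = {
    "u1": date(2024, 1, 1), "u2": date(2024, 1, 1),
    "u3": date(2024, 1, 1), "u4": date(2024, 1, 1),
    "u5": date(2024, 1, 2), "u6": date(2024, 1, 2),
}
ACTIVITY = [
    ("u1", date(2024, 1, 2)), ("u2", date(2024, 1, 2)),
    ("u1", date(2024, 1, 8)), ("u3", date(2024, 1, 8)),
    ("u1", date(2024, 1, 31)),
    ("u5", date(2024, 1, 3)), ("u6", date(2024, 1, 9)),
    ("u6", date(2024, 1, 9)),  # duplicate event: a user counts once per day
]

# The benchmark table above, read as percentages (Gaming's "<5" taken as 5).
BENCHMARKS = {
    "2C": {1: 40, 7: 20, 30: 10},
    "E-commerce": {1: 35, 7: 15, 30: 5},
    "Gaming": {1: 30, 7: 15, 30: 5},
    "EdTech": {1: 25, 7: 10, 30: 5},
}


def cohort_retention(signups, activity, days=(1, 7, 30)):
    """Return {cohort_date: {N: percent_retained}} for each sign-up cohort."""
    cohorts = defaultdict(set)
    for user, signed_up in signups.items():
        cohorts[signed_up].add(user)

    active_days = defaultdict(set)  # set semantics: one count per user per day
    for user, day in activity:
        active_days[user].add(day)

    result = {}
    for cohort_date, users in sorted(cohorts.items()):
        result[cohort_date] = {}
        for n in days:
            target = cohort_date + timedelta(days=n)
            retained = sum(1 for u in users if target in active_days[u])
            result[cohort_date][n] = round(100.0 * retained / len(users), 1)
    return result


def below_benchmark(cohort_rates, industry):
    """Days on which a cohort's retention is under the industry benchmark."""
    bench = BENCHMARKS[industry]
    return [n for n, rate in cohort_rates.items() if n in bench and rate < bench[n]]


if __name__ == "__main__":
    for cohort_date, rates in cohort_retention(SIGNUPS, ACTIVITY).items():
        print(cohort_date.isoformat(), rates, "below 2C benchmark on:",
              below_benchmark(rates, "2C"))
```

With real data the cohort sizes are large enough that a single user is not a 25-point swing, which is the other thing to check before reading too much into a small early cohort.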
Products
Framework
Helped my friends' projects start from scratch
Media:
Community:
👍 Definitely and welcome! They are mostly open sourced or open for registration. Thank you for becoming our valued customer or community member!
👏 Feedback is highly appreciated!
❤️ Like it? Check this article at https://tianpan.co and follow me on https://twitter.com/puncsky :)