
Purpose

The User & Auth Service is the identity authority for MCSP. It issues and validates JWT access tokens, manages refresh token rotation, enforces RBAC role claims, and coordinates multi-factor authentication challenges. Every API request that reaches the application layer has already had its token signature verified at the API Gateway — the Auth Service is invoked for elevated operations such as session creation, token refresh, and privilege checks that require database-backed validation.
Zero-Trust boundary. Every inter-service call on MCSP requires a valid mTLS client certificate issued per service identity. No internal endpoint is reachable without mutual authentication — the service mesh (Istio) enforces this independently of application code.

Responsibilities

| Responsibility | Detail |
|---|---|
| JWT issuance | Issues short-lived access tokens (15-minute TTL) encoding role, sub (user ID), and minimal claims. Access tokens are signed with a rotating RS256 private key held in KMS. |
| Refresh token management | Rotating refresh tokens stored as HttpOnly, Secure, SameSite=Strict cookies. Each use of a refresh token rotates the token; reuse of a consumed refresh token triggers session revocation (token theft detection). |
| RBAC enforcement | Role claims in the JWT are the authoritative source for permission checks at the API Gateway. Service-level permission checks delegate to the Auth Service via gRPC for operations requiring database-backed role verification. |
| Multi-factor authentication (2FA) | TOTP-based 2FA available for all users; enforced for all admin and organisation admin accounts. Anomalous login geography triggers a 2FA challenge regardless of account settings. |
| OAuth2 / Social login | Supports the OAuth2 authorization code flow for Google and Apple sign-in. The external identity is mapped to an internal MCSP user record on first login. |
| Session invalidation | Logout invalidates the active refresh token immediately. Session revocation by a Platform Admin cascades to active sessions within 5 minutes via Redis TTL expiry. |
| Password security | Passwords stored as Argon2id hashes. Breached-password check against the HaveIBeenPwned API at registration and password change. Rate limiting at /login: lockout after 5 failed attempts, CAPTCHA after 3. |
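The refresh token rotation and reuse detection described above, as an added illustration (not the service's own code): an in-memory stand-in for the refresh_tokens table from the Data Owned section, a rotate step that consumes the presented token and issues a successor, and revocation of every session for the user when a consumed token is replayed. The refresh TTL, the cookie name and the cookie path are assumptions.

```python
from __future__ import annotations
import hashlib
import secrets
from typing import Optional, Tuple


class RefreshTokenStore:
    """Hypothetical in-memory stand-in for the refresh_tokens table
    (token_hash, user_id, expires_at, revoked); column names follow the page."""

    def __init__(self, ttl_seconds: int = 30 * 24 * 3600):  # TTL is an assumption
        self.rows: dict = {}
        self.ttl = ttl_seconds

    @staticmethod
    def _hash(token: str) -> str:
        # Only the hash is persisted, so a leaked table does not yield usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: str, now: float) -> str:
        token = secrets.token_urlsafe(32)
        self.rows[self._hash(token)] = {
            "user_id": user_id, "expires_at": now + self.ttl, "revoked": False}
        return token

    def revoke_all(self, user_id: str) -> None:
        for row in self.rows.values():
            if row["user_id"] == user_id:
                row["revoked"] = True

    def active_count(self, user_id: str, now: float) -> int:
        return sum(1 for r in self.rows.values()
                   if r["user_id"] == user_id and not r["revoked"] and r["expires_at"] > now)

    def rotate(self, token: str, now: float) -> Tuple[str, Optional[str]]:
        """Consume `token` and return ("ok", new_token), or a failure status and None."""
        row = self.rows.get(self._hash(token))
        if row is None or row["expires_at"] <= now:
            return "invalid", None
        if row["revoked"]:
            # An already-consumed (or revoked) token is being replayed: treat it as
            # theft and kill every session of that user, as the page describes.
            self.revoke_all(row["user_id"])
            return "reuse_detected", None
        row["revoked"] = True  # one-time use: mark consumed before issuing the successor
        return "ok", self.issue(row["user_id"], now)


def refresh_cookie(token: str, max_age: int) -> str:
    # Set-Cookie attributes as stated on the page; cookie name and path are assumptions.
    return (f"refresh_token={token}; Max-Age={max_age}; Path=/api/v1/auth; "
            f"HttpOnly; Secure; SameSite=Strict")
```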

API Surface

| Method | Endpoint | Auth | Description |
|---|---|---|---|
| POST | /api/v1/auth/register | None | Create a new user account |
| POST | /api/v1/auth/login | None | Authenticate and receive access + refresh tokens |
| POST | /api/v1/auth/refresh | Refresh cookie | Exchange refresh token for a new access token |
| POST | /api/v1/auth/logout | Bearer | Revoke current session |
| POST | /api/v1/auth/2fa/setup | Bearer | Enrol TOTP 2FA |
| POST | /api/v1/auth/2fa/verify | Bearer | Verify 2FA challenge |
| GET | /api/v1/users/me | Bearer | Fetch authenticated user profile |
| PATCH | /api/v1/users/me | Bearer | Update profile (name, avatar, language preference) |
| DELETE | /api/v1/users/me | Bearer | Initiate account deletion (GDPR right to erasure) |

Data Owned

| Store | Schema |
|---|---|
| Postgres | users (id, email, password_hash, role, status, created_at), refresh_tokens (token_hash, user_id, expires_at, revoked), mfa_configs (user_id, totp_secret, enabled) |
| Redis | Session cache keyed by session:{userId} (15-minute sliding TTL); failed login attempt counters |

Kafka Topics

The Auth Service does not produce Kafka events. It is a synchronous service — its outputs are direct API responses and session state in Redis/Postgres.

Failure Behaviour

| Failure | Behaviour |
|---|---|
| Auth Service pod failure | API Gateway falls back to cached session validation from Redis for up to 5 minutes. Operations requiring database-backed validation (role elevation, session creation) fail with 503 until recovery. |
| Redis cache miss | Auth Service falls back to Postgres session lookup. Higher latency per request but correct behaviour. |
| KMS unreachable | Token issuance fails; new login requests return 503. Active sessions remain valid until existing JWT expiry. |
