```mermaid
graph TB
    subgraph "Client Layer"
        CLIENT[Web App / Mobile]
    end
    subgraph "Edge Gateway"
        APIGW[api-gateway]
    end
    subgraph "Auth Orchestration"
        ORCH[auth-orchestrator]
    end
    subgraph "Identity & Auth Domain"
        IDENTITY[identity-service<br/>User Management]
        VERIFY[verification-service<br/>Email/SMS OTP]
        PASSWORD[password-vault<br/>Argon2id Hashing]
        MFA[mfa-engine<br/>TOTP, WebAuthn]
        TOKEN[session-token-service<br/>JWT, OAuth2, refresh]
        SOCIAL[social-idp-bridge<br/>Google, GitHub, LinkedIn]
        RISK[risk-engine<br/>Fraud Detection]
    end
    subgraph "Supporting Services"
        AUDIT[audit-service<br/>Compliance Logs]
        ACCOUNT[account-service<br/>User Profiles]
        HERALD[herald<br/>Notifications]
    end
    subgraph "Data Layer"
        POSTGRES[(PostgreSQL)]
        REDIS[(Redis)]
        KAFKA[Kafka Events]
    end

    CLIENT --> APIGW
    APIGW --> ORCH
    APIGW --> ACCOUNT
    ORCH --> IDENTITY
    ORCH --> VERIFY
    ORCH --> PASSWORD
    ORCH --> MFA
    ORCH --> TOKEN
    ORCH --> SOCIAL
    ORCH --> RISK

    IDENTITY --> POSTGRES
    VERIFY --> REDIS
    PASSWORD --> POSTGRES
    MFA --> POSTGRES
    TOKEN --> POSTGRES
    SOCIAL --> POSTGRES
    RISK --> POSTGRES
    AUDIT --> POSTGRES
    ACCOUNT --> POSTGRES

    IDENTITY -.->|Events| KAFKA
    PASSWORD -.->|Events| KAFKA
    MFA -.->|Events| KAFKA
    TOKEN -.->|Events| KAFKA
    SOCIAL -.->|Events| KAFKA
    RISK -.->|Events| KAFKA
    KAFKA -.->|Consume| AUDIT
    KAFKA -.->|Consume| RISK
    HERALD -.->|Email/SMS| CLIENT

    style ORCH fill:#4A90E2
    style IDENTITY fill:#50C878
    style RISK fill:#FF6B6B
    style AUDIT fill:#FFD93D
```
Architecture description

System layers

- Client Layer
  - Web App (Next.js/React)
  - Mobile Apps (React Native)
- Edge Gateway
  - api-gateway (Go): single entry point, routing, rate limiting
- Auth Orchestration
  - auth-orchestrator: coordinates all auth-related operations
  - Implements the business flows: signup, login, password reset, MFA, social login
- Identity & Auth Domain (9 microservices)
  - identity-service: user management, identifiers (email/phone)
  - verification-service: verification challenges (email/SMS OTP), Redis-based
  - password-vault: password hashing (Argon2id), password history
  - mfa-engine: MFA devices (TOTP, WebAuthn), backup codes
  - session-token-service: JWT signing (RS256), OAuth2 clients, refresh tokens and session lifecycle
  - social-idp-bridge: OAuth2 integration (Google, GitHub, LinkedIn)
  - risk-engine: risk scoring, fraud detection, device fingerprinting
- Supporting Services
  - audit-service: audit logs, compliance tracking, retention policies
  - account-service: user profiles (PII), avatar, preferences
  - herald: email/SMS notifications (Inbox Pattern)
- Data Layer
  - PostgreSQL: 13 databases (one per microservice)
  - Redis: temporary data (OTP codes, verification challenges, rate limits)
  - Kafka: event streaming (Inbox/Outbox Pattern)
Interaction patterns

- REST API: public endpoints exposed through api-gateway
- gRPC: internal inter-service communication
- Event-driven: Kafka for asynchronous processes (Inbox/Outbox Pattern)
- CQRS: separation of commands (write) and queries (read)
- DDD: Onion Architecture, bounded contexts
- Security: JWT (RS256), session replay detection, refresh token rotation
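The last two items in the Security line, refresh token rotation and replay detection, are easiest to understand together: every rotation marks the presented token as consumed, and a second presentation of a consumed token proves that two parties hold the same secret, so the whole chain descended from that login is revoked. The Go program below is an added illustration and is not session-token-service code; the `TokenStore`, its in-memory maps standing in for the PostgreSQL table, and the "family" naming are assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

// Sentinel errors returned by Rotate. ErrTokenReuse is the replay signal a
// caller would forward to the risk-engine and audit-service.
var (
	ErrInvalidToken = errors.New("refresh token unknown or expired")
	ErrTokenReuse   = errors.New("refresh token reuse detected; session family revoked")
)

// refreshRecord is one issued refresh token. Every token descended from a
// single login shares a family id, so one replay can revoke the whole chain.
type refreshRecord struct {
	family    string
	userID    string
	expiresAt time.Time
	used      bool // set once this token has been exchanged for its successor
}

// TokenStore is a hypothetical in-memory store (constructed for this example);
// tokens are kept only as SHA-256 digests, never in the clear.
type TokenStore struct {
	mu      sync.Mutex
	byHash  map[string]*refreshRecord
	revoked map[string]bool  // families invalidated after a replay
	ttl     time.Duration
	Now     func() time.Time // injectable clock so expiry can be tested
}

func NewTokenStore(ttl time.Duration) *TokenStore {
	return &TokenStore{byHash: map[string]*refreshRecord{}, revoked: map[string]bool{}, ttl: ttl, Now: time.Now}
}

func hashToken(tok string) string {
	sum := sha256.Sum256([]byte(tok))
	return hex.EncodeToString(sum[:])
}

// randomToken returns 256 bits of CSPRNG output, hex encoded.
func randomToken() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// Issue starts a new token family at login and returns its first refresh token.
func (s *TokenStore) Issue(userID string) (token, family string, err error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if family, err = randomToken(); err != nil {
		return "", "", err
	}
	if token, err = randomToken(); err != nil {
		return "", "", err
	}
	s.byHash[hashToken(token)] = &refreshRecord{family: family, userID: userID, expiresAt: s.Now().Add(s.ttl)}
	return token, family, nil
}

// Rotate exchanges a live refresh token for a new one in the same family.
// A token that was already rotated is a replay: the family is revoked.
func (s *TokenStore) Rotate(token string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	rec, ok := s.byHash[hashToken(token)]
	if !ok || s.Now().After(rec.expiresAt) {
		return "", ErrInvalidToken
	}
	if s.revoked[rec.family] {
		return "", ErrTokenReuse
	}
	if rec.used {
		s.revoked[rec.family] = true // replay detected: kill the whole chain
		return "", ErrTokenReuse
	}
	rec.used = true
	next, err := randomToken()
	if err != nil {
		return "", err
	}
	s.byHash[hashToken(next)] = &refreshRecord{family: rec.family, userID: rec.userID, expiresAt: s.Now().Add(s.ttl)}
	return next, nil
}

// FamilyRevoked reports whether a login's entire token chain has been invalidated.
func (s *TokenStore) FamilyRevoked(family string) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	return s.revoked[family]
}

func main() {
	s := NewTokenStore(time.Hour)
	t1, fam, _ := s.Issue("user-42")
	t2, _ := s.Rotate(t1)
	_, err := s.Rotate(t1) // the old token is presented a second time
	fmt.Println("rotated:", t2 != t1, "| replay:", err, "| family revoked:", s.FamilyRevoked(fam))
}
```

Revoking the family on reuse means the legitimate client is logged out as well as the replaying party; that is the intended trade-off, because at that point the service cannot tell which holder is genuine, and the `ErrTokenReuse` event is what the risk-engine and audit-service should consume.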