I have been familiarizing myself with Google's Security Design Whitepaper. As far as I can understand, and with respect to a micro-services architecture, from the Access Management of End User Data section, Google's authentication scheme works as follows:
- User authenticates with the "Central User Identity Service" and is issued a session token. This token is associated with the user and stored by the identity service.
- User attempts to access a Google Service (e.g. Gmail), providing their session token (usually as a cookie).
- Gmail passes the user's session token on to the "Central User Identity Service", which looks up the validity of the session token and grants an "end user permission ticket". This appears to be a signed claims-based token for the Gmail service to pass around to other services. This is probably a signed JSON Web Token or similar, stating Gmail has my authority to access the user's data. This signature can be validated without ever communicating with the Central User Identity Service based on a shared secret; I guess in this instance Google is using a public/private key pair for the signature?
Is the "Central User Identity Service" really a central, single instance, sharing a single backing store? It seems so given the architecture and name. How can this be given it represents a single point of failure for Google? Am I missing something?
I am poised to believe that the "Central User Identity Service" may in fact be several sharded instances?
This pattern seems to cause a lot of chatter between the Gmail Service and the Central User Identity Service, meaning that it would need to be involved with nearly every request. Assuming that load balancing is non-sticky, the user's request to load page #2 of their inbox is more likely than not to hit another Gmail Service instance. Local caching of the user's session cookie's validity probably represents a risk that it would still be honored after revocation?
Is there any public documentation, or anyone that can give me an insight into just how central the "Central User Identity Service" really is?
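As an added illustration that is not part of the question or of Google's design: a minimal signed "end user permission ticket" of the kind described in the third step, where the identity service mints a claims token scoped to one service with a short expiry, and a downstream service verifies it locally without calling the issuer. The shared secret, claim names, audience strings and TTL are assumptions; a real deployment would use asymmetric keys so verifiers cannot mint tickets.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

# Constructed demo secret shared between a hypothetical identity service and
# the services that verify its tickets (HMAC stands in for a public/private key pair).
SHARED_SECRET = b"constructed-demo-secret-not-for-real-use"
# A short lifetime bounds how long a ticket stays honoured after the session is revoked.
TICKET_TTL_SECONDS = 300

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_ticket(user_id: str, audience: str, now: Optional[float] = None) -> str:
    """Identity-service side: mint a signed claims token for exactly one service."""
    now = time.time() if now is None else now
    claims = {"sub": user_id, "aud": audience, "iat": int(now), "exp": int(now) + TICKET_TTL_SECONDS}
    payload = _b64(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(SHARED_SECRET, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(sig)}"

def verify_ticket(ticket: str, expected_audience: str, now: Optional[float] = None) -> Optional[dict]:
    """Downstream-service side: validate offline. Returns the claims, or None if rejected."""
    now = time.time() if now is None else now
    try:
        payload, sig = ticket.split(".")
        expected = hmac.new(SHARED_SECRET, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None  # signature mismatch: tampered or forged
        claims = json.loads(_unb64(payload))
    except ValueError:
        return None  # malformed ticket
    if claims.get("aud") != expected_audience:
        return None  # minted for a different service; must not be replayed here
    if claims.get("exp", 0) <= now:
        return None  # expired: the service has to go back to the issuer for a fresh one
    return claims
```

The expiry check is what limits the revocation lag the question worries about: a cached or replayed ticket is only trusted until `exp`, after which the issuer is consulted again.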