Security, identity management, and access control patterns

Authentication & Authorization Service

A centralized auth service supporting OAuth 2.0, RBAC, and multi-tenant access control for a SaaS platform.

Go, PostgreSQL, Redis, JWT, OAuth 2.0

Problem

Multiple services implemented their own authentication, leading to inconsistent security policies, duplicated code, and difficulty onboarding new tenants.

Solution

Centralized authentication into a dedicated service implementing OAuth 2.0 authorization code flow with PKCE, role-based access control, and tenant-scoped permissions.

Architecture

The service manages user identities, issues JWTs with embedded claims, and provides a policy evaluation endpoint. Tenant configurations are cached in Redis. Password hashing uses Argon2id. Token refresh is handled via rotating refresh tokens.

Key Decisions

  • Chose Argon2id over bcrypt for better resistance to GPU-based attacks
  • Implemented rotating refresh tokens to limit the blast radius of token theft
  • Used PostgreSQL row-level security for tenant data isolation
  • Designed the RBAC model to support hierarchical roles with permission inheritance
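The rotating refresh token scheme described under Architecture and Key Decisions, as an added Go example that is not the project's own code: every refresh token descends from a login "family", rotation consumes the presented token, and a second presentation of a consumed token revokes the whole family, which is what bounds the blast radius of a stolen token. The Postgres/Redis store is replaced here by constructed in-memory maps.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

var ErrInvalid = errors.New("invalid or revoked refresh token")
var ErrReuseDetected = errors.New("refresh token reuse detected: family revoked")

// Constructed in-memory stand-in for the Postgres/Redis-backed store. Only SHA-256
// hashes of tokens are kept, and every token descended from one login shares a family id.
var (
	family  = map[[32]byte]string{} // token hash -> family id
	used    = map[[32]byte]bool{}   // token hash -> already rotated once
	revoked = map[string]bool{}     // family id -> revoked by reuse detection
)

func randomHex() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err) // never fall back to a weak token
	}
	return hex.EncodeToString(b)
}

// Issue starts a new family at login and returns its first refresh token.
func Issue() string {
	tok := randomHex()
	family[sha256.Sum256([]byte(tok))] = randomHex()
	return tok
}

// Rotate consumes a token and returns its successor; a replayed token revokes its whole family.
func Rotate(tok string) (string, error) {
	h := sha256.Sum256([]byte(tok))
	fam, ok := family[h]
	if !ok || revoked[fam] {
		return "", ErrInvalid
	}
	if used[h] { // two parties hold this token, one of them a thief
		revoked[fam] = true
		return "", ErrReuseDetected
	}
	used[h] = true
	next := randomHex()
	family[sha256.Sum256([]byte(next))] = fam
	return next, nil
}
```

Note that the legitimate client is locked out along with the thief once reuse is detected, which is the intended trade-off: the user re-authenticates and the stolen chain dies.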