The Problem
A decade-old monolithic authentication system had become the single biggest risk in a 10M+ user financial platform. Session management, token issuance, and permission evaluation all ran in the same process. A single deployment freeze blocked every team.
The ask: migrate to a standards-compliant identity mesh without a maintenance window.
Architecture Decision
The migration used a strangler fig pattern with a compatibility shim layer that allowed both the old and new systems to serve tokens concurrently:
- Phase 1: Deploy new OAuth2/OIDC service (Go) behind the shim — old tokens still valid
- Phase 2: Dual-write all new sessions to both systems, validate parity
- Phase 3: Flip read path to new system, deprecate shim
Terraform managed all infrastructure with blue/green routing at the load balancer level. No code freeze was required.
The Outcome
10 million user sessions migrated without a single reported auth failure. The new service handles 3x the original peak load on 40% fewer compute resources, and teams can now deploy identity changes independently without cross-team coordination.