Doing FMEA on Flows rather than Components (a beginning)

Figured the FMEA needs to be done on my flows rather than on my components, to better visualize the issues. I’m doing the login flow first.

AuthProvider isn’t available, or can’t be reached due to a network problem.
This would cause the login to fail, and stop the user from using the system.
This is detected by our front end getting error messages from the AuthProvider.
Display an error message to the user, telling them this is a temporary error with the AuthProvider, and they can try again soon. Logging is of course key. Also, we’re planning a backup login routine by email (enter email, get temporary password).

Redirection to the authentication endpoint fails.
This would also cause the login to fail, and prevent the user from using the system.
We can detect this only if we get errors on our part, and in that case we can show a meaningful error to the user.

Next up, we have the AuthenticationMiddleware.

AuthProvider isn’t available, or can’t be reached due to a network problem.
This would cause the token validation to fail, and stop the user from using the system.
This is detected by our JwtValidator getting error messages from the AuthProvider.
The AuthProvider is called to get their public key, and caching that public key on our end would make us less vulnerable to short outages. The providers rotate their keys, and we would have to handle that, adding complexity to the application. The benefit would be both performance and resilience.
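
One way to cache the provider's signing keys as described above, as an added example rather than code from this project. `JwksCache`, `KeyUnavailable`, the `fetch` callable and all timing values are assumptions; the cache serves known keys through a short outage, refetches when a token names an unknown key id (rotation), throttles those refetches, and fails closed once the cached set is too old.

```python
import time

class KeyUnavailable(Exception):
    """No trusted key for this key id; the caller must reject the token."""

class JwksCache:
    # fetch() is a hypothetical callable returning {kid: public_key}; it raises on outage.
    def __init__(self, fetch, ttl=3600, max_stale=86400, min_refresh=60,
                 clock=time.monotonic):
        self._fetch, self._clock = fetch, clock
        self._ttl, self._max_stale, self._min_refresh = ttl, max_stale, min_refresh
        self._keys = {}             # kid -> public key material
        self._fetched_at = None     # time of the last successful fetch
        self._last_attempt = None   # time of the last fetch attempt, failed or not

    def _refresh(self):
        now = self._clock()
        # Throttle: tokens carrying made-up key ids must not become provider traffic.
        if self._last_attempt is not None and now - self._last_attempt < self._min_refresh:
            return
        self._last_attempt = now
        try:
            keys = self._fetch()
        except Exception:
            return                  # provider outage: keep the keys we already have
        self._keys, self._fetched_at = dict(keys), now

    def get_key(self, kid):
        expired = (self._fetched_at is None
                   or self._clock() - self._fetched_at >= self._ttl)
        # An unknown kid on a fresh cache usually means the provider rotated keys.
        if expired or kid not in self._keys:
            self._refresh()
        if (self._fetched_at is None
                or self._clock() - self._fetched_at > self._max_stale):
            raise KeyUnavailable("key set missing or too old to trust")
        if kid not in self._keys:
            raise KeyUnavailable(f"unknown key id {kid!r}")
        return self._keys[kid]

if __name__ == "__main__":
    # Constructed sample: a fake provider that is down after the first fetch.
    state = {"up": True}
    def fake_fetch():
        if not state["up"]:
            raise ConnectionError("AuthProvider unreachable")
        return {"key-2024": "<public key placeholder>"}
    cache = JwksCache(fake_fetch, ttl=0, min_refresh=0)
    cache.get_key("key-2024")
    state["up"] = False
    print(cache.get_key("key-2024"))   # still served from cache during the outage
```

The `max_stale` bound is the trade-off to tune: a longer value rides out longer outages, but also keeps trusting a key the provider may have withdrawn in the meantime.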

Let’s also check the UserProvisioningMiddleware.

Database isn’t available, or can’t be reached due to a network problem.
The risk of connection issues with the database is definitely not specific to the UserProvisioningMiddleware; it will occur anywhere we try to connect to a database. When it happens in our UserProvisioningMiddleware, it means we cannot tell what permissions the user has. We will handle this by denying access, but tell the user that this probably is a temporary problem.

It’s also obvious we need monitoring. Setting up Azure Application Insights seems like a good choice since we’re already deep in the Azure ecosystem.

About Stefan Bergfeldt

I call myself Ordbajsarn, but my real name is Stefan Bergfeldt. I was born at Falu lasarett in August 1978 and grew up in Hedemora. Web developer, search engine optimizer, entrepreneur and guitarist are other things you can call me, if Ordbajsarn doesn't fit. I run the consulting firm CRS Webbproduktion, and have specialized in producing cost-effective web solutions for small and medium-sized businesses.