Title: Authentication and Role-Based Authorization in Microservice Architecture: A Generic Performance-Centric Design
Authors: Randa Ahmad Al-Wadi, Adi Maaita
DOI: 10.12720/jait.14.4.758-768 (https://doi.org/10.12720/jait.14.4.758-768)
Publication date: 2023-01-01
Publication type: Journal Article
Citation count: 0
Record source: Semantic Scholar

Abstract

In a microservice-based system, each microservice is a stand-alone application that may be targeted individually to obtain unauthorized access. Consequently, authentication and authorization features must be included. However, a set of related design decisions needs to be taken in a way that accommodates the scale of the developed system. To illustrate, a user may be authenticated by password and authorized based on roles. In such a case, one integrated authentication and role-based authorization microservice can be added. Besides, the Application Programming Interfaces (APIs) associated with roles may be hard-coded as static API-level role authorization checks. Nevertheless, a static relation between roles and APIs hinders modification of their associations when a massive number of APIs exist in a microservice system. To make this relation dynamic, this paper presents a generic microservice-based architectural design with a separate role-based authorization microservice that holds role/API database records. Moreover, it reports performance-optimization experiments carried out on the authentication and role-based authorization databases used by the suggested architectural design. The results for password-based authentication encouraged employing Not only SQL (NoSQL) databases with small microservice-based systems, which handle 1500 users or fewer, and Structured Query Language (SQL) databases with medium to large systems. Furthermore, the results indicated no difference between the two database types in the role-based authorization process at all API-based system scale levels.