Authentication and Authorization in Microservices Architecture: A Systematic Literature Review

M. G. de Almeida, E. Canedo
Journal: Applied Sciences-Basel. Published: 2022-03-16. DOI: 10.3390/app12063023 (https://doi.org/10.3390/app12063023). Citations: 13.

Abstract

The microservice architectural style splits an application into small services that are implemented independently, each with its own deployment unit. This architecture can bring benefits, but it also poses challenges, especially regarding security. Because a single system contains several microservices, the exposed attack surface increases: unlike the monolithic style, there are several applications running independently, and each must be secured individually. In this architecture, microservices communicate with each other, sometimes in a trust relationship, so unauthorized access to a specific microservice could compromise an entire system. This creates a need to explore security issues in microservices, especially authentication and authorization. In this work, a Systematic Literature Review is carried out to answer questions on this subject, covering the challenges, mechanisms and technologies that deal with authentication and authorization in microservices. It was found that few studies deal with the subject, especially in practical terms; however, there is a consensus that communication between microservices, mainly due to its individual and trustworthy characteristics, is a concern to be considered. To address these problems, mechanisms such as OAuth 2.0, OpenID Connect, API Gateway and JWT are used. Finally, it was found that few open-source technologies implement the researched mechanisms, with some mentions of the Spring Framework.