Suggestions for authorization in the sidekick component of microservice architecture
DOI: https://doi.org/10.26906/SUNZ.2025.1.116-123

Keywords: Sidecar, microservices, authorization, Keycloak, performance, cache, containers, Kubernetes, scalability, open-source, Gatling, resource allocation, load balancing, web server, information system

Abstract
The article develops proposals on the feasibility of implementing authorization in the sidecar component of a microservice, which separates business logic from authorization, logging, caching, and similar tasks. With such an implementation, the main business modules remain focused exclusively on their business logic and change only when business procedures are updated, while tasks common to almost any modern solution are transferred to auxiliary components such as a sidecar. Proper implementation of authorization is a key aspect of any system: it requires taking a large number of features into account and using best practices to protect data from unauthorized access. The capabilities of the open-source Keycloak solution are considered. Keycloak is a very popular authentication/authorization service that supports standard identity protocols such as OpenID Connect, OAuth 2.0, and SAML 2.0. It supports multi-factor authentication and containerization, can be easily deployed in a microservices environment such as Kubernetes, and integrates with various external services, including Google, Facebook, etc. The article presents the architecture and the proposals (method) required for integration with the sidecar component. A study of the performance of the developed solution was conducted, and the numerical values obtained are presented in tables and graphs. To enhance performance further, the sidecar architecture incorporates a local caching mechanism based on Caffeine cache, which is known for its high performance and effectiveness. This cache stores authorization tokens, significantly decreasing the number of calls to Keycloak by reusing locally stored tokens until they expire. This mechanism reduces reliance on central Keycloak servers and minimizes latency, providing a performance boost through decreased network traffic and faster token retrieval. Extensive performance testing was conducted using the Gatling framework to validate the integration and caching strategy. These tests demonstrated that the sidecar configuration, equipped with the local Caffeine cache, maintained consistent performance under varying loads and was capable of horizontal scaling without degradation in response times. Moreover, the reduced load on the Keycloak servers showed the effectiveness of the caching approach in minimizing backend calls for token validation. The approach confirms the robustness and scalability of the sidecar, which is poised to handle increased loads efficiently while safeguarding sensitive authorization data.
License

This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.