Please use this identifier to cite or link to this item: https://dl.ucsc.cmb.ac.lk/jspui/handle/123456789/4034
Title: Identity distribution and session handling in microservice architecture
Authors: Kumarasingha, S.U.
Issue Date: 2017
Abstract: Microservices have become increasingly popular in the past couple of years because of their distinct advantages over monolithic applications. In monolithic systems, all the services run in the same single machine or container, but in microservices these services run in separate containers and collectively work to form a larger application. This research addresses two basic problems in such a system: the first is how to authenticate users and distribute identity information in a microservice system, and the second is how to create and handle user sessions in a microservice system. Both the first and second chapters of this dissertation give a solid overview of the research and the background of the problem, including a detailed description of microservice architecture and various authentication and authorization mechanisms. In this study, an external access delegation system has been used to handle user authentication. Two back-ends were then developed to distribute and handle the identity information among microservices. In the first case, the user authentication process is handled by each of the microservices, and in the second case it is handled by a centralized reverse proxy. To handle sessions, a token is created with the necessary information about the user session and distributed among the internal microservices. Chapters 3 and 4 of this dissertation are concerned with the design and implementation of this solution. Additionally, these chapters describe the security and performance issues which occurred during the design phase of the system and the various strategies that were taken to overcome them. Finally, various end-to-end and component-level tests were performed to measure performance, and security tests were made based on the OWASP top ten vulnerabilities. Chapter 5 of this dissertation contains detailed information about these tests and their results.
Overall, the system shows good efficiency in both security and performance. The user authentication process handled using a central reverse proxy showed much lower performance, but it has several advantages over the process which authenticates users at the microservice level. The final chapter of the dissertation contains a detailed description of this conclusion and how the test results led to it.
URI: http://hdl.handle.net/123456789/4034
Appears in Collections: Master of Science in Information Security - 2017

Files in This Item:
File: Identity distribution and session handling in microservice architecture.pdf
Size: 1.56 MB
Format: Adobe PDF


Items in UCSC Digital Library are protected by copyright, with all rights reserved, unless otherwise indicated.