Using Policy Engines to handle Authorization in Microservice Architectures: Finding a better way to handle authorization in microservices
dc.contributor.author | Krishnan, Naren Hari Hara | |
dc.contributor.author | Hafström, Sebastian | |
dc.contributor.department | Chalmers tekniska högskola / Institutionen för data och informationsteknik | sv |
dc.contributor.examiner | Feldt, Robert | |
dc.contributor.supervisor | Leitner, Philipp | |
dc.date.accessioned | 2022-10-10T05:10:50Z | |
dc.date.available | 2022-10-10T05:10:50Z | |
dc.date.issued | 2021 | sv |
dc.date.submitted | 2020 | |
dc.description.abstract | [Context and Motivation] The microservice architecture is an emerging architectural style used to design scalable and flexible IT systems. Although microservices offer several benefits, security becomes a major concern when these microservices store sensitive data that must be protected from unauthorized access. There is a need to identify and explore an authorization system that is simple, flexible, and scalable, while the underlying authorization rules are understood by everyone who is part of the system. [Question/Problem] Despite the frameworks and techniques available for implementing authorization in microservices, challenges are often faced. A complex authorization system makes it difficult for new colleagues, or even the customers of a company, to understand what level of access a particular microservice holds. Additionally, when new microservices are introduced to the system, making the architecture more distributed, managing authorization with less time and fewer resources becomes a challenge. [Principal ideas/results] This thesis provides an artifact that introduces policy-based authorization in which authorization policies are written as simple string expressions, a middleware containing the authorization logic based on the written policies, and finally a code-generation plugin that generates this authorization middleware. Put together, these overcome the problems stated above, along with additional problems identified in the existing authorization system that was the main focus of this thesis. The findings show that the solution provides a simple way to define and enforce authorization in a microservice architecture by allowing the authorization to be defined at the same time as the API is defined.
[Contribution] The main contribution of the thesis is not the artifact itself but the concepts behind it, which contribute to the field of research in microservice authorization and to industry settings where similar challenges are faced. The general aspects of the thesis are the ability to write authorization policies as string expressions, the use of middlewares to decouple authorization from the business logic, and the achievement of auto-generation. | sv |
dc.identifier.coursecode | DATX05 | sv |
dc.identifier.uri | https://hdl.handle.net/20.500.12380/305701 | |
dc.language.iso | eng | sv |
dc.setspec.uppsok | Technology | |
dc.subject | microservice | sv |
dc.subject | authorization | sv |
dc.subject | middleware | sv |
dc.subject | policy | sv |
dc.subject | code-generation | sv |
dc.title | Using Policy Engines to handle Authorization in Microservice Architectures: Finding a better way to handle authorization in microservices | sv |
dc.type.degree | Master's thesis | sv |
dc.type.uppsok | H |