Security Evaluation of Keycloak-Based Role-Based Access Control in Microservice Architectures Using the OWASP ASVS Framework
DOI: https://doi.org/10.30871/jaic.v9i6.11604
Keywords: Role-Based Access Control, Data Security, Mobile Application, OWASP, Security Evaluation
Abstract
The Rocket Car Wash Semarang application operates using a microservice architecture that handles sensitive information such as user identity data, transaction history, and vehicle details. As multiple services interact through authenticated API calls, strong access control is required to protect the system from unauthorized access and privilege escalation. This research evaluates the Keycloak-based Role-Based Access Control (RBAC) implementation by referencing relevant domains of the OWASP Application Security Verification Standard (ASVS) Level 2, specifically V2: Authentication, V3: Session Management, V4: Access Control, and V14: Configuration. The RBAC structure consists of three primary roles—Admin, Owner, and Customer—and the assessment examines the correctness of role–permission mapping and token-based authorization across microservices. The security evaluation was conducted through configuration auditing, API endpoint verification using Postman, JWT token validation, and automated penetration testing using OWASP Zed Attack Proxy (ZAP). The ZAP scan targeted common web vulnerabilities, particularly misconfigurations and weaknesses in HTTP security headers. The results indicate that Keycloak effectively enforces centralized authentication and authorization, with no critical issues such as Broken Access Control identified. However, several non-critical weaknesses were found, including incomplete Content Security Policy (CSP) directives and missing HSTS headers. These findings show that the RBAC implementation meets core ASVS Level 2 controls, while further improvements in security header configuration are required to enhance overall system resilience.
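The abstract describes two of the checks the evaluation performed: verifying that each endpoint honours the Admin/Owner/Customer role mapping carried in the Keycloak token, and auditing responses for HSTS and complete CSP directives. The following is an added illustration, not code from the paper or from Keycloak; the endpoint paths, the role-to-endpoint matrix, the required CSP directive list and the token fixture are all constructed assumptions.

```python
import base64
import json

# Constructed endpoint -> allowed-roles matrix for the three roles named in
# the paper. Paths and methods are assumptions, not the application's own.
ENDPOINT_ROLES = {
    ("GET", "/api/transactions"): {"Admin", "Owner"},
    ("GET", "/api/transactions/me"): {"Admin", "Owner", "Customer"},
    ("DELETE", "/api/users"): {"Admin"},
}

# Assumed minimum CSP directive set for the header audit (ASVS V14 style).
REQUIRED_CSP_DIRECTIVES = ("default-src", "script-src", "object-src", "frame-ancestors")


def keycloak_realm_roles(jwt_token: str) -> set:
    """Read realm roles from a Keycloak access token payload (realm_access.roles).
    Signature verification is assumed to happen at the gateway before this step;
    this helper inspects only the already-verified payload segment."""
    payload_b64 = jwt_token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore base64url padding
    payload = json.loads(base64.urlsafe_b64decode(payload_b64))
    return set(payload.get("realm_access", {}).get("roles", []))


def is_authorized(method: str, path: str, roles: set) -> bool:
    """Deny by default: unmapped endpoints and unmapped roles are rejected."""
    allowed = ENDPOINT_ROLES.get((method, path), set())
    return bool(roles & allowed)


def audit_security_headers(headers: dict) -> list:
    """Return findings for one HTTP response: missing HSTS, incomplete CSP."""
    findings = []
    lower = {k.lower(): v for k, v in headers.items()}
    if "strict-transport-security" not in lower:
        findings.append("missing HSTS header")
    csp = lower.get("content-security-policy", "")
    present = {d.split()[0] for d in csp.split(";") if d.strip()}
    for directive in REQUIRED_CSP_DIRECTIVES:
        if directive not in present:
            findings.append(f"CSP missing directive: {directive}")
    return findings


def make_token(roles: list) -> str:
    """Constructed test fixture with a placeholder signature, used only to
    exercise the role check offline; it is not a real Keycloak token."""
    header = base64.urlsafe_b64encode(b'{"alg":"RS256","typ":"JWT"}').rstrip(b"=")
    body = base64.urlsafe_b64encode(json.dumps({"realm_access": {"roles": roles}}).encode())
    return header.decode() + "." + body.rstrip(b"=").decode() + ".placeholder-sig"
```

Running `is_authorized` over every (endpoint, role) pair in the matrix reproduces the role-permission mapping check, while `audit_security_headers` reproduces the header findings the ZAP scan reported.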
Copyright (c) 2025 Indra Gamayanto, Michael Christ Kurniawan, Gabriello Klavin Sanyoto

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
Authors who publish with this journal agree to the following terms:
- Authors retain copyright and grant the journal right of first publication with the work simultaneously licensed under a Creative Commons Attribution License (Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) ) that allows others to share the work with an acknowledgement of the work's authorship and initial publication in this journal.
- Authors are able to enter into separate, additional contractual arrangements for the non-exclusive distribution of the journal's published version of the work (e.g., post it to an institutional repository or publish it in a book), with an acknowledgement of its initial publication in this journal.
- Authors are permitted and encouraged to post their work online (e.g., in institutional repositories or on their website) prior to and during the submission process, as it can lead to productive exchanges, as well as earlier and greater citation of published work (See The Effect of Open Access).