Please use this identifier to cite or link to this item: https://repository.hneu.edu.ua/handle/123456789/40962

| Title: | Features of token-based authentication and authorization in a web-oriented microservice architecture |
| Authors: | Poliakov A. |
| Keywords: | token-based authentication; JSON Web Token; JWT; microservice architecture; authentication and authorization; OAuth 2.0; OpenID Connect; JWT signature algorithms; API Gateway; throughput; latency |
| Issue Date: | 2026 |
| Citation: | Poliakov A. Features of token-based authentication and authorization in a web-oriented microservice architecture / A. Poliakov // Technical sciences and computer systems engineering: promising developments, modern methods and new technologies : monograph. - Boston, 2026. - P. 59–125. |
| Abstract: | In the context of the ongoing digital transformation of the economy, web-oriented information systems have become a foundational infrastructure for e-commerce, financial services, government e-services, and corporate information resources. The widespread adoption of distributed architectures, particularly microservices, along with the use of cloud and containerized platforms, increases the need for reliable authentication of both users and services while maintaining acceptable performance. Under these conditions, authentication mechanisms are no longer merely a local security component; they substantially affect scalability, fault tolerance, and the efficiency of computing resource utilization. One of the de facto standards for token-based authentication is the JSON Web Token (JWT), which is widely used across the OAuth 2.0 and OpenID Connect (OIDC) ecosystems, as well as in proprietary solutions for securing RESTful APIs and microservice interactions. Standards and normative documents (e.g., RFC 7519, RFC 7518, RFC 8032) define the token format and the permissible signing algorithms. At the same time, in practical web-application design, the choice of a specific cryptographic algorithm and authentication scheme is often made empirically, without relying on formalized models or quantitative criteria to assess the impact of this choice on latency, throughput, and system resource consumption. As a result, designers may adopt either overly “heavy” algorithms that significantly increase latency under high load, or overly “lightweight” mechanisms that do not provide an adequate cryptographic level of protection—an issue that is particularly critical for microservice architectures, where tokens may be verified repeatedly across a chain of services. 
An analysis of scientific publications and standards reveals that much of the research focuses on the security of authorization and authentication protocols, the stability of access schemes, and the construction of architectural templates for using JSON Web Tokens (JWT) in web services. However, the issue of comprehensively quantifying the impact of cryptographic algorithm choices for JWT token signing and specific authentication schemes on the performance of web-oriented applications within various architectural approaches (e.g., monolith, SOA, and microservices) has not been sufficiently researched. This issue is usually considered only for specific technology stacks or load scenarios. Thus, there is a need to develop models, methods, and software tools that enable a comparative analysis of these mechanisms using uniform criteria and performance metrics. |
| URI: | https://repository.hneu.edu.ua/handle/123456789/40962 |
| Appears in Collections: | Monographs (IS) |
Files in This Item:
| File | Description | Size | Format | |
|---|---|---|---|---|
| FILE VIEW.pdf | | 4,47 MB | Adobe PDF | View/Open |
Items in DSpace are protected by copyright, with all rights reserved, unless otherwise indicated.