Optimizing REST API Security Using Zero Trust Architecture and Keycloak Tools in a Microservices-Based Infrastructure

Authors

  • Denny Afrizal
  • Muhammad Taufiq Nuruzzaman
  • Bambang Sugiantoro
  • Agung Fatwanto

DOI:

https://doi.org/10.14421/csecurity.2026.9.1.5486

Abstract

The security of REST API services in a microservices architecture has become an important issue as digital systems grow more complex and the attack surface expands. This study aims to implement the principles of Zero Trust Architecture (ZTA) to strengthen the OAuth 2.0 authorization mechanism in a microservices-based REST API system. The ZTA approach rejects implicit trust and requires continuous verification of every access request, whether it originates inside or outside the network. The study uses a qualitative method with an experimental approach, carried out in the stages of literature review, system design, implementation, data collection, and testing. The case study was conducted on the development of a REST API security system based on Spring Boot, with Keycloak as the identity and access provider. Security hardening was applied through the integration of Multi-Factor Authentication (MFA), JSON Web Token (JWT) validation, the use of a one-time code verifier, and Redis as temporary storage to support the dynamic verification process. Testing was performed by comparing the conditions before and after the ZTA implementation on the parameters of risk score, impact, likelihood, and request processing time. The results show that implementing ZTA lowered the average risk score from 34.08 to 10.88, a reduction of 68.1 percent, without a significant impact on system performance. Request processing time remained in the range of 7 milliseconds, with only a very small difference after the security hardening was applied. These findings show that ZTA is effective in strengthening OAuth 2.0 authorization in a microservices environment while also reducing the risk of attacks such as token hijacking, brute-force, replay attacks, and man-in-the-middle (MiTM). Therefore, ZTA can serve as a relevant and practical security approach for developing REST APIs that require a high level of data protection.

Keywords: Zero Trust Architecture, OAuth 2.0, REST API, Security, Microservices

----------------------------------------------------------------------


Enhancing REST API Security Through Zero Trust Architecture and Keycloak Integration in Microservices-Based Infrastructures

The security of REST API services in microservices architecture has become a critical issue as the complexity of digital systems increases and the attack surface expands. This study aims to implement the principles of Zero Trust Architecture (ZTA) to strengthen the OAuth 2.0 authorization mechanism in a microservices-based REST API system. The ZTA approach rejects implicit trust and mandates continuous verification for every access request, whether originating from inside or outside the network. This study employs a qualitative method with an experimental approach, conducted through the following stages: literature review, system design, implementation, data collection, and testing. The case study was carried out on the development of a REST API security system built with Spring Boot, using Keycloak as the identity and access provider. Security hardening was applied through the integration of Multi-Factor Authentication (MFA), JSON Web Token (JWT) validation, the use of a one-time code verifier, and Redis as temporary storage to support dynamic verification processes. Testing was conducted by comparing conditions before and after the implementation of ZTA based on the parameters of risk score, impact, likelihood, and request processing time. The test results indicate that the implementation of ZTA reduced the average risk score from 34.08 to 10.88, representing a decrease of 68.1 percent, without causing any significant impact on system performance. The request processing time remained at approximately 7 milliseconds, with only a marginal difference observed after security hardening was applied. These findings demonstrate that ZTA is effective in strengthening OAuth 2.0 authorization within a microservices environment, while simultaneously mitigating the risk of attacks such as token hijacking, brute-force, replay attacks, and man-in-the-middle (MiTM) attacks. Therefore, the adoption of ZTA can serve as a relevant and practical security approach for REST API development that requires a high level of data protection.

Keywords: Zero Trust Architecture, OAuth 2.0, REST API, Security, Microservices

Published

06-06-2026

How to Cite

[1]
“Optimasi Sistem Keamanan REST API Menggunakan Zero Trust Architecture dan Keycloak Tools Dalam Infrastruktur Berbasis Microservices”, csecurity, vol. 9, no. 1, pp. 1–9, Jun. 2026, doi: 10.14421/csecurity.2026.9.1.5486.