Reactive Identity and Access Control in Container Environments Based on Envoy Proxy Server

Igor A. Zyanchurin, Olga R. Laponina

Abstract


In containerized and microservice systems, access is increasingly granted not to a single request but to a long-lived HTTP/2 (gRPC, Google Remote Procedure Call) stream. In such a setting, authorizing only at the moment a connection is opened does not guarantee that access is terminated promptly after a revocation event. We present a reactive identity and access management mechanism implemented for a service mesh based on the Envoy proxy server. A local identity provider publishes OIDC (OpenID Connect) and JWKS (JSON Web Key Set) metadata and issues access tokens carrying the sub, sid and jti fields, that is, the subject, session and token identifiers. This ensures that all end-user scenarios use the same authentication approach and that comparisons do not rely on pre-defined identifiers. Envoy accepts standardized Shared Signals Framework (SSF) and Continuous Access Evaluation Profile (CAEP) events in the Security Event Token (SET) format, normalizes the subject, session and token identifiers (sub, sid, jti), stores the denied state in Redis, and selectively terminates the affected active gRPC stream in the Envoy data plane. For evaluation, a reproducible Kubernetes rig was built with a single local identity provider publishing OIDC/JWKS metadata, and the mechanism was compared against three open-source architectures: OPA (Open Policy Agent) + Envoy, Istio CUSTOM (Istio's external authorization mode), and OpenFGA. The main series comprises 360 runs: four architectural approaches, three load profiles and 30 iterations per configuration. The developed approach terminated the active stream in every iteration, completely blocked reopening after access revocation, and kept the risk window at 0 messages in the low and medium load profiles and approximately 0.9 messages in the high profile, whereas the compared architectures only blocked reopening.

The practical significance of this work lies in the reproducible method for translating standardized security events into immediate policy enforcement at the network proxy level.
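The event-ingestion path the abstract describes (SET verification, normalization of the SSF subject to sub/sid/jti, denied state keyed for lookup), written out as an added Python example that is not the paper's own code. It assumes an HS256 shared key in place of the identity provider's JWKS, an in-memory dict in place of Redis, a constructed issuer URL, and omits the Envoy-side stream termination.

```python
import base64, hashlib, hmac, json, time
CAEP_SESSION_REVOKED = "https://schemas.openid.net/secevent/caep/event-type/session-revoked"
ISSUER = "https://idp.example.local"   # constructed local IdP issuer
KEY = b"constructed-shared-secret"     # HS256 stand-in for the IdP's JWKS key
b64u = lambda raw: base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
b64u_dec = lambda s: base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def build_set(claims: dict) -> str:  # mint an HS256 SET (RFC 8417); constructed test input
    head = b64u(json.dumps({"alg": "HS256", "typ": "secevent+jwt"}).encode())
    body = b64u(json.dumps(claims).encode())
    sig = hmac.new(KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64u(sig)}"

def verify_set(token: str) -> dict:
    """Trust no claim until signature, typ and issuer have been checked."""
    head, body, sig = token.split(".")
    want = hmac.new(KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(want, b64u_dec(sig)):
        raise ValueError("bad SET signature")
    claims = json.loads(b64u_dec(body))
    if json.loads(b64u_dec(head)).get("typ") != "secevent+jwt" or claims.get("iss") != ISSUER:
        raise ValueError("not a SET from the expected issuer")
    return claims

def normalize_subject(subj: dict) -> dict:
    """Map an SSF subject identifier onto the token fields sub / sid / jti."""
    fmt = subj.get("format")
    if fmt == "complex":                          # members: user, session, device, ...
        out = normalize_subject(subj.get("user", {}))
        if "session" in subj:                     # session member carries an opaque id
            out["sid"] = subj["session"]["id"]
        return out
    if fmt == "iss_sub" and subj.get("iss") == ISSUER: return {"sub": subj["sub"]}
    if fmt == "jwt_id" and subj.get("iss") == ISSUER: return {"jti": subj["jti"]}
    return {}                                     # unknown format: deny nothing, log it

class Denylist:
    def __init__(self): self.denied = {}  # (field, value) -> expiry; stands in for Redis
    def revoke(self, keys, ttl=3600):
        self.denied.update({key: time.time() + ttl for key in keys})
    def is_denied(self, token_claims: dict) -> bool:
        return any(self.denied.get((f, token_claims.get(f)), 0) > time.time()
                   for f in ("sub", "sid", "jti"))

def process_set(token: str, denylist: Denylist) -> list:
    """Verify a SET; on session-revoked, record the normalized denied keys."""
    claims = verify_set(token)
    keys = []
    if CAEP_SESSION_REVOKED in claims.get("events", {}):
        keys = sorted(normalize_subject(claims.get("sub_id", {})).items())
        denylist.revoke(keys)
    return keys
```

A proxy-side check then calls `is_denied` on the claims of the token bound to each open stream; a match on any of sub, sid or jti is what would drive the stream reset.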


Full Text:

PDF (Russian)


ISSN: 2307-8162