Christ Kurniawan, Michael
Unknown Affiliation

Published: 1 document

Security Evaluation of Keycloak-Based Role-Based Access Control in Microservice Architectures Using the OWASP ASVS Framework
Authors: Gamayanto, Indra; Christ Kurniawan, Michael; Klavin Sanyoto, Gabriello
Journal of Applied Informatics and Computing Vol. 9 No. 6 (2025): December 2025
Publisher : Politeknik Negeri Batam

DOI: 10.30871/jaic.v9i6.11604

Abstract

The Rocket Car Wash Semarang application operates using a microservice architecture that handles sensitive information such as user identity data, transaction history, and vehicle details. As multiple services interact through authenticated API calls, strong access control is required to protect the system from unauthorized access and privilege escalation. This research evaluates the Keycloak-based Role-Based Access Control (RBAC) implementation by referencing relevant domains of the OWASP Application Security Verification Standard (ASVS) Level 2, specifically V2: Authentication, V3: Session Management, V4: Access Control, and V14: Configuration. The RBAC structure consists of three primary roles—Admin, Owner, and Customer—and the assessment examines the correctness of role–permission mapping and token-based authorization across microservices. The security evaluation was conducted through configuration auditing, API endpoint verification using Postman, JWT token validation, and automated penetration testing using OWASP Zed Attack Proxy (ZAP). The ZAP scan targeted common web vulnerabilities, particularly misconfigurations and weaknesses in HTTP security headers. The results indicate that Keycloak effectively enforces centralized authentication and authorization, with no critical issues such as Broken Access Control identified. However, several non-critical weaknesses were found, including incomplete Content Security Policy (CSP) directives and missing HSTS headers. These findings show that the RBAC implementation meets core ASVS Level 2 controls, while further improvements in security header configuration are required to enhance overall system resilience.
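The abstract describes two checks: that each microservice validates the Keycloak access token and then maps the caller's realm roles (Admin, Owner, Customer) onto the operations it may perform, and that the HTTP responses carry a complete Content Security Policy and an HSTS header. The block below is an added, self-contained illustration of both; it is not code from the paper or from the Rocket Car Wash application. It assumes an HS256 shared-secret signature for the offline demo (Keycloak signs access tokens with the realm's RS256 key pair by default, so a real service would fetch the realm JWKS instead), and the issuer URL, audience, secret, subject and endpoint names are invented. The placement of realm roles under the `realm_access.roles` claim matches Keycloak's token layout.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed deployment values for this demo; none are taken from the paper.
ISSUER = "https://sso.example.test/realms/rocket"   # Keycloak realm issuer URL (hypothetical)
AUDIENCE = "rocket-api"                              # assumed audience mapper on the client
SECRET = b"constructed-demo-secret-do-not-reuse"     # HS256 key, demo only (Keycloak uses RS256)

# Role -> allowed operations. The three roles come from the paper; the endpoints are made up.
PERMISSIONS = {
    "Admin":    {"GET /users", "DELETE /users/{id}", "GET /transactions", "GET /vehicles"},
    "Owner":    {"GET /transactions", "GET /vehicles"},
    "Customer": {"GET /me/transactions", "POST /bookings"},
}

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(roles, exp, secret=SECRET) -> str:
    """Mint an HS256 JWT shaped like a Keycloak access token (realm roles under realm_access.roles)."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": "user-123", "exp": exp,
              "realm_access": {"roles": list(roles)}}
    signing_input = ".".join(_b64url_encode(json.dumps(part, separators=(",", ":")).encode())
                             for part in (header, claims))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)

def verify_token(token, secret=SECRET, now=None) -> dict:
    """Signature, issuer, audience and expiry checks every downstream service must repeat."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")   # pin the algorithm; never trust the token's choice
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("expired")
    return claims

def is_authorized(claims, operation) -> bool:
    """Map realm roles onto the operation; unknown roles grant nothing."""
    roles = claims.get("realm_access", {}).get("roles", [])
    return any(operation in PERMISSIONS.get(r, set()) for r in roles)

def authorize_request(token, operation, now=None) -> bool:
    try:
        claims = verify_token(token, now=now)
    except ValueError:
        return False
    return is_authorized(claims, operation)

def tamper_roles(token, roles) -> str:
    """Privilege-escalation attempt: rewrite realm_access.roles without re-signing."""
    h, p, s = token.split(".")
    claims = json.loads(_b64url_decode(p))
    claims["realm_access"] = {"roles": list(roles)}
    return h + "." + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()) + "." + s

def audit_security_headers(headers) -> list:
    """Flag the weaknesses the paper's ZAP scan reported: missing HSTS and incomplete CSP."""
    findings = []
    lower = {k.lower(): v for k, v in headers.items()}
    hsts = lower.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    elif "max-age=" not in hsts.replace(" ", "").lower():
        findings.append("HSTS without max-age")
    csp = lower.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    else:
        present = {d.strip().split(" ")[0] for d in csp.split(";") if d.strip()}
        for needed in ("default-src", "object-src", "frame-ancestors"):
            if needed not in present:
                findings.append(f"CSP missing {needed}")
    return findings
```

Two design points matter here. The service decides the algorithm and key before looking at the token, so a forged `alg` header cannot downgrade verification, and the role check runs only on claims that have already passed signature, issuer, audience and expiry checks, which is why the tampered token in `tamper_roles` is rejected rather than granted Admin rights. The header audit is intentionally strict about `object-src` and `frame-ancestors`, since a CSP with only `default-src` leaves plugin loading and clickjacking unaddressed.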