Securing Microservices in Hybrid Cloud
T-Mobile Authentication and Authorization Process (TAAP) is designed to address several limitations and security issues with previous approaches of two-way SSL or OAuth 2.0 bearer tokens. TAAP is based on OAuth 2.0 but incorporates aspects of:

- OpenID Connect 1.0 (OIDC)
- JSON Web Tokens (JWT)
- Proof of Key Possession (PoP)

With OAuth 2.0, an opaque access token is requested by a client from an authorization server and then presented to a resource server (REST API). The resource server then asks the authorization server whether the access token is valid. The access token is a bearer token: it is simply placed beside the request as a header, with nothing binding the two together.

With TAAP, the access token becomes a digitally signed JWT and is accompanied by a PoP token that digitally signs the entire request. As a result, a resource server (REST API) receiving a TAAP request knows that it originated from the client that possesses the signing key and that the client has been authenticated by the authorization server.
Principal Software Engineer, T-Mobile USA Inc
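The request binding the abstract describes, as an added example that is not T-Mobile's TAAP code: the client signs the method, path, JWT access token and a body hash with its PoP key, and the resource server recomputes the same bytes from the request it actually received before checking the signature, so the token can no longer be lifted and reused with a different request. The canonical layout, the ECDSA P-256 key type and the sample token and body are assumptions made for this example, not TAAP's actual PoP token format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// canonical builds the bytes the PoP signature covers: the HTTP method and
// path, the JWT access token carried in the Authorization header, and a hash
// of the body. Binding the token in is what ties it to this request. The
// layout is an illustrative choice for this example, not TAAP's actual format.
func canonical(method, path, accessToken string, body []byte) []byte {
	sum := sha256.Sum256(body)
	return []byte(strings.Join([]string{strings.ToUpper(method), path, accessToken,
		base64.RawURLEncoding.EncodeToString(sum[:])}, "\n"))
}

// SignRequest is the client side: sign the canonical request with the private
// key whose public half the authorization server associated with the token.
func SignRequest(priv *ecdsa.PrivateKey, method, path, tok string, body []byte) (string, error) {
	d := sha256.Sum256(canonical(method, path, tok, body))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, d[:])
	return base64.RawURLEncoding.EncodeToString(sig), err
}

// VerifyRequest is the resource-server side: recompute the canonical form from
// the request actually received, so a signature replayed over a different
// method, path, token or body fails to verify.
func VerifyRequest(pub *ecdsa.PublicKey, pop, method, path, tok string, body []byte) bool {
	sig, err := base64.RawURLEncoding.DecodeString(pop)
	if err != nil {
		return false
	}
	d := sha256.Sum256(canonical(method, path, tok, body))
	return ecdsa.VerifyASN1(pub, d[:], sig)
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // client's PoP key pair
	tok := "<signed-jwt-access-token>"                          // constructed placeholder
	body := []byte(`{"sku":"123","qty":1}`)                     // constructed request body
	pop, _ := SignRequest(priv, "POST", "/v1/orders", tok, body)
	fmt.Println("intact request verifies:", VerifyRequest(&priv.PublicKey, pop, "POST", "/v1/orders", tok, body))
	fmt.Println("tampered body verifies:", VerifyRequest(&priv.PublicKey, pop, "POST", "/v1/orders", tok, []byte(`{"sku":"123","qty":99}`)))
}
```

A real deployment would also put a timestamp or nonce into the signed bytes and have the resource server reject stale or repeated values, so that an identical request cannot be replayed within the token's lifetime.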