
September 24-27, 2018  /  Washington, D.C.

Securing Microservices in Hybrid Cloud

Serverless, Microservices

T-Mobile Authentication and Authorization Process (TAAP) is designed to address several limitations and security issues in the previous approaches of two-way SSL and OAuth 2.0 bearer tokens. TAAP is based on OAuth 2.0 but incorporates aspects of OpenID Connect 1.0 (OIDC), JSON Web Tokens (JWT) and Proof of Key Possession (PoP).

With OAuth 2.0, a client requests an opaque access token from an authorization server and then presents it to a resource server (REST API). The resource server asks the authorization server whether the access token is valid. The access token is a bearer token: it is simply placed beside a request as a header, with nothing binding the two together.

With TAAP, the access token becomes a digitally signed JWT and is accompanied by a PoP token that digitally signs the entire request. As a result, a resource server (REST API) receiving a TAAP request knows that it originated from the client that possesses the signing key, and that this client has been authenticated by the authorization server.
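The binding the abstract describes can be shown end to end in a few dozen lines. The following is an added worked example, not code from the talk or from T-Mobile: the authorization server issues a signed token that names the client's public key, the client signs the request it is about to send, and the resource server checks both signatures and that the signed request is the one it received. Everything beyond the abstract is assumed for illustration: ed25519 signatures, a `cnf` (RFC 7800 confirmation) claim carrying the client key, the claim names `m`, `p`, `b` and `at`, a compact `payload.signature` token with the JWT header left out, and the sample request in `main`.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Request is the part of an HTTP call the PoP token covers; headers could be added the same way.
type Request struct {
	Method, Path string
	Body         []byte
}

// accessClaims is a minimal access-token payload; "cnf" names the client's public key. TAAP's real claim layout is not on the page, so this one is assumed.
type accessClaims struct {
	Sub string `json:"sub"`
	Cnf string `json:"cnf"` // base64url(ed25519 public key)
}

// popClaims ties a PoP token to exactly one request and one access token.
type popClaims struct {
	Method string `json:"m"`
	Path   string `json:"p"`
	Body   string `json:"b"`  // base64url(sha256(body))
	AT     string `json:"at"` // base64url(sha256(access token))
}

var b64 = base64.RawURLEncoding
func digest(b []byte) string { s := sha256.Sum256(b); return b64.EncodeToString(s[:]) }

// sign returns a compact "payload.signature" token (JWT header omitted for brevity).
func sign(priv ed25519.PrivateKey, claims interface{}) string {
	payload, _ := json.Marshal(claims)
	p := b64.EncodeToString(payload)
	return p + "." + b64.EncodeToString(ed25519.Sign(priv, []byte(p)))
}

// verify checks the signature over the encoded payload before trusting anything inside it.
func verify(pub ed25519.PublicKey, token string, out interface{}) error {
	parts := strings.SplitN(token, ".", 2)
	if len(parts) != 2 {
		return fmt.Errorf("malformed token")
	}
	sig, err := b64.DecodeString(parts[1])
	if err != nil || !ed25519.Verify(pub, []byte(parts[0]), sig) {
		return fmt.Errorf("bad signature")
	}
	payload, _ := b64.DecodeString(parts[0]) // a decode failure surfaces as a JSON error below
	return json.Unmarshal(payload, out)
}
// GenKey makes an ed25519 key pair; used here for both the authorization server and the client.
func GenKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return pub, priv
}
// IssueAccessToken (authorization server): having authenticated the client, sign a token naming its key.
func IssueAccessToken(asPriv ed25519.PrivateKey, sub string, clientPub ed25519.PublicKey) string {
	return sign(asPriv, accessClaims{Sub: sub, Cnf: b64.EncodeToString(clientPub)})
}
// MakePoP (client): sign the exact request being sent, tied to the access token it travels with.
func MakePoP(clientPriv ed25519.PrivateKey, accessToken string, r Request) string {
	return sign(clientPriv, popClaims{r.Method, r.Path, digest(r.Body), digest([]byte(accessToken))})
}

// VerifyRequest (resource server): AS signature, then the client key from cnf, then the PoP signature, then a check that the PoP describes the request actually received.
func VerifyRequest(asPub ed25519.PublicKey, accessToken, pop string, r Request) error {
	var ac accessClaims
	if err := verify(asPub, accessToken, &ac); err != nil {
		return fmt.Errorf("access token: %w", err)
	}
	clientPub, err := b64.DecodeString(ac.Cnf)
	if err != nil || len(clientPub) != ed25519.PublicKeySize {
		return fmt.Errorf("access token: bad cnf key")
	}
	var pc popClaims
	if err := verify(ed25519.PublicKey(clientPub), pop, &pc); err != nil {
		return fmt.Errorf("pop token: %w", err)
	}
	if pc != (popClaims{r.Method, r.Path, digest(r.Body), digest([]byte(accessToken))}) {
		return fmt.Errorf("pop token does not match this request")
	}
	return nil
}

func main() {
	asPub, asPriv := GenKey()
	clientPub, clientPriv := GenKey()
	at := IssueAccessToken(asPriv, "client-123", clientPub)
	req := Request{"POST", "/v1/accounts", []byte(`{"plan":"gold"}`)} // constructed sample request
	pop := MakePoP(clientPriv, at, req)
	fmt.Println(VerifyRequest(asPub, at, pop, req)) // <nil>: both signatures valid, request matches
	req.Body = []byte(`{"plan":"platinum"}`)        // body changed after the client signed it
	fmt.Println(VerifyRequest(asPub, at, pop, req)) // error: pop token does not match this request
}
```

The contrast with a bearer token is in `VerifyRequest`: a copied access token is useless without the private key named in `cnf`, and a PoP token is useless for any request other than the one it was computed over, so a request altered in transit is rejected on the body hash. The example leaves out what a production scheme adds on top, namely token expiry and a timestamp or nonce in the PoP claims so that an identical request cannot simply be replayed.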


Komes Subramaniam
Principal Software Engineer, T-Mobile USA Inc