Proof-of-Possession Tokens in Microservice Architectures

Abstract: The popular OAuth 2.0 Framework specifies the use of Bearer Tokens for the transmission of authorization credentials. A Bearer Token has the property that any party in possession of it can use the it. Requests including Bearer Tokens are therefore performed over a secure channel t oensure that tokens cannot be obtained by eavesdroppers. There are, however, still ways in which tokens may be leaked, including cross-site scripting and man-in-the-middle attacks. In situations where Bearer Tokens do not provide adequate security, proof-of-possession techniques may be employed to bind tokens to clients, thereby mitigating token leakage. This project presents a method which can be used to bind tokens to clients based on authentication performed by an external identity provider. How clients form proof-of-possession tokens is also described. The resultis a token which may be used to transmit authorization credentials overan insecure channel. Token performance is measured in terms of client key generation time, token generation time, and authorization time. The effect different signing a lgorithms have on performance is measured and the proof-of-possession token is compared to Bearer Token based authorization. The results show that Elliptical Curve cryptography may be employed by lightweight devices to reduce client key and token generation times. The analysis also shows that an increase in authorization time by a factor of between six and nine can be expected when compared to Bearer Token based authorization.