A Secure Token-Based Communication for Authentication and Authorization Servers

Today, software projects often have several independent subsystems which provide resources to clients. To protect all subsystems from unauthorized access, the mechanisms proposed in the OAuth2.0 framework and the OpenID Standard are often used. The communication between the servers, described in the OAuth2.0 framework, must be encrypted. Usually, this is achieved using Transport Layer Security (TLS), but administrators can forget to activate this protocol in the server configuration. This makes the whole system vulnerable. Neither the developer, nor the user of the system is able to check whether the communication between servers is safe. This paper presents a way to ensure secure communication between authentication-, authorization-, and resource servers without relying in on a correct server configuration. For this purpose, this paper introduces an additional encryption of the transmitted tokens to secure the transmission independently from the server configuration. Further this paper introduces the Central Authentication & Authorization System (CAAS), an implementation of the OpenId standard and the OAuth2.0 framework that uses the token encryption presented in this paper.