A Secure Token-Based Communication for Authentication and Authorization Servers

Jan Kubovy, Christian Huber, Markus Jäger, Josef Küng

Research output: Conference proceeding / Chapter in Book / Report / Chapter, peer-reviewed


Today, software projects often consist of several independent subsystems that provide resources to clients. To protect all subsystems from unauthorized access, the mechanisms proposed in the OAuth 2.0 framework and the OpenID standard are commonly used. The communication between the servers described in the OAuth 2.0 framework must be encrypted. Usually this is achieved with Transport Layer Security (TLS), but administrators can forget to activate this protocol in the server configuration, which leaves the whole system vulnerable. Neither the developer nor the user of the system is able to check whether the communication between servers is safe. This paper presents a way to ensure secure communication between authentication, authorization, and resource servers without relying on a correct server configuration. For this purpose, the paper introduces an additional encryption of the transmitted tokens, securing the transmission independently of the server configuration. Furthermore, the paper introduces the Central Authentication & Authorization System (CAAS), an implementation of the OpenID standard and the OAuth 2.0 framework that uses the token encryption presented here.
Original language: English
Title of host publication: Future Data and Security Engineering
Publication status: Published - 2016


  • OpenID
  • OAuth2.0
  • security
  • Authentication
  • Authorization
  • Token
  • Encryption


