<p>Application Programming Interfaces (APIs) are widely consumed by both internal and external entities. When services authenticate to other services, they typically rely on static credentials such as API keys, username-password pairs, or mutual Transport Layer Security (mTLS) certificates. These static credentials have contributed to several major security breaches due to inadvertent or malicious disclosure. This paper proposes a cloud-agnostic authentication framework that replaces static credentials with cloud-native bootstrap identities. The approach works by having a calling application cryptographically prove its entitlement to a cloud-assigned role (such as an AWS IAM Role, GCP Service Account, or Azure Managed Identity) to an organisational identity provider (Org IDP), which validates the proof against the cloud platform and issues a short-lived JSON Web Token (JWT) conforming to the OpenID Connect (OIDC) standard. Receiving applications authenticate the caller using standard OIDC validation, requiring no shared secrets. The framework is evaluated through a proof of concept implementation on AWS, with the identity proof mechanisms for GCP and Azure independently validated on their respective platforms. Performance benchmarks demonstrate that JWT validation adds only 1–2 ms of overhead per request, and a threat analysis shows that the model removes reliance on static credentials, thereby eliminating a major class of secret-leakage risk whilst reducing man-in-the-middle and replay attack surfaces.</p>

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

A simpler approach to inter-application authentication utilising cloud-native identities

  • Adrian Asher,
  • Raj Rajarajan

摘要

Application Programming Interfaces (APIs) are widely consumed by both internal and external entities. When services authenticate to other services, they typically rely on static credentials such as API keys, username-password pairs, or mutual Transport Layer Security (mTLS) certificates. These static credentials have contributed to several major security breaches due to inadvertent or malicious disclosure. This paper proposes a cloud-agnostic authentication framework that replaces static credentials with cloud-native bootstrap identities. The approach works by having a calling application cryptographically prove its entitlement to a cloud-assigned role (such as an AWS IAM Role, GCP Service Account, or Azure Managed Identity) to an organisational identity provider (Org IDP), which validates the proof against the cloud platform and issues a short-lived JSON Web Token (JWT) conforming to the OpenID Connect (OIDC) standard. Receiving applications authenticate the caller using standard OIDC validation, requiring no shared secrets. The framework is evaluated through a proof of concept implementation on AWS, with the identity proof mechanisms for GCP and Azure independently validated on their respective platforms. Performance benchmarks demonstrate that JWT validation adds only 1–2 ms of overhead per request, and a threat analysis shows that the model removes reliance on static credentials, thereby eliminating a major class of secret-leakage risk whilst reducing man-in-the-middle and replay attack surfaces.