Requests for comment/Service-oriented architecture authentication

Problem statement
A service-oriented architecture exposes many more entry points than a single monolithic application, and services must authenticate each other as well as end users, so it requires a stronger authentication system.

Goals

 * single sign-on support
 * support relatively timely revocation of rights (minutes)
 * minimize the risk & impact of exploits:
   * confused deputy (a service using its own elevated rights on behalf of a less-privileged caller)
   * most services should not have access to sensitive user information (password hashes etc.)
 * be efficient for high request volumes (APIs)
   * no synchronous checking with other services required for common requests (reads etc.)
 * follow best security guidelines; use established standards & existing implementations

OpenID Connect / OAuth2 + Bearer tokens

 * All authenticated traffic uses TLS
 * The authentication service is the only service that has access to sensitive user information
 * The client follows the normal OpenID Connect token request flow with the auth service:
   * it retrieves a time-limited, signed Bearer token
   * the token encodes common access rights like 'read article' as claims in a signed JWT
   * the client forwards the token with each request (HTTP-only cookie?)
 * Most backend services have no special rights; they merely forward the user-provided token unchanged to other services
 * Checking happens at the lowest possible layer to avoid multiple entry point issues. Example: storage service
   * Common requests like reads only require a local check of the token's signature and expiry (plus the issuer/audience claims), with no call to another service
   * Less common requests (e.g. writes) require calls back into the auth service to establish rights; for the common case, the short token lifetime bounds how long a revoked right remains usable
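A runnable sketch of the token flow described above, added here as an illustration and not part of the RFC or of any Wikimedia code: an auth service that holds the only private key issues an Ed25519-signed JWT (alg "EdDSA") carrying the user's coarse rights in a hypothetical `rights` claim; an API service with no rights of its own forwards the caller's token unchanged; the storage service at the bottom authorises a read using nothing but the auth service's public key, checking `alg`, signature, expiry, issuer and audience locally. The type names (`AuthService`, `APIService`, `StorageService`), the claim layout, the issuer/audience strings and the 5-minute lifetime are all assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims carried in the signed token. "rights" is a hypothetical claim name
// for the coarse access rights the RFC mentions ('read article').
type Claims struct {
	Iss    string   `json:"iss"`
	Sub    string   `json:"sub"`
	Aud    string   `json:"aud"`
	Iat    int64    `json:"iat"`
	Exp    int64    `json:"exp"`
	Rights []string `json:"rights"`
}

// AuthService holds the only private key in the system (assumed layout).
type AuthService struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

func NewAuthService() (*AuthService, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &AuthService{priv: priv, Pub: pub}, nil
}

var b64 = base64.RawURLEncoding

// Issue mints a short-lived JWT for user sub with the given rights.
func (a *AuthService) Issue(sub string, rights []string, now time.Time, ttl time.Duration) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "EdDSA", "typ": "JWT"})
	payload, err := json.Marshal(Claims{Iss: "auth", Sub: sub, Aud: "services",
		Iat: now.Unix(), Exp: now.Add(ttl).Unix(), Rights: rights})
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	sig := ed25519.Sign(a.priv, []byte(signingInput))
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// Verify checks a token with nothing but the auth service's public key:
// pinned alg, signature, then exp/iss/aud. No call back to the auth service.
func Verify(pub ed25519.PublicKey, token string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrBytes, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hdrBytes, &hdr); err != nil {
		return nil, err
	}
	// Never let the token choose its algorithm (alg=none, key confusion).
	if hdr.Alg != "EdDSA" {
		return nil, errors.New("unexpected alg")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	// Check the signature before trusting anything in the payload.
	if !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return nil, errors.New("bad signature")
	}
	payload, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	if now.Unix() >= c.Exp {
		return nil, errors.New("token expired")
	}
	if c.Iss != "auth" || c.Aud != "services" {
		return nil, errors.New("wrong issuer or audience")
	}
	return &c, nil
}

// StorageService is the lowest layer: no secrets, no user data, only the public key.
type StorageService struct{ pub ed25519.PublicKey }

func (s StorageService) ReadArticle(token string, now time.Time) error {
	c, err := Verify(s.pub, token, now)
	if err != nil {
		return err
	}
	for _, r := range c.Rights {
		if r == "read" {
			return nil
		}
	}
	return errors.New("read right not granted")
}

// APIService has no rights of its own: it forwards the caller's token unchanged.
type APIService struct{ storage StorageService }

func (a APIService) HandleRead(token string, now time.Time) error {
	return a.storage.ReadArticle(token, now)
}

func main() {
	auth, _ := NewAuthService()
	api := APIService{storage: StorageService{pub: auth.Pub}}
	now := time.Now()
	tok, _ := auth.Issue("alice", []string{"read"}, now, 5*time.Minute)
	fmt.Println("read now:", api.HandleRead(tok, now))
	fmt.Println("read after 10 min:", api.HandleRead(tok, now.Add(10*time.Minute)))
}
```

The asymmetric signature is what makes the "only the auth service holds sensitive material" goal hold: with a shared-secret scheme such as HS256, every service able to verify a token could also mint one, which is exactly the confused-deputy exposure the goals list. Pinning `alg` on the verifying side and checking the signature before parsing claims are the two checks most often missing from hand-rolled JWT verification.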

Used by: PayPal, Microsoft, Salesforce, Google, Deutsche Telekom, mobile carriers (GSMA) etc.