Requests for comment/Service-oriented architecture authentication

Problem statement
With many more entry points and the need for inter-service authentication, a service-oriented architecture requires a stronger authentication system.

Goals

 * single sign-on support
 * support relatively timely revocation of rights (minutes)
 * minimize the risk and impact of exploits:
   * confused deputy
   * most services should not have access to sensitive user information (password hashes etc.)
 * be efficient for high request volumes (APIs):
   * no synchronous checking with other services required for common requests (reads etc.)
 * follow best security guidelines; use established standards and existing implementations

OpenID connect / OAuth2 + Bearer tokens

 * All authenticated traffic uses TLS
 * The authentication service is the only service that has access to sensitive user information
 * Client authentication
   * Normal browser auth / our domains: the Bearer token is set in an HTTP-only cookie (instead of a session id)
   * Cross-domain: the client follows the normal OpenID Connect token request flow with the auth service
     * retrieves a time-limited, signed Bearer token
     * the token encodes common access rights like 'read article' (in a signed JWT)
   * The client sends the token with each request (SPDY can make sure it only goes over the wire once)
 * Most backend services have no special rights; they merely forward the user-provided token to other services
 * Checking happens at the lowest possible layer to avoid multiple-entry-point issues. Example: storage service
   * Common requests like reads only require a signature and timestamp check
   * Less common requests require calls back into the auth service to establish rights
   * CSRF tokens for state-changing operations are provided and verified by the auth service on behalf of backends (the storage service, for example)
     * performance is not as critical, as those operations are rare compared to reads
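The token flow described above, as an added example that is not part of the RFC or of any MediaWiki code: the auth service mints a short-lived signed JWT carrying common rights, a backend such as the storage service verifies reads locally (signature and expiry only, no call back to the auth service), escalates less common requests to a synchronous rights check, and the auth service issues and verifies CSRF tokens bound to the session token. The signing key, the `TOKEN_LIFETIME_SECONDS` value, the `check_with_auth_service` callback and the claim names are all assumptions of this example. It uses HS256 from the standard library for self-containment; in the deployment the RFC describes, an asymmetric algorithm (RS256/ES256) would be preferable so that backends hold only the public key and the auth service alone can mint tokens.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Callable, List, Optional

# Constructed example key. With HS256 every verifier shares it, so in practice
# the auth service would sign with a private key and backends verify with the public one.
SIGNING_KEY = b"example-only-signing-key-not-for-production"
CSRF_KEY = b"example-only-csrf-key-not-for-production"
# Short lifetime bounds how long a revoked right stays usable for local (read) checks.
TOKEN_LIFETIME_SECONDS = 300  # assumption: 5 minutes


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_b64(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def issue_token(user_id: str, rights: List[str], now: Optional[int] = None) -> str:
    """Auth service: mint a signed JWT that encodes common access rights."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "rights": rights, "iat": now, "exp": now + TOKEN_LIFETIME_SECONDS}
    signing_input = _json_b64(header) + "." + _json_b64(payload)
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Backend (e.g. storage service): local signature + timestamp check only.

    Returns the claims on success, None on any failure. No call to the auth service.
    """
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # reject alg=none and algorithm confusion
            return None
        expected = hmac.new(SIGNING_KEY, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        payload = json.loads(_b64url_decode(payload_b64))
    except (ValueError, TypeError):
        return None
    exp = payload.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return None  # expired or malformed timestamp
    return payload


def storage_read_allowed(token: str, now: Optional[int] = None) -> bool:
    """Common request: rights come straight from the signed token."""
    claims = verify_token(token, now)
    return claims is not None and "read article" in claims.get("rights", [])


def storage_write_allowed(token: str, check_with_auth_service: Callable[[str, str], bool],
                          now: Optional[int] = None) -> bool:
    """Less common request: valid token required, then a synchronous rights check at the auth service."""
    claims = verify_token(token, now)
    if claims is None:
        return False
    return check_with_auth_service(claims["sub"], "write article")


def issue_csrf_token(token: str) -> str:
    """Auth service: CSRF token bound to the session's bearer token (its signature part)."""
    session_sig = token.rsplit(".", 1)[-1]
    return _b64url_encode(hmac.new(CSRF_KEY, session_sig.encode(), hashlib.sha256).digest())


def verify_csrf_token(token: str, csrf_token: str) -> bool:
    """Auth service, on behalf of a backend: the CSRF token must match this session's bearer token."""
    return hmac.compare_digest(issue_csrf_token(token), csrf_token)
```

The read path touches only the shared key and the clock, which is what lets it stay synchronous-call-free at high request volume; revocation latency is therefore bounded by `TOKEN_LIFETIME_SECONDS`, so that value is the knob that trades the "minutes" revocation goal against token re-issue traffic.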

Used by: PayPal, Microsoft, Salesforce, Google, Deutsche Telekom, mobile carriers (GSMA) etc