September 24-27, 2018  /  Washington, D.C.

Securing Microservices in Hybrid Cloud

Serverless, Microservices

T-Mobile Authentication and Authorization Process (TAAP) is designed to address several limitations and security issues with previous approaches such as two-way SSL or OAuth 2.0 bearer tokens. TAAP is based on OAuth 2.0 but incorporates aspects of OpenID Connect 1.0 (OIDC), JSON Web Tokens (JWT) and Proof of Key Possession (PoP). With OAuth 2.0, an opaque access token is requested by a client from an authorization server and then presented to a resource server (REST API). The resource server then asks the authorization server whether the access token is valid. The access token is a bearer token: it is simply placed beside a request as a header, with nothing binding the token and the request together. With TAAP, the access token becomes a digitally signed JWT and is accompanied by a PoP token that digitally signs the entire request. The result is that a resource server (REST API) receiving a TAAP request knows that it originated from the client that possesses the signing key and that the client has been authenticated by the authorization server.
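The request-binding step the abstract describes, as an added example that is not code from the talk or from T-Mobile's TAAP implementation: the client signs a canonical form of the HTTP request (method, path, selected headers and a SHA-256 of the body) into a compact ES256 JWS, and the resource server recomputes that canonical form and checks the algorithm, expiry, request hash and signature before trusting the request. The canonicalization rules, the claim names (`req_hash`), the two-minute lifetime, the client id and the endpoint values are assumptions for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"sort"
	"strings"
	"time"
)

// PoPClaims is the payload of the proof-of-possession token. The field names
// are assumptions for this example, not the names used by TAAP itself.
type PoPClaims struct {
	Iss     string `json:"iss"`      // client identifier
	Iat     int64  `json:"iat"`      // issued-at (unix seconds)
	Exp     int64  `json:"exp"`      // expiry (unix seconds)
	ReqHash string `json:"req_hash"` // base64url(SHA-256(canonical request))
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// canonicalRequest builds the string the signature covers: upper-cased method,
// path, the headers in sorted lower-case form, and a hash of the body.
// This canonicalization is an assumption of the example.
func canonicalRequest(method, path string, headers map[string]string, body []byte) string {
	lower := make(map[string]string, len(headers))
	for k, v := range headers {
		lower[strings.ToLower(k)] = strings.TrimSpace(v)
	}
	keys := make([]string, 0, len(lower))
	for k := range lower {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	var sb strings.Builder
	sb.WriteString(strings.ToUpper(method) + "\n" + path + "\n")
	for _, k := range keys {
		sb.WriteString(k + ":" + lower[k] + "\n")
	}
	bodyHash := sha256.Sum256(body)
	sb.WriteString(b64(bodyHash[:]))
	return sb.String()
}

func requestHash(method, path string, headers map[string]string, body []byte) string {
	h := sha256.Sum256([]byte(canonicalRequest(method, path, headers, body)))
	return b64(h[:])
}

// SignPoP produces a compact JWS (ES256) whose claims are bound to one request.
func SignPoP(priv *ecdsa.PrivateKey, clientID, method, path string, headers map[string]string, body []byte, now time.Time) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "pop"})
	claims := PoPClaims{Iss: clientID, Iat: now.Unix(), Exp: now.Add(2 * time.Minute).Unix(),
		ReqHash: requestHash(method, path, headers, body)}
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := b64(hdr) + "." + b64(payload)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256 signature is r || s, 32 bytes each
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64(sig), nil
}

// VerifyPoP is what the resource server runs: it pins the algorithm, checks
// expiry, recomputes the request hash from the request it actually received,
// and only then verifies the signature with the client's public key.
func VerifyPoP(pub *ecdsa.PublicKey, token, method, path string, headers map[string]string, body []byte, now time.Time) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return errors.New("malformed token")
	}
	hdrJSON, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil || hdr.Alg != "ES256" {
		return errors.New("unsupported or missing alg") // rejects "none", HMAC, etc.
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return err
	}
	var claims PoPClaims
	if err := json.Unmarshal(payload, &claims); err != nil {
		return err
	}
	if now.Unix() > claims.Exp {
		return errors.New("pop token expired")
	}
	if claims.ReqHash != requestHash(method, path, headers, body) {
		return errors.New("request does not match signed request")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return errors.New("malformed signature")
	}
	r := new(big.Int).SetBytes(sig[:32])
	s := new(big.Int).SetBytes(sig[32:])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return errors.New("bad signature")
	}
	return nil
}

// RunExample signs a constructed request and checks that the untouched request
// verifies while a body-tampered replay and an expired token are rejected.
func RunExample() (validOK, tamperedRejected, expiredRejected bool, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	headers := map[string]string{"Content-Type": "application/json"} // constructed
	body := []byte(`{"account":"example-123"}`)                        // constructed
	now := time.Now()
	tok, err := SignPoP(priv, "client-abc", "POST", "/v1/accounts", headers, body, now)
	if err != nil {
		return false, false, false, err
	}
	pub := &priv.PublicKey
	validOK = VerifyPoP(pub, tok, "POST", "/v1/accounts", headers, body, now) == nil
	tamperedRejected = VerifyPoP(pub, tok, "POST", "/v1/accounts", headers, []byte(`{"account":"other"}`), now) != nil
	expiredRejected = VerifyPoP(pub, tok, "POST", "/v1/accounts", headers, body, now.Add(5*time.Minute)) != nil
	return validOK, tamperedRejected, expiredRejected, nil
}

func main() {
	v, t, e, err := RunExample()
	fmt.Println("valid accepted:", v, "tampered rejected:", t, "expired rejected:", e, "err:", err)
}
```

The example covers only the PoP binding; in TAAP the request also carries the authorization server's signed JWT access token, which the resource server validates separately. Pinning the algorithm to ES256 and recomputing the request hash on the server side are the two checks that turn a header that merely sits beside the request into one that is cryptographically tied to it.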

September 25, 2018
5:40 pm - 6:10 pm
Maryland Ballroom A

Komes Subramaniam
Principal Software Engineer, T-Mobile

Senthil Velusamy
Sr MTS Domain Architecture, Director, T-Mobile