Episode 116 - GluuFederation/identerati-office-hours GitHub Wiki
Title: Replays Rejected: Fortifying Microservices Against Stolen Tokens
- Host: Mike Schwartz, Founder/CEO Gluu
- Guest: Mert Coskuner, Principal Product Security Engineer at Yahoo
- Guest: Naveen CM, Senior Principal Software Engineer at Yahoo
Description
At the OAuth Security Workshop 2025, Mert and Naveen co-presented a session titled "Enhancing Security with Transaction Tokens," where they introduced a novel approach to mitigating cookie theft and replay attacks in microservices architectures. This method involves the use of Transaction Tokens (TraTs)—narrowly scoped, time-limited tokens exchanged at the CDN level. These tokens are validated locally and bound to specific services, thereby reducing the risk of replay attacks and minimizing the latency associated with centralized session validators. This strategy is currently progressing through the IETF OAuth Working Group.
If you're attending Identiverse this year, they will also be presenting this topic Wednesday, June 4, Mandalay Bay H at 4:35 pm - 5 pm.
Homework
Sample JWT
```json
{
  "sub": "foobar",
  "txnID": "753edc0755bd",
  "authz-context": "encrypted_user_data__authn_event_details",
  "exp": 1689790025,
  "iat": 123456789,
  "scope": "mail-read"
}
```
Diagram 1: Problem
Diagram 2: Sequence Diagram
Diagram 3: Attack foiled
Diagram 4: Misconfigured Service
Insider threat: what if a misconfigured service logs the cookie? Then it could be replayed...
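As an added example (not code from the episode, the speakers or Yahoo's implementation), here is the exchange-and-local-validation flow from the diagrams in Python: the edge swaps the session for a TraT carrying the sample JWT's claims plus an `aud` binding (my assumption; the page only says tokens are bound to specific services), the downstream service validates it locally, and a token copied out of a log is rejected once its window closes or when it is presented to a different service. The HS256 shared key, the 30-second TTL and the session record are constructed values.

```python
import base64, hashlib, hmac, json, secrets

# Constructed demo key shared by the edge exchanger and the downstream service;
# a real deployment would sign with an asymmetric key and publish the public half.
SIGNING_KEY = b"constructed-demo-key-not-for-production"
HEADER = {"alg": "HS256", "typ": "JWT"}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def exchange_cookie_for_trat(session, audience, requested_scope, now, ttl=30):
    """Edge-side exchange: the session cookie never travels downstream; the service
    receives a short-lived TraT bound to it through "aud" (an assumed claim)."""
    if requested_scope not in session["scopes"]:
        raise PermissionError("exchange may downscope but never upscope")
    claims = {
        "sub": session["sub"],
        "txnID": secrets.token_hex(6),  # fresh per transaction, as in the sample JWT
        "aud": audience,
        "authz-context": session["authz_context"],  # opaque blob, e.g. encrypted
        "iat": now,
        "exp": now + ttl,  # seconds, not a long-lived session
        "scope": requested_scope,
    }
    signing_input = _b64url(json.dumps(HEADER).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_trat(token, my_audience, now):
    """Local validation inside the receiving service: signature, binding and
    lifetime are checked here, with no round trip to a central session validator."""
    header_b64, claims_b64, sig_b64 = token.split(".")
    expected = hmac.new(SIGNING_KEY, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(claims_b64))
    if claims["aud"] != my_audience:
        raise ValueError("token is bound to a different service")
    if now >= claims["exp"]:
        raise ValueError("token expired")  # a logged copy replayed later dies here
    return claims
```

The same token that a misconfigured service writes to its log is worth almost nothing to an attacker: it only works at one service, only for one narrow scope, and only for seconds.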
Takeaways
- ⚡ Passing the cookie directly from the browser to downstream services created all kinds of risks. Just swapping the cookie for a JWT made the backend services a lot more secure.
- ⚡ Using a token-exchange pattern created all sorts of opportunities to improve security: it was possible to add extra security information into the new token, to filter the identity assertion, or to downscope the token.
- ⚡ Although the draft IETF transaction token spec has some details, there isn't any agreement over schema beyond the basic claims. It's also interesting how Yahoo is sending an encrypted identity assertion downstream to the APIs. Lots of people say you shouldn't do this, but it just goes to show that it's not that uncommon. It's not that uncommon to even see SAML assertions passed downstream to APIs.
- ⚡ There is no `jti` claim specified in the OAuth transaction token spec. Why not? It's convenient if all issued tokens have a primary key (`jti`). You could still add it... not sure why it's not reserved though.