
[Security] Add Token Service #421

@ginaxu1

Description

Current Limitation

Security Risks:

  1. Passing appToken through the system
  2. Missing userToken in Consumer Application validation
  3. No auth validation for OE -> PDP and OE -> CE

Suggested Improvement

RESEARCH FIRST

For now: create SecureTokenInterface with a test client that OE can use; create a generic payload that can be signed

Ideal Flow:

  1. When a request comes to OE with appToken and userToken
  2. The token service will look up clientID to get appID, and mint a token containing all information (appToken, userToken, audience, etc.) --> this secure token will be used within the OpenDIF system

Version

No response

Additional Context

No response
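The "Ideal Flow" above, as an added illustration that is not code from the OpenDIF project: a token service that maps clientID to appID, mints an HMAC-signed internal token carrying appToken, userToken and audience, and a verifier that a downstream component (PDP or CE) could use to reject tokens with a bad signature, a wrong audience, or past expiry. The registry, signing key and field names are assumptions chosen for the example.

```python
"""Added example: mint and verify an internal "secure token" for the OE -> PDP / OE -> CE hops."""
import base64
import hashlib
import hmac
import json
import time

# Constructed sample data (placeholders, not OpenDIF configuration):
# clientID -> appID lookup and the service-side signing key.
CLIENT_REGISTRY = {"client-abc": "app-123"}
SIGNING_KEY = b"constructed-example-key-do-not-use"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_secure_token(client_id, app_token, user_token, audience, ttl=300, now=None):
    """Look up appID from clientID and mint an HMAC-SHA256-signed internal token."""
    app_id = CLIENT_REGISTRY.get(client_id)
    if app_id is None:
        raise ValueError("unknown clientID")
    if not user_token:  # addresses risk 2: a missing userToken is rejected at mint time
        raise ValueError("userToken is required")
    now = int(time.time()) if now is None else now
    payload = {"app_id": app_id, "app_token": app_token, "user_token": user_token,
               "aud": audience, "iat": now, "exp": now + ttl}
    body = _b64(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    sig = _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_secure_token(token, expected_audience, now=None):
    """Verify signature first, then expiry and audience; return the payload or None."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    payload = json.loads(_unb64(body))  # safe to parse: signature already checked
    now = int(time.time()) if now is None else now
    if payload["exp"] <= now or payload["aud"] != expected_audience:
        return None
    return payload
```

In the flow above OE would call `mint_secure_token` once per inbound request and pass only the resulting token to PDP and CE, each of which verifies it against its own audience value.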
