Secure Token Handler
For one of my customers, I have created a "Secure Token" specific Handler, which I will publish for the community.
The goal is to pass the protected application a token that the application can use in a call (to a web service or anything else) to retrieve the real user identity. The token is created when the request comes in and deleted when the response goes back, so it only lives for the duration of one request.
A use case: the protected application calls a third-party web service but, for security reasons, must not send the user identity to that web service. Instead it sends the token, and the web service resolves the token to get the user identity. The identity itself never transits through the third party; only an opaque, short-lived token does.
My first implementation uses a Memcached server, with these benefits:
- High read/write performance (remember that we create a token per request!)
- Built-in token expiration (no need to purge tokens manually: a token whose response never comes back still disappears on its own once its TTL elapses)
This Handler is a kind of proof of concept, but it may be useful to others.
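To make the create/resolve/delete cycle concrete, here is an added example written for this page; it is my own illustration, not the author's Handler or its published code. The Memcached server is replaced by an in-memory stand-in that mirrors the three calls the handler needs (set with an expiry, get, delete) so the example runs offline; the class and function names, the key prefix and the 60-second default TTL are assumptions. The token is generated from the OS CSPRNG because it is a bearer credential, and it is revoked in a `finally` block so it is gone even when the protected application fails part-way through.

```python
import secrets
import time


class TtlStore:
    """In-memory stand-in for the Memcached server, constructed for this example.

    It mirrors the three operations the handler relies on (set with an expiry,
    get, delete). In a deployment the same three calls would go to a Memcached
    client. The clock is injectable so expiry can be exercised without sleeping.
    """

    def __init__(self, clock=time.monotonic):
        self._items = {}
        self._clock = clock

    def set(self, key, value, expire):
        # Memcached semantics: the entry disappears by itself after `expire` seconds.
        self._items[key] = (value, self._clock() + expire)

    def get(self, key):
        item = self._items.get(key)
        if item is None:
            return None
        value, deadline = item
        if self._clock() >= deadline:
            # Lazy purge, as Memcached does: an expired entry reads as absent.
            del self._items[key]
            return None
        return value

    def delete(self, key):
        return self._items.pop(key, None) is not None


class SecureTokenHandler:
    """Creates a per-request token bound to a user identity, resolves it, and
    deletes it when the response comes back. Names are assumptions for this example."""

    KEY_PREFIX = "securetoken:"  # assumed namespace for the Memcached keys

    def __init__(self, store, ttl_seconds=60):
        self._store = store
        self._ttl = ttl_seconds

    def issue(self, user_id):
        # 32 random bytes from the OS CSPRNG: the token is a bearer credential,
        # so it must be unguessable. The TTL caps the damage if the delete is missed.
        token = secrets.token_urlsafe(32)
        self._store.set(self.KEY_PREFIX + token, user_id, self._ttl)
        return token

    def resolve(self, token):
        # What the third-party web service calls: token in, identity out.
        # Unknown, expired or already-deleted tokens resolve to None.
        return self._store.get(self.KEY_PREFIX + token)

    def revoke(self, token):
        return self._store.delete(self.KEY_PREFIX + token)

    def handle_request(self, user_id, backend):
        """Wrap one request to the protected application (`backend`).

        The token lives only for the duration of the call: it is created before
        the application runs and revoked in `finally`, so it is gone even if the
        application raises part-way through.
        """
        token = self.issue(user_id)
        try:
            return backend(token)
        finally:
            self.revoke(token)


def demo():
    """Constructed round trip: the protected application forwards the token to a
    third-party service, which resolves it; after the response the token is dead."""
    handler = SecureTokenHandler(TtlStore(), ttl_seconds=30)
    trace = {}

    def third_party_service(token):
        # The service never receives "alice"; it gets an opaque token and asks back.
        trace["resolved"] = handler.resolve(token)
        return "service result"

    def protected_application(token):
        trace["token"] = token
        return third_party_service(token)

    trace["response"] = handler.handle_request("alice", protected_application)
    trace["after"] = handler.resolve(trace["token"])  # None: deleted with the response
    return trace


if __name__ == "__main__":
    print(demo())
```

Two things worth keeping in mind when moving this to a real Memcached server: the resolve endpoint must be reachable only by the third-party service over an authenticated channel, since anyone who can present a live token gets the identity; and the TTL should be just long enough to cover the slowest legitimate request, because it is the only thing that bounds a token whose response never comes back.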