A simpler approach to inter-application authentication utilising cloud-native identities
摘要
Application Programming Interfaces (APIs) are widely consumed by both internal and external entities. When services authenticate to other services, they typically rely on static credentials such as API keys, username-password pairs, or mutual Transport Layer Security (mTLS) certificates. These static credentials have contributed to several major security breaches due to inadvertent or malicious disclosure. This paper proposes a cloud-agnostic authentication framework that replaces static credentials with cloud-native bootstrap identities. The approach works by having a calling application cryptographically prove its entitlement to a cloud-assigned role (such as an AWS IAM Role, GCP Service Account, or Azure Managed Identity) to an organisational identity provider (Org IDP), which validates the proof against the cloud platform and issues a short-lived JSON Web Token (JWT) conforming to the OpenID Connect (OIDC) standard. Receiving applications authenticate the caller using standard OIDC validation, requiring no shared secrets. The framework is evaluated through a proof of concept implementation on AWS, with the identity proof mechanisms for GCP and Azure independently validated on their respective platforms. Performance benchmarks demonstrate that JWT validation adds only 1–2 ms of overhead per request, and a threat analysis shows that the model removes reliance on static credentials, thereby eliminating a major class of secret-leakage risk whilst reducing man-in-the-middle and replay attack surfaces.