Session
Securing workloads with Transaction Tokens and Minicloak
In modern computing architectures that involve multiple independent workloads and follow the zero trust model, it is important that calls between the workloads are properly authenticated and authorized. SPIFFE/SPIRE solves the authentication part; however, it does not take into account the request context and other dynamic data.
A new Internet draft called Transaction Tokens has been adopted by the IETF OAuth Working Group, and it addresses the authorization part. A transaction token is a short-lived, cryptographically signed, request-specific token obtained from a new Transaction Token Service in exchange for the external OAuth/OIDC access token and other context-dependent data. The token is then included in every inter-workload call, which guarantees that only legitimate, non-spurious calls between the workloads can take place. From this talk, attendees will learn how Transaction Tokens work, how they help to make the internal perimeter more secure, how we implemented this upcoming specification using a customized version of Keycloak, what challenges we faced and how we solved them.
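The flow sketched in the abstract, as an added example that is not part of the session page or of the speaker's Keycloak implementation: a Transaction Token Service issues a short-lived, signed, request-bound token in exchange for an already-validated external access token plus request context, and a downstream workload verifies that token before serving an inter-workload call. The claim names (`txn`, `purp`, `azd`, `rctx`) and the `txn_token+jwt` type follow the OAuth Transaction Tokens draft as the author of this example understands it; the HS256 shared key, the trust-domain URL, the `Txn-Token` header name and all sample values are constructed for the demo and should be treated as assumptions.

```python
"""Minimal Transaction Token (TraT) exchange and verification.

Constructed example: the Transaction Token Service (TTS) side issues a token,
the workload side verifies it. A shared-secret HS256 JWS is used for brevity;
a real TTS would sign with an asymmetric key published to the workloads.
"""
import base64
import hashlib
import hmac
import json
import time
import uuid

TRUST_DOMAIN = "https://example-trust-domain.test"  # constructed issuer/audience
SHARED_KEY = b"constructed-demo-key-do-not-reuse"    # demo only


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(header: dict, payload: dict) -> str:
    # Compact JWS: base64url(header).base64url(payload).base64url(signature)
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(SHARED_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def issue_transaction_token(external_token: dict, purpose: str,
                            request_context: dict, now=None, ttl=30) -> str:
    """TTS side. `external_token` holds the claims of the already-validated
    external OAuth/OIDC access token; `request_context` is the dynamic data
    (caller IP, authentication method, ...) the TTS binds into the token."""
    now = int(now if now is not None else time.time())
    header = {"alg": "HS256", "typ": "txn_token+jwt"}
    payload = {
        "iss": TRUST_DOMAIN,
        "aud": TRUST_DOMAIN,          # every workload in the trust domain
        "iat": now,
        "exp": now + ttl,             # short-lived: seconds, not hours
        "txn": str(uuid.uuid4()),     # unique id for this transaction
        "sub": external_token["sub"],
        "purp": purpose,              # what this transaction is allowed to do
        "azd": {"scope": external_token.get("scope", "")},  # authorization details
        "rctx": request_context,      # immutable request context
    }
    return _sign(header, payload)


def outbound_headers(token: str) -> dict:
    """Workload side: carry the token on every inter-workload call (assumed header name)."""
    return {"Txn-Token": token}


def verify_transaction_token(token: str, expected_purpose: str, now=None) -> dict:
    """Workload side. Checks signature, type, issuer/audience, validity window
    and purpose; raises ValueError on any failure, returns the claims otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, p_b64, s_b64 = parts
    expected = hmac.new(SHARED_KEY, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    header = json.loads(_b64url_decode(h_b64))
    if header.get("alg") != "HS256" or header.get("typ") != "txn_token+jwt":
        raise ValueError("unexpected token header")
    claims = json.loads(_b64url_decode(p_b64))
    now = int(now if now is not None else time.time())
    if claims.get("iss") != TRUST_DOMAIN or claims.get("aud") != TRUST_DOMAIN:
        raise ValueError("issuer/audience mismatch")
    if not (claims.get("iat", now + 1) <= now < claims.get("exp", 0)):
        raise ValueError("token outside its validity window")
    if claims.get("purp") != expected_purpose:
        raise ValueError("purpose mismatch")
    for required in ("txn", "sub", "azd", "rctx"):
        if required not in claims:
            raise ValueError(f"missing claim: {required}")
    return claims


if __name__ == "__main__":
    # Constructed external token claims and request context.
    ext = {"sub": "alice", "scope": "payments:write"}
    trat = issue_transaction_token(ext, "payment.initiate", {"req_ip": "203.0.113.10"})
    print(outbound_headers(trat))
    print(verify_transaction_token(trat, "payment.initiate")["txn"])
```

The point of the `purp` and `rctx` checks is that a workload can refuse a call that carries a valid signature but was issued for a different purpose or under a different request context, which is exactly the dynamic data a SPIFFE identity alone cannot express.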

Dmitry Telegin
Principal backend engineer at Backbase, opensource IAM expert, IETF contributor
Cardiff, United Kingdom