SaFi Bank Space : Authentication and secure Authorization

Usual flow:

  1. User logs in to the Auth Server with their credentials and receives an access token.

  2. App attaches the access token to the request and sends it together with the request data.

  3. Cloudflare verifies the token's signature with the Auth Server's public key (and also checks the token's expiration date, audience, etc.).

Our proposed flow:

  1. User holds a private key, signs the request data with that private key, and then sends the signed request.

  2. Cloudflare checks the request by verifying the signature with the user's public key. To do this, it needs to either:

    a. Fetch the user's public key from the Auth Server (based on a key ID in the request). Optionally, the public key can be cached for subsequent requests.

    b. Do the check via a certificate included in the request: the certificate is signed by the Auth Server and is verified with the Auth Server's public key.
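The proposed flow with option (a), as an added example that is not part of the original page or of the SaFi codebase: the client signs a canonical form of the request with an Ed25519 private key, and the gateway looks up the public key by key ID (the `KeyLookup` function stands in for the Auth Server fetch, with or without a cache), rejects requests whose timestamp is outside an accepted window, and only then verifies the signature. The signing-input layout (key ID, method, path, body digest, timestamp) is an assumption chosen for illustration; what matters is that the signature covers the whole request so that a modified body or path fails verification.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"time"
)

// signingInput is the canonical byte string both sides sign/verify. Including the
// key ID, method, path, body digest and timestamp binds the signature to this exact
// request, so a replayed signature on different data does not verify. (Assumed layout.)
func signingInput(keyID, method, path string, body []byte, ts int64) []byte {
	sum := sha256.Sum256(body)
	return []byte(keyID + "\n" + method + "\n" + path + "\n" +
		hex.EncodeToString(sum[:]) + "\n" + strconv.FormatInt(ts, 10))
}

// SignRequest is the client side (proposed flow, step 1).
func SignRequest(priv ed25519.PrivateKey, keyID, method, path string, body []byte, ts int64) []byte {
	return ed25519.Sign(priv, signingInput(keyID, method, path, body, ts))
}

// KeyLookup stands in for fetching the user's public key from the Auth Server by key ID
// (option a); a cache placed in front of the fetch would expose the same shape.
type KeyLookup func(keyID string) (ed25519.PublicKey, bool)

// VerifyRequest is the gateway side (proposed flow, step 2): resolve the key, reject stale
// or future-dated requests, then verify the signature over the canonical input.
func VerifyRequest(lookup KeyLookup, keyID, method, path string, body []byte, ts int64,
	sig []byte, now time.Time, maxSkew time.Duration) error {
	pub, ok := lookup(keyID)
	if !ok {
		return errors.New("unknown key id")
	}
	if d := now.Sub(time.Unix(ts, 0)); d > maxSkew || d < -maxSkew {
		return errors.New("timestamp outside accepted window")
	}
	if !ed25519.Verify(pub, signingInput(keyID, method, path, body, ts), sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	keys := map[string]ed25519.PublicKey{"user-1": pub} // constructed stand-in for the Auth Server's key store
	lookup := func(id string) (ed25519.PublicKey, bool) { k, ok := keys[id]; return k, ok }
	body, now := []byte(`{"amount":10}`), time.Now()
	sig := SignRequest(priv, "user-1", "POST", "/transfer", body, now.Unix())
	fmt.Println("valid:", VerifyRequest(lookup, "user-1", "POST", "/transfer", body, now.Unix(), sig, now, time.Minute))
	fmt.Println("tampered:", VerifyRequest(lookup, "user-1", "POST", "/transfer", []byte(`{"amount":99}`), now.Unix(), sig, now, time.Minute))
}
```

Option (b) differs only in how `pub` is obtained: the gateway would first validate the certificate carried in the request against the Auth Server's public key and then take the user's public key from that certificate.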