A robust authentication and authorization mechanism is imperative in modular system development, where modularity and modular thinking are pivotal. Traditional systems often employ identity modules responsible for authentication and token issuance. Tokens, which represent user credentials, offer advantages such as reduced reliance on passwords, a limited lifespan, and scoped access. Despite these benefits, the "bearer token" problem persists, leaving systems vulnerable to abuse if tokens are compromised. We propose a token-based authentication mechanism that addresses this critical bearer token problem in modular systems. The proposed mechanism consists of a novel RAF (Recursive Augmented Fernet) token, a blacklist component, and a policy enforcer component. RAF tokens are one-time-use tokens, like tickets. They carry commands, and the receiver of an RAF token can issue new tokens using the received RAF token. The blacklist component guarantees that an RAF token cannot be approved more than once, and the policy enforcer checks the compatibility of the commands carried by an RAF token. We introduce two variations of RAF tokens: User-tied RAF, offering simplicity and compatibility, and Fully-tied RAF, providing enhanced security through service-specific secret keys. We thoroughly discuss the security guarantees, technical definitions, and construction of RAF tokens, backed by game-based proofs. We demonstrate a proof of concept in the context of OpenStack, involving modifications to Keystone and the creation of an RAFT library. The experimental results reveal minimal overhead in typical scenarios, establishing the practicality and effectiveness of RAF. Our experiments show that the RAF mechanism outperforms the alternative of using short-lived Fernet tokens while providing much better security.
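The following is an added toy model of the RAF flow described above (one-time tokens that carry a command, a receiver that approves a token and issues a new one from it, a blacklist that blocks re-approval, and a policy enforcer that checks command compatibility); it is illustrative code written for this page, not the paper's construction or the RAFT library. It assumes a stdlib HMAC token as a stand-in for Fernet, a single shared key (modelling the User-tied variant; a per-service key would model the Fully-tied variant), the "parent token embedded in the child" layout, and the `POLICY` compatibility rules, all of which are assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Assumption: one shared key models User-tied RAF; Fully-tied would key per service.
KEY = secrets.token_bytes(32)
BLACKLIST = set()  # ids of tokens already approved: enforces one-time use
# Assumed compatibility rules: a token carrying cmd may be approved for any of POLICY[cmd].
POLICY = {"read": {"read"}, "write": {"write", "read"}}


def _sign(payload: bytes) -> str:
    # HMAC-SHA256 stands in for Fernet's authentication; no encryption in this toy.
    return base64.urlsafe_b64encode(hmac.new(KEY, payload, hashlib.sha256).digest()).decode()


def issue(command: str, parent=None) -> str:
    """Mint a token carrying `command`; `parent` is the RAF token that authorised issuance."""
    body = json.dumps({"id": secrets.token_hex(8), "cmd": command, "parent": parent}).encode()
    return base64.urlsafe_b64encode(body).decode() + "." + _sign(body)


def approve(token: str, requested: str) -> dict:
    """Verify the MAC, reject replays via the blacklist, and enforce the command policy."""
    encoded, mac = token.rsplit(".", 1)
    body = base64.urlsafe_b64decode(encoded)
    if not hmac.compare_digest(mac, _sign(body)):
        raise PermissionError("bad signature")
    claims = json.loads(body)
    if claims["id"] in BLACKLIST:
        raise PermissionError("token already approved once")
    if requested not in POLICY.get(claims["cmd"], set()):
        raise PermissionError("requested command incompatible with carried command")
    BLACKLIST.add(claims["id"])  # consume the token: it can never be approved again
    return claims


def delegate(token: str, command: str) -> str:
    """A receiver approves `token` for `command` and issues a new RAF token carrying it."""
    approve(token, command)
    return issue(command, parent=token)


def is_approved(token: str, requested: str) -> bool:
    """Convenience wrapper: True if approval succeeds, False on any policy/replay/MAC failure."""
    try:
        approve(token, requested)
        return True
    except PermissionError:
        return False
```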