Phantom Token Flow

Overview

Phantom Token Flow is an implementation for securing APIs and microservices that combines the security of opaque tokens with the convenience of JSON Web Token (JWT).

The Phantom Token Flow concept is to pair a by-reference token (the Opaque token) with a by-value token (the JWT). The client (often an OAuth Client) is not aware of the JWT and only ever encounters the Opaque token.

When a client asks for a token, the Token Service Provider issues the Opaque token.

Instead of having every internal API and microservice call the Token Service Provider to resolve the Opaque token on each request, the pattern takes advantage of an API Gateway, Reverse Proxy or other middleware that is usually placed between the client and the Services or Resources. The gateway resolves the Opaque token into the JWT and forwards the JWT to the internal services. In that way the APIs and microservices benefit from the JWT without any of its data or private data being exposed to the client, as the client only ever retrieves the opaque token.

Phantom Token Flow enables consistent security across Services. Each Service expects an Access Token in JSON Web Token (JWT) format. At the Internet-facing edge, opaque tokens are exchanged for JWTs in the Phantom Token Flow.

This allows the Opaque token to be exposed externally while ensuring proper Access Control internally.

Phantom Token Flow may make use of the Token Introspection Endpoint for resolution or exchange of the Opaque token.
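The flow described above as an added, self-contained example (not code from this wiki or from any Token Service product): a token service that introspects an opaque token and returns a JWT, a gateway that swaps the client's opaque bearer token for that JWT, and an internal API that validates the JWT locally. The token store, signing key and token values are constructed; the HS256 shared key is an assumption made so the example runs offline.

```python
import base64, hashlib, hmac, json, time

# Constructed sample data. Assumption: an HMAC key shared by the token service and the
# internal APIs keeps the example offline; real deployments sign with an asymmetric key.
SIGNING_KEY = b"example-shared-secret-not-for-production"
# Token service state: by-reference token -> claims (what an introspection endpoint looks up).
TOKEN_STORE = {
    "opaque-abc123": {"sub": "alice", "scope": "orders:read", "exp": 4102444800},
    "opaque-expired": {"sub": "bob", "scope": "orders:read", "exp": 1},
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def mint_jwt(claims: dict) -> str:
    """Token service: build the by-value token (HS256 JWT) from the stored claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def introspect(opaque_token: str) -> dict:
    """Token service: resolve the opaque token; inactive if unknown or expired."""
    claims = TOKEN_STORE.get(opaque_token)
    if claims is None or claims["exp"] < time.time():
        return {"active": False}
    return {"active": True, "jwt": mint_jwt(claims)}

def internal_api(request: dict) -> dict:
    """Internal service: validates the JWT locally and never sees the opaque token."""
    token = request["headers"]["Authorization"].split(" ", 1)[1]
    header, payload, sig = token.split(".")
    expected = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        return {"status": 401, "body": "bad signature"}
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    return {"status": 200, "body": f"orders for {claims['sub']}"}

def gateway_forward(request: dict) -> dict:
    """Gateway: swap the client's opaque bearer token for the JWT, then forward."""
    scheme, _, token = request.get("headers", {}).get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return {"status": 401, "body": "missing bearer token"}
    result = introspect(token)
    if not result["active"]:
        return {"status": 401, "body": "invalid or expired token"}
    headers = {**request["headers"], "Authorization": f"Bearer {result['jwt']}"}
    return internal_api({**request, "headers": headers})
```

A production gateway would also cache introspection results for the token's remaining lifetime, and the internal service would check the `exp` claim itself rather than relying on the gateway having done so.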

More Information

There might be more information for this subject on one of the following: