github.com/tmobile/tmobile-api-security-lib
"T-Mobile API Security Libraries" provides the libraries which can be leveraged to implement the API security within your enterprise. Currently it provides the PoP (Proof of Possession) token builder and validator related libraries. Proof of possession (PoP) helps enabling the message integrity and also helps avoiding the transaction replay and token theft. For each API request the new PoP token is created by API consumer and signed by the client's private key which can then be verified using the client's public key at API gateway. The PoP token builder libraries are available in multiple languages.
βββ tmobile-api-security-lib # T-Mobile API Security Lib Parent Directory
β
βββ poptoken-lib # PoP Token Lib Parent Directory
β βββ poptoken-builder # PoP Token Builder Lib Parent Directory
β β βββ java-lib-tmobile-oss-poptoken-builder # Java PoP Token Builder Lib
β β βββ js-lib-tmobile-oss-poptoken-builder # JavaScript PoP Token Builder Lib
β β βββ android-lib-tmobile-oss-poptoken-builder # Android PoP Token Builder Lib
β β βββ ios-lib-tmobile-oss-poptoken-builder # iOS PoP Token Builder Lib
β β βββ C#-lib-tmobile-oss-poptoken-builder # C# .NetCore PoP Token Builder Lib
β β
β βββ poptoken-validator # PoP Token Validator Lib Parent Directory
β βββ java-lib-tmobile-oss-poptoken-validator # Java PoP Token Validator Lib
β
βββ encryption-lib # Encryption (JWE) Lib Parent Directory
βββ C#-Encryption-Lib # C# Encryption Lib
βββ encyption-lib-core # C# Encryption Lib .NET Core 3.1 Standard Library 2.0
βββ encyption-lib-core.test # C# Encryption Lib .NET Core 3.1 MS Test
The OAuth 2.0 bearer token specification, as defined in RFC6750, allows any party in possession of a bearer token (a "bearer") to get access to the associated resources (without demonstrating possession of a cryptographic key). To prevent misuse, bearer tokens must be protected from disclosure in transit and at rest.
Some scenarios demand additional security protection, whereby a client needs to demonstrate possession of cryptographic keying material when accessing a protected resource.
Proof of possession (PoP) provides a mechanism to bind key material to access tokens. This key material can then be used by the client to add signatures to outgoing HTTP requests to the resource server. The resource server in turn can use the key material to make sure that the sender is the same entity that requested the token in the first place (as opposed to someone who stole the token in transit or at rest).
Proof of possession (PoP) helps enabling the message integrity and also helps avoiding the transaction replay and token theft. For each API request the new PoP token is created by API consumer and signed by client's private key which can then be verified using client's public key at API gateway.
The format of the PoP token used by T-Mobile is:
Header: {alg, type}
Body {
iat: <epoch time>
exp: <epoch time>
ehts: <authorization; content_type; uri; http-method; body> => All request headers, URI, HTTP method and body fields used to create hash
edts: <Base64UrlSafeEncoding[SHA256(all ehts claim values as a concatenated string)]">
jti: <unique identifier>
v: "1"
}
Signature: <digitalSignature>
The T-Mobile API security libraries are released under the Apache 2.0 License.
FAQs
Unknown package
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Fluent Assertions is facing backlash after dropping the Apache license for a commercial model, leaving users blindsided and questioning contributor rights.
Research
Security News
Socket researchers uncover the risks of a malicious Python package targeting Discord developers.
Security News
The UK is proposing a bold ban on ransomware payments by public entities to disrupt cybercrime, protect critical services, and lead global cybersecurity efforts.