Methods and systems for controlling access to a protected resource

US10834096B2 · US · B2

Patent metadata

Publication number: US-10834096-B2
Application number: US-201816000086-A
Country: US
Kind code: B2
Filing date: Jun 5, 2018
Priority date: Jun 5, 2018
Publication date: Nov 10, 2020
Grant date: Nov 10, 2020

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

A method for regulating access to a protected resource is disclosed. The method includes: receiving, from a client application executing on a first device, a first signal including a request to obtain an access token for accessing a protected resource, the request including: a client identifier uniquely identifying the client application; a user identifier uniquely identifying an end user of the client application; and a public key associated with the end user; in response to validating the request, transmitting, to the client application on the first device, a second signal including an access token for accessing the protected resource; receiving, from a web server associated with the protected resource, a third signal including a request to validate a bearer token submitted by the client application to the web server, the bearer token including a digital signature; validating the bearer token, the validating including verifying the digital signature using the public key; and in response to validating the bearer token, sending to the web server a fourth signal including a notification that the bearer token is valid.

First claim

Opening claim text (preview).

The invention claimed is:

1. A network device, comprising: a communication interface connected to an external network; a memory; and a processor coupled to the communication interface and the memory, the processor being configured to: receive, via the communication interface from a client application executing on a first device, a first signal including a request to obtain an access token for accessing a protected resource, the request including: a client identifier uniquely identifying the client application; a user identifier uniquely identifying an end user of the client application; and a public key associated with the end user; validating the request to obtain the access token; in response to validating the request to obtain the access token, transmit via the communication interface to the client application on the first device, a second signal including an access token for accessing the protected resource; receive, via the communication interface from a web server associated with the protected resource, a third signal including a request to validate a bearer token submitted by the client application to the web server, the bearer token including a digital signature; validate the bearer token, the validating including verifying the digital signature using the public key; and in response to validating the bearer token, send to the web server via the communication interface a fourth signal including a notification that the bearer token is valid.
2. The network device of claim 1, wherein the processor is further configured to store the public key in the memory.
3. The network device of claim 1, wherein the bearer token includes a cryptographic nonce.
4. The network device of claim 3, wherein the cryptographic nonce comprises a combination of the client identifier, the user identifier, and a salt value.
5. The network device of claim 3, wherein the digital signature is generated based on a message that includes a combination of a first representation of the access token and the cryptographic nonce.
6. The network device of claim 5, wherein the digital signature is generated using a private key corresponding to the public key, the private key being stored in a hardware-based key manager that is isolated from the processing unit.
7. The network device of claim 6, wherein the digital signature is generated in the hardware-based key manager.
8. The network device of claim 3, wherein the access token has an associated expiry period and wherein the processing unit is further configured to store the nonce in the memory for duration of the expiry period of the access token.
9. The network device of claim 1, wherein sending the fourth signal to the web server comprises generating a message and signing the generated message using a first private key.
10. The network device of claim 3, wherein the validating further includes verifying the cryptographic nonce.
11. A method comprising: receiving, from a client application executing on a first device, a first signal including a request to obtain an access token for accessing a protected resource, the request including: a client identifier uniquely identifying the client application; a user identifier uniquely identifying an end user of the client application; and a public key associated with the end user; validating the request to obtain the access token; in response to validating the request to obtain the access token, transmitting, to the client application on the first device, a second signal including an access token for accessing the protected resource; receiving, from a web server associated with the protected resource, a third signal including a request to validate a bearer token submitted by the client application to the web server, the bearer token including a digital signature; validating the bearer token, the validating including verifying the digital signature using the public key; and in response to validating the bearer token, sending to the web server a fourth signal including a notification that the bearer token is valid.
12. The method of claim 11, further comprising storing the public key in a memory.
13. The method of claim 11, wherein the bearer token includes a cryptographic nonce.
14. The method of claim 13, wherein the cryptographic nonce comprises a combination of the client identifier, the user identifier, and a salt value.
15. The method of claim 13, wherein the digital signature is generated based on a message that includes a combination of a first representation of the access token and the cryptographic nonce.
16. The method of claim 15, wherein the digital signature is generated using a private key corresponding to the public key, the private key being stored in a hardware-based key manager.
17. The method of claim 16, wherein the digital signature is generated in the hardware-based key manager.
18. The method of claim 13, wherein the access token has an associated expiry period and wherein the method further comprises storing the nonce in a memory for duration of the expiry period of the access token.
19. The method of claim 11, wherein sending the fourth signal to the web server comprises generating a message and signing the generated message using a first private key.
20. The method of claim 13, wherein the validating further includes verifying the cryptographic nonce.
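The four-signal exchange described in the abstract and in claims 1 to 20, as an added illustration that is not code from the patent or from its assignee: the issuing server receives client identifier, user identifier and public key (signal 1), returns an access token with an expiry period (signal 2), and later validates a signed bearer token on the web server's behalf (signals 3 and 4), checking the signature with the stored public key and the nonce per claims 8 and 10. Everything the claims leave open is an assumption here: Ed25519 as the signature scheme, the SHA-256 digest of the access token as the "first representation" of claim 5, a colon-joined nonce of client identifier, user identifier and random salt (claim 4), in-memory maps standing in for the claimed memory and for the hardware key manager of claims 6 and 7, and the identifiers app-1 and user-42, which are constructed. It goes slightly beyond the claim text in spelling out what "verifying the cryptographic nonce" buys: a replayed bearer token and one whose identifiers were altered after signing are both rejected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"time"
)

// AuthServer plays the claimed "network device": issues tokens (signals 1-2), validates bearer tokens (3-4).
type AuthServer struct {
	keys   map[string]ed25519.PublicKey // clientID|userID -> public key sent with the request
	tokens map[string]time.Time         // access token -> expiry
	nonces map[string]time.Time         // seen nonce -> expiry of its access token (claim 8)
	now    func() time.Time             // injectable clock so expiry can be exercised
}

func NewAuthServer(now func() time.Time) *AuthServer {
	return &AuthServer{map[string]ed25519.PublicKey{}, map[string]time.Time{}, map[string]time.Time{}, now}
}

func randomHex(n int) string {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no CSPRNG means nothing can be issued safely
	}
	return hex.EncodeToString(b)
}

// IssueToken validates the token request, stores the end user's public key (claim 2)
// and returns an opaque access token with an expiry period.
func (s *AuthServer) IssueToken(clientID, userID string, pub ed25519.PublicKey, ttl time.Duration) (string, error) {
	if clientID == "" || userID == "" || len(pub) != ed25519.PublicKeySize {
		return "", errors.New("request validation failed")
	}
	tok := randomHex(16)
	s.keys[clientID+"|"+userID] = pub
	s.tokens[tok] = s.now().Add(ttl)
	return tok, nil
}

// BearerToken is what the client application presents to the web server.
type BearerToken struct {
	ClientID, UserID, AccessToken, Nonce string
	Signature                            []byte
}

// signingMessage is the claim-5 message: a representation of the access token
// (its SHA-256 digest, an assumption) combined with the nonce.
func signingMessage(accessToken, nonce string) []byte {
	h := sha256.Sum256([]byte(accessToken))
	return append(h[:], []byte(nonce)...)
}

// SignBearer is the client side. The nonce is the claim-4 combination of client id,
// user id and a fresh salt. In the patent the private key sits in a hardware key
// manager (claims 6-7); here an in-memory Ed25519 key stands in for it.
func SignBearer(priv ed25519.PrivateKey, clientID, userID, accessToken string) BearerToken {
	nonce := clientID + ":" + userID + ":" + randomHex(16)
	sig := ed25519.Sign(priv, signingMessage(accessToken, nonce))
	return BearerToken{clientID, userID, accessToken, nonce, sig}
}

// ValidateBearer answers the web server's validation request (signal 3); a nil
// error is the "token is valid" notification of signal 4.
func (s *AuthServer) ValidateBearer(bt BearerToken) error {
	exp, ok := s.tokens[bt.AccessToken]
	if !ok || !s.now().Before(exp) {
		return errors.New("unknown or expired access token")
	}
	pub, ok := s.keys[bt.ClientID+"|"+bt.UserID]
	if !ok {
		return errors.New("no public key registered for this client/user")
	}
	// Claim 10: the nonce must be bound to the claimed identifiers and never seen before.
	if _, seen := s.nonces[bt.Nonce]; seen || !strings.HasPrefix(bt.Nonce, bt.ClientID+":"+bt.UserID+":") {
		return errors.New("nonce replayed or not bound to the claimed identifiers")
	}
	if !ed25519.Verify(pub, signingMessage(bt.AccessToken, bt.Nonce), bt.Signature) {
		return errors.New("signature verification failed")
	}
	s.nonces[bt.Nonce] = exp // kept for the token's expiry period (claim 8); after that the first check rejects replays
	return nil
}

func main() {
	srv := NewAuthServer(time.Now)
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tok, _ := srv.IssueToken("app-1", "user-42", pub, time.Hour) // constructed identifiers
	bt := SignBearer(priv, "app-1", "user-42", tok)
	fmt.Println("first use:", srv.ValidateBearer(bt))
	fmt.Println("replay:", srv.ValidateBearer(bt)) // the same bearer token presented again
}
```

Two design points are worth noticing. The web server never verifies the signature itself; it forwards the bearer token to the issuing server, which is the only party holding the public key that arrived with the original request, so a stolen bearer token is useless to anyone who cannot produce a fresh signature under the end user's private key. And the seen-nonce store only has to live as long as the access token it was bound to: once the token has expired, the expiry check rejects any replay before the nonce is even consulted, which bounds the memory the replay protection needs.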

Assignees

Toronto Dominion Bank

Inventors

Classifications

  • involving random numbers or seeds · CPC title

  • Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy · CPC title

  • using tickets or tokens, e.g. Kerberos (network architectures or network communication protocols for entities authentication using tickets in a packet data network H04L63/0807) · CPC title

  • involving digital signatures · CPC title

  • using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL] · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US10834096B2 cover?
A method for regulating access to a protected resource is disclosed. The method includes: receiving, from a client application executing on a first device, a first signal including a request to obtain an access token for accessing a protected resource, the request including: a client identifier uniquely identifying the client application; a user identifier uniquely identifying an end user of th…
Who is the assignee on this patent?
Toronto Dominion Bank
What technology area does this patent fall under?
Primary CPC classification H04L63/0807. Mapped technology areas include Electricity.
When was this patent published?
Publication date Nov 10, 2020 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 11 related publications on this page (citations in our corpus or others sharing the same primary CPC).