Brokered authentication with risk sharing
US-2018234464-A1 · Aug 16, 2018 · US
US11811748B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11811748-B2 |
| Application number | US-202117386749-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jul 28, 2021 |
| Priority date | Jun 5, 2018 |
| Publication date | Nov 7, 2023 |
| Grant date | Nov 7, 2023 |
Official abstract text for this publication.
A computer-implemented method is disclosed. The method includes: receiving, via a communication interface from a client application executing on a first device, a first signal including a request to obtain an access token for accessing a protected resource, the request including a public key associated with an end user; validating the request to obtain the access token; and in response to validating the request: encrypting an authorization code associated with the request using the public key to generate a first code; and transmitting, via the communication interface to the client application on the first device, a second signal including both the access token for accessing the protected resource and the first code.
Claims.
The invention claimed is:
1. A network device, comprising: a communication interface connected to an external network; a memory; a processing unit coupled to the communication interface and the memory, the processing unit being configured to: receive, via the communication interface from a client application executing on a first device, a first signal including a request to obtain an access token for accessing a protected resource, the request including a public key associated with an end user; validate the request to obtain the access token; and in response to validating the request: encrypt an authorization code associated with the request using the public key to generate a first code; and transmit, via the communication interface to the client application on the first device, a second signal including both the access token for accessing the protected resource and the first code.
2. The network device of claim 1, wherein the authorization code is a unique code encoding authentication of an end user of the client application.
3. The network device of claim 1, wherein the processing unit is further configured to: decrypt the first code; receive, via the communication interface from the client application, a third signal including an indication that decrypting the first code failed to produce a match of the authorization code; and in response to receiving the third signal, revoking the access token at a token revocation endpoint of the network device.
4. The network device of claim 1, wherein the processing unit is further configured to: receive, via the communication interface from a web server associated with the protected resource, a fourth signal including a request to validate a bearer token submitted by the client application to the web server, the bearer token including a digital signature; validate the bearer token, the validating including verifying the digital signature using the public key; and in response to validating the bearer token, send to the web server via the communication interface a fifth signal including a notification that the bearer token is valid.
5. The network device of claim 4, wherein the bearer token includes a cryptographic nonce.
6. The network device of claim 4, wherein the digital signature is generated based on a message that includes a combination of a first representation of the access token and a cryptographic nonce.
7. The network device of claim 6, wherein the digital signature is generated using a private key corresponding to the public key, the private key being stored in a hardware-based key manager that is isolated from the processing unit.
8. The network device of claim 7, wherein the digital signature is generated in the hardware-based key manager.
9. The network device of claim 4, wherein sending the fifth signal to the web server comprises generating a message and signing the generated message using a first private key.
10. The network device of claim 1, wherein the access token has an associated expiry period and wherein the processing unit is further configured to store a cryptographic nonce in the memory for duration of the expiry period of the access token.
11. A method comprising: receiving, via a communication interface from a client application executing on a first device, a first signal including a request to obtain an access token for accessing a protected resource, the request including a public key associated with an end user; validating the request to obtain the access token; and in response to validating the request: encrypting an authorization code associated with the request using the public key to generate a first code; and transmitting, via the communication interface to the client application on the first device, a second signal including both the access token for accessing the protected resource and the first code.
12. The method of claim 11, wherein the authorization code is a unique code encoding authentication of an end user of the client application.
13. The method of claim 11, further comprising: decrypting the first code; receiving, via the communication interface from the client application, a third signal including an indication that decrypting the first code failed to produce a match of the authorization code; and in response to receiving the third signal, revoking the access token at a token revocation endpoint of a network device.
14. The method of claim 11, further comprising: receiving, from a web server associated with the protected resource, a third signal including a request to validate a bearer token submitted by the client application to the web server, the bearer token including a digital signature; validating the bearer token, the validating including verifying the digital signature using the public key; and in response to validating the bearer token, sending to the web server a fourth signal including a notification that the bearer token is valid.
15. The method of claim 14, wherein the bearer token includes a cryptographic nonce.
16. The method of claim 14, wherein the digital signature is generated based on a message that includes a combination of a first representation of the access token and a cryptographic nonce.
17. The method of claim 16, wherein the digital signature is generated using a private key corresponding to the public key, the private key being stored in a hardware-based key manager.
18. The method of claim 17, wherein the digital signature is generated in the hardware-based key manager.
19. The method of claim 14, wherein sending the fifth signal to the web server comprises generating a message and signing the generated message using a first private key.
20. The method of claim 11, wherein the access token has an associated expiry period and wherein the method further comprises storing a cryptographic nonce in a memory for duration of the expiry period of the access token.
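The claims above describe one exchange from two sides: the authorization server returns the access token together with the authorization code encrypted under the end user's public key (claims 1 and 11), the client proves it holds the matching private key by decrypting and comparing (claims 3 and 13, with revocation on mismatch), and later bearer tokens carry a signature over the access token and a nonce that the server verifies with the same public key (claims 4 to 7 and 10). The Go program below is an added example written for this page; it is not code from the patent or from any assignee's implementation. It assumes RSA-OAEP for the "encrypt using the public key" step, RSA-PSS over SHA-256(token || nonce) as the "combination" of claim 6, an in-process private key where claim 7 places it in a hardware key manager, and a nonce store without the expiry tracking of claim 10. Every type, function and field name is invented for the example, and the authorization code is a constructed value.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// TokenResponse is the "second signal" of claim 1: access token plus the
// authorization code encrypted under the end user's public key (the "first code").
type TokenResponse struct {
	AccessToken string
	FirstCode   []byte
}

// BearerToken is what the client presents to the web server (claims 4 to 6).
type BearerToken struct {
	AccessToken string
	Nonce       []byte
	Signature   []byte
}

// AuthServer plays the "network device" of claim 1; all names are this example's own.
type AuthServer struct {
	userPub   *rsa.PublicKey  // public key received with the token request
	liveToken map[string]bool // issued tokens; removed on revocation (claim 3)
	seenNonce map[string]bool // nonces kept for the token's lifetime (claim 10)
}

func NewAuthServer() *AuthServer { return &AuthServer{liveToken: map[string]bool{}, seenNonce: map[string]bool{}} }

// IssueToken validates the request, RSA-OAEP-encrypts the authorization code bound
// to it under the supplied public key, and returns token and first code together.
func (s *AuthServer) IssueToken(pub *rsa.PublicKey, authCode []byte) (TokenResponse, error) {
	if pub == nil || len(authCode) == 0 {
		return TokenResponse{}, fmt.Errorf("invalid token request")
	}
	firstCode, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, authCode, []byte("first-code"))
	if err != nil {
		return TokenResponse{}, err
	}
	raw := make([]byte, 16)
	rand.Read(raw) // crypto/rand fills the slice; current Go never returns an error here
	tok := hex.EncodeToString(raw)
	s.userPub, s.liveToken[tok] = pub, true
	return TokenResponse{AccessToken: tok, FirstCode: firstCode}, nil
}

// Revoke is the revocation endpoint of claim 3, hit after the client's "third signal".
func (s *AuthServer) Revoke(accessToken string) { delete(s.liveToken, accessToken) }

// ValidateBearer answers the web server's request of claim 4: live token, unused
// nonce, and a valid RSA-PSS signature under the key stored at issuance.
func (s *AuthServer) ValidateBearer(b BearerToken) bool {
	if s.userPub == nil || !s.liveToken[b.AccessToken] || s.seenNonce[string(b.Nonce)] ||
		rsa.VerifyPSS(s.userPub, crypto.SHA256, bearerDigest(b.AccessToken, b.Nonce), b.Signature, nil) != nil {
		return false
	}
	s.seenNonce[string(b.Nonce)] = true // burn the nonce only once the signature checks out
	return true
}

// bearerDigest hashes the message of claim 6: the access token combined with the nonce.
func bearerDigest(accessToken string, nonce []byte) []byte {
	h := sha256.Sum256(append([]byte(accessToken+"|"), nonce...))
	return h[:]
}

// Client holds the end user's key pair. Claim 7 keeps the private key in a hardware
// key manager; it lives in process here so the example runs anywhere.
type Client struct {
	Key      *rsa.PrivateKey
	AuthCode []byte // constructed: the code obtained earlier in the authorization flow
}

// CheckFirstCode decrypts the first code and compares it with the code the client holds.
func (c *Client) CheckFirstCode(resp TokenResponse) bool {
	plain, err := rsa.DecryptOAEP(sha256.New(), nil, c.Key, resp.FirstCode, []byte("first-code"))
	return err == nil && bytes.Equal(plain, c.AuthCode)
}

// MakeBearer signs the access token plus a fresh nonce with the private key.
func (c *Client) MakeBearer(accessToken string) (BearerToken, error) {
	nonce := make([]byte, 16)
	rand.Read(nonce)
	sig, err := rsa.SignPSS(rand.Reader, c.Key, crypto.SHA256, bearerDigest(accessToken, nonce), nil)
	if err != nil {
		return BearerToken{}, err
	}
	return BearerToken{AccessToken: accessToken, Nonce: nonce, Signature: sig}, nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	client, server := &Client{Key: key, AuthCode: []byte("constructed-auth-code-42")}, NewAuthServer()
	resp, _ := server.IssueToken(&key.PublicKey, client.AuthCode)
	bearer, _ := client.MakeBearer(resp.AccessToken)
	fmt.Println(client.CheckFirstCode(resp), server.ValidateBearer(bearer), server.ValidateBearer(bearer))
}
```

Two design points worth noticing when reading this against the claims. First, claims 7 and 17 use one key pair for both the encryption of the first code and the bearer-token signature; the example keeps them apart with distinct schemes (OAEP with a fixed label for encryption, PSS for signing) so that a ciphertext can never be mistaken for a signing input. Second, the server records a nonce only after the signature verifies and rejects any repeat, which is what makes the bearer token worthless to anyone who captures it in transit; claims 10 and 20 additionally bound how long those nonces must be remembered to the token's expiry period, which a real store would enforce with a timestamp.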
CPC classification titles:
- using tickets, e.g. Kerberos (cryptographic mechanisms or cryptographic arrangements for entity authentication using tickets or tokens, H04L9/3213)
- using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
- Revocation or update of secret information, e.g. encryption key update or rekeying
- using tickets or tokens, e.g. Kerberos (network architectures or network communication protocols for entities authentication using tickets in a packet data network, H04L63/0807)
- involving digital signatures