System and method for hardening security between web services using protected forwarded access tokens
US-2020259652-A1 · Aug 13, 2020 · US
US12476964B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-12476964-B2 |
| Application number | US-202217947412-A |
| Country | US |
| Kind code | B2 |
| Filing date | Sep 19, 2022 |
| Priority date | Apr 15, 2020 |
| Publication date | Nov 18, 2025 |
| Grant date | Nov 18, 2025 |
Official abstract text for this publication.
Methods, systems, and computer-readable storage media for receiving, from a first component and by a second component in a cloud platform, a call, a token, and a first client certificate, determining, by the second component, a first client identifier associated with the first component, and determining, by the second component, that the first client identifier is included in a manifest of the token, the manifest defining at least a portion of a communication path between components within the cloud platform, and in response: executing functionality responsive to the call.
Opening claim text (preview).
What is claimed is:

1. A computer-implemented method for secure access token forwarding between components in cloud platforms, the method being executed by one or more processors and comprising: receiving, from a first component and by a second component in a cloud platform, a first call, a token, and a first client certificate, the token comprising a field populated with a manifest as a set of client identifiers, the manifest being generated by a central identity and authentication service (IAS) of the cloud platform during creation of the token and defining legs of allowed communication paths between components within the cloud platform, at least one leg defined in the manifest comprising the first component and the second component, the token being received by the first component and being forwarded unchanged from the first component to the second component; determining, by the second component, a first client identifier associated with the first component, the first client identifier being determined from the first client certificate; and determining, by the second component, that the first client identifier is included in the manifest of the token, and in response, executing functionality responsive to the first call, wherein executing functionality responsive to the first call at least partially comprises transmitting, from the second component and to a third component, a second call with the token, wherein the token is provided to the first component in response to a request from the first component to a central identity and authentication service (IAS) of the cloud platform, the request including the first client certificate, and wherein the token comprises an open authentication (OAuth) client and the field comprises an audience field, and the first client certificate comprises a X.509 client certificate.

2. The method of claim 1, wherein the token is received by the first component from a third component.

3. The method of claim 1, wherein at least one client identifier in the set of client identifiers of the manifest represents an immediate dependency that is declared as an intent to use a component identified by the at least one client identifier.

4. The method of claim 1, wherein the first client certificate is provided during execution of a process to generate the token.

5. A non-transitory computer-readable storage medium coupled to one or more processors and having instructions stored thereon which, when executed by the one or more processors, cause the one or more processors to perform operations for secure access token forwarding between components in cloud platforms, the operations comprising: receiving, from a first component and by a second component in a cloud platform, a first call, a token, and a first client certificate, the token comprising a field populated with a manifest as a set of client identifiers, the manifest being generated by a central identity and authentication service (IAS) of the cloud platform during creation of the token and defining legs of allowed communication paths between components within the cloud platform, at least one leg defined in the manifest comprising the first component and the second component, the token being received by the first component and being forwarded unchanged from the first component to the second component; determining, by the second component, a first client identifier associated with the first component, the first client identifier being determined from the first client certificate; and determining, by the second component, that the first client identifier is included in the manifest of the token, and in response, executing functionality responsive to the first call, wherein executing functionality responsive to the first call at least partially comprises transmitting, from the second component and to a third component, a second call with the token, wherein the token is provided to the first component in response to a request from the first component to a central identity and authentication service (IAS) of the cloud platform, the request including the first client certificate, and wherein the token comprises an open authentication (OAuth) client and the field comprises an audience field, and the first client certificate comprises a X.509 client certificate.

6. The non-transitory computer-readable storage medium of claim 5, wherein the token is received by the first component from a third component.

7. The non-transitory computer-readable storage medium of claim 5, wherein at least one client identifier in the set of client identifiers of the manifest represents an immediate dependency that is declared as an intent to use a component identified by the at least one client identifier.

8. The non-transitory computer-readable storage medium of claim 5, wherein the first client certificate is provided during execution of a process to generate the token.

9. A system, comprising: a computing device; and a computer-readable storage device coupled to the computing device and having instructions stored thereon which, when executed by the computing device, cause the computing device to perform operations for natural language explanations for secure access token forwarding between components in cloud platforms, the operations comprising: receiving, from a first component and by a second component in a cloud platform, a first call, a token, and a first client certificate, the token comprising a field populated with a manifest as a set of client identifiers, the manifest being generated by a central identity and authentication service (IAS) of the cloud platform during creation of the token and defining legs of allowed communication paths between components within the cloud platform, at least one leg defined in the manifest comprising the first component and the second component, the token being received by the first component and being forwarded unchanged from the first component to the second component; determining, by the second component, a first client identifier associated with the first component, the first client identifier being determined from the first client certificate; and determining, by the second component, that the first client identifier is included in the manifest of the token, and in response, executing functionality responsive to the first call, wherein executing functionality responsive to the first call at least partially comprises transmitting, from the second component and to a third component, a second call with the token, wherein the token is provided to the first component in response to a request from the first component to a central identity and authentication service (IAS) of the cloud platform, the request including the first client certificate, and wherein the token comprises an open authentication (OAuth) client and the field comprises an audience field, and the first client certificate comprises a X.509 client certificate.

10. The system of claim 9, wherein the token is received by the first component from a third component.

11. The system of claim 9, wherein at least one client identifier in the set of client identifiers of the manifest represents an immediate dependency that is declared as an intent to use a component identified by the at least one client identifier.

12. The system of claim 9, wherein the first client certificate is provided during execution of a process to generate the token.
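The abstract and claims describe one mechanism: the IAS mints a token whose audience field carries a manifest (a set of client identifiers naming the legs of the allowed call path), each receiving component identifies its caller from the caller's mTLS client certificate rather than from anything in the token, refuses the call unless that caller is in the manifest, and then forwards the same unchanged token to the next leg. The following Python is an added illustration written for this page, not code from the patent or its assignee. It assumes several things the patent does not specify: the token is an HS256-signed JWT with a symmetric key shared between the IAS and verifiers (a real IAS would sign with an asymmetric key); X.509 certificates are replaced by a `ClientCert` stand-in whose "fingerprint" is the hash of placeholder bytes; a component maps a peer certificate to a client identifier through a hypothetical IAS registry lookup (`client_id_for`); and the IAS builds the manifest by expanding each client's declared immediate dependencies transitively (claim 3 only says the manifest may contain such declared dependencies). The client names `web`, `orders`, `billing` and `rogue` are constructed.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption: symmetric HS256 key shared by the IAS and all verifiers (illustration only).
IAS_SECRET = b"constructed-ias-signing-key"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class ClientCert:
    """Constructed stand-in for an X.509 client certificate presented over mTLS.

    A receiver only needs a stable identifier derived from the peer certificate; here it is
    the SHA-256 of placeholder bytes. With a real TLS stack you would hash the DER from
    ssl.SSLSocket.getpeercert(binary_form=True) instead.
    """

    def __init__(self, subject_cn: str):
        self.subject_cn = subject_cn
        self._der = f"placeholder-der:{subject_cn}".encode()  # not a real certificate

    def fingerprint(self) -> str:
        return hashlib.sha256(self._der).hexdigest()


class IAS:
    """Central identity and authentication service (hypothetical, simplified)."""

    def __init__(self):
        self._id_by_fingerprint = {}  # certificate fingerprint -> client identifier
        self._deps_by_id = {}         # client identifier -> declared immediate dependencies

    def register(self, client_id, cert, depends_on=()):
        self._id_by_fingerprint[cert.fingerprint()] = client_id
        self._deps_by_id[client_id] = list(depends_on)

    def client_id_for(self, cert):
        """Map a presented certificate to its client identifier; unknown certificates are refused."""
        try:
            return self._id_by_fingerprint[cert.fingerprint()]
        except KeyError:
            raise PermissionError("unknown client certificate") from None

    def issue_token(self, requester_cert, scope, ttl=300):
        """Mint a JWT whose 'aud' field is the manifest: requester plus declared dependencies, expanded transitively."""
        requester = self.client_id_for(requester_cert)
        manifest, todo = [], [requester]
        while todo:
            cid = todo.pop(0)
            if cid not in manifest:
                manifest.append(cid)
                todo.extend(self._deps_by_id.get(cid, []))
        now = int(time.time())
        header = {"alg": "HS256", "typ": "JWT"}
        payload = {"iss": "ias", "sub": requester, "aud": manifest, "scope": scope, "iat": now, "exp": now + ttl}
        signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
        sig = hmac.new(IAS_SECRET, signing_input.encode(), hashlib.sha256).digest()
        return signing_input + "." + _b64url(sig)


def verify_token(token):
    """Check the IAS signature and expiry; return the payload or raise PermissionError."""
    head, body, sig = token.split(".")
    expected = hmac.new(IAS_SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise PermissionError("bad token signature")
    payload = json.loads(_b64url_decode(body))
    if payload["exp"] < time.time():
        raise PermissionError("token expired")
    return payload


class Component:
    """A platform component that checks each incoming leg and forwards the token unchanged."""

    def __init__(self, client_id, cert, ias, downstream=None):
        self.client_id, self.cert, self.ias, self.downstream = client_id, cert, ias, downstream

    def handle(self, caller_cert, token, call):
        payload = verify_token(token)
        caller_id = self.ias.client_id_for(caller_cert)  # identity from the certificate, never from the token
        for who in (caller_id, self.client_id):
            if who not in payload["aud"]:
                raise PermissionError(f"{self.client_id}: {who} is not in manifest {payload['aud']}")
        hops = [f"{caller_id}->{self.client_id}:{call}"]
        if self.downstream is not None:
            hops += self.downstream.handle(self.cert, token, call)  # same token, next leg re-checks
        return hops


def demo():
    ias = IAS()
    certs = {cid: ClientCert(cid) for cid in ("web", "orders", "billing", "rogue")}
    ias.register("web", certs["web"], depends_on=["orders"])
    ias.register("orders", certs["orders"], depends_on=["billing"])
    ias.register("billing", certs["billing"])
    ias.register("rogue", certs["rogue"])  # a valid platform client, but on no declared path
    billing = Component("billing", certs["billing"], ias)
    orders = Component("orders", certs["orders"], ias, downstream=billing)
    token = ias.issue_token(certs["web"], scope="orders.write")
    path = orders.handle(certs["web"], token, "create order")
    try:  # a leaked token replayed by a component outside the manifest is refused at the first hop
        orders.handle(certs["rogue"], token, "create order")
        rogue_blocked = False
    except PermissionError:
        rogue_blocked = True
    head, body, sig = token.split(".")  # editing the manifest invalidates the IAS signature
    tampered = json.loads(_b64url_decode(body))
    tampered["aud"].append("rogue")
    try:
        orders.handle(certs["rogue"], f"{head}.{_b64url(json.dumps(tampered).encode())}.{sig}", "create order")
        forgery_blocked = False
    except PermissionError:
        forgery_blocked = True
    return {"manifest": verify_token(token)["aud"], "path": path,
            "rogue_blocked": rogue_blocked, "forgery_blocked": forgery_blocked}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The check worth noting is the one `handle` performs before doing any work: the caller's identifier is derived from the presented certificate and looked up in the token's audience list, so a token that leaks to a component with a valid platform certificate but no place on the declared path is still useless to it, and because the token is forwarded unchanged, every later leg repeats the same test with its own view of who is calling.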
using certificates (cryptographic mechanisms or cryptographic arrangements for entity authentication involving certificates H04L9/3263) · CPC title
based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint · CPC title
using an additional device, e.g. smartcard, SIM or a different communication terminal (cryptographic mechanisms or cryptographic arrangements for entity authentication involving additional secure or trusted devices H04L9/3234) · CPC title