Authentication specific data
US-2016380992-A1 · Dec 29, 2016 · US
US9779233B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-9779233-B2 |
| Application number | US-201514639713-A |
| Country | US |
| Kind code | B2 |
| Filing date | Mar 5, 2015 |
| Priority date | Mar 5, 2015 |
| Publication date | Oct 3, 2017 |
| Grant date | Oct 3, 2017 |
Official abstract text for this publication.
A system and method that grants a token to authenticate a user requesting access to an application in a domain is disclosed. The method includes receiving a response from an identity (ID) provider in a second domain responsive to a first request from a user to access an application provided by an application server in a first domain, the response indicating the authenticity of the user in the second domain, randomly selecting a first key and a second key from a key store, generating a secret by randomly permuting the first key and the second key, generating a signature by signing user information associated with the user using the secret, generating an authentication token including the signature, determining whether the authentication token is valid, and responsive to determining that the authentication token is valid, granting access to the first application to the user based on the authentication token.
Opening claim text (preview).
What is claimed is:
1. A computer-implemented method comprising: receiving, with one or more processors, a response from an identity provider in a second domain responsive to a first request from a user to access an application provided by an application server in a first domain, the response indicating the authenticity of the user in the second domain; randomly selecting a first key and a second key from a key store; generating, with the one or more processors, a secret by randomly permuting the first key and the second key; generating, with the one or more processors, a signature by signing user information associated with the user using the secret; determining whether there is a user role associated with the user in the first domain; responsive to determining that there is the user role associated with the user in the first domain, generating an authentication token including the signature and index information for generating a refresh token associated with the authentication token, the authentication token being associated with a time frame; dividing the time frame associated with the authentication token into a plurality of time slots; receiving a request for the refresh token from the application server in the first domain; determining whether a receiving time of the request for the refresh token is within a first time slot in the plurality of time slots; and responsive to determining that the receiving time of the request for the refresh token is within the first time slot in the plurality of time slots, generating the refresh token associated with the authentication token using the index information, the refresh token being valid during the first time slot.
2. The method of claim 1, wherein the authentication token is used for both session-based and session-less authentication.
3. The method of claim 1, wherein generating the authentication token including the signature is independent from an authentication scheme utilized by the identity provider.
4. The method of claim 1, comprising: determining, at the application server, whether the authentication token is valid; and responsive to determining that the authentication token is valid, granting, at the application server, access to the application to the user based on the authentication token.
5. The method of claim 4, wherein determining, at the application server, whether the authentication token is valid comprises: reforming a secret based on first information included in the authentication token; reforming a signature by signing second information included in the authentication token using the reformed secret; comparing, with the one or more processors, the reformed signature with the signature included in the authentication token; and determining whether the authentication token is valid based on the comparison.
6. The method of claim 4, wherein determining, at the application server, whether the authentication token is valid comprises comparing a current token time with a token presenting time included in the authentication token.
7. The method of claim 1, comprising updating a version of the key store, and wherein randomly selecting the first key and the second key is based on the updated version of the key store.
8. The method of claim 1, wherein the key store is shared with a trusted group using a two-way transport layer security protocol.
9. The method of claim 1, comprising: authenticating the user in the second domain at the identity provider; generating, by the identity provider, the response indicating the authenticity of the user in the second domain; and redirecting the response from the identity provider to an authentication server.
10. The method of claim 9, wherein authenticating the user in the second domain is based on a federated identity authentication approach.
11. The method of claim 1, wherein the user role represents a level of access in the application provided by the application server in the first domain.
12. The method of claim 1, wherein the first request is received from the user using a browser and the refresh token is generated for a second request received from the user via the browser, the method further comprising: determining whether the refresh token is valid; and responsive to determining that the refresh token is valid, granting access to the user for the second request.
13. A system comprising: one or more processors; the one or more processors configured to: receive a response from an identity provider in a second domain responsive to a first request from a user to access an application provided by an application server in a first domain, the response indicating the authenticity of the user in the second domain; randomly select a first key and a second key from a key store; generate a secret by randomly permuting the first key and the second key; generate a signature by signing user information associated with the user using the secret; determine whether a user role associated with the user is present in the first domain; responsive to determining that the user role associated with the user is present in the first domain, generate an authentication token including the signature and index information for generating a refresh token associated with the authentication token, the authentication token being associated with a time frame; divide the time frame associated with the authentication token into a plurality of time slots; receive a request for the refresh token from the application server in the first domain; determine whether a receiving time of the request for the refresh token is within a first time slot in the plurality of time slots; and responsive to determining that the receiving time of the request for the refresh token is within the first time slot in the plurality of time slots, generate the refresh token associated with the authentication token using the index information, the refresh token being valid during the first time slot.
14. The system of claim 13, wherein the application server having a processor and memory, the application server configured to: determine whether the authentication token is valid; and responsive to determining that the authentication token is valid, grant access to the application to the user based on the authentication token.
15. The system of claim 13, wherein the application server is also configured to determine whether the authentication token is valid by: reforming a secret based on first information included in the authentication token; reforming a signature by signing second information included in the authentication token using the reformed secret; comparing the reformed signature with the signature included in the authentication token; and determining whether the authentication token is valid based on the comparison.
16. The system of claim 13, wherein the application server is also configured to determine whether the authentication token is valid by comparing a current token time with a token presenting time included in the authentication token.
17. The system of claim 13, wherein the one or more processors are further configured to update a version of the key store, and wherein randomly selecting the first key and the second key is based on the updated version of the key store.
18. The system of claim 13, wherein the identity provider having a processor and memory, the identity provider configured to: authenticate the user in the second domain; generate the response indicating the authenticity of the user in the second domain; and s
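To make the token mechanism of the abstract and claims concrete, here is an added Python sketch (not code from the patent or its assignee): the token carries only index information (key-store version, two key indices and their order), the application server reforms the secret from that information and recomputes the signature, and refresh tokens are bound to the time slot of the token's time frame in which the request arrives. HMAC-SHA256 as the signing primitive, the JSON/base64 token layout, equal-length slots, the KEY_STORE dict and all function names are assumptions for illustration.

```python
import base64, hashlib, hmac, json, secrets

# Constructed key store: version -> list of random 32-byte keys (the claims' "key store").
KEY_STORE = {1: [secrets.token_bytes(32) for _ in range(8)]}

def reform_secret(info):
    # Rebuild the secret from index info alone: two store keys joined in the chosen order.
    ver, i, j, order = (info.get(k) for k in ("ver", "i", "j", "order"))
    if any(type(x) is not int for x in (ver, i, j, order)) or ver not in KEY_STORE:
        return None
    keys = KEY_STORE[ver]
    if not (0 <= i < len(keys) and 0 <= j < len(keys) and order in (0, 1)):
        return None
    return keys[i] + keys[j] if order == 0 else keys[j] + keys[i]

def issue_token(user, role, issued_at, time_frame, slots, ver=1):
    if role is None:  # no user role in the first domain, no token
        return None
    n = len(KEY_STORE[ver])
    info = {"user": user, "role": role, "iat": issued_at, "ttl": time_frame, "slots": slots,
            "ver": ver, "i": secrets.randbelow(n), "j": secrets.randbelow(n), "order": secrets.randbelow(2)}
    payload = json.dumps(info, sort_keys=True).encode()
    sig = hmac.new(reform_secret(info), payload, hashlib.sha256).digest()
    return ".".join(base64.urlsafe_b64encode(x).decode() for x in (payload, sig))

def _parse(token):
    try:
        payload, sig = (base64.urlsafe_b64decode(x) for x in token.split(".", 1))
        info = json.loads(payload)
        return (payload, info, sig) if isinstance(info, dict) else None
    except (ValueError, TypeError, AttributeError):
        return None

def validate_token(token, now):
    # Reform the secret from the token's own index info, recompute and compare the signature
    # in constant time, then check the token's time frame against the current time.
    parsed = _parse(token)
    if parsed is None or (secret := reform_secret(parsed[1])) is None:
        return False
    payload, info, sig = parsed
    if not hmac.compare_digest(hmac.new(secret, payload, hashlib.sha256).digest(), sig):
        return False
    return info["iat"] <= now < info["iat"] + info["ttl"]

def refresh_token(token, now):
    # The time frame is split into equal slots; the refresh token is derived from the same
    # index info and bound to the slot the request arrives in, so it is valid only in that slot.
    if not validate_token(token, now):
        return None
    payload, info, _ = _parse(token)
    slot = int((now - info["iat"]) * info["slots"] // info["ttl"])
    return slot, hmac.new(reform_secret(info), payload + b"|slot=%d" % slot, hashlib.sha256).hexdigest()
```

Because the secret is reformed from the index information the token itself carries, any tampering with those indices changes the reformed secret and the recomputed signature no longer matches.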
Structures or tools for the administration of authentication · CPC title
for key exchange, e.g. in peer-to-peer networks (cryptographic mechanisms or cryptographic arrangements for key agreement H04L9/0838) · CPC title
User authentication · CPC title
using passwords (cryptographic mechanisms or cryptographic arrangements for entity authentication using a predetermined code H04L9/3226) · CPC title
providing single-sign-on or federations · CPC title