Mechanisms are provided for computing resource access security in which a credential of a user agent is authenticated to determine if the user agent is associated with an entity for which an attribute based encryption (ABE) key is to be generated. If so, an ABE key is generated and provided which corresponds to a set of attributes of the entity. Token issuance logic receives a token request and the ABE key from a relying party computing device and executes a decryption operation on locking metadata associated with at least one attribute value based on the ABE key. The token issuance logic, in response to the decryption operation successfully decrypting the locking metadata, issues a generated token to the relying party computing device based on the at least one attribute value. The relying party computing device accesses the computing resources using the generated token.