Delegation Authorization Framework Based on OAuth 2.0

doi:10.3969/j.issn.1006-2475.2016.08.022

Abstract

Abstract: Authentication and authorization are the important technologies to ensure the secure access to the Web resources, and the delegation can strengthen the dynamicity, flexibility and scalability of authorization mechanism. OAuth (open authorization) 2.0 specification defines an open delegation authorization framework and is used in a wide variety of applications, but it is not applicative to the scenarios that require stronger security properties. By extending the functionalities of the OAuth 2.0, a secure delegation authorization framework for the Web application environment is proposed. In the proposed framework, the scheme of client authentication to the resource server is proposed based on the proof-of-possession (PoP) security mechanism, and the method to bind PoP key to PoP token is described. Finally, the related issues in the framework such as the overall architecture, the abstract implementation flow and the revocation of delegation are discussed in detail.

Key words: open authorization (OAuth) framework, delegation, authorization, authentication, proof-of-possession

CLC Number:

TP309

SHEN Hai-bo. Delegation Authorization Framework Based on OAuth 2.0[J]. Computer and Modernization, doi: 10.3969/j.issn.1006-2475.2016.08.022.

References

[1] 郭亚军,宋建华李莉. 信息安全原理与技术[M]. 北京:清华大学出版社, 2008:160-175.,

[2] 常彦德基于角色的访问控制技术研究进展[J]. 计算机与现代化, 2011(12):5-8..

[3] 沈海波,洪帆. 基于属性的授权和访问控制研究[J]. 计算机应用, 2007,27(1):114-117.

[4] Gusmeroli S, Piccione S, Rotondi D. A capability-based security approach to manage access control in the Internet of Things[J]. Mathematical and Computer Modelling, 2013,58(5-6):1189-1205.

[5] Pham Q, Reid J, McCullagh A, et al. On a taxonomy of delegation[J]. Computers and Security, 2010,29(5):565-579.

[6] 袁家斌,魏利利,曾青华. 面向移动终端的云计算跨域访问委托模型[J]. 软件学报, 2013,24(3):564-574.

[7] 吴槟,冯登国. 多域环境下基于属性的授权委托模型[J]. 软件学报, 2011,22(7):1661-1675.

[8] RFC 6749, The OAuth 2.0 Authorization Framework[S].

[9] 时子庆,刘金兰,谭晓华. 基于OAuth2.0的认证授权技术[J]. 计算机系统应用, 2012,21(3):260-264.

[10] 卢慧锋,赵文涛,孙志峰,等. 社会化网络服务中OAuth 2.0的应用研究与实现[J]. 计算机应用, 2014,34(S1):50-54.

[11] RFC 6750, The OAuth 2.0 Authorization Framework: Bearer Token Usage[S].

[12] RFC 6819, OAuth 2.0 Threat Model and Security Considerations[S].

[13] WS-Trust 1.4, Web Services Trust Language (WS-Trust) 1.4[S].

[14] Hunt P, Richer J, Mills W, et al. OAuth 2.0 Proof-of-Possession (PoP) Security Architecture[EB/OL]. https://datatracker.ietf.org/doc/draft-ietf-oauth-pop-architecture/, 2015-12-01.

[15] RFC 7159, The JavaScript Object Notation (JSON) Data Interchange Format[S].

[16] RFC 7523, JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants[S].

[17] RFC 7517, JSON Web Key (JWK)[S].

[18] RFC 7518, JSON Web Algorithms (JWA)[S].