Article: Unified singular protocol flow for OAuth ecosystem Journal: International Journal of Information and Computer Security (IJICS) 2024 Vol.25 No.1/2 pp.53 - 77 Abstract: OAuth 2.0 is a popular authorisation framework that allows third-party clients such as websites and mobile apps to request limited access to a user's account on another application. The specification classifies clients into different types based on their ability to keep client credentials confidential. It also describes different grant types for obtaining access to the protected resources, with the authorisation code and implicit grants being the most commonly used. Each client type and associated grant type have their unique security and usability considerations. In this paper, we propose a new approach for OAuth ecosystem that combines different client and grant types into a unified singular protocol flow for OAuth (USPFO), which can be used by both confidential and public clients. This approach aims to reduce the vulnerabilities associated with implementing and configuring different client types and grant types. Additionally, it provides built-in protections against known OAuth 2.0 vulnerabilities such as client impersonation, token thefts and replay attacks through integrity, authenticity, and audience binding. The proposed USPFO is largely compatible with existing Internet Engineering Task Force (IETF) Proposed Standard Request for Comments (RFCs), OAuth 2.0 extensions and active internet drafts. Inderscience Publishers - linking academia, business and industry through research

Title: Unified singular protocol flow for OAuth ecosystem

Authors: Jaimandeep Singh; Naveen Kumar Chaudhary

Addresses: National Forensic Sciences University, Gandhinagar, India ' National Forensic Sciences University, Gandhinagar, India

Abstract: OAuth 2.0 is a popular authorisation framework that allows third-party clients such as websites and mobile apps to request limited access to a user's account on another application. The specification classifies clients into different types based on their ability to keep client credentials confidential. It also describes different grant types for obtaining access to the protected resources, with the authorisation code and implicit grants being the most commonly used. Each client type and associated grant type have their unique security and usability considerations. In this paper, we propose a new approach for OAuth ecosystem that combines different client and grant types into a unified singular protocol flow for OAuth (USPFO), which can be used by both confidential and public clients. This approach aims to reduce the vulnerabilities associated with implementing and configuring different client types and grant types. Additionally, it provides built-in protections against known OAuth 2.0 vulnerabilities such as client impersonation, token thefts and replay attacks through integrity, authenticity, and audience binding. The proposed USPFO is largely compatible with existing Internet Engineering Task Force (IETF) Proposed Standard Request for Comments (RFCs), OAuth 2.0 extensions and active internet drafts.

Keywords: OAuth 2.0; unified singular protocol flow for OAuth; USPFO; unified protocol flow; authorisation framework; client impersonation; security; vulnerabilities; authentication; OAuth extensions; internet standards; Proof Key for Code Exchange; PKCE; JSON Web Signature; JWS; Pushed Authorization Requests; PAR; Demonstrating Proof-of-Possession; DPoP.

DOI: 10.1504/IJICS.2024.142691

International Journal of Information and Computer Security, 2024 Vol.25 No.1/2, pp.53 - 77

Received: 16 Apr 2023
Accepted: 13 Nov 2023
Published online: 18 Nov 2024 *

Full-text access for editors Full-text access for subscribers Purchase this article Comment on this article

Title: Unified singular protocol flow for OAuth ecosystem

Keep up-to-date