Abstract
OAuth was created to simplify delegated authorization. It is a protocol that lets a client access a user's resources held by a third-party web site or application without exposing the user's identity or credentials: the user grants access rights without handing those credentials to the third party. Using the token issued by the Authorization Server, the client gains access to resources on the Resource Server. In the current standards, however, the restrictions on token usage are not clearly defined. Although a token expiration time is specified, in practice a malicious client can still reuse the token to access the Resource Server. Existing token revocation is carried out by the client, which sends a revocation request to the Authorization Server only when a special case occurs, such as a logout or a change of identity by the resource owner. No revocation happens when malicious code targets the Resource Server. This paper proposes a method for revoking a token by having the Resource Server request revocation when it observes abnormal behavior performed with that token.
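To make the proposed flow concrete, the following is an added example (it is not code from the paper or from any project the paper describes). It simulates an Authorization Server that issues tokens, answers introspection and accepts RFC 7009-style revocation requests, and a Resource Server that, instead of waiting for the client to revoke, reports a token to the Authorization Server as soon as it sees it misused. The anomaly rules (a scope violation, use of one token from more than one client address within a short window, or a request burst), the `reason` field on the revocation request, the addresses, timestamps and scopes are all constructed assumptions for illustration; only the `token` / `token_type_hint` request shape follows RFC 7009.

```python
# Added example, not from the paper: a resource server that detects abnormal
# use of an access token and asks the authorization server to revoke it.
# Constructed offline simulation. The anomaly rules and the "reason" field
# are assumptions, not something the paper or RFC 7009 specifies.
import secrets
import time
from dataclasses import dataclass


@dataclass
class AccessToken:
    value: str
    client_id: str
    scope: set
    expires_at: float
    revoked: bool = False


class AuthorizationServer:
    """Issues bearer tokens, answers introspection (RFC 7662 shape) and
    accepts revocation requests (RFC 7009 shape: token, token_type_hint)."""

    def __init__(self):
        self.tokens = {}
        self.revocation_log = []  # (token value, reported reason)

    def issue(self, client_id, scope, now=None, lifetime=3600):
        now = time.time() if now is None else now
        tok = AccessToken(secrets.token_urlsafe(24), client_id, set(scope), now + lifetime)
        self.tokens[tok.value] = tok
        return tok.value

    def introspect(self, token, now=None):
        now = time.time() if now is None else now
        t = self.tokens.get(token)
        if t is None or t.revoked or now >= t.expires_at:
            return {"active": False}
        return {"active": True, "client_id": t.client_id, "scope": " ".join(sorted(t.scope))}

    def revoke(self, form):
        # RFC 7009: answer 200 whether or not the token is known, so the
        # endpoint cannot be used to probe which token values are valid.
        t = self.tokens.get(form.get("token"))
        if t is not None:
            t.revoked = True
            self.revocation_log.append((t.value, form.get("reason")))
        return 200


class ResourceServer:
    """Serves protected resources and reports anomalous token use."""

    def __init__(self, auth_server, burst_limit=5, window=1.0):
        self.auth = auth_server
        self.burst_limit = burst_limit  # assumed policy values
        self.window = window
        self.history = {}  # token value -> [(timestamp, client_ip), ...]

    def _detect(self, token, info, required_scope, now):
        if required_scope not in info["scope"].split():
            return "scope_violation"
        recent = [e for e in self.history[token] if now - e[0] <= self.window]
        if len({ip for _, ip in recent}) > 1:
            return "multiple_origins"
        if len(recent) > self.burst_limit:
            return "burst"
        return None

    def handle(self, token, client_ip, required_scope, now=None):
        """HTTP-style status: 200 served, 401 token inactive, 403 anomaly (token revoked)."""
        now = time.time() if now is None else now
        info = self.auth.introspect(token, now)
        if not info["active"]:
            return 401
        self.history.setdefault(token, []).append((now, client_ip))
        reason = self._detect(token, info, required_scope, now)
        if reason is not None:
            # The resource server, not the client, requests revocation.
            # "reason" is a hypothetical extension parameter.
            self.auth.revoke({"token": token, "token_type_hint": "access_token", "reason": reason})
            return 403
        return 200


def run_scenarios():
    """Three constructed scenarios; returns the status codes observed."""
    auth = AuthorizationServer()
    rs = ResourceServer(auth)
    t0 = 1_000.0
    out = {}

    # 1. Token bound to photos:read is used for a write: revoked on the spot.
    tok = auth.issue("client-a", ["photos:read"], now=t0)
    out["scope"] = [rs.handle(tok, "10.0.0.1", "photos:read", t0 + 0.1),
                    rs.handle(tok, "10.0.0.1", "photos:write", t0 + 0.2),
                    rs.handle(tok, "10.0.0.1", "photos:read", t0 + 0.3)]

    # 2. Same token presented from two client addresses inside one window.
    tok = auth.issue("client-b", ["photos:read"], now=t0)
    out["origins"] = [rs.handle(tok, "10.0.0.1", "photos:read", t0 + 0.1),
                      rs.handle(tok, "192.0.2.7", "photos:read", t0 + 0.2)]

    # 3. Burst: the sixth request inside the window trips the limit.
    tok = auth.issue("client-c", ["photos:read"], now=t0)
    out["burst"] = [rs.handle(tok, "10.0.0.1", "photos:read", t0 + i * 0.1) for i in range(7)]
    out["revocations"] = [reason for _, reason in auth.revocation_log]
    return out


if __name__ == "__main__":
    print(run_scenarios())
```

Once the Resource Server has reported the token, every later request with it fails introspection (401), regardless of its remaining lifetime; that is the gap in expiry-only enforcement the abstract points at. The thresholds and the per-address rule are illustrative policy and would need tuning against real traffic before they could be used for automatic revocation.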
Acknowledgement
This research was supported by the MSIP (Ministry of Science, ICT and Future Planning), Korea, under the ITRC (Information Technology Research Center) support program (IITP-2015-H8501-15-1008) supervised by the IITP (Institute for Information & communications Technology Promotion).
This work was supported by the IT R&D program of ATC under the MOTIE/KEIT [10045904, The development of Fundamental Technology for Security as a Service (SecaaS) Framework under cloud computing environment and the implementation of 1 Gbps mobile data loss prevention (DLP) service based on the SecaaS Framework].
Copyright information
© 2016 Springer International Publishing Switzerland
Cite this paper
Park, J., Kim, J., Park, M., Jung, S. (2016). A Study of OAuth 2.0 Risk Notification and Token Revocation from Resource Server. In: Kim, Hw., Choi, D. (eds) Information Security Applications. WISA 2015. Lecture Notes in Computer Science, vol 9503. Springer, Cham. https://doi.org/10.1007/978-3-319-31875-2_23
DOI: https://doi.org/10.1007/978-3-319-31875-2_23
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-31874-5
Online ISBN: 978-3-319-31875-2