Capability-based access control for multi-tenant systems using OAuth 2.0 and Verifiable Credentials

04/23/2021
by Nikos Fotiou, et al.

We propose a capability-based access control technique for sharing Web resources, based on Verifiable Credentials (VCs) and OAuth 2.0. VCs are a secure means for expressing claims about a subject. Although VCs are ideal for encoding capabilities, the lack of standards for exchanging and using VCs impedes their adoption and limits their interoperability. We mitigate this problem by integrating VCs into the OAuth 2.0 authorization flow. To this end, we propose a new form of OAuth 2.0 access token based on VCs. Our approach leverages JSON Web Tokens (JWT) to encode VCs and takes advantage of JWT-based mechanisms for proving VC possession. Our solution not only requires minimal changes to existing OAuth 2.0 code bases, but it also removes some of the complexity of verifying VC claims by relying on JSON Web Signatures: a simple, standardized, and well-supported signature format. Additionally, we fill the gap in VC generation processes by defining a new protocol that leverages the OAuth 2.0 "client credentials" grant.


