Reference Monitors for Security and Interoperability in OAuth 2.0

  • Conference paper
  • Book: Data Privacy Management and Autonomous Spontaneous Security (DPM 2013, SETOP 2013)

Abstract

OAuth 2.0 is a recent IETF standard devoted to providing authorization to clients requiring access to specific resources over HTTP. It has been pointed out that this framework is potentially subject to security issues, as well as difficulties concerning the interoperability between protocol participants and application evolution. As we show in this paper, there are indeed multiple reasons that make this protocol hard to implement and impede interoperability in the presence of different kinds of client. Our main contribution consists in a framework that harnesses a type-based policy language and aspect-based support for protocol adaptation through flexible reference monitors in order to handle security, interoperability and evolution issues of OAuth 2.0. We apply our framework in the context of three scenarios that make explicit variations in the protocol and show how to handle those issues.

This work has been partially supported by the CESSA ANR project (ANR 09-SEGI-002-01, http://cessa.gforge.inria.fr) and the A4Cloud project (FP7 317550, http://www.a4cloud.eu/).


Notes

  1. See, e.g., Hammer: http://hueniverse.com/2012/07/oauth-2-0-and-the-road-to-hell.


Author information

Corresponding author

Correspondence to Jean-Claude Royer.

Subtyping Rules and Endpoint Types Tables

Table 1 presents the main subtyping rules required in this paper, and Table 2 gives the endpoint types (without the refresh token option) in ACF. In these tables, X.name denotes a provided service named name from agent X. The notation X.name (<numbering>) corresponds to a required endpoint connected to X.name.

Table 1. Main subtyping rules
Table 2. ACF provided and required endpoint types table

Copyright information

© 2014 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Cherrueau, R.-A. et al. (2014). Reference Monitors for Security and Interoperability in OAuth 2.0. In: Garcia-Alfaro, J., Lioudakis, G., Cuppens-Boulahia, N., Foley, S., Fitzgerald, W. (eds) Data Privacy Management and Autonomous Spontaneous Security. DPM SETOP 2013. Lecture Notes in Computer Science, vol 8247. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-54568-9_15

  • DOI: https://doi.org/10.1007/978-3-642-54568-9_15

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-54567-2

  • Online ISBN: 978-3-642-54568-9

  • eBook Packages: Computer Science, Computer Science (R0)