CRAug 31, 2018
Role of Trust in OAuth 2.0 and OpenID ConnectKavindu Dodanduwa, Ishara Kaluthanthri
OAuth 2.0 is a framework for authorization. Being a framework, OAuth 2.0 allows extensions to build on top of it. OpenID Connect is one such extension which adds authentication layer using identity details. OAuth 2.0 define several roles that are required to complete the protocol. Both OAuth 2.0 and OpenID Connect involve interactions between these roles. These interactions require a pre-established trust or a trust establishment while protocol operate. This paper analyzes trust establishments between OAuth 2.0 roles and discuss important aspects of them. Such analysis is required for proper understanding of the protocols.
CRJul 29, 2018
Trust-Based Identity Sharing For Token GrantsKavindu Dodanduwa, Ishara Kaluthanthri
Authentication and authorization are two key elements of a software application. In modern day, OAuth 2.0 framework and OpenID Connect protocol are widely adopted standards fulfilling these requirements. These protocols are implemented into authorization servers. It is common to call these authorization servers as identity servers or identity providers since they hold user identity information. Applications registered to an identity provider can use OpenID Connect to retrieve ID token for authentication. Access token obtained along with ID token allows the application to consume OAuth 2.0 protected resources. In this approach, the client application is bound to a single identity provider. If the client needs to consume a protected resource from a different domain, which only accepts tokens of a defined identity provider, then the client must again follow OpenID Connect protocol to obtain new tokens. This requires user identity details to be stored in the second identity provider as well. This paper proposes an extension to OpenID Connect protocol to overcome this issue. It proposes a client-centric mechanism to exchange identity information as token grants against a trusted identity provider. Once a grant is accepted, resulting token response contains an access token, which is good enough to access protected resources from token issuing identity provider's domain.