OAuth 2.0 authorization using blockchain-based tokens
This addresses security and management issues in OAuth 2.0 authorization for integrators and users, though it is incremental as it builds on existing protocols.
The paper tackles the problem of OAuth 2.0 access tokens lacking standardized security features by proposing a blockchain-based token that supports proof-of-possession, auditing, and accountability, with a proof-of-concept implemented using Ethereum smart contracts and ERC-721.
OAuth 2.0 is the industry-standard protocol for authorization. It facilitates secure service provisioning, as well as secure interoperability among diverse stakeholders. All OAuth 2.0 protocol flows result in the creation of an access token, which is then used by a user to request access to a protected resource. Nevertheless, the definition of access tokens is transparent to the OAuth 2.0 protocol, which does not specify any particular token format, how tokens are generated, or how they are used. Instead, the OAuth 2.0 specification leaves all these as design choices for integrators. In this paper, we propose a new type of OAuth 2.0 token backed by a distributed ledger. Our construction is secure, and it supports proof-of-possession, auditing, and accountability. Furthermore, we provide added-value token management services, including revocation, delegation, and fair exchange by leveraging smart contracts. We realized a proof-of-concept implementation of our solution using Ethereum smart contracts and the ERC-721 token specification.