Continuous authorization over HTTP using Verifiable Credentials and OAuth 2.0

We design, implement, and evaluate a solution for achieving continuous authorization of HTTP requests exploiting Verifiable Credentials (VCs) and OAuth 2.0. Specifically, we develop a VC issuer that acts as an OAuth 2.0 authorization server, a VC verifier that transparently protects HTTP-based resources, and a VC wallet implemented as a browser extension capable of injecting the necessary authentication data in HTTP requests without needing user intervention. Our approach is motivated by recent security paradigms, such as the Zero Trust architecture, that require authentication and authorization of every request and it is tailored for HTTP-based services, accessed using a web browser. Our solution leverages JSONWeb Tokens and JSONWeb Signatures for encoding VCs and protecting their integrity, achieving this way interoperability and security. VCs in our system are bound to a user-controlled public key or a Decentralized Identifier, and mechanisms for proving possession are provided. Finally, VCs can be easily revoked.

Fotiou, Nikos; Faltaka, Evgenia; Kalos, Vasilis; Kefala, Anna; Pittaras, Iakovos; Siris, Vasilios A.; Polyzos, George C. (2022): Continuous authorization over HTTP using Verifiable Credentials and OAuth 2.0. Open Identity Summit 2022. DOI: 10.18420/OID2022_03. Bonn: Gesellschaft für Informatik e.V.. PISSN: 1617-5468. ISBN: 978-3-88579-719-7. pp. 39-50. Regular Research Papers. Copenhagen, Denmark. 07.-08. July 2022

Schlagwörter

Access control , Authentication , Zero Trust

DOI

10.18420/OID2022_03

Sammlungen

P325 - Open Identity Summit 2022

Komplettanzeige

Continuous authorization over HTTP using Verifiable Credentials and OAuth 2.0

Volltext URI

Dokumententyp

Dateien

Zusatzinformation

Datum

Autor:innen

Zeitschriftentitel

ISSN der Zeitschrift

Bandtitel

Quelle

Verlag

Zusammenfassung

Beschreibung

Schlagwörter

Zitierform

DOI

Tags

Sammlungen