A Secure Token-Based Communication for Authentication and Authorization Servers
Today, software projects often have several independent subsystems that provide resources to clients. To protect all subsystems from unauthorized access, the mechanisms proposed in the OAuth2.0 framework and the OpenID standard are often used. The communication between the servers described in the OAuth2.0 framework must be encrypted. Usually, this is achieved using Transport Layer Security (TLS), but administrators can forget to activate this protocol in the server configuration, which leaves the whole system vulnerable. Neither the developer nor the user of the system is able to check whether the communication between servers is secure. This paper presents a way to ensure secure communication between authentication, authorization, and resource servers without relying on a correct server configuration. For this purpose, it introduces an additional encryption of the transmitted tokens that secures the transmission independently of the server configuration. Further, this paper introduces the Central Authentication & Authorization System (CAAS), an implementation of the OpenID standard and the OAuth2.0 framework that uses the token encryption presented here.
Keywords: OpenID, OAuth2.0, Security, Authentication, Authorization, Token Encryption
This work was done as part of several projects by the authors during their stay at the Institute for Application Oriented Knowledge Processing at the Johannes Kepler University in Linz.
The research leading to these results has partly received funding from the European Union Seventh Framework Programme (FP7/2007–2013) under grant agreement no. 604659.
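As an added illustration (not the paper's CAAS implementation, whose scheme the abstract does not detail), the following Go example shows the principle of an application-layer token encryption that holds regardless of whether TLS was enabled between the servers: the issuing server seals an access token with AES-GCM under a key shared with the receiving resource server and binds the intended audience, and the receiver rejects anything sealed with a wrong key, addressed to a different audience, or altered in transit. The function names, the demo key and the audience labels are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// newTokenCipher builds an AES-GCM AEAD from the key the two servers share.
func newTokenCipher(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealToken encrypts a token as nonce || ciphertext || tag. The audience is bound
// as additional authenticated data, so a ciphertext replayed to another server fails to open.
func sealToken(aead cipher.AEAD, audience, token string) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, []byte(token), []byte(audience)), nil
}

// openToken reverses sealToken; a wrong key, wrong audience or a flipped bit is rejected.
func openToken(aead cipher.AEAD, audience string, sealed []byte) (string, error) {
	n := aead.NonceSize()
	if len(sealed) < n {
		return "", fmt.Errorf("sealed token too short: %d bytes", len(sealed))
	}
	pt, err := aead.Open(nil, sealed[:n], sealed[n:], []byte(audience))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed demo key; provision real keys out of band
	aead, _ := newTokenCipher(key)
	sealed, _ := sealToken(aead, "resource-server-a", "demo-access-token")
	tok, err := openToken(aead, "resource-server-a", sealed)
	fmt.Println(tok, err)
	_, err = openToken(aead, "resource-server-b", sealed)
	fmt.Println("wrong audience:", err)
}
```

The second call to openToken fails authentication because the audience used as associated data differs, which is the property that stops a token sealed for one resource server from being presented to another.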