Access Control and Authorization Techniques w.r.t. Client Applications

Part of the Algorithms for Intelligent Systems book series (AIS)

Abstract

This paper discusses the security requirements for provisioning, authenticating and authorizing client applications before external client applications are allowed to access business-critical applications. It describes how an access request should be authenticated, authorized and honoured: once a business application receives a request from an external client application, how that request should be securely processed before an access response is returned to the client. The paper collects numerous security best practices for provisioning, authenticating and authorizing client applications, with particular emphasis on mobile native applications, which are stateless in nature, and covers various implementation techniques of the OAuth 2.0 specification workflow.

Keywords

  • Public clients
  • Stateless applications
  • Mobile native applications
  • Single page applications (SPA)
  • Signing JWT tokens
  • Self-contained access tokens
  • Public key infrastructure (PKI)
  • Mutual TLS authenticated certificate-bound access tokens
  • Proof key for code exchange (PKCE)
  • Device code authorization grant
  • Secure identity provisioning
  • Authenticating public clients
  • Authorizing public clients
  • Identity and access management (Org. IAM)

  • DOI: 10.1007/978-981-16-6460-1_2
  • Chapter length: 22 pages
  • ISBN: 978-981-16-6460-1
Fig. 1 (Source: references [6, 12, 13, 15]; Microsoft threat model prepared by the author [unpublished manuscript])

Fig. 2 (Source: references [3, 5, 6, 7, 8, 13, 15])

Fig. 3 (Source: references [4, 15])

Fig. 4 (Source: references [2, 9, 15])

Fig. 5 (Source: references [1, 10, 14, 15])

References

  1. B. Campbell (Ping Identity), J. Bradley (Yubico), N. Sakimura (Nomura Research Institute), T. Lodderstedt (YES.com AG): OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens. IETF RFC 8705, February 2020. https://tools.ietf.org/

  2. W. Denniss (Google), J. Bradley (Ping Identity), M. Jones (Microsoft), H. Tschofenig (ARM Limited): OAuth 2.0 Device Authorization Grant. IETF RFC 8628, August 2019. https://tools.ietf.org/

  3. W. Denniss (Google), J. Bradley (Ping Identity): OAuth 2.0 for Native Apps. IETF RFC 8252, October 2017. https://tools.ietf.org/

  4. N. Sakimura, Ed. (Nomura Research Institute), J. Bradley (Ping Identity), N. Agarwal (Google): Proof Key for Code Exchange by OAuth Public Clients. IETF RFC 7636, September 2015. https://tools.ietf.org/

  5. M. Jones (Microsoft), J. Bradley (Ping Identity), N. Sakimura (NRI): JSON Web Signature (JWS). IETF RFC 7515, May 2015. https://tools.ietf.org/

  6. D. Hardt, Ed. (Microsoft): The OAuth 2.0 Authorization Framework. IETF RFC 6749, October 2012. https://tools.ietf.org/

  7. J. Nallathamby: A Primer on OAuth 2.0 for Client-Side Applications. 25 May 2020. https://wso2.com/library/articles

  8. D. Blevins (Tomitribe Resources): Deconstructing REST Security. 11 April 2017. https://www.tomitribe.com/resources/

  9. S. Brady: An Introduction to the OAuth Device Flow. 27 March 2018. https://www.scottbrady91.com/OAuth/An-Introduction-to-the-OAuth-Device-Flow

  10. Issuing mutual-TLS certificate-bound access tokens. Authlete Knowledge Base. https://kb.authlete.com/

  11. JSON Web Token (JWT): An overview. Siddha Development Research and Consultancy (SDRC), enabling social change.

  12. Microsoft Threat Modeling Tool overview. Azure, Microsoft Docs, 16 February 2017.

  13. R. Shekh-Yusef (Auth0), C. Holmberg (Ericsson), V. Pascual (Nokia): Third-Party Token-Based Authentication and Authorization for Session Initiation Protocol (SIP). IETF RFC 8898, September 2020. https://tools.ietf.org/

  14. D. Cooper (NIST), S. Santesson (Microsoft), S. Farrell (Trinity College Dublin), S. Boeyen (Entrust), R. Housley (Vigil Security), W. Polk (NIST): Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile. IETF RFC 5280, May 2008. https://tools.ietf.org/

  15. M. Jones (Microsoft), J. Bradley (Ping Identity), N. Sakimura (NRI): JSON Web Token (JWT). IETF RFC 7519, May 2015. https://tools.ietf.org/

Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.

Cite this paper

Goel, A. (2022). Access Control and Authorization Techniques w.r.t. Client Applications. In: Jacob, I.J., Kolandapalayam Shanmugam, S., Bestak, R. (eds) Data Intelligence and Cognitive Informatics. Algorithms for Intelligent Systems. Springer, Singapore. https://doi.org/10.1007/978-981-16-6460-1_2