A Survey Paper On Social Sign-On Protocol Oauth 2.0
A Survey Paper On Social Sign-On Protocol Oauth 2.0
A Survey Paper On Social Sign-On Protocol Oauth 2.0
Volume 2, No.6, June 2013
_________________________________________________________________________________
A Survey Paper on Social Sign-On Protocol OAuth 2.0
Er. Gurleen Kaur, Research Scholar, BBSBEC Fatehgarh Sahib(Punjab)
Er. Deepak Aggarwal, Professor, BBSBEC, Fatehgarh Sahib (Punjab)
ABSTRACT
This paper presents the amalgamation of different social sites and the concept of social sign-on. Latest Trends of
using Facebook Platform, Google Friend Connect, Twitter etc have elevated the concept of social sign-on. These
social-networks connect services increase access to and enrich user data in the Social Web, although they also
present several security and privacy challenges. It enables a third-party application to obtain limited access to an
HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource
owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf. In this
paper, we have presented the basic concept of the social sign-on protocol OAuth 2.0 and few challenges faced by
this protocol.
Keywords: Social sign-on, OAuth 2.0, third party, Resource server, token
www.borjournals.com Blue Ocean Research Journals 93
Journal of En
ngineering, C
Computers & Applied Scien nces (JEC&ASS) ISSN No: 23 319‐5606
Volume 2, N 13
No.6, June 201
___________ ___________ ___________ ____________ ___________________________________________
1. Roles in OAuth 2..0 rrequest authoriization and thee types supporrted by
OAuth deffines four roles: tthe authorizatioon server.
3. TThe client rrequests an access tokeen by
1. Resou urce owner aauthenticating with the authhorization server and
An entity capable of graanting access to a protected d ppresenting the authorization ggrant.
resource. When
W the resource owner is a person, it iss 4. TThe authorizattion server autthenticates the client
referred to as an end-userr. aand validates tthe authorizatioon grant, and if valid
iissues an accesss token.
2. Resou urce server 5. TThe client reqquests the prottected resourcee from
The serverr hosting the prrotected resources, capable off tthe resource server andd authenticatees by
accepting and respond ding to proteected resourcee ppresenting the access token.
requests ussing access tok
kens. 6. TThe resource server validatees the access token,
aand if valid, seerves the request.
3. Clientt
An applicaation making prrotected resourrce requests on
n 3. Authorizatioon Grant
behalf off the resourrce owner and a with itss An aauthorization grrant is a credenntial representiing the
authorizatiion. resouurce owner's auuthorization (too access its prootected
resouurces) used byy the client tto obtain an access
4. Autho orization serveer tokenn.
The serverr issuing access tokens to thet client afterr
successfullly authenticatiing the resourrce owner andd Therre are four graant types:
obtaining authorization.
a 1. AAuthorization code,
2. IImplicit,
2. Proto
ocol Flow 3. RResource owneer password crredentials, and
4. CClient credentiials.
rjournals.com
www.borj m Blue Ocean Resea
arch Journals 94
Journal of Engineering, Computers & Applied Sciences (JEC&AS) ISSN No: 2319‐5606
Volume 2, No.6, June 2013
_________________________________________________________________________________
Resource Owner Password Credentials tokens with identical or narrower scope (access
The resource owner password credentials (i.e. tokens may have a shorter lifetime and fewer
username and password) can be used directly as an permissions than authorized by the resource owner).
authorization grant to obtain an access token. The Issuing a refresh token is optional at the discretion of
credentials should only be used when there is a high the authorization server. If the authorization server
degree of trust between the resource owner and the issues a refresh token, it is included when issuing an
client (e.g. the client is part of the device operating access token (i.e. step (D) in Fig. 1). A refresh token
system or a highly privileged application), and when is a string representing the authorization granted to
other authorization grant types are not available (such the client by the resource owner. The string is usually
as an authorization code). opaque to the client. The token denotes an identifier
used to retrieve the authorization information. Unlike
Client Credentials access tokens, refresh tokens are intended for use
The client credentials (or other forms of client only with authorization servers and are never sent to
authentication) can be used as an authorization grant resource servers.
when the authorization scope is limited to the
protected resources under the control of the client, or Challenges Faced By Protocol
to protected resources previously arranged with the However, with the emergence of new OAuth
authorization server. Client credentials are used as an Protocol 2.0, simplicity and performance increased,
authorization grant typically when the client is acting but also many limitations of OAuth 2.0 came into
on its own behalf (the client is also the resource existence:
owner), or is requesting access to protected resources
based on an authorization previously arranged with 1. CSRF Attack
the authorization server. OAuth 2.0 is prone to CSRF (cross-site request
forgery) attack. It’s also known as session riding or
4. Access Token XSRF.
Access tokens are credentials used to access
protected resources. An access token is a string 2. Unbounded tokens
representing an authorization issued to the client. The In 1.0, the client has to present two sets of credentials
string is usually opaque to the client. Tokens on each protected resource request, the token
represent specific scopes and durations of access, credentials and the client credentials. In 2.0, the client
granted by the resource owner, and enforced by the credentials are no longer used. This means that
resource server and authorization server. The token tokens are no longer bound to any particular client
may denote an identifier used to retrieve the type or instance.
authorization information, or self contain the
authorization information in a verifiable manner (i.e. 3. Bearer tokens
a token string consisting of some data and a 2.0 got rid of all signatures and cryptography at the
signature). The access token provides an abstraction protocol level. Instead it relies solely on TLS
layer, replacing different authorization constructs (Transport Layer Security).
(e.g. username and password) with a single token
understood by the resource server. This abstraction 4. Expiring tokens
enables issuing access tokens more restrictive than 2.0 tokens can expire and must be refreshed. This is
the authorization grant used to obtain them, as well as the most significant change for client developers
removing the resource server's need to understand a from 1.0 as they now need to implement token state
wide range of authentication methods. Access tokens management. The reason for token expiration is to
can have different formats, structures, and methods of accommodate self-encoded tokens – encrypted tokens
utilization (e.g. cryptographic properties) based on which can be authenticated by the server without a
the resource server security requirements. database look-up. Because such tokens are self-
encoded, they cannot be revoked and therefore must
5. Refresh Token be short-lived to reduce their exposure. Whatever is
Refresh tokens are credentials used to obtain access gained from the removal of the signature is lost twice
tokens. Refresh tokens are issued to the client by the in the introduction of the token state management
authorization server and are used to obtain a new requirement.
access token when the current access token becomes
invalid or expires, or to obtain additional access
www.borjournals.com Blue Ocean Research Journals 95
Journal of Engineering, Computers & Applied Sciences (JEC&AS) ISSN No: 2319‐5606
Volume 2, No.6, June 2013
_________________________________________________________________________________
5. Grant types [9] Eran Hammer, " OAuth 2.0 and the Road to
In 2.0, authorization grants are exchanged for access Hell", http://hueniverse.com/2012/07/oauth-
tokens. Grant is an abstract concept representing the 2-0-and-the-road-to-hell/ , July 26, 2012
end-user approval. It can be a code received after the [10] Jeremiah Blatz, "CSRF: Attack and
user clicks ‘Approve’ on an access request, or the Defense",
user’s actual username and password. The original http://www.mcafee.com/us/resources/white-
idea behind grants was to enable multiple flows. 1.0 papers/wp-csrf-attack-defense.pdf
provides a single flow which aims to accommodate
multiple client types. 2.0 adds significant amount of
specialization for different client type.
Conclusion
OAuth 2.0 presents an exalted concept of social sign-
on by providing more security than traditional
concepts. But, it can be more secure if all the
confrontation faced by this protocol are met. Issues
like CSRF attack should be construed for developing
an enhanced protocol.
References
[1] San-Tsai Sun , “Simple But Not Secure: An
Empirical Security Analysis of OAuth 2.0-
Based Single Sign-On Systems” ,
http://blogs.ubc.ca/computersecurity/files/20
12/04/San-Tsai.pdf
[2] Barry Leiba, " OAuth Web Authorization
Protocol ", www.computer.org/internet
computing, Vol. 16, No. 1.
January/February, 2012
[3] Bhagyaraj Gowrigolla, Sathyalakshmi sivaji,
" Design and auditing of Cloud computing
security", Information and Automation for
Sustainability (ICIAFs), 2010 5th
International Conference, Dec. 2010, pp.
292 - 297
[4] Chetan Bansal, Karthikeyan Bhargavan,
Sergio Maffeis, "Discovering concrete
attacks on website authorization by formal
analysis",
http://www.doc.ic.ac.uk/~maffeis/csf12.pdf
[5] M. Noureddine, " A provisioning model
towards OAuth 2.0 performance
optimization", Cybernetic Intelligent
Systems (CIS), 2011 IEEE 10th
International ConferenceSept. 2011, pp. 76-
80
[6] D. Hardt, http://tools.ietf.org/html/draft-ietf-
oauth-v2
[7] OAuth Community site, http://oauth.net
[8] Eran Hammer, "Introduction to OAuth 2.0",
http://hueniverse.com/2010/05/introducing-
oauth-2-0/ , May 15, 2010
www.borjournals.com Blue Ocean Research Journals 96