-
A survey on security analysis of OAuth 2.0 framework
The OAuth 2.0 protocol is one of the most widely deployed authorization protocols. The authorization is the process for granting approval to an entity to access a resource. The authorization task itself can be described as granting access to a requesting client, for a resource hosted on the resource server (RS). This exchange is mediated by the authorization server (AS). Popular social networks such as Facebook, Google implement OAuth 2.0, allowing users to delegate access to specific functions to the third party (client). For example, Google (AS) uses OAuth to allow the email application (client) to add entries into users calendar on her behalf. It also allows a user to log in to a third-party application using her identity managed by an AS. Authorization and SSO solutions have found widespread adoption in the web over last years, with OAuth 2.0 being one of the most popular frameworks. This article contains the following components: (1) Introduction of OAuth 2.0 framework in technical details. (2) Presentation of significant attacks found in the protocol itself and in the implementation. (3)Description of implementation decisions that trade security for simplicity. (4) Providing Simple and practical fix against the aforementioned attacks. Some simple and practical recommendations will also be very helpful to mitigate attacks on extensions of OAuth 2.0. For example, some fixes would also be applicable to improve the security of OAuth based access control in the constrained environment (i.e.IoT).