Abstract

The widespread adoption of smartphones and new-generation wireless networks has changed the way people interact among themselves and with their environment. The use of messaging platforms, such as WhatsApp, has become deeply ingrained in people's lives, and many digital services have started to be delivered over these communication channels. In this work, we propose a new OAuth grant type to be used when the interaction between the resource owner and the client takes place through a messaging platform. This new grant type firstly allows the authorization server to be sure that no Man-in-the-Middle risk exists between the resource owner and the client before issuing an access token. Secondly, it allows the authorization server to interact with the resource owner through the same user-agent already being used to interact with the client, i.e., the messaging platform, which is expected to improve the overall user experience of the authorization process. To verify this assumption, we conducted a usability study in which subjects were required to perform the full authorization process using both the standard authorization code grant type (through a web-browser) and the new grant type defined in this work. They were also asked to fill in a short questionnaire covering some demographic information and their impressions of both authorization flows. The results suggest that the proposed grant type eases the authorization process in most cases.

Highlights

  • The way users interact among themselves and with their environment is constantly changing, and the delivery of digital services continuously evolves to keep pace with these changes

  • We propose a new Open Authorization (OAuth) grant type to be used when the interaction between the client and the resource owner is done through a messaging platform

  • The second group includes those attacks that exploit the Hypertext Transfer Protocol (HTTP) redirection mechanism or any feature related to the web-browser

Summary

Introduction

The way users interact among themselves and with their environment is constantly changing, and the delivery of digital services continuously evolves to keep pace with these changes. OAuth includes all the elements required to empower the end-user, allowing him to authorize the client to act on his behalf without having to disclose his credentials. Among other things, it defines a protocol (grant type) that allows the authorization server to interact directly with the resource owner, verifying his identity and gathering his consent to let the client act on his behalf. This grant type was designed with a concrete client profile in mind, namely web-applications that are served by a web server and accessed by end-users using a web-browser as user-agent.

Background
TextSecure Security
Problem Definition
Proposed Authorization Protocol
Prerequisites
Authorization Request
Authorization Request Processing
Authorization Response
Obtaining Access Token
MitM Attacker
Security against Known Attacks
Clickjacking
Usability Study
Study Recruitment, Design and Realization
Demographics
Results and Discussion
Conclusions