Abstract

Web services often determine whether to grant a service-requesting entity access to their resources based on the latter's credentials, which may not always be available with a single authority. More commonly, there is a need to get them verified by multiple external sources in a decentralized manner. This kind of architecture is also more robust against security and privacy attacks than a centralized system. However, it is imperative that authorization by the independent sources be done in a transparent and verifiable manner. In this paper, we propose a method for decentralized authorization using the Ethereum blockchain. We consider the underlying authorization model to be Attribute-based Access Control (ABAC); hence, the credentials to be verified are the attributes of the users making access requests to the web service. In ABAC, a user is granted or denied access to an object based on her attributes as well as those of the requested object, using a set of rules (called the ABAC policy). We use a public blockchain, namely Ethereum, for transparent authorization of attributes by multiple sources, allowing the web service to make an access decision. It ensures that the authorization data is immutable and helps build trust between the users, web service providers and attribute certifying authorities. We have made a prototype implementation of our proposed architecture on the Rinkeby Ethereum test network. Extensive experiments show its scalability in realistic scenarios.

Keywords: Decentralized authorization, Web services, Smart contract, Ethereum, Attribute-based Access Control (ABAC)
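The following sketch is an added illustration, not the paper's implementation or its smart contract: it models the idea of an ABAC decision that only counts user attributes certified by the authority trusted for each attribute, read from a tamper-evident log. The hash-chained Python list standing in for the blockchain, and all authority names, attributes and policy rules, are assumptions constructed for the example.

```python
import hashlib, json

FIELDS = ("authority", "subject", "attribute", "value", "prev")

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AttestationLedger:
    """Append-only, hash-chained log standing in for the blockchain (assumption)."""
    def __init__(self):
        self.entries = []

    def attest(self, authority, subject, attribute, value):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = dict(zip(FIELDS, (authority, subject, attribute, value, prev)))
        self.entries.append({**body, "hash": _digest(body)})

    def verify_chain(self):
        prev = "0" * 64
        for e in self.entries:
            if e["prev"] != prev or e["hash"] != _digest({k: e[k] for k in FIELDS}):
                return False  # an entry was altered, removed or reordered
            prev = e["hash"]
        return True

    def certified_attributes(self, subject, trusted):
        """Latest value per attribute, counting only the authority trusted for it."""
        attrs = {}
        for e in self.entries:
            if e["subject"] == subject and trusted.get(e["attribute"]) == e["authority"]:
                attrs[e["attribute"]] = e["value"]
        return attrs

def decide(ledger, trusted, policy, user, obj_attrs):
    """Grant only if the log is intact and a rule matches certified user and object attributes."""
    if not ledger.verify_chain():
        return False
    user_attrs = ledger.certified_attributes(user, trusted)
    return any(all(user_attrs.get(k) == v for k, v in rule["user"].items()) and
               all(obj_attrs.get(k) == v for k, v in rule["object"].items())
               for rule in policy)

# Constructed sample data: which authority is trusted for which attribute, and one policy rule.
TRUSTED = {"role": "hospital-hr", "license": "medical-board"}
POLICY = [{"user": {"role": "doctor", "license": "valid"}, "object": {"type": "patient-record"}}]

def demo():
    ledger = AttestationLedger()
    ledger.attest("hospital-hr", "alice", "role", "doctor")
    ledger.attest("medical-board", "alice", "license", "valid")
    ledger.attest("bob", "bob", "role", "doctor")  # self-asserted, so it is ignored
    ledger.attest("medical-board", "bob", "license", "valid")
    return ledger
```
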
