Abstract

OAuth 2.0 is a widely used authorization protocol for cloud-based web services; large providers such as Google, Facebook and Microsoft use it to grant third parties limited access to user data. OAuth 2.0 has a flexible design and can be implemented and configured in a number of ways according to the use case. However, each of these implementation decisions and configuration choices comes with its own security implications. In our research, we carry out a simulation of the OAuth 2.0 protocol and suggest additional features that can augment its architectural design and enhance its overall security. The protocol classifies third-party client apps by their ability to keep their credentials (client secrets) confidential and by the method used to register them with the authorization server. It further offers several options for delivering access tokens to third-party client apps (for example, returning the token directly in the implicit flow versus exchanging an authorization code for it). We suggest converging these client app types and token-delivery options into a single uniform client app type and operational flow, thereby reducing the complexity of decision making and implementation, the scope for security misconfiguration, and the burden of maintaining separate codebases. We also propose two-factor authentication (2FA) for third-party client apps, in addition to the existing mechanism of authenticating a client with its client secret via HTTP Basic authentication. Finally, we advocate the use of digital signatures and cryptography to mitigate the common risks and vulnerabilities associated with the misuse of tokens, which are issued and exchanged at several stages of the OAuth process, including access to protected resources.
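The abstract refers to three mechanisms in the standard protocol that its proposals build on: a confidential client authenticating to the authorization server with its client secret, the exchange of an authorization code for an access token, and cryptographic protection of the issued token against misuse. The following is an added, self-contained simulation of that authorization-code exchange; it is example code written for this page, not the paper's simulation or its proposed design. The client id, client secret, redirect URI, signing key and user identity are constructed for the example. Tokens are HMAC-SHA256 signed JSON, a symmetric stand-in for the digital signatures the abstract advocates (the signing key is assumed to be shared between the authorization server and the resource server), and the resource server is assumed to learn the presenting client's identity out of band (for instance via mutual TLS) so it can check that the token was issued to that client.

```python
"""Constructed OAuth 2.0 authorization-code simulation (example, not the paper's code).

One confidential client, one authorization server (AS) and one resource server (RS).
Shows: client authentication with a client secret, single-use authorization codes,
and signed, client-bound tokens that the RS rejects when tampered or replayed.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed configuration (assumptions for the example).
AS_SIGNING_KEY = b"as-signing-key-for-example-only"  # assumed shared with the RS
CLIENTS = {"app-123": {"secret": "s3cret-example", "redirect_uri": "https://app.example/cb"}}
RS_AUDIENCE = "rs.example"


def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, key: bytes) -> str:
    """Serialise claims and append an HMAC-SHA256 tag: '<payload>.<tag>'."""
    payload = b64u(json.dumps(claims, separators=(",", ":")).encode())
    tag = b64u(hmac.new(key, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{tag}"


def verify_token(token: str, key: bytes, audience: str, presenting_client: str):
    """Return the claims if the tag, audience, client binding and expiry check out, else None."""
    try:
        payload, tag = token.split(".")
        expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64u_decode(tag)):
            return None  # payload was altered or token not issued by this AS
        claims = json.loads(b64u_decode(payload))
    except (ValueError, json.JSONDecodeError):
        return None
    if claims.get("aud") != audience or claims.get("client_id") != presenting_client:
        return None  # token stolen and presented by a different client, or wrong RS
    if claims.get("exp", 0) < time.time():
        return None
    return claims


class AuthorizationServer:
    def __init__(self):
        self.codes = {}  # code -> (client_id, redirect_uri, scope, expiry)

    def authorize(self, client_id: str, redirect_uri: str, scope: str) -> str:
        """Front-channel step: user consents; AS returns a short-lived, single-use code."""
        client = CLIENTS.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise ValueError("unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(24)
        self.codes[code] = (client_id, redirect_uri, scope, time.time() + 60)
        return code

    def token(self, client_id: str, client_secret: str, code: str, redirect_uri: str) -> str:
        """Back-channel step: confidential client authenticates, then redeems the code."""
        client = CLIENTS.get(client_id)
        if client is None or not hmac.compare_digest(client["secret"], client_secret):
            raise PermissionError("invalid_client")
        entry = self.codes.pop(code, None)  # pop: a code can be redeemed only once
        if entry is None:
            raise PermissionError("invalid_grant")
        issued_to, issued_uri, scope, expiry = entry
        if issued_to != client_id or issued_uri != redirect_uri or time.time() > expiry:
            raise PermissionError("invalid_grant")
        claims = {"sub": "user-42", "aud": RS_AUDIENCE, "client_id": client_id,
                  "scope": scope, "exp": int(time.time()) + 300, "jti": secrets.token_hex(8)}
        return issue_token(claims, AS_SIGNING_KEY)


class ResourceServer:
    def get_profile(self, token: str, presenting_client: str) -> dict:
        claims = verify_token(token, AS_SIGNING_KEY, RS_AUDIENCE, presenting_client)
        if claims is None or "profile" not in claims.get("scope", "").split():
            return {"error": "invalid_token"}
        return {"sub": claims["sub"], "email": "user-42@example"}  # constructed data


def run_demo() -> dict:
    """Run the happy path and four misuse attempts; return the outcomes."""
    az, rs = AuthorizationServer(), ResourceServer()
    code = az.authorize("app-123", "https://app.example/cb", "profile")
    token = az.token("app-123", "s3cret-example", code, "https://app.example/cb")
    results = {"ok": rs.get_profile(token, "app-123")}
    # Scope escalation by editing the payload: the tag no longer matches.
    payload, tag = token.split(".")
    claims = json.loads(b64u_decode(payload))
    claims["scope"] = "profile admin"
    results["tampered"] = rs.get_profile(issue_token(claims, b"x").split(".")[0] + "." + tag, "app-123")
    # Stolen token replayed by a different client: client binding fails.
    results["replayed"] = rs.get_profile(token, "app-999")
    # Redeeming the same authorization code twice.
    try:
        az.token("app-123", "s3cret-example", code, "https://app.example/cb")
        results["code_reuse"] = "accepted"
    except PermissionError as err:
        results["code_reuse"] = str(err)
    # Wrong client secret at the token endpoint.
    code2 = az.authorize("app-123", "https://app.example/cb", "profile")
    try:
        az.token("app-123", "wrong-secret", code2, "https://app.example/cb")
        results["wrong_secret"] = "accepted"
    except PermissionError as err:
        results["wrong_secret"] = str(err)
    return results


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The checks at the token endpoint (client authentication before the code is consumed, the code popped so it cannot be redeemed twice, and the redirect URI compared with the one the code was issued for) are the RFC 6749 requirements for a confidential client; the `client_id` claim plus the resource server's binding check is the part that addresses token misuse by a party other than the client the token was issued to.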