OAuth 2.0 authorization using blockchain-based tokens Nikos - - PowerPoint PPT Presentation

▶

Oct 24, 2022 911 likes •1.11k views

OAuth 2.0 authorization using blockchain-based tokens Nikos Fotiou, Iakovos Pittaras, Vasilios A. Siris, Spyros Voulgaris, George C. Polyzos Resource sharing Authorization Client Resource owner Resource storage Resource access Resource

SLIDE 1

OAuth 2.0 authorization using blockchain-based tokens

Nikos Fotiou, Iakovos Pittaras, Vasilios A. Siris, Spyros Voulgaris, George C. Polyzos

SLIDE 2

Resource sharing

Client Resource server Resource owner Authorization Resource storage Resource access

SLIDE 3

OAuth 2.0-based authorization

Client Resource owner Authorization request Authorization grant

SLIDE 4

OAuth 2.0-based authorization

Authorization server Client Authorization grant Access token Resource owner Authorization request Authorization grant

SLIDE 5

OAuth 2.0-based authorization

Authorization server Client Resource server Authorization grant Access token Resource Resource owner Authorization request Authorization grant Resource request, token

SLIDE 6

Our work

Authorization server Client Resource server Authorization grant Access token Resource Resource owner Authorization request Authorization grant Resource request, token

SLIDE 7

The Ethereum blockchain

Data “recorded” in the ledger are immutable
Decentrilized “smart contract” can be executed by

untrusted nodes in a deterministic way

SLIDE 8

ERC-721

ERC-721 tokens

Token Id
Owner Id
Metadata

SLIDE 9

ERC-721

ERC-721 token management contract

ownerOf()
transferFrom()
tokenURI()
approve()
getApproved()

ERC-721 tokens

Token Id
Owner Id
Metadata

SLIDE 10

JWT

Access token Authorization server Client { “iss”: Authorization Server “aud”: Resource URI “sub”: Client Key “exp”: Expiration Time “jti” : Token identifier }

SLIDE 11

JWT + ERC-721

Access token Authorization server Client { “iss”: Authorization Server “aud”: Resource URI “sub”: Client Key “exp”: Expiration Time “jti” : Token identifier } ERC-721 token Token Id : jti Owner Id : Client key Metadata: JWT

SLIDE 12

Accessing legacy resource servers

It facilitates logging and auditing services
Clients can at any time retrieve their access token

from the blockchain

Resource server Resource Resource request, token Client Verify Client key ownership

SLIDE 13

Accessing resource servers with BC read access

Resource server Resource Resource request, token Client Verify Client key ownership

wnerOf(), tokenURI()

SLIDE 14

Revocation

Resource server Resource request, token Client

wnerOf(), tokenURI()

Authorization server transferFrom()

Revocation is asynchronous
Authorization server does not have to be online

SLIDE 15

Delegation

Resource server Resource Resource request, token Client A Verify Client key ownership getApproved(), tokenURI() Client B Approve(Client B)

Delegation is not transitive
Revocation is not affected

SLIDE 16

Fair exchange

Access token Authorization server Client ERC-721 token Token identifier Owner : Authorization server Metadata: JWT Payment transferFrom()

SLIDE 17

Discussion

Existing OAuth 2.0 code-base can be re-used
In some cases our approach is transparent to OAuth

endpoints

In no payments are involved then private, or testing

chains can be used.

If the client does not interact with the blockchain,

then ownerOf() may return any type of identifier.

(Public) blockchains have privacy issues, introduce

delays (~13sec per transaction) and monetary costs (~$0.10 to create a token, $0.02 to revoke or delegate)

SLIDE 18

Thank you

fotiou@aueb.gr https://mm.aueb.gr/blockchains