AURA Security Plug-in

Abstract

The OAuth 2.0 protocol is one of the most broadly deployed authorization protocols and it also fills in as the foundation for the new SSO standard OpenID Connect. Regardless of the popularity of OAuth, so far analysis efforts were for the most part focused at understanding the concept of OAuth and the exact workflow of how does it provides security to our protected resources. In this report, we carry out the analysis of the OAuth 2.0 standard in an demonstrative web model. Our analysis basically focuses at establishing secure authorization and authentication for which we provide formal definitions. In the analysis, all the four OAuth grant types i.e. authorization code grant, implicit grant, resource owner password credentials grant, and the client credentials grant are covered. They might even run simultaneously in the same and different relying parties and identity providers, where relying parties, identity providers, and browsers are considered as well. Our analysis of the OAuth 2.0 standard assumes that security recommendations and best practices are followed in order to avoid obvious and known attacks.