A Review of OAuth-based Authorization Service Architecture in IoT Scenarios

Krittika KD Singh, Anurag Jain


The OAuth 2.0 protocol has enjoyed wide adoption by Online Social Network (OSN) providers since its inception. Although the security guidelines for OAuth 2.0 are well documented in RFC 6749 and RFC 6819, many real-world attacks arising from the implementation specifics of OAuth 2.0 in various OSNs have been discovered. To our knowledge, the previously discovered loopholes all stem from misuse of OAuth, and many of them rely on provider-side or application-side vulnerabilities or faults that lie outside the scope of the OAuth protocol itself. It was generally believed that correct use of OAuth 2.0 is secure. In this paper OAuth is studied in its various aspects and characteristics.
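The abstract draws a line between the protocol as specified and the implementation-specific mistakes that produce real-world attacks. Two of the checks RFC 6749 places on implementations rather than on the wire format are the `state` parameter binding the authorization response to the user agent's session (section 10.12, CSRF) and exact matching of a pre-registered `redirect_uri` (section 10.6, redirection URI manipulation). The following is an added example written for this page, not code from the paper or from any OAuth provider; the endpoint URL, client_id and redirect URI are assumed placeholders, and the callback URLs used in the demo are constructed.

```python
"""Authorization-code client checks from RFC 6749 sections 10.6 and 10.12.

Added example for this page; not code from the paper. Endpoint, client_id
and redirect URI below are assumed placeholder values.
"""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTH_ENDPOINT = "https://provider.example/oauth/authorize"  # assumed
CLIENT_ID = "example-client"                                # assumed
REGISTERED_REDIRECT = "https://app.example/callback"        # assumed


def build_authorization_url(session: dict, scope: str = "profile") -> str:
    """Build the authorization request and bind a fresh `state` to the session.

    The state is 256 bits from the OS CSPRNG; it is stored server-side in the
    caller's session object so the callback can be tied to this user agent.
    """
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REGISTERED_REDIRECT,
        "scope": scope,
        "state": state,
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"


def handle_callback(session: dict, callback_url: str) -> str:
    """Validate the redirect back to the client and return the authorization code.

    The stored state is consumed (popped) so a replayed callback fails, and the
    comparison is constant-time. A missing or mismatched state is treated as a
    CSRF / login-fixation attempt (RFC 6749 sec. 10.12).
    """
    expected = session.pop("oauth_state", None)
    query = parse_qs(urlsplit(callback_url).query)
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    received = query.get("state", [""])[0]
    if expected is None or not hmac.compare_digest(received, expected):
        raise ValueError("state mismatch: possible CSRF or session fixation")
    codes = query.get("code", [])
    if len(codes) != 1:
        raise ValueError("callback must carry exactly one authorization code")
    return codes[0]


def redirect_uri_allowed(requested: str, registered: str = REGISTERED_REDIRECT) -> bool:
    """Authorization-server side: redirect_uri must equal the registered value.

    Prefix, substring or host-only matching is the implementation shortcut that
    lets an attacker steer the code to a URI they control (RFC 6749 sec. 10.6).
    """
    return requested == registered


def run_demo() -> dict:
    """Legitimate round trip plus a forged callback; returns the outcomes."""
    session = {}
    url = build_authorization_url(session)
    # Constructed callback, as the provider would redirect after user consent.
    good_cb = f"{REGISTERED_REDIRECT}?code=SplxlOBeZQQYbYS6WxSbIA&state={session['oauth_state']}"
    code = handle_callback(session, good_cb)

    forged_session = {}
    build_authorization_url(forged_session)
    # Constructed attacker-supplied callback carrying the attacker's own code.
    forged_cb = f"{REGISTERED_REDIRECT}?code=attacker-code&state=guess"
    try:
        handle_callback(forged_session, forged_cb)
        forged_rejected = False
    except ValueError:
        forged_rejected = True

    return {
        "auth_url_has_state": "state=" in url,
        "code": code,
        "forged_rejected": forged_rejected,
        "exact_uri_ok": redirect_uri_allowed(REGISTERED_REDIRECT),
        "tampered_uri_ok": redirect_uri_allowed(REGISTERED_REDIRECT + "/../evil"),
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The session dict stands in for whatever server-side session store the client uses; the point is that `state` is generated per request, compared in constant time, and discarded after one use, and that the authorization server compares `redirect_uri` by equality rather than by prefix.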



DOI: https://doi.org/10.23956/ijarcsse.v7i8.83



© International Journals of Advanced Research in Computer Science and Software Engineering (IJARCSSE)| All Rights Reserved | Powered by Advance Academic Publisher.