Open Access System for Information Sharing


DOAuth 2.0: A Decentralized Authorization Protocol based on OAuth 2.0

Authors
홍상원
Date Issued
2021
Publisher
Pohang University of Science and Technology (포항공과대학교)
Abstract
Authorization problems deal with how to give third parties access to specific resources. OAuth 2.0 is an open standard protocol for authorization that is widely used in industry. OAuth 2.0 enables a resource owner, i.e. a user, to grant a client access to user resources without disclosing the user's credentials. However, OAuth 2.0 has several problems: (1) it is complicated to meet security requirements because so many parts of the OAuth 2.0 core specification, i.e. RFC 6749, are left optional for flexibility; (2) it depends on centralized authorization servers, e.g. Google, Facebook or Yahoo, so that if authorization servers are compromised, the compromise cascades to their clients; (3) it is inefficient because a user has to grant each client access to the same resources every time. Moreover, there are strong trends toward strengthening user sovereignty over user resources, such as GDPR (General Data Protection Regulation) and SSI (Self-Sovereign Identity). In this thesis, we propose DOAuth 2.0, a decentralized authorization protocol that applies blockchain technology to OAuth 2.0. It is shown that DOAuth 2.0 solves the problems of OAuth 2.0 while keeping the open standard of OAuth 2.0. In addition, DOAuth 2.0 fits well with the current trends toward strengthening user sovereignty over user resources.
URI
http://postech.dcollection.net/common/orgView/200000372539
https://oasis.postech.ac.kr/handle/2014.oak/112052
Article Type
Thesis
Files in This Item:
There are no files associated with this item.
