A Client Authorization Scheme Based on OAuth 2.0 and PoP Token for Internet of Things

Abstract

With the increase of things deployments, the need for a better user experience for handling the authentication and authorization tasks in IoT scenario increases. The OAuth 2.0 Protocol can satisfy the needs of requirements for a better user experience in the authorization procedure. OAuth 2.0 is an open standard authorization protocol which allows users to grant a third-party applications access to protected resources without providing their credentials. But there are some vulnerabilities in standard OAuth 2.0 protocol. To improve the security of OAuth 2.0 access token transportation and satisfy the challenge of resources constraint caused by the bearer token access mechanism of the OAuth 2.0, we proposed an extensional client authentication scheme that is based on the Proof-of-Possession (PoP) token mechanism. By improving the integrity of PoP token, we bind a PoP key of a public/private key pair to the PoP token. The authorization server and the resource server can authenticate the identity of the client by verifying whether the client has the possession of the PoP token. If the client can prove that it has a PoP key that matches the PoP token, then the identity of the client can be authenticated. The experimental evaluation can confirm that this scheme effectively dealing with the issue of client identity authentication and reduce resources consumption. In particular, storage space for secure storage of refresh tokens is reduced. Meanwhile, uses the signature to prevents the different attacks which are highly occurred in IoT open platform.