OAuth 2.0: A Framework to Secure the OAuth-Based Service for Packaged Web Application


Shawon S. M. Rahman (University of Hawaii at Hilo, USA), Nazmul Hossain (Jashore University of Science and Technology, Bangladesh), Md Alam Hossain (Jashore University of Science and Technology, Bangladesh), Md Zobayer Hossain (Jashore University of Science and Technology, Bangladesh) and Md Hassan Imam Sohag (Jashore University of Science and Technology, Bangladesh)
DOI: 10.4018/978-1-7998-3355-0.ch005

Abstract

OAuth is an open security standard that enables users to grant an application specific, time-bound rights to access protected user resources stored on external resource servers, without sharing their credentials with the application. Unlike websites, locally installed packaged web applications face one main security challenge: handling the redirect response. The OAuth flow initiated from a packaged web app is similar to the OAuth flows described in the current literature. However, for packaged web apps it is difficult to define an HTTP endpoint as the redirection endpoint, since these apps are locally installed. The authors propose a novel method to execute the OAuth flow from such applications with the help of a web runtime framework that manages the life cycle of these applications. They compare their approach with two existing approaches. In their experiments, their approach blocked all illegal OAuth flow executions and also delivered better OAuth response handling time and power consumption.
Chapter Preview

Introduction

OAuth 2.0 is an authorization framework that enables applications to gain restricted access to user accounts on an HTTP service, such as GitHub, Facebook, Twitter, or Digital Ocean. OAuth 2.0 works by delegating user authentication to the service that hosts the user account and authorizing third-party applications to access that account. OAuth 2.0 defines authorization flows (Hardt Ed., 2012) for desktop and web applications and for mobile devices.

A packaged app is a zip file that contains all the resources a Firefox OS app needs to function, with an app manifest in the zip's root directory. The manifest gives details about the app, such as its description and the icons used to identify the installed app. The package is then used to install the app on Firefox OS devices. Once installed, the app runs on the device but is still able to access resources on the Web, such as a database on a web server.

The principal aim of this dissertation is to handle illegal OAuth flows in a packaged web application system and so secure the OAuth protocol. Considering the major security problems of the OAuth flow, we designed and developed a packaged web application with a Web Runtime feature that offers more security facilities than the existing approaches. We developed the packaged web application through app packaging, which is a secure app development process. The app package contains web resources such as HTML files, JavaScript files, CSS files and media assets (icon images, audio files, etc.), along with an installation descriptor file (also referred to as the configuration document). The JavaScript files inside these packages are special in the sense that they can call both standardized web APIs and custom JavaScript APIs (Charlie, C., Ben, L., Benjamin, G. Z. & Christian, S., 2011) available on the underlying platform. These custom APIs give web content access to various platform services, enabling such web apps to implement the same kinds of use cases as the native apps running on that platform. We created a special web framework, or runtime, W, which manages the lifecycle of such packaged web apps on the platform. Here managing the lifecycle refers to the cycle of installation, instantiation, and uninstallation of an app. When a packaged web app is instantiated, W creates a web view: a window in which the web contents of the app are rendered using a web rendering engine. Within the context of the web view the app invokes various standard and custom JavaScript APIs. The runtime framework W also ensures secure access to platform services through those JavaScript API calls. During execution W may create more than one web view, as requested by JavaScript API calls from the app code. This approach gives both security and better performance.

In short, the problem is this: from the existing approaches to the OAuth protocol, we selected the two better ones to compare with our newly developed OAuth architecture for packaged web applications, with respect to different security and performance scenarios. The steps of the methodology are depicted as follows:

Figure 1. Steps of methodology

Each OAuth-based system has its own mechanism for the OAuth flow. The existing approaches have their own architectures, OAuth flows, security mechanisms, etc. So we identified the similarities and dissimilarities of those existing approaches in order to find their problems and vulnerabilities.

To find the architectural requirements of an OAuth-based system for a client-side web application, we analyzed the architectures of two existing systems. We gathered useful information by studying those approaches and browsing the internet. For more information, we tested them on the internet and analyzed the various sections of those systems. From all that information, we tried to draw the general architectures of the approaches mentioned above. Since our task in this research is to propose, design and develop a new OAuth architecture, we must derive some architectural requirements.
