Capability-based access control for multi-tenant systems using OAuth 2.0 and Verifiable Credentials
Nikos Fotiou, Vasilios A. Siris, George C. Polyzos

TL;DR
This paper introduces a capability-based access control method for web resources that integrates Verifiable Credentials into OAuth 2.0, enhancing interoperability and simplifying verification using JWT and JSON Web Signatures.
Contribution
It presents a novel OAuth 2.0 access token format based on VCs, enabling secure, standardized, and interoperable capability sharing with minimal code changes.
Findings
Efficient encoding of VCs within OAuth 2.0 tokens
Simplified verification process using JSON Web Signatures
Protocol for VC generation via OAuth 2.0 client credentials grant
Abstract
We propose a capability-based access control technique for sharing Web resources, based on Verifiable Credentials (VCs) and OAuth 2.0. VCs are a secure means for expressing claims about a subject. Although VCs are ideal for encoding capabilities, the lack of standards for exchanging and using VCs impedes their adoption and limits their interoperability. We mitigate this problem by integrating VCs into the OAuth 2.0 authorization flow. To this end, we propose a new form of OAuth 2.0 access token based on VCs. Our approach leverages JSON Web Tokens (JWT) to encode VCs and takes advantage of JWT-based mechanisms for proving VC possession. Our solution not only requires minimal changes to existing OAuth 2.0 code bases, but it also removes some of the complexity of verifying VC claims by relying on JSON Web Signatures: a simple, standardized, and well-supported signature format.…
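The token format the abstract describes, as an added illustration rather than the authors' code: an authorization server mints a JWT access token whose payload carries a VC listing the capabilities, and a resource server verifies it purely as a JWS. Assumptions not taken from the paper: HS256 with a shared AS/RS secret is used so the example runs with the standard library alone (an issuer-signed VC would normally use an asymmetric JWS algorithm), the RFC 7800 cnf claim is assumed as the JWT-based proof-of-possession mechanism, and all URLs, DIDs, key ids and scopes are constructed.

```python
import base64, hashlib, hmac, json, time

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

AS_KEY = b"constructed-demo-secret-shared-by-as-and-rs"  # constructed, demo only
RS_AUDIENCE = "https://rs.example"                       # constructed resource server

def issue_vc_access_token(subject: str, holder_kid: str, scopes, now=None, ttl=300) -> str:
    """AS side: OAuth 2.0 access token whose payload embeds the capability as a VC."""
    now = int(time.time()) if now is None else now
    payload = {
        "iss": "https://as.example",       # constructed issuer
        "sub": subject,
        "aud": RS_AUDIENCE,
        "iat": now, "exp": now + ttl,
        "cnf": {"kid": holder_kid},        # binds the token to the holder's key (RFC 7800)
        "vc": {                            # the VC, carried as a JWT claim
            "@context": ["https://www.w3.org/2018/credentials/v1"],
            "type": ["VerifiableCredential"],
            "credentialSubject": {"id": subject, "capabilities": list(scopes)},
        },
    }
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(payload).encode())
    sig = hmac.new(AS_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify_vc_access_token(token: str, presented_kid: str, needed: str, now=None):
    """RS side: plain JWS verification, then expiry, holder binding and capability checks.
    Returns the claims on success, None on any failure."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        if json.loads(b64url_decode(h)).get("alg") != "HS256":  # pin the algorithm, never trust the header
            return None
        expected = hmac.new(AS_KEY, (h + "." + p).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            return None
        claims = json.loads(b64url_decode(p))
    except ValueError:            # malformed base64url or JSON
        return None
    if claims.get("aud") != RS_AUDIENCE or claims.get("exp", 0) <= now:
        return None
    if claims.get("cnf", {}).get("kid") != presented_kid:  # proof-of-possession check
        return None
    caps = claims.get("vc", {}).get("credentialSubject", {}).get("capabilities", [])
    return claims if needed in caps else None
```

Because the capability is an ordinary JWT claim, the resource server needs no VC-specific proof-verification code beyond the JWS check it already performs for any JWT access token.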
