A Capability-based Distributed Authorization System to Enforce Context-aware Permission Sequences

TL;DR

This paper introduces a secure, capability-based distributed authorization system that enforces permission sequences and context-awareness, enhancing control over resource access in distributed environments.

Contribution

It presents a novel system supporting permission sequences and context, proves its safety, and integrates it into OAuth 2.0 with performance evaluation.

Findings

The system enforces finite permission sequences with context.

Safety property of the system is formally proven.

Implementation shows improved authorization time over plain OAuth.

Abstract

Controlled sharing is fundamental to distributed systems. We consider a capability-based distributed authorization system where a client receives capabilities (access tokens) from an authorization server to access the resources of resource servers. Capability-based authorization systems have been widely used on the Web, in mobile applications and other distributed systems. A common requirement of such systems is that the user uses tokens of multiple servers in a particular order. A related requirement is the token may be used if certain environmental conditions hold. We introduce a secure capability-based system that supports "permission sequence" and "context". This allows a finite sequence of permissions to be enforced, each with their own specific context. We prove the safety property of this system for these conditions and integrate the system into OAuth 2.0 with proof-of-possession tokens. We evaluate our implementation and compare it with plain OAuth with respect to the average time for obtaining an authorization token and acquiring access to the resource.