Background

What is OAuth

From https://en.wikipedia.org/wiki/OAuth, "OAuth is an open standard for access delegation, commonly used as a way for Internet users to grant websites or applications access to their information on other websites but without giving them the passwords."

In short, a user lets a client application obtain an access token (which represents the user's permission for the client to access their data); the client then presents that token to authenticate its requests to an API endpoint.

Problems with OAuth

OAuth process is tedious

The abstract flow below is from https://tools.ietf.org/html/rfc6749. Users are redirected back and forth to complete an OAuth login.

 +--------+                               +---------------+
 |        |--(A)- Authorization Request ->|   Resource    |
 |        |                               |     Owner     |
 |        |<-(B)-- Authorization Grant ---|               |
 |        |                               +---------------+
 |        |
 |        |                               +---------------+
 |        |--(C)-- Authorization Grant -->| Authorization |
 | Client |                               |     Server    |
 |        |<-(D)----- Access Token -------|               |
 |        |                               +---------------+
 |        |
 |        |                               +---------------+
 |        |--(E)----- Access Token ------>|    Resource   |
 |        |                               |     Server    |
 |        |<-(F)--- Protected Resource ---|               |
 +--------+                               +---------------+

Security concerns

Access tokens must be kept confidential in transit and in storage, because anyone who holds the token can access the resource.

Solution - Blockchain Auth (BAuth)

A blockchain is well suited to providing an identity service, thanks to the public key cryptography and digital signatures it is built on.

Users can create an Access Token containing all the necessary information (e.g. client information, scope, and expiration time) by themselves and hand it over to the client. The client then builds its requests, attaches the Access Token, and sends them to the Cosmos network. The Cosmos application verifies the signature in the Access Token and takes only the actions defined in it.

 +---------------------------------------------+
 |                                             |
 | Access Token Created by Resource Owner      |
 | (including Client, Scope, Signature, etc.)  |
 +---------------------------------------------+
 |                                             |
 | Message Sent by Client                      |
 |                                             |
 +---------------------------------------------+

Simplified process

 +--------+                               +---------------+
 |        |                               |   Resource    |
 |        |                               |     Owner     |
 |        |<------ Access Token ----------|               |
 | Client |                               +---------------+
 |        |
 |        |                               +---------------+
 |        |---------- Access Token ------>|    Resource   |
 |        |                               |     Server    |
 |        |<------- Protected Resource ---|               |
 +--------+                               +---------------+

More secure, under control

Unlike an OAuth access token, a BAuth Access Token states which client is allowed to use it.

Future Work:

  • define signature verification in CustomSigVerify, including its gas consumption
  • add timestamp and access token validation checks
