Abstract: When a user uses a third-party application that relies on data from another platform, the platform must authorize that application’s access based on the user’s consent in order to protect privacy. Although OAuth 2.0 is widely used for such authorization, managing authorization is a troublesome task for users. User-Managed Access (UMA) is a framework for asynchronous, user-centric authorization management. UMA aims to reduce the burden on users of handling authorization requests from third-party applications. In UMA, transparency of the authorization server, usually operated by a third party that is believed to be trusted, is important because the authorization server may behave maliciously, for example by authorizing access against the authorization policy set by users. Some proposals use blockchain to improve transparency, but blockchain may not be suitable because it makes information public, whereas authorization policies and decisions are sensitive with respect to user privacy. In this paper, we propose an architecture that improves UMA’s transparency by placing the UMA authorization server on user-owned devices. By making authorization decisions on the devices, our architecture improves transparency while reducing the users’ burden. We also use STRIDE-per-Element to discuss the threats discovered and how to mitigate the risks.
External IDs: dblp:conf/sec/HiraiKO24