Cryptology ePrint Archive: Report 2011/526
Universally Composable Security Analysis of OAuth v2.0
Suresh Chari and Charanjit Jutla and Arnab Roy
Abstract: This paper defines an ideal functionality for delegation of web access to a third-party where the authentication mechanism is
password-based. We give a universally-composable (UC) realization of this ideal functionality assuming the availability of an SSL-like ideal functionality. We also show that this implementation can be further refined to give a browser based implementation whenever the browser supports https redirection. This implementation matches the
'Authorization Code' mode of the OAuth Version 2.0 Internet draft
proposal, with the additional requirement that the third-party along
with the Authorization Server must support an SSL-like functionality.
From the universally-composable perspective, our ideal functionality
definition is novel in the respect that it does not require the three
parties to decide on a session identifier in advance, which is usually assumed in a UC setting. This allows us to realize the ideal
functionality without any wrapper code, and thus exactly matching the
desired protocol in the OAuth standard.
Category / Keywords: OAuth, UC, SSL, TLS, Delegation, Password-based Key Exchange
Date: received 25 Sep 2011, last revised 26 Sep 2011
Contact author: csjutla at us ibm com
Available formats: Postscript (PS) | Compressed Postscript (PS.GZ) | PDF | BibTeX Citation
Note: Minor edit on page 2.
Version: 20110926:183028 (All versions of this report)
Discussion forum: Show discussion | Start new discussion
[ Cryptology ePrint archive ]