OAuth 2.0 meets Verifiable Credentials and Ethereum-based tokens
by Nikos Fotiou
In this talk we will discuss the integration of W3C’s Verifiable Credentials (VCs) and blockchain-based tokens into the OAuth 2.0 workflow. Both of these technologies encourage decentralization, facilitate self-sovereignty, and enable novel services. We will present a solution, developed in the context of the H2020 project SOFIE, that implements an OAuth 2.0 authorization server which uses VCs as the “authorization grant” and supports the generation of JSON Web Tokens (JWTs), complemented by blockchain-based tokens. The use of VCs as an authorization grant offers some intriguing advantages. For instance, VCs facilitate access control enforcement, since they encode the attributes of a “prover” in a machine-readable and cryptographically verifiable format and allow “verifiers” to be pre-configured with “proof requests”, which can be evaluated without any knowledge of the underlying semantics. Furthermore, VCs can be used as a privacy-preserving mechanism and they facilitate interoperability. Similarly, blockchain-based tokens enable auditability and accountability, and they allow a JWT to be modified even after it has been issued (for example, it can be revoked). This is achieved by recording auxiliary information in the blockchain, which is accessed at the time the JWT is validated by the resource server. Using this approach, the smart contract becomes an asynchronous communication channel between the authorization server and the resource server; clients do not have to be aware of this channel, so many of the proposed advantages are achieved even if clients are oblivious to the existence of the blockchain. Furthermore, blockchain-based tokens enable novel services, such as fair exchange and token delegation.
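The revocation path described above, with the smart contract acting as an asynchronous channel between the authorization server and the resource server, as an added example that is not part of the SOFIE implementation: the on-chain ERC-721 state is stood in for by a Python dict, the JWT is assumed to be HS256-signed with a shared secret, and the `token_id` claim linking a JWT to its on-chain token is an assumed claim name.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed shared secret for HS256 (example only, not the project's key material).
AS_SECRET = b"example-authorization-server-secret"

# Stand-in for the smart contract state: token_id -> {"owner": client_id, "revoked": bool}.
CHAIN = {}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_jwt(client_id: str, scope: str, token_id: int, ttl: int = 3600, now=None) -> str:
    """Authorization server: 'mint' the on-chain token, then issue a JWT that references it."""
    now = int(time.time()) if now is None else now
    CHAIN[token_id] = {"owner": client_id, "revoked": False}
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = {"sub": client_id, "scope": scope, "iat": now, "exp": now + ttl, "token_id": token_id}
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(AS_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def revoke(token_id: int) -> None:
    """Authorization server: flip the on-chain flag; the client is never contacted."""
    CHAIN[token_id]["revoked"] = True


def validate(jwt: str, now=None) -> Optional[dict]:
    """Resource server: check signature and expiry locally, then consult the chain."""
    now = int(time.time()) if now is None else now
    try:
        header, payload, sig = jwt.split(".")
    except ValueError:
        return None
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":  # reject alg confusion
        return None
    expected = hmac.new(AS_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    claims = json.loads(_b64url_decode(payload))
    if claims.get("exp", 0) <= now:
        return None
    record = CHAIN.get(claims.get("token_id"))  # the on-chain lookup at validation time
    if record is None or record["revoked"] or record["owner"] != claims.get("sub"):
        return None
    return claims
```

A real deployment would read the token state from the contract over an Ethereum RPC rather than from `CHAIN`; the JWT checks themselves are unchanged.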
We will discuss implementation and deployment issues, as well as performance measurements, based on our experience from implementing the proposed approach using Hyperledger Indy, an open source solution for generating and consuming VCs, supported by the Linux Foundation, and Ethereum’s ERC-721, a specification for generating non-fungible tokens that is already supported by many Ethereum “wallets”.