OAuth2.0 and VCs

Hi,
I would like to share with you a paper we have written that will be presented at IEEE ICCCN 2021 (http://www.icccn.org/). You can find the paper here (https://arxiv.org/abs/2104.11515). We tried to couple OAuth 2.0 flows with JWT/JWS and VCs in order to implement capabilities-based access control. Our goal was to show gains with minimal changes. Some things that might be of interest:

* We used Proof-of-Possession Key Semantics for JSON Web Tokens (RFC 7800) instead of credentialSubject `id`
* We used OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP) (https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/) for proving VC ownership
* We discuss how Revocation list 2020 has better privacy properties compared to RFC 7662 (which can be used for examining the status of an access token)

Moreover, I have to clarify that JWT/JWS encoding was just a design choice and Linked-Data proofs can be used instead. Moreover, and as we discuss in the paper, zcaps can be used instead of VCs. I believe that examining the use of OAuth 2.0 for granting VCs/zcaps has value, especially if the subjects are not humans, e.g., for issuing VCs/zcaps for IoT devices.

Best,
Nikos

--
Nikos Fotiou - http://pages.cs.aueb.gr/~fotiou
Researcher - Mobile Multimedia Laboratory
Athens University of Economics and Business
https://mm.aueb.gr

Received on Monday, 26 April 2021 11:23:01 UTC
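As an added illustration (not code from the paper above or from its authors), the following Go program models the first two points of the message: the issuer places the holder's public key in the VC-JWT's `cnf` claim (RFC 7800, here as an Ed25519 JWK in the RFC 8037 form) instead of a `credentialSubject` id, and the holder proves possession by signing a DPoP-style proof over the method and URL of each request. The issuer identifier, the capability string, the resource URL and the 60-second acceptance window are constructed assumptions; the compact-JWS helpers are hand-rolled to keep the example dependency-free rather than taken from a JOSE library, and the VC-JWT claim layout is a simplification. The verifier checks the VC signature against the trusted issuer key, then verifies the proof only with the key the issuer bound in `cnf`, checks that the proof is for this request and fresh, and rejects replays by `jti`.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// VCClaims is a simplified VC-JWT payload; the holder is bound via cnf.jwk (RFC 7800), not a subject id.
type VCClaims struct {
	Iss string                       `json:"iss"`
	Cnf map[string]map[string]string `json:"cnf"` // {"jwk": {"kty": ..., "crv": ..., "x": ...}}
	VC  struct {
		Type    []string          `json:"type"`
		Subject map[string]string `json:"credentialSubject"`
	} `json:"vc"`
}

// DPoPClaims is the DPoP proof payload binding one HTTP request (method, URL) to the holder's key.
type DPoPClaims struct { Htm string `json:"htm"`; Htu string `json:"htu"`; Iat int64 `json:"iat"`; Jti string `json:"jti"` }

type Verifier struct{ IssuerPub ed25519.PublicKey; Seen map[string]bool } // trusted issuer key + jti replay cache (Seen must be initialised)

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }
func jwkOf(pub ed25519.PublicKey) map[string]string { return map[string]string{"kty": "OKP", "crv": "Ed25519", "x": b64(pub)} }

// signJWS produces a compact EdDSA JWS: base64url(header).base64url(payload).base64url(signature).
func signJWS(header map[string]any, claims any, key ed25519.PrivateKey) string {
	h, _ := json.Marshal(header)
	p, _ := json.Marshal(claims)
	input := b64(h) + "." + b64(p)
	return input + "." + b64(ed25519.Sign(key, []byte(input)))
}

// verifyJWS checks the signature with the key the caller chose and decodes the payload into out.
func verifyJWS(token string, pub ed25519.PublicKey, out any) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 { return errors.New("malformed JWS") }
	sig, errS := base64.RawURLEncoding.DecodeString(parts[2])
	payload, errP := base64.RawURLEncoding.DecodeString(parts[1])
	if errS != nil || errP != nil || !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return errors.New("bad signature")
	}
	return json.Unmarshal(payload, out)
}

// IssueVC: the issuer signs a capability VC whose cnf claim carries the holder's public key.
func IssueVC(issuerKey ed25519.PrivateKey, holderPub ed25519.PublicKey, capability string) string {
	var c VCClaims
	c.Iss = "did:example:issuer" // constructed issuer identifier
	c.Cnf = map[string]map[string]string{"jwk": jwkOf(holderPub)}
	c.VC.Type = []string{"VerifiableCredential", "CapabilityCredential"}
	c.VC.Subject = map[string]string{"capability": capability}
	return signJWS(map[string]any{"alg": "EdDSA", "typ": "JWT"}, c, issuerKey)
}

// MakeDPoPProof: the holder signs a proof for exactly this request with the key referenced by cnf.
func MakeDPoPProof(holderKey ed25519.PrivateKey, method, url, jti string, now time.Time) string {
	header := map[string]any{"typ": "dpop+jwt", "alg": "EdDSA", "jwk": jwkOf(holderKey.Public().(ed25519.PublicKey))}
	return signJWS(header, DPoPClaims{Htm: method, Htu: url, Iat: now.Unix(), Jti: jti}, holderKey)
}

// Authorize verifies the VC, then the DPoP proof against the cnf key, and returns the granted capability.
func (v *Verifier) Authorize(vcJWT, proof, method, url string, now time.Time) (string, error) {
	var vc VCClaims
	if err := verifyJWS(vcJWT, v.IssuerPub, &vc); err != nil {
		return "", errors.New("vc: " + err.Error())
	}
	holderPub, err := base64.RawURLEncoding.DecodeString(vc.Cnf["jwk"]["x"])
	if err != nil || vc.Cnf["jwk"]["kty"] != "OKP" || len(holderPub) != ed25519.PublicKeySize {
		return "", errors.New("vc: unusable cnf key")
	}
	// Verify with the key the issuer bound in cnf, never with the jwk the proof's own header advertises.
	var p DPoPClaims
	if err := verifyJWS(proof, ed25519.PublicKey(holderPub), &p); err != nil {
		return "", errors.New("dpop: " + err.Error())
	}
	if p.Htm != method || p.Htu != url || p.Iat < now.Unix()-60 || p.Iat > now.Unix()+60 {
		return "", errors.New("dpop: proof not bound to this request, or outside the acceptance window")
	}
	if p.Jti == "" || v.Seen[p.Jti] {
		return "", errors.New("dpop: replayed proof")
	}
	v.Seen[p.Jti] = true
	return vc.VC.Subject["capability"], nil
}

func main() {
	issuerKey, holderKey := ed25519.NewKeyFromSeed(make([]byte, 32)), ed25519.NewKeyFromSeed(append(make([]byte, 31), 1)) // fixed seeds only to make the demo reproducible
	v := &Verifier{IssuerPub: issuerKey.Public().(ed25519.PublicKey), Seen: map[string]bool{}}
	vc := IssueVC(issuerKey, holderKey.Public().(ed25519.PublicKey), "read:sensor/42")
	proof := MakeDPoPProof(holderKey, "GET", "https://rs.example/sensor/42", "jti-1", time.Now()) // constructed resource URL
	fmt.Println(v.Authorize(vc, proof, "GET", "https://rs.example/sensor/42", time.Now())) // read:sensor/42 <nil>
	fmt.Println(v.Authorize(vc, proof, "GET", "https://rs.example/sensor/42", time.Now())) // the same proof again is rejected as a replay
}
```

The point the example makes concrete is that a stolen VC is useless on its own: a request must carry a fresh proof signed by the key in `cnf`, and the verifier never trusts the `jwk` the proof's header advertises. The `Seen` map stands in for the bounded, time-scoped `jti` cache a real resource server would keep.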