PERFORMANCE EVALUATION OF THE SECURITY LEVEL OF OAUTH 2.0 IN THE IMPLEMENTATION OF AUTHORIZATION SYSTEMS FOR ACCESS TO WEB RESOURCES ON CLOUD-BASED PLATFORMS
Abstract
The demand for remote access has grown exponentially, making it difficult for users to maintain a separate account for each service they use. In the traditional client-server authentication model, clients enter their credentials, usually a username and password, to request a restricted resource from the server. This process has several drawbacks: reduced confidentiality, user susceptibility to phishing, full (rather than scoped) access to resources, and limited reliability. The purpose of this paper was to assess the security level of access control over resources on cloud-based platforms by implementing two real scenarios, one with a traditional authentication system and the other with an access authorization system built on the OAuth2 framework. To reach this goal, an infrastructure was created using virtualization, in which clients send requests to the server that owns the resources, which in turn communicates through APIs with a database server in AWS. The OWASP project was used to analyze the vulnerabilities in both scenarios, studying the exposure of confidential information, the level of access to resources and alert control, along with system response time parameters to measure their efficiency. The results showed that implementing OAuth2 as the basis for an authorization system improves the security of client-server message exchange through the use of tokens, reduces the exposure of confidential information, facilitates access to resources on different platforms and makes it easy to assign roles and levels of access to resources.
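The two scenarios the abstract compares, as an added illustration that is not code from the paper: a resource server that in the traditional mode receives the password with every request and grants full access, versus an OAuth2-style mode in which a signed, expiring token carrying scopes is checked instead. The user, resources, scope names and the HMAC-signed token format are constructed for the example; a real deployment would use the authorization server's own token format (e.g. JWT) and key management.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Constructed sample data: one user and two protected resources, each mapped to a scope.
USERS = {"alice": "correct horse battery staple"}
RESOURCES = {
    "profile": {"scope": "profile:read", "data": "alice's profile"},
    "billing": {"scope": "billing:read", "data": "alice's invoices"},
}
SIGNING_KEY = b"constructed-demo-key"  # placeholder for the authorization server's secret

# Scenario 1 (traditional): the password is sent with every request; a match grants full access.
def traditional_access(resource, username, password):
    if not hmac.compare_digest(USERS.get(username, ""), password):
        return None
    return RESOURCES[resource]["data"]  # no scoping: any resource is readable

# Scenario 2 (OAuth2-style): a signed, expiring, scoped token replaces the password on the wire.
def issue_token(subject, scopes, ttl=300, now=None):
    now = time.time() if now is None else now
    payload = json.dumps({"sub": subject, "scope": scopes, "exp": now + ttl}).encode()
    tag = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return ".".join(base64.urlsafe_b64encode(p).decode() for p in (payload, tag))

def validate_token(token, now=None):
    """Return the claims if the signature verifies and the token is unexpired, else None."""
    now = time.time() if now is None else now
    try:
        payload_b64, tag_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except (ValueError, binascii.Error):
        return None  # malformed token
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # tampered or forged
    claims = json.loads(payload)
    return None if claims["exp"] <= now else claims  # reject expired tokens

def oauth_access(resource, token, now=None):
    """Resource server check: the token must be valid AND carry the scope this resource needs."""
    claims = validate_token(token, now)
    if claims is None or RESOURCES[resource]["scope"] not in claims["scope"]:
        return None
    return RESOURCES[resource]["data"]
```

The resource server in the second mode never handles the password, and a token minted for `profile:read` cannot read billing data, which is the reduced exposure and scoped access the abstract reports.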
Article Details
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.