A Study of OAuth 2.0 Risk Notification and Token Revocation from Resource Server

OAuth was created to simplify authentication procedure. OAuth is a protocol that allows access to the user’s assets in 3rd party web sites or applications without exposing the user’s identity and credential. OAuth can be used to grant the access rights for the user without exposing the user’s information to third parties. By utilizing the Token issued by the Authorization Server, client is able to gain access to the resources in the Resource Server. However, in current standards, the restrictions of token usage are not clearly defined. Although it specified Token expiration time, in reality, malicious client can reuse the Token to access Resource server. The existing Token Revocation operation has been carried out in a way that the client performs Revocation by requesting to the Authorization Server when special cases occur such as logout or identity change by resource owner. The revocation does not happen for the case that malicious code targets the Resource Server. This paper proposes a method for revoking the Token by requesting Revocation when the Resource Server performs abnormal behaviors by using Token.