OAuth在多域中以角色為基礎存取控制延展

Abstract

隨著雲端運算、社群網路的快速發展，多域中的存取控制顯得越來越重要。而在我們的生活中，跨域中的存取控制也隨時隨地的在發生，不論是利用Facebook的授權做為身分驗證去加入一個新的網站，或是利用列印服務去列印放在雲端硬碟上的報告，都是多域中存取控制中一些明顯例子。 除了上述所說這些簡單的應用外，還有需多需要複雜的多域中的存取控制的案例，例如在各醫院間病人病歷的互通，和在緊急災難發生時逃生資訊的釋放。在這些情況，需要嚴格的控管哪些資料能授權，並且確保所有授權都能符合「最小許可權原則」。傳統的多域中的存取控制機制並不符合這些情況的需求。 有鑑於此，本論文提出一個在多域中符合最小許可權原則的存取控制機制。且為了相容於開放標準，我們選擇以OAuth 2.0授權協定做為基礎架構，並做了兩個延伸，加入強制性存取控制和角色的觀念，使OAuth2.0授權伺服器有執行以角色為基礎的存取控制機制的能力，並以此達到最小許可權原則。

With the rapid popularity of the cloud computing and social network, multi-domain access control has become more and more important. No matter you regis¬ter new web site with Facebook account, or use print service to print your photo in the cloud, you all need multi-domain access control.

In addition to these simple multi-domain access control, nowadays we have many complex multi-domain access control situations, for example, exchange of electronic medical records. The principle of least privilege must be applied to these complex situations to ensure that all of the protected data are rigorously regulated. However, the traditional multi-domain access control doesn't implement mandatory access control, so it couldn't handle these situations.

In this research, we propose a multi-domain access control mechanism that implement the principle of least privilege. And in order to be compatible with open standards, we use OAuth2.0 as our infrastructure and propose two extensions. We added a mandatory access control into OAuth2.0 and added role concept into OAuth2.0 scope parameter. With these extensions, the OAuth2.0 authorization server can have the prerogative to limit the scope of information accessible to the users