We propose a capability-based access control technique for sharing Web
resources, based on Verifiable Credentials (VCs) and OAuth 2.0. VCs are a
secure means for expressing claims about a subject. Although VCs are ideal for
encoding capabilities, the lack of standards for exchanging and using VCs
impedes their adoption and limits their interoperability. We mitigate this
problem by integrating VCs into the OAuth 2.0 authorization flow. To this end,
we propose a new form of OAuth 2.0 access token based on VCs. Our approach
leverages JSON Web Tokens (JWT) to encode VCs and takes advantage of JWT-based
mechanisms for proving VC possession. Our solution not only requires minimal
changes to existing OAuth 2.0 code bases, but it also removes some of the
complexity of verifying VC claims by relying on JSON Web Signatures: a simple,
standardized, and well-supported signature format. Additionally, we fill the
gap of VC generation processes by defining a new protocol that leverages the
OAuth 2.0 “client credentials” grant.
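The following is an added, constructed illustration of the token layout the abstract describes: a VC carried in the `vc` claim of a JWT that serves as the OAuth 2.0 access token, bound to the client's key through an RFC 7800 `cnf` claim, and checked by the resource server as an ordinary JWS. It is not the paper's own code; the issuer and resource URLs, the `pop+jwt` header type, the key registry and the DPoP-style proof claims (`htm`, `htu`, `ath`) are assumptions made for the demo. HS256 with shared secrets keeps it dependency-free; a real deployment would use asymmetric keys with a `cnf.jwk` confirmation.

```python
"""Constructed demo: a capability VC as a JWT-form OAuth 2.0 access token,
proof of possession via `cnf` (RFC 7800), verified as a plain JWS (stdlib only)."""
import base64
import hashlib
import hmac
import json

AS_KEY = b"authorization-server-secret (constructed)"            # AS signs access tokens
CLIENT_KEYS = {"client-key-1": b"client-pop-secret (constructed)"}  # hypothetical RS key registry
RS_URL = "https://rs.example"                                       # constructed audience


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def jws_sign(payload: dict, key: bytes, typ: str) -> str:
    """Compact JWS, HS256. `typ` separates access tokens from PoP proofs so one cannot pose as the other."""
    header = {"alg": "HS256", "typ": typ}
    signing_input = ".".join(b64url(json.dumps(x, separators=(",", ":")).encode()) for x in (header, payload))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def jws_verify(token: str, key: bytes, typ: str) -> dict:
    """Verify with a pinned algorithm and expected `typ`; return the payload or raise ValueError."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed JWS")
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256" or header.get("typ") != typ:
        raise ValueError("unexpected header")  # the token never gets to choose the algorithm
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p))


def issue_vc_access_token(subject: str, pop_kid: str, resource: str, actions: list, now: int) -> str:
    """Authorization server: wrap the capability VC in the `vc` claim and bind the token to the
    client's key via `cnf` (RFC 7800). `at+jwt` is the RFC 9068 access-token type."""
    payload = {
        "iss": "https://as.example", "aud": RS_URL, "iat": now, "exp": now + 300,
        "cnf": {"kid": pop_kid},
        "vc": {
            "@context": ["https://www.w3.org/2018/credentials/v1"],
            "type": ["VerifiableCredential"],
            "credentialSubject": {"id": subject, "capability": {"resource": resource, "actions": actions}},
        },
    }
    return jws_sign(payload, AS_KEY, typ="at+jwt")


def make_pop_proof(access_token: str, kid: str, method: str, uri: str, now: int) -> str:
    """Client: sign a proof tied to this token (`ath`) and this request (`htm`, `htu`), DPoP-style."""
    claims = {"htm": method, "htu": uri, "iat": now,
              "ath": b64url(hashlib.sha256(access_token.encode()).digest())}
    return jws_sign(claims, CLIENT_KEYS[kid], typ="pop+jwt")  # `pop+jwt` is a constructed type name


def authorize(access_token: str, proof: str, method: str, uri: str, action: str, now: int) -> dict:
    """Resource server: signature, audience, lifetime, key binding, request binding, then capability."""
    def deny(reason: str) -> dict:
        return {"granted": False, "reason": reason}
    try:
        at = jws_verify(access_token, AS_KEY, "at+jwt")
    except ValueError as e:
        return deny(f"access token: {e}")
    if at.get("aud") != RS_URL or not (at["iat"] <= now < at["exp"]):
        return deny("access token not valid for this RS or time")
    kid = at.get("cnf", {}).get("kid")
    if kid not in CLIENT_KEYS:
        return deny("unknown confirmation key")
    try:
        pop = jws_verify(proof, CLIENT_KEYS[kid], "pop+jwt")
    except ValueError as e:
        return deny(f"proof: {e}")
    if pop.get("htm") != method or pop.get("htu") != uri or abs(now - pop.get("iat", 0)) > 60:
        return deny("proof not bound to this request")
    if pop.get("ath") != b64url(hashlib.sha256(access_token.encode()).digest()):
        return deny("proof not bound to this token")
    cap = at["vc"]["credentialSubject"]["capability"]
    if cap["resource"] != uri or action not in cap["actions"]:
        return deny("capability does not cover this request")
    return {"granted": True, "capability": cap}


if __name__ == "__main__":
    t = 1_700_000_000
    tok = issue_vc_access_token("did:example:alice", "client-key-1", RS_URL + "/docs/1", ["read"], t)
    pr = make_pop_proof(tok, "client-key-1", "GET", RS_URL + "/docs/1", t + 5)
    print(authorize(tok, pr, "GET", RS_URL + "/docs/1", "read", t + 5))
```

The resource server never parses the VC's proof section: the JWS signature over the whole JWT already covers the `vc` claim, which is the simplification the abstract refers to. The `ath` binding is what makes a leaked access token useless without the client's confirmation key; the `typ` check is what stops a proof JWT from being replayed as an access token.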

