ROAuth: Recommendation Based Open Authorization
Many major online platforms, such as Facebook, Google, and Twitter, provide an open Application Programming Interface (API) that allows third-party applications to access user resources. The Open Authorization protocol (OAuth) was introduced as a secure and efficient method for authorizing third-party applications without releasing a user's access credentials. However, OAuth implementations do not provide the necessary fine-grained access control, nor any recommendations about which access control decisions are most appropriate. We propose an extension to OAuth 2.0 authorization that enables the provisioning of fine-grained authorization recommendations to users when they grant permissions to third-party applications. We propose a mechanism that computes permission ratings based on a multi-criteria recommendation model which uses previous user decisions and application requests to enhance the privacy of the site's overall user population. We implemented our proposed OAuth extension as a browser extension (for both Firefox and Google Chrome) that allows users to easily configure their privacy settings at application installation time, provides recommendations on requested privacy attributes, and collects data regarding user decisions. Download our FBSecure Firefox or Google Chrome plugin.
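The abstract describes rating each requested permission from previous user decisions and application requests. The following is an added illustration of that idea and is not the ROAuth implementation or the paper's recommendation model: it assumes a hypothetical history of (application, permission, granted?) decisions, constructed inline, and a simple shrinkage formula that blends an application's own grant rate for a permission with the site-wide grant rate for that permission, so that a new application with little history is judged mostly by how users treat that permission in general. The threshold, the prior weight, and the data are assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample of previous user decisions (hypothetical data, not from
# the paper): (application id, requested permission, user granted?)
HISTORY = [
    ("app_photos", "user_photos", True),
    ("app_photos", "user_photos", True),
    ("app_photos", "user_photos", False),
    ("app_photos", "read_inbox", False),
    ("app_photos", "read_inbox", False),
    ("app_quiz", "user_photos", False),
    ("app_quiz", "publish_stream", False),
    ("app_quiz", "publish_stream", True),
    ("app_quiz", "email", True),
    ("app_cal", "email", True),
    ("app_cal", "email", True),
    ("app_cal", "read_inbox", False),
]


@dataclass
class Rating:
    permission: str
    app_rate: float        # grant rate for this (app, permission) pair
    global_rate: float     # site-wide grant rate for this permission
    score: float           # blended rating shown to the user
    recommend_grant: bool  # True only when evidence favours granting


def grant_rates(history):
    """Aggregate grant counts per (app, permission) and per permission."""
    per_app = defaultdict(lambda: [0, 0])   # (app, perm) -> [grants, total]
    per_perm = defaultdict(lambda: [0, 0])  # perm -> [grants, total]
    for app, perm, granted in history:
        for bucket in (per_app[(app, perm)], per_perm[perm]):
            bucket[0] += int(granted)
            bucket[1] += 1
    return per_app, per_perm


def rate_permission(app, perm, per_app, per_perm, prior_weight=2.0, threshold=0.5):
    """Assumed rating model: shrink the app-specific grant rate toward the
    site-wide rate, weighting the site-wide rate as `prior_weight` extra
    observations. A permission nobody has decided on yet is rated neutral."""
    g_app, n_app = per_app.get((app, perm), (0, 0))
    g_all, n_all = per_perm.get(perm, (0, 0))
    global_rate = g_all / n_all if n_all else 0.5
    app_rate = g_app / n_app if n_app else global_rate
    score = (g_app + prior_weight * global_rate) / (n_app + prior_weight)
    # Strict comparison: neutral evidence does not recommend granting.
    return Rating(perm, app_rate, global_rate, score, score > threshold)


def recommend(app, requested_scope, history=HISTORY):
    """Rate every permission in an application's requested scope."""
    per_app, per_perm = grant_rates(history)
    return [rate_permission(app, p, per_app, per_perm) for p in requested_scope]


if __name__ == "__main__":
    for app, scope in (("app_photos", ["user_photos", "read_inbox"]),
                       ("app_new", ["email", "unknown_perm"])):
        for r in recommend(app, scope):
            verdict = "grant" if r.recommend_grant else "deny"
            print(f"{app:11} {r.permission:14} score={r.score:.2f} -> {verdict}")
```

In this toy model an application with no history is rated by the site-wide behaviour for each permission, and a permission that users of the same application have consistently denied (read_inbox above) is rated low even though it is still requested, which is the kind of signal the abstract describes surfacing to the user at installation time.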
- Mohamed Shehab, Said Marouf, Christopher Hudel, ROAuth: Recommendation Based Open Authorization, Proceedings of the 7th Symposium on Usable Privacy and Security (SOUPS), Pittsburgh, PA, July, 2011. [SOUPS 2011 PDF]
- Google Research Award, “Third Party Application Policy Management in Social Networks”, PI: Mohamed Shehab, 2011-2012.