Building secure healthcare services using OAuth 2.0 and JSON web token in IOT cloud scenario

OAuth 2.0 is a delegated authorization framework that enables secure authorization for applications running on many kinds of platforms. In healthcare services, OAuth lets a patient (the resource owner) seeking real-time clinical care authorize automatic monthly payments from his bank account (the resource server) without having to hand his credentials to the clinic (the client application). OAuth 2.0 achieves this through tokens issued by an authorization server, which grant validated access to a protected resource. To limit exposure, access tokens are short-lived and carry an expiry time, so the clinical application must use a refresh token to obtain a new access token in order to collect monthly payments for the real-time healthcare services it renders. Refresh tokens require secure storage so that they are not leaked, since any malicious party holding one can use it to obtain new access and refresh tokens. Because OAuth 2.0 dropped signatures and relies entirely on SSL/TLS, it is vulnerable to phishing attacks when interoperable APIs are accessed. In this paper, we develop an approach that combines JSON Web Token (JWT) with OAuth 2.0 to request an OAuth access token from the authorization server whenever a client wishes to reuse a previous authentication and authorization. Experimental evaluation confirms that the proposed scheme is practically efficient, removes the secure-storage overhead by eliminating the need to hold or store a refresh token, uses signatures, and prevents several security attacks, all of which is highly desirable in healthcare services built on an IoT cloud platform.
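The exchange the abstract describes, as an added illustration that is not the paper's own code: the clinic client signs a short-lived JWT assertion and presents it to the authorization server in place of a stored refresh token, and the server verifies signature, audience, expiry and replay before issuing a short-lived access token. It assumes HS256 (HMAC-SHA256) over a shared client secret; the client id, server URL and API audience are hypothetical placeholders.

```python
import base64, hashlib, hmac, json, uuid

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_jwt(claims: dict, secret: bytes) -> str:
    """Compact JWS serialisation: header.payload.signature (HS256, constructed example)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def make_assertion(client_id: str, auth_server: str, secret: bytes, now: int, lifetime: int = 60) -> str:
    """Client side: a one-time JWT proving a prior authorization, bound to one server and a short window."""
    claims = {"iss": client_id, "sub": client_id, "aud": auth_server,
              "iat": now, "exp": now + lifetime, "jti": uuid.uuid4().hex}
    return sign_jwt(claims, secret)

def verify_assertion(token: str, secret: bytes, expected_aud: str, now: int, seen_jti: set) -> dict:
    """Authorization-server side: returns the claims or raises ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # fixed verifier; never let the header choose it
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("aud") != expected_aud:
        raise ValueError("wrong audience")
    if now >= claims.get("exp", 0):
        raise ValueError("assertion expired")
    if claims.get("jti") in seen_jti:
        raise ValueError("replayed assertion")
    seen_jti.add(claims["jti"])  # one-time use: the jti is burned on first acceptance
    return claims

def issue_access_token(assertion: str, secret: bytes, auth_server: str, now: int, seen_jti: set, ttl: int = 300) -> dict:
    """Token endpoint: on a valid assertion, mint a short-lived access token and no refresh token."""
    claims = verify_assertion(assertion, secret, auth_server, now, seen_jti)
    access = sign_jwt({"sub": claims["sub"], "aud": "payments-api", "exp": now + ttl}, secret)
    return {"access_token": access, "token_type": "Bearer", "expires_in": ttl}
```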
