
fimbault's personal weblog

submitted by
Style Pass
2021-05-20 13:56:56

This blog article is a longer, preprint version of a peer-reviewed article co-authored with Justin Richer and Aaron Parecki that has been accepted as a short paper at the Open Identity Summit 2021. The final paper shall be published by LNI.

The Grant Negotiation and Authorization Protocol, also known as GNAP, is currently being formulated in an IETF working group. Its objective is to take into account the experience gained from OAuth 2 and its large ecosystem. GNAP therefore offers an opportunity to reflect on the strengths and weaknesses of existing authorization frameworks (OAuth 2 in particular) and to highlight new directions for improving digital access. We compare GNAP with the approach taken by OAuth 2 and show that designing authorization servers primarily as “token issuers” has significant consequences for security and privacy.

The year was 2012, and an authorization protocol called OAuth 2 (Open Authorization 2) swept the web, allowing users to log in to websites easily through security providers. Coupled with OpenID, OAuth 2 enables an end-user to “authenticate with” one of their providers (Google, Facebook, GitHub, etc.) to a completely different website or application, thereby removing the need to define yet another password.
