As a conventional service for delegating a login of a user, OAuth 2.0 is a standard authentication method for web, mobile, and desktop applications, and adopts an open protocol that can perform secure authentication. Before OAuth, there was no authentication standard, so a basic form of authentication, i.e., a combination of an ID and a password, was used, but this is a weak form of authentication. In the case of non-basic authentication, each application verified the user using its own protocol, such as Google's AuthSub, AOL's OpenAuth, Yahoo's BBAuth, Amazon's Web Services API, etc. OAuth is an authentication method that standardizes such various authentication methods, and applications that use the OAuth authentication method do not need to authenticate each other. As a result, integrated use of multiple applications becomes possible, and OAuth 2.0 is the latest version of OAuth. This OAuth 2.0 approach is outlined below.
When the user wishes to use a service provided by a service-providing server, an authentication request for login is transmitted from a user device of the user to the service-providing server, according to the user's operation.
The service-providing server that has received the authentication request transmits login information to an authentication server. Then the authentication server verifies the login information and if the verification is successfully completed, returns authorization information to the service-providing server.
According to the authorization information, the service-providing server transmits authorization transfer information to the user device, and the user device that received the authorization transfer information transmits information requesting an access token to the authentication server, thereby obtaining the access token issued by the authentication server. Then, since the user device can send a request for a resource related to the service to the service-providing server by using the access token, the login delegation is completed.
Meanwhile, the service-providing server may request the authentication server to verify the access token in order to confirm whether the access token obtained from the user device is valid, and in response, the authentication server may return attribute information on the user.
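The exchange described above, as an added example that is not part of the disclosure: a hypothetical authentication server that verifies login information, returns authorization information as a single-use code bound to the requesting service server, issues an access token when the user device redeems that code, and verifies a token by returning the user's attributes. The class and function names, the code and token lifetimes, and the sample user are assumptions.

```python
import hashlib, hmac, secrets, time

def _pw_hash(salt: bytes, password: str) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()

class AuthenticationServer:
    """Verifies login info, returns authorization info (a one-time code), issues
    access tokens, and verifies tokens by returning the user's attributes."""
    def __init__(self):
        self.users, self.codes, self.tokens = {}, {}, {}

    def register(self, user_id, password, attributes):
        salt = secrets.token_bytes(16)
        self.users[user_id] = (salt, _pw_hash(salt, password), attributes)

    def verify_login(self, user_id, password, client_id):
        rec = self.users.get(user_id)
        if rec is None or not hmac.compare_digest(_pw_hash(rec[0], password), rec[1]):
            return None                       # ID/password mismatch: nothing is authorized
        code = secrets.token_urlsafe(16)      # authorization info: single use, client bound
        self.codes[code] = (user_id, client_id, time.time() + 60)
        return code

    def issue_access_token(self, code, client_id):
        entry = self.codes.pop(code, None)    # pop: a code redeems exactly once
        if entry is None or entry[1] != client_id or entry[2] < time.time():
            return None
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (entry[0], time.time() + 3600)
        return token

    def verify_access_token(self, token):
        entry = self.tokens.get(token)
        if entry is None or entry[1] < time.time():
            return {"active": False}
        return {"active": True, "user": self.users[entry[0]][2]}

def run_login_delegation(auth, user_id, password, client_id="service-server"):
    """Service server forwards login info, gets authorization info, the user device
    redeems it for an access token, and the service server verifies that token."""
    code = auth.verify_login(user_id, password, client_id)
    if code is None:
        return {"active": False}
    token = auth.issue_access_token(code, client_id)   # done by the user device
    return auth.verify_access_token(token)              # done by the service server

if __name__ == "__main__":
    srv = AuthenticationServer()
    srv.register("alice", "correct horse", {"name": "Alice"})   # constructed sample user
    print(run_login_delegation(srv, "alice", "correct horse"), run_login_delegation(srv, "alice", "nope"))
```

The token verification step returns only the user's attributes, never the password material, which is why the service server can rely on it without ever seeing the credentials.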
Since the conventional OAuth authentication process is performed only by checking whether a user ID (user identification information) and a password match their stored counterparts, it remains vulnerable to a stolen user ID and password. A certificate that could be introduced for tighter security, for example a conventional public certificate, generally requires a large issuing cost and is inconvenient to use. Therefore, a certificate based on a blockchain, which is much more secure and usable, is preferred as a replacement for the conventional public certificate.
Therefore, the inventors of the present disclosure propose a method that delegates authentication of individuals or servers, and that is more secure and supports more varied configurations than the conventional OAuth 2.0 protocol, by using a blockchain-based technique in addition to the conventional OAuth 2.0 protocol.