OAuth is an authorization protocol developed as a way for Internet users to grant websites or applications access to their information held on other websites without giving those websites or applications their passwords. It is commonly deployed alongside OpenID so that a single identity can be used across affiliated services. The OAuth protocol specifies a process by which the websites and applications share the result of one authentication without requiring a separate authentication procedure at each of them. That is, the OAuth protocol is a protocol by which a resource owner (the user) authorizes a client (a third-party website or application) to access the owner's resources without disclosing the owner's credentials or identifiers to that client.
In addition, OAuth has been repeatedly revised, from OAuth Core 1.0 in December 2007 to the current OAuth 2.0, in order to set access permissions per client and to prevent the user's credentials from being exposed to a third party. Under the OAuth protocol, a client acquires access to resources held by a resource server by presenting an access token issued by an authorization server.
However, the currently effective OAuth protocol does not specify a limit on the number of times a token may be presented by a client; until the token expires or is revoked, every presentation is accepted.
Therefore, when the OAuth protocol is used, a malicious client that has already acquired a legitimate token, or an attacker who has intercepted one, can access the resource server repeatedly with that token in an attempt to carry out malicious activities.
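The following Python program is an added illustration of the reuse problem described above and of one possible countermeasure; it is not part of the original text and does not represent the method claimed by this document. It models an authorization server that issues opaque bearer tokens and a resource server that accepts them. The class and method names (AuthorizationServer, ResourceServer, issue, introspect, handle) and the per-token use counter are assumptions made for the illustration: with no use limit, a token that has leaked can be replayed indefinitely until it expires, whereas a token issued with a maximum use count is rejected once that count is reached.

```python
import secrets
import time

# Constructed, self-contained model of the OAuth token flow discussed above.
# Names and the "max_uses" attribute are assumptions for this illustration,
# not part of the OAuth specification or of the method described on this page.


class AuthorizationServer:
    """Issues opaque bearer tokens and answers introspection requests."""

    def __init__(self):
        # token -> record of subject, granted scope, expiry and use accounting
        self._tokens = {}

    def issue(self, subject, scope, ttl=300, max_uses=None, now=None):
        """Issue a random bearer token.

        max_uses=None reproduces conventional OAuth behaviour: the token is
        valid for any number of presentations until it expires.
        """
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._tokens[token] = {
            "sub": subject,
            "scope": set(scope),
            "exp": now + ttl,
            "uses": 0,
            "max_uses": max_uses,
        }
        return token

    def revoke(self, token):
        self._tokens.pop(token, None)

    def introspect(self, token, now=None):
        """Validate a token and count the presentation.

        Returns a dict in the spirit of an introspection response: the
        "active" flag plus subject and scope when the token is accepted.
        """
        now = time.time() if now is None else now
        rec = self._tokens.get(token)
        if rec is None or rec["exp"] <= now:
            return {"active": False, "reason": "unknown or expired"}
        # Added countermeasure: refuse the token once its use budget is spent.
        if rec["max_uses"] is not None and rec["uses"] >= rec["max_uses"]:
            return {"active": False, "reason": "use limit exceeded"}
        rec["uses"] += 1
        return {"active": True, "sub": rec["sub"], "scope": rec["scope"]}


class ResourceServer:
    """Protects resources; trusts only what the authorization server reports."""

    def __init__(self, auth_server):
        self._auth = auth_server

    def handle(self, token, required_scope, now=None):
        """Return an HTTP-style status: 200 allowed, 401 bad token, 403 wrong scope."""
        info = self._auth.introspect(token, now=now)
        if not info["active"]:
            return 401
        if required_scope not in info["scope"]:
            return 403
        return 200


def demo():
    """Conventional (unlimited) token versus a use-limited token."""
    auth = AuthorizationServer()
    rs = ResourceServer(auth)
    t0 = 1_000_000.0

    # Conventional OAuth: a leaked token can be replayed as often as desired.
    unlimited = auth.issue("alice", {"read"}, now=t0)
    replays = [rs.handle(unlimited, "read", now=t0 + 1) for _ in range(50)]

    # Use-limited token: the fourth presentation is refused.
    limited = auth.issue("alice", {"read"}, max_uses=3, now=t0)
    limited_results = [rs.handle(limited, "read", now=t0 + 1) for _ in range(4)]

    return replays, limited_results


if __name__ == "__main__":
    print(demo())
```

The resource server never inspects the token itself; every decision comes from the authorization server's introspection answer, which is where a use budget, an expiry or a revocation list can be enforced centrally.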
In particular, in conventional OAuth, when the authentication information of the user is hijacked by an attacker, the attacker can access all of the affiliated services associated with the corresponding OpenID, because each of them accepts the shared authentication without any further check.
Therefore, there is a need for a new security mechanism, compatible with OAuth, that can effectively protect the user's authentication information, including personal information, from external attacks while still allowing authentication to be shared among applications without a separate authentication procedure.