Building secure healthcare services using OAuth 2.0 and JSON web token in IOT cloud scenario

Abstract

OAuth 2.0 is a delegated authorization framework enabling secure authorization for applications running on various kinds of platforms. In healthcare services, OAuth allows the patient (resource owner) seeking real time clinical care to authorize automatic monthly payments from his bank account (resource server) without the patient being required to supply his credentials to the clinic (client app). OAuth 2.0 achieves this with the help of tokens issued by an authorization server which enables validated access to a protected resource. To ensure security, access tokens have an expiry time and are short-lived. So the clinical app may use a refresh token to obtain a new access token to cash monthly payments for rendering real time health care services. Refresh tokens need secure storage to ensure they are not leaked, since any malicious party can use them to obtain new access and refresh tokens. Since OAuth 2.0 has dropped signatures and relies completely on SSL/TLS, it is vulnerable to phishing attack when accessing interoperable APIs. In this paper, we develop an approach that combines JSON web token (JWT) with OAuth 2.0 to request an OAuth access token from authorization server when a client wishes to utilize a previous authentication and authorization. Experimental evaluation confirms that the proposed scheme is practically efficient, removes secure storage overhead by removing the need to have or store refresh token, uses signature and prevents different security attacks which is highly desired in health care services using an IOT cloud platform.