Using attribute-based access control in OAuth 2.0

Aleksandr V. Belovodov, Olga R. Laponina


This article is a research paper on the possibilities of applying role-based access control (RBAC) and attribute-based access control (ABAC) together using the OAuth 2.0 open authorization protocol. The article discusses the basic concepts associated with authorization models, attributes, and how existing solutions face a number of problems in the modern world, as well as possible methods for solving them. The article proposes a model for attribute-based access control for cross-domain origins using an API. The model includes basic architectural solutions and principles of ABAC and OAuth. The ABAC authorization service is considered as a microservice or a set of microservices. This will ensure architecture and deployment compatibility with microservice-based applications. Combining the capabilities of OAuth 2.0 and ABAC will enable an end-to-end security model that can protect customer and employee privacy, business-critical transactions, and most sensitive data across the API gateway. It is also possible to filter the response message. This is important if the API call is to retrieve a record of data from a student, bank, or medical card, as these may contain sensitive or private data elements that should be filtered based on the caller's credentials.

Full Text:

PDF (Russian)


OWASP Top Ten, “Top 10 Web Application Security Riskss”,, accessed at 2021.

Klejkomb, U., Hut, K. L., Flinn, L., Makintajr, D. M., & Levellen, T. (2012). Hronologicheskij analiz sabotazha s insajderskoj ugrozoj: predvaritel'nye nabljudenija. J. Wirel. Mob. Seti Vezdesushhego Komp'jutera. Nadezhnoe prilozhenie, 3, 4-20.

Al'-Ahmad, U. (2013). Podrobnaja strategija upravlenija bezopasnost'ju korporacii v kibervojne. Mezhdunarodnyj zhurnal kiberbezopasnosti i cifrovoj kriminalistiki, 2 (4), 1-9.

Soluade, O. A., i Opara, Je. U. (2014). Narushenija bezopasnosti, setevye jeksplojty i ujazvimosti: zagadka i analiz. Mezhdunarodnyj zhurnal kiberbezopasnosti i cifrovoj kriminalistiki, 3 (4), 246-261.

Brikli, Dzh. K., Thakur, K., Kamruzzaman, A. S. (2021). Sravnitel'nyj analiz tehnicheskih i netehnicheskih sredstv zashhity ot fishinga. Mezhdunarodnyj zhurnal kiberbezopasnosti i cifrovoj kriminalistiki, 10 (1), 28-41.5. B. V. Ljempson. Zashhita. ACM SIGOPS Operating System Review, 8(1):18-24, janvar' 1974.

H. L. F. Ravi S. Sandhu, Jedvard Dzh. Kojn i K. Je. Juman. Modeli upravlenija dostupom na osnove rolej. IEEE Komp'juter, 29(2): 38-47, fevral' 1996 goda.

H. Dzhin, R. Krishnan i R. S. Sandhu. Unificirovannaja model' upravlenija dostupom na osnove atributov, ohvatyvajushhaja DAC, MAC i RBAC. DBSec, 12:41-55, 2012.

D. Hardt, Ed, “The OAuth 2.0 Authorization Framework”, IETF, 2012.

Bilbie, A., “A Guide To OAuth 2.0 Grants”,, accessed at July 2019.


  • There are currently no refbacks.

Abava  Кибербезопасность FRUCT 2023

ISSN: 2307-8162