Trust establishment between OAuth 2.0 resource servers using claims-based authorisation.

Electron. Gov. an Int. J. (2021)

Abstract
The OAuth 2.0 authorisation framework is one of the most commonly used authorisation frameworks. In its specification, many implementation details are loosely defined, including the relationship between resource servers and authorisation servers. This paper presents an approach for establishing trust between servers by using the authorisation server as a broker, and examines an implementation for secure exchange of scholarship information between parties. To specify access rights, claims such as roles and capabilities are assigned to resource servers. These claims are asserted by the authorisation server in the form of access tokens. Instead of relying on shared databases, the issued access tokens are used to exchange messages between resource servers. This approach is useful in scenarios where applications have no shared infrastructure or are implemented by different parties.
Keywords
oauth, authorisation, trust, resource servers, claims-based
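
The brokered flow the abstract describes, as an added example that is not the paper's implementation: one resource server obtains a token from the authorisation server, and the receiving resource server accepts a message only if the broker asserts the required capability for that caller. The abstract does not specify a token format, so opaque tokens checked by introspection at the broker, the claim names (`sub`, `aud`, `roles`, `capabilities`, `exp`), and the class and method names are all assumptions.

```python
import secrets
import time

class AuthorisationServer:
    """Broker: holds each resource server's claims and asserts them in tokens."""
    def __init__(self):
        self._servers = {}  # server_id -> (secret, roles, capabilities)
        self._tokens = {}   # opaque token -> asserted claims

    def register(self, server_id, secret, roles, capabilities):
        self._servers[server_id] = (secret, set(roles), set(capabilities))

    def issue_token(self, server_id, secret, audience, ttl=300):
        # The calling resource server authenticates to the broker first.
        entry = self._servers.get(server_id)
        if entry is None or not secrets.compare_digest(entry[0], secret):
            raise PermissionError("unknown server or bad credentials")
        token = secrets.token_urlsafe(32)
        self._tokens[token] = {"sub": server_id, "aud": audience,
                               "roles": entry[1], "capabilities": entry[2],
                               "exp": time.time() + ttl}
        return token

    def introspect(self, token):
        # Unknown and expired tokens are reported the same way: inactive.
        claims = self._tokens.get(token)
        if claims is None or claims["exp"] <= time.time():
            return {"active": False}
        return {"active": True, **claims}

class ResourceServer:
    """Receiving side: trusts only what the broker asserts about the caller."""
    def __init__(self, server_id, broker, required_capability):
        self.server_id = server_id
        self.broker = broker
        self.required_capability = required_capability

    def handle(self, token, message):
        claims = self.broker.introspect(token)
        if not claims["active"]:
            return 401, "invalid or expired token"
        if claims["aud"] != self.server_id:  # token minted for another server
            return 403, "wrong audience"
        if self.required_capability not in claims["capabilities"]:
            return 403, "missing capability"
        return 200, f"accepted from {claims['sub']}: {message}"
```

The audience check is what stops a token issued for one resource server from being replayed against another that trusts the same broker.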