IMPERSONATION METHOD ON AUTHORIZATION SERVER USING CLIENT-INITIATED BACK-CHANNEL AUTHENTICATION PROTOCOL

Rizky Januar Akbar, Nurul Fajrin Ariyani, Adistya Azhar, Andika Andra

Abstract


Several applications have an impersonation ("login as") feature available to system administrators with special privileges. Development and maintenance teams with administrator rights can use it to reproduce errors or bugs and to check specific features under a particular user's login session. Besides its benefits, the feature carries a security risk: administrators can abuse these rights to access users' private data or perform actions inside the system without the consent of the account or resource owner.

This research proposes an impersonation method on the authorization server using the Client-Initiated Back-channel Authentication (CIBA) protocol. The method prevents impersonation without the consent of the account or resource owner: before the administrator impersonates a user, the application requests the user's authentication and permission through an authentication device in the resource owner's possession. Because the authentication device is used, impersonation must be preceded by the user's consent, and no direct interaction between the administrator and the resource owner is needed to prove the user's identity. The results show that the CIBA protocol can complement the impersonation method and can run on an authorization server that uses the OAuth 2.0 and OpenID Connect 1.0 protocols. System testing was performed by adopting the FAPI CIBA conformance tests.
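The flow the abstract describes, as an added example that is not code from the paper or its authors: a minimal in-memory authorization server implementing the CIBA poll-mode exchange (backchannel authentication endpoint, device-side consent, token endpoint with the `urn:openid:params:grant-type:ciba` grant and the `authorization_pending`, `slow_down`, `expired_token` and `access_denied` error codes from the CIBA specification). An impersonation token is issued only after the resource owner approves on their own device; the token records the acting administrator in an `act` claim (a convention borrowed from RFC 8693, an assumption here). The class and function names, the support-console client, the users and the fake clock are all constructed for the example.

```python
"""Added example: CIBA (poll mode) as a consent gate in front of an admin "login as" feature."""
import secrets

CIBA_GRANT = "urn:openid:params:grant-type:ciba"  # grant type defined by CIBA Core


class FakeClock:
    """Constructed clock so the exchange runs offline and deterministically."""
    def __init__(self):
        self.t = 1_000_000.0

    def now(self):
        return self.t

    def tick(self, seconds):
        self.t += seconds


class CibaAuthorizationServer:
    def __init__(self, users, interval=5, lifetime=120, clock=None):
        self.users = users            # login_hint -> registered authentication device (constructed)
        self.interval = interval      # minimum seconds between client polls (the "interval" value)
        self.lifetime = lifetime      # auth_req_id validity in seconds (the "expires_in" value)
        self.clock = clock or FakeClock()
        self.requests = {}            # auth_req_id -> request state

    # Backchannel authentication endpoint: the admin's app asks the AS to authenticate the user.
    def backchannel_authenticate(self, client_id, admin_id, login_hint, scope, binding_message):
        if login_hint not in self.users:
            return {"error": "unknown_user_id"}
        auth_req_id = secrets.token_urlsafe(24)
        self.requests[auth_req_id] = {
            "client_id": client_id, "admin": admin_id, "user": login_hint, "scope": scope,
            "binding_message": binding_message, "status": "pending",
            "created": self.clock.now(), "last_poll": None,
        }
        return {"auth_req_id": auth_req_id, "expires_in": self.lifetime, "interval": self.interval}

    # Device side: what the resource owner sees (who is asking, for what) and their decision.
    def pending_prompt(self, login_hint):
        for rid, r in self.requests.items():
            if r["user"] == login_hint and r["status"] == "pending":
                return {"auth_req_id": rid, "requested_by": r["admin"],
                        "scope": r["scope"], "binding_message": r["binding_message"]}
        return None

    def device_decision(self, auth_req_id, approved):
        r = self.requests[auth_req_id]
        if r["status"] == "pending":
            r["status"] = "approved" if approved else "denied"

    # Token endpoint (poll mode): the client keeps asking until the user has decided.
    def token(self, client_id, grant_type, auth_req_id):
        if grant_type != CIBA_GRANT:
            return {"error": "unsupported_grant_type"}
        r = self.requests.get(auth_req_id)
        if r is None or r["client_id"] != client_id:
            return {"error": "invalid_grant"}
        now = self.clock.now()
        if now - r["created"] > self.lifetime:
            r["status"] = "expired"
            return {"error": "expired_token"}
        if r["last_poll"] is not None and now - r["last_poll"] < self.interval:
            r["last_poll"] = now
            return {"error": "slow_down"}
        r["last_poll"] = now
        if r["status"] == "pending":
            return {"error": "authorization_pending"}
        if r["status"] == "denied":
            return {"error": "access_denied"}
        # Approved: single-use token for the resource owner, recording who is acting on their behalf.
        del self.requests[auth_req_id]
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 600, "scope": r["scope"],
                "claims": {"sub": r["user"], "act": {"sub": r["admin"]}}}


def run_flow(user_approves, poll_too_fast=False):
    """Whole exchange for one impersonation attempt; returns (error codes seen, final response)."""
    clock = FakeClock()
    srv = CibaAuthorizationServer({"alice@example.com": "device-1"}, clock=clock)  # constructed user
    client, admin, user = "support-console", "admin-bob", "alice@example.com"
    resp = srv.backchannel_authenticate(client, admin, user, "openid profile",
                                        "Bob from support wants to open your account")
    rid = resp["auth_req_id"]
    steps = [srv.token(client, CIBA_GRANT, rid)["error"]]          # nothing approved yet
    if poll_too_fast:
        steps.append(srv.token(client, CIBA_GRANT, rid)["error"])  # polled inside the interval
    prompt = srv.pending_prompt(user)                               # shown on the owner's device
    srv.device_decision(prompt["auth_req_id"], user_approves)
    clock.tick(srv.interval)
    return steps, srv.token(client, CIBA_GRANT, rid)


if __name__ == "__main__":
    print(run_flow(True))
    print(run_flow(False, poll_too_fast=True))
```

The point for a defender is the token endpoint: until the device decision arrives, the admin's client can only ever receive `authorization_pending`, so the administrator never holds a session for the user without that user's explicit approval, and the issued token carries both identities for audit.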







DOI: http://dx.doi.org/10.12962/j24068535.v19i1.a1022
