05 Faculty of Computer Science, Electrical Engineering and Information Technology
Permanent URI for this collection: https://elib.uni-stuttgart.de/handle/11682/6
Search Results (1 result)
Item (Open Access): Security analysis of the Grant Negotiation and Authorization Protocol (2022), Helmschmidt, Florian

Abstract: The Grant Negotiation and Authorization Protocol (GNAP) is a protocol under development by the IETF that allows delegating permissions to third parties. With these permissions, the third party can, for example, access protected APIs or obtain information directly from the issuer of the permissions. The scope of the permissions can be negotiated between the third party and the issuer. Since this allows the third party to access the resources of the issuer, the security of the protocol is of key importance. For example, only the approved permissions should be delegated, and only to the authorized third party. To analyze the security of GNAP, we model the protocol within the Web Infrastructure Model, including various interaction modes of GNAP. We define several security properties regarding the authorization of access via the protocol and prove them within our model. In the course of this work, several attacks and vulnerabilities of GNAP were discovered, which we reported to the editors of GNAP. Together with the editors, we worked out mitigations and security considerations regarding these issues, which were added to the protocol. To be able to prove the security of GNAP, we also implemented them in our model.