OAuth Cross-Device Flow for Enhanced Authorization in Electric Vehicle Charging
02-27, 11:30–12:00 (UTC), Kaldalón

This talk proposes Electric Vehicle (EV) charging authorization using the OAuth Device Authorization Grant and Rich Authorization Requests to simplify credential installation and enhance the security of the Plug and Charge (PnC) ISO 15118 standard.


The Plug-and-Charge (PnC) process, as defined by the ISO 15118 standard, automates Electric Vehicle (EV) charging by enabling seamless authentication with X.509 certificates between EVs and Charge Points (CPs). However, the current X.509 credential installation process is complex, relying on a non-uniform Public Key Infrastructure (PKI) and lacking fine-grained authorization capabilities. This talk proposes a streamlined approach to the initial charging authorization and X.509 certificate installation process by leveraging the OAuth Device Authorization Grant (RFC 8628) and Rich Authorization Requests (RFC 9396) with the Authlete Authorization Server API. The proposed solution simplifies PnC’s X.509 credential installation process, reduces technical complexity, introduces flexible authorization constraints (e.g., cost and time limits), and facilitates payment through OpenID Connect (OIDC). A proof-of-concept implementation will be presented along with a performance evaluation. Moreover, the Device Authorization Grant implementation represents a blueprint for a formally verified solution to common issues introduced by cross-device flows.
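
The sketch below is an added illustration, not code from the talk or from Authlete. It shows how a device authorization request (RFC 8628) can carry an RFC 9396 `authorization_details` parameter with cost and time limits, and how a charge point could enforce the granted limits, failing closed on missing or malformed data. The type name `ev_charging`, the fields `max_cost` and `not_after`, the client ID and all sample values are assumptions constructed for this example.

```python
import json
from decimal import Decimal
from urllib.parse import urlencode, parse_qs

RAR_TYPE = "ev_charging"  # hypothetical RAR type identifier (assumption)

def device_authorization_body(client_id, max_cost, currency, not_after):
    """Form body for the device authorization endpoint (RFC 8628, section 3.1)
    carrying an RFC 9396 authorization_details parameter."""
    details = [{
        "type": RAR_TYPE,                    # "type" is required by RFC 9396
        "actions": ["charge"],               # "actions" is an RFC 9396 common field
        "max_cost": {"amount": str(max_cost), "currency": currency},  # assumed field
        "not_after": not_after,              # assumed field, Unix seconds
    }]
    return urlencode({"client_id": client_id,
                      "authorization_details": json.dumps(details)})

def session_allowed(token_response, cost_so_far, currency, now):
    """Charge-point check of a running session against the granted details.
    Returns (allowed, reason) and denies on anything missing or malformed."""
    for d in token_response.get("authorization_details", []):
        if not isinstance(d, dict) or d.get("type") != RAR_TYPE:
            continue
        if "charge" not in d.get("actions", []):
            continue
        try:
            limit = Decimal(d["max_cost"]["amount"])
            granted_currency = d["max_cost"]["currency"]
            expiry = int(d["not_after"])
        except (KeyError, TypeError, ValueError, ArithmeticError):
            return False, "malformed"
        if granted_currency != currency:
            return False, "currency_mismatch"
        if now >= expiry:
            return False, "expired"
        if cost_so_far > limit:
            return False, "cost_limit_exceeded"
        return True, "ok"
    return False, "no_charging_grant"

# Constructed sample data: a one-hour, 25 EUR grant echoed back in the token response.
NOW = 1_700_000_000
BODY = device_authorization_body("ev-client-123", Decimal("25.00"), "EUR", NOW + 3600)
TOKEN_RESPONSE = {
    "access_token": "constructed-token",
    "token_type": "Bearer",
    "authorization_details": json.loads(parse_qs(BODY)["authorization_details"][0]),
}
```
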