09. Februar 2017

On the Internet, Nobody Knows You're a Dog – Identification with OpendIDConnect, the Prelude to Unique OAuth Authorization

Dog 750x410

When considering authentication, the first thing people think of is identity. However, with the use of new authentication frameworks applied to current business cases, essential security requirements seem to get neglected. Thus, it might just happen that we lose our identity on the internet. This article is part of a series based on different user’s feedback dealing with fundamental security concepts applied to the applicability of authentication and authorization protocols such as OAuth and OpenIDConnect.

So far, we have mainly dealt with strong authentication vs. authorization, data classification, digital signatures and token types in the OAuth context. However, considering that with the help of API we expose valuable data, we should also expect to know who is accessing our data. In fact, we have never mentioned the identification aspect. OAuth authenticated applications running without identification can be critical and are considered delicate.

Identification, authentication and authorization are distinct concepts and have to be handled separately. However, security needs to be addressed holistically. Verifying the claimed identity and granting the right access to a user to use a program should be part of any transaction. Authentication and authorization without identification is ambiguous because the application loses control of its user baseOAuth 2.0 does not properly carry the user identity as the OAuth provider controls this. In fact, the only attribute user_idprovided by the OAuth 2.0 can be used as an impersonation attack by swapping the user identifier. Failing to provide identification can lead to a situation where technical or auditing problems might not be solved properly, user liability is not defined and access control cannot be applied in a granular way. When considering authentication, identification along with access control can be considered as the most important aspect in IT Security.

Access control can be implemented considering different paradigms such as preventive-, detective- or deterrent- access control (Vincent C. et.Al. 2006. Assessment of Access Control Systems). As IT professionals, we are used to dealing with various access control types. DAC (Discretionary Access Control), RBAC (Role Based Access Control) or ACL (Access Control List) to mention just a few. All in all, there are myriads of different types. Some of them came about considering the person’s role, some of them are based on specific requirements and others consider the identity of the user requesting access to a resource or to execute a particular operation. However, considering “modern” criteria such as data that can be stored anywhere, identity is becoming more important than location.

NIST, the National Institute of Standards and Technology, describes ABAC as an evolution of ACL and complex RBAC, and whatever definition we might give, it is a good choice in order to provide dynamic access control and contextual security. Context security needs to address more the identity and less the location whilst still considering the fundamental security principles of need-to-know.

(Source: Vincent C. et al., 2014)

With the adoption of ABAC, operations on objects are granted or denied based on the attributes of the subject, object or rules that determine if the access should be allowed or not.

“Wait a minute”, I hear you say. “What is the connection between the dog and the internet, identification, access controls and OpenIDConnect?” Networked services are facilitated by identity management whether they are a web browser, mobile phones, smart-tv or internetTherefore, internet with identification might need to know if you are a dog, a freezer or a user. In the OAuth world, OpenIDConnect is the Identity Layer on top of the access authorization protocol OAuth that reveals the identity of the authenticated user.

(Source: OpenID Connect Core 1.0, 2017)

OAuth 2.0 in conjunction with OpenIDConnect 1.0 enables the user to participate in the issuance of tokens containing user data. The identity layer provides a set of claim types about the identity such as the authenticated user, the e-mail address or the way the authentication took place (OpenID Connect Core 1.0, 2017).


Request GET/userinfo HTTP/1.1
   Host: server.example.com
   Authorization: Bearer SIAV32hkKG
Response HTTP/1.1 200 OK
   "sub": "248289761001",
   "name": "Jane Doe",
   "given_name": "Jane",
   "family_name": "Doe",
   "preferred_username": "j.doe",
   "email": "janedoe@example.com",
   "picture": "http://example.com/janedoe/me/jpg"

The combination of these frameworks opens the door to new IT opportunities. The Internet of Things (IoT), Bring Your Own Device (BYOD) or cloud computing are just a few examples. There are many different initiatives related with OAuth trying to secure apps that interact with them.

In IoT for example, being confident of who is contacting you, is the presupposition for accessing protected device data. In this context, OAuth with a new IoT client credentials grant (draft-tschofenig-ace-oauth-iot-00, 2017) and the OpenID foundation with a set of extended specifications profiles are aiming to help clients discover and register to OpenID providers (OpenID Connect Core 1.0, 2017).

IoT is not the only domain that heavily needs to use identity on the internet. Cloud computing with its numerous promises needs the user context for the work it needs to do. Although cloud computing is easily accepted by people and nowadays also by companies, it still has risk factors related to the identification and consequently to the access control mechanism. Just to finish it off, despite all these technical security frameworks, authentication social hypes, cloud storage possibilities and business changes, the IAAA (Identification, Authentication, Authorization, and Auditing) security principles are even more valid than ever before on the internet as well.


Vincent C. Hu David Ferraiolo Rick Kuhn Adam Schnitzer Kenneth Sandlin Robert Miller Karen Scarfone. 2014. Guide to Attribute Based Access Control (ABAC) Definition and Considerations. [ONLINE] Available at: http://nvlpubs.nist.gov/nistpubs/specialpublications/NIST.sp.800-162.pdf. [Accessed 20 December 2016].

Vincent C. Hu David F. Ferraiolo D. Rick Kuhn. 2006. Assessment of Access Control Systems. [ONLINE] Available at: http://csrc.nist.gov/publications/nistir/7316/NISTIR-7316.pdf. [Accessed 18 January 2017]

draft-tschofenig-ace-oauth-iot-00 - The OAuth 2.0 Internet of Things (IoT) Client Credentials Grant. [ONLINE] Available at: https://tools.ietf.org/html/draft-tschofenig-ace-oauth-iot-00. [Accessed 20 January 2017].

Native Applications Working Group | OpenID. 2017. Native Applications Working Group | OpenID. [ONLINE] Available at: http://openid.net/wg/napps/. [Accessed 20 January 2017].

Vincent C. Hu David Ferraiolo Rick Kuhn. 2014. Guide to Attribute Based Access Control (ABAC) Definition and Considerations. [ONLINE] Available at: http://nvlpubs.nist.gov/nistpubs/specialpublications/NIST.sp.800-162.pdf. [Accessed 21 January 2017].

OpenID Connect Core 1.0, 2017. Final: OpenID Connect Core 1.0 incorporating errata set 1. [ONLINE] Available at: http://openid.net/specs/openid-connect-core-1_0.html#Claims. [Accessed 21 January 2017].

Rainer Knupfer
Rainer Knupfer

Rainer Knupfer is a Lead Engineer at ti&m, graduated in Computer Science and IT-Information Security and has accumulated the right mix between education, consulting experiences and hands-on jobs. He's particularly interested in different aspects of technical security applied to software integration and development in different domains such as digital payment, security authentication design, regulatory compliance and omni-channel applications.

Ähnliche Artikel

Data isn’t valuable. Information is!<br/>
Data isn’t valuable. Information is!

Banks spend a vast amount of time researching and collecting data about clients, but often lack the bigger picture of connecting these separate data piles from various systems. Data alone is worthless, but connected and turned into information using an identity database, new possibilities such as reducing the cost per client, increasing quality of service and anticipating a client's actions are possible.

Mehr erfahren
Die digitale Transformation verändert Verhalten und Erwartungen der Kunden

Nach und nach verlagern sich Teile der Customer Journey in den digitalen Kanal. Trotzdem bleibt die persönliche Beratung für den Kunden wichtig. Um die konkreten Erwartungen zu erfüllen, müssen Unternehmen bei der Gestaltung ihres Angebots die Kunden und ihre Bedürfnisse ins Zentrum stellen.

Mehr erfahren
Smartes Loginverfahren ohne lästiges Abtippen

Zusammen mit ti&m hat die Luzerner Kantonalbank AG (LUKB) eine neue Stufe in puncto Sicherheit erreicht. Gemeinsam brachten die beiden Unternehmen die aktuell wohl innovativste Authentisierungslösung der Schweiz an den Start. So bequem und sicher konnten sich E-Banking-Kunden noch nie einloggen! Doch: Wie funktioniert das genau?

Mehr erfahren
Cloud Computing – Macht NoOps den IT-Betrieb bald überflüssig?

Während viele Unternehmen noch damit beschäftigt sind, im Rahmen ihrer agilen Transformation eine DevOps-Kultur einzuführen, entwickelt sich im Tooling-Bereich schon der Begriff NoOps, um weitere Schritte auf dem Weg zur vollständigen Automatisierung im Software-Betrieb zu beschreiben. Braucht es in Zukunft überhaupt noch ein Operations-Team?

Mehr erfahren
Eine neue Möglichkeit der Art Direction bei responsiven Bildern
Eine neue Möglichkeit der Art Direction bei responsiven Bildern

Das Jahr 2015 markiert ein Meilenstein in der digitalen Medienlandschaft. Zum ersten Mal verwendeten mehr Leute das Internet über mobile Geräte als über Desktop-Browser. Die Webseitenbetreiber haben deshalb ihre Webseiten responsive gestaltet. Je nach Gerät und Bildschirmgrösse wird das Layout der Seite anders dargestellt, so dass der Inhalt immer optimal sichtbar ist.

Mehr erfahren