On the Internet, Nobody Knows You're a Dog – Identification with OpendIDConnect, the Prelude to Unique OAuth Authorization
When considering authentication, the first thing people think of is identity. However, with the use of new authentication frameworks applied to current business cases, essential security requirements seem to get neglected. Thus, it might just happen that we lose our identity on the internet. This article is part of a series based on different user’s feedback dealing with fundamental security concepts applied to the applicability of authentication and authorization protocols such as OAuth and OpenIDConnect.
So far, we have mainly dealt with strong authentication vs. authorization, data classification, digital signatures and token types in the OAuth context. However, considering that with the help of API we expose valuable data, we should also expect to know who is accessing our data. In fact, we have never mentioned the identification aspect. OAuth authenticated applications running without identification can be critical and are considered delicate.
Identification, authentication and authorization are distinct concepts and have to be handled separately. However, security needs to be addressed holistically. Verifying the claimed identity and granting the right access to a user to use a program should be part of any transaction. Authentication and authorization without identification is ambiguous because the application loses control of its user base. OAuth 2.0 does not properly carry the user identity as the OAuth provider controls this. In fact, the only attribute user_idprovided by the OAuth 2.0 can be used as an impersonation attack by swapping the user identifier. Failing to provide identification can lead to a situation where technical or auditing problems might not be solved properly, user liability is not defined and access control cannot be applied in a granular way. When considering authentication, identification along with access control can be considered as the most important aspect in IT Security.
Access control can be implemented considering different paradigms such as preventive-, detective- or deterrent- access control (Vincent C. et.Al. 2006. Assessment of Access Control Systems). As IT professionals, we are used to dealing with various access control types. DAC (Discretionary Access Control), RBAC (Role Based Access Control) or ACL (Access Control List) to mention just a few. All in all, there are myriads of different types. Some of them came about considering the person’s role, some of them are based on specific requirements and others consider the identity of the user requesting access to a resource or to execute a particular operation. However, considering “modern” criteria such as data that can be stored anywhere, identity is becoming more important than location.
NIST, the National Institute of Standards and Technology, describes ABAC as an evolution of ACL and complex RBAC, and whatever definition we might give, it is a good choice in order to provide dynamic access control and contextual security. Context security needs to address more the identity and less the location whilst still considering the fundamental security principles of need-to-know.
(Source: Vincent C. et al., 2014)
With the adoption of ABAC, operations on objects are granted or denied based on the attributes of the subject, object or rules that determine if the access should be allowed or not.
“Wait a minute”, I hear you say. “What is the connection between the dog and the internet, identification, access controls and OpenIDConnect?” Networked services are facilitated by identity management whether they are a web browser, mobile phones, smart-tv or internet. Therefore, internet with identification might need to know if you are a dog, a freezer or a user. In the OAuth world, OpenIDConnect is the Identity Layer on top of the access authorization protocol OAuth that reveals the identity of the authenticated user.
(Source: OpenID Connect Core 1.0, 2017)
OAuth 2.0 in conjunction with OpenIDConnect 1.0 enables the user to participate in the issuance of tokens containing user data. The identity layer provides a set of claim types about the identity such as the authenticated user, the e-mail address or the way the authentication took place (OpenID Connect Core 1.0, 2017).
Authorization: Bearer SIAV32hkKG
|Response||HTTP/1.1 200 OK
"name": "Jane Doe",
The combination of these frameworks opens the door to new IT opportunities. The Internet of Things (IoT), Bring Your Own Device (BYOD) or cloud computing are just a few examples. There are many different initiatives related with OAuth trying to secure apps that interact with them.
In IoT for example, being confident of who is contacting you, is the presupposition for accessing protected device data. In this context, OAuth with a new IoT client credentials grant (draft-tschofenig-ace-oauth-iot-00, 2017) and the OpenID foundation with a set of extended specifications profiles are aiming to help clients discover and register to OpenID providers (OpenID Connect Core 1.0, 2017).
IoT is not the only domain that heavily needs to use identity on the internet. Cloud computing with its numerous promises needs the user context for the work it needs to do. Although cloud computing is easily accepted by people and nowadays also by companies, it still has risk factors related to the identification and consequently to the access control mechanism. Just to finish it off, despite all these technical security frameworks, authentication social hypes, cloud storage possibilities and business changes, the IAAA (Identification, Authentication, Authorization, and Auditing) security principles are even more valid than ever before on the internet as well.
Vincent C. Hu David Ferraiolo Rick Kuhn Adam Schnitzer Kenneth Sandlin Robert Miller Karen Scarfone. 2014. Guide to Attribute Based Access Control (ABAC) Definition and Considerations. [ONLINE] Available at: http://nvlpubs.nist.gov/nistpubs/specialpublications/NIST.sp.800-162.pdf. [Accessed 20 December 2016].
Vincent C. Hu David F. Ferraiolo D. Rick Kuhn. 2006. Assessment of Access Control Systems. [ONLINE] Available at: http://csrc.nist.gov/publications/nistir/7316/NISTIR-7316.pdf. [Accessed 18 January 2017]
draft-tschofenig-ace-oauth-iot-00 - The OAuth 2.0 Internet of Things (IoT) Client Credentials Grant. [ONLINE] Available at: https://tools.ietf.org/html/draft-tschofenig-ace-oauth-iot-00. [Accessed 20 January 2017].
Native Applications Working Group | OpenID. 2017. Native Applications Working Group | OpenID. [ONLINE] Available at: http://openid.net/wg/napps/. [Accessed 20 January 2017].
Vincent C. Hu David Ferraiolo Rick Kuhn. 2014. Guide to Attribute Based Access Control (ABAC) Definition and Considerations. [ONLINE] Available at: http://nvlpubs.nist.gov/nistpubs/specialpublications/NIST.sp.800-162.pdf. [Accessed 21 January 2017].
OpenID Connect Core 1.0, 2017. Final: OpenID Connect Core 1.0 incorporating errata set 1. [ONLINE] Available at: http://openid.net/specs/openid-connect-core-1_0.html#Claims. [Accessed 21 January 2017].
There has been a fundamental shift in customer values in the insurance sector, studies and experts tell us. This is being driven by technology. As time goes on, customer opinions will no longer be solely based on brand loyalty and confidence in advisors, but increasingly on digital social networking and self-service.Mehr erfahren
Trust in a relationship is a must and this is not only holds true for private lives but also in the virtual life. While trustworthiness for established authentication protocols is mainly based on agreement between entities, certificates and keys, trust in the identity delegation context is ambiguous because the owner might not be the consumer of the API. This post addresses some trust concerns when introducing protocols based on identity delegation that de-facto lead to an identity paradigm shift.Mehr erfahren
Are millennial men the right target group for a Pampers marketing campaign? Of course - if they have children. Anticipating what the customer wants is like mind reading. This is now possible by analyzing customer behavior and situations.Mehr erfahren