09. February 2017

On the Internet, Nobody Knows You're a Dog – Identification with OpendIDConnect, the Prelude to Unique OAuth Authorization

Dog 750x410

When considering authentication, the first thing people think of is identity. However, with the use of new authentication frameworks applied to current business cases, essential security requirements seem to get neglected. Thus, it might just happen that we lose our identity on the internet. This article is part of a series based on different user’s feedback dealing with fundamental security concepts applied to the applicability of authentication and authorization protocols such as OAuth and OpenIDConnect.

So far, we have mainly dealt with strong authentication vs. authorization, data classification, digital signatures and token types in the OAuth context. However, considering that with the help of API we expose valuable data, we should also expect to know who is accessing our data. In fact, we have never mentioned the identification aspect. OAuth authenticated applications running without identification can be critical and are considered delicate.

Identification, authentication and authorization are distinct concepts and have to be handled separately. However, security needs to be addressed holistically. Verifying the claimed identity and granting the right access to a user to use a program should be part of any transaction. Authentication and authorization without identification is ambiguous because the application loses control of its user baseOAuth 2.0 does not properly carry the user identity as the OAuth provider controls this. In fact, the only attribute user_idprovided by the OAuth 2.0 can be used as an impersonation attack by swapping the user identifier. Failing to provide identification can lead to a situation where technical or auditing problems might not be solved properly, user liability is not defined and access control cannot be applied in a granular way. When considering authentication, identification along with access control can be considered as the most important aspect in IT Security.

Access control can be implemented considering different paradigms such as preventive-, detective- or deterrent- access control (Vincent C. et.Al. 2006. Assessment of Access Control Systems). As IT professionals, we are used to dealing with various access control types. DAC (Discretionary Access Control), RBAC (Role Based Access Control) or ACL (Access Control List) to mention just a few. All in all, there are myriads of different types. Some of them came about considering the person’s role, some of them are based on specific requirements and others consider the identity of the user requesting access to a resource or to execute a particular operation. However, considering “modern” criteria such as data that can be stored anywhere, identity is becoming more important than location.

NIST, the National Institute of Standards and Technology, describes ABAC as an evolution of ACL and complex RBAC, and whatever definition we might give, it is a good choice in order to provide dynamic access control and contextual security. Context security needs to address more the identity and less the location whilst still considering the fundamental security principles of need-to-know.

(Source: Vincent C. et al., 2014)

With the adoption of ABAC, operations on objects are granted or denied based on the attributes of the subject, object or rules that determine if the access should be allowed or not.

“Wait a minute”, I hear you say. “What is the connection between the dog and the internet, identification, access controls and OpenIDConnect?” Networked services are facilitated by identity management whether they are a web browser, mobile phones, smart-tv or internetTherefore, internet with identification might need to know if you are a dog, a freezer or a user. In the OAuth world, OpenIDConnect is the Identity Layer on top of the access authorization protocol OAuth that reveals the identity of the authenticated user.

(Source: OpenID Connect Core 1.0, 2017)

OAuth 2.0 in conjunction with OpenIDConnect 1.0 enables the user to participate in the issuance of tokens containing user data. The identity layer provides a set of claim types about the identity such as the authenticated user, the e-mail address or the way the authentication took place (OpenID Connect Core 1.0, 2017).


Request GET/userinfo HTTP/1.1
   Host: server.example.com
   Authorization: Bearer SIAV32hkKG
Response HTTP/1.1 200 OK
   "sub": "248289761001",
   "name": "Jane Doe",
   "given_name": "Jane",
   "family_name": "Doe",
   "preferred_username": "j.doe",
   "email": "janedoe@example.com",
   "picture": "http://example.com/janedoe/me/jpg"

The combination of these frameworks opens the door to new IT opportunities. The Internet of Things (IoT), Bring Your Own Device (BYOD) or cloud computing are just a few examples. There are many different initiatives related with OAuth trying to secure apps that interact with them.

In IoT for example, being confident of who is contacting you, is the presupposition for accessing protected device data. In this context, OAuth with a new IoT client credentials grant (draft-tschofenig-ace-oauth-iot-00, 2017) and the OpenID foundation with a set of extended specifications profiles are aiming to help clients discover and register to OpenID providers (OpenID Connect Core 1.0, 2017).

IoT is not the only domain that heavily needs to use identity on the internet. Cloud computing with its numerous promises needs the user context for the work it needs to do. Although cloud computing is easily accepted by people and nowadays also by companies, it still has risk factors related to the identification and consequently to the access control mechanism. Just to finish it off, despite all these technical security frameworks, authentication social hypes, cloud storage possibilities and business changes, the IAAA (Identification, Authentication, Authorization, and Auditing) security principles are even more valid than ever before on the internet as well.


Vincent C. Hu David Ferraiolo Rick Kuhn Adam Schnitzer Kenneth Sandlin Robert Miller Karen Scarfone. 2014. Guide to Attribute Based Access Control (ABAC) Definition and Considerations. [ONLINE] Available at: http://nvlpubs.nist.gov/nistpubs/specialpublications/NIST.sp.800-162.pdf. [Accessed 20 December 2016].

Vincent C. Hu David F. Ferraiolo D. Rick Kuhn. 2006. Assessment of Access Control Systems. [ONLINE] Available at: http://csrc.nist.gov/publications/nistir/7316/NISTIR-7316.pdf. [Accessed 18 January 2017]

draft-tschofenig-ace-oauth-iot-00 - The OAuth 2.0 Internet of Things (IoT) Client Credentials Grant. [ONLINE] Available at: https://tools.ietf.org/html/draft-tschofenig-ace-oauth-iot-00. [Accessed 20 January 2017].

Native Applications Working Group | OpenID. 2017. Native Applications Working Group | OpenID. [ONLINE] Available at: http://openid.net/wg/napps/. [Accessed 20 January 2017].

Vincent C. Hu David Ferraiolo Rick Kuhn. 2014. Guide to Attribute Based Access Control (ABAC) Definition and Considerations. [ONLINE] Available at: http://nvlpubs.nist.gov/nistpubs/specialpublications/NIST.sp.800-162.pdf. [Accessed 21 January 2017].

OpenID Connect Core 1.0, 2017. Final: OpenID Connect Core 1.0 incorporating errata set 1. [ONLINE] Available at: http://openid.net/specs/openid-connect-core-1_0.html#Claims. [Accessed 21 January 2017].

Rainer Knupfer
Rainer Knupfer

Rainer Knupfer is a Lead Engineer at ti&m, graduated in Computer Science and IT-Information Security and has accumulated the right mix between education, consulting experiences and hands-on jobs. He's particularly interested in different aspects of technical security applied to software integration and development in different domains such as digital payment, security authentication design, regulatory compliance and omni-channel applications.

Ähnliche Artikel

Blog 1_Titelbild
AI ist gekommen um zu bleiben

Seit der Geburtsstunde des Computers hat der Mensch Programme entwickelt und perfektioniert. Fast immer mit dem Ziel effizienter zu werden und die Lebensqualität zu erhöhen. Die Informatik hat sich seither in viele Spezialgebiete aufgeteilt und jüngst ist ein neues Gebiet hinzugekommen: Die Künstliche Intelligenz oder kurz AI für das englische «artificial intelligence».

find more information
Moritz Baumotte 1000 02
Moritz Baumotte will niemals auslernen

ti&m surfer Moritz Baumotte liebt es Neues zu lernen. Er hat einen enormen Wissensdurst und grosses Interesse an der Software-Architektur. Dank der ti&m academy kann er sich regelmässig weiterbilden. Der Kurs «Certified Professional for Software Architecture – Foundation Level» (ISAQB-FL) mit Gernot Starke hat ihm besonders gut gefallen.

find more information
Code Camp 750x410
The Night Is There for Coding: Here's What Happened at Our 30 Hour Code Camp.

During the last week of October, the very first ti&m code camp took place. 25 surfers, that’s what we call our agile employees, signed up to code for 30 hours and to resolve several technical challenges. Here’s what happened.

find more information
Why Podman is worth a look

When it comes to managing containers, Docker is often the first choice. But Podman can also be an alternative. In this blog post, we take a closer look at the differences between the two tools and the points you need to consider if you plan to use Podman.

find more information
Impressionen von der App Builders Switzerland
Impressionen von der ersten App Builders Konferenz der Schweiz

Die Schweiz hat mit der App Builders Konferenz einmal mehr bewiesen, dass sie ein iOS-Land ist. In diesem Artikel geht es um die Impressionen der „App Builders Switzerland 2016“, der ersten Schweizer Konferenz von Entwicklern für Entwickler in Europa.

find more information