On the Internet, Nobody Knows You're a Dog – Identification with OpenIDConnect, the Prelude to Unique OAuth Authorization
When considering authentication, the first thing people think of is identity. However, as new authentication frameworks are applied to current business cases, essential security requirements tend to be neglected, and we may end up losing our identity on the internet. This article is part of a series, based on feedback from different users, that deals with fundamental security concepts and how they apply to authentication and authorization protocols such as OAuth and OpenIDConnect.
So far, we have mainly dealt with strong authentication vs. authorization, data classification, digital signatures and token types in the OAuth context. However, since we expose valuable data through APIs, we should also expect to know who is accessing that data. In fact, we have not yet addressed the identification aspect at all. OAuth-authenticated applications that run without identification are a sensitive case and need careful handling.
Identification, authentication and authorization are distinct concepts and have to be handled separately; security, however, needs to be addressed holistically. Verifying the claimed identity and granting a user the right access to a program should be part of every transaction. Authentication and authorization without identification are ambiguous, because the application loses control of its user base. OAuth 2.0 does not properly carry the user identity, since the OAuth provider controls it. In fact, the only user attribute OAuth 2.0 provides, user_id, lends itself to an impersonation attack by swapping the user identifier. Failing to provide identification can lead to a situation where technical or auditing problems cannot be solved properly, user liability is undefined and access control cannot be applied in a granular way. When considering authentication, identification together with access control can be considered the most important aspect of IT security.
Access control can be implemented following different paradigms such as preventive, detective or deterrent access control (Vincent C. et al. 2006, Assessment of Access Control Systems). As IT professionals, we are used to dealing with various access control types: DAC (Discretionary Access Control), RBAC (Role Based Access Control) or ACL (Access Control List), to mention just a few. All in all, there is a myriad of types. Some of them consider the person's role, some are based on specific requirements, and others consider the identity of the user requesting access to a resource or wanting to execute a particular operation. However, under "modern" conditions, where data can be stored anywhere, identity is becoming more important than location.
NIST, the National Institute of Standards and Technology, describes ABAC (Attribute Based Access Control) as an evolution of ACLs and complex RBAC, and whatever definition we might give it, it is a good choice for providing dynamic access control and contextual security. Contextual security needs to focus more on identity and less on location, whilst still honouring the fundamental need-to-know principle.
(Source: Vincent C. et al., 2014)
With ABAC, operations on objects are granted or denied based on attributes of the subject and of the object, together with rules that determine whether the access should be allowed or not.
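The following is an added example, not code from the original article or from NIST, of how such an attribute-based decision can be evaluated. It assumes a deny-overrides combining strategy, a small set of constructed rules (need-to-know by clearance and project, owner-only writes, a deny for subjects without a subject identifier, a deny for restricted data when the authentication method carried in a constructed `amr` attribute lacks a one-time password, and a deny for confidential data reached from an untrusted network), and subject/object/environment attributes modelled as plain dictionaries; the attribute names and rule names are this example's own choices.

```python
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List

# Subject, object and environment attributes are plain dictionaries here
# (constructed for this example; a real PDP would pull them from the ID
# token, a directory, the resource metadata and the request context).
Attrs = Dict[str, Any]
Condition = Callable[[Attrs, Attrs, Attrs, str], bool]

# Ordering of data classifications for the need-to-know comparison.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


@dataclass
class Rule:
    name: str
    effect: str          # "permit" or "deny"
    condition: Condition  # True when the rule applies to this request


@dataclass
class Decision:
    allowed: bool
    matched: List[str] = field(default_factory=list)  # rules that fired, in order


def evaluate(rules: List[Rule], subject: Attrs, obj: Attrs, env: Attrs, action: str) -> Decision:
    """Deny-overrides combining: the first matching deny rule wins outright,
    otherwise any matching permit rule allows, otherwise the default is deny."""
    matched: List[str] = []
    permit = False
    for rule in rules:
        if rule.condition(subject, obj, env, action):
            matched.append(rule.name)
            if rule.effect == "deny":
                return Decision(False, matched)
            permit = True
    return Decision(permit, matched)


# --- constructed rules -------------------------------------------------------

def anonymous_subject(subject: Attrs, obj: Attrs, env: Attrs, action: str) -> bool:
    # No verified subject identifier: the request cannot be attributed to anyone.
    return not subject.get("sub")


def restricted_without_mfa(subject: Attrs, obj: Attrs, env: Attrs, action: str) -> bool:
    # "amr" mirrors the authentication-methods claim of an OpenID Connect ID token;
    # restricted data requires that a one-time password was part of the login.
    return obj["classification"] == "restricted" and "otp" not in subject.get("amr", [])


def confidential_from_untrusted_network(subject: Attrs, obj: Attrs, env: Attrs, action: str) -> bool:
    return (env.get("network") == "untrusted"
            and LEVELS[obj["classification"]] >= LEVELS["confidential"])


def need_to_know_read(subject: Attrs, obj: Attrs, env: Attrs, action: str) -> bool:
    return (action == "read"
            and LEVELS[subject.get("clearance", "public")] >= LEVELS[obj["classification"]]
            and obj.get("project") in subject.get("projects", []))


def owner_may_write(subject: Attrs, obj: Attrs, env: Attrs, action: str) -> bool:
    return action in ("write", "delete") and subject.get("sub") == obj.get("owner")


RULES = [
    Rule("deny-unidentified", "deny", anonymous_subject),
    Rule("deny-restricted-without-mfa", "deny", restricted_without_mfa),
    Rule("deny-confidential-from-untrusted-network", "deny", confidential_from_untrusted_network),
    Rule("permit-need-to-know-read", "permit", need_to_know_read),
    Rule("permit-owner-write", "permit", owner_may_write),
]


def decide(subject: Attrs, obj: Attrs, action: str, env: Attrs = None) -> Decision:
    """Convenience entry point: evaluate RULES for one access request."""
    return evaluate(RULES, subject, obj, env or {}, action)


if __name__ == "__main__":
    # Constructed sample: Jane, cleared for "confidential", on project "ship",
    # logged in with password only, reading a confidential project document.
    jane = {"sub": "248289761001", "clearance": "confidential",
            "projects": ["ship"], "amr": ["pwd"]}
    doc = {"classification": "confidential", "project": "ship", "owner": "248289761001"}
    print(decide(jane, doc, "read"))
    print(decide(jane, {**doc, "classification": "restricted"}, "read"))
```

The order of the rule list matters only for the `matched` trace; because deny rules are listed first and any deny short-circuits, a permit can never override a deny regardless of ordering.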
“Wait a minute”, I hear you say. “What is the connection between the dog and the internet, identification, access controls and OpenIDConnect?” Networked services depend on identity management, whether the client is a web browser, a mobile phone, a smart TV or another internet-connected device. Therefore, an internet with identification might need to know whether you are a dog, a freezer or a user. In the OAuth world, OpenIDConnect is the identity layer on top of the OAuth authorization protocol that reveals the identity of the authenticated user.
(Source: OpenID Connect Core 1.0, 2017)
OAuth 2.0 in conjunction with OpenIDConnect 1.0 lets the user participate in the issuance of tokens that contain user data. The identity layer provides a set of claims about the identity, such as who the authenticated user is, their e-mail address or the way the authentication took place (OpenID Connect Core 1.0, 2017).
Request (UserInfo endpoint):

```http
Authorization: Bearer SIAV32hkKG
```

Response:

```http
HTTP/1.1 200 OK
"name": "Jane Doe",
```
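To make concrete both the identity claims just listed and the earlier point that a bare user identifier is not a trustworthy identity, here is an added example (not code from the article, the OpenID Foundation or any provider) of a relying party validating an ID token before trusting its claims. It assumes an HS256-signed token with a constructed shared secret, a constructed issuer URL `https://op.example.com`, a constructed client identifier `s6BhdRkqt3`, and constructed claim values; the checks themselves (signature, issuer, audience, expiry, nonce, presence of `sub`) follow the ID token validation rules of OpenID Connect Core 1.0, and the summary picks out the claims the article names: the subject, the e-mail address and the authentication method (`amr`/`acr`).

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed parameters (assumptions for this example). A production provider
# normally signs with RS256 and the client fetches the public key from the
# provider's JWKS endpoint; the symmetric key here keeps the example self-contained.
ISSUER = "https://op.example.com"      # assumed issuer
CLIENT_ID = "s6BhdRkqt3"               # assumed client_id of this relying party
SECRET = b"constructed-client-secret"  # assumed HS256 key shared with the provider


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_id_token(claims: dict, key: bytes = SECRET) -> str:
    """Stand-in for the provider's signing step: build an HS256-signed JWT."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    signature = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(signature)


class IDTokenError(ValueError):
    """Raised when the token must not be trusted; the reason is the message."""


def verify_id_token(token: str, expected_nonce: str,
                    now: Optional[int] = None, key: bytes = SECRET) -> dict:
    """Return the claims only if signature, issuer, audience, expiry and nonce
    all check out. Identity is taken from a signed 'sub' bound to this client,
    never from a user identifier the caller could simply swap."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise IDTokenError("token is not a three-part JWT")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise IDTokenError(f"unexpected alg {header.get('alg')!r}")
    expected_sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise IDTokenError("signature check failed")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise IDTokenError("issuer mismatch")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in aud:
        raise IDTokenError("token was not issued for this client")
    if len(aud) > 1 and claims.get("azp") != CLIENT_ID:
        raise IDTokenError("multiple audiences but azp is not this client")
    if claims.get("exp", 0) <= now:
        raise IDTokenError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise IDTokenError("nonce mismatch (possible replay)")
    if not claims.get("sub"):
        raise IDTokenError("no subject identifier")
    return claims


def identity_summary(claims: dict) -> dict:
    """The identity facts the article lists: who, e-mail, how authenticated."""
    return {
        "sub": claims["sub"],
        "email": claims.get("email"),
        "email_verified": claims.get("email_verified", False),
        "amr": claims.get("amr", []),
        "acr": claims.get("acr"),
    }


def demo(now: int = 1_700_000_000) -> dict:
    """Mint a constructed token for Jane Doe and validate it at a fixed time."""
    nonce = "n-0S6_WzA2Mj"  # constructed nonce the relying party stored in its session
    token = mint_id_token({
        "iss": ISSUER, "sub": "248289761001", "aud": CLIENT_ID,
        "iat": now, "exp": now + 300, "nonce": nonce,
        "email": "janedoe@example.com", "email_verified": True,
        "amr": ["pwd", "otp"], "acr": "urn:example:loa2",  # constructed values
    })
    return identity_summary(verify_id_token(token, nonce, now=now))


if __name__ == "__main__":
    print(demo())
```

The `nonce` check is what ties the token to the login the relying party actually started, and the `aud` check is what stops a token issued to a different client from being accepted here; dropping either makes the `sub` in the token no more trustworthy than a bare user identifier.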
The combination of these frameworks opens the door to new IT opportunities; the Internet of Things (IoT), Bring Your Own Device (BYOD) and cloud computing are just a few examples. There are many different OAuth-related initiatives trying to secure the apps that interact with them.
In IoT, for example, being confident of who is contacting you is the prerequisite for accessing protected device data. In this context, OAuth with a new IoT client credentials grant (draft-tschofenig-ace-oauth-iot-00, 2017) and the OpenID Foundation with a set of extended specification profiles aim to help clients discover and register with OpenID providers (OpenID Connect Core 1.0, 2017).
IoT is not the only domain that heavily relies on identity on the internet. Cloud computing, with its numerous promises, needs the user context for the work it has to do. Although cloud computing is readily accepted by individuals and nowadays also by companies, it still carries risk factors related to identification and, consequently, to the access control mechanism. To sum up, despite all these technical security frameworks, authentication hypes, cloud storage possibilities and business changes, the IAAA (Identification, Authentication, Authorization and Auditing) security principles are more valid than ever on the internet as well.
Vincent C. Hu, David Ferraiolo, Rick Kuhn, Adam Schnitzer, Kenneth Sandlin, Robert Miller and Karen Scarfone. 2014. Guide to Attribute Based Access Control (ABAC) Definition and Considerations. [ONLINE] Available at: http://nvlpubs.nist.gov/nistpubs/specialpublications/NIST.sp.800-162.pdf. [Accessed 20 December 2016].
Vincent C. Hu, David F. Ferraiolo and D. Rick Kuhn. 2006. Assessment of Access Control Systems. [ONLINE] Available at: http://csrc.nist.gov/publications/nistir/7316/NISTIR-7316.pdf. [Accessed 18 January 2017].
draft-tschofenig-ace-oauth-iot-00. 2017. The OAuth 2.0 Internet of Things (IoT) Client Credentials Grant. [ONLINE] Available at: https://tools.ietf.org/html/draft-tschofenig-ace-oauth-iot-00. [Accessed 20 January 2017].
OpenID Foundation. 2017. Native Applications Working Group. [ONLINE] Available at: http://openid.net/wg/napps/. [Accessed 20 January 2017].
OpenID Foundation. 2017. Final: OpenID Connect Core 1.0 incorporating errata set 1. [ONLINE] Available at: http://openid.net/specs/openid-connect-core-1_0.html#Claims. [Accessed 21 January 2017].