On the Internet, Nobody Knows You're a Dog – Identification with OpendIDConnect, the Prelude to Unique OAuth Authorization
When considering authentication, the first thing people think of is identity. However, with the use of new authentication frameworks applied to current business cases, essential security requirements seem to get neglected. Thus, it might just happen that we lose our identity on the internet. This article is part of a series based on different user’s feedback dealing with fundamental security concepts applied to the applicability of authentication and authorization protocols such as OAuth and OpenIDConnect.
So far, we have mainly dealt with strong authentication vs. authorization, data classification, digital signatures and token types in the OAuth context. However, considering that with the help of API we expose valuable data, we should also expect to know who is accessing our data. In fact, we have never mentioned the identification aspect. OAuth authenticated applications running without identification can be critical and are considered delicate.
Identification, authentication and authorization are distinct concepts and have to be handled separately. However, security needs to be addressed holistically. Verifying the claimed identity and granting the right access to a user to use a program should be part of any transaction. Authentication and authorization without identification is ambiguous because the application loses control of its user base. OAuth 2.0 does not properly carry the user identity as the OAuth provider controls this. In fact, the only attribute user_idprovided by the OAuth 2.0 can be used as an impersonation attack by swapping the user identifier. Failing to provide identification can lead to a situation where technical or auditing problems might not be solved properly, user liability is not defined and access control cannot be applied in a granular way. When considering authentication, identification along with access control can be considered as the most important aspect in IT Security.
Access control can be implemented considering different paradigms such as preventive-, detective- or deterrent- access control (Vincent C. et.Al. 2006. Assessment of Access Control Systems). As IT professionals, we are used to dealing with various access control types. DAC (Discretionary Access Control), RBAC (Role Based Access Control) or ACL (Access Control List) to mention just a few. All in all, there are myriads of different types. Some of them came about considering the person’s role, some of them are based on specific requirements and others consider the identity of the user requesting access to a resource or to execute a particular operation. However, considering “modern” criteria such as data that can be stored anywhere, identity is becoming more important than location.
NIST, the National Institute of Standards and Technology, describes ABAC as an evolution of ACL and complex RBAC, and whatever definition we might give, it is a good choice in order to provide dynamic access control and contextual security. Context security needs to address more the identity and less the location whilst still considering the fundamental security principles of need-to-know.
(Source: Vincent C. et al., 2014)
With the adoption of ABAC, operations on objects are granted or denied based on the attributes of the subject, object or rules that determine if the access should be allowed or not.
“Wait a minute”, I hear you say. “What is the connection between the dog and the internet, identification, access controls and OpenIDConnect?” Networked services are facilitated by identity management whether they are a web browser, mobile phones, smart-tv or internet. Therefore, internet with identification might need to know if you are a dog, a freezer or a user. In the OAuth world, OpenIDConnect is the Identity Layer on top of the access authorization protocol OAuth that reveals the identity of the authenticated user.
(Source: OpenID Connect Core 1.0, 2017)
OAuth 2.0 in conjunction with OpenIDConnect 1.0 enables the user to participate in the issuance of tokens containing user data. The identity layer provides a set of claim types about the identity such as the authenticated user, the e-mail address or the way the authentication took place (OpenID Connect Core 1.0, 2017).
Authorization: Bearer SIAV32hkKG
|Response||HTTP/1.1 200 OK
"name": "Jane Doe",
The combination of these frameworks opens the door to new IT opportunities. The Internet of Things (IoT), Bring Your Own Device (BYOD) or cloud computing are just a few examples. There are many different initiatives related with OAuth trying to secure apps that interact with them.
In IoT for example, being confident of who is contacting you, is the presupposition for accessing protected device data. In this context, OAuth with a new IoT client credentials grant (draft-tschofenig-ace-oauth-iot-00, 2017) and the OpenID foundation with a set of extended specifications profiles are aiming to help clients discover and register to OpenID providers (OpenID Connect Core 1.0, 2017).
IoT is not the only domain that heavily needs to use identity on the internet. Cloud computing with its numerous promises needs the user context for the work it needs to do. Although cloud computing is easily accepted by people and nowadays also by companies, it still has risk factors related to the identification and consequently to the access control mechanism. Just to finish it off, despite all these technical security frameworks, authentication social hypes, cloud storage possibilities and business changes, the IAAA (Identification, Authentication, Authorization, and Auditing) security principles are even more valid than ever before on the internet as well.
Vincent C. Hu David Ferraiolo Rick Kuhn Adam Schnitzer Kenneth Sandlin Robert Miller Karen Scarfone. 2014. Guide to Attribute Based Access Control (ABAC) Definition and Considerations. [ONLINE] Available at: http://nvlpubs.nist.gov/nistpubs/specialpublications/NIST.sp.800-162.pdf. [Accessed 20 December 2016].
Vincent C. Hu David F. Ferraiolo D. Rick Kuhn. 2006. Assessment of Access Control Systems. [ONLINE] Available at: http://csrc.nist.gov/publications/nistir/7316/NISTIR-7316.pdf. [Accessed 18 January 2017]
draft-tschofenig-ace-oauth-iot-00 - The OAuth 2.0 Internet of Things (IoT) Client Credentials Grant. [ONLINE] Available at: https://tools.ietf.org/html/draft-tschofenig-ace-oauth-iot-00. [Accessed 20 January 2017].
Native Applications Working Group | OpenID. 2017. Native Applications Working Group | OpenID. [ONLINE] Available at: http://openid.net/wg/napps/. [Accessed 20 January 2017].
Vincent C. Hu David Ferraiolo Rick Kuhn. 2014. Guide to Attribute Based Access Control (ABAC) Definition and Considerations. [ONLINE] Available at: http://nvlpubs.nist.gov/nistpubs/specialpublications/NIST.sp.800-162.pdf. [Accessed 21 January 2017].
OpenID Connect Core 1.0, 2017. Final: OpenID Connect Core 1.0 incorporating errata set 1. [ONLINE] Available at: http://openid.net/specs/openid-connect-core-1_0.html#Claims. [Accessed 21 January 2017].
Self-Sovereign Identity // Schon jetzt tätigen wir Einkäufe oder beziehen Dienstleistungen mehr- heitlich online, weitere Bereiche wie das Gesundheitswesen werden ebenfalls immer stärker digitalisiert. Wird die Welt digitaler, so muss es auch unser Verständnis von Identität. Gemeinsam mit Lissi erprobt ti&m neue Lösungen für eine digitale Identität mit Selbstbestimmung für den Nutzer, die für verschiedene Ökosysteme angewandt werden kann.Mehr erfahren
Während viele Unternehmen noch damit beschäftigt sind, im Rahmen ihrer agilen Transformation eine DevOps-Kultur einzuführen, entwickelt sich im Tooling-Bereich schon der Begriff NoOps, um weitere Schritte auf dem Weg zur vollständigen Automatisierung im Software-Betrieb zu beschreiben. Braucht es in Zukunft überhaupt noch ein Operations-Team?Mehr erfahren
Banks spend a vast amount of time researching and collecting data about clients, but often lack the bigger picture of connecting these separate data piles from various systems. Data alone is worthless, but connected and turned into information using an identity database, new possibilities such as reducing the cost per client, increasing quality of service and anticipating a client's actions are possible.Mehr erfahren
Herr Walter entdeckt einen Teil der IT-Landschaft auf seiner Zugreise nach Bern.Mehr erfahren
Cyberangriffe // Cybersecurity ist das Wort der Stunde. Es vergeht kein Tag ohne eine Meldung über eine Cyberattacke oder gehackte Accounts in den Zeitungen. Wer steckt dahinter? Und was wollen die Angreifer? Eine Übersicht.Mehr erfahren