Trust Elevation
Implementing an OAuth 2.0 Infrastructure using the OpenID Connect & UMA profiles
sales@gluu.org
@GluuFederation
By: Michael Schwartz
What is trust elevation?
“Trust Elevation methods increase the mitigation of risk of false assertion of identity in order to allow the subject to engage in a transaction.”
OASIS Trust-EL TC, Authentication Step-Up Protocol and Metadata, Version 1.0 - Draft 3
Don’t use 2FA, unless you have to...
“Civilization advances by extending the number of important operations which we can perform without thinking about them.”
Alfred North Whitehead, English Mathematician and Philosopher (1861 - 1947)
Authentication Involves Tradeoffs
Agenda
1. What tools do we have for person identification?
2. OAuth2 for trust elevation?
3. Inter-domain trust elevation?
4. New challenges!
Who am I:
Founded & Sold ISP: ‘95-’99
IAM Integrator: ‘98-’09
Founder / CEO Gluu: ‘09 - Present
Dad, hacker, pigeon enthusiast
Part I: Identification
electron → meat correlation…
How do we know who is on the other side of that digital transaction?
Cognitive
Something you know or something your browser saved.
Biometric
Something you are or… something you can’t change.
Token
Something you have.
Mobile
Some device you control.
Smart Card
Something you probably don’t have a reader for...
Wearables / NFC
Something you have on.
FIDO: Second Factor Experience
Some U2F device that you have.
FIDO: Passwordless Experience
Some UAF device that you have.
Context and Behavior
Some way you use your phone or browser.
Risk Scores
Some big-data footprint you’re not even aware of...
Contextual Combinations Complicate Relative Scale
● Is the IP address a known hacker?
● Was the device rooted?
● Is a browser cookie present?
● Is the device running virus protection?
● Is the location recognized?
● When was the credential issued?
● What is the time of day?
According to Microsoft research (page 11), every authentication scheme does worse than passwords on deployability.
Pick your poison:
Part II: OAuth2
How do apps use all these crazy authentication methods?
● Deployability = cost
● Less Cost = consolidation
● No “one-offs”!
A brief history in Web Authentication Standards
Developers want JSON REST APIs for authentication.
OpenID Connect
Only one protected endpoint: “user_info” which returns id_token
UMA
The requesting party must provide a valid RPT Token to the resource server.
How does the app know what kind of authn happened?
id_token
User claims + info about authentication event
OpenID Provider Discovery
GET host + /.well-known/openid-configuration
OpenID Dynamic Client Registration
Authentication Request
That is a space delimited string
Scope based
Not ABAC policies!
Best Practice:
Centralize Policy Management
UMA provides the PDP
What kind of policies can you make?
Return Hint...
You are Forbidden because you need acr...
Part III
Federations for inter-domain trust
SAML Federations
Normalize legal and technical details for trust.
SAML Federation Metadata
Many SAML Federations publish user schema
Domains need to collaborate on the values for acr’s and amr’s
So what values should we use for amr and acr?
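The slides above say three things without showing code: the id_token carries information about the authentication event, a resource can answer "forbidden, you need acr X" as a step-up hint, and the acr values only mean something once the domains agree on them. The following is an added example, not code from the talk or from Gluu, of the relying-party side of that loop: verify an id_token, compare its acr claim against what the operation requires, and either allow or return the hint plus the authentication request that asks the OP for the stronger acr. Everything concrete in it is a constructed assumption: the OP discovery document, the HS256 shared secret (a real deployment would verify an RS256 signature against the OP's JWKS), the acr names and their ranking, and the client_id / redirect_uri values.

```python
"""Added example (not from the talk or Gluu): acr-based step-up decision at a
relying party, using an OpenID Connect id_token and OP discovery metadata."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional
from urllib.parse import urlencode

# Constructed: an agreed ordering of acr values, weakest to strongest. This is
# exactly the per-federation agreement the slides call for; names are assumptions.
ACR_RANK = {"password": 1, "otp": 2, "u2f": 3}

# Constructed sample of what GET /.well-known/openid-configuration returns,
# trimmed to the fields used here. acr_values_supported is a real OIDC Discovery field.
DISCOVERY = {
    "issuer": "https://op.example.com",
    "authorization_endpoint": "https://op.example.com/authorize",
    "acr_values_supported": ["password", "otp", "u2f"],
}

# Assumption: the OP signs id_tokens with HS256 using the client secret.
SHARED_SECRET = b"constructed-client-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_id_token(claims: dict, secret: bytes = SHARED_SECRET) -> str:
    """Build an HS256 id_token. Only used to construct sample input for the check."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_id_token(token: str, client_id: str, now: Optional[int] = None,
                    secret: bytes = SHARED_SECRET) -> dict:
    """Check signature, issuer, audience and expiry before trusting any claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # pin the algorithm; never trust alg from the token
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != DISCOVERY["issuer"]:
        raise ValueError("wrong issuer")
    if claims.get("aud") != client_id:
        raise ValueError("wrong audience")
    now = int(time.time()) if now is None else now
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("expired")
    return claims


def step_up_decision(claims: dict, required_acr: str) -> dict:
    """Allow if the recorded authentication event is at least as strong as required;
    otherwise return the 403-style hint naming the acr the client must obtain."""
    if required_acr not in DISCOVERY["acr_values_supported"]:
        raise ValueError(f"OP does not advertise acr {required_acr!r}")
    have = claims.get("acr", "")
    if ACR_RANK.get(have, 0) >= ACR_RANK[required_acr]:
        return {"allow": True, "acr": have, "amr": claims.get("amr", [])}
    return {"allow": False, "status": 403,
            "hint": f"forbidden: you need acr {required_acr}",
            "acr_values": required_acr}


def build_step_up_request(client_id: str, redirect_uri: str, required_acr: str, state: str) -> str:
    """The follow-up authentication request: scope and acr_values are space-delimited strings."""
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
              "scope": "openid profile", "acr_values": required_acr,
              "prompt": "login", "state": state}
    return DISCOVERY["authorization_endpoint"] + "?" + urlencode(params)


if __name__ == "__main__":
    now = int(time.time())
    weak = mint_id_token({"iss": DISCOVERY["issuer"], "aud": "app1", "exp": now + 300,
                          "acr": "password", "amr": ["pwd"]})
    decision = step_up_decision(verify_id_token(weak, "app1"), "otp")
    print(decision)
    if not decision["allow"]:
        print(build_step_up_request("app1", "https://app.example.com/cb", decision["acr_values"], "s1"))
```

The ranking table is the part that cannot be written by one domain alone: a resource server and an OP in different domains only get the same answer from `step_up_decision` if they share the meaning of each acr value, which is the federation problem the next slides discuss.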
SAML Federations
Identity Providers and Websites (SP)
OAuth2 has new entities and new jargon
OAuth2 Schema, not just attributes
Open Trust Taxonomy for OAuth2 (OTTO)
Enter...
Where do we need federations?
Part IV: New Challenges
Who’s that knocking at my door?
New Services like Data Federation
Not “can you access?” But “what can you access?”
Questions?
sales@gluu.org
@GluuFederation