Trust Elevation: Implementing an OAuth2 Infrastructure using OpenID Connect & UMA


Transcript of Trust Elevation: Implementing an OAuth2 Infrastructure using OpenID Connect & UMA

Trust Elevation
Implementing an OAuth 2.0 Infrastructure using the OpenID Connect & UMA profiles

[email protected]
@GluuFederation

By: Michael Schwartz

What is trust elevation?

“Trust Elevation methods increase the mitigation of risk of false assertion of identity in order to allow the subject to engage in a transaction.”

OASIS Trust-EL TC
Authentication Step-Up Protocol and Metadata
Version 1.0, Draft 3

Don’t use 2FA, unless you have to...

“Civilization advances by extending the number of important operations which we can perform without thinking about them.”

Alfred North Whitehead
English Mathematician and Philosopher (1861 - 1947)

Authentication Involves Tradeoffs

Agenda

1. What tools do we have for person identification?
2. OAuth2 for trust elevation?
3. Inter-domain trust elevation?
4. New challenges!

Who am I:

Founded & Sold ISP: ‘95-’99
IAM Integrator: ‘98-’09
Founder / CEO Gluu: ‘09 - Present
Dad, hacker, pigeon enthusiast

Part I: Identification

electron → meat correlation…

How do we know who is on the other side of that digital transaction?

Cognitive: Something you know, or something your browser saved.

Biometric: Something you are, or something you can’t change.

Token: Something you have.

Mobile: Some device you control.

Smart Card: Something you probably don’t have a reader for...

Wearables / NFC: Something you have on.

FIDO: Second Factor Experience: Some U2F device that you have.

FIDO: Passwordless Experience: Some UAF device that you have.

Context and Behavior: Some way you use your phone or browser.

Risk Scores: Some big-data footprint you’re not even aware of.

Contextual Combinations Complicate Relative Scale

● Is the IP address a known hacker?
● Was the device rooted?
● Is a browser cookie present?
● Is the device running virus protection?
● Is the location recognized?
● When was the credential issued?
● What is the time of day?

According to Microsoft research (page 11), every authentication scheme does worse than passwords on deployability.

Pick your poison:

Part II: OAuth2
How do apps use all these crazy authentication methods?

● Deployability = cost

● Less Cost = consolidation

● No “one-offs”!

A brief history in Web Authentication Standards

Developers want JSON REST APIs for authentication.

OpenID Connect
Only one protected endpoint: “user_info”, which returns id_token

UMA
The requesting party must provide a valid RPT token to the resource server.

How does the app know what kind of authn happened?

id_token
User claims + info about the authentication event

OpenID Provider Discovery
GET host + /.well-known/openid-configuration

OpenID Dynamic Client Registration

Authentication Request
That is a space-delimited string
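The three steps above (discovery, registration, authentication request) as an added example in Python; this is not code from the slides or from Gluu's software. It parses a constructed discovery document, refuses to trust it unless the required endpoints are present and HTTPS, and builds the authorization-code authentication request with its space-delimited `scope` and `acr_values` parameters. The issuer, endpoints, client id, redirect URI and acr names are placeholders chosen for this example, and dynamic registration is assumed to have already produced the client id.

```python
import json
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample of what GET <issuer>/.well-known/openid-configuration returns.
# Issuer, endpoints and acr names are placeholders for this example only.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://op.example.test",
    "authorization_endpoint": "https://op.example.test/authorize",
    "token_endpoint": "https://op.example.test/token",
    "userinfo_endpoint": "https://op.example.test/userinfo",
    "registration_endpoint": "https://op.example.test/register",
    "scopes_supported": ["openid", "profile", "email"],
    "response_types_supported": ["code", "id_token", "code id_token"],
    "acr_values_supported": ["basic", "otp", "u2f"],
})

REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint")


def parse_discovery(doc: str) -> dict:
    """Parse provider metadata and reject documents a client must not trust."""
    meta = json.loads(doc)
    missing = [k for k in REQUIRED_KEYS if k not in meta]
    if missing:
        raise ValueError(f"discovery document lacks {missing}")
    # Every endpoint the client sends users or tokens to must be HTTPS.
    for key, value in meta.items():
        if key.endswith("_endpoint") and not str(value).startswith("https://"):
            raise ValueError(f"{key} is not https: {value}")
    return meta


def build_auth_request(meta: dict, client_id: str, redirect_uri: str,
                       scopes: list, acr_values: list, state: str, nonce: str) -> str:
    """Build the authentication request URL for the authorization code flow.

    scope and acr_values are space-delimited lists in OpenID Connect. The
    requested acr values are checked against what the OP advertises so a typo
    cannot silently fall back to a weaker authentication.
    """
    if "openid" not in scopes:
        raise ValueError("an OpenID Connect request must include the 'openid' scope")
    supported_acr = set(meta.get("acr_values_supported", []))
    unknown = [a for a in acr_values if a not in supported_acr]
    if unknown:
        raise ValueError(f"OP does not advertise acr values {unknown}")
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),       # space-delimited, URL-encoded by urlencode
        "state": state,                  # CSRF binding for the callback
        "nonce": nonce,                  # replay binding for the id_token
    }
    if acr_values:
        params["acr_values"] = " ".join(acr_values)
    return meta["authorization_endpoint"] + "?" + urlencode(params)


def request_params(url: str) -> dict:
    """Decode the query string of a built request (used to inspect the result)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


if __name__ == "__main__":
    op = parse_discovery(SAMPLE_DISCOVERY)
    print(build_auth_request(op, "client-123", "https://app.example.test/cb",
                             ["openid", "profile"], ["otp"], "st-1", "n-1"))
```

The `acr_values` check against `acr_values_supported` is the point of reading discovery before building the request: the app states the authentication strength it needs in the request, and the OP's metadata is the only place to learn which strengths it can actually deliver.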

Scope based
Not ABAC policies!

Best Practice:
Centralize Policy Management

UMA provides the PDP

What kind of policies can you make?

Return Hint...
You are Forbidden because you need acr...

Part III
Federations for inter-domain trust

eduroam for wifi

SAML Federations
Normalize legal and technical details for trust.

SAML Federation Metadata

Many SAML Federations publish user schema

Domains need to collaborate on the values for acr and amr

So what values should we use for amr and acr?

SAML Federations
Identity Providers and Websites (SP)

OAuth2 has new entities and new jargon

OAuth2 Schema, not just attributes

Open Trust Taxonomy for OAuth2 (OTTO)

Enter...

Where do we need federations?

Part IV: New Challenges

Who’s that knocking at my door?

IOT Challenges

New Services like Data Federation
Not “can you access?” but “what can you access?”

Summary