
Assurance, Consent and Access Control for Privacy-Aware OIDC Deployments

  • Conference paper
  • In: Data and Applications Security and Privacy XXXVII (DBSec 2023)

Abstract

The large amount of personal data that is shared in the digital age has proportionally increased the risks of user privacy violations. The same privacy risks are reflected in OpenID Connect, which is one of the most widespread protocols used for identity management to access both private and public administration services. Since personal data is collected and shared via OpenID Connect, appropriate technologies to protect user privacy should be adopted as suggested by data protection guidelines and regulations (e.g., the General Data Protection Regulation). Unfortunately, it is difficult to make the privacy-enhancing technology suggestions in such documents actionable and available to IT professionals who are required to configure them within their OpenID Connect deployments. To overcome this problem, we present a practical approach to improving user privacy in OpenID Connect-based solutions by identifying a set of privacy-preserving features extracted from the available OpenID Connect specifications. We conduct a privacy compliance analysis on popular private and governmental OpenID Providers to determine how widely these privacy best practices are used in the wild. The findings indicate that different OpenID Providers grant varying levels of assurance and address different aspects of privacy, failing to provide full support for data protection principles.


Notes

  1. Despite Alexa rank ending its service in May 2022, we have used the data available as of April 2022, which we considered reasonably up to date.

  2. NHS Login is not currently an eIDAS solution due to international political developments, but was developed as such. We have included it since it complies with the specification.

  3. https://drive.google.com/drive/folders/1SVKA9ti2-0Rt6Lu_bIX2jaWxjsN5cVfP.


Acknowledgements

This work was partially supported by project SERICS (PE00000014) under the MUR National Recovery and Resilience Plan funded by the European Union - NextGenerationEU, by “Futuro & Conoscenza S.r.l.”, jointly created by the FBK and the Italian National Mint and Printing House (IPZS), Italy and by the project “METAfora: Metodologie e tecnologie di rappresentazione per il metaverso” (CUP code B69J23000190005), proposed by BIT4ID S.r.l.

Author information

Correspondence to Gianluca Sassetti, Amir Sharif, Giada Sciarretta, Roberto Carbone or Silvio Ranise.


Copyright information

© 2023 IFIP International Federation for Information Processing

About this paper


Cite this paper

Sassetti, G., Sharif, A., Sciarretta, G., Carbone, R., Ranise, S. (2023). Assurance, Consent and Access Control for Privacy-Aware OIDC Deployments. In: Atluri, V., Ferrara, A.L. (eds) Data and Applications Security and Privacy XXXVII. DBSec 2023. Lecture Notes in Computer Science, vol 13942. Springer, Cham. https://doi.org/10.1007/978-3-031-37586-6_13

  • DOI: https://doi.org/10.1007/978-3-031-37586-6_13

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-37585-9

  • Online ISBN: 978-3-031-37586-6

  • eBook Packages: Computer Science (R0)
