Abstract
The large amount of personal data that is shared in the digital age has proportionally increased the risks of user privacy violations. The same privacy risks are reflected in OpenID Connect, which is one of the most widespread protocols used for identity management to access both private and public administration services. Since personal data is collected and shared via OpenID Connect, appropriate technologies to protect user privacy should be adopted as suggested by data protection guidelines and regulations (e.g., the General Data Protection Regulation). Unfortunately, it is difficult to make the privacy-enhancing technology suggestions in such documents actionable and available to IT professionals who are required to configure them within their OpenID Connect deployments. To overcome this problem, we present a practical approach to improving user privacy in OpenID Connect-based solutions by identifying a set of privacy-preserving features extracted from the available OpenID Connect specifications. We conduct a privacy compliance analysis on popular private and governmental OpenID Providers to determine how widely these privacy best practices are used in the wild. The findings indicate that different OpenID Providers grant varying levels of assurance and address different aspects of privacy, failing to provide full support for data protection principles.
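The compliance analysis summarised above asks which privacy-relevant OpenID Connect features each provider actually supports. A first, cheap screen for that question is the provider's discovery document, served at `/.well-known/openid-configuration`, whose metadata fields are defined in OpenID Connect Discovery 1.0 (and, for verified claims, OpenID Connect for Identity Assurance 1.0). The script below is an added example by the editor, not code or criteria from the paper: the feature list is an editor's selection of Discovery fields mapped to the privacy concerns the paper names (pairwise subjects against cross-RP correlation, the `claims` parameter and request objects for data minimisation and confidentiality, encrypted ID Tokens and UserInfo, advertised `acr` values for assurance), and the two sample documents are constructed rather than fetched from any real provider.

```python
"""Screen an OpenID Provider's discovery document for privacy-relevant features.

Added example (editor's code, not the paper's tooling). The feature list is an
editor's selection of OpenID Connect Discovery 1.0 / Identity Assurance 1.0
metadata fields; the sample documents are constructed, not real providers.
"""
import json


def _is_true(value):
    # Discovery booleans must be JSON true; the string "true" does not count.
    return value is True


def _non_empty(value):
    return isinstance(value, list) and len(value) > 0


# label -> (metadata field, predicate on the field's value)
PRIVACY_FEATURES = {
    # Pairwise `sub` values differ per RP, so RPs cannot correlate a user
    # across services (Core 1.0, section 8).
    "pairwise_sub": ("subject_types_supported",
                     lambda v: isinstance(v, list) and "pairwise" in v),
    # The `claims` request parameter lets an RP ask for individual claims
    # instead of whole scopes (Core 1.0, section 5.5).
    "claims_parameter": ("claims_parameter_supported", _is_true),
    # Request objects keep the requested scopes/claims out of the user agent
    # and any intermediary, especially when encrypted (Core 1.0, section 6).
    "request_object": ("request_parameter_supported", _is_true),
    "request_object_encryption": (
        "request_object_encryption_alg_values_supported", _non_empty),
    # Encrypted ID Tokens and UserInfo responses protect personal data beyond
    # the TLS hop (Core 1.0, sections 2 and 5.3.2).
    "id_token_encryption": ("id_token_encryption_alg_values_supported", _non_empty),
    "userinfo_encryption": ("userinfo_encryption_alg_values_supported", _non_empty),
    # Advertised authentication context classes let an RP request a level of
    # assurance and check the `acr` claim it gets back (Core 1.0, section 3.1.2.1).
    "acr_values": ("acr_values_supported", _non_empty),
    # Verified claims, per OpenID Connect for Identity Assurance 1.0.
    "verified_claims": ("verified_claims_supported", _is_true),
}


def assess_provider(metadata):
    """Return {feature_label: bool} for a parsed discovery document."""
    return {
        label: bool(predicate(metadata.get(field)))
        for label, (field, predicate) in PRIVACY_FEATURES.items()
    }


def assess_json(text):
    """Same as assess_provider, starting from the raw JSON document."""
    return assess_provider(json.loads(text))


def missing_features(metadata):
    """Sorted labels of privacy features the provider does not advertise."""
    return sorted(label for label, ok in assess_provider(metadata).items() if not ok)


def coverage(metadata):
    """Fraction of the selected features the provider advertises (0.0 to 1.0)."""
    result = assess_provider(metadata)
    return sum(result.values()) / len(result)


# Constructed sample: a minimal but valid discovery document with only the
# REQUIRED fields, advertising none of the selected privacy features.
MINIMAL_OP = json.dumps({
    "issuer": "https://op.example",
    "authorization_endpoint": "https://op.example/authorize",
    "token_endpoint": "https://op.example/token",
    "jwks_uri": "https://op.example/jwks",
    "response_types_supported": ["code"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
})

# Constructed sample: the same provider advertising every selected feature.
RICH_OP = json.dumps({
    **json.loads(MINIMAL_OP),
    "subject_types_supported": ["public", "pairwise"],
    "claims_parameter_supported": True,
    "request_parameter_supported": True,
    "request_object_encryption_alg_values_supported": ["RSA-OAEP"],
    "id_token_encryption_alg_values_supported": ["RSA-OAEP"],
    "userinfo_encryption_alg_values_supported": ["RSA-OAEP"],
    "acr_values_supported": ["urn:mace:incommon:iap:silver"],
    "verified_claims_supported": True,
})


if __name__ == "__main__":
    for name, doc in (("minimal", MINIMAL_OP), ("rich", RICH_OP)):
        md = json.loads(doc)
        print(f"{name}: coverage={coverage(md):.2f} missing={missing_features(md)}")
```

Two caveats apply when running this against real providers. Advertising a feature in metadata is not the same as enforcing it: a provider can list `pairwise` and still issue public subjects to a given client, or accept the `claims` parameter and ignore it, so a metadata screen narrows the set of candidates and must be followed by protocol-level tests (actual authorization requests and inspection of the returned tokens). Conversely, absence of an optional field does not prove absence of the feature, which is why the check treats only an explicit JSON `true` or a non-empty list as support.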
Notes
1. Despite Alexa Rank ending its service in May 2022, we have used the data available as of April 2022, which we considered reasonably up to date.
2. NHS Login is not currently an eIDAS solution due to international political developments, but was developed as such. We have included it since it complies with the specification.
Acknowledgements
This work was partially supported by project SERICS (PE00000014) under the MUR National Recovery and Resilience Plan funded by the European Union - NextGenerationEU, by “Futuro & Conoscenza S.r.l.”, jointly created by the FBK and the Italian National Mint and Printing House (IPZS), Italy and by the project “METAfora: Metodologie e tecnologie di rappresentazione per il metaverso” (CUP code B69J23000190005), proposed by BIT4ID S.r.l.
© 2023 IFIP International Federation for Information Processing
Sassetti, G., Sharif, A., Sciarretta, G., Carbone, R., Ranise, S. (2023). Assurance, Consent and Access Control for Privacy-Aware OIDC Deployments. In: Atluri, V., Ferrara, A.L. (eds) Data and Applications Security and Privacy XXXVII. DBSec 2023. Lecture Notes in Computer Science, vol 13942. Springer, Cham. https://doi.org/10.1007/978-3-031-37586-6_13
DOI: https://doi.org/10.1007/978-3-031-37586-6_13
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-37585-9
Online ISBN: 978-3-031-37586-6