
Mobile Personal Identity Provider Based on OpenID Connect

  • Conference paper

Trust, Privacy and Security in Digital Business (TrustBus 2017)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 10442)
In our digital society, managing identities and the corresponding access credentials is as painful as it is necessary. This is mainly due to the demand for a unique password for each service a user makes use of. Various approaches have been proposed for solving this issue, among which Identity Provider (IDP) based systems have gained the most traction for Web services. An obvious disadvantage of these IDPs is, however, the level of trust a user has to place in them. After all, an IDP stores a lot of sensitive information about its users and is able to impersonate each of them.

In the present paper we therefore propose an architecture that allows a personal IDP (PIDP) to be operated on a mobile device owned by the user. To evaluate the properties of our mobile PIDP (MoPIDP) we analyzed it by means of a prototype. Our MoPIDP architecture provides clear advantages over classical IDP approaches in terms of the trust required and common threats such as phishing, and additionally regarding usability for the end user.



Notes

  1. Up to this point the protocol is identical to OAuth 2.0.



Author information

Correspondence to Nils Gruschka.


Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Iacono, L.L., Gruschka, N., Nehren, P. (2017). Mobile Personal Identity Provider Based on OpenID Connect. In: Lopez, J., Fischer-Hübner, S., Lambrinoudakis, C. (eds) Trust, Privacy and Security in Digital Business. TrustBus 2017. Lecture Notes in Computer Science, vol 10442. Springer, Cham.


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-64482-0

  • Online ISBN: 978-3-319-64483-7
