[Openid-specs-fapi] Presentation about hypermedia login API

ANTHONY NADALIN nadalin at prodigy.net
Tue Feb 9 17:40:07 UTC 2021


I assume there are no IPR issues when presenting to this group?

Get Outlook for Android<https://aka.ms/ghei36>

________________________________
From: Openid-specs-fapi <openid-specs-fapi-bounces at lists.openid.net> on behalf of Travis Spencer via Openid-specs-fapi <openid-specs-fapi at lists.openid.net>
Sent: Tuesday, February 9, 2021 8:24:54 AM
To: openid-specs-fapi at lists.openid.net <openid-specs-fapi at lists.openid.net>
Cc: Travis Spencer <travis at curity.io>
Subject: [Openid-specs-fapi] Presentation about hypermedia login API

In the summer, I emailed the list about working on a new protocol that
would facilitate strong login without requiring a browser[1]. Since
then, I've been talking with Mike Schwartz, Nat, and others about
this. To move this conversation forward, I would like to talk through
the following presentation[2] on tomorrow's Atlantic call. Please have
a look beforehand if you have a moment.

Talk to you all tomorrow.

[1] https://lists.openid.net/pipermail/openid-specs-fapi/2020-August/002037.html
[2] It's in Asciidoc format in case the syntax isn't familiar

= Hypermedia Authentication API

== Agenda

* Requirements
* Brief overview of solution
* More info

[small]#Slide 1#

== Our Customers' Demands

* Non-browser-based login and authorization
* Integration between OP and RP on different domains without cookies
* As secure as browser-based solution (or more so)
* Existing deployments keep working as-is

[small]#Slide 2#

== OpenID Connect is a Hypermedia API

* All Websites are hypermedia (i.e., REST) APIs, ∴ OpenID Connect is a
hypermedia API
* Simplify non-browser-based login and consent by:
[arabic]
.. Replace HTML hypermedia representation with JSON
.. Attest to the client's provenance

[small]#Slide 3#

== App Provenance

* Provenance == origin (i.e., provider) of RP
* Traditionally verified by control of redirect URI
* Provenance verification happens at flow's end
* Deep linking required on mobile (PKCE isn't enough)
* New tools available to ascertain origin on modern mobile devices

[small]#Slide 4#

== Proving Provenance

* Modern mobile devices have Hardware Security Modules (HSM) built-in
* Can be used to sign a challenge
* Verifiable up to trusted root
* DPoP allows all login API calls to be tied to attested RP
* Establishes provenance prior to or instead of redirection

[small]#Slide 5#

== Flow Used to Prove Provenance

[ditta]
....
                                                        Get
                                               +-(A)-Challenge----+
    Authorization
                                               |                  |
       Server
                                               v                  |
+-------------------+
+---------------+   (B) Request   +------------+---+              v
| +---------------+ |
|               +<--attestation---+
+------(D)---->o-----|  CAT endpoint | |
|  Attestation  |                 |  OAuth Client  |  Attestation |
| +---------------+ |
|    System     |                 |  Application   |              |
|                   |
|               +-------(C)------>+                +<--(E)-CAT----+
|                   |
+---------------+   Attestation   +---+----+---+---+
|                   |
                                      |    ^   |
| +---------------+ |
                                      |    |
+---(F)-CAT------>o------|Token endpoint | |
                                      |    |                     |
| +---------------+ |
                                      |    +-(G)-AAT-------------+
|                   |
                                      |
| +---------------+ |

+----(H)-AAT-------------->o------|Login endpoints| |

| +---------------+ |

+-------------------+
....

* CAT is sent to token endpoint using client assertion framework
* API calls to login API are protected with sender-constrained access token

[small]#Slide 6#

== Adapting to First- or Third-party Provenance

* Provenance establishes whether RP is from first- or third-party provider
* OP can adapt login methods based on this
* Hypermedia allows support for any kind of credential (incl. short-lived ones)
** First-party: End user can provide all factors (same as OP in system browser)
** Third-party: End user cannot provide all factors, consent may be
verified out of band

[small]#Slide 7#

== More Info

* Very short summary
* See https://travisspencer.com/articles/hypermedia-api-resources/[my
website] for an ever-growing list of resources

[small]#Slide 8#
_______________________________________________
Openid-specs-fapi mailing list
Openid-specs-fapi at lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-specs-fapi
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-fapi/attachments/20210209/c6163a7d/attachment.html>


More information about the Openid-specs-fapi mailing list