FAPI Working Group Presentation
Today, I presented the following information about Curity's hypermedia authentication API to the OpenID Foundation's FAPI working group. I got good comments, questions, and feedback which I appreciated very much. The conclusion was that we'd make a subgroup to discuss it more and see where it takes us. Feel free to join the OpenID Foundation and join us. The more the merrier ☺
Agenda
- Requirements
- Brief overview of solution
- More info
Our Customers' Demands
- Non-browser-based login and authorization
- Integration between OP and RP on different domains without cookies
- As secure as browser-based solution (or more so)
- Existing deployments keep working as-is
OpenID Connect is a Hypermedia API
- All websites are hypermedia (i.e., REST) APIs, ∴ OpenID Connect is a hypermedia API
- Simplify non-browser-based login and consent by:
  - Replacing the HTML hypermedia representation with JSON
  - Attesting to the client's provenance
App Provenance
- Provenance == origin (i.e., provider) of RP
- Traditionally verified by control of redirect URI
- Provenance verification happens at flow's end
- Deep linking required on mobile (PKCE isn't enough)
- New tools available to ascertain origin on modern mobile devices
Proving Provenance
- Modern mobile devices have Hardware Security Modules (HSMs) built in
  - Can be used to sign a challenge
  - Verifiable up to a trusted root
- DPoP allows all login API calls to be tied to the attested RP
  - Establishes provenance prior to or instead of redirection
Flow Used to Prove Provenance
The flow diagram shows three parties: the Attestation System, the OAuth Client Application, and the Authorization Server (with its CAT endpoint, token endpoint, and login endpoints). Its steps are:
- (A) Client gets a challenge from the Authorization Server
- (B) Client requests an attestation from the Attestation System
- (C) Attestation System returns the attestation to the client
- (D) Client presents the attestation to the CAT endpoint
- (E) CAT endpoint returns a CAT to the client
- (F) Client sends the CAT to the token endpoint
- (G) Token endpoint returns an AAT to the client
- (H) Client calls the login endpoints with the AAT
- CAT is sent to token endpoint using client assertion framework
- API calls to the login API are protected with a sender-constrained access token
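As an added example (not Curity's code and not part of the original presentation), a hypothetical Go sketch of the challenge and attestation steps of the flow: the authorization server issues a short-lived, single-use challenge, the client signs it with a device-bound key standing in for the HSM key, and the server returns a CAT bound to that key's thumbprint so that later calls are sender-constrained. The names (AuthServer, IssueCAT, BoundTo, the "cat:" token format) are assumptions, and verification of the attestation chain up to the trusted root is assumed to happen before IssueCAT.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
	"time"
)

// Hypothetical model of steps (A) and (D)/(E): the AS hands out a short-lived
// challenge, the client signs it with a device-bound key (software stand-in for
// the HSM key) and gets back a CAT bound to that key. Chain-to-root check of the
// attestation is assumed to have already happened and is not modelled here.
type AuthServer struct{ challenges map[string]time.Time } // nonce -> expiry
func NewAuthServer() *AuthServer { return &AuthServer{challenges: map[string]time.Time{}} }
func NewDeviceKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) } // HSM stand-in
func digest(s string) []byte { h := sha256.Sum256([]byte(s)); return h[:] }        // SHA-256 of the challenge

func (s *AuthServer) NewChallenge(ttl time.Duration) string { // (A) fresh, random, single-use
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no entropy: refuse to issue a challenge
	}
	n := fmt.Sprintf("%x", b)
	s.challenges[n] = time.Now().Add(ttl)
	return n
}

// Client side: sign the challenge with the device key.
func SignChallenge(priv *ecdsa.PrivateKey, nonce string) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, digest(nonce))
}

func Thumbprint(pub *ecdsa.PublicKey) string { // SHA-256 of the DER public key (DPoP-style binding)
	der, _ := x509.MarshalPKIXPublicKey(pub)
	return fmt.Sprintf("%x", sha256.Sum256(der))
}

// (D)/(E) Check the signed challenge, consume it, return a key-bound CAT.
func (s *AuthServer) IssueCAT(pub *ecdsa.PublicKey, nonce string, sig []byte) (string, error) {
	exp, ok := s.challenges[nonce]
	if !ok || time.Now().After(exp) {
		return "", fmt.Errorf("unknown, replayed or expired challenge")
	}
	delete(s.challenges, nonce) // single use: a replay fails the lookup above
	if !ecdsa.VerifyASN1(pub, digest(nonce), sig) {
		return "", fmt.Errorf("challenge signature invalid")
	}
	return "cat:" + Thumbprint(pub), nil
}

// Sender-constraint check for steps (F)-(H): only the attested key may use the CAT.
func BoundTo(token string, pub *ecdsa.PublicKey) bool { return token == "cat:"+Thumbprint(pub) }
```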
Adapting to First- or Third-party Provenance
- Provenance establishes whether RP is from first- or third-party provider
- OP can adapt login methods based on this
- Hypermedia allows support for any kind of credential (incl. short-lived ones)
  - First-party: End user can provide all factors (same as the OP in the system browser)
  - Third-party: End user cannot provide all factors; consent may be verified out of band
More Info & Next Steps
- Just a short overview
- See my website for an ever-growing list of resources
- Suggested next steps:
  - Draft specs and threat model in breakout sessions
  - Submit to WG for consideration