Profiling OAuth 2.0 and OpenID Connect for Enterprise Use
by Michael Peck, Mark Russell
We will describe MITRE's efforts to profile OAuth 2.0 and OpenID Connect so that they can be used securely and interoperably to address enterprise use cases. Our profiles build on protocol extensions, profiles, security guidance, and other work by the IETF OAuth Working Group and the OpenID Foundation FAPI and iGov Working Groups. We will compare our profiles with other efforts and describe the open challenges that remain. Our targeted enterprise use cases include:
• user authorization delegation to a web application (using OAuth 2.0)
• user authorization delegation to a native application (using OAuth 2.0)
• user authentication to a web application (using OpenID Connect)
The OAuth 2.0 and OpenID Connect standards are used ubiquitously across the Internet for delegated authorization and federated authentication. In an enterprise environment, OAuth and OpenID Connect can enable significant improvements over legacy approaches, for example by:
• Abstracting user and device authentication away from individual web and native applications, so that authentication approaches can be changed without modifying every existing application, and so that single sign-on can be provided.
• Eliminating the need for applications to fully impersonate user identities when interacting with resource servers.
• Enabling authorization decisions based on attributes of both the user and the client, rather than the user alone.
However, the base specifications alone are insufficient for enterprise adoption: numerous optional features, undefined behaviors, and issues identified since their publication hinder both security and interoperability.
We will also describe our efforts to profile the IETF RFC 8693 OAuth 2.0 Token Exchange specification to enable a protected resource to access other protected resources in order to satisfy a request received from a client, including addressing complexities such as multi-organization environments.
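To make the resource-to-resource case concrete, the following is an added, self-contained Python model of an RFC 8693 token exchange; it is example code written for this page, not MITRE's profile or any real deployment. The authorization server, the two resource servers (`rs-orders`, `rs-inventory`), their client secrets, the downstream policy table, and the use of HS256 with a shared key are all assumptions made for illustration; a production authorization server would sign with an asymmetric key and enforce the same checks against its own registration data. The model shows the checks an enterprise profile would want the authorization server to perform before issuing a downstream token: the caller authenticates as an OAuth client, it may only exchange a token that was issued to it, the requested `audience` must be one it is permitted to call, the downstream scope may not exceed the user's original grant, the new token's lifetime may not outlive the subject token, and the `act` claim records the delegation chain.

```python
"""Toy model of an RFC 8693 token exchange between two resource servers.

Constructed example using standard-library HS256 JWTs. The AS, resource
servers, client ids, key and policy below are assumptions for illustration,
not MITRE's profile or any real deployment.
"""
import base64
import hashlib
import hmac
import json
import time

AS_KEY = b"constructed-demo-signing-key"  # assumed shared HMAC key (demo only)
TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN = "urn:ietf:params:oauth:token-type:access_token"

# Assumed registrations: resource servers that may call the token endpoint as
# OAuth clients, and the downstream audiences each one may request. Anything
# not listed is denied (least privilege).
CLIENTS = {"rs-orders": "orders-secret", "rs-inventory": "inventory-secret"}
DOWNSTREAM_POLICY = {"rs-orders": {"rs-inventory"}}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes = AS_KEY) -> str:
    """Mint a compact HS256 JWT (demo; a real AS would use an asymmetric key)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_jwt(token: str, now: float, key: bytes = AS_KEY) -> dict:
    """Check the signature and expiry, then return the claims."""
    header, body, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims["exp"] <= now:
        raise ValueError("expired")
    return claims


def token_exchange(form: dict, now: float) -> dict:
    """AS side: handle a token-exchange POST body and return the JSON response."""
    client_id = form.get("client_id")
    if CLIENTS.get(client_id) != form.get("client_secret"):
        return {"error": "invalid_client"}
    if form.get("grant_type") != TOKEN_EXCHANGE:
        return {"error": "unsupported_grant_type"}
    if form.get("subject_token_type") != ACCESS_TOKEN:
        return {"error": "invalid_request"}
    try:
        subject = verify_jwt(form["subject_token"], now)
    except (KeyError, ValueError):
        return {"error": "invalid_grant"}
    # The caller may only exchange a token that was issued to it; otherwise a
    # resource server could launder any bearer token it happens to see.
    aud = subject["aud"]
    if client_id not in ([aud] if isinstance(aud, str) else aud):
        return {"error": "invalid_grant"}
    audience = form.get("audience")
    if audience not in DOWNSTREAM_POLICY.get(client_id, set()):
        return {"error": "invalid_target"}  # RFC 8693 error for a disallowed audience
    # Downstream scope must not exceed what the user originally granted.
    requested = set(form.get("scope", "").split())
    if not requested or not requested <= set(subject["scope"].split()):
        return {"error": "invalid_scope"}
    # Delegation chain: "act" names the caller and nests any earlier actor
    # already present in the subject token (RFC 8693 section 4.1).
    act = {"sub": client_id}
    if "act" in subject:
        act["act"] = subject["act"]
    exp = min(subject["exp"], now + 300)  # never outlive the user's grant
    claims = {"iss": "https://as.example.com", "sub": subject["sub"], "aud": [audience],
              "scope": " ".join(sorted(requested)), "act": act, "iat": now, "exp": exp}
    return {"access_token": sign_jwt(claims), "issued_token_type": ACCESS_TOKEN,
            "token_type": "Bearer", "expires_in": int(exp - now)}


def orders_calls_inventory(user_token: str, now: float) -> dict:
    """RS side: orders swaps the client's token for one usable at inventory."""
    return token_exchange({
        "grant_type": TOKEN_EXCHANGE, "client_id": "rs-orders",
        "client_secret": "orders-secret", "subject_token": user_token,
        "subject_token_type": ACCESS_TOKEN, "audience": "rs-inventory",
        "scope": "inventory:read"}, now)


def demo(now: float = 1_700_000_000.0) -> dict:
    """Happy path plus three refusals; returns the outcomes for inspection."""
    user_token = sign_jwt({"iss": "https://as.example.com", "sub": "alice",
                           "aud": ["rs-orders"], "scope": "orders:write inventory:read",
                           "iat": now, "exp": now + 600})
    downstream = verify_jwt(orders_calls_inventory(user_token, now)["access_token"], now)
    base = {"grant_type": TOKEN_EXCHANGE, "client_id": "rs-orders",
            "client_secret": "orders-secret", "subject_token": user_token,
            "subject_token_type": ACCESS_TOKEN, "audience": "rs-inventory"}
    return {
        "downstream": downstream,
        "wrong_target": token_exchange({**base, "audience": "rs-payroll",
                                        "scope": "inventory:read"}, now)["error"],
        "scope_escalation": token_exchange({**base, "scope": "inventory:write"}, now)["error"],
        "wrong_caller": token_exchange({**base, "client_id": "rs-inventory",
                                        "client_secret": "inventory-secret",
                                        "scope": "inventory:read"}, now)["error"],
    }


if __name__ == "__main__":
    print(json.dumps(demo(time.time()), indent=2))
```

Running `demo()` yields a downstream token for `alice` with `aud` `["rs-inventory"]`, scope `inventory:read`, an `act` claim of `{"sub": "rs-orders"}` and a 300 second lifetime, while the three refusals return `invalid_target`, `invalid_scope` and `invalid_grant` respectively. The multi-organization case the abstract mentions is where this toy breaks down: when the downstream resource trusts a different authorization server, the exchange must be brokered across issuers and the `act` chain must remain meaningful to a verifier that never saw the original subject token.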
We would like to explore opportunities to collaborate with others facing similar enterprise challenges and to consolidate our work with related efforts.