
Agenda

Dynamic Trust - Globally

Combined Session
Thursday, June 06, 2024 17:30—18:30
Location: B 09

Federation Bubbles
17:30—17:50

Traditional federation agreements are relatively static. It takes some effort to onboard an IdP and RP to each other, but once that trust is established, it's good until some exceptional event breaks the federation.

But what about a more dynamic world, one where trust comes and goes based on context? What if users could be provisioned dynamically into a space based on trust from elsewhere? What if an isolated space could still function in a disconnected state and still have powerful security properties? What if these isolated spaces could reconnect to the network and provide audit capabilities and security signaling to other components throughout the wide ecosystem? And what if all of this could be built on a layer of trusted software that didn't rely on pre-placing keys or accounts ahead of time?

This isn't addressed by only using local accounts, or creating and distributing shards of a global truth. We need a world that expects things to move.

Come to this talk to learn about Federation Bubbles, the proof of concept being built out on top of a suite of technology including OpenID Connect, OAuth, SPIFFE, Verifiable Credentials, and more.

Justin Richer
Independent Consultant, Founder
Bespoke Engineering, LLC
Justin Richer is a security architect, software engineer, standards editor, and systems designer with over two decades of industry experience. He is the lead author of OAuth2 In Action and...
The Italian National Federation: Design, Deployment, and Lessons Learned
17:50—18:10

Deploying national federations is a complex task, requiring the integration of various protocols to build a secure, reliable, scalable, and interoperable ecosystem. This session will focus on the Italian experience in the design and deployment of national digital identity systems, SPID and CIE id, using OpenID Federation and OpenID Connect.

The discussion will delve into the Italian implementation profile of OpenID Federation and the onboarding system, highlighting the challenges encountered during the deployment of these national federations, the solutions implemented, and the lessons learned in the process.

The aim is to share insights and practical knowledge that can guide other nations and organizations in their journey toward deploying their own national federations using similar federation protocols.

We are excited about the possibility of contributing to EIC and look forward to the opportunity to share our knowledge with fellow professionals from around the globe. Please find our short biography and portrait:

Giuseppe De Marco
Open Source Project Leader, Digital Identity Expert
Dipartimento per la Trasformazione Digitale
Giuseppe is an expert in Digital Identities, Authentication and Authorization Infrastructures and trust ecosystems, with a solid background in software development, systems administration and...
Francesco Antonio Marino
Innovation Manager and Solution Architect
Poligrafico e Zecca dello Stato (IPZS)
As an Innovation Manager and Solution Architect with a specific emphasis on Digital Identity, I bring over 15 years of experience in research and developing innovative digital products to the...
High-security & Interoperable OAuth 2: What’s the Latest?
18:10—18:30

OAuth is a widely used authorization framework that enables third-party applications to access resources on behalf of a user. However, it has historically been difficult to meet very high security and interoperability requirements when using OAuth. Daniel and Joseph have spent much of the last six years working to improve the state of the art and will present the latest developments in the field.

There are challenges when trying to achieve high security and interoperability with OAuth 2: there are many potential threats, some of which were not part of the original OAuth threat model. For seamless authorizations, optionality must be minimized both in OAuth itself and in any extensions used.

Seven years ago, the IETF OAuth working group began work on the Security Best Current Practice document and more recently on OAuth 2.1. Meanwhile, the OpenID Foundation has created FAPI1 and FAPI2 security profiles.

We will help you understand the focus of each document and when to use which. We show how to achieve on-the-wire interoperability and security using techniques like asymmetric client authentication and sender-constraining via DPoP and MTLS, discussing the benefits and potential disadvantages of each. We highlight the benefits for implementers and the role of conformance testing tools.

Dr. Daniel Fett
Security and Standardization Expert
Authlete
Daniel holds a Ph.D. in Computer Science for the development of new methods for analyzing the security of web standards. Leveraging this background, he has worked for the past several years to...
Joseph Heenan
CTO
Authlete Inc
Joseph is a software engineer & architect with over 25 years’ experience, who started writing mobile apps before mobile apps existed. He contributes to IETF and OpenID Foundation working...