OAuth 2.0 Authorization Framework

The evolution of the Identity and Access Management environment follows the overall shift of the IT world to distributed technologies, where the complex solutions handling all aspects of processing internally are being replaced by a composition of light-weight solutions interconnected by standardized methods. Within the domain of identity provisioning and access control, this approach is predominantly represented by federated authentication and authorization technologies, among other innovations.

DirX Access has historically provided a wide portfolio of SAML- and WS-Federation-based standards, including basic OAuth 2.0 support. Since DirX Access V8.7, the OAuth 2.0 Authorization Framework is completely supported and extended by a set of OAuth 2.0-based standards as well as comprehensive OpenID Connect support. These standards are currently gaining popularity among the target client applications due to their ease of use coupled with the great number of use cases they can cover. Since the fundamental OAuth 2.0 Authorization Framework specification is framework-oriented (not protocol-oriented), it enables easy development of standardized extensions. This feature in turn increases the usability of this framework as a whole.

Supported Standards

The implementation of the OAuth 2.0 Authorization Framework together with a large set of its extensions enables DirX Access to be employed in almost any plausible federation scenario. The extensions were chosen to complete the basic set of operations so that the communication with DirX Access can be performed in a standardized way that is also as dynamic as possible. These extensions include:

The OAuth 2.0 Authorization Framework (RFC6749) – a mechanism that enables a third party to obtain a limited access to an HTTP service. See RFC6479: The OAuth 2.0 Authorization Framework.
The OAuth 2.0 Authorization Framework: Bearer Token (RFC6750) – a mechanism for handling access tokens that represent the authorized state. See The OAuth 2.0 Authorization Framework: Bearer Token Usage.
OAuth 2.0 Authorization Server Metadata (RFC8414) – a mechanism for an OAuth client to obtain the information needed to interact with an OAuth Authorization Server, including its endpoint locations. See RFC8414: OAuth 2.0 Authorization Server Metadata. To support the standard completely, additional changes have to be done at the components surrounding the DirX Access installation. For more information, see section “OAuth Server Metadata” of this document.
Proof Key for Code Exchange (RFC7636) – an extension to the Authorization Code flow to prevent several attacks and to be able to securely perform the OAuth exchange from public clients.
OpenID Connect 1.0 – a simple identity layer on top of the OAuth 2.0 protocol.
OpenID Connect Discovery 1.0 – a mechanism for an OpenID Connect Relying Party to obtain information needed to interact with OpenID Provider, including its OAuth 2.0 endpoint locations.
OAuth 2.0 Token Revocation (RFC7009) – an extension that allows clients to notify the authorization server that a previously obtained token is no longer needed and should be invalidated.
OAuth 2.0 Token Introspection (RFC7662) – an extension used to convey information about the authorization context of a token from the authorization server to the protected resource.
JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens – profile for issuing OAuth 2.0 access tokens in JSON Web Token (JWT) format.
OAuth 2.0 Dynamic Client Registration Protocol (RFC7591) – a mechanism for dynamically registering OAuth 2.0 clients with authorization servers.
OpenID Connect Dynamic Client Registration Protocol – a mechanism for dynamically registering an OpenID Connect Relying Party with an OpenID Provider.
OAuth 2.0 Resource Registration – a method for an OAuth 2.0 resource server to register resources with an authorization server to protect them.
User-managed Access 2.0, including:
- Federated Authorization for User-Managed Access 2.0 – a means for an UMA-enabled authorization server and resource server to be loosely coupled, or federated, in a resource owner context.
- User-Managed Access 2.0 Grant for OAuth 2.0 Authorization – a means for a client representing a requesting party to gain access to a protected resource asynchronously from the time a resource owner authorizes access.
OAuth 2.0 Protected Resource Metadata - a mechanism for an OAuth 2.0 Client or authorization server to obtain the information needed to interact with an OAuth 2.0 protected resource. See OAuth 2.0 Protected Resource Metadata IETF draft.

Design

The implementation of the OAuth 2.0 Authorization Framework divides the competencies into two components: an OAuth Provider component serves as a proxy application and transmits the requests/responses to/from the OAuth Server. Both components run in the Services container. There can be multiple OAuth Providers paired with a single OAuth Server.

An OAuth Server includes the implementations of all the aforementioned specifications and the capability of running them simultaneously. A single DirX Access deployment enables the configuration of multiple OAuth Servers. The OAuth Servers do not share any OAuth-related information: each OAuth Server contains its own set of authenticated and authorized states (access tokens, authorization codes), its own set of policies (UMA-related policies) and its own OAuth-related configuration.

Note: The OAuth Server is an entity defined by a configuration object. DirX Access enables the configuration of a cluster of interconnected Services containers to satisfy performance requirements. In this case, an OAuth Server is still a single entity existing across these containers sharing all necessary internal states.

Configuration

DirX Access Manager’s OAuth Server administrative interface allows you to select and apply default configurations for the supported OAuth Server extensions that you can use immediately and then customize (or disable) later on as necessary. It is composed of a basic configuration section and an advanced configuration section. The next sections describe the functions of these sections. For a detailed description of OAuth Server administrative fields and controls, see the Administrative Tasks.

Basic Configuration

The basic configuration section of the OAuth Server administrative page allows a DirX Access administrator to set some basic endpoint values and select and apply one or more default OAuth Server configurations. The administrative page provides a control for each supported OAuth Server extension that can be used to enable or disable the default configuration for that extension. Basic configuration settings provide the means to set up the OAuth Server for immediate use.

Advanced Configuration

TODO:

The advanced configuration section of the OAuth Server administrative page allows a DirX Access administrator to align the default values set up in basic configuration to align with company security policies.

The advanced configuration section sets up the OAuth Server from the perspective of exposed endpoints and their capabilities. It is divided into two categories: authorization and token endpoints and protected endpoints.

Authorization and Token Endpoints

This category configures the endpoints that produce the OAuth tokens. Each row in this category represents a configuration item applied on both authorization and token endpoint. The third column presents the current values, while the first two columns determine the applicability of the setting to particular types of requests. The combination of the first two columns determines which requests are supported via the following logic:

The Grant Type column determines which grant type is supported. The support of authorization code and implicit grant types determine the support of the relevant response types at the authorization endpoint.
The Scopes column determines the subset of scopes necessary to be bound to a request to yield the application of this configuration item. If there are multiple configurations for a single grant type, the OAuth Server chooses the one where the set of configured scopes forms the largest subset of the requested scopes. Note: If the incoming request is bound to a scope set for which more than one configured scope sets are subsets and these subsets have an equal number of scopes, any of the relevant configuration items may be applied.

Protected Endpoints

This category configures the endpoints that consume the OAuth tokens issued by the authorization/token endpoints. The majority of these endpoints are directly protected by the OAuth Server so that they require the presence of an OAuth access token in the request. The OAuth Server currently supports the transmission of the access token according to RFC6750. The configurable properties of the transmission can be set up for each of the protected endpoints.

Each row in this category represents a configuration item for a single endpoint. The third column presents the current values, while the first two columns determine the applicability of the configuration item to a particular type of request:

The Endpoint Type column determines which endpoint type is supported by this configuration item.
The Scopes column determines the subset of scopes necessary to be bound to the access token used in the request to yield the application of this configuration. If there are multiple configurations for a single endpoint type, the OAuth Server chooses the one where the set of configured scopes forms the largest subset of the scopes presented by the access token. Some of the endpoints do not require the use of an access token. These endpoints can be present only once (they do not configure the scopes parameter). Note: If the incoming request is bound to a scope set for which more than one configured scope sets are subsets and these subsets have an equal number of scopes, any of the relevant configuration items may be applied.

OAuth Server Metadata

Several of the implemented specifications require the publication of authorization server metadata. DirX Access fulfils this requirement by exposing the well-known addresses for each of the specifications that the administrator has configured as supported.

The published metadata are auto-generated based on the server’s configuration. Endpoint addresses are created from the concatenation of the issuer property and the predefined URL suffices. The published well-known URIs follow the RFC5785 specification and are drawn from the list of IANA-registered Well-Known URIs4; as a result, they have the form of https://example.com/.well-known/, where https://example.com is an example issuer.

DirX Access supports the following metadata paths:

/.well-known/oauth-authorization-server - Metadata according to the standard defined in OAuth 2.0 Authorization Server Metadata relevant to The OAuth 2.0 Authorization Framework specification. In the DXA deployment, the OAuth Server endpoint is typically available at the address {domain}/{oauth_server_path}. According to given specification, the well-known path shall be in this case of the form: /.well-known/oauth-authorization-server/{oauth_server_path}. To achieve this form, an external proxy has to be used with URL rewriting feature. DirX Access provides the metadata at /.well-known/{oauth_server_path}/oauth-authorization-server.
/.well-known/openid-configuration - Metadata providing the information about the OpenID Provider, defined in OpenID Connect Discovery 1.0.
/.well-known/uma2-configuration - Metadata extension built on RFC6479: The OAuth 2.0 Authorization Framework providing information about the UMA 2.0 authorization server defined by User-Managed Access (UMA) 2.0 Grant for OAuth 2.0 Authorization.

The OAuth 2.0 Authorization Framework

DirX Access fully implements the specification of The OAuth 2.0 Authorization Framework. This implementation forms the basis for the extension specifications; as a result, any rules that hold for it also apply to the extensions.

The implementation primarily supports all four basic grant types (authorization code, implicit, resource owner password, and client credentials), client authentication, issuance of refresh tokens, and scope resolution. The resource owner authentication is delegated to the associated Web PEP which enables leveraging the full range of DirX Access’ authentication capabilities, including Authentication Application and the Risk-based Authentication mechanism.

Security Considerations

In this section, we discuss several important security topics and the way DirX Access enables handling them.

Client Authentication and Impersonation Prevention

DirX Access supports all the RFC6749-listed client authentication methods: client_secret_basic, client_secret_post, and none. During the OAuth authorization process, the authentication methods are employed according to client’s registered metadata. The clients without client credentials must pre-register their redirect URIs.

DirX Access currently does not support communication with unregistered clients, however, it enables any client (even an unknown client) to employ the dynamic client registration mechanism to register to the authorization server and hence enable its use.

OAuth Tokens

The random type of OAuth tokens that represent some form of credentials (access token, authorization code, refresh token, and so on) are generated as random 160-bit strings. This action satisfies the stricter recommendation for prevention against credential guessing by unauthorized parties. More precisely, the random strings are generated by the Java SecureRandom class; consequently, the system administrator can influence the means of their generation by setting up the used Java Cryptographic Service Provider.

The OAuth tokens represented by random strings referencing the authorization information stored on the authorization server rather than stored internally prevents the potential security threat valid for the latter approach. The modification of tokens containing the authorization information may lead to a modification of the information itself and subsequently to authorization elevation.

The validity period of each OAuth token is determined by its type and the use case for which it was created. DirX Access enables configuring the validity period with respect to both of these aspects in the advanced configuration section of the OAuth Server page in DirX Access Manager. The validity is furthermore limited by the validity period of the client metadata. If the time set by client_secret_expires_at in the client metadata of the client to which the token is issued precedes the end of the validity period according to the configuration, the validity period end is set to client_secret_expires_at.

The binding between OAuth tokens and the clients for which the tokens have been issued is tested wherever necessary.

In the current version, the OAuth tokens are not persisted. For the random type of tokens that means a simultaneous restart of all DXA servers leads to a loss of the internal state of those OAuth tokens.

Authorization Codes

RFC6749 requires the client to use each authorization code only once. Receiving the same code multiple times can, therefore, mean the code was sent by two entities one of which is not the valid client. As the authorization server can’t be sure which receipt is the valid one, it invalidates all tokens (access tokens, refresh tokens, etc.) already issued based on the duplicated code. This feature is fully supported by DirX Access.

Access Tokens

DirX Access employs the bearer profile for access token transmission. For more information, see the section “Bearer Token”.

DirX Access enables alternatively to use the JSON Web Token format for the representation of access token. Security of this type of tokens is assured via the signing and encryption. The use case shall determine the necessity of use and parameters of these operations.

Refresh Tokens

The administrator can decide for which use cases the refresh tokens should be issued.

DirX Access also enables refresh token rotation. This mechanism causes a new refresh token to be issued on the use of the original refresh token while the latter is invalidated. This approach effectively shortens the life period of the refresh token and thus the time during which it can be misused.

It also produces a misuse detection mechanism: RFC6749 requires the client to use each rotating refresh token only once. Receiving such a token multiple times can therefore mean the token was sent by two entities, one of which is not the valid client. As the authorization server can’t be sure which receipt is the valid one, it invalidates all tokens (access tokens, refresh tokens, etc.) already issued based on the duplicated token. This feature is fully supported by DirX Access.

Scope Evaluation

With respect to the scopes any client can request (with the exception of UMA 2.0), DirX Access employs a basic rule: the client can be granted only the scopes it has registered in its metadata. This approach enables not only to control the request scopes by the authorization server, but also the features provided to the respective clients, as OpenID Connect and UMA 2.0 requires specific defined scopes to be present in the access tokens.

User consent

Client requests scopes and claims that contains resources of the user. A part of these claims is required, but the other part is optional, and the user should be able to choose and grant his consent to some, or none, of these optional claims. For this purpose, there is the User consent page, that is generated based on configuration under the Boolean parameter Print user consent (only for OAuth) or based on prompt request parameter consent (OAuth and OpenID).

The result of the User consent page is then evaluated based on a unique identifier that can be used only once to prevent its potential misuse by sending the consent repeatedly.

With this User consent there is a possibility that the consent won’t be granted by the user itself, but by some script. There is a way to prevent that by implementing CAPTCHA and assure that the consent was granted by the user, but this is not part of the delivered solution.

Localization

The User Consent page supports standard localization. From a user’s perspective, it means that the Accept-Language HTTP request header is examined. The User Consent page is then presented using the requested language as long as this language is supported. If it is not supported or if there is no Accept-Language header, a default locale is used.

For example, if the Accept-Language header of the request is German (de), the application looks for the file OAuthLocale_de.properties. If the localized file is not defined, the application defaults to using OAuthLocale.properties. For more details about properties files, see Java documentation or guides of the class ResourceBundle.

The file location is within the installation directory: DirX Access\instances\{instance name}\webapps\oauth-provider\WEB-INF\classes\OAuthLocale.properties. The provided files contain predefined keys for all static elements within the User Consent page. All of these can be adjusted to fit the look and feel of the page.

Claims, transferred to the third party are also localized. But those are configuration dependent.They are configured via Attribute Template identifiers for the corresponding OAuth Server. Localization of these claims can be achieved using two keys for each claim:

consent.user.parameter.description.<attrib_name> — represents the localized name of the claim, which is displayed next to the on/off switch for that claim.
consent.user.parameter.name.<attrib_name> — contains the localized description of the claim, which appears in the tooltip when the user hovers over the info icon.

<attrib_name> refers to the name of the specific Attribute Template identifier.

Bearer Token

The endpoints protected by the OAuth 2.0

Authorization Framework consume the access tokens according to The OAuth 2.0 Authorization Framework: Bearer Token specification.

The bearer tokens passed are the access tokens described in previous sections implying the same security measures.

The administrator can choose the supported methods for sending the bearer token from the methods listed in the specification. Relevant security implications should be considered; in particular, transmission in the URI query parameter should only be used when there are no other options and the security parameters of the access tokens should be updated accordingly.

When using the Bearer Token together with the RFC#9068, the transmission in the URI query parameter is prohibited, as stated by the aforementioned RFC.

OpenID Connect

The OpenID Connect specification extends the OAuth 2.0 Authorization Framework. OpenID Connect functionality is initiated when the openid scope is placed in the scope request parameter in an authentication request. This standard provides signed ID tokens in the token response, the UserInfo protected endpoint, and several new request parameters for authentication requests on top of the OAuth 2.0 Authorization Framework.

Authentication Request

The OpenID Connect specification extends the authorization code flow and the implicit flow with several new request parameters. These parameters are described in the next sections.

Prompt Request Parameter

The prompt request parameter is a space-delimited, case-sensitive list of ASCII string values that specifies whether the Authorization Server prompts the user for reauthentication and consent. The supported values are:

none – the OAuth 2.0 Authorization Framework does not display any authentication or consent user interface pages. When there is an unauthenticated request to the authorization endpoint, an exception is thrown instead of requesting authentication, which is the case when using pure OAuth 2.0 Authorization Framework.
login – the OAuth 2.0 Authorization Framework prompts the user for reauthentication. The reauthentication is performed in the same way as the initial authentication. The old session is deleted. Note: There is no visible reauthentication for an end user in basic authentication or the x509 authentication method because credentials remain in the request header of a client.
consent – the OAuth 2.0 Authorization Framework prompts the user for consent before returning information to the client. There is no other way to prompt user consent. It must be explicitly requested and it is shown after the end user is already authenticated.
select_account – the OAuth 2.0 Authorization Framework prompts the user to select a user account. There is a one-to-one binding between the session and the user account in DirX Access, so only one selection is displayed.

Max Age Request Parameter

Maximum Authentication Age specifies the allowable elapsed time in seconds since the last time the user was actively authenticated by the OAuth 2.0 Authorization Framework. The request parameter can also cause reauthentication and it is performed in the same way as the initial authentication.

Display Request Parameter

The display request parameter is an ASCII string value that specifies how the Authorization Server should display the authentication and consent user interface pages to the user.

The supported value is:

page – the support of this mode depends on the authentication method used by the PEP. Note: Basic authentication and x509 authentication methods are not suitable because credentials remain in the request header. A possible authentication method is form-based authentication or ideally a redirect to the Authentication application.

ID Token

The OpenID Connect specification extends the token response to contain the ID token, which is a security token that contains claims about the authentication of a user by the OAuth 2.0 Authorization Framework.

The ID Token is represented as a JSON Web Token that contains all required claims and is signed using JSON Web Signature. The default claims contained in ID token are iss, sub, aud, exp, iat, auth_time and, for implicit flow, at_hash and nonce.

The private key for signing is taken from one of the crypto containers referenced in the OAuth Server configuration. The decision of which private key to use is made based on the id_token_signed_response_alg attribute from the client metadata. If no JWS algorithm is specified, the private key supporting the default RS256 algorithm is used.

Next to the default claims returned within any ID token, DirX Access enables you to configure additional custom claims that are imprinted into the ID token (if they have a meaningful and defined value for the authenticated subject). The configuration is done via the “Attribute templates” field in the “Authorization and token endpoint settings” section. For more information, see the description of this section in the DirX Access Administration Guide.

UserInfo Endpoint

The UserInfo endpoint requires the requester to authorize itself by presenting an access token according to the bearer token specification. This token must be bound to the same client as the token being sent to UserInfo.

The UserInfo endpoint is basically a protected endpoint and is therefore created in the same way. The UserInfo endpoint can also be used for the pure OAuth 2.0 Authorization Framework (without enabling OpenID Connect).

The information contained in the response is highly configurable, as with the introspection endpoint. See the section “OAuth 2.0 Token Introspection”.

The administrator needs to configure mandatory claims for a particular UserInfo endpoint according to the OpenID Connect specification.

JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens

DirX Access supports RFC#9068 in two separate areas: the production of tokens described by this profile (described in this section) and the consumption of such tokens (described in the section “DirX Access in the Role of OAuth Resource Server”).

Support of this standard enables to serve (not only) the scenarios when OAuth is used to supply the identity or authorization decision while the entities Client and Resource Server can be separate. Namely, the Client isn’t the consumer of the token. These scenarios are valid for the clients such as single-page applications, mobile-device’s native applications, etc. This is in contrast with the defined scenario for OpenID Connect, where the requesting Client/Relying Party is the primary consumer of the token. In such scenarios, we recommend following the configuration for OpenID Connect.

If the “JWT Access Token Support” parameter of the “Authorization and Token Endpoint” configuration is switched on, the OAuth AS will produce for corresponding requests responses containing the JWT form of access token.

The token can be signed with the signing key contained in the configured crypto containers. The preference of signing the token is expressed on the server side by the configuration element “Signing applicability” with the following options:

none - The JWT will not be signed.
referred - The JWT will be signed as long as there is an applicable signing key configured.
required - The JWT will always be signed. If there’s no applicable signing key configured, an error will be thrown.

The token can be encrypted with the encryption certificate taken from the audience client metadata. The preference of encrypting the token is expressed on the server side by the configuration element “Encryption applicability” with the following options:

none - The JWT will not be encrypted.
preferred - The JWT will be encrypted as long as there is an applicable encryption key configured.
required - The JWT will always be encrypted. If there’s no applicable encryption key configured, an error will be thrown.

Both cryptographic operations follow the corresponding specifications JSON Web Signature (JWS) and JSON Web Encryption (JWE), respectively.

The content of the token follows the profile specification with these specifics:

audience - If the request contains the “resource” parameter as defined in RFC#8707, the AS searches for assigned Client metadata containing a “resource_uri” parameter equal to the “resource” value. If such found, the audience is assigned with this value and the metadata are used for further processing, such as for providing the encryption certificate. Otherwise, the audience is the Client identifier of the requesting client.
roles, groups, entitlements as defined in the profile can be configured using the “Attribute templates” configuration of the “Authorization and Token Endpoint”.
custom claims - The token can contain any addition custom claims configurable via the “Attribute templates” configuration of the “Authorization and Token Endpoint”.

The issuance of the access token is currently not subject to any additional authorization process as it is primarily oriented on distributing the identity state to given audiences. Authorization from the side of the user towards the Client and Resource Server is achieved via the User Consent page.

OAuth 2.0 Token Revocation

The OAuth 2.0 Token Revocation specification extends the OAuth 2.0 Authorization Framework with the mechanism to request the invalidation of OAuth tokens. This mechanism helps to mitigate the risk of misuse of tokens that are no longer used. It can also be used to prevent misuse in cases where the client that possesses the OAuth token suspects the token has been disclosed to a third party.

The implementation covers revocation of both client-side OAuth token types defined in the OAuth 2.0 Authorization framework: the access token and the refresh token. Revoking a refresh token revokes all valid access tokens that have been issued based on the revoked refresh token. Revoking an access token has no impact on any other tokens. The administrator can configure the token types that the revocation endpoint should support.

UMA 2.0 Extension

UMA 2.0 introduces the persisted claims token (PCT) and the requesting party token (RPT) specification for an access token. DirX Access extends the revocation endpoint to support the configuration and processing of both these types (processing the RPT token is implicit because it is an access token).

OAuth 2.0 Token Introspection

The introspection endpoint requires the requester to authorize itself by presenting an access token according to the bearer token specification. This token must be bound to the same client as the token being introspected.

The implementation covers introspection of both client-side OAuth token types defined in the OAuth 2.0 Authorization framework: the access token and the refresh token.

The information contained in the response is highly configurable for each of the published introspection endpoints. Except for the required active field, all other fields are configured according to the template mechanism described in the DirX Access Administration Guide. This mechanism enables the administrator to include the fields defined in the introspection specification or any other fields defined in the DirX Access template mechanism, especially the fields containing additional information about the resource owner authorizing the token. The administrator must explicitly configure all fields that are to be contained within the response.

If the active field is resolved as false, the response contains no additional fields.

The token introspection specification defines the optional fields in the response. For the following fields, it is important to explicitly declare their precise implementation:

sub – DirX Access follows the definition in RFX 7519: JSON Web Token (JWT) . The sub-field can be relevant either to client or to subject. The sub value is a Base64 URL safe encoded SHA-256 hash of string formed according to the means used for determining the entity the token represents. The hashed strings are as follows:
- client: cl:{client_id}
- subject with persisted user account: local:{subject_persisted_identifier}, where subject_persisted_identifier is unique with respect to DirX Access as an issuer and the actual persisted parameter being used can be set via DirX Access Manager by the Subjects | Persistent data | Subject template | Login name attribute.
- OAuth 2.0 federated subject from external identity provider: ext:{issuer}:{sub}, where both issuer and sub are the claims declared about the subject by the external identity provider.
- SAML federated subject from external identity provider: ext:{issuer}:{name_id}, where both issuer and name_id are parameters contained within the SAML Assertion used for the subjects authentication.
- X.509-based authentication: ext:{issuer_dn}:{subject_alt_name}.
- Kerberos: kerb:{name}, where name is a single-string representation of Kerberos name as specified in Section 2.1 in RFC 1964.
token_type – Currently, this always returns bearer.
jti – The access token string itself.

Currently, the introspection endpoint consumes the request via HTTP POST method only, to prevent the disclosure of the sensitive tokens to both the Web agent and server logs.

UMA 2.0 Extension

The set of supported fields is extended with the permissions field to enable the support of UMA 2.0. This field contains the resource-specific permissions granted to the holder of the provided token. The implementation enables the administrator to configure multiple introspection endpoints at the same time with different purposes (for example, with only part of them UMA 2.0-enabled).

OAuth 2.0 Dynamic Client Registration Protocol

Historically, DirX Access incorporates a static metadata declaration process performed by an administrator via DirX Access Manager. In this process, the communication of the metadata to the administrator is performed outside the system. DirX Access V8.7 provides the OAuth 2.0 Dynamic Client Registration protocol, which allows for a much faster reaction to the needs of the ever-changing environment for OAuth clients and fully enables the service-oriented approach to identity provisioning.

The specification leaves it to the implementation to choose whether there can be multiple registered metadata with the same client_id. In the DirX Access implementation, the authorization server has no method for verifying that multiple registration requests are coming from the same client, so it issues a different client_id for each metadata registration. It is up to the client to determine what client_id to use for subsequently performed OAuth requests. The generation of the client_id is designed to preserve its human readability if possible: if the client_name attribute is present in the metadata registration request, it is suffixed with a random integer. Otherwise a random 128-bit string encoded by URL-safe Base64 is used.

The authorization server performs the necessary metadata validation, including checking the relationship between grant_type and response_type and the presence of redirect_uri for clients using the redirection-based grant types.

The configuration of the authorization server provides the administrator with the option to enable the registration of public clients and the conditions of the registration process.

The authorization server supports both types of registration:

Open registration – any client with a valid registration request can register itself with the authorization server.
Protected registration – the client must send an initial access token with the registration request in order to register itself with the authorization server.

When the authorization server supports open client registration, it checks whether the logo_uri, tos_uri, policy_uri and client_uri have the same host and scheme as those defined in the redirect_uris. Those URIs are displayed to the user at the authorization page and with this validation the authorization server protects the user from malicious content that could be hosted at those URIs.

To avoid the proliferation of expired client identifiers, an authorization server cancels registrations for existing clients whose client_secret_expires_at parameter is due. While this parameter is defined by the standards for clients using the client secret, DirX Access extends its use to public clients so that registration expiration is handled in a uniform way. In this way, the authorization server can clean up clients that registered themselves only for a single use. The client secret validity time is configurable via the DirX Access Manager.

The use of software_statement parameter requires an administrator to manage trusted credentials. As all of the parameters present in software_statement can be transported in other ways, DirX Access ignores this element.

The authorization server only accepts parameters without language tags. Parameters with language tags are omitted.

Profiling

The profiling is done by setting up a configuration for a dynamic client registration endpoint in DirX Access Manager:

Client type – is partially bound to the token_endpoint_auth_method; if the authentication method is none, the client must be public. Also, the client can specify its client type in the registration request using the client_type parameter; if supported at the endpoint, the authorization server will grant the requested type to the client.
- Public client
- Confidential client
Supported scopes – the client can be granted only those preregistered scopes that are configured in the supported scopes field.
Open registration – any client can register itself.
Protected registration – requires an access token for a successful registration.
Client secret validity – is also used for expiration of client registrations.
OpenID Connect registration support

OpenID Connect Dynamic Client Registration Protocol

DirX Access supports the OpenID Connect Dynamic Client Registration Protocol by extending the implementation of the OAuth 2.0 Dynamic Client Registration Protocol.

The extension enables processing the application_type field, which specifies either native or web clients that place additional requirements on the redirect_uris, which are validated by the authorization server:

Native clients can only register URIs using custom URI schemes or URLs using HTTP scheme with localhost as hostname.
Web clients using an implicit grant_type must register URLs using the HTTPS scheme.

The OpenID scope must be included in the scope element; if OpenID Connect registration support is configured in DirX Access Manager, the openid scope is added automatically.

DirX Access ignores the sector_identifier_uri element in the registration request because the client can include the redirect_uri domains directly in the redirect_uris parameter.

UMA 2.0 Extension

UMA 2.0 introduces the claims_redirect_uris parameter to be used in client metadata. This parameter represents the URI to which the client wishes the authorization server to redirect the requesting party after completing the claims collection. DirX Access validates the claims_redirect_uris parameter according to the specification. For the client to enable the use of UMA 2.0, the claims redirection URIs must be registered.

UMA protection scope is not automatically added into the scope element as this scope is used at the resource server.

User-Managed Access 2.0

User-Managed Access 2.0 (UMA) is an OAuth-based protocol designed to achieve the following goals:

Give an individual the ability to manage authorization policies protecting his/her digital resources, no matter where they reside.
Enable any requestors to ask for actions involving the protected resources without the need of synchronous interaction with the resource owner.
Delegate the authorization process from the resource server to a dedicated entity - authorization server.

These goals provide significant benefits to the IT environment that incorporates the UMA 2.0 components, including:

Authorization as a service by design. A single UMA authorization server can be used by multiple resource servers. While there are numerous solutions providing a similar multi-tenancy feature, the DirX Access solution that is based on the UMA standard profits from being tightly bound to OAuth 2.0. As a result, all of the features enabled by other OAuth specifications can be used by UMA clients, including a fast, easy, and standardized way of new client (resource server) registration, identity provisioning via OpenID Connect, and others.
IoT enablement. While authorization service by design provides the multi-tenancy typical for an environment of large applications with centralized administration, the UMA 2.0 specification provides the base for authorization decisioning in the world of the Internet of Things (IoT). The DirX Access implementation complies with this base and enhances it with the underlying authorization engine: the resource-centric authorization service. This service brings the authorization process of DirX Access into the IoT era.
Standardized APIs. UMA 2.0 introduces a standardized API with all its benefits. Contemporary solutions that provide the authorization decision-processing to third-party applications (resource servers) typically include components accessed via proprietary APIs. This solution requires that components from the same vendor be deployed at the resource server side as well. By contrast, when using a standardized API, the customer can choose from the best specific solutions for each system component, even from different vendors.

User-Managed Access 2.0 is a standard described by two specifications:

Federated Authorization for User-Managed Access (UMA) 2.0 specifies the mechanisms used for loose coupling of the resource server and authorization server in the UMA scenario.
User-Managed Access (UMA) 2.0 Grant for OAuth 2.0 Authorization specifies the protocol between the requesting party, the requesting party’s client, the resource server and the authorization server that is used for performing a requested action on a requested resource.

DirX Access supports these standards in versions 2.0.8, issued on September 4, 2017.

DirX Access takes on the role of the authorization server. It can also serve as an identity provider for the authorization server; in this scenario, the authorization server benefits from the internal session stored for both resource owners and requesting parties, accelerating the authorization process and improving the user experience.

Analytics View

KuppingerCole – June 2017 – Leadership Compass: Identity as a Service: Single Sign-On to the Cloud (IDaaS SSO) - UMA is one of the innovative features evaluated.
Gartner – 2016 – Hype Cycle for Identity and Access Management Technologies 2016 - Hype curve position - on the rise; 5 - 10 years to mainstream adoption.
KuppingerCole – June 2017 – Leadership Compass: CIAM Platforms - UMA is one of the innovative features evaluated.
KuppingerCole – June 2017 – Leadership Compass: Identity as a Service: Cloud-based Provisioning, Access Governance and Federation (IDaaS B2E) - UMA is one of the innovative features evaluated.

Federated Authorization

Federated authorization is a fairly new notion in production environments. Federation in contemporary identity and access management solutions is typically connected to identity provision (using OpenID Connect or SAML). Even the general OAuth 2.0 Authorization Framework in its simplicity limits the authorization decisioning by the necessity of the presence of the resource owner.

By comparison, UMA 2.0 introduces the role of the requesting party, which naturally enriches the protocol by removing the resource owner’s interaction from the requesting part of the protocol. For a detailed description, see the respective specifications. This section provides a very high level overview of the new features:

Resource registration – the resource owner initiates the registration of its resource stored at the resource server. The resource server registers the resource in question at the authorization server. From that point on, any request for any operation over this resource is protected by the authorization server. The resource owner is provided with the address of an application that can be used to set up the authorization policies. It is solely in the realm of the resource server to determine what a resource is (a picture, text document, web page, the whole web domain, and so on).
Policy management – after a successful resource registration, the resource owner uses the policy management application to set up the authorization policies for any entity. These policies are used during the authorization decision-making and thus form the basis of the switch from the synchronous to the asynchronous decisioning. The policy and evaluation mechanism is out of the scope of the UMA 2.0 specification. DirX Access employs the new resource-centric authorization service that provides an easy-to-use yet highly configurable policy management interface.
Request for resources – when a resource is registered and appropriate policies are set up by the resource owner, a requesting party may ask (through its client application) the resource server for an operation on the resource. Subsequently, the client is redirected to the authorization server to provide the necessary information for the authorization process. Typically, this phase contains an interaction between the requesting party (end user) and an identity provider which results in presenting the UMA authorization server with identity claims used for authorization decision-making. The decision is subsequently passed to the client, which sends it to the resource server. Based on the decision, the requested resource operation is either performed, or disabled. The information bound to the decision may be reusable so that the next time the client requests a resource operation, the resource server might provide it based just on the previous decision.

Federated Authorization for User-Managed Access 2.0

This section describes the DXA-specific handling of the non-mandatory aspects of the Federated Authorization for User-Managed Access 2.0 specification.

Protection API

The protection API that enables communication between the resource and authorization servers is itself protected by the OAuth 2.0 authorization server. In the DirX Access solution, the authorization server protecting the API is the same instance of the OAuth Server, which enables internal sharing of some important states and thus accelerates the processing.

PAT Issuance

As defined, PAT is an OAuth 2.0 access token with the scope uma_protection. Following the general rules of DXA OAuth Server configuration, the issuance of PAT is limited to the requesting clients having the uma_protection scope preregistered in their client metadata. Also using the OAuth 2.0 Dynamic Client Registration Protocol, this approach enables easy and automatic management of the UMA resource servers. Any registered OAuth client that contains the uma_protection scope in its metadata is treated as a UMA 2.0 resource server by the DXA UMA 2.0 authorization server.

Any grant type can be used for issuance of PAT; thus DirX Access enables both OAuth client and system users to perform the role of a resource owner.

Resource Identifiers

According to the UMA specifications, the generation of resource identifiers is solely under control of the authorization server. In the DirX Access implementation, the resource identifier is a Base64-encoded 64-bit random value generated by the server during the registration process. The identifier is unique with respect to the resource server.

It is important to point out that the resource identifier is free to be openly published, which justifies the relatively short length of the identifier (there is no requirement on the identifier to be unguessable).

Resource Registration Endpoint

The precise endpoint address is declared in the published authorization server metadata document (found at {issuer}/.well-known/uma2-configuration) and has the following form: {issuer}/rs.

The internationalization of the parameters of resource and scope descriptions is currently not supported.

By default, the user_access_policy_uri parameter in the resource registration response refers to the metadata document of the OData API defined for the policy management. As the response is sent back to the resource server, the server can leverage this information to supply its own specific application to provide the policy management UI to the resource owner.

The administrator can configure the value of the parameter user_access_policy_uri to refer to the address of any custom application that provides the policy management API.

Be aware that Resource Registration URL syntax might be in collision with Resource exclusion on designated PEP protecting the OAuth endpoint.
E.g., we have {issuer}/rs/NameOfResource resource which requires authorized access, but to designated PEP we at some point configured Resource exclusion, specifically parameter Resource paths ending with and assigned it a value Resource. This way we coincidentally allowed unauthorized access through PEP.

More information about Resource exclusion can be found also here: Plain Web PEP

Permission Endpoint

The precise endpoint address is declared in the published authorization server metadata document (found at {issuer}/.well-known/uma2-configuration) and has the following form: {issuer}/permission.

The permission endpoint follows the specification requirements exactly.

According to the specification, the permission request may contain zero or more scopes in the resource_scopes parameter. DirX Access supports the specific case of zero requested scopes but provides a specific way of setting up the authorization policies for this case. For more information, see the section “UMA 2.0 Empty Scopes”.

Token Introspection Endpoint

The precise endpoint address is declared in the published authorization server metadata document (found at {issuer}/.well-known/uma2-configuration) and has the following form: {issuer}/introspect.

To support the UMA 2.0 extension in a configured token introspection endpoint, the extending parameter – permissions – must be included in the Token introspection endpoint section of the OAuth Server configuration object. At the same time, this endpoint’s scopes parameter must contain at least the uma_protection value. Here, the configured scopes enable not only to differentiate between a plain introspection endpoint and a UMA 2.0 extension, but can also provide additional information according to the scopes granted to the access token (PAT for the UMA 2.0 extension) used in the request.

User-Managed Access 2.0 Grant for OAuth 2.0 Authorization

This section describes the DirX Access-specific handling of the non-mandatory items that are relevant to the User-Managed Access 2.0 Grant for OAuth 2.0 Authorization specification.

RPT Issuance

A client may supply a PCT in the request for RPT. The authorization server subsequently extracts all valid claims internally bound to the PCT and uses them for authorization assessment.

As for the current state, there are no publicly standardized claim token formats. Because DirX Access has other methods for identifying the requesting party, it does not support any claim tokens supplement in the client’s request for RPT.

If the client supplies an existing RPT in the request for a new RPT, the authorization server always upgrades it. As a result:

A new RPT is issued that is associated with both the fresh permissions and the permissions bound to the original RPT.
The existing RPT is discarded.
The upgraded parameter in the response is set to true.

The authorization server may return a refresh token along with the RPT, depending on the configuration of the token endpoint.

PCT Issuance

The administrator can configure whether or not the PCT is issued. When the PCT issuance is set to true, the requesting party is explicitly asked for consent with the issuance of the PCT bound to its identity.

The DirX Access UMA 2.0 authorization server extends the token revocation endpoint with the pct OAuth token type to be revocable.

Claims Collection

The claims interaction endpoint facilitates the claims collection process between the requesting party and the authorization server. Its precise address is declared in the published authorization server metadata document (found at {issuer}/.well-known/uma2-configuration) and has the following form: {issuer}/claims.

When a request gets to the claims interaction endpoint, the server first checks whether the requesting party has already authenticated to the DirX Access instance. The authentication could have been performed either in previous claims collection rounds or via means irrelevant to the UMA 2.0 scenario (the requesting party has established an active session). If not, the requesting party is provided with the authentication method configured for the Associated Web PEP (either a discrete authentication method, or the corresponding Authentication Application).

The fact the authentication process is bound to the same instance of DirX Access enables the whole process to be accelerated by leveraging an existing DirX Access session. Furthermore, the delegation of the authentication to the Associated Web PEP allows for employing any third-party identity provider (if configured).

Authorization Assessment

The authorization assessment is performed by the resource-centric authorization service. For more information, please see: Resource-Centric Authorization Service.

The authorization server issues an RPT if at least one permission has been granted by the authorization assessment process. In such a case, all the permissions’ validity intervals are set to the same length as the validity interval of the first RPT the permissions are bound to (the RPT may be later upgraded, yet the permissions’ validity will not change).

If an RPT is not issued because the authorization assessment result is negative, one of the following error codes is returned:

need_info – there is at least one processed policy that yields a negative result because it is missing a relevant claim from the client/requesting party (this gives the opportunity to supply the claim and satisfy the policy).
request_denied – all of the processed policies had enough information (claims) to return the negative result (supplying any additional claim won’t change the result).
request_submitted – the authorization server does not currently support submitting the requests to the resource owners; hence, the request_submitted error code has the same meaning as request_denied.

Security Considerations

This section discusses security considerations related to UMA 2.0 Grant for Oauth 2.0 Authorization.

Permission Ticket Management

DirX Access applies the same security measures on the permission ticket as OAuth 2.0 demands for authorization code: duplicated use may be caused by a disclosure of the ticket to an attacker, so all tokens issued based on this ticket are immediately revoked.

A permission ticket is generated as Base64-encoded 160 random bits.

Configuration

The support of UMA 2.0 standard can be easily achieved by checking the User Managed Access support checkbox in the Default configuration section of the OAuth Server configuration page in DirX Access Manager (Federation | OAuth | Servers). The administrator may want to customize some of the configuration options. This section explains these options and how they relate to UMA 2.0.

Associated Web PEP

The Web PEPs authentication method may be employed during the claims collection process.

Client Metadata

Any resource servers that are relevant to the configured authorization server must be listed in the “Client metadata” field.

To enable the policy management, the client metadata list must contain also the internally-relevant OAuth clients - internal resource server and rule templates servers. These are represented by client identifiers as_res and as_res_rt{oauth_server_id} (where oauth_server_id is the identifier of relevant OAuth Server configuration object), respectively. These clients have special meanings and are self-protected by the OAuth Server. The former enables to manage the registered resources, while the latter enables to manage the rule templates for given OAuth Server.

The client_id parameter of the client metadata mustn’t contain the string “:::” as this is used during an internal processing.

Authorization and Token Endpoint Configuration

Authorization and token endpoint configuration have the following requirements:

To support the UMA 2.0 grant type, at least one endpoint must have the urn:ietf:params:oauth:grant-type:uma-ticket grant type configured. The validity period property also applies to the UMA-specific access token extensions (PAT, RPT).
The “persisted claims token validity in seconds” field determines the validity period of issued PCTs.
To set up specific configuration parameters for the tokens issued to resource servers, include the uma_protection scope in the “Scopes” list.

Protected Endpoints Configuration

This section discusses protected endpoints configuration in relation to UMA 2.0.

Token Introspection

Token introspection configuration has the following requirements:

To enable the UMA 2.0 extension of the token introspection endpoint, the administrator must include an identifier of the “OAuth Attribute template” in the “Attribute templates” list (Subject | OAuth token | OAuth Attribute template Construction) that has an “OAuth attribute value template” (Subject | OAuth token | OAuth Attribute template Value Construction) constructed as follows:
- Return type: ANYTYPE
- Container: OAUTHSERVICE
- Abstraction: REQUESTINGPARTYTOKEN
- Detail: PERMISSIONS
To set up specific configuration parameters for the tokens issued to resource servers, include the uma_protection scope in the “Scopes” list.

Resource Registration

The resource registration endpoint must be configured to enable registration of UMA resources. This endpoint can be generally used for any resource registration, however, to comply with the UMA 2.0 specifications, it must be accessible only with access tokens that have the uma_protection scope granted. To achieve this, simply include this scope into the “Scopes” list.

Rule Template Registration and Policy Management

The DirX Access-proprietary endpoints are parts of the Policy Management API. For more information, see the section “Policy Management API”.

Token Revocation

To support the UMA 2.0 extension of the token revocation endpoint (revocation of PCTs), the pct identifier must be included in the “Token types” list.

Permission

As part of the UMA Protection API, the permission endpoint should be protected by the access token that has the uma_protection scope granted. As a result, include the uma_protection scope in the “Scopes” list.

The configuration enables setting up the “Permission ticket validity period in seconds” value.

Claims Interaction

The claims interaction endpoint configuration determines whether or not the requesting party is provided with a choice that leads to the issuance of the PCT to the client.

Registration Point Reset

This configuration regenerates the registration point relevant to the given OAuth Server. For more information about the registration point, see the “Resource Ownership and Registration” section.

UMA Use Cases

Several examples of UMA-enabled use cases are listed.

Hospital Resource System

The UMA implementation enables managing the complex environment of medical records within a larger organization, like a hospital or a group of medical record originators (doctors) for which it makes sense to share information. According to legislation, the resource owners are typically the patients that authorize their doctors to manage their medical records. From the UMA perspective, these records are owned by the doctor (that operates the UMA-protected software) and the legal owner (patient) gives its consent with the change of rights verbally or by a signing a paper contract (the break-glass scenario is of special concern). It is important to point out that the UMA specification is tightly bound to the legal side of the authorization process via the UMA Legal Working Group, which discusses the questions of transforming the standardized actions into legal consequences.

Here is a UMA use case in everyday business: A patient comes to the hospital to see her general practitioner. The examination shows some non-standard results, and the patient is sent to see a specialist. Normally, the practitioner would print the examination result and give it to the patient who would later give it to the specialist, which would represent the patient consent. With UMA, the practitioner asks the patient for her consent and then changes the access rights to the digital version of the record (everything is audited for the purposes of legal compliance). The specialist can immediately see the record, examine the patient, and share the results with the general practitioner. If there were the necessity to perform a surgery, all the records could again be easily shared with the surgeon.

What have we achieved?

No need to print the records.
No need for the records-receiving party to replicate the data (copying or scanning or rewriting) and the prevention of possible mistakes introduced by the replication.
All actions are audited and the whole process can be verified, should any questions arise.

Break-glass Scenario

The break-glass scenario occurs in the cases of a critical emergency. It is basically an option that permits bypassing the systemic access control policies and performing an action that otherwise prohibited yet necessary in the given situation. The resource-centric authorization service provides the possibility to directly include the policies that ensure the break-glass scenario into the policies relevant to the respective resources. For example, an administrator account can have the privilege to perform any action, yet the administrator is bound contractually to do so only in the break-glass situation.

User-owned IoT Network

Picture the not-so-far-off future (technologically, it is the present, but the real deployments don’t cover the majority of the population yet), where every person truly owns a network of communicating devices, including smartphone, smartwatches, sensor-jacket, home thermo-regulator, smart-meters, router, lights, and so on. All of these devices are resources with different actions defined on them that are easily mapped onto a UMA scenario. Then, there might be a single UMA server in each household, enabling the residents to register a new resource and set the access rights for it. There are numerous communication scenarios between all of these devices, but all share the same feature of being owned by a single owner who permits or denies them. The household UMA server can be synchronized to a cloudified UMA server (aaS), which increases the communication options.

Identity Data Repository

Managing user identity in the on-line environment has become a laborious task for any user who is active on multiple services. Authentication federation protocols are easing this task; however, they might not be sufficient for some use cases. For example, picture the following scenario: a user has her identity managed by a federation service. This federation service provides the identity to any client service on the user’s consent. The identity data can be managed either by an administrator (which is typical for an enterprise), or directly by the user. These data can subsequently be passed to the client service within the federation message. However, a problem occurs when the user wants to determine what client service should access what data. Furthermore, a client service might rely on assigning specific identity data (for example, roles) to each identity and expects to receive them again in the federation message. These data naturally mustn’t be seen by any other service.

The described scenario can be easily achieved by a federation service with identities managed via some provisioning user interface (for example, SCIM), where the identities and their respective attributes are managed as UMA resources.

Resource Service Cloud Deployment

UMA is specified so that it can protect a SCIM-based resource server. SCIM, as a representative of provisioning/resource managing protocols, can handle multiple tenants within a single service instance. Hence, UMA plus SCIM can easily be used as a base for a general resource sharing (document sharing, photo server, and so on) cloud service without the need to deploy a new instance for a new customer.

Building Access Protection

Here we present a very specific application: protecting access to a building. This scenario demonstrates the Information Technology/Operational Technology (IT/OT) scenario for using UMA.

Suppose there is a large office building with lots of tenants that change very frequently. Every door in this building has a chip-card sensor that is connected to a central information system that determines the access rights to the building. Using UMA, this action can be easily modelled in the following way: The door is a protected resource; the chip-card is a token performing authentication of the requesting party at the sensor. The information system employs UMA to determine whether the requesting party has access rights for the given resource; if yes, the door opens. The UMA-based solution should provide both the real-time decision-making and the ability for each tenant to manage the access rights for the doors to its offices. This scenario can be handled by enabling the general resource owner (the owner of the building) to assess the policy-management rights to the tenant’s representative.

Social Logins and OAuth Metadata Update

This section describes using social logins as preconfigured OAuth Identity providers.

Authentication

DirX Access supports OAuth authentication using Google or Facebook as Identity providers out of the box. For this purpose, OAuth metadata for these providers are included in the default product configuration so that they are ready to be used via DXA OAuth client. Partnering with Google or Facebook is as easy as selecting them from the metadata list in the configuration without any further setup.

Metadata Update

Over time, OAuth metadata might expire. Therefore, it is necessary to have means of updating the metadata, so that there is a way to replace the outdated metadata and ensure that the authentication works. You can update metadata manually with DirX Access Manager (Federation -> OAuth -> Server metadata -> Metadata), by simply replacing the metadata and updating the configuration. You can also use DirX Access Manager to update the JSON Web Key Set (Federation -> OAuth -> Server metadata -> JWKS Document).