<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>conferences Archives - IDPro</title>
	<atom:link href="https://idpro.org/tag/conferences/feed/" rel="self" type="application/rss+xml" />
	<link>https://idpro.org/tag/conferences/</link>
	<description>The Professional Organization for Digital Identity Management</description>
	<lastBuildDate>Thu, 27 Mar 2025 22:36:52 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	

<image>
	<url>https://idpro.org/wp-content/uploads/2023/07/cropped-idpro_stickerA-circle-100-32x32.jpg</url>
	<title>conferences Archives - IDPro</title>
	<link>https://idpro.org/tag/conferences/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>The OAuth Security Workshop 2025</title>
		<link>https://idpro.org/the-oauth-security-workshop-2025/</link>
		
		<dc:creator><![CDATA[VTM Web Services]]></dc:creator>
		<pubDate>Thu, 27 Mar 2025 19:12:17 +0000</pubDate>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Newsletter]]></category>
		<category><![CDATA[conferences]]></category>
		<category><![CDATA[OSW]]></category>
		<guid isPermaLink="false">https://idpro.org/?p=2761</guid>

					<description><![CDATA[<p>The OAuth Security Workshop 25 (OSW) took place in Reykjavik, Iceland this year, in the last week of February. Currently [&#8230;]</p>
<p>The post <a href="https://idpro.org/the-oauth-security-workshop-2025/">The OAuth Security Workshop 2025</a> appeared first on <a href="https://idpro.org">IDPro</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>The <a href="https://oauth.secworkshop.events/">OAuth Security Workshop</a> 25 (OSW) took place in <a href="https://oauth.secworkshop.events/osw2025">Reykjavik, Iceland</a> this year, in the last week of February. Currently in its 10th year, the workshop was initially created by two different research groups from the Universities of Ruhr-Bochum and Trier who independently discovered attacks on OAuth and OpenID Connect around the same time. These researchers first met in Darmstadt in 2015 with members of the OAuth working group to discuss the issues they had surfaced and find mitigation strategies. The participants also decided that, given the need for a better exchange of information and knowledge, a regular meeting or event was necessary. The OAuth Security Workshop was born, with the goal of ensuring that research and standardization efforts stay in sync. Since then, the OSW has been run and organized independently by <a href="https://www.linkedin.com/in/dr-fett/">Dr Daniel Fett</a>, <a href="https://www.linkedin.com/in/gschmitz/">Guido Schmitz</a>, and <a href="https://www.linkedin.com/in/steinar-noem-3845a82/">Steinar Noem</a> without corporate backing or funding. Thankfully, individual workshops have corporate sponsors, but we still have to thank Daniel, Guido, and Steinar for their volunteer efforts in keeping this community alive and thriving for the past decade! As participants like to point out themselves, OSW is a meeting place for a couple hundred geeks, but those are the geeks who actually drive the Identity standards that the current World Wide Web is built upon!</p>



<h2 class="wp-block-heading">OSW Sessions of Interest</h2>



<p>OSW is itself part conference, part unconference. The mornings are dedicated to proper talks, keynotes, and sessions for different horizons – students, researchers, security architects, seasoned RFC writers, thought leaders, startup founders, and even <a href="https://digitalidadvancement.org/">Digital Identity Advancement Foundation</a> “<a href="https://digitalidadvancement.org/awards-and-grants/vittorio/">Vittorio Bertocci Award</a>” grantees. The afternoons are open for unconference-style sessions, the contents of which are decided each day by popular vote. The tracks summarized below cover the latest and greatest work currently in progress or published in the OAuth universe at large.</p>



<h3 class="wp-block-heading">Verifiable Credentials</h3>



<p>A set of sessions was dedicated to the various groups working on Verifiable Credentials and related specs (<a href="https://openid.net/sg/openid4vc/">OID4VC</a>, etc.). <a href="https://www.linkedin.com/in/kristinayasuda/">Kristina Yasuda</a> and her peers showed that a lot of effort has been going into standardizing the formats for representing credentials, building trust frameworks, and ensuring that these digital credentials can be read, presented, understood and, most importantly, trusted. A huge driver here is still the pan-European <a href="https://digital-strategy.ec.europa.eu/en/policies/eidas-regulation">eIDAS</a> initiative, whose goal is to provide all European citizens with Digital Credentials.</p>



<h3 class="wp-block-heading">WIMSE-cal Workloads</h3>



<p>On another tack, a lot of work has been going into securing Workloads, with the advent of the new Transaction Tokens and <a href="https://datatracker.ietf.org/doc/draft-ietf-wimse-arch/">WIMSE</a> specifications, as well as new implementations of the not-so-new <a href="https://spiffe.io/">SPIFFE</a> framework. As defined in the <a href="https://datatracker.ietf.org/doc/draft-ietf-oauth-transaction-tokens/">Transaction Tokens spec</a>, a Workload is “An independent computational unit that can autonomously receive and process invocations, and can generate invocations of other workloads. Examples of workloads include containerized microservices, monolithic services and infrastructure services such as managed databases”. This also applies to our friends the AI Agents. <a href="https://www.linkedin.com/in/pieter-kasselman-0259862/">Pieter Kasselman</a> highlighted that workloads have two main problems: giving them a provable unique identity with which they can authenticate to each other (which can be provided through SPIFFE, but also through the new concept of a Workload Identity Token or <a href="https://datatracker.ietf.org/doc/draft-ietf-wimse-s2s-protocol/03/">WIT</a>), and ensuring that the same context is shared across all the workloads participating in the same transaction (achieved through Transaction Tokens). Access to any resource by any of these Workloads can then be properly authorized within the context of the operation at hand.</p>



<h3 class="wp-block-heading">The Next Member of the OAuth Family</h3>



<p>This topic led to some good follow-up discussions after <a href="https://www.linkedin.com/in/justinricher/">Justin Richer</a> presented the RFC on <a href="https://datatracker.ietf.org/doc/rfc9421/">HTTP Message Signatures</a>, an alternative to <a href="https://datatracker.ietf.org/doc/html/rfc9449">DPoP</a>, itself one of the legitimate children of OSW. What would happen if the workload couldn’t access the Authorization Server or the client key material? By the end of the conference <a href="https://datatracker.ietf.org/doc/html/draft-richer-oauth-tmb-claim">a new proposal had been submitted</a> to the IETF. Discussions in <a href="https://www.ietf.org/meeting/122/">Bangkok</a> promise to be epic.</p>



<h3 class="wp-block-heading">FAPI</h3>



<p>On the development/engineering security side, the <a href="https://openid.net/specs/fapi-security-profile-2_0-final.html">FAPI 2.0</a> specification was also released recently. It includes various updates to the security posture required of its various participants. As for gauging the security of Web Applications, the Open Worldwide Application Security Project (OWASP) just released version 5.0 of its Application Security Verification Standard (<a href="https://github.com/OWASP/ASVS">ASVS</a>). <a href="https://www.linkedin.com/in/elarlang/">Elar Lang</a> presented the ASVS project, whose primary goal is to provide an open application security standard for web apps and web services of all types. The standard provides a set of controls that can be used to assess or test the security of any system. Implementers can thus choose which controls to focus on to secure their applications.</p>



<h3 class="wp-block-heading">Factors and Claims</h3>



<p><a href="https://www.linkedin.com/in/jflombardo/">Jeff Lombardo</a> and <a href="https://www.linkedin.com/in/ababeanu/">Alex Babeanu</a> introduced a new set of claims for the JWT Access Token profile within the OAuth2 standard, along with a new flow. These proposed claims aim to enhance visibility into the Client entity itself. While existing OAuth2 flows provide extensive information about the end-user making requests to access resources (through access or ID token claims), there is little standardization around identifying and assessing the client application that the end-user is authorizing. Specifically, there is no widely accepted way to determine the level of assurance associated with the client entity. For example, how was the client authenticated? Was it a simple ID and secret, mTLS, or a signed JWT assertion? These methods vary significantly in security, with cryptographic signatures offering stronger assurances. Additionally, which security extensions were applied in the OAuth flow? Was PKCE or DPoP used? These factors can impact the overall security posture of a request.</p>



<h3 class="wp-block-heading">Access Control Mechanisms</h3>



<p>As access control mechanisms evolve, these considerations are becoming increasingly important. With the rise of AI agents, Policy Decision Points (PDPs) must assess not just the end-user but also the security of the calling application itself. By incorporating these new claims, PDPs can make more informed access control decisions, ensuring stronger and more adaptable security policies.</p>



<p>Thus, a better integration with <a href="https://openid.net/wg/authzen/">AuthZEN</a>-compliant Policy Decision Points (PDPs) is proposed in a couple of ways:</p>



<ul class="wp-block-list">
<li>OAuth Authorization Servers (AS) should make direct AuthZEN calls to compliant PDPs as part of their usual token-minting ceremonies. This will supply the PDPs with the additional client claims described above to help in decision-making. (We are thinking in particular about Rich Authorization Requests (RAR), which can be complex authorization requests.)</li>



<li>The authors also proposed a new Step-Up Authorization Protocol as an extension to <a href="https://www.rfc-editor.org/rfc/rfc9470.html#name-authorization-response">RFC 9470</a>, the Step-Up Authentication Protocol. In this new flow, a Resource Server can request an Authorization Step-Up and require a new set of client claims from the client. The client is then responsible for obtaining these claims by, for example, authenticating using a stronger method (such as mTLS or signed assertions) and ensuring that certain extensions (such as DPoP) are presented.</li>
</ul>



<p>Work on drafts for these extensions has already started.</p>



<h2 class="wp-block-heading">Closing With a Bang</h2>



<p>Finally, as <a href="https://www.linkedin.com/in/selfissued/">Mike Jones</a> pointed out during his session entitled <a href="https://self-issued.info/?p=2615">“The Cambrian explosion of OAuth and OpenID Specifications”</a>, there are rather a LOT of standards in the OAuth universe, over 100. So much so that it can be hard for newcomers or implementers to find the right path in this forest. This is nevertheless also a sign of a healthy ecosystem, where more and more problems are tackled. Like the Cambrian explosion that our planet Earth experienced some 540 million years ago, we may be witnessing an explosion in the diversity of Digital Identity topics and concerns, a good sign that we will keep busy for the foreseeable future.</p>



<p><em>Disclaimer: The views expressed in the content are solely those of the author and do not necessarily reflect the views of the IDPro organization.</em></p>



<h2 class="wp-block-heading">Authors:</h2>



<figure class="wp-block-image size-full"><img fetchpriority="high" decoding="async" width="210" height="287" src="https://idpro.org/wp-content/uploads/2025/03/Alex-Babeanu-2025.png" alt="" class="wp-image-2769"/></figure>



<p><a href="https://www.linkedin.com/in/ababeanu/">Alex Babeanu</a> is a seasoned expert with over two decades of building innovative IAM solutions using Graphs and Open Standards, as a Principal Engineer, Consultant, Product Manager and CTO. A passionate advocate for the graph-based approach to IAM, Alex has presented at leading conferences and contributed extensively through published papers and blogs. As a founding member of IDPro and part of its editorial committee, Alex plays a key role in curating content for the organization’s monthly publications. Currently, he leads the Access Management product at Indykite, a cutting-edge platform that harnesses graph data and AI to simplify complex identity challenges.</p>



<p>Badges: IDPro Member, IDPro Editorial Committee, IDPro BoK Reviewer, IDPro Newsletter Author, IDPro Founding Member</p>



<figure class="wp-block-gallery has-nested-images columns-5 is-cropped wp-block-gallery-1 is-layout-flex wp-block-gallery-is-layout-flex">
<figure class="wp-block-image size-large"><img decoding="async" width="600" height="600" data-id="2272" src="https://idpro.org/wp-content/uploads/2023/06/IDPro_BoK_Badges_R5__Founding_Member.png" alt="" class="wp-image-2272" srcset="https://idpro.org/wp-content/uploads/2023/06/IDPro_BoK_Badges_R5__Founding_Member.png 600w, https://idpro.org/wp-content/uploads/2023/06/IDPro_BoK_Badges_R5__Founding_Member-300x300.png 300w, https://idpro.org/wp-content/uploads/2023/06/IDPro_BoK_Badges_R5__Founding_Member-150x150.png 150w, https://idpro.org/wp-content/uploads/2023/06/IDPro_BoK_Badges_R5__Founding_Member-320x320.png 320w" sizes="(max-width: 600px) 100vw, 600px" /></figure>



<figure class="wp-block-image size-large"><img decoding="async" width="600" height="600" data-id="2436" src="https://idpro.org/wp-content/uploads/2023/11/IDPro_BoK_Badges_R5__Member.png" alt="" class="wp-image-2436" srcset="https://idpro.org/wp-content/uploads/2023/11/IDPro_BoK_Badges_R5__Member.png 600w, https://idpro.org/wp-content/uploads/2023/11/IDPro_BoK_Badges_R5__Member-300x300.png 300w, https://idpro.org/wp-content/uploads/2023/11/IDPro_BoK_Badges_R5__Member-150x150.png 150w, https://idpro.org/wp-content/uploads/2023/11/IDPro_BoK_Badges_R5__Member-320x320.png 320w" sizes="(max-width: 600px) 100vw, 600px" /></figure>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="600" height="600" data-id="2389" src="https://idpro.org/wp-content/uploads/2023/10/IDPro_BoK_Badges_R5__Editorial_Committee_Member.png" alt="" class="wp-image-2389" srcset="https://idpro.org/wp-content/uploads/2023/10/IDPro_BoK_Badges_R5__Editorial_Committee_Member.png 600w, https://idpro.org/wp-content/uploads/2023/10/IDPro_BoK_Badges_R5__Editorial_Committee_Member-300x300.png 300w, https://idpro.org/wp-content/uploads/2023/10/IDPro_BoK_Badges_R5__Editorial_Committee_Member-150x150.png 150w, https://idpro.org/wp-content/uploads/2023/10/IDPro_BoK_Badges_R5__Editorial_Committee_Member-320x320.png 320w" sizes="auto, (max-width: 600px) 100vw, 600px" /></figure>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="600" height="600" data-id="2390" src="https://idpro.org/wp-content/uploads/2023/10/IDPro_BoK_Badges_R5__Newsletter_Author.png" alt="" class="wp-image-2390" srcset="https://idpro.org/wp-content/uploads/2023/10/IDPro_BoK_Badges_R5__Newsletter_Author.png 600w, https://idpro.org/wp-content/uploads/2023/10/IDPro_BoK_Badges_R5__Newsletter_Author-300x300.png 300w, https://idpro.org/wp-content/uploads/2023/10/IDPro_BoK_Badges_R5__Newsletter_Author-150x150.png 150w, https://idpro.org/wp-content/uploads/2023/10/IDPro_BoK_Badges_R5__Newsletter_Author-320x320.png 320w" sizes="auto, (max-width: 600px) 100vw, 600px" /></figure>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="600" height="600" data-id="2391" src="https://idpro.org/wp-content/uploads/2023/10/IDPro_BoK_Badges_R5__Active_BoK_Reviewer.png" alt="" class="wp-image-2391" srcset="https://idpro.org/wp-content/uploads/2023/10/IDPro_BoK_Badges_R5__Active_BoK_Reviewer.png 600w, https://idpro.org/wp-content/uploads/2023/10/IDPro_BoK_Badges_R5__Active_BoK_Reviewer-300x300.png 300w, https://idpro.org/wp-content/uploads/2023/10/IDPro_BoK_Badges_R5__Active_BoK_Reviewer-150x150.png 150w, https://idpro.org/wp-content/uploads/2023/10/IDPro_BoK_Badges_R5__Active_BoK_Reviewer-320x320.png 320w" sizes="auto, (max-width: 600px) 100vw, 600px" /></figure>
</figure>



<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="210" height="237" src="https://idpro.org/wp-content/uploads/2025/03/Jeff-Lombardo.png" alt="" class="wp-image-2770"/></figure>



<p><a href="https://www.linkedin.com/in/jflombardo/">Jeff Lombardo</a> is a Solutions Architect and an expert in IAM, Application Security, and Data Protection. Through 15 years as an IAM consultant for French, Canadian, and US enterprises of all sizes and business verticals, he has delivered innovative solutions aligned with standards and governance frameworks. For the last 5 years at AWS, he has helped organizations enforce best practices and defense in depth for secure cloud adoption.</p>



<figure class="wp-block-gallery has-nested-images columns-4 is-cropped wp-block-gallery-2 is-layout-flex wp-block-gallery-is-layout-flex">
<figure class="wp-block-image size-large"><img decoding="async" width="600" height="600" data-id="2436" src="https://idpro.org/wp-content/uploads/2023/11/IDPro_BoK_Badges_R5__Member.png" alt="" class="wp-image-2436" srcset="https://idpro.org/wp-content/uploads/2023/11/IDPro_BoK_Badges_R5__Member.png 600w, https://idpro.org/wp-content/uploads/2023/11/IDPro_BoK_Badges_R5__Member-300x300.png 300w, https://idpro.org/wp-content/uploads/2023/11/IDPro_BoK_Badges_R5__Member-150x150.png 150w, https://idpro.org/wp-content/uploads/2023/11/IDPro_BoK_Badges_R5__Member-320x320.png 320w" sizes="(max-width: 600px) 100vw, 600px" /></figure>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="600" height="600" data-id="2390" src="https://idpro.org/wp-content/uploads/2023/10/IDPro_BoK_Badges_R5__Newsletter_Author.png" alt="" class="wp-image-2390" srcset="https://idpro.org/wp-content/uploads/2023/10/IDPro_BoK_Badges_R5__Newsletter_Author.png 600w, https://idpro.org/wp-content/uploads/2023/10/IDPro_BoK_Badges_R5__Newsletter_Author-300x300.png 300w, https://idpro.org/wp-content/uploads/2023/10/IDPro_BoK_Badges_R5__Newsletter_Author-150x150.png 150w, https://idpro.org/wp-content/uploads/2023/10/IDPro_BoK_Badges_R5__Newsletter_Author-320x320.png 320w" sizes="auto, (max-width: 600px) 100vw, 600px" /></figure>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="600" height="600" data-id="2391" src="https://idpro.org/wp-content/uploads/2023/10/IDPro_BoK_Badges_R5__Active_BoK_Reviewer.png" alt="" class="wp-image-2391" srcset="https://idpro.org/wp-content/uploads/2023/10/IDPro_BoK_Badges_R5__Active_BoK_Reviewer.png 600w, https://idpro.org/wp-content/uploads/2023/10/IDPro_BoK_Badges_R5__Active_BoK_Reviewer-300x300.png 300w, https://idpro.org/wp-content/uploads/2023/10/IDPro_BoK_Badges_R5__Active_BoK_Reviewer-150x150.png 150w, https://idpro.org/wp-content/uploads/2023/10/IDPro_BoK_Badges_R5__Active_BoK_Reviewer-320x320.png 320w" sizes="auto, (max-width: 600px) 100vw, 600px" /></figure>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="600" height="600" data-id="1984" src="https://idpro.org/wp-content/uploads/2022/10/BoK-Committee-Badge.png" alt="" class="wp-image-1984" srcset="https://idpro.org/wp-content/uploads/2022/10/BoK-Committee-Badge.png 600w, https://idpro.org/wp-content/uploads/2022/10/BoK-Committee-Badge-300x300.png 300w, https://idpro.org/wp-content/uploads/2022/10/BoK-Committee-Badge-150x150.png 150w, https://idpro.org/wp-content/uploads/2022/10/BoK-Committee-Badge-320x320.png 320w" sizes="auto, (max-width: 600px) 100vw, 600px" /></figure>
</figure>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Strolling Through RSAC 2022</title>
		<link>https://idpro.org/strolling-through-rsac-2022/</link>
		
		<dc:creator><![CDATA[VTM Web Services]]></dc:creator>
		<pubDate>Fri, 17 Jun 2022 07:46:00 +0000</pubDate>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[conferences]]></category>
		<guid isPermaLink="false">https://idpro.org/?p=1669</guid>

					<description><![CDATA[<p>By Vittorio Bertocci After having attended in person one Identiverse, two EICs, one AuthenticateCon, one IETF, one OSW and one [&#8230;]</p>
<p>The post <a href="https://idpro.org/strolling-through-rsac-2022/">Strolling Through RSAC 2022</a> appeared first on <a href="https://idpro.org">IDPro</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>By Vittorio Bertocci</p>



<p>After having attended in person one Identiverse, two EICs, one AuthenticateCon, one IETF, one OSW and one IIW, I thought I definitely left behind the woes of the Lockdown Winter that forced our favorite events to take place in the netherspace that is Zoom or proprietary eponym equivalents. Boy, was I wrong. None of those events prepared me for a conference that takes over entire blocks, where the expo alone is large enough (700+ exhibitors!) to have its own weather system, if not its own zip code. Above all, I wasn’t prepared for an event where you no longer have direct line of sight with your tribe, and the majority of the badge-clad people are perfect strangers.</p>



<p>The very distrustful conference site (it asked for my username/password every couple of hours; is this what continuous authentication means?) offered a <a href="https://www.rsaconference.com/usa/agenda/full-agenda">staggering 612 sessions</a>. One first-time attendee asked me &#8211; “how do you choose what to attend at RSA?”. My answer: use the search feature to tease out what’s relevant to your interests. That is also what I have done: as a result, expect this report to be a very partial &amp; personal account of the event. If you want to broaden your perspective, you can chat to other IDPros who were there; you’ll find them on #RSAConference in our IDPro Slack.</p>



<h3 class="wp-block-heading">Content highlights</h3>



<p>Despite all the rhetoric about identity being the new perimeter and other platitudes, and <a href="https://twitter.com/vibronet/status/1533944817129951232">some shoutouts to OIDC and FIDO from the keynote</a>, RSAC 2022 had very little content on our favorite topic. The Identity track had 44 sessions, 13 of them being vendor sponsored and 7 being duplicates (overflow rooms).</p>



<p>While zero trust was still one of the dominating buzzwords, I was surprised to see that a search for “blockchain” only returned 5 sessions, “web3” exactly zero, and “decentralized” only one track session, from IDPro’s very own <a href="https://twitter.com/gffletch">George Fletcher</a>.</p>



<p><a href="https://www.rsaconference.com/usa/agenda/session/Managing%20De-Centralized%20Identities%20A%20Relying%20Party%20Perspective">George’s session, “Managing De-Centralized Identities: A Relying Party Perspective”</a>, was one of the highlights of the conference for me. The first time I saw George present on this topic was at an IIW in 2019. In a nutshell, the session takes tools and principles of Self-Sovereign Identity (SSI)/decentralized identity and tries to apply them when developing a realistic relying party. In so doing, he uncovers discrepancies, opportunities and impedance mismatch that are both a powerful tool to understand SSI’s value proposition and an honest litmus test to assess the maturity level of those new technologies. TL;DR: things did improve since that first 2019 session, but much still needs to be figured out for those technologies to be viable in real world use.</p>



<p>After the session, a bunch of <a href="https://twitter.com/gffletch/status/1534698986228961280">IDPros and identirati congregated right outside</a>, engaging in an incredibly satisfying 30 minute long discussion on VCs, passkeys and their potential impact on society. Those 30 minutes alone were worth the trip, what a JOY to be among one’s people!</p>



<p>Passkeys were the centerpiece of the other awesome event-in-the-event I had the chance to attend, the <a href="https://www.rsaconference.com/usa/agenda/session/FIDO%20Alliance%20Passwordless%20Future%20Is%20Here%20Isnt%20It%20Seminar">half-day FIDO Alliance seminar</a> on &#8211; surprise surprise &#8211; passwordless and passkeys in particular. The Apple WWDC announcements about passkeys created a huge interest around the topic, and the seminar was the perfect opportunity to demystify the technology and get a glimpse of the enormous potential it has to finally deliver a substantial blow to passwords in consumer authentication. Our very own IDPro member <a href="https://twitter.com/timcappalli">Tim Cappalli</a> delivered key parts of the event, from the <a href="https://twitter.com/vibronet/status/1534289513815543808">very first live cross device/vendor passkey demo</a> to a <a href="https://twitter.com/vibronet/status/1534300647230648320">very lively panel</a>.</p>



<p>Remaining in IDPro territory, mighty board member and <a href="https://www.amazon.com/Implementing-Identity-Management-AWS-environments/dp/1800562284/">acclaimed book author</a> <a href="https://twitter.com/jonlehtinen">Jon Lehtinen</a> presented a session on “<a href="https://www.rsaconference.com/usa/agenda/session/Demystifying%20the%20Identity%20Capabilities%20of%20AWS%20for%20Enterprise%20Practitioners">Demystifying the Identity Capabilities of AWS for Enterprise Practitioners</a>” &#8211; no one will be surprised to learn that it was well received.</p>



<p>Just because it’s RSA, and the RSA experience needs some “pure security” to be complete, I decided to attend “<a href="https://www.rsaconference.com/usa/agenda/session/Bypassing%20Windows%20Hello%20for%20Business%20and%20Pleasure">Bypassing Windows Hello for Business and Pleasure</a>” &#8211; and I wasn’t disappointed. The lengths to which the researcher had to go in order to defeat Windows Hello were substantial, and he presented his journey with flair and competence. If you have access to the on-demand content, I would recommend this session.</p>



<h3 class="wp-block-heading">In Summary</h3>



<p>Is RSA still worth the very hefty admission price? From the content perspective, I am honestly not sure. I got lucky with George and passkeys, but the dearth of identity content is concerning, though I suspect part of the fault falls on ourselves &#8211; I personally had some submission fatigue and didn’t propose anything. Perhaps we should resolve to submit in bigger numbers and see whether we move the needle. From the experience perspective… I’d say it’s a resounding YES. True, we identirati have other opportunities to see each other, but with its sheer size, parties (<a href="https://twitter.com/vibronet/status/1536463513077440512?s=20&amp;t=G91ktcFBKIzPd6kgAuG4IQ">rrrisky</a>) and general vibe, RSA remains an important milestone in the conference calendar, and I am glad it’s back!</p>



<figure class="wp-block-image size-full is-resized"><img loading="lazy" decoding="async" src="https://idpro.org/wp-content/uploads/2022/06/Vittorio-Bertocci-Picture.png" alt="" class="wp-image-1679" width="829" height="302" srcset="https://idpro.org/wp-content/uploads/2022/06/Vittorio-Bertocci-Picture.png 789w, https://idpro.org/wp-content/uploads/2022/06/Vittorio-Bertocci-Picture-300x109.png 300w, https://idpro.org/wp-content/uploads/2022/06/Vittorio-Bertocci-Picture-768x279.png 768w" sizes="auto, (max-width: 829px) 100vw, 829px" /></figure>



<p><strong>About the Author</strong></p>



<p>Vittorio Bertocci is a Principal Architect for Auth0|OKTA. A veteran of the identity industry, in his 20 year career Vittorio helped create, shape and steer key identity products, technologies, and practices. Vittorio is currently serving on the OpenID Foundation board of directors, and is the host of the <a href="https://identityunlocked.auth0.com/public/49/Identity%2C-Unlocked.--bed7fada"><em>Identity, Unlocked</em></a> podcast. An active member of the identity community, Vittorio is a well-known speaker, educator, and published author.</p>



<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="820" height="221" src="https://idpro.org/wp-content/uploads/2022/06/Vittorio-Badges.png" alt="" class="wp-image-1681" srcset="https://idpro.org/wp-content/uploads/2022/06/Vittorio-Badges.png 820w, https://idpro.org/wp-content/uploads/2022/06/Vittorio-Badges-300x81.png 300w, https://idpro.org/wp-content/uploads/2022/06/Vittorio-Badges-768x207.png 768w" sizes="auto, (max-width: 820px) 100vw, 820px" /></figure>



]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Celebrating Identity Management Day 2022 with Nine IAM Best Practices from IDPro® Members</title>
		<link>https://idpro.org/celebrating-identity-management-day-2022-with-nine-iam-best-practices-from-idpro-members/</link>
		
		<dc:creator><![CDATA[VTM Web Services]]></dc:creator>
		<pubDate>Tue, 12 Apr 2022 16:51:59 +0000</pubDate>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[conferences]]></category>
		<category><![CDATA[digital identity]]></category>
		<category><![CDATA[iam]]></category>
		<category><![CDATA[identity management]]></category>
		<category><![CDATA[idpro]]></category>
		<category><![CDATA[professional development]]></category>
		<guid isPermaLink="false">https://idpro.org/?p=1601</guid>

					<description><![CDATA[<p>Welcome to Identity Management Day 2022! Identity management is the term that describes how organizations maintain effective security to prevent [&#8230;]</p>
<p>The post <a href="https://idpro.org/celebrating-identity-management-day-2022-with-nine-iam-best-practices-from-idpro-members/">Celebrating Identity Management Day 2022 with Nine IAM Best Practices from IDPro® Members</a> appeared first on <a href="https://idpro.org">IDPro</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>Welcome to <a href="https://www.idsalliance.org/identity-management-day-2022-overview-2/">Identity Management Day 2022</a>!</p>



<p>Identity management is the term that describes how organizations maintain effective security to prevent unauthorized users from obtaining access to secure systems. Good identity management keeps systems and people secure, enhances privacy, and enables efficient digital experiences for both businesses and individuals.</p>



<p>Identity Management Day was first hosted on April 12, 2021 by the Identity Defined Security Alliance and the National Cybersecurity Alliance to spread awareness about the importance of proper identity management and the dangers of improperly managing digital identities.&nbsp;</p>



<p>We asked our members to share their best IAM practices for protecting digital identity. Learn from the best by following these 9 tips:</p>



<ol class="wp-block-list">
<li>Only collect the data you absolutely <em>need</em> to provide your product or service. The more data you have, the more attractive you become to attackers, and the more risk you take on.</li>
<li>Bad data quality will kill every IAM approach. For example: people suddenly without managers, missing required data or having it disappear from a source overnight. Plan to keep the bad data out and, when it creeps in (because it will), make sure you have tested the unhappy path before you accidentally fire the CEO.</li>
<li>Follow the ‘principle of least privilege.’ Meaning, don&#8217;t assign too many privileges to those who don&#8217;t need them; instead only assign what is needed to do their jobs.</li>
<li>Prune and clean your account list and remove your “leavers”. It should be a no-brainer, but is actually an often-neglected control measure.</li>
<li>Any MFA (Multi-Factor Authentication) is better than no MFA (see #6).</li>
<li>If you’re using MFA, use Adaptive MFA. Don’t carpet-bomb every transaction with laborious authentication requirements, because other parts of your business could suffer (e.g., signup funnels). Have clear policies on when you require stronger authentication and only present those prompts when necessary.</li>
<li>Encrypt personally identifiable information (PII) and personal data (PD) at rest and in transit. Things like emails and phone numbers should never be stored or sent in cleartext.</li>
<li>Block the use of known breached passwords / credentials.</li>
<li>Adopt SSO (Single Sign-on) as a default practice. Friends don’t let friends connect things directly to LDAP for sign-on or local user ID/password pairs — they adopt SSO. You don’t know who wrote and tested a given application, much less what code it actually contains or what its patching practices are. Applications do NOT need to handle clear text user ID and password pairs. Local accounts pose the risk of ghosting credentials, jeopardizing them, or handling them without the same duty of care needed for good security hygiene. SSO is vastly more helpful than trying to remember all the touch points on local credentials when revoking them.</li>
</ol>



<p>Now it’s YOUR turn to participate!&nbsp;</p>



<p>Identity practitioners are encouraged to share their best security practices during the <a href="https://www.idsalliance.org/identity-management-day-virtual-conference-2022/">2022 Identity Management Day Virtual Conference</a>, inspiring others to employ effective strategies for securing their digital identities and helping leadership understand the importance of a strong identity management team. <br>Want to learn more? Check out this 2022 RSAConference presentation by IDPro members &#8211; Vittorio Bertocci and Sarah Cecchetti &#8211; <a href="https://www.rsaconference.com/library/Presentation/USA/2021/securing-direct-to-consumer-identity-strategy"><em>Securing Your Direct to Consumer Identity Strategy</em></a>.</p>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
