Why can’t users choose their identity providers on the web?

Kevin Corre 1, 2 Olivier Barais 2 Gerson Sunyé 3 Vincent Frey 1 Jean-Michel Crom 1
2 DiverSe - Diversity-centric Software Engineering
Inria Rennes – Bretagne Atlantique , IRISA_D4 - LANGAGE ET GÉNIE LOGICIEL
3 AtlanModels - Modeling Technologies for Software Production, Operation, and Evolution
Inria Rennes – Bretagne Atlantique , LS2N - Laboratoire des Sciences du Numérique de Nantes
Abstract : Authentication delegation is a major function of the modern web. Identity Providers (IdP) acquired a central role by providing this function to other web services. By knowing which web services or web applications access its service, an IdP can violate the end-user privacy by discovering information that the user did not want to share with its IdP. For instance, WebRTC introduces a new field of usage as authentication delegation happens during the call session establishment, between two users. As a result, an IdP can easily discover that Bob has a meeting with Alice. A second issue that increases the privacy violation is the lack of choice for the end-user to select its own IdP. Indeed, on many web-applications, the end-user can only select between a subset of IdPs, in most cases Facebook or Google. In this paper, we analyze this phenomena, in particular why the end-user cannot easily select its preferred IdP, though there exists standards in this field such as OpenID Connect and OAuth 2? To lead this analysis, we conduct three investigations. The first one is a field survey on OAuth 2 and OpenID Connect scope usage by web sites to understand if scopes requested by web-sites could allow for user defined IdPs. The second one tries to understand whether the problem comes from the OAuth 2 protocol or its implementations by IdP. The last one tries to understand if trust relations between websites and IdP could prevent the end user to select its own IdP. Finally, we sketch possible architecture for web browser based identity management, and report on the implementation of a prototype.
Type de document :
Article dans une revue
Proceedings on Privacy Enhancing Technologies, De Gruyter Open, 2017, 2017 (3), pp.72-86. 〈10.1515/popets-2017-0029〉
Domaine :
Liste complète des métadonnées

Littérature citée [17 références]  Voir  Masquer  Télécharger

https://hal.archives-ouvertes.fr/hal-01611048
Contributeur : Kevin Corre <>
Soumis le : jeudi 5 octobre 2017 - 13:22:44
Dernière modification le : vendredi 13 octobre 2017 - 01:16:33

Fichier

main.pdf
Fichiers produits par l'(les) auteur(s)

Identifiants

Citation

Kevin Corre, Olivier Barais, Gerson Sunyé, Vincent Frey, Jean-Michel Crom. Why can’t users choose their identity providers on the web?. Proceedings on Privacy Enhancing Technologies, De Gruyter Open, 2017, 2017 (3), pp.72-86. 〈10.1515/popets-2017-0029〉. 〈hal-01611048〉

Partager

Métriques

Consultations de
la notice

67

Téléchargements du document

2