OIDC-PRINCE
The OIDC PRINCE project aims to enhance the privacy support in user consents used in OpenID Connect authentication and authorization processes.
Today, consent to access claims about the end-user and authentication events (e.g., gender, birthdate, phone number) may carry privacy issues. Users need to be informed about the potential risk of granting access to their personal information to services/entities that may not be trusted by the user or by the OpenID Provider, which is responsible for managing authentication and authorization.
OIDC PRINCE introduces proofs of privacy-regulation compliance (e.g., GDPR compliance) into the OIDC discovery and registration processes, expressed with the Data Privacy Vocabulary (DPV) specification, which can be certified by entities external to the OIDC authentication process. These proofs can be stored securely in an EVM-compliant blockchain.
OIDC PRINCE also enables a privacy analysis that assesses the risk of a service accessing the end-user's private information. This analysis, performed by fuzzy logic models, considers the claims to which access is being requested and the profile of the service requesting access, for instance whether it is a service associated with acquisitions or a service for education and learning.
OIDC PRINCE contributes to enhancing privacy support in OpenID Connect by enabling informed consents and by minimizing data sharing with entities that are not trusted, or that provide no evidence of being trustworthy in terms of privacy management.
- Motivation for the project: To enhance the privacy support in user consents used in OpenID Connect authentication and authorization processes. Today, consent to access claims about the end-user and authentication events (e.g., gender, birthdate, phone number) may carry privacy issues. Users need to be informed about the potential risk of granting access to their personal information to services/entities that may not be trusted by the user or by the OpenID Provider, which is responsible for managing authentication and authorization.
- Generic use case description: OIDC-PRINCE functionalities are validated in two distinct use cases. One is an education use case, where students authenticate in a learning platform using SSO solutions. The other is an acquisitions platform where users also authenticate using SSO solutions. The two use cases differ in terms of privacy: for instance, in the education use case, information such as the home address is not required for the login process.
- Essential functionalities: OIDC-PRINCE aims to provide the following functionalities:
  1. Allow authentication and authorization in Single Sign-On processes to use services' proofs of GDPR compliance.
  2. Informed end-user consents regarding privacy risks and trustworthiness information. A privacy risk analysis makes it possible to objectively determine the risk of sharing private information.
  3. Trust in relevant operations such as authentication and authorization, enabled in standard solutions like OpenID Connect, which is widely used today to provide SSO.
- How these functionalities can be integrated within the software ecosystem: The functionalities leverage Verifiable Credentials (Decentralized Identifiers) with Data Privacy Vocabulary (DPV) extensions. OpenID Connect is also enhanced to support policies regarding data-privacy-related risks.
- Gap being addressed: The major gap being addressed is that users are not aware of the privacy risks that can be associated with consents. In addition, services using the information included in consents (claims) need to provide proofs of their GDPR compliance.
- Expected benefits achieved with the novel technology building blocks: The expected outcomes are a more trustworthy ecosystem, with users being aware of the privacy risks and services using verifiable proofs of compliance with data privacy regulations.
- Potential demonstration scenario: Mainly related to the use cases that will validate the technical solution of OIDC-PRINCE.
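As an added illustration (not OIDC-PRINCE project code) of the kind of consent risk analysis described above: a small fuzzy-style scorer that combines the sensitivity of each requested OIDC claim with how unnecessary that claim is for the requesting service's profile (education vs acquisitions), and raises the risk floor when the service presents no verified compliance proof. All sensitivity and necessity values, the two service profiles and the thresholds are constructed assumptions, not the project's own fuzzy logic models.

```python
"""Fuzzy-style privacy-risk scoring for an OIDC consent request.

Added illustration, not OIDC-PRINCE code. Sensitivity and necessity values,
service profiles and thresholds below are constructed assumptions.
"""

# Constructed sensitivity of standard OIDC claims, as memberships in [0, 1].
CLAIM_SENSITIVITY = {
    "name": 0.3, "email": 0.4, "gender": 0.6,
    "birthdate": 0.7, "phone_number": 0.8, "address": 0.9,
}

# Constructed "necessity" per service profile: how much a service of that kind
# plausibly needs the claim for its purpose (absent claim = not needed at all).
SERVICE_NECESSITY = {
    "education": {"name": 1.0, "email": 1.0, "birthdate": 0.5},
    "acquisitions": {"name": 1.0, "email": 1.0, "phone_number": 0.8, "address": 1.0},
}


def claim_risk(claim: str, profile: str) -> float:
    """Risk of one claim = fuzzy AND (min) of 'sensitive' and 'unnecessary'."""
    sensitive = CLAIM_SENSITIVITY.get(claim, 0.5)  # unknown claim: medium sensitivity
    unnecessary = 1.0 - SERVICE_NECESSITY.get(profile, {}).get(claim, 0.0)
    return min(sensitive, unnecessary)


def assess_consent(requested_claims, profile, compliance_proof_verified):
    """Return (risk, label, flagged) for an informed-consent screen.

    risk is the fuzzy OR (max) over per-claim risks; label is the defuzzified
    band; flagged lists the claims the end-user should be warned about.
    """
    per_claim = {c: claim_risk(c, profile) for c in requested_claims}
    risk = max(per_claim.values(), default=0.0)
    # Constructed rule: a service with no verified compliance proof has shown no
    # evidence of trustworthy privacy management, so the risk floor is raised.
    if not compliance_proof_verified:
        risk = max(risk, 0.6)
    label = "high" if risk >= 0.7 else "medium" if risk >= 0.4 else "low"
    flagged = sorted(c for c, r in per_claim.items() if r >= 0.5)
    return round(risk, 2), label, flagged


if __name__ == "__main__":
    request = ["name", "email", "address"]  # constructed consent request
    for profile in ("education", "acquisitions"):
        print(profile, assess_consent(request, profile, compliance_proof_verified=True))
```

The same request is rated high-risk for the education profile (home address is not needed there) and low-risk for the acquisitions profile, matching the distinction the use cases above draw.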
Team
- Bruno Sousa: Assistant professor at the University of Coimbra.
- Tiago Galvão: Researcher at the CISUC.
- Bernardo Arzileiro: Master student enrolled in the Master in Engineering Informatics at the University of Coimbra.
- Paulo Silva: Master student enrolled in the Master in Informatics Security at the University of Coimbra.
Entities
- University of Coimbra: The University of Coimbra (UC) is a public higher education institution founded in 1290. Website: https://www.uc.pt/