Paper 2023/296
OpenPubkey: Augmenting OpenID Connect with User held Signing Keys
Abstract
OpenPubkey makes a client-side modification to OpenID Connect so that an ID Token issued by an OpenID Provider commits to a user-held public key. This transforms an ID Token into a certificate that cryptographically binds an OpenID Connect identity to a public key. We call such an ID Token a PK Token. The user can then sign messages with their signing key, and these signatures can be authenticated and attributed to the user's OpenID Connect identity. This allows OpenPubkey to upgrade OpenID Connect from Bearer Authentication to Proof-of-Possession, eliminating trust assumptions in OpenID Connect and defeating entire categories of attacks present in OpenID Connect. OpenPubkey was designed to satisfy a decade-long need for this functionality. Prior to OpenPubkey, OpenID Connect did not have a secure way for users to sign statements under their OpenID identities. OpenPubkey is transparent to users and OpenID Providers. An OpenID Provider cannot even determine that OpenPubkey is being used. This makes OpenPubkey fully compatible with existing OpenID Providers. In fact, a variant of OpenPubkey is currently deployed and used to authenticate signed messages and identities for users with accounts on Google, Microsoft, Okta, and OneLogin. OpenPubkey does not add new trusted parties to OpenID Connect and reduces preexisting trust assumptions. If used in tandem with our MFA-cosigner, OpenPubkey can maintain security even against a malicious OpenID Provider (the most trusted party in OpenID Connect).
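The PK Token flow described in the abstract, as an added Go example that is not the OpenPubkey project's code: the client commits its public key into the ID Token's nonce claim, the OP signs the token without knowing the nonce is a commitment, and a verifier attributes a message signature to the OpenID subject only after checking the OP signature, the commitment, and the user signature. The nonce derivation (SHA-256 over the public key and a random value), the Ed25519-signed JSON stand-in for a JWS, and the issuer URL are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

type IDToken struct{ Payload, Signature []byte } // constructed stand-in for an OP-issued JWS

// commitment derives the nonce the client sends to the OP. Assumed scheme:
// SHA-256 over the user's public key upk and a fresh random value rz.
func commitment(upk ed25519.PublicKey, rz []byte) string {
	h := sha256.Sum256(append(append([]byte{}, upk...), rz...))
	return base64.RawURLEncoding.EncodeToString(h[:])
}

// issueIDToken simulates the OP: it signs the caller-supplied nonce as an
// opaque value, which is why no OP-side change is needed.
func issueIDToken(opPriv ed25519.PrivateKey, sub, nonce string) IDToken {
	payload, _ := json.Marshal(map[string]string{"iss": "https://op.example", "sub": sub, "nonce": nonce})
	return IDToken{Payload: payload, Signature: ed25519.Sign(opPriv, payload)}
}

// VerifyPKTokenSignature accepts msg only if the trusted OP signed tok, tok's
// nonce commits to upk, and sig was made with the key behind upk.
func VerifyPKTokenSignature(opPub ed25519.PublicKey, tok IDToken, upk ed25519.PublicKey, rz, msg, sig []byte) (string, bool) {
	if !ed25519.Verify(opPub, tok.Payload, tok.Signature) {
		return "", false // token not issued by the trusted OP
	}
	var claims struct{ Sub, Nonce string }
	if json.Unmarshal(tok.Payload, &claims) != nil || claims.Nonce != commitment(upk, rz) {
		return "", false // token does not commit to this public key
	}
	if !ed25519.Verify(upk, msg, sig) {
		return "", false // message not signed by the committed key
	}
	return claims.Sub, true // signature attributed to this OpenID identity
}

func main() {
	opPub, opPriv, _ := ed25519.GenerateKey(rand.Reader)
	upk, usk, _ := ed25519.GenerateKey(rand.Reader)
	rz := []byte("constructed random value")
	tok := issueIDToken(opPriv, "alice@example.com", commitment(upk, rz))
	msg := []byte("deploy release v1.2")
	sub, ok := VerifyPKTokenSignature(opPub, tok, upk, rz, msg, ed25519.Sign(usk, msg))
	fmt.Println(sub, ok)
}
```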
Note: Minor updates to authors, fixes links to open source project
Metadata
- Available format(s)
- Category
  - Cryptographic protocols
- Publication info
  - Preprint.
- Keywords
  - SSO, Authentication, Signatures, OpenID, Web, JSON
- Contact author(s)
  - ethan r heilman @ gmail com
  - lucie @ bastionzero com
  - thanos @ bastionzero com
  - goldbe @ bastionzero com
  - sebby @ bastionzero com
  - yuval @ bastionzero com
  - mbmilano @ bastionzero com
  - chad @ bastionzero com
- History
  - 2024-04-03: last of 4 revisions
  - 2023-02-27: received
- Short URL
  - https://ia.cr/2023/296
- License
  - CC BY
BibTeX
@misc{cryptoeprint:2023/296,
  author = {Ethan Heilman and Lucie Mugnier and Athanasios Filippidis and Sharon Goldberg and Sebastien Lipman and Yuval Marcus and Mike Milano and Sidhartha Premkumar and Chad Unrein and John Merfeld},
  title = {{OpenPubkey}: Augmenting {OpenID} Connect with User held Signing Keys},
  howpublished = {Cryptology {ePrint} Archive, Paper 2023/296},
  year = {2023},
  url = {https://eprint.iacr.org/2023/296}
}