Bringing Semantics to Authentication: An OpenID Connect Extension

  • Brendon Vicente R. Silva UFSC
  • Frederico Schardong IFRS
  • Ricardo F. Custódio UFSC

Abstract

OpenID Connect (OIDC) is a widely adopted authentication protocol, yet it offers limited expressiveness when conveying details about how a user was authenticated. The Authentication Methods References (amr) claim used for this purpose lacks structure and semantic clarity, hindering scenarios that require higher assurance. This paper proposes an extension to OIDC that introduces the amr details claim — a structured, interoperable mechanism for describing authentication factors along with relevant metadata, such as assurance levels and trust frameworks. By enhancing the protocol’s expressiveness without compromising compatibility, the extension enables granular access control, thereby contributing to increased trust in distributed identity systems.
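To make the gap the abstract describes concrete, here is an added example (not code from the paper) of a relying party deciding access from an ID token claim set. With only the flat `amr` list (method labels as registered in RFC 8176) it can see which methods were used but not at what assurance level or under which trust framework, so a high-assurance resource has to fail closed; with a structured claim carrying that metadata it can apply a granular policy. The claim name `amr_details`, its JSON layout, the NIST SP 800-63 style AAL numbering and the sample tokens are all assumptions of this example, not the paper's specification.

```python
# Added example, not the paper's code: a relying party that decides access from a
# structured authentication-details claim, falling back to the flat "amr" list.
# The claim name "amr_details", its JSON layout, the AAL numbering (NIST SP 800-63
# style, levels 1..3) and the sample tokens are this example's own assumptions.
import json
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Method labels registered for "amr" in RFC 8176, grouped by factor category.
KNOWLEDGE = {"pwd", "pin", "kba"}
POSSESSION = {"hwk", "swk", "otp", "sc", "sms"}
INHERENCE = {"face", "fpt", "iris", "vbm", "retina"}

def category(method: str) -> str:
    """Map an amr method label to its factor category ('unknown' if unregistered here)."""
    for name, members in (("knowledge", KNOWLEDGE), ("possession", POSSESSION), ("inherence", INHERENCE)):
        if method in members:
            return name
    return "unknown"

@dataclass
class AuthnDetails:
    methods: List[str]
    aal: Optional[int]        # assurance level, None when the provider did not state one
    framework: Optional[str]  # trust framework the level refers to

def from_flat_amr(claims: dict) -> AuthnDetails:
    """Interpret a plain 'amr' claim: method labels only, no assurance metadata."""
    amr = claims.get("amr", [])
    if not isinstance(amr, list) or not all(isinstance(m, str) for m in amr):
        raise ValueError("amr must be a JSON array of strings")
    return AuthnDetails(methods=list(amr), aal=None, framework=None)

def from_structured(claims: dict) -> AuthnDetails:
    """Interpret the assumed structured claim; reject malformed input instead of guessing."""
    details = claims.get("amr_details")
    if not isinstance(details, dict):
        raise ValueError("amr_details missing or not an object")
    factors = details.get("factors")
    if not isinstance(factors, list) or not factors:
        raise ValueError("amr_details.factors must be a non-empty array")
    methods = []
    for f in factors:
        if not isinstance(f, dict) or not isinstance(f.get("method"), str):
            raise ValueError("each factor needs a string 'method'")
        methods.append(f["method"])
    assurance = details.get("assurance", {})
    if not isinstance(assurance, dict):
        raise ValueError("amr_details.assurance must be an object")
    aal = assurance.get("aal")
    if aal is not None and (isinstance(aal, bool) or not isinstance(aal, int) or not 1 <= aal <= 3):
        raise ValueError("assurance.aal must be an integer 1..3")
    return AuthnDetails(methods=methods, aal=aal, framework=assurance.get("framework"))

def details_from_token(claims: dict) -> AuthnDetails:
    """Prefer the structured claim; keep working with providers that only send 'amr'."""
    if "amr_details" in claims:
        return from_structured(claims)
    return from_flat_amr(claims)

def authorize(claims: dict, required_aal: int, accepted_frameworks: Set[str]) -> Tuple[bool, str]:
    """Return (allowed, reason); fails closed when the token cannot prove the required level."""
    d = details_from_token(claims)
    if d.aal is None:
        # A flat amr names methods but conveys no level: usable only for low-assurance access.
        if required_aal <= 1 and d.methods:
            return True, "legacy amr accepted for low assurance only"
        return False, "no assurance level conveyed"
    if d.framework not in accepted_frameworks:
        return False, f"unrecognised trust framework {d.framework!r}"
    if d.aal < required_aal:
        return False, f"AAL {d.aal} below required {required_aal}"
    distinct = {category(m) for m in d.methods} - {"unknown"}
    if required_aal >= 2 and len(distinct) < 2:
        return False, "AAL>=2 requires factors from two different categories"
    return True, "ok"

# Constructed sample claim sets (ID token payloads after signature verification).
LEGACY_TOKEN = json.loads('{"sub": "alice", "amr": ["pwd", "otp", "mfa"]}')
STRUCTURED_TOKEN = json.loads("""
{"sub": "alice",
 "amr": ["pwd", "hwk", "mfa"],
 "amr_details": {
   "factors": [{"method": "pwd"}, {"method": "hwk", "attestation": "hardware-bound key"}],
   "assurance": {"framework": "nist-800-63", "aal": 2}}}
""")
ACCEPTED_FRAMEWORKS = {"nist-800-63"}

if __name__ == "__main__":
    for name, token in (("legacy", LEGACY_TOKEN), ("structured", STRUCTURED_TOKEN)):
        print(name, authorize(token, required_aal=2, accepted_frameworks=ACCEPTED_FRAMEWORKS))
```

The point of the `d.aal is None` branch is that the flat claim forces a coarse decision: the relying party either trusts every provider's idea of "mfa" or denies everything above the lowest tier. With the structured metadata the same policy can distinguish level, framework and factor diversity per request while the unchanged `amr` value keeps older clients working.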

Published
01/09/2025
SILVA, Brendon Vicente R.; SCHARDONG, Frederico; CUSTÓDIO, Ricardo F. Bringing Semantics to Authentication: An OpenID Connect Extension. In: WORKSHOP DE GESTÃO DE IDENTIDADES DIGITAIS - SIMPÓSIO BRASILEIRO DE CIBERSEGURANÇA (SBSEG), 25., 2025, Foz do Iguaçu/PR. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2025. p. 111-114. DOI: https://doi.org/10.5753/sbseg_estendido.2025.12430.
