]> Attestation in OpenID-Connect Intel Corporation
United States of America ned.smith@intel.com
Massachusetts Institute of Technology
United States of America hardjono@mit.edu
Security Remote ATtestation ProcedureS attestation This document defines message flows and extensions to OpenID-Connect (OIDC) messages that support attestation. Attestation Evidence and Attestation Results is accessed via appropriate APIs that presumably require authorization using OAuth 2.0 access tokens. A common use case for OIDC is retrieval of user identity information authorized by an OIDC identity token. The Relying Party may require Attestation Results that describes the trust properties of the UserInfo Endpoint. Trust properties may be a condition of accepting the user identity information. About This Document The latest revision of this draft can be found at . Status information for this document may be found at . Discussion of this document takes place on the Remote ATtestation ProcedureS Working Group mailing list (), which is archived at . Subscribe at . Source for this draft and an issue tracker can be found at .
Introduction This document defines attestation conceptual message flows that extend OpenID-Connect (OIDC) messages, see . Attestation Evidence and Attestation Results are RATS conceptual messages, see and , that are obtained via appropriate APIs conditional on OAuth 2.0 access tokens . A common use case for OIDC is retrieval of user identity information authorized by an OIDC identity token. The Relying Party may require Attestation Results regarding the UserInfo Endpoint as a condition of accepting the user identity information.
Conventions and Definitions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.
Terminology This specification uses role names as defined by Remote ATtestation procedureS (RATS), and OpenID Connect (OIDC), . If role names conflict, (e.g., Relying Party), then the RATS role is qualified by prepending ‘RATS’ or ‘R’. For example, the RATS Relying Party is disambiguated as ‘RRP’. A summary of roles used in this specification is provided here for convenience. RATS roles are as follows:
  • Attester (RA) - an endpoint that produces attestation Evidence.
  • Reference Value Provider (RVP) - an endpoint that produces Reference Values used to appraise Evidence.
  • Endorser (RE) - an endpoint that produces Endorsements used to assess the trustworthiness of the Attester's attestation capability.
  • Verifier (RV) - an endpoint that consumes Evidence, Endorsements and Reference Values and produces Attestation Results.
  • Relying Party (RRP) - an endpoint that consumes Attestation Results and applies them to an application or usage context.
OIDC roles are as follows:
  • OpenID Provider (OP) - an endpoint that authenticates an End User, obtains authorization, and responds with an ID Token and (usually) an Access Token. (a.k.a., an OAuth 2.0 Authorization Server, ).
  • Relying Party (RP) / Client - an endpoint that sends a request to an OpenID Provider.
  • UserInfo Endpoint (UE) - an endpoint that receives an Access Token and sends Claims about an End User, also known as the User Agent (UA).
  • End User (EU) - a human participant.
OAuth 2.0 roles are as follows:
  • Resource Server (RS) - a service that controls a resource.
OIDC Sequence with Attestation OpenID-Connect (OIDC) defines user authentication protocol and messages based on OAuth 2.0 authorization protocol and messages. This section shows an example OIDC protocol sequence with extensions for attestation Evidence and Attestation Results (AR) exchanges. The protocol is divided into two phases. A setup phase and an operational phase. The setup phase models protocol initialization steps that are anticipated but often ignored. An understanding of the initialization steps may be helpful when determining how various steps in the operational phase are authorized.
Protocol Endpoints The example protocol message exchange involves four main endpoints:
  1. Device - a RATS Attester that consists of two sub entities:
  • A UserInfo Endpoint (UE) (e.g., browser) that supplies user information for OIDC authentication, and
  • A lead Attesting Environment, that collects device attestation Evidence. When using RATS terminology, the device may be referred to as the RATS Attester (RA). The RA is technically an OAuth 2.0 Resource Server (RS) that performs attestation Evidence collection. The Attester device may consist of multiple components that typically include a root of trust, boot code, system software and the browser. The lead Attesting Environment typically seeks to collect Evidence that describes all the components, from the root of trust to the browser, that may influence browser behavior.
  1. End User (EU/"Alice") - a native application that can engage the human user directly. This document may refer to the End User by name, namely: "Alice".
  2. Relying Party (RP) - an endpoint that seeks UserInfo used to replay user authentication responses for OIDC exchanges, but also wants Attestation Results that describe the trustworthiness of the UE device. The RP is synonymous with the RATS Relying Party (RRP).
  3. OpenID Provider (OP) - an Authorization Server (AS) that implements OIDC.
  4. Verifier (RV) - a RATS attestation Verifier that processes device Evidence. If the Verifier is combined with the OP, the Verifier is synonymous with OP.
Setup Phase The setup phase creates the various identity (‘id-token’) and access (‘access-token’) credentials that are used during the operational phase to authorize the exchange of the various OIDC protocol messages.
Identity Token Creation In this example, there is a single end user, “Alice”, that creates an identity token ‘id-token’. The Native App signals the UE when it is appropriate to create the id-token. For example, the 'id-token' contains: { "sub": "A21CE", "name": "Alice" }.
Attestation Access Token Creation The RA exposes an attestation API that invokes the attestation capabilities of the Attester device. An access token, ‘access-token-attest’, is needed to authorize use of the attestation API.
UserInfo Access Token Creation The UE exposes a UserInfo API that invokes the user information capabilities of the User Agent. An access token, ‘access-token-uinfo’, is needed to authorize use of the UserInfo API.
Evidence Appraisal Access Token Creation The RV exposes an API for appraising Evidence. An access token, ‘access-token-appraisal’, is needed to authorize use of the appraisal API.
Register Device The Attester device is registered with the RP client in anticipation of subsequent operational flows. The registration process is out of scope for this document.
Attestation Evidence Payload The RA produces an Evidence payload that is conveyed to the RV. Some OIDC messages are extended to carry Evidence.
Attestation Results Payload The RV produces an Attestation Results payload that is conveyed to the RP. Some OIDC messages are extended to carry Attestation Results.
Operational Phase The operational phase protocol builds on the abstract OIDC protocol in . The five OIDC steps are described here for convenience and attestation related steps are described as sub-steps.
AuthN Request The RP sends an AuthN request to the OP containing the RP’s identity ‘client-id’. Additionally, the RP includes an attestation scope, e.g., ‘scope=”device-attest”’ that instructs the OP to obtain an attestation from the UE device. The trigger for sending the AuthN request is out of scope for this document.
AuthN Request Flow RP (1) client-id, scope OP | OP | | | | | +---------+ +---------+ ]]>
AuthN Request Payload The following non-normative AuthN Request payload example identifies the OP server location, the RP client identity, and an attestation scope:
Forwarded AuthN Request The OP forwards the original AuthN request to the UE. The attestation scope instructs the UE to configure the device for attestation. For example, an internal interface between the UE and RA (a.k.a., Resource Server) might be used to configure a ‘client-id’ nonce that the RA Attesting Environment includes with attestation Evidence. The UE normally returns a payload containing the ‘client-id’, response type (i.e., resp-type = “code”), and the authentication result (i.e., authn-proof). However, a successful response is returned on condition of successful configuration of the attestation scope. The End User may consent to the disclosure of attestation Evidence using the 'prompt' parameter. An "attestation-consent" authorization string is supplied as one of the 'prompt' parameters. * *attestation-consent - The OP (a.k.a., Authorization Server) SHOULD prompt the End User for consent before returning information to the RP (a.k.a., Client). If it cannot obtain attestation consent, it MUST return an error, typically 'consent_required'.
Forwarded AuthN Request-Response Flow (1.1) client-id, scope OP UE (1.2) client-id, resp-type, authn-proof | | | OP | | UE | | |<-- (1.2) client-id, resp-type, ---+ | | | authn-proof | | +---------+ +---------+ ]]>
Forwarded AuthN Request and Response Payloads The forwarded AuthN Request is identical to AuthN Request. The forwarded AuthN Response payload example identifies the originating RP, scope, response type, and authentication proof: " } ]]>
User Authorization of AuthN, AuthZ, and Attest The OP authenticates the End User (e.g., “Alice”) and obtains authorization. Normally, authorization is limited to an authentication or authorization context as defined by the legacy OIDC protocol. But when attestation scope is used, the End User may wish to approve attestation. Attestation normally reveals Evidence details about the UE device. If those details contain privacy sensitive information, the End User may wish to opt-out of attestation. If the Authentication Request contains the 'prompt' parameter with the value 'attestation-consent', the OP MUST inform the End User that attestation Evidence is about to be disclosed to the RP (a.k.a., Client), and the End User MUST be given the option to withhold Evidence.
End User Authentication Flow OP (2) AuthN, AuthZ, Attest EU | EU | | | | | +---------+ +---------+ ]]>
End User Authorization Payload TODO add example
Attestation Request and Response If the End User doesn’t opt-out of attestation, the OP requests attestation Evidence from the RA (as a Resource Server). The OP sends the ‘access-token-attest’ and ‘id-token = “Alice”’ tokens to the RA. The RA collects Evidence according to the configured attestation scope. For example, if a ‘client-id’ specific nonce was configured, the nonce is included with Evidence. The Evidence is returned to the OP through the UE, which normally returns the ‘client-id’, ‘access-token’, and ‘id-token’.
Attestation Request-Response Flow (2.1) client-id, access-token OP id-token RA (2.2) client-id, access-token id-token, Evidence | | | OP | id-token | RA | | | | | | |<-- (2.2) client-id, access-token,-----+ | | | id-token, Evidence | | +---------+ +---------+ ]]>
Attestation Request and Response Payloads The Attestation Request and Response payload example contains an access_token that authorizes use of the attestation API of the RA and an id_token that identifies the End User. The response payload contains an Evidence value as described by a conceptual message wrapper . " ] ]]>
Appraisal Request and Response The OP requests appraisal of Evidence by sending the ‘access-token-appraisal’ token and Evidence to the RV. The token authorizes use of the appraisal API, which when appraisal completes, supplies Attestation Results. The verification response contains the Attestation Results and ‘access-token’, that the RV sends to the OP.
Appraisal Request-Response Flow (2.3) access-token, Evidence OP RV (2.4) access-token, Attestation Results | | | OP | | RV | | | | | | |<-- (2.4) access-token, Attestation----+ | | | Results | | +---------+ +---------+ ]]>
Appraisal Request and Response Payloads The Appraisal Request payload example contains an access_token that authorizes use of the appraisal API of the RV and the Evidence to be appraised. " ] ]]> The response payload contains an Attestation Results value as described by a conceptual message wrapper . " ] ]]>
AuthN Response The OP sends ‘client-id’, ‘id-token = “Alice”’, ‘access-token-uinfo’, and the Attestation Results to the RP. The RP processes the Attestation Results to determine if the UE device is trustworthy. Presumably, if the UE isn’t trustworthy, the protocol is terminated.
AuthN Response Flow OP (2) AuthN, AuthZ, Attest EU | EU | | | | | +---------+ +---------+ ]]>
AuthN Response Payload TODO add example
UserInfo Request and Response The UserInfo request is initiated by the RP, who sends ‘client-id’, ‘id-token = “Alice”’, and ‘access-token-uinfo’ to the UE to collect user identity information. The UserInfo response is initiated by the UE, who sends ‘client-id’, ‘id-token = “Alice”’, ‘access-token-uinfo’, and the UserInfo payload to the RP to process user claims and complete the OIDC protocol.
UserInfo Request-Response Flow (4) access-token, id-token RP client-id UE (5) access-token, id-token client-id, UserInfo | | | RP | client-id | UE | | | | | | |<-- (5) access-token, id-token,--------+ | | | client-id, UserInfo | | +---------+ +---------+ ]]>
UserInfo Request and Response Payloads TODO add example
Security Considerations TODO Security
IANA Considerations This document has no IANA actions.
References Normative References OpenID Connect Core 1.0 incorporating errata set 1 Key words for use in RFCs to Indicate Requirement Levels In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. Informative References Remote ATtestation procedureS (RATS) Architecture In network protocol exchanges, it is often useful for one end of a communication to know whether the other end is in an intended operating state. This document provides an architectural overview of the entities involved that make such tests possible through the process of generating, conveying, and evaluating evidentiary Claims. It provides a model that is neutral toward processor architectures, the content of Claims, and protocols. The OAuth 2.0 Authorization Framework The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf. This specification replaces and obsoletes the OAuth 1.0 protocol described in RFC 5849. [STANDARDS-TRACK] RATS Conceptual Messages Wrapper Fraunhofer SIT Intel arm This document defines two encapsulation formats for RATS conceptual messages (i.e., evidence, attestation results, endorsements and reference values.) The first format uses a CBOR or JSON array with two mandatory members, one for the type, another for the value, and a third optional member complementing the type field that says which kind of conceptual message(s) are carried in the value. The other format wraps the value in a CBOR byte string and prepends a CBOR tag to convey the type information.
Acknowledgments The authors would like to thank the following people for their input:
  • Jay Chetty - for review feedback.