Published: May 25, 2023
The following paper has been accepted at the 37th Annual IFIP WG 11.3 Conference on Data and Applications Security and Privacy (DBSec 2023):
- Title: Assurance, Consent and Access Control for Privacy-Aware OIDC Deployments
- Authors: Gianluca Sassetti, Amir Sharif, Giada Sciarretta, Roberto Carbone, Silvio Ranise
- Abstract: The large amount of personal data that is shared in the digital age has proportionally increased the risks of user privacy violations. The same privacy risks are reflected in OpenID Connect, which is one of the most widespread protocols used for identity management to access both private and public administration services. Since personal data is collected and shared via OpenID Connect, appropriate technologies to protect user privacy should be adopted as suggested by data protection guidelines and regulations (e.g., the General Data Protection Regulation). Unfortunately, it is difficult to make the privacy-enhancing technology suggestions in such documents actionable and available to IT professionals who are required to configure them within their OpenID Connect deployments. To overcome this problem, we present a practical approach to improving user privacy in OpenID Connect-based solutions by identifying a set of privacy-preserving features extracted from the available OpenID Connect specifications. We conduct a privacy compliance analysis on popular private and governmental OpenID Providers to determine how widely these privacy best practices are used in the wild. The findings indicate that different OpenID Providers grant varying levels of assurance and address different aspects of privacy, failing to provide full support for data protection principles.
- DOI: 10.1007/978-3-031-37586-6_13
About the conference
- Name: 37th Annual IFIP WG 11.3 Conference on Data and Applications Security and Privacy (DBSec 2023)
- Date: from July 19, 2022 to July 21, 2022
- Location: Sophia Antipolis, France
- Website: http://www.dbsec2023.unimol.it