Lately I got involved in discussions that had “OAuth and Step-Up Authentication” as its topic. The question always was about how to tie OAuth access_token and other credentials together.
The idea of Step-Up Authentication is that an API can only be consumed if a credential with a higher (or different) assurance level is available. For example, a transaction API may require an access_token for general use. In addition, because that access_token is used with parameters that indicate a high risk transaction, the API wants to assure that the current resource_owner is still the one associated with the access_token. For that, it requires an OTP as an additional input parameter.
After considerable debate we discovered that it comes down to this:
- Step-Up Authentication is a hierarchical order of credentials. It may be a list of individual credentials or credentials derived from each other
Looking at it that way may simplify things. Instead of finding of a way on how to tie credentials together it may be sufficient to simply require multiple ones of different types.
Imagine something like this:
- the transaction API will handle two cases: lower assurance level required, higher assurance level required. This decision on what is required can be based on incoming parameter values or in conjunction with systems like CA Advanced Auth
- the transaction API will process credentials in an hierarchical order, from low to high
- it first requires and validates an access_token. This is the minimum requirement to get access to this API and reflects the lower assurance level in this scenario
- for the higher assurance level the API requires an additional OTP
This is a simplified view but it shows the logic that could be used.
In order to make this work, it is certainly required that the API is well documented. Documentation also needs to explain how to retrieve a valid access_token and/ or an OTP and in which case they have to be provided.