The OpenID Foundation’s FAPI working group is pleased to announce the public review period has started for new Implementer’s Drafts of the FAPI 2.0 Security Profile and the FAPI 2.0 Attacker Model. These drafts coincide with the recently completed formal security analysis of the FAPI 2.0 specifications, the result of a first-of-its-kind collaboration between security researchers at the University of Stuttgart and the OpenID Foundation in the area of web protocols, work co-funded by the Australian government.
Why FAPI 2.0?
The FAPI 1.0 standards have been widely implemented and the working group has gained valuable insight from ecosystems, vendors and developers. The FAPI 2.0 suite of standards builds on this insight and wider learnings from the OAuth ecosystem including the latest OAuth Security Best Current Practice.
FAPI 2.0 aims to meet and exceed the security characteristics of FAPI 1.0 while reducing the overall complexity and the optionality in the core security profile. This will make FAPI 2.0 easier and more cost-effective to implement and will ensure interoperability across ecosystems. Add-on specs such as Grant Management, Message Signing and CIBA provide ecosystems with additional features where required. The attacker model of FAPI 2.0 makes the standard more amenable to formal security analysis and helps to delineate security boundaries, enabling implementers to better understand the security FAPI 2.0 provides.
Why a Formal Security Analysis?
The standardization process in the OpenID Foundation ensures a comprehensive review of standards under development by experts both at the OpenID Foundation and at external organizations. Nonetheless, complex attacks and subtle problems can evade scrutiny, and therefore additional safeguards are required to ensure that protocols are secure even under adverse conditions.
Formal methods allow for a rigorous and systematic in-depth analysis of standards and have proven to be a useful tool to ensure the security of protocols, famously demonstrated during the development of TLS 1.3. While the current methods for formal security analysis of web protocols require highly specialized knowledge, they are the best tool for uncovering vulnerabilities rooted in the logic of the protocols and can even discover previously unknown types of attacks. Conversely, formal proofs of security can exclude large classes of attacks. In OAuth 2.0, the main building block for OpenID Connect and FAPI, new attacks were found and fixed using formal analysis although its security had been studied extensively before, demonstrating the power of formal security analysis.
The OpenID Foundation’s FAPI 1.0 underwent formal security analysis by a team of researchers at the University of Stuttgart. This analysis uncovered several potential attack vectors that the FAPI working group was able to either mitigate or document.
With co-funding from the Australian Government and the OpenID Foundation, the FAPI working group was able to commission the formal analysis of FAPI 2.0 by the same team at the University of Stuttgart.
The analysis of FAPI 2.0 took place over the summer of 2022 and has now been published. This marks the first time that a detailed formal security analysis has directly accompanied the development of a new web authentication/authorization standard from the very beginning.
Results of the Security Analysis
The researchers at the University of Stuttgart, Institute of Information Security led by Prof. Ralf Küsters, Pedram Hosseyni, and Tim Würtele were able to prove the security properties of the FAPI 2.0 Security Profile (formerly known as FAPI 2.0 Baseline). This is a great result and should give implementers of FAPI 2.0 further confidence in the security benefits of implementing the specifications.
As part of the analysis, the FAPI working group worked with the research team to further refine the FAPI 2.0 Attacker Model and the FAPI 2.0 Security Profile.
There is a good summary of these changes in the formal security analysis.
Attacks and Mitigations
The security analysis uncovered a few potential attacks that are now dealt with in the FAPI 2.0 Security Profile.
Some of these attacks are rooted in the foundations of how the web works and are impossible to fully prevent with existing technology; they apply to all redirect-based authentication and authorization protocols. Since the attacks were already known from FAPI 1.0 and other protocols, it was expected that they would come up during the detailed analysis. Nonetheless, to provide adopters of FAPI 2.0 with all the information required to make the best security decisions, the attacks are now described in the security considerations section of the FAPI 2.0 Security Profile. Here are a few examples:
Cuckoo’s Token Attack (Injection of stolen access tokens)
This is a theoretical attack where an attacker has managed to steal a valid access token and has gained control of an authorization server trusted by both a client and the target resource server. This is a very high bar, but it is a theoretical possibility. FAPI 2.0 requires sender-constrained access tokens, which is a huge improvement over most OAuth 2.0 based deployments that are currently live. If tokens are not sender-constrained, this attack only requires a stolen access token and is much simpler. Essentially, the formal model has shown that even with sender-constrained access tokens there are some scenarios where a sender-constrained token could be used by an attacker, if the attacker is able to control an authorization server trusted by the client. In many FAPI ecosystems the preconditions for this attack are such that it is all but impossible. The FAPI 2.0 Security Profile details three possible mitigations for this attack, should an ecosystem decide it is necessary to defend against it.
Authorization Request Leaks that lead to CSRF
This is an attack where, via a CSRF vulnerability, an attacker can break session integrity and engineer a situation in which the honest user is tricked and led to believe they have accessed their own account, while in reality they have accessed an attacker’s account. In some circumstances this is dangerous; for example, a user could end up uploading sensitive data to the attacker’s account. All redirect-based flows are vulnerable to this type of attack, and the FAPI 2.0 Security Profile details three possible mitigations for it.
Again, the attack has unlikely preconditions: the attacker has to trick a user into following a link, and then be able to capture the authorization code issued to that user following successful authentication. The FAPI 2.0 Security Profile details possible mitigation strategies for this attack.
The FAPI working group is committed to helping international ecosystems deliver secure APIs. The FAPI 2.0 Security Profile is an important resource and we encourage implementers to consider adopting it.
The first-of-its-kind collaboration with researchers and the formal security analysis help to make sure FAPI 2.0 is highly secure and its properties well-understood and documented.
To ensure that implementations are secure and interoperable, the FAPI 2.0 specifications will soon have a comprehensive set of open source conformance tests and a low-cost, flexible certification program. The OpenID Foundation and FAPI WG strongly encourage all implementers of FAPI 2.0 to pursue certification to ensure their implementations and communities benefit fully from the security and interoperability inherent to the FAPI 2.0 protocols, and, whenever possible, to mandate ongoing conformance to ensure those benefits persist. The OpenID Foundation supports direct self-certification or will license third-party entities to perform certification, as a service to all entities that select FAPI for their Open Banking, Open Finance and Open Data implementations.
The FAPI working group is free to attend and membership in the Foundation is not required but encouraged. Working group contributors are required to accept the OpenID IPR Policy by signing a Contribution Agreement.