D4 - User access

Integration with IETF GNAP

Summary of work carried out

Direct user access to the device should not be allowed (privileged access in particular). Instead, in accordance with standards such as IEC 62443, we advocate that the device itself initiates connections to remote services when required (for instance to check for updates). Users interact with a secure cloud-based digital twin of the device, such as Azure Digital Twins, rather than with the device directly.

The important requirement is therefore that devices embed:

  • a mutual authentication protocol and an end-to-end encrypted channel, used to send data to the cloud automatically (see deliverable D3);

  • an indirect interaction with end users (e.g. for enrollment, updates, etc.), in which the device acts as the client of a protocol such as IETF GNAP.

A goal of GNAP is to enable human-centric authorization flows, which brings better privacy for patients and allows delegation between healthcare professionals. Another major improvement over existing protocols such as OAuth 2.0 is that GNAP can also work with identity wallets.

Unlike OAuth 2.0 (and SIOP in particular), GNAP treats the authorization server as a token factory that can be driven through many types of interaction, including communication with native devices that have no browser of their own.

Implemented use cases

All these prototypes are available as open-source projects.

Hospital IT/IoT use case

The remote update flow includes an authorization layer based on GNAP: the device requests the right to fetch and install an update, and a person approves that grant out of band.

BMS use case

We built a prototype that demonstrates flexible delegation of rights within an organisation, using Biscuit tokens (which are now integrated into GNAP). A Biscuit token can be attenuated offline by its holder: a delegate receives a token that carries every restriction of the original plus the new ones, without a round trip to the authorization server.

Deliverable

The IETF GNAP draft (of which I am co-editor). We published a prototype implementation of the IETF GNAP server in JavaScript, which is currently being rewritten in Rust, as well as a research article at the Open Identity Summit 2021. The final paper shall be published by LNI. A longer version is available at https://blog.fimbault.com/managing-authorization-grants-beyond-oauth-2.

As a result of that work, we recently started an initiative to standardize Biscuit tokens (IETF SECDISPATCH).
