Identity events and why we joined the ID-event effort

2016-08-20

Sourcing of user logins, logouts, token issue, revocation and other identity related events can be useful or even mandatory for an enterprise's audit, risk management and BI systems.

Support for event feeds has been on the Connect2id server roadmap since the beginning of 2016, and we spent time thinking about a common event format and interface for plugging various mechanisms for their delivery (message queues, etc). Events will also be a part of the upcoming Connect2id cloud service for OpenID Connect IdP, SSO and OAuth 2.0 access management.

We are really delighted that there is now an effort at the IETF to standardise identity events. The first milestone of that was the release of a draft spec for the Security Event Token (SET), which utilises the well known JWT format.

Sample SET for user "alice" logging in, detailing the authentication factors and strength, and the IP address of her browser:

{
  "jti"    : "3d0c3cf797584bd193bd0fb1bd4e7d30",
  "events" : [ "https://events.c2id.com/login" ],
  "iat"    : 1458496025,
  "iss"    : "https://c2id.com",
  "aud"    : [ "https://example.com/feeds/98d52461fa5bbc879593b7754" ],
  "https://events.c2id.com/login" : { "sub" : "alice",
                                      "amr" : [ "mfa", "pwd", "otp" ],
                                      "acr" : "https://loa.c2id.com/high",
                                      "ip"  : "192.168.0.1" }
}

The SET may be signed with the IdP's RSA key, and optionally encrypted for the intended audience, using the standard JWT crypto facilities.

Delivery may be via HTTP notifications (asynchronous and not guaranteed) or via a message queue (if a delivery guarantee is required).