- Modern Authentication Protocols: Rely on federation. Use asymmetric key-based digital certificates to isolate authentication and leverage an external IDP for web-based apps. Federation leads to SSO, enabling multiple apps to benefit from a single login.
- Limitations with Current Protocols: Federation has limitations in native mobile apps. For example, in an insurance provider's mobile app, SSO doesn't work when opening a banking partner's web app, because a native mobile app can't share the IDP session that web apps keep in browser cookies. A potential solution is using a shared identifier other than a browser cookie.
- Identity Bridge Concept: Attempts to provide a secure native-to-web SSO architecture close to the OIDC protocol. Relies on the central IDP's inbound federation ability and deploys a Bridge service as an inbound IDP.
- A Model Bridge Framework: Details the basic architecture. The user authenticates in the mobile app, gets an authentication token, clicks a web link, and the token is passed through various OIDC authentication steps between the IDP and the bridge to create a web session.
- Security Considerations and Limitations: The basic model carries security risks, such as requiring a proxy service and handling token security poorly. Security enhancements include using a separately scoped, ultra-short-lived ID token and direct protocol support.
- Implementation: Using Okta as the primary IDP, the bridge implements three primary APIs: /authorize, /token, and /keys. A working prototype is available.
- Security Analysis: The bridge is transparent and uses secure OIDC with ephemeral key pairs. The authentication token should be short-lived and the bridge should be configured with whitelisted IPs.
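As an added illustration (not the paper's prototype and not Okta code), the following Go sketch models the bridge side of the /token and /keys steps and the central IDP's verification of the result: an ephemeral ES256 key pair, an ultra-short-lived ID token whose audience is the IDP and whose scope is restricted to the bridge exchange, and the signature, audience, scope and expiry checks the IDP applies. The issuer URL, the `bridge:sso` scope value and the client identifiers are assumptions; the /authorize redirect and the IP allowlist are not modelled.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
	"time"
)

var enc = base64.RawURLEncoding // JWS segments are unpadded base64url
// NewEphemeralKey is the bridge's ES256 key pair; its public half is what the /keys endpoint would publish.
func NewEphemeralKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// MintIDToken models /token: a compact ES256 JWS pinned to the IDP audience, a bridge-only scope and ttl.
func MintIDToken(key *ecdsa.PrivateKey, sub, aud string, now time.Time, ttl time.Duration) (string, error) {
	body, _ := json.Marshal(map[string]any{"iss": "https://bridge.example.invalid", "sub": sub, "aud": aud,
		"scope": "bridge:sso", "iat": now.Unix(), "exp": now.Add(ttl).Unix()}) // assumed issuer and scope
	input := enc.EncodeToString([]byte(`{"alg":"ES256","typ":"JWT"}`)) + "." + enc.EncodeToString(body)
	h := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, key, h[:])
	if err != nil {
		return "", err
	}
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...) // JWS wants fixed-width R||S, not DER
	return input + "." + enc.EncodeToString(sig), nil
}

// VerifyIDToken is the IDP's check with the key fetched from /keys: signature, then aud, scope and expiry.
func VerifyIDToken(tok string, pub *ecdsa.PublicKey, aud string, now time.Time) (string, error) {
	p := strings.Split(tok, ".")
	sig, err := enc.DecodeString(p[len(p)-1])
	if len(p) != 3 || err != nil || len(sig) != 64 {
		return "", errors.New("malformed token")
	}
	h := sha256.Sum256([]byte(p[0] + "." + p[1]))
	var c struct{ Sub, Aud, Scope string; Exp int64 } // encoding/json matches the lowercase keys case-insensitively
	raw, _ := enc.DecodeString(p[1])
	if !ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) ||
		json.Unmarshal(raw, &c) != nil || c.Aud != aud || c.Scope != "bridge:sso" || now.Unix() >= c.Exp {
		return "", errors.New("token rejected: bad signature, wrong audience or scope, or expired")
	}
	return c.Sub, nil
}
```

Because the token lives only for `ttl` and carries a bridge-only scope, a leaked token is useless at any other relying party and expires before it can be replayed at leisure.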
- Real-World Use Cases: Common in corporate portals, online travel agencies, healthcare, streaming/e-commerce, and vendor portals. Allows users to access web-based applications without re-authentication.
- Conclusion: Applications use different platforms and devices. The OIDC bridge complements existing standards to provide authentication and SSO services across all devices and platforms.