+
+Figure 1: Components of CIAM Architecture
+
+### Credential and Profile Stores
+
+At a minimum, a CIAM system provides a credential store or integrates
+with an existing one. This store is where user accounts are maintained
+and shared secrets, if any, are housed. The implementation of the
+credential store can range from a relational database to an LDAP
+directory to a NoSQL database and beyond.
+
+The CIAM system may have a profile store that could contain profile,
+preference, and consent data. Profile storage, however, is not a strict
+requirement. Consider that organizations often centralize this kind of
+information in a customer data platform or marketing automation system.
+In such cases, the CIAM system will have the minimum amount of
+information needed for personalization and communication (e.g., a
+verified email address used to facilitate password resets) while the
+rest of the profile information is stored elsewhere.
+
+### Policy Store and Admin Interface
+
+This repository houses configuration information for the CIAM system and
+serves as an authoritative source of that information. Such information
+could include single sign-on configurations, OAuth token lifecycle
+policies, and user registration workflow definitions. It might also
+house authorization policies that govern which resources an individual
+can access. The artifacts in this repository are managed by the Admin
+Interface or via changes to configuration files. The Admin Interface, if
+provided, presents a user experience where identity professionals can
+configure and manage the CIAM system.
+
+### Authentication and Orchestration Service
+
+This service can serve multiple roles. At a minimum, it authenticates
+credentials. It can also manage the user’s session and broker single
+sign-on. It may act as an OAuth authorization service. Lastly, it can
+act as an orchestration service. In this final context, it relies on
+policies in the policy store to determine, for example, what information
+must be gathered from an individual as they register, when to present an
+additional authentication challenge (often mediated by a third-party
+risk modeling service), or the steps required to reset a password.
+
+### CIAM Component
+
+In each of the example websites in the above figure, the reader will
+notice the CIAM Component. This is an optional component that can help
+broker user registration and authentication. Often a piece of
+JavaScript, web component, or library, this piece of the puzzle can
+securely interact with the authentication and orchestration service.
+Often, in cases where this component is not present, the individual is
+redirected to a user experience that the authentication service provides
+to register and authenticate; they are then redirected to the site or
+app where they started.
+
+Constraints and Challenges
+==========================
+
+Like other domains within the digital identity industry, CIAM comes with
+its own unique set of hills to climb. What follows is not an exhaustive
+list, and readers have likely discovered others.
+
+Risks of Being on the Internet
+------------------------------
+
+CIAM systems, by their very nature, are on the public internet. After
+all, that’s where an organization’s customers are. It may go without
+saying that the internet is a space fraught with adversaries and risks,
+but it is especially important to say it about the identity systems of
+the internet. Every major touchpoint in a customer journey is
+susceptible to attack, especially sign-up, password reset, and login.
+Three kinds of attacks to be aware of are:
+
+- Fraudulent Registration
+
+- Credential Stuffing (aka cred stuffing)
+
+- Account Takeover (ATO)
+
+###
+
+### Fraudulent Account Registration
+
+In this attack, the adversary (including bots) registers a new user
+account in the CIAM system using either bogus or stolen personal
+information. Their motivations vary from wanting to fill forums and chat
+groups with spam and malware links to harvesting new customer discount
+codes. Mitigations to these attacks can include anti-fraud systems for
+detection and reCAPTCHA-type puzzles, although the latter have been
+shown to be less effective than in years past.
+
+### Credential Stuffing
+
+In this attack, an adversary tests whether lists of username and
+password pairs work in a given CIAM system. Often, adversaries acquire
+credentials (e.g., they may purchase them on the dark web) and test
+whether those credentials work at different online services. Their value
+on the black market is determined by the types of services those
+usernames and passwords can access. In many cases, the adversary is not
+interested in abusing an organization’s service itself; instead, they
+are testing to see if the credentials work with your service so that
+they can sell it at a higher price. The reason why credential stuffing
+is even a thing is because people have a habit of reusing passwords.
+Mitigations to these attacks include specialized credential stuffing
+detection technology (often closely aligned with bot management and
+protection) and enforced multi-factor authentication (MFA).
+
+It is important to note that credential stuffing differs from brute
+force attacks. In the brute force attack, the adversary is interested in
+testing whether an array of passwords works with a specific username.
+Brute force attacks can be mitigated in a variety of ways, including
+failed login throttling, in which multiple failed logins for the same
+user trigger either a slowdown in the number of times the user is
+allowed to log in or even a cooldown period during which all logins for
+the user are blocked. Credential stuffing cannot be mitigated with these
+measures because a CIAM system will only see one failed login per
+username/password pair.
+
+### Account Takeover
+
+In this attack, an adversary possesses the means to act like the genuine
+authenticated user. The adversary may have the user’s password (e.g.,
+via a phishing campaign). The adversary might have found a weakness in
+the password reset process and forced a password change on a genuine
+user’s account. Regardless of the means, the outcomes are the same: the
+adversary is in control of the user account – and may very quickly take
+steps to block the user from regaining access (such as changing the
+phone number). From that point forward, all means of nefarious actions
+can happen. Early detection is important but not sufficient to mitigate
+account recovery. Please refer to the IDPro Body of Knowledge article
+“[Account Recovery](https://bok.idpro.org/article/id/64/)” for
+more information.
+
+Migrating CIAM Systems
+----------------------
+
+Today, most organizations have an existing CIAM system. It might be
+tightly bound to an eCommerce platform or collaboration platform. If the
+organization has decided to modernize or replace its CIAM, then it is
+likely that IAM team members will be confronted with a migration. While
+migrating usernames is reasonably straightforward, migrating passwords
+is not. Two significant challenges are exporting passwords from the old
+system and getting them into the new one.
+
+Exporting passwords presents significant challenges. It is important to
+note, for the avoidance of doubt, this article assumes that the word
+“password,” in the context of secure storage, means a password hash:
+systems should never store passwords in their recoverable plain text
+form. If exports are allowed, further data must be exported, including
+those comprising the security features known as “salt” and “pepper.”[21]
+With all three, taking extensive protective measures during migration is
+essential since they represent “loaded weapons.”[22]
+
+Importing passwords requires not only the appropriate “salt” and
+“pepper” data but also the hashing scheme used by the previous system.
+Some CIAM solutions have specific features that support this process,
+but not all do.
+
+Not all systems allow password exports at all. When organizations cannot
+migrate passwords, then at least two choices exist. Choice one involves
+telling the users to reset their passwords. This is not a great choice –
+it will certainly invite the attention of a grumpy Chief Digital Officer
+or other stakeholder(s). Choice two involves keeping the old CIAM alive
+and using it as a “dumb” credential store. When the user arrives and
+attempts to log in, the new CIAM tests the provided username and
+password against the old CIAM repository. If the credentials are good,
+the new CIAM records the password and marks the user as migrated. This
+approach is more complicated to deploy and requires that the old CIAM
+stays operational for a much longer period of time than the team might
+hope for (or want to pay for).[23]
+
+Budget and Ownership
+--------------------
+
+As discussed in the “The Team and Measurements” section, there are
+multiple stakeholders at the CIAM table. Besides bringing a diverse set
+of requirements and language, they bring their own teams and
+stakeholders, their motivators, their priorities, and their opinions.
+Who funds, operates, enhances, and is responsible for a CIAM stack can
+become a difficult set of questions to answer. It is not unusual to have
+the Chief Digital Officer take responsibility for the CIAM experience, a
+large percentage of the requirements, and funding. Partnered with them
+is the Security team, who have other requirements and are responsible
+for monitoring and incident response. The Identity team might be part of
+either organization or a separate Information Technology team.
+Regardless, expect that upper management will need to establish clear
+lines of demarcation between the various interested parties and,
+furthermore, to ensure there is a clear set of priorities that aligns
+the collective.
+
+Topics for Future Investigation
+===============================
+
+This Body of Knowledge article is meant to be an introduction to
+Customer Identity and Access Management. The topic is both broad and
+deep: exploring the entire landscape is beyond the scope of an
+introductory article. The following is an incomplete list of what could
+and should be explored in the future:
+
+- Incident response playbooks and documenting who to call when
+ customers cannot register or log in
+
+- Identity verification and proofing’s role in CIAM
+
+- High availability architectures for CIAM
+
+- The use of fraud prevention tools to protect sign-up and sign-in
+
+- Use of government- or financial services-issued credentials
+
+- Emergent trends in credentials, including verified credentials
+
+- Cross-channel or “omnichannel” CIAM
+
+Conclusion
+==========
+
+CIAM represents one of the biggest opportunities for identity
+professionals to demonstrate the value of their work. Through CIAM,
+identity professionals can help organizations reach new customers and
+grow the top and bottom lines. In this way, it is different from
+workforce IAM. These differences invite stakeholders from new parts of
+the organization – new partners, like Brand, Marketing, and Digital.
+Each new stakeholder brings their own set of requirements, languages,
+and business objectives. CIAM is, fundamentally, an internet-facing set
+of identity services that brings unique risks to model and mitigate. For
+more experienced identity professionals, CIAM may represent a fresh
+opportunity to reinvigorate their passion for digital identity. For
+newer members of the identity profession, it represents an exciting
+opportunity to have a meaningful positive impact on their organizations.
+
+Author
+======
+
+Ian Glazer
+
+
+
+Ian Glazer is the founder and president of Weave Identity – an advisory
+services firm. Prior to founding Weave, Ian was the Senior Vice
+President for Identity Product Management at Salesforce. His
+responsibilities include leading the product management team, product
+strategy, and identity standards work. Earlier in his career, Ian was a
+research vice president and agenda manager on the Identity and Privacy
+Strategies team at Gartner, where he oversaw the entire team’s research.
+He is a Board Emeritus and the co-founder of IDPro and works to deliver
+more services and value to the IDPro membership, raise funds for the
+organization, and help identity management professionals learn from one
+another. During his career in the identity industry, he has co-authored
+a patent on federated user provisioning, co-authored and contributed to
+user provisioning specifications, and is a noted blogger, speaker, and
+photographer of his socks.
+
+[1] Flanagan (Editor), H., (2022) “Terminology in the IDPro Body of
+Knowledge”, *IDPro Body of Knowledge* 1(11).
+doi:
+
+Figure 1: High-level diagram of OAuth2 flows
+
+When looking into the OAuth2 specification space, you are quickly
+surrounded with many documents, making it difficult to determine the
+easiest path to follow.
+
+Let’s see where to start the journey and where to head.
+
+Terminology
+-----------
+
+| | |
+|---------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------|
+| **Term** | **Definition** |
+| Client | A client application consuming an API |
+| Protected Resource | An API in the OAuth2 terminology |
+| Resource Owner | An end-user using the client application and granting it access to the protected resource |
+| Authorization Server (AS) | The OAuth2 server is able to authorize a client, issue tokens, and potentially validate tokens |
+| Scope | A string designating a (part) of a protected resource that a client is authorized to access |
+| Bearer token | A token whose possession is sufficient to enable access to a protected resource |
+| Sender constrained token | A token whose possession is not sufficient to enable access to a protected resource (additional proof of identity by the client application is required) |
+| Access token | The OAuth2 token that allows a client to get access to a protected resource |
+| Refresh token | The OAuth2 token that allows a client to renew an access token when it is expired without the user’s presence |
+
+**Where to start**
+==================
+
+OAuth2 is defined through a series of IETF RFC documents that each
+describe a specific aspect, use case, or profile of use of the protocol.
+
+
+
+Figure 2: An artistic rendering of OAuth and related standards, courtesy
+of Aaron Parecki
+
+Everything starts with two RFC documents:
+
+- [RFC 6749 - The OAuth 2.0 Authorization
+ Framework](https://www.rfc-editor.org/info/rfc6749) defines four
+ ways for a client application to obtain a token from an
+ authorization server (two of those are now deprecated). Those are
+ called flows or authorization grants.[2]
+
+- [RFC 6750 - The OAuth 2.0 Authorization Framework: Bearer Token
+ Usage](https://www.rfc-editor.org/info/rfc6750) defines the way
+ for a client application to use a token in a subsequent request to a
+ protected resource.[3]
+
+- Later on, different documents would help with the validation step:
+
+ - [RFC 7662 - OAuth 2.0 Token
+ Introspection](https://www.rfc-editor.org/info/rfc7662)
+ defining token introspection against the authorization server,
+ which can be used to verify token validity and extract data from
+ the token.[4]
+
+ - or [RFC 9068 - JSON Web Token (JWT) Profile for OAuth 2.0
+ Access Tokens](https://www.rfc-editor.org/info/rfc9068)
+ defining a JWT profile for the access token.[5]
+
+Let’s use this breakdown to see what OAuth2 offers.
+
+**Get a Token:**
+----------------
+
+This step can be seen as a two-step process: first, the client must be
+authorized for an access token, then the client will perform a token
+request.
+
+- As mentioned above, of the four initial ways to obtain a token, two
+ are deprecated following
+ [OAuth2.1](https://datatracker.ietf.org/doc/draft-ietf-oauth-v2-1/)
+ (currently draft):
+
+ - Resource Owner Password Credentials, which encouraged an
+ anti-pattern of sharing end-user credentials with the client
+ application
+
+ - Implicit flow, which made extensive use of the browser’s front
+ channel and therefore introduced security issues
+
+- The two recommended flows remaining are the following:
+
+ - **Authorization code flow** is the recommended way to obtain a
+ token when a resource owner is present and needs to authenticate
+ first and then consent to delegate access for the client
+ application to the protected resource. This flow uses
+ redirections within a user-agent, typically the user’s browser,
+ as well as a back-channel request to eventually obtain the
+ OAuth2 Access Token.
+
+> There is a first step to authorize the client to get an access token
+> and then a second step where the client actually gets the token.
+>
+> An additional protection to the original Authorization Code flow is
+> now recommended in order to tighten the security of OAuth2
+> authorization and deliver the Access Token to the legitimate client
+> that initiated the request. The name of this additional protection is
+> PKCE (for Proof Key Code Exchange, pronounced “pixie,” as defined in
+> [RFC 7636](https://www.rfc-editor.org/info/rfc7636)) and is
+> considered a good approach to handle public clients.[6]
+
+- **Client credentials** aim to authenticate the client application
+ only to deliver the access token (in that case, the AT is not linked
+ to an end user’s identity but only to the client application
+ identity). This flow is suited for application-to-application
+ access.
+
+**Use the Token**
+-----------------
+
+This step aims to use the access token while calling the protected
+resource.
+
+RFC 6750 describes how an access token should be conveyed to a protected
+resource. In a very brief summary, and in order of preference, the token
+should be passed as:
+
+- An HTTP header as a bearer token (Authorization: Bearer <access
+ token>)
+
+- A POST parameter
+
+- A GET parameter (aka Query String parameter)
+
+**Validate the Token**
+----------------------
+
+Finally, the protected resource receiving a token needs to check the
+token’s validity. This token validation was, for a long time, left to
+implementations to define how to proceed:
+
+- The token format is not specified and can be anything from a
+ randomly generated opaque string acting as a reference token to a
+ quite frequently witnessed JWT signed value token ([RFC
+ 7519](https://www.rfc-editor.org/info/rfc7519)), but it can be
+ anything that would fit the designers of any given
+ implementation.[7]
+
+- If the token is opaque to the client as per the RFC, no specific
+ instructions are defined regarding how the protected resource should
+ validate it. It relies on an out-of-band and
+ beyond-the-scope-of-the-specification process to agree between
+ protected resource and authorization server on how to validate a
+ token: digital signature validation and possibly decryption of a
+ self-contained token (see RFC 9068 for standardization of this
+ approach using JWT as the token format) or introspection of a
+ reference token against an Authorization Server (AS) endpoint (see
+ RFC 7662 for standardization of this approach).
+
+It is generally recommended to rely on one of those two documents to
+help with interoperability between the protected resource and the
+authorization server
+
+**Beyond the Basics**
+---------------------
+
+This section of the article now gives additional details on more aspects
+of the OAuth2 protocol and additional specification documents.
+
+**Scopes**
+----------
+
+OAuth2 does not allow a client application to access any resource
+without restriction once it has an access token. An authorization
+request and, ultimately, the issued token holds a scope (which is a list
+of space-delimited, case-sensitive strings) that will allow the
+protected resource to determine if the authorization was indeed given to
+access it.
+
+**Get a Token (Also)**
+----------------------
+
+A few additional ways to obtain an access token were later provided
+through additional specifications:
+
+- [SAML profile](https://www.rfc-editor.org/info/rfc7522) and
+ [JWT profile](https://www.rfc-editor.org/info/rfc7523) will
+ allow the delivery of an access token in exchange for, respectively,
+ a SAML token or a JWT token issued for a specific end-user or
+ crafted by the client application itself in order to authenticate
+ itself.[8]
+
+- [Device flow](https://www.rfc-editor.org/info/rfc8628) will
+ allow Internet-connected devices to retrieve an access token even if
+ they can’t display a browser or are input-constrained.[9] This flow
+ will rely on the end-user using another device (e.g., a browser on a
+ smartphone) to complete part of the sequence.
+
+- [Token exchange](https://www.rfc-editor.org/info/rfc8693)
+ will enable an access token to be issued in exchange of any other
+ security token and will provide guidelines to correctly implement
+ delegation or impersonation.[10]
+
+**Tokens**
+----------
+
+Until now, only the access token was mentioned. It is the core token
+that OAuth2 provides to client applications. This token is generally a
+bearer token, meaning that any entity that gets access to it can use it
+to access the protected resource. This characteristic has several
+security implications:
+
+- The protected resource cannot be sure that the client application
+ currently requesting access is the same one that initially obtained
+ the token
+
+- The end user that may have had to be authenticated to allow the
+ token to be generated may not be present anymore
+
+Access tokens, therefore, can have different characteristics to mitigate
+those implications:
+
+- Time-limited tokens. The specification recommends that the access
+ token has a limited lifetime.
+
+- Sender-constrained tokens. Recent specifications (mTLS,
+ [DPoP](https://www.rfc-editor.org/info/rfc9449), etc.) allow
+ that access tokens can be bound to the initial client application
+ using various mechanisms, generally involving proof-of-possession of
+ a cryptographic key both at the token request and at the token usage
+ and that the token is linked to that key material (through a public
+ key thumbprint for instance).[11] As a consequence, a
+ sender-constrained token can only be used by the application that
+ requested the token. It is worth noting that while approaches like
+ DPoP can protect against a stolen token, they do not protect against
+ a stolen client ID/secret for a client\_credential grant.
+
+OAuth2 also defines the concept of a **refresh token** issued by the
+Authorization Server and shared with the client app. This refresh token
+will allow the client app to request a fresh AT (e.g., once it expires)
+and potentially a refreshed refresh token without having to involve the
+end-user, for instance. This can be used to maintain a decent UX in a
+single-page application (SPA) or to allow for offline access when the
+user is not present anymore, but the client app needs access to the
+protected resource.
+
+**Discovery**
+-------------
+
+In order to help clients dynamically register against an authorization
+server or programmatically get information about the authorization
+server features and level of support, some discovery and dynamic
+registration specifications are also available:
+
+- Client dynamic registration ([RFC
+ 7591](https://www.rfc-editor.org/info/rfc7591))[12]
+
+- Authorization Server Metadata ([RFC
+ 8414](https://www.rfc-editor.org/info/rfc8414))[13]
+
+**Beyond OAuth2**
+=================
+
+Now that most OAuth2 specifications have been introduced, you can easily
+imagine how difficult it can sometimes be to navigate through them and
+ensure one’s implementation is solid and secure. OAuth2 working group
+members created additional documents to help:
+
+- [RFC 6819](https://www.rfc-editor.org/info/rfc6819) - OAuth 2.0
+ Threat Model and Security Considerations[14]
+
+- [OAuth 2.0 Security Best Current
+ Practice](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics)
+ (currently draft)
+
+- [OAuth
+ 2.1](https://datatracker.ietf.org/doc/draft-ietf-oauth-v2-1/)
+ (currently draft) is a minor but important revision to the standard
+ that incorporates security best practices
+
+- [RFC 8252](https://www.rfc-editor.org/info/rfc8252) - OAuth 2.0 for
+ Native Apps for best practices around native application clients on
+ different platforms[15]
+
+- [OAuth 2.0 for Browser-Based
+ Apps](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-browser-based-apps)
+ (currently draft) for best practices around Single Page Applications
+
+OAuth2 is also a foundation upon which other protocols were developed,
+the most known among these being OpenID Connect.
+
+- [OpenID
+ Connect](https://openid.net/specs/openid-connect-core-1_0.html),
+ as described in the specification, is a “simple identity layer on
+ top of the OAuth 2.0 protocol.”[16] Contrary to OAuth2, which
+ focuses on authorization delegation, OIDC focuses on authentication.
+ It introduces another token (**ID Token**), which is shared between
+ the Authorization Server (or OpenID provider) and the client (or
+ Relying Party). This token is a JWT formatted token. It conveys
+ information about the authenticated identity through
+ standard-defined claims and information about the authentication
+ itself (time of authentication, method used, etc.).
+
+- [User-Managed Access
+ 2.0](https://docs.kantarainitiative.org/uma/wg/rec-oauth-uma-grant-2.0.html)
+ is another protocol defined on top of OAuth2 (as a new authorization
+ grant).[17] It introduces additional tokens, but most importantly,
+ it does introduce a new player in the picture: the **requesting
+ party,** which can be different from the resource owner (in OAuth2,
+ the resource owner is the requesting party).
+
+Additional Reading
+==================
+
+For additional information on implementing OAuth2, these resources may
+be of assistance:
+
+- Richer, Justin, and Antonio Sanso. 2017. *OAuth 2 in Action*.
+ Manning.
+
+- Parecki, Aaron. 2018. *OAUTH 2.0 Simplified*. Lulu.com.
+
+Author
+======
+
+Bertrand Carlier is a senior manager in the Cybersecurity & Digital
+Trust practice at Wavestone consultancy with 20 years of experience. He
+has been leading major Identity & Access Management projects, working
+with many client companies in a variety of industries.
+
+He is devoted to promoting and encouraging the use of open standards and
+has done so through leading projects and talks at various international
+conferences.
+
+He likes nothing more than to tackle the newest problems in the Identity
+and Access Management space: API & microservices security, IAM of
+Things, AI for IAM and IAM for AI, and, of course, the longstanding
+problem of “how to cope with both the legacy and the ever more shiny
+(and accumulating) new toys?”
+
+[1] Dingle, P., (2020) “Introduction to Identity - Part 2: Access
+Management”, *IDPro Body of Knowledge* 1(2). doi:
+Authentication and Authorization, Introduction to Consumer Identity and Access Management
An identity federation is a group of computing or network providers that agree to operate using standard protocols and trust agreements. In a Single Sign-On (SSO) scenario, identity federation occurs when an Identity Provider (IdP) and Service Provider (SP) agree to communicate via a specific, standard protocol. The enterprise user will log into the application using their credentials from the enterprise rather than creating new, specific credentials within the application. By using one set of credentials, users need to manage only one credential, credential issues (such as password resets) can be managed in one location, and applications can rely on the appropriate enterprise systems (such as the HR system) to be the source of truth for a user’s status and affiliation.
Identity federations can take several forms. In academia, multilateral federations, where a trusted third party manages the metadata of multiple IdPs and SPs, are fairly common. 1 This article focuses, however, on the enterprise use case where bilateral federation arrangements, where the agreements are one-to-one between an IdP and an SP, are the most common form of identity federation in use today.