Authors: Carlos Villarán and Marta Beltrán
Affiliation: Department of Computing, ETSII, Universidad Rey Juan Carlos, Madrid, Spain
Keywords: GDPR, Identity and Access Management, OpenID Connect, Privacy, Social Login.
Abstract: Social login allows end-users to identify and authenticate to different applications and services using their social network providers (Facebook, Twitter, Google, LinkedIn) instead of using application-specific accounts and passwords. This kind of single sign-on approach relies on federated identity management specifications that significantly simplify login processes. However, this kind of solution also introduces new threats to end-users' privacy, because identity providers (the social network providers) have access to sensitive information that allows them to perform processing without explicit consent (to profile or track their users, for example) or that can be shared with third parties. This paper proposes the inclusion of new capabilities within the authentication flows, intended to mitigate these privacy threats and to guarantee compliance with the General Data Protection Regulation (GDPR) through transparency and the efficient use of already existing mechanisms and technologies such as back-channel logout or consent receipts. Furthermore, the integration of these capabilities in OpenID Connect flows has been validated with a real prototype of the proposed solution.