Authentication/Authorization

The purpose of this service functions is to enable Gaia-X Participants to authenticate users and systems in a trustworthy and decentralised self-sovereign manner without need for a central source of authority and assure authorization of access and data usage based on such identity data and decentrally managed credentials.

At the core of this enablement stays assurance of compatibility to the existing and well established Authentication protocols such as OpenID Connect and Authorization frameworks like OAuth2 or enabling X.509-based mutual TLS authentication.

The authentication and authorization in a decentralized concept follows the terms of self-sovereignty. This means that a holder must be able to present his identity just under the site condition to trust the requesting party for authentication and data exchange. This is a relevant change to a centralized approach. In a centralized approach, the user must create an account with any kind of information that the central identity provider owner requests. In this case, the central identity provider is then the controller about the user data. In the decentral approach a service just requests data which is necessary for the service itself. The holder is then a kind of decentralized identity provider which can deliver this information by trusting the requesting party. This changes the way to authenticate. In the past, the authentication happened on the central Identity Provider (IdP), now the authentication is on the holder’s side e.g. with a Personal Credential Manager (e.g. Smartphone Wallet) or in the Organisational Credential Manager (Server Wallet) which acts in a decentralized system as identity provider and/or as identity information hub. All the security-related considerations and assurance levels, including but not limited to requirements for multi-factor authentication, must be therefore fulfilled by those self-managed Credential Manager agents. In return the Credential Manager allows for presentation of a proof of control over an Identity identified by its private/public keys to the Requesting party. Same is for Authorization requests, the holder presents the required credentials that include the claims to enable the resource owner to make the decision on defined policies to grant or permit access.
The GAIA-X concept of Authentication and Authorization is based on the SSI Standards W3C VerifiableCredentials and decentralized key management (DPKI) defined by the W3C DID Core Specification and extended with Aries Specifications for DID-based message exchange (DIDComm) supported by high level Aries protocols for proof request and presentation.

For interoperability and easy integration the service function offers components which bridge between SSI-based authentication and the established OpenID Connect 1.0 specification for authentication and request of claims including related proofs. In the same manner a bridge function is offered to authenticate system-to-system interactions utilising OAuth2 authorisation framework, with Dynamic Client Registration [rfc7591] or establish trustworthy mutual TLS-authentication link [rfc8705] backed by SSI-based self-sovereign and decentralised authentication and authorisation.

The overall scope of the service functions enables, by application of supporting SSI Shell components, such as SSI OIDC Provider and SSI IAT Provider, to employ any OAuth2/OIDC standards-based local IAM solution for decentralised authentication and authorisation within Gaia-X ecosystem. The components integrate with the other elements of the Identity&Trust package, e.g. Trust Services and Personal Credential Manager in order to fulfill their full scope of function.


Specification Document