IMPERSONATION METHOD ON AUTHORIZATION SERVER USING CLIENT-INITIATED BACK-CHANNEL AUTHENTICATION PROTOCOL

Abstract
Several applications provide an impersonation (login as) feature that can be used by system administrators who hold special privileges. Development and maintenance teams with administrator rights can use it to reproduce errors or bugs and to check specific features in the application under a specific user's login session. Besides its benefits, this feature carries a security vulnerability: administrators can abuse these rights to access users' private data or execute activities inside the system without the consent of the account or resource owner. This research proposes an impersonation method on an authorization server using the Client-Initiated Back-channel Authentication (CIBA) protocol. The method prevents impersonation that lacks the account or resource owner's consent. Before the administrator performs impersonation, the application asks for the user's authentication and permission via an authentication device possessed by the resource owner. By using an authentication device, the impersonation feature is always preceded by the user's consent, and no direct interaction between the administrator and the resource owner is needed to prove the user's identity. The results show that the CIBA protocol can be implemented to complement the impersonation method and can run on an authorization server that uses the OAuth 2.0 and OpenID Connect 1.0 protocols. System testing was done by adopting the FAPI CIBA conformance tests.
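The consent-gated flow described above, as an added example that is not the paper's implementation: a minimal in-memory simulation of CIBA poll mode in which the administrator's client opens a back-channel request, the token endpoint keeps answering `authorization_pending` until the resource owner decides on their own device, and the issued token names both the impersonated user (`sub`) and the acting administrator (`act`, a claim borrowed from RFC 8693 token exchange, an assumption here). The class, method and claim names are this example's own.

```python
"""Constructed simulation of CIBA poll mode gating an administrator's
impersonation on the resource owner's consent (not the paper's code)."""
import secrets
import time

CIBA_GRANT = "urn:openid:params:grant-type:ciba"  # grant_type defined by the CIBA spec


class AuthorizationServer:
    """Holds pending back-channel requests keyed by auth_req_id."""

    def __init__(self, ttl=120):
        self.ttl = ttl
        self.pending = {}  # auth_req_id -> request state

    def backchannel_authenticate(self, client_id, login_hint, binding_message):
        """Admin client opens the request; nothing is granted at this point."""
        auth_req_id = secrets.token_urlsafe(32)
        self.pending[auth_req_id] = {
            "client_id": client_id, "subject": login_hint,
            "binding_message": binding_message,  # shown on the owner's device
            "decision": None, "expires_at": time.time() + self.ttl,
        }
        return {"auth_req_id": auth_req_id, "expires_in": self.ttl, "interval": 5}

    def device_decision(self, auth_req_id, subject, approved):
        """Resource owner answers on their authentication device; only they may decide."""
        req = self.pending[auth_req_id]
        if req["subject"] != subject:
            raise PermissionError("decision must come from the resource owner")
        req["decision"] = bool(approved)

    def token(self, client_id, grant_type, auth_req_id):
        """Token endpoint polled by the admin client until a decision exists."""
        req = self.pending.get(auth_req_id)
        if grant_type != CIBA_GRANT or req is None or req["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if time.time() > req["expires_at"]:
            return {"error": "expired_token"}
        if req["decision"] is None:
            return {"error": "authorization_pending"}
        if not req["decision"]:
            return {"error": "access_denied"}
        del self.pending[auth_req_id]  # one token per consent; no silent reuse
        # sub is the impersonated user; act records who is acting on their behalf
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "sub": req["subject"], "act": {"sub": client_id}}
```

The resource server can log or restrict requests whose token carries an `act` claim, which gives auditors a record of every impersonated session that the owner approved.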