Enhanced attribute retrieval and provisioning through the eIDAS digital identity infrastructure

In the realm of online security, ensuring secure and efficient user authentication and identification is crucial. In the digital landscape, preventing unauthorized access and identity theft is of utmost importance. To address these concerns, the eIDAS network, composed of eIDAS nodes in Member State countries, was established to implement the European Union (EU) Regulation 910/2014, which aims to connect electronic identity systems across EU countries. The primary objective of the eIDAS network is to provide a unified framework for electronic identification and trust services, guaranteeing the security, reliability, and legal validity of digital transactions across borders. When a user authenticates using a government issued electronic identity (eID) through the eIDAS network, certain core personal attributes such as name, surname, date of birth, and identifier are transmitted from the eIDAS nodes to service providers (SPs). However, certain long-term applications may require additional personal or domain-specific data, which SPs must acquire through alternative means. This introduces additional costs and risks as SPs need to establish separate verification procedures to gather this information. To tackle this challenge, the eIDAS network enables the request and retrieval of additional attributes beyond the basic information provided by an eID. The request for additional attributes must be authorized by the individual or entity that owns the electronic identity, ensuring compliance with data protection laws and regulations. Once these additional attributes have been verified, they can be utilized to establish a higher level of trust and security for the specific transaction, eliminating the need for SPs to obtain the supplementary data through alternative methods. In order to meet the requirement for acquiring additional attributes, the eIDAS network can be expanded to facilitate the retrieval and transmission of both person-specific and domain-specific attributes alongside the core information. However, this extension raises various concerns related to technical implementation, usability, and privacy. These concerns are thoroughly investigated in this thesis to ensure a comprehensive understanding of the implications. To address these concerns and enable the retrieval of additional attributes, a logical AP Connector is proposed as an intermediate component connecting the eIDAS node and the entities responsible for providing the supplementary attributes. This connector acts as a bridge, facilitating the secure and controlled transfer of additional attribute data. Within the proposed solution, two specific AP Connectors, namely AP-Proxy and AP-OAuth2, have been implemented and integrated with the Italian pre-production eIDAS node. The integration of AP-Proxy and AP-OAuth2 enhances the capabilities of the eIDAS network, enabling the retrieval of additional attributes from the backend system of Polytechnic University of Turin. In particular, the integration of AP-OAuth2 plays a significant role in the attribute retrieval process. By incorporating OAuth2 as an integral part of the implementation, the eIDAS network leverages its capabilities to retrieve the required additional attributes securely and efficiently.