Description
The Provider Authentication Policy Extension (PAPE) is a specification originally developed by the OpenID community and later profiled within 3GPP TS 33.924. It extends the core OpenID authentication protocol, which is used for decentralized single sign-on (SSO) across websites. PAPE enables a Relying Party (RP) – the website or service the user wants to access – to communicate its authentication policy requirements to the OpenID Provider (OP) – the entity that authenticates the user. This policy dictates how the user must be authenticated, going beyond simple identity assertion to specify the required level of assurance (LoA).
Technically, PAPE works by adding new parameters to the OpenID authentication request and response. When an RP wishes to enforce a specific authentication policy, it includes `openid.pape.preferred_auth_policies` and optionally `openid.pape.max_auth_age` parameters in its redirect to the OP. The `preferred_auth_policies` parameter is a space-separated list of policy URIs that define acceptable authentication methods, such as `http://schemas.openid.net/pape/policies/2007/06/multi-factor` for multi-factor authentication or `http://schemas.openid.net/pape/policies/2007/06/phishing-resistant` for phishing-resistant mechanisms. The `max_auth_age` parameter specifies the maximum allowable time since the user's last authentication at the OP.
The OpenID Provider processes the request, attempts to authenticate the user according to the requested policies (or its own capabilities), and then includes a corresponding `openid.pape.auth_policies` parameter in the authentication response back to the RP. This response lists the authentication policies that were actually applied during the session. The RP can then verify that the policies meet its security requirements before granting access. Within the 3GPP ecosystem, this mechanism is integrated into the security framework for web-based services, allowing network operators or service providers acting as Relying Parties to demand stronger authentication from Identity Providers, aligning with regulatory or service-specific security needs.
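The RP side of the exchange just described, as an added example written for this page (not code from the OpenID or 3GPP specifications): it builds the PAPE request parameters and then checks the OP's response for the applied policies, the `max_auth_age` freshness bound and signature coverage. It relies on two PAPE 1.0 parameters the text above does not name, `openid.ns.pape` and `openid.pape.auth_time`, uses a constructed sample response, and assumes the RP's OpenID library has already verified the core response signature.

```python
import calendar
import time

PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
MULTI_FACTOR = "http://schemas.openid.net/pape/policies/2007/06/multi-factor"
NONE_POLICY = "http://schemas.openid.net/pape/policies/2007/06/none"

def build_pape_request(policies, max_auth_age=None):
    """PAPE parameters the RP adds to its redirect to the OP, next to the core OpenID ones."""
    params = {"openid.ns.pape": PAPE_NS,
              "openid.pape.preferred_auth_policies": " ".join(policies)}
    if max_auth_age is not None:
        params["openid.pape.max_auth_age"] = str(int(max_auth_age))
    return params

def _parse_auth_time(value):
    """PAPE auth_time is UTC, e.g. 2005-05-15T17:11:51Z; convert to POSIX seconds."""
    return calendar.timegm(time.strptime(value, "%Y-%m-%dT%H:%M:%SZ"))

def verify_pape_response(resp, required_policies, max_auth_age=None, now=None):
    """Return (ok, reason). Assumes the core OpenID signature was already verified."""
    if resp.get("openid.ns.pape") != PAPE_NS:
        return False, "no PAPE namespace in response: treat as no policy applied"
    applied = set(resp.get("openid.pape.auth_policies", "").split())
    applied.discard(NONE_POLICY)  # 'none' is a sentinel meaning nothing was applied
    missing = set(required_policies) - applied
    if missing:
        return False, "OP did not apply: " + " ".join(sorted(missing))
    must_sign = {"ns.pape", "pape.auth_policies"}
    if max_auth_age is not None:
        if "openid.pape.auth_time" not in resp:
            return False, "max_auth_age was requested but OP sent no auth_time"
        must_sign.add("pape.auth_time")
        age = (time.time() if now is None else now) - _parse_auth_time(resp["openid.pape.auth_time"])
        if age > max_auth_age:
            return False, f"last authentication is {age:.0f}s old, limit is {max_auth_age}s"
    # PAPE fields must be listed in openid.signed; unsigned fields could be altered in transit.
    unsigned = must_sign - set(resp.get("openid.signed", "").split(","))
    if unsigned:
        return False, "PAPE fields not covered by OP signature: " + " ".join(sorted(unsigned))
    return True, "policy satisfied"

# Constructed sample response (not from a real OP): MFA applied 10 minutes before SAMPLE_NOW.
SAMPLE_RESPONSE = {
    "openid.ns.pape": PAPE_NS,
    "openid.pape.auth_policies": MULTI_FACTOR,
    "openid.pape.auth_time": "2024-01-01T12:00:00Z",
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,ns.pape,pape.auth_policies,pape.auth_time",
}
SAMPLE_NOW = _parse_auth_time("2024-01-01T12:10:00Z")
```

A response that omits the PAPE namespace, reports only the `none` policy, or leaves the PAPE fields out of `openid.signed` is rejected, so the RP never grants elevated access on an unproven authentication strength.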
Purpose & Motivation
PAPE was created to address a critical shortcoming in the original OpenID protocol: it only verified *who* the user was, but not *how* they were authenticated. An RP had no way to know if the user simply entered a password (vulnerable to phishing) or used a stronger method like a hardware token or biometrics. This was inadequate for services handling sensitive data or requiring compliance with specific assurance levels. PAPE provides a standardized extension to communicate authentication policy requirements, enabling risk-based access control.
3GPP's adoption and profiling of PAPE in TS 33.924, starting in Release 9, was motivated by the growing use of web-based and IP Multimedia Subsystem (IMS) services that could leverage OpenID for identity management. As operators opened their networks to third-party application providers, there was a need for a common, extensible way to convey authentication strength requirements across administrative domains. PAPE solved this by allowing a service (RP) in one domain to insist that the authenticator (OP, potentially run by the network operator) uses a high-strength method before asserting the user's identity. This facilitated secure service delivery and helped meet regulatory requirements for electronic transactions and access to sensitive resources, bridging web authentication standards with telecommunications-grade security expectations.
Key Features
- Extends OpenID protocol to communicate authentication policy requirements
- Allows Relying Parties to request specific authentication methods via policy URIs
- Supports requesting a maximum authentication age to force re-authentication
- Enables OpenID Providers to declare which policies were applied in the response
- Facilitates higher levels of assurance (LoA) for sensitive transactions
- Profiled by 3GPP for secure web-based and IMS service authentication
Evolution Across Releases
PAPE was initially introduced in 3GPP Release 9 within TS 33.924. This release profiled the OpenID Provider Authentication Policy Extension for use in 3GPP security architectures. It defined how Relying Parties (e.g., service providers) could request specific authentication policies from OpenID Providers, enabling policy-driven authentication strength for web services.
Defining Specifications
| Specification | Title |
|---|---|
| TS 33.924 | 3GPP TR 33.924 |