CISSP PRACTICE QUESTIONS – 20210623

Effective CISSP Questions

You are implementing OpenID Connect and OAuth 2.0 to support authentication and authorization. Which of the following is used for authorization between a client and a resource server? (Wentz QOTD)
A. Assertions
B. XACML
C. Access Token
D. Bearer Token

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is C. Access Token.

Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams, and an informative reference for security professionals.

  • “Assertion” is a term used in SAML (Security Assertion Markup Language), which is equivalent to “claim” in OIDC (OpenID Connect). OIDC distinguishes ID Token (for authentication) from Access Token (for authorization). The access token used in OAuth2 is a “bearer” token. Any party that possesses the access token as a bearer token can get access to associated resources.
  • XACML is an XML-based language for expressing authorization policy, and a good fit with SAML.
  • Access token and bearer token are commonly used interchangeably. However, access token literally denotes the idea of access control or authorization, whereas bearer token names one type of token and emphasizes the anonymous nature of that token. Both terms make sense, but I suggest Access Token because it is more specific in this context.

RFC 6750, OAuth 2.0 Bearer Token Usage, is a specification that “describes how to use bearer tokens in HTTP requests to access OAuth 2.0 protected resources. Any party in possession of a bearer token (a “bearer”) can use it to get access to the associated resources (without demonstrating possession of a cryptographic key). To prevent misuse, bearer tokens need to be protected from disclosure in storage and in transport.”

However, it also depicts the communication between clients and resource servers using the term “Access Token,” as the following diagram shows:

     +--------+                               +---------------+
     |        |--(A)- Authorization Request ->|   Resource    |
     |        |                               |     Owner     |
     |        |<-(B)-- Authorization Grant ---|               |
     |        |                               +---------------+
     |        |
     |        |                               +---------------+
     |        |--(C)-- Authorization Grant -->| Authorization |
     | Client |                               |     Server    |
     |        |<-(D)----- Access Token -------|               |
     |        |                               +---------------+
     |        |
     |        |                               +---------------+
     |        |--(E)----- Access Token ------>|    Resource   |
     |        |                               |     Server    |
     |        |<-(F)--- Protected Resource ---|               |
     +--------+                               +---------------+

                     Figure 1: Abstract Protocol Flow

You are implementing OpenID Connect and OAuth 2.0 to support authentication and authorization. Which of the following is used for authorization between a client and a resource server? (Wentz QOTD)
A. Assertions
B. XACML
C. Access Token
D. Bearer Token

