A New Venn Of Access Control For The API Economy

Repost, 2012-03-21 10:14:54

Cloud providers and many federated IAM practitioners are excited about OAuth, a new(ish) security technology on the scene. I’ve written about OAuth in Protecting Enterprise APIs With A Light Touch. The cheat-sheet list I keep of major OAuth product support announcements already includes items from Apigee, Covisint, Google, IBM, Layer 7, Microsoft, Ping Identity, and salesforce.com. (Did I miss yours? Let me know.)

OAuth specializes in securing API/web service access by a uniquely identified client app on behalf of a uniquely identified user. It has flows for letting the user explicitly consent to (authorize) this connection, but generally relies on authorizing the actions of the calling application itself through simple authentication. So does the auth part of the name stand for authentication, authorization, or what? Let’s go with “all of the above.”

However, OAuth is merely plumbing of a sort similar to the WS-Security standard (or, for that matter, HTTP Basic Authentication). It doesn’t solve every auth* problem known to humankind, not by a long shot. What other IAM solutions are popping up in the API-economy universe? Two standards communities are building solutions on top of OAuth to round out the picture:

  • OpenID Connect for single sign-on (SSO): This protocol from the OpenID Foundation solves for SSO, session management, and identity claims retrieval. I first wrote about it here. You can think of it as a lightweight SAML that enables dynamic B2E, B2B, and B2C use cases, in a way that’s of particular interest to efforts such as the National Strategy for Trusted Identities in Cyberspace.
  • User-Managed Access (UMA) for access management: This protocol from the Kantara Initiative solves for access control by third parties. (Disclosure: I founded the UMA standards effort and still serve as its group chair.) The initial use cases included an individual Web 2.0 user sharing calendars, health data, and more with friends, family, and organizations in their lives. New business-related use cases include enterprise oversight of employees’ use of cloud services. You can think of it as a lightweight XACML without the policy expression language, which enables loose coupling of authorization decisions and enforcement.
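To make the division of labour in the Venn concrete, here is an added example (not code from the original post, Forrester, or any of the products named) that walks one authorization-code exchange through three parties: an authorization server that authenticates the user and records consent, then authenticates the client and issues tokens; a client that checks an OpenID Connect style ID token; and a resource server that only enforces, asking the authorization server what a bearer token means. All names (the `calendar-app` client, the user `alice`, `as.example`, the secrets and HMAC key) are constructed for the demo, and the HS256-signed ID token is a minimal stand-in for a real OpenID Connect ID token.

```python
"""Toy OAuth 2.0 authorization-code exchange with an OpenID Connect style ID token
layered on top. Everything here is in-memory and constructed for illustration."""
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed registrations and keys; nothing comes from a real deployment.
CLIENTS = {"calendar-app": {"secret": "client-secret-example",
                            "redirect_uri": "https://app.example/cb"}}
USERS = {"alice": {"password": "alice-pw-example", "email": "alice@example.com"}}
ISSUER = "https://as.example"
ID_TOKEN_KEY = b"example-hmac-key-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class AuthorizationServer:
    """The one party that decides; clients and APIs only carry or enforce its decisions."""

    def __init__(self):
        self._codes = {}   # code -> (client_id, user, scopes, redirect_uri)
        self._tokens = {}  # access token -> (client_id, user, scopes)

    def authorize(self, client_id, redirect_uri, scopes, user, password, consent):
        """Front channel: authenticate the USER and record an explicit consent decision."""
        client = CLIENTS.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise PermissionError("unknown client or redirect_uri mismatch")
        if USERS.get(user, {}).get("password") != password:
            raise PermissionError("user authentication failed")
        if not consent:
            raise PermissionError("access_denied")
        code = secrets.token_urlsafe(16)
        self._codes[code] = (client_id, user, frozenset(scopes), redirect_uri)
        return code

    def token(self, client_id, client_secret, code, redirect_uri):
        """Back channel: authenticate the CLIENT, then swap a single-use code for tokens."""
        client = CLIENTS.get(client_id)
        if client is None or not hmac.compare_digest(client["secret"].encode(), client_secret.encode()):
            raise PermissionError("invalid_client")
        entry = self._codes.pop(code, None)  # pop() makes the code single-use
        if entry is None or entry[0] != client_id or entry[3] != redirect_uri:
            raise PermissionError("invalid_grant")
        _, user, scopes, _ = entry
        access_token = secrets.token_urlsafe(24)
        self._tokens[access_token] = (client_id, user, scopes)
        id_token = self._mint_id_token(client_id, user) if "openid" in scopes else None
        return {"access_token": access_token, "scope": sorted(scopes), "id_token": id_token}

    def introspect(self, access_token):
        """Lets a resource server ask about an opaque token instead of interpreting it itself."""
        entry = self._tokens.get(access_token)
        if entry is None:
            return {"active": False}
        client_id, user, scopes = entry
        return {"active": True, "client_id": client_id, "sub": user, "scope": sorted(scopes)}

    def _mint_id_token(self, client_id, user):
        """OpenID Connect layer: a signed claims set about the authenticated user (HS256 JWT)."""
        now = int(time.time())
        claims = {"iss": ISSUER, "sub": user, "aud": client_id,
                  "email": USERS[user]["email"], "iat": now, "exp": now + 300}
        signing_input = _b64url(b'{"alg":"HS256","typ":"JWT"}') + "." + _b64url(json.dumps(claims).encode())
        sig = hmac.new(ID_TOKEN_KEY, signing_input.encode(), hashlib.sha256).digest()
        return signing_input + "." + _b64url(sig)


def verify_id_token(token, expected_aud):
    """Client-side check of the ID token: signature, issuer, audience and expiry."""
    header_b64, claims_b64, sig_b64 = token.split(".")
    expected = hmac.new(ID_TOKEN_KEY, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims["iss"] != ISSUER or claims["aud"] != expected_aud or claims["exp"] < time.time():
        raise ValueError("claims rejected")
    return claims


class ResourceServer:
    """Enforcement point only: scope checks here, policy decisions at the authorization server."""

    def __init__(self, auth_server):
        self._as = auth_server
        self._calendars = {"alice": ["2012-03-21 10:00 standup"]}  # constructed data

    def read_calendar(self, access_token):
        info = self._as.introspect(access_token)
        if not info["active"] or "calendar.read" not in info["scope"]:
            raise PermissionError("insufficient_scope")
        return self._calendars.get(info["sub"], [])


def run_demo():
    """Drives the three parties through one exchange and reports what was observed."""
    auth, api, results = AuthorizationServer(), None, {}
    api = ResourceServer(auth)
    code = auth.authorize("calendar-app", "https://app.example/cb", ["openid", "calendar.read"],
                          "alice", "alice-pw-example", consent=True)
    try:  # wrong client secret is rejected before the code is consumed
        auth.token("calendar-app", "wrong-secret", code, "https://app.example/cb")
        results["bad_client_secret_rejected"] = False
    except PermissionError:
        results["bad_client_secret_rejected"] = True
    tokens = auth.token("calendar-app", "client-secret-example", code, "https://app.example/cb")
    try:  # replaying the already-used code fails
        auth.token("calendar-app", "client-secret-example", code, "https://app.example/cb")
        results["code_replay_rejected"] = False
    except PermissionError:
        results["code_replay_rejected"] = True
    results["id_token_sub"] = verify_id_token(tokens["id_token"], "calendar-app")["sub"]
    results["calendar"] = api.read_calendar(tokens["access_token"])
    return results


if __name__ == "__main__":
    print(run_demo())
```

The two `PermissionError` paths are where the post's "authentication vs. authorization" question shows up in code: the user is authenticated and consents in `authorize`, the client is authenticated in `token`, and the resource server never sees either secret, it only learns the outcome through `introspect`. That separation between deciding and enforcing is the loose coupling the UMA description refers to.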

Time for a new Venn diagram, methinks…

[Figure: Venn of access control for the API economy, comparing OAuth 2.0, OpenID Connect, and UMA]

There's no doubt about it: these OAuth-based efforts are nascent. The Implementer's Draft specs for OpenID Connect just passed a vote of the OpenID Foundation membership on February 16, and interoperability testing among seven implementers, including Google and eBay, is under way. UMA has four implementations to date and will hold its first face-to-face interop event in April. But I've been discovering in a number of client conversations that IT and business organizations already have "holes" in their solution spaces that this union of Venn features helps to fill, and they welcome news of solutions that are web-friendly, lightweight, and able to be loosely coupled.

The new universe of open APIs that need serious protection – Accessibility with Security, as Google engineer Steve Yegge termed it in his famous rant – is yet more reason why I believe the “identity singularity” is on its way. We’ll be publishing some research soon on this phenomenon writ large, which we’re calling Zero Trust Identity. For now I’ll leave the obvious comparisons within the Venn as exercises for the reader, and I welcome your thoughts, questions, challenges, and use cases.
