开发者社区> cnbird> 正文
阿里云
为了无法计算的价值
打开APP
阿里云APP内打开

A New Venn Of Access Control For The API Economy

简介: Cloud providers and many federated IAM practitioners are excited about OAuth, a new(ish) security technology on the scene.
+关注继续查看

Cloud providers and many federated IAM practitioners are excited about OAuth, a new(ish) security technology on the scene. I’ve written about OAuth in Protecting Enterprise APIs With A Light Touch. The cheat-sheet list I keep of major OAuth product support announcements already includes items from Apigee, Covisint, Google, IBM, Layer 7, Microsoft, Ping Identity, and salesforce.com. (Did I miss yours? Let me know.)

OAuth specializes in securing API/web service access by a uniquely identified client app on behalf of a uniquely identified user. It has flows for letting the user explicitly consent to (authorize) this connection, but generally relies on authorizing the actions of the calling application itself through simple authentication. So does the auth part of the name stand for authentication, authorization, or what? Let’s go with “all of the above.”

However, OAuth is merely plumbing of a sort similar to the WS-Security standard (or, for that matter, HTTP Basic Authentication). It doesn’t solve every auth* problem known to humankind, not by a long shot. What other IAM solutions are popping up in the API-economy universe? Two standards communities are building solutions on top of OAuth to round out the picture:

  • OpenID Connect for single sign-on (SSO): This protocol from the OpenID Foundation solves for SSO, session management, and identity claims retrieval. I first wrote about it here. You can think of it as a lightweight SAML that enables dynamic B2E, B2B, and B2C use cases, in a way that’s of particular interest to efforts such as the National Strategy for Trusted Identities in Cyberspace.
  • User-Managed Access (UMA) for access management: This protocol from the Kantara Initiative solves for access control by third parties. (Disclosure: I founded the UMA standards effort and still serve as its group chair.) The initial use cases included an individual Web 2.0 user sharing calendars, health data, and more with friends, family, and organizations in their lives. New business-related use cases include enterprise oversight of employees’ use of cloud services. You can think of it as a lightweight XACML without the policy expression language, which enables loose coupling of authorization decisions and enforcement.

Time for a new Venn diagram, methinks…

Venn of access control for the API economy, comparing OAuth 2.0, OpenID Connect, and UMA

There's no doubt about it: these OAuth-based efforts are nascent. The Implementer’s Draft specs for OpenID Connect just passed a vote of the OpenID Foundation membership on February 16 and interoperability testing among seven implementers, including Google and eBay is under way. UMA has four implementations to date, and will hold its first face-to-face interop event in April. But I’ve been discovering in a number of client conversations that IT and business organizations already have “holes” in their solution spaces that this union of Venn features helps to solve, and they welcome news of solutions that are web-friendly, lightweight, and able to be loosely coupled.

The new universe of open APIs that need serious protection – Accessibility with Security, as Google engineer Steve Yegge termed it in his famous rant – is yet more reason why I believe the “identity singularity” is on its way. We’ll be publishing some research soon on this phenomenon writ large, which we’re calling Zero Trust Identity. For now I’ll leave the obvious comparisons within the Venn as exercises for the reader, and I welcome your thoughts, questions, challenges, and use cases.


Categories:


版权声明:本文内容由阿里云实名注册用户自发贡献,版权归原作者所有,阿里云开发者社区不拥有其著作权,亦不承担相应法律责任。具体规则请查看《阿里云开发者社区用户服务协议》和《阿里云开发者社区知识产权保护指引》。如果您发现本社区中有涉嫌抄袭的内容,填写侵权投诉表单进行举报,一经查实,本社区将立刻删除涉嫌侵权内容。

相关文章
ONVIF Device Manager v2.2.146
对接ONVIF使用软件,用于对接支持onvif协议的IPC厂家设置 http://download.csdn.net/detail/li_dabo/9761415
936 0
MacOS 下安装 Homebrew
Homebrew 是 MacOS 下的软件包管理工具,
451 0
DX控件中鼠标双击(或鼠标右键同理)点击GridControl(GridView)的实现
版权声明:欢迎评论和转载,转载请注明来源。 https://blog.csdn.net/zy332719794/article/details/7407285 据了解,dxexpress的数据表GridContral没有直接提供鼠标双击事件 可以样用一下方法替代实现。
518 0
Windows 下的高 DPI 应用开发(UWP / WPF / Windows Forms / Win32)
原文 Windows 下的高 DPI 应用开发(UWP / WPF / Windows Forms / Win32) 本文将介绍 Windows 系统中高 DPI 开发的基础知识。由于涉及到坐标转换,这种转换经常发生在计算的不知不觉中;所以无论你使用哪种 Windows 下的 UI 框架进行开发,你都需要了解这些内容,以免不断踩坑。
1018 0
Swift实用小册24: AccessControl访问控制的使用
在本章中,你将学会AccessControl访问控制的使用方法。
0 0
Data Access 之 MyBatis(三) - SQL Mapping XML(Part C)(下)
Data Access 之 MyBatis(三) - SQL Mapping XML(Part C)
0 0
+关注
cnbird
阿里云安全专家,主要负责阿里云云产品安全。
文章
问答
文章排行榜
最热
最新
相关电子书
更多
Higher-Level APIs in TensorFlo
立即下载
Well-That-Escalated-Quickly-How-Abusing-The-Docker-API-Led-To-Remote-Code-Execution-Same-Origin-Bypass-And-Persistence
立即下载
低代码开发师(初级)实战教程
立即下载