A New Venn Of Access Control For The API Economy

Cloud providers and many federated IAM practitioners are excited about OAuth, a new(ish) security technology on the scene. I’ve written about OAuth in Protecting Enterprise APIs With A Light Touch. The cheat-sheet list I keep of major OAuth product support announcements already includes items from Apigee, Covisint, Google, IBM, Layer 7, Microsoft, Ping Identity, and salesforce.com. (Did I miss yours? Let me know.)

OAuth specializes in securing API/web service access by a uniquely identified client app on behalf of a uniquely identified user. It has flows for letting the user explicitly consent to (authorize) this connection, but generally relies on authorizing the actions of the calling application itself through simple authentication. So does the auth part of the name stand for authentication, authorization, or what? Let’s go with “all of the above.”

However, OAuth is merely plumbing of a sort similar to the WS-Security standard (or, for that matter, HTTP Basic Authentication). It doesn’t solve every auth* problem known to humankind, not by a long shot. What other IAM solutions are popping up in the API-economy universe? Two standards communities are building solutions on top of OAuth to round out the picture:

  • OpenID Connect for single sign-on (SSO): This protocol from the OpenID Foundation solves for SSO, session management, and identity claims retrieval. I first wrote about it here. You can think of it as a lightweight SAML that enables dynamic B2E, B2B, and B2C use cases, in a way that’s of particular interest to efforts such as the National Strategy for Trusted Identities in Cyberspace.
  • User-Managed Access (UMA) for access management: This protocol from the Kantara Initiative solves for access control by third parties. (Disclosure: I founded the UMA standards effort and still serve as its group chair.) The initial use cases included an individual Web 2.0 user sharing calendars, health data, and more with friends, family, and organizations in their lives. New business-related use cases include enterprise oversight of employees’ use of cloud services. You can think of it as a lightweight XACML without the policy expression language, which enables loose coupling of authorization decisions and enforcement.

Time for a new Venn diagram, methinks…

Venn of access control for the API economy, comparing OAuth 2.0, OpenID Connect, and UMA

There's no doubt about it: these OAuth-based efforts are nascent. The Implementer’s Draft specs for OpenID Connect just passed a vote of the OpenID Foundation membership on February 16 and interoperability testing among seven implementers, including Google and eBay is under way. UMA has four implementations to date, and will hold its first face-to-face interop event in April. But I’ve been discovering in a number of client conversations that IT and business organizations already have “holes” in their solution spaces that this union of Venn features helps to solve, and they welcome news of solutions that are web-friendly, lightweight, and able to be loosely coupled.

The new universe of open APIs that need serious protection – Accessibility with Security, as Google engineer Steve Yegge termed it in his famous rant – is yet more reason why I believe the “identity singularity” is on its way. We’ll be publishing some research soon on this phenomenon writ large, which we’re calling Zero Trust Identity. For now I’ll leave the obvious comparisons within the Venn as exercises for the reader, and I welcome your thoughts, questions, challenges, and use cases.

Comments

OAuth support

Hi Eve,

Thanks for writing this article, what a great overview of the current state of affairs of OAuth. You asked to let you know if you missed any product vendors that support OAuth. I just wanted to let you know that ForgeRock's OpenAM (formerly OpenSSO) supports OAuth. Here is a link to more information:

https://wikis.forgerock.org/confluence/display/openam/OpenAM+OAuth+Imple...

Thanks,
Brad Tumy

Thanks for your comments!

Susan and Brad, thanks very much for writing in. Brad, thanks for the ForgeRock info -- much appreciated.

By the way, I realized belatedly that there's a small error in the Venn. I'll have to correct this eventually! For now, let's treat this as an "Easter egg." :-) Anyone want to find it?

Access Control

Thanks for creating such a wonderful site. This site was not only knowledgeable but also very stimulating too.

OAuth Support again

Hi Eve,

Several more from Intel for your pot on OAuth support:

Expressway Cloud Access 360 - for SSO and identity provisioning:
http://software.intel.com/en-us/articles/SAML-Cloud-Access-SSO-XACML-Aut...

Intel SSO - SSO & identity provisioning from the cloud:
http://intelcloudsso.com

Expressway Service Gateway - API security and acceleration:
http://software.intel.com/en-us/articles/Perimeter-Security-Products/

Cheers & keep up the good work.

Intel and OAuth: check :-)

Todd, thanks very much for this contribution!

Open Source API Management and OAuth

Eve,

WSO2 is working actively on a new offering : API Manager, which is very much aligned with your blog contents and the first Open Source API management.

You can see more at : http://wso2.com/products/api-manager

Isabelle.

WSO2

Isabelle, thanks for supplying this info!

Great Info.. I am researching

Great Info.. I am researching oAuth , and this article of yours is great help

My IAM Contact http://siteminderconsulting.com