This presentation explores how Identity APIs have evolved over time to meet consumer and enterprise requirements, and walks through real-world scenarios in which tough identity challenges have been tackled with them.
5. IAM Challenges in Kermit Corp
● The same physical user is digitally represented in different silos with different credentials
● No single sign-on across silos
● Higher probability of identity mismanagement
● Identity integrations across department/enterprise borders are difficult or impossible
8. Customer (is the king!) IAM
● Social login and BYOI
● Seamless experience across devices (Omnichannel)
● Privacy
○ Consent management
○ Ownership of user information
● Party-to-party delegation
14. User Provisioning with SCIM
[Diagram: a Self Care Portal provisions users over SCIM into the Identity Providers of Foo Org, Zee Org and Bar Org; the Identity Providers also exchange user data with each other over inbound and outbound SCIM connections.]
15. Delegated Authorization with OAuth 2.0
● Authorization Code Grant: suitable for web applications
● SAML Bearer Grant: suitable for apps already using SAML SSO for authentication
● JWT Grant: suitable for apps already using a JWT mechanism for authentication
● Client Credentials Grant: suitable for retrieving data not specific to end users (e.g. weather, stocks) and for machine-to-machine communication
16. Authz Code Grant Flow
[Diagram: sequence among the Resource Owner, the Application (OAuth Client), the OAuth Authorization Server and the OAuth Resource Server. The numbered steps 1-8 carry the labels 302, Authenticate + Consent, Authz Code, Access Token Request, Access Token, Resource Request (bearing the Access Token) and Introspect (the Resource Server validating the Access Token with the Authorization Server).]
Prerequisite: the client application is registered with the Authz Server, either manually or via Dynamic Client Registration.
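To make the numbered steps of the flow concrete, here is an added example (not code from the presentation) of a minimal in-memory authorization server covering the authorize, token and introspection endpoints, plus a driver that walks the whole flow. The client id, secret, redirect URI and user "alice" are constructed sample values; the checks it enforces (registered redirect URI, client authentication, single-use and expiring codes, code bound to the client and redirect URI) are the ones a resource server relying on introspection depends on.

```python
import secrets, time

class AuthzServer:
    """In-memory OAuth 2.0 authorization server: authorize, token, introspect."""
    CODE_TTL, TOKEN_TTL = 60, 3600
    def __init__(self):
        self.clients, self.codes, self.tokens = {}, {}, {}
    def register_client(self, client_id, secret, redirect_uri):   # the prerequisite
        self.clients[client_id] = {"secret": secret, "redirect_uri": redirect_uri}
    def authorize(self, client_id, redirect_uri, scope, sub):
        # Steps 1-4: user has authenticated and consented (sub); issue a short-lived
        # single-use code that the 302 carries back to redirect_uri as ?code=...
        client = self.clients.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise ValueError("invalid_request")  # never redirect to an unregistered URI
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "sub": sub, "scope": scope, "exp": time.time() + self.CODE_TTL}
        return code
    def token(self, client_id, client_secret, code, redirect_uri):
        # Steps 5-6: client authenticates and redeems the code exactly once
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            raise ValueError("invalid_client")
        grant = self.codes.pop(code, None)   # pop: a replayed code is rejected below
        if (grant is None or grant["client_id"] != client_id
                or grant["redirect_uri"] != redirect_uri or grant["exp"] < time.time()):
            raise ValueError("invalid_grant")
        tok = secrets.token_urlsafe(32)
        self.tokens[tok] = {"sub": grant["sub"], "scope": grant["scope"],
                            "client_id": client_id, "exp": time.time() + self.TOKEN_TTL}
        return {"access_token": tok, "token_type": "Bearer"}
    def introspect(self, tok):
        # Step 8: the resource server asks whether the presented bearer token is live
        meta = self.tokens.get(tok)
        if meta is None or meta["exp"] < time.time():
            return {"active": False}
        return {"active": True, **meta}

def run_flow():
    srv = AuthzServer()  # every value below is a constructed sample
    srv.register_client("app", "s3cret", "https://app.example/cb")
    code = srv.authorize("app", "https://app.example/cb", "read", "alice")
    tok = srv.token("app", "s3cret", code, "https://app.example/cb")["access_token"]
    try:
        srv.token("app", "s3cret", code, "https://app.example/cb")  # replay attempt
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    return srv.introspect(tok), replay_rejected
```

`run_flow()` returns the introspection response for the issued token (active, with sub, scope and client_id) together with a flag confirming that redeeming the same code a second time fails.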
17. Authentication with OIDC
● OpenID Connect was created on top of OAuth 2.0 to provide an identity layer
● Introduces a new scope named “openid”
● Introduces a new token named ID Token, containing user claims
● Introduces a new endpoint named ‘userinfo’, to fetch additional user claims
18. OIDC Flow
[Diagram: sequence among the Resource Owner, the Application (OAuth Client), the OAuth Authorization Server and the OAuth Resource Server. The numbered steps 1-9 carry the labels scope=openid, 302, Authenticate + Consent, Authz Code, Access Token Request, Access Token + ID Token, User Info Request (bearing the Access Token), Resource Request (bearing the Access Token) and Introspect.]
19. Party-to-party Delegation with UMA 2.0
● Developed on top of OAuth 2.0
● Introduces an entity named ‘Requesting Party’, and two access tokens named ‘Protection API Token’ (PAT) and ‘Requesting Party Token’ (RPT)
● Lots of use cases in CIAM and IoT:
○ E.g. a patient granting their doctor and insurer access to their health records
○ E.g. a homeowner granting the housemaid permission to rotate the CCTV camera
20. UMA 2.0 in Action
[Diagram: the OAuth Authorization Server exposes a Protection API, an Authorization API and an Introspection API. The Resource Owner authorizes the OAuth Resource Server to register resources (Result: PAT), the Resource Server registers the resource via the Protection API, and the Resource Owner defines policies. The Requesting Party, through the Application (OAuth Client), accesses the protected resource and requests authorization via the Authorization API (Result: RPT); the Resource Server validates the RPT via the Introspection API.]
21. Fine-grained Authorization with XACML
● Standard for attribute-based access control
● Decouples authorization logic from the application code by introducing XML-based policies
● Consists of 4 key components:
○ Policy Administration Point
○ Policy Decision Point
○ Policy Information Point
○ Policy Enforcement Point
22. XACML in Action
[Diagram: an Entitlement Administrator performs CRUD operations on policies through the Policy Administration Point, which writes them to the Policy Store. An End-user performs an operation in the HR Application; its Policy Enforcement Point sends a XACML Request to the Policy Decision Point, which evaluates the policies and consults the Policy Information Point (backed by the Identity Provider) for attributes.]
23. Open Policy Agent (OPA)
● Enforcement API: the service requests decisions
● Management API: management pushes updates
[Diagram: the Service sends a Query to OPA and receives a Decision; OPA evaluates the query against its Policy and Data.]