This slide deck discusses how identity APIs have evolved over time and walks through real-world scenarios in which tough identity challenges were tackled by using them: OAuth 2.0 delegated authorization, OpenID Connect authentication, UMA party-to-party delegation and XACML fine-grained authorization.
5. Problems of Siloed IAM
● The same physical user is digitally represented in different silos with different credentials
● No single sign-on across silos
● Higher probability of identity mismanagement
● Identity integrations across department/enterprise borders are difficult or impossible
8. Customer (is the king!) IAM
● Social login and BYOI
● Seamless experience across devices (Omnichannel)
● Privacy (Consent management)
● Ownership of user information
● Party-to-party delegation
15. Delegated Authorization with OAuth 2.0
● Authorization Code Grant: suitable for web applications (and, combined with PKCE, for native and single-page apps that cannot keep a client secret)
● SAML 2.0 Bearer Assertion Grant (RFC 7522): suitable for apps already using SAML SSO for authentication
● JWT Bearer Assertion Grant (RFC 7523): suitable for apps already using a JWT mechanism for authentication
● Client Credentials Grant: suitable for retrieving data not specific to an end user (e.g. weather or stock feeds) and for machine-to-machine communication; the resulting token carries no resource-owner identity
16. Authz Code Grant Flow (sequence diagram)
Participants: Resource Owner, Application (OAuth Client), OAuth Authorization Server, OAuth Resource Server.
Prerequisite: the client application is registered with the Authz Server, manually or via Dynamic Client Registration.
Arrow labels in diagram order:
1. Resource Owner accesses the Application
2. Application redirects (302) the Resource Owner's browser to the Authorization Server
3. Resource Owner authenticates and gives consent (Authenticate + Consent)
4. Authorization Server returns an Authz Code to the Application via the browser
5. Application sends the Access Token Rq (code plus client credentials) to the Authorization Server
6. Authorization Server returns an Access Token
7. Application sends the Resource Request to the Resource Server with the Access Token
8. Resource Server validates the Access Token with the Authorization Server (Introspect)
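The flow above, as an added in-process example that is not part of the slide deck: a toy authorization server issues a single-use authorization code bound to the client, its registered redirect URI and a PKCE challenge; the client checks the state parameter on the callback, exchanges the code, and the resource server validates the resulting bearer token by introspection. Client id, redirect URI, scope name and all method names are constructed for the example and do not reflect any real product's API.

```python
# Added example: simulation of the OAuth 2.0 Authorization Code Grant with PKCE
# (RFC 7636) and a state parameter. Everything runs in one process, no network.
import base64
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


class AuthorizationServer:
    """Toy AS: registered clients, codes bound to client/redirect_uri/PKCE, opaque tokens."""

    def __init__(self):
        self.clients = {}   # client_id -> {"redirect_uris": [...]}
        self.codes = {}     # code -> issuance record (popped on first use)
        self.tokens = {}    # access_token -> {"sub", "scope", "exp"}

    def register_client(self, client_id, redirect_uris):   # prerequisite: client registration
        self.clients[client_id] = {"redirect_uris": list(redirect_uris)}

    def authorize(self, params, authenticated_user, consent_given):
        # Steps 2-4: validate the request before involving the resource owner.
        client = self.clients.get(params["client_id"])
        if client is None or params["redirect_uri"] not in client["redirect_uris"]:
            # Never redirect to an unregistered URI: that is how codes leak to attackers.
            raise ValueError("unknown client or unregistered redirect_uri")
        if params.get("response_type") != "code":
            raise ValueError("unsupported response_type")
        if not consent_given:
            return params["redirect_uri"] + "?" + urlencode({"error": "access_denied", "state": params["state"]})
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": params["client_id"], "redirect_uri": params["redirect_uri"],
                            "code_challenge": params["code_challenge"], "scope": params["scope"],
                            "sub": authenticated_user, "exp": time.time() + 60}   # codes are short-lived
        return params["redirect_uri"] + "?" + urlencode({"code": code, "state": params["state"]})

    def token(self, form):
        # Steps 5-6: the code is consumed on first use, so a replayed code fails.
        rec = self.codes.pop(form.get("code"), None)
        if rec is None or rec["exp"] < time.time():
            raise ValueError("invalid_grant: unknown, used or expired code")
        if rec["client_id"] != form.get("client_id") or rec["redirect_uri"] != form.get("redirect_uri"):
            raise ValueError("invalid_grant: code was issued to a different client/redirect_uri")
        expected = b64url(hashlib.sha256(form.get("code_verifier", "").encode()).digest())
        if not secrets.compare_digest(expected, rec["code_challenge"]):
            raise ValueError("invalid_grant: PKCE verifier does not match challenge")
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = {"sub": rec["sub"], "scope": rec["scope"], "exp": time.time() + 3600}
        return {"access_token": access_token, "token_type": "Bearer", "expires_in": 3600, "scope": rec["scope"]}

    def introspect(self, token):
        # Step 8: RFC 7662 style introspection called by the resource server.
        rec = self.tokens.get(token)
        if rec is None or rec["exp"] < time.time():
            return {"active": False}
        return {"active": True, "sub": rec["sub"], "scope": rec["scope"]}


def run_flow(as_, client_id, redirect_uri, user="alice", consent=True):
    """Client side of the flow; returns the resource server's introspection result."""
    state = secrets.token_urlsafe(16)     # binds the callback to this browser session (CSRF defence)
    verifier = secrets.token_urlsafe(48)  # PKCE secret; only its SHA-256 leaves the client
    challenge = b64url(hashlib.sha256(verifier.encode()).digest())
    callback = as_.authorize({   # steps 1-2: the 302 to the authorize endpoint
        "response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
        "scope": "read:profile", "state": state,
        "code_challenge": challenge, "code_challenge_method": "S256",
    }, authenticated_user=user, consent_given=consent)
    q = {k: v[0] for k, v in parse_qs(urlparse(callback).query).items()}
    if not secrets.compare_digest(q.get("state", ""), state):   # step 4: reject foreign callbacks
        raise ValueError("state mismatch: possible CSRF")
    if "error" in q:
        return {"active": False, "error": q["error"]}
    tok = as_.token({"grant_type": "authorization_code", "code": q["code"], "client_id": client_id,
                     "redirect_uri": redirect_uri, "code_verifier": verifier})
    return as_.introspect(tok["access_token"])   # steps 7-8: RS validates the bearer token


def demo():
    as_ = AuthorizationServer()
    as_.register_client("web-app", ["https://app.example/cb"])
    return run_flow(as_, "web-app", "https://app.example/cb")


if __name__ == "__main__":
    print(demo())
```

Three defences that the sequence diagram does not show but that a practitioner relies on are in the code: the redirect URI is checked against the registration before any code is issued, the code is single-use and bound to the PKCE challenge, and the client rejects a callback whose state it did not generate.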
17. Authentication with OIDC
● OpenID Connect was created on top of OAuth 2.0 to provide an identity layer
● Introduces a new scope named "openid"
● Introduces a new token named ID Token, a signed JWT containing user claims, which the client must validate (signature, issuer, audience, expiry, nonce)
● Introduces a new endpoint named "userinfo", called with the access token, to fetch additional user claims
18. OIDC Flow (sequence diagram)
Participants: Resource Owner, Application (OAuth Client), OAuth Authorization Server, OAuth Resource Server.
Arrow labels in diagram order:
1. Resource Owner accesses the Application
2. Application redirects (302) the Resource Owner's browser to the Authorization Server with scope=openid
3. Resource Owner authenticates and gives consent (Authenticate + Consent)
4. Authorization Server returns an Authz Code to the Application via the browser
5. Application sends the Access Token Rq to the Authorization Server
6. Authorization Server returns an Access Token and an ID Token
7. Application sends the User Info Request to the Authorization Server with the Access Token
8. Application sends the Resource Request to the Resource Server with the Access Token
9. Resource Server validates the Access Token with the Authorization Server (Introspect)
19. Party-to-party Delegation with UMA
● User-Managed Access (UMA) is developed on top of OAuth 2.0
● Introduces an entity named "Requesting Party" (a person or organisation distinct from the resource owner) and two access tokens: the "Protection API token" (PAT), held by the resource server, and the "Requesting Party Token" (RPT), held by the client acting for the requesting party
● Lots of use cases in CIAM and IoT:
○ E.g. a patient granting their doctor and insurer access to their health records
○ E.g. a homeowner granting the housemaid permission to rotate the CCTV camera
20. UMA in Action (diagram)
Participants: Resource Owner, Requesting Party, Application (OAuth Client), OAuth Resource Server, OAuth Authorization Server exposing a Protection API, an Authorization API and an Introspection API.
Interactions labelled in the diagram:
● Resource Owner authorizes the Resource Server to register resources at the Authorization Server (Result: PAT)
● Resource Server registers the resource via the Protection API (Register Resource)
● Resource Owner defines policies at the Authorization Server (Define policies)
● Requesting Party, through the Application, accesses the protected resource at the Resource Server (Access Protected Resource)
● Application requests authorization via the Authorization API (Request Authorization; Result: RPT)
● Resource Server validates the RPT via the Introspection API (Validate RPT)
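The interactions above, as an added in-process model that is not part of the slide deck and not any UMA implementation's API: the resource server obtains a PAT and registers a health record, the owner (alice) writes policies for her doctor and insurer, a client acting for each requesting party hits the resource, receives a permission ticket, exchanges it at the authorization server for an RPT, and the resource server validates that RPT by introspection before serving. The party names, the record content and all method names are constructed for the example.

```python
# Added example: UMA 2.0 style party-to-party delegation simulated in one process.
import secrets


class UMAAuthorizationServer:
    def __init__(self):
        self.pats = {}        # PAT -> {"owner", "rs"}
        self.resources = {}   # resource_id -> {"owner", "name", "scopes"}
        self.policies = {}    # resource_id -> {requesting_party: set(scopes)}
        self.tickets = {}     # permission ticket -> {"resource_id", "scopes"}
        self.rpts = {}        # RPT -> {"requesting_party", "permissions"}

    # Protection API: used by the resource server, authenticated with the PAT
    def issue_pat(self, owner, rs_id):
        """Owner authorizes the RS to manage her resources (Result: PAT)."""
        pat = secrets.token_urlsafe(24)
        self.pats[pat] = {"owner": owner, "rs": rs_id}
        return pat

    def _owner_for(self, pat):
        if pat not in self.pats:
            raise PermissionError("invalid PAT")
        return self.pats[pat]["owner"]

    def register_resource(self, pat, name, scopes):   # Register Resource
        rid = secrets.token_hex(8)
        self.resources[rid] = {"owner": self._owner_for(pat), "name": name, "scopes": set(scopes)}
        self.policies[rid] = {}
        return rid

    def request_permission_ticket(self, pat, resource_id, scopes):
        if self.resources[resource_id]["owner"] != self._owner_for(pat):
            raise PermissionError("PAT does not belong to this resource's owner")
        ticket = secrets.token_urlsafe(24)
        self.tickets[ticket] = {"resource_id": resource_id, "scopes": set(scopes)}
        return ticket

    def introspect_rpt(self, pat, rpt):                # Introspection API: Validate RPT
        self._owner_for(pat)
        rec = self.rpts.get(rpt)
        return {"active": False} if rec is None else {"active": True, **rec}

    # Policy definition by the resource owner (Define policies)
    def set_policy(self, owner, resource_id, requesting_party, scopes):
        if self.resources[resource_id]["owner"] != owner:
            raise PermissionError("only the owner may define policy")
        self.policies[resource_id][requesting_party] = set(scopes)

    # Authorization API: client presents the ticket plus the requesting party's identity
    def rpt_from_ticket(self, ticket, requesting_party):
        t = self.tickets.pop(ticket, None)   # tickets are single-use
        if t is None:
            raise PermissionError("invalid or already used ticket")
        granted = t["scopes"] & self.policies[t["resource_id"]].get(requesting_party, set())
        if not granted:
            raise PermissionError("request_denied: owner policy grants none of the requested scopes")
        rpt = secrets.token_urlsafe(24)
        self.rpts[rpt] = {"requesting_party": requesting_party,
                          "permissions": [{"resource_id": t["resource_id"], "scopes": sorted(granted)}]}
        return rpt


class HealthRecordServer:
    """Resource server: stores records and enforces, but never evaluates policy itself."""

    def __init__(self, as_, pat):
        self.as_, self.pat, self.records = as_, pat, {}

    def publish(self, name, content):
        rid = self.as_.register_resource(self.pat, name, ["read", "write"])
        self.records[rid] = content
        return rid

    def get(self, resource_id, rpt=None):
        if rpt:
            info = self.as_.introspect_rpt(self.pat, rpt)
            if info["active"] and any(p["resource_id"] == resource_id and "read" in p["scopes"]
                                      for p in info["permissions"]):
                return 200, self.records[resource_id]
        # No or insufficient RPT: answer 401 with a permission ticket for the needed scope.
        return 401, {"ticket": self.as_.request_permission_ticket(self.pat, resource_id, ["read"])}


def demo():
    as_ = UMAAuthorizationServer()
    pat = as_.issue_pat("alice", "health-records-rs")
    rs = HealthRecordServer(as_, pat)
    rid = rs.publish("alice-health-record", "blood type O+")          # constructed record
    as_.set_policy("alice", rid, "dr.bob", ["read", "write"])
    as_.set_policy("alice", rid, "acme-insurance", ["read"])
    results = {}
    for party in ("dr.bob", "acme-insurance", "stranger"):
        status, body = rs.get(rid)                                    # Access Protected Resource
        try:
            rpt = as_.rpt_from_ticket(body["ticket"], party)          # Request Authorization -> RPT
            results[party] = rs.get(rid, rpt)[0]                      # retry; RS validates the RPT
        except PermissionError:
            results[party] = 403
    return results


if __name__ == "__main__":
    print(demo())
```

The separation the slide describes is visible in the code: the resource server holds only the PAT and asks the authorization server two questions (give me a ticket, is this RPT valid); the requesting party's identity and the owner's policy are evaluated exclusively at the authorization server.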
21. Fine-grained Authorization with XACML
● OASIS standard and the de facto reference model for attribute based access control (ABAC)
● Decouples authorization logic from the application code by expressing it as XML based policies evaluated outside the application
● Consists of 4 key components:
○ Policy Administration Point (PAP): where policies are authored and stored
○ Policy Decision Point (PDP): evaluates a request against the policies and returns Permit, Deny, NotApplicable or Indeterminate
○ Policy Information Point (PIP): supplies attributes the request did not carry
○ Policy Enforcement Point (PEP): intercepts the operation in the application and enforces the decision
22. XACML in Action (diagram)
Participants: Entitlement Administrator, End-user, HR Application containing the Policy Enforcement Point, Policy Administration Point with its Policy Store, Policy Decision Point, Policy Information Point, Identity Provider.
Interactions labelled in the diagram:
● Entitlement Administrator performs CRUD on Policies through the Policy Administration Point, which keeps them in the Policy Store
● End-user performs an operation in the HR Application (Do operation)
● The Policy Enforcement Point sends an XACML Request to the Policy Decision Point
● The Policy Decision Point evaluates the stored policies, pulling missing attributes from the Policy Information Point, which is backed by the Identity Provider
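The four components wired together for the HR scenario in the diagram, as an added example that is not part of the slide deck: the PEP inside the HR application builds a request from subject, resource and action attributes, the PDP evaluates policies from the PAP's store with deny-overrides combining, and the PIP resolves attributes such as role and department from a directory. The policy language here is a simplified Python structure standing in for the XACML XML schema, and the employee directory, attribute names and salary figures are constructed for the example.

```python
# Added example: minimal ABAC engine with the PAP/PDP/PIP/PEP split the slides describe.


class PIP:
    """Policy Information Point: resolves attributes the request did not carry."""

    def __init__(self, hr_directory):
        self.hr = hr_directory   # stands in for the Identity Provider behind the PIP

    def attribute(self, attrs, name):
        if name in attrs:                       # attribute carried in the request itself
            return attrs[name]
        record = self.hr.get(attrs.get("id"))   # otherwise look the entity up by id
        return record.get(name) if record else None


class PAP:
    """Policy Administration Point: CRUD on the policy store."""

    def __init__(self):
        self.store = {}

    def put(self, policy_id, policy):
        self.store[policy_id] = policy

    def delete(self, policy_id):
        self.store.pop(policy_id, None)

    def all(self):
        return list(self.store.values())


class PDP:
    """Policy Decision Point: evaluates applicable policies with deny-overrides combining."""

    def __init__(self, pap, pip):
        self.pap, self.pip = pap, pip

    def decide(self, request):
        def val(category, name):   # attribute lookup delegated to the PIP
            return self.pip.attribute(request[category], name)

        effects = []
        for policy in self.pap.all():
            if not policy["target"](val):       # policy does not apply to this request
                continue
            for rule in policy["rules"]:
                try:
                    if rule["condition"](val):
                        effects.append(rule["effect"])
                except Exception:               # missing attribute or bad comparison
                    effects.append("Indeterminate")
        for outcome in ("Deny", "Indeterminate", "Permit"):   # deny-overrides ordering
            if outcome in effects:
                return outcome
        return "NotApplicable"


class HRApplication:
    """Application with its Policy Enforcement Point in front of the protected operation."""

    def __init__(self, pdp, salaries):
        self.pdp, self.salaries = pdp, salaries

    def view_salary(self, user_id, employee_id):
        request = {"subject": {"id": user_id},
                   "resource": {"id": employee_id, "type": "salary-record"},
                   "action": {"id": "view"}}
        if self.pdp.decide(request) != "Permit":   # PEP: anything but Permit is a denial
            raise PermissionError(f"{user_id} may not view the salary of {employee_id}")
        return self.salaries[employee_id]


def build_demo():
    directory = {   # constructed HR directory served by the PIP
        "alice": {"role": "manager", "department": "engineering"},
        "bob": {"role": "engineer", "department": "engineering"},
        "carol": {"role": "manager", "department": "sales"},
        "dave": {"role": "contractor", "department": "engineering", "status": "offboarded"},
    }
    pap = PAP()
    pap.put("salary-policy", {
        "target": lambda val: val("resource", "type") == "salary-record" and val("action", "id") == "view",
        "rules": [
            # employees may view their own record
            {"effect": "Permit", "condition": lambda val: val("subject", "id") == val("resource", "id")},
            # managers may view records of their own department
            {"effect": "Permit", "condition": lambda val: val("subject", "role") == "manager"
             and val("subject", "department") == val("resource", "department")},
            # offboarded accounts are denied regardless of the rules above
            {"effect": "Deny", "condition": lambda val: val("subject", "status") == "offboarded"},
        ],
    })
    salaries = {"alice": 9000, "bob": 7000, "carol": 8500, "dave": 4000}   # constructed
    return HRApplication(PDP(pap, PIP(directory)), salaries)


if __name__ == "__main__":
    app = build_demo()
    print(app.view_salary("alice", "bob"))
```

Changing who may see what means editing the policy in the PAP, not the HR application: the PEP never learns the rules, and the deny rule wins over a matching permit, which is the property a deny-overrides combining algorithm gives you.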