For those of us who have worked in the identity industry for a bit, we might remember the excitement around single sign-on and federated identity when it was first introduced. I was fortunate to lead a company - Trustgenix - that was heavily involved in the development of the Liberty Alliance and SAML 2.0 standards. We, in fact, defined the concept of a “federation server”!

Standards are important because they result in multi-vendor interoperability. But they’re especially important in the security space, since the specifications are reviewed heavily, any security issues are quickly surfaced (and most often fixed).

So, it was truly satisfying to see interoperable standards-based single sign-on solutions rapidly replace proprietary solutions that had limited applicability. Fast forward to today, and we have near ubiquity in OpenID Connect (OIDC) and SAML 2.0-based authentication. Passkeys and the associated WebAuthN standards are rapidly ushering in the era of passwordless access.

With that, the bleeding edge of identity-driven security now shifts from “who has access” to “what can they do with that access”, in other words, access management or authorization. Just to be clear, authorization is the decision of whether or not to grant a specific user access to a specific resource. Access Management is the management of such authorization decisions.

Current Authorization Standards

It’s not that people haven’t tried to standardize authorization - XACML has been around since 2003 - but it’s safe to say that the standards are not popular and interoperability is lacking. The authorization model formulated by XACML, roughly captured in this diagram, with the components such as Policy Administration Point (PAP), Policy Information Point (PIP), Policy Decision Point (PDP), Policy Enforcement Point (PEP) and so on is now accepted much more broadly than just when one is talking about XACML.

Recently, excitement has built up around Open Policy Agent (OPA), and its associated policy language, Rego. One can think of OPA as both a PDP and a PEP, and access management administrators need to push Rego policies to each OPA node (i.e. each application) in order to enforce policies across the organization. Even with the policy distribution support built into OPA, this gets challenging to manage at scale. Secondly, OPA does not specify how the information needed to make policy decisions reaches each application. Some organizations provide solutions to overcome such limitations of OPA.

Dynamic Session Authorization

When I was at Google, I wrote a blog that defined the Continuous Access Evaluation Protocol (CAEP) to address the issue of dynamic session authorization. This morphed into the Shared Signals Framework, and the Continuous Access Evaluation Profile on top of it. This defines how signals, including authorization information, can be conveyed between different entities that share user sessions. Apple recently announced that they will require custom IDPs to use Shared Signals in order to work with Apple Business Manager. Okta has also announced support for Shared Signals and CAEP.

Authorization for Microservices

The compute environment has also changed dramatically; Instead of monolithic applications, you now have tens of different microservices (and possibly a large number of instances of each type) that now comprise an application. Software supply chain attacks, VPC compromise through privileged user compromise can enable attackers to insert their own microservices into VPCs or make existing microservices behave differently.

How can we ensure that APIs within such a network of microservices aren’t exploited by attackers to make unauthorized requests. This is where the work on Transaction Tokens (informally called TraTs) comes into play. It is currently being discussed in the IETF OAuth working group. TraTs ensure that calls within a microservices network cannot impersonate users other than the one initiating the external call, and can assure that critical parameters of the external call are not modified.

Centralized Access Management

Finally, a new authorization architecture is emerging, called “Centralized Access Management”. This has a number of advantages such as being able to leverage the latest data in order to make authorization decisions, and having one location to change policies without having to make code changes in each application. Centralized Access Management also enables real-time audit logging, which makes regulatory compliance much more robust and easy.

A new working group is in the process of getting formed in the OpenID Foundation, called the AuthZEN working group. As a part of this working group, an API is being defined that will standardize the communication between PDPs and PEPs. This will ensure that applications can simply code to this API and offload all authorization decisions. A working draft of the current API proposal is here.

These standardization initiatives are just getting off the ground, and it’s a long road before anything gets adopted. The recent announcements from Apple and Okta are extremely encouraging, and support seems to be building for TraTs too. The AuthZEN group has a number of enthusiastic members so we hope to see some of that getting adopted soon too.