Episode 093 - GluuFederation/identerati-office-hours GitHub Wiki
Title: Is TBAC the Future? Gluu, SGNL & Strata Weigh In
- Host: Mike Schwartz, Founder/CEO Gluu
- Guest: Atul Tulshibagwale, Co-Founder, CTO SGNL
- Guest: Gerry Gebel, VP Product & Standards at Strata Identity
Description
TBAC is a new access control model that leverages the rich context encoded in tokens, such as JWTs, to make dynamic, fine-grained access decisions. Unlike existing models like RBAC, ABAC, or ReBAC, which rely on roles, attributes, or relationships, TBAC evaluates access based on the information embedded in a bundle of tokens, providing unparalleled flexibility and contextual awareness.
But is a new access control model needed? Is TBAC a re-hashing of other access control models, like ABAC or PBAC? Can tokens contain the context necessary to make decisions without access to other data sources? Could enterprises implement "Zero Standing Privilege" using a TBAC approach?
In this episode of Identerati Office Hours, three of the leaders in modern enterprise identity will discuss the merits of TBAC and the arguments for and against the approach.
Homework
Past Episodes
- Episode 4 with Gerry Gebel and David Brossard: Authz Renaissance: Why now
- Episode 44 with Atul Tulshibagwale: Securing identity and context in microservices
Takeaways
- ⚡ TBAC is not new per se... we've been making policies based on the contents of tokens in many existing ecosystems. But within the enterprise IAM space, making policies less person-centric, and more token-centric, does seem like a change.
- ⚡ Are tokens input to policy? It's a little circular, because you also need policies to issue the tokens in the first place.
- ⚡ Do transaction tokens--one more new type of OAuth JWT--too ambitiously increase the cognitive load on developers? Is one transaction token even enough for an authorization decision in the backend? This technology is still very new and it remains to be seen whether it will be adopted. But it is certainly a sign that we're going to see a lot more tokens to consider in our policies in the future.
- ⚡ A bundle of tokens implicitly identifies a number of different entities--person, workload, or even organization(s). A PDP that implements token-based access control can reduce the cognitive load on developers by handling the mapping of tokens to users and workloads.
- ⚡ Older access control systems that answer "who can do what" cover just a subset of the policies needed to control access to resources. Enterprises will need new ways to govern the breadth of policies required for TBAC.
- ⚡ AuthZen defines how you can send a PARC request (Principal, Action, Resource, Context). But it doesn't provide any guidance on what goes in that request. For example, in the Cedarling, you can send an AuthZen request with a bundle of tokens as the Principal. That would break any AuthZen PDP that is expecting an email address as the Principal.
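As an added example (not code from the episode, Gluu or the Cedarling project), the Python below works through the two takeaways on token bundles: a PDP verifies a constructed bundle of HS256 tokens (a demo key stands in for the issuer's JWKS, and the `org` claim is constructed), maps it to the user, workload and organization it identifies, and builds an AuthZen evaluation request with that user as the subject. The `token_principal_request` layout, where the raw bundle stands in for the principal, is an assumed Cedarling-style shape; `accepts_subject` shows why a PDP expecting a plain subject id rejects it.

```python
import base64, hashlib, hmac, json
DEMO_KEY = b"constructed-demo-key"  # stands in for the issuer's signing key / JWKS

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_jwt(claims: dict) -> str:
    """Constructed HS256 JWT, used only to build the sample bundle below."""
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(DEMO_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(sig)}"

def verify_jwt(token: str) -> dict:
    """Verify the signature before trusting any claim; raise on mismatch."""
    head, body, sig = token.split(".")
    want = hmac.new(DEMO_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(want, b64url_decode(sig)):
        raise ValueError("token signature invalid")
    return json.loads(b64url_decode(body))

# Constructed bundle: an id_token for the person and an access_token for the
# calling workload ("org" is a constructed claim naming the organization).
SAMPLE_BUNDLE = {
    "id_token": mint_jwt({"sub": "alice", "org": "acme"}),
    "access_token": mint_jwt({"sub": "alice", "azp": "billing-svc", "scope": "read"}),
}

def principals_from_bundle(bundle: dict) -> dict:
    """PDP-side mapping of a token bundle to the entities it identifies."""
    idt, at = verify_jwt(bundle["id_token"]), verify_jwt(bundle["access_token"])
    return {"user": idt["sub"], "workload": at["azp"], "org": idt.get("org")}

def authzen_request(bundle: dict, action: str, resource: dict) -> dict:
    """AuthZen evaluation request with the mapped user as the subject."""
    p = principals_from_bundle(bundle)
    return {"subject": {"type": "user", "id": p["user"],
                        "properties": {"workload": p["workload"], "org": p["org"]}},
            "action": {"name": action}, "resource": resource, "context": {}}

def token_principal_request(bundle: dict, action: str, resource: dict) -> dict:
    """Assumed Cedarling-style layout: the raw token bundle stands in for the principal."""
    return {"tokens": bundle, "action": {"name": action}, "resource": resource, "context": {}}

def accepts_subject(req: dict, expected_type: str = "user") -> bool:
    """Guard for a PDP that expects a plain subject id (an email or sub claim)."""
    subj = req.get("subject")
    return isinstance(subj, dict) and subj.get("type") == expected_type and isinstance(subj.get("id"), str)
```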