Episode 100 - GluuFederation/identerati-office-hours GitHub Wiki
Title: Is TBAC the Next Big Thing?
- Host: Mike Schwartz, Founder/CEO Gluu
- Guest: Eve Maler, President and Founder, Venn Factory (first appeared in Episode 33)
Description
The number of JWT tokens out there is rapidly expanding. Beyond traditional federation tokens, like OAuth access tokens and OpenID identity assertions, there is a whole new category of "decentralized tokens", i.e. verifiable credentials, with myriad issuers and potential ecosystem schemas. We are also seeing JWTs issued by platforms like Google to attest to the integrity of mobile software installed on a device. FIDO is defining JWT attestations about the security of authenticators (how is the key stored?). Tokens are used by federations to convey trust, for example the JWTs issued by open banking federations to fintech companies. The pace is not slowing down. The WIMSE working group at the IETF is likely to introduce several new tokens for workload identity. And another draft at the IETF called "transaction tokens" is enabling enterprises to embed business-specific details into tokens. How are access control models going to evolve to address this important new input to policies? There is one inevitable conclusion: person-centric access control models like RBAC can solve an increasingly smaller subset of the access control challenges enterprises are facing.
In this 100th episode, we'll discuss whether a new solution has presented itself: Token-Based Access Control (TBAC). Does TBAC offer enterprises a way to implement continuous authentication and just-in-time access control for both humans and workloads across a range of mobile, cloud, and even disconnected applications? And if so, what would be the impact on how enterprises need to think about access control in the post-token-explosion world we are living in?
Homework
Eve mentioned:
- David Birch article: The “Sailing Ship Effect” in Financial Services
- CSA article: Agentic AI Identity Management Approach
- Justin Richer: Federation Bubble webinar
- Epiphenomenon Wikipedia page
Takeaways
- ⚡ TBAC resonates with Eve as something that's been there in the background.
- ⚡ Regarding token types: X.509 certificates aren't as easily extensible as JWTs (thanks to the audience for pointing that out). So although X.509 certificates (or even SAML assertions) are also tokens, JWTs are just a nice, convenient (and secure) container for whatever data is needed.
- ⚡ The Venn Factory founder agreed with Mike's Venn diagram (in the slides) showing workload authorization use cases outnumbering person and organization authorization.
- ⚡ If JWTs are the PIP, what does this mean for the architecture? What about revocation? Can the application assemble this data and send it as an "unsigned" plain JSON payload, i.e. application-asserted data?
- ⚡ If a bundle of tokens (and not the person) is the subject of the authorization request, other questions remain about how TBAC would work: Governance? Policy lifecycle? Threat detection capabilities? Reporting/dashboards? Developer outreach? Intersection with Zero Trust?
- ⚡ Sun history question of the month: Remember "The Fedlet"? Why did it have a "The" before the product name?
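To make the architectural questions above concrete (a bundle of tokens as the subject of the decision, JWTs as the PIP, what to do with unsigned application-asserted JSON, and how short-lived tokens stand in for revocation), here is an added example of a minimal TBAC policy decision point. It is not code from Gluu, the office hours, or any speaker: the issuer names, claim names, token types and keys are constructed for the illustration, and HS256 with shared keys is used only so the block runs offline with the standard library (a real PDP would verify asymmetric signatures against each issuer's published keys). Tokens that fail verification are dropped from the bundle rather than partially trusted, and unsigned dicts are logged and ignored because they carry no issuer attestation.

```python
"""Token-Based Access Control (TBAC) decision over a bundle of JWTs.

Added example for these show notes, not code from Gluu or any speaker.
Issuer names, claim names, keys and policy are constructed; HS256 is used
only so the block runs offline with the standard library.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed trust registry: the token type each issuer is trusted for and
# the verification key the PDP holds for it (asymmetric keys in practice).
TRUSTED_ISSUERS = {
    "https://as.example.test": ("access", b"as-demo-key"),
    "https://wimse.example.test": ("workload", b"wl-demo-key"),
    "https://attest.example.test": ("device", b"dev-demo-key"),
}

# Constructed policy: the verified token claims an action requires.
REQUIRED_FOR_ACTION = {
    "payment:initiate": {
        "access": lambda c: "payments" in c.get("scope", "").split(),
        "workload": lambda c: c.get("sub") == "payments-api",
        "device": lambda c: c.get("integrity") == "verified",
    },
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_jwt(claims: dict, key: bytes) -> str:
    """Issuer side: HS256 JWS compact serialization (used to build test data)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_jwt(token: str, now: float) -> Optional[dict]:
    """Return the claims only if the issuer is trusted, the alg is the expected
    one, the signature verifies under that issuer's key, and exp is in the future."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
    except ValueError:  # wrong segment count, bad base64, bad JSON
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    if header.get("alg") != "HS256":  # never let the token choose the algorithm
        return None
    entry = TRUSTED_ISSUERS.get(claims.get("iss"))
    if entry is None:
        return None
    token_type, key = entry
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return None
    return {**claims, "_type": token_type}

def decide(bundle: list, action: str, now: Optional[float] = None):
    """TBAC decision: the subject is the bundle of *verified* tokens, not a person.
    Returns (allowed, reasons). Unsigned dicts model application-asserted data."""
    now = time.time() if now is None else now
    notes, facts = [], {}
    for item in bundle:
        if not isinstance(item, str):
            notes.append("ignored unsigned application-asserted data")
            continue
        claims = verify_jwt(item, now)
        if claims is None:
            notes.append("rejected token: untrusted issuer, bad signature, or expired")
            continue
        facts[claims["_type"]] = claims
    requirements = REQUIRED_FOR_ACTION.get(action)
    if requirements is None:
        return False, notes + [f"no policy for action {action!r}"]
    denials = []
    for token_type, check in requirements.items():
        claims = facts.get(token_type)
        if claims is None:
            denials.append(f"missing verified {token_type} token")
        elif not check(claims):
            denials.append(f"{token_type} token does not satisfy policy")
    return not denials, notes + denials

def demo(now: float = 1_700_000_000.0):
    """Constructed bundle run through four cases: good, forged, unsigned, expired."""
    exp = now + 300  # short-lived tokens: expiry does the work of revocation
    access = mint_jwt({"iss": "https://as.example.test", "sub": "alice",
                       "scope": "openid payments", "exp": exp}, b"as-demo-key")
    workload = mint_jwt({"iss": "https://wimse.example.test", "sub": "payments-api",
                         "exp": exp}, b"wl-demo-key")
    device = mint_jwt({"iss": "https://attest.example.test", "integrity": "verified",
                       "exp": exp}, b"dev-demo-key")
    good = decide([access, workload, device], "payment:initiate", now)
    h, _, s = access.split(".")  # forged: payload edited, original signature kept
    forged_payload = _b64url(json.dumps({"iss": "https://as.example.test", "sub": "alice",
                                         "scope": "openid payments admin", "exp": exp}).encode())
    forged = decide([f"{h}.{forged_payload}.{s}", workload, device], "payment:initiate", now)
    unsigned = decide([access, workload, {"integrity": "verified"}], "payment:initiate", now)
    expired = decide([access, workload, device], "payment:initiate", now + 600)
    return good, forged, unsigned, expired

if __name__ == "__main__":
    for name, result in zip(("good", "forged", "unsigned", "expired"), demo()):
        print(name, result)
```

The design choice worth noting is that the PDP never reasons about a person: it reasons about which issuer-attested facts survived verification. That is why the "unsigned plain JSON" question has a sharp answer here: the application can send it, but it cannot make the device requirement true, because only a verified token from the attestation issuer can populate that slot.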