Episode 100: Is TBAC the Next Big Thing? - GluuFederation/identerati-office-hours GitHub Wiki
Title: Is TBAC the Next Big Thing?
-
Host: Mike Schwartz, Founder/CEO Gluu
-
Guest: Eve Maler, President, Founder Venn Factory
Description
The number of JWTs out there is rapidly expanding. Beyond traditional federation tokens, like OAuth access tokens and OpenID identity assertions, there is a whole new category of "decentralized tokens", i.e. verifiable credentials, with myriad issuers and potential ecosystem schemas. We are also seeing JWTs issued by platforms like Google to attest to the integrity of mobile software installed on a device. FIDO is defining JWT attestations about the security of authenticators (how is the key stored?). Tokens are used by federations to convey trust, for example the JWTs issued by open banking federations to fintech companies. The pace is not slowing down. The WIMSE working group at the IETF is likely to introduce several new tokens for workload identity. And another draft at the IETF called "transaction tokens" is enabling enterprises to embed business-specific details into tokens. How are access control models going to evolve to address this new and important input to policies? There is one inevitable conclusion: person-centric access control models like RBAC can solve an ever smaller subset of the access control challenges enterprises are facing.
In this 100th episode, we'll discuss whether a new solution has presented itself: Token Based Access Control. Does TBAC offer enterprises a way to implement continuous authentication and just-in-time access control for both humans and workloads across a range of mobile, cloud, and even disconnected applications? And if so, what would be the impact on how enterprises need to think about access control in the post-token-explosion world we are living in?
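To make the idea above concrete, here is an added illustration (written for this page, not code from Gluu, Venn Factory or any TBAC specification) of a policy decision that takes several tokens as input instead of a single identity. The three issuers, the claim names (`app_integrity`, `txn`), the amount limit and the HS256 keys are all constructed assumptions; a real deployment would resolve each issuer's asymmetric keys from its JWKS and would check `aud` on every token, not only the access token.

```python
"""Added example: a token-based access decision over several JWTs.

Hypothetical issuers, claim names and policy; HS256 with shared secrets is
used only so the example runs offline.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed keys, one per trusted issuer (assumption for this example).
KEYS = {
    "https://idp.example": b"idp-secret-key",        # OAuth / OIDC issuer
    "https://attest.example": b"attest-secret-key",  # app-integrity attestation
    "https://txn.example": b"txn-secret-key",        # transaction token service
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_jwt(claims: dict, key: bytes) -> str:
    """Mint an HS256 JWT; used here only to build constructed sample tokens."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_jwt(token: str, now: int) -> dict:
    """Return the claims if the token is HS256, signed by a known issuer and
    unexpired; raise ValueError otherwise. 'iss' is read from the unverified
    payload only to pick the key; nothing is trusted before the signature check."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        if not isinstance(header, dict) or not isinstance(payload, dict):
            raise ValueError
    except ValueError as exc:
        raise ValueError("malformed token") from exc
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token pick the algorithm
    key = KEYS.get(payload.get("iss"))
    if key is None:
        raise ValueError("unknown issuer")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    if payload.get("exp", 0) <= now:
        raise ValueError("expired")
    return payload

def decide(tokens: list, now: int = None) -> tuple:
    """Decide a 'payments:write' request from the set of presented tokens.
    Assumed policy: an access token for this API with the scope, a VERIFIED
    app-integrity attestation, and a transaction token bound to the same
    subject whose amount is within limit. Returns (allowed, reason)."""
    now = int(time.time()) if now is None else now
    by_iss = {}
    for t in tokens:
        try:
            claims = verify_jwt(t, now)
        except ValueError as exc:
            return False, f"rejected token: {exc}"  # one bad token fails closed
        by_iss[claims["iss"]] = claims
    access = by_iss.get("https://idp.example")
    attest = by_iss.get("https://attest.example")
    txn = by_iss.get("https://txn.example")
    if (not access or access.get("aud") != "payments-api"
            or "payments:write" not in access.get("scope", "").split()):
        return False, "no suitable access token"
    if not attest or attest.get("app_integrity") != "VERIFIED":
        return False, "device integrity not attested"
    if not txn or txn.get("sub") != access.get("sub"):
        return False, "transaction token missing or not bound to subject"
    if txn.get("txn", {}).get("amount", float("inf")) > 1000:
        return False, "amount exceeds limit"
    return True, "allow"

def sample_tokens(now: int, ttl: int = 300, integrity: str = "VERIFIED", amount: int = 250) -> list:
    """Constructed sample tokens for one request by subject 'alice'."""
    exp = now + ttl
    return [
        make_jwt({"iss": "https://idp.example", "sub": "alice", "aud": "payments-api",
                  "scope": "payments:read payments:write", "exp": exp}, KEYS["https://idp.example"]),
        make_jwt({"iss": "https://attest.example", "sub": "alice", "app_integrity": integrity,
                  "exp": exp}, KEYS["https://attest.example"]),
        make_jwt({"iss": "https://txn.example", "sub": "alice",
                  "txn": {"type": "payment", "amount": amount}, "exp": exp}, KEYS["https://txn.example"]),
    ]

if __name__ == "__main__":
    now = int(time.time())
    print(decide(sample_tokens(now), now))
    print(decide(sample_tokens(now, integrity="FAILED"), now))
```

The point of the example is the shape of the decision: the subject's role never appears, and removing or weakening any one token (no attestation, an over-limit transaction, an expired or forged token) flips the outcome to deny, which is what continuous, per-request authorization over tokens looks like in practice.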
Homework
Takeaways
TBD