This slide deck explores how Identity APIs have evolved over time to cater to consumer and enterprise requirements, and real-world scenarios where tough identity challenges have been successfully tackled by using them.
Learn more: https://wso2.com/library/conference/2018/08/wso2con-asia-2018-identity-apis-is-the-new-black/
[WSO2Con Asia 2018] Identity APIs is the New Black
1. Identity APIs is the New Black
Ishara Karunarathna, Technical Lead, WSO2
2. Story of Kermit Corporation
[Diagram: Kermit Corp runs an HR Application, a Payroll Application and a License Application, each backed by its own user store (LDAP, AD, RDB); the same physical user appears under different identifiers (John, Li, JohnL) across the silos.]
3. IAM Challenges in Kermit Corp
● Same physical user digitally represented in different silos with different credentials
● No single sign-on across silos
● Higher probability of identity mismanagement
● Identity integrations across department/enterprise borders are difficult or impossible
8. Customer (is the king!) IAM
● Social login and BYOI
● Seamless experience across devices (Omnichannel)
● Privacy
○ Consent management
○ Ownership of user information
● Party-to-party delegation
16. Delegated Authorization with OAuth 2.0
Authorization Code Grant
Suitable for web applications
SAML Bearer Grant
Suitable for apps already using SAML SSO for authentication
JWT Grant
Suitable for apps already using a JWT mechanism for authentication
Client Credentials Grant
Suitable to retrieve data not specific to end users (e.g. Weather/Stocks) and for machine-to-machine communications
17. Authz Code Grant Flow
[Diagram: Authz Code Grant Flow. Participants: Resource Owner, Application (OAuth Client), OAuth Authorization Server, OAuth Resource Server. Eight numbered steps, labelled: Authenticate + Consent, 302, Authz Code, Access Token Rq, Access Token, Resource Request, Introspect, Access Token. Prerequisite: the client application is registered with the Authz Server manually or via Dynamic Client Registration.]
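The exchange shown on this slide, as an added example that is not part of the original deck: a constructed in-memory authorization server that issues a code bound to the registered client and redirect URI, exchanges it exactly once for an access token, and answers introspection for a resource server. The class and function names, the client id and all sample values are assumptions made for the example.

```python
import secrets
import time

class AuthorizationServer:
    """In-memory stand-in for the OAuth Authorization Server (constructed example)."""
    def __init__(self):
        self.clients = {}  # client_id -> (client_secret, registered redirect_uri)
        self.codes = {}    # authorization code -> grant (short-lived, single use)
        self.tokens = {}   # access token -> token details

    def register_client(self, client_id, client_secret, redirect_uri):
        # Prerequisite from the slide: the client is registered before any flow runs.
        self.clients[client_id] = (client_secret, redirect_uri)

    def authorize(self, client_id, redirect_uri, scope, authenticated_user, consented):
        """Resource owner has authenticated and consented: 302 back with a code."""
        if redirect_uri != self.clients[client_id][1] or not consented:
            raise PermissionError("unregistered redirect_uri or consent denied")
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "sub": authenticated_user, "scope": scope, "exp": time.time() + 60}
        return f"{redirect_uri}?code={code}"  # Location header of the 302 redirect

    def token(self, client_id, client_secret, code, redirect_uri):
        """Client exchanges the code for an access token; the code is consumed on use."""
        secret = self.clients.get(client_id, ("", ""))[0]
        grant = self.codes.pop(code, None)  # pop: a replayed code is rejected below
        if (grant is None or not secrets.compare_digest(secret, client_secret)
                or grant["client_id"] != client_id or grant["redirect_uri"] != redirect_uri
                or grant["exp"] < time.time()):
            raise PermissionError("invalid_grant")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"sub": grant["sub"], "scope": grant["scope"],
                              "client_id": client_id, "exp": time.time() + 3600}
        return token

    def introspect(self, token):
        """Introspection endpoint: tells the resource server whether a token is active."""
        info = self.tokens.get(token)
        if info is None or info["exp"] < time.time():
            return {"active": False}
        return {"active": True, **info}

def resource_request(authz_server, access_token, required_scope):
    """OAuth Resource Server: accept the request only after introspecting the token."""
    info = authz_server.introspect(access_token)
    if not info["active"] or required_scope not in info["scope"].split():
        return 401, None
    return 200, {"owner": info["sub"], "data": "payroll record"}
```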
18. Authentication with OIDC
● OpenID Connect was created on top of OAuth 2.0 to provide an identity layer
● Introduces a new scope named “openid”
● Introduces a new token named ID Token, containing user claims
● Introduces a new endpoint named ‘userinfo’, to fetch additional user claims
19. OIDC Flow
[Diagram: OIDC Flow. Participants: Resource Owner, Application (OAuth Client), OAuth Authorization Server, OAuth Resource Server. Nine numbered steps, labelled: scope=openid, Authenticate + Consent, 302, Authz Code, Access Token Rq, Access Token, ID Token, User Info Request, Resource Request, Introspect.]
20. Party-to-party Delegation with UMA 2.0
● Developed on top of OAuth 2.0
● Introduces an entity named ‘Requesting Party’, and two access tokens named ‘Protection API token’ (PAT) and ‘Requesting Party Token’ (RPT)
● Lots of use cases in CIAM and IoT:
○ E.g. A patient granting access to Doctor and Insurer to their health records
○ E.g. Homeowner granting rotate access of the CCTV camera to the housemaid
21. UMA 2.0 in Action
[Diagram: UMA 2.0 in Action. Participants: Resource Owner, Requesting Party, Application (OAuth Client), OAuth Resource Server, and OAuth Authorization Server exposing a Protection API, an Authorization API and an Introspection API. Labelled interactions: Authorize to register resources, Register Resource, Define policies, Access Protected Resource, Request Authorization, Validate RPT, Result: PAT, Result: RPT.]
22. Fine-grained Authorization with XACML
● Standard for attribute based access control
● Decouples authorization logic from the application code by introducing XML based policies
● Consists of 4 key components:
○ Policy Administration Point
○ Policy Decision Point
○ Policy Information Point
○ Policy Enforcement Point
23. XACML in Action
[Diagram: XACML in Action. Participants: Entitlement Administrator, End-user, HR Application, Policy Enforcement Point, Identity Provider, Policy Decision Point, Policy Information Point, Policy Administration Point, Policy Store. Labelled interactions: CRUD Policies, Do operation, XACML Request.]
24. Open Policy Agent (OPA)
● Enforcement API: Service requests decisions
● Management API: Management pushes updates
[Diagram: a Service sends a Query to OPA and receives a Decision; OPA holds Data and Policy.]