Web Blog_blogentry_010317_1


Complexity and why OAuth 2.0 and OpenID Connect Help#

In a traditional WEB Access Management product there are three primary methods used:

How WEB Access Management products are implemented#

In many, if not most, WEB Access Management product implementations, only "coarse-grained" access (which URLs require an authenticated user, and in which role) is protected by the WEB Access Management product. "Fine-grained" access control is typically done within the Application (APIs and Microservices are, of course, excluded here).

So when a new application comes on board, the Access Management team must configure the protected URLs for it. The WEB team knows what needs to be protected but not how to configure the Access Management tool; the Access Management team knows how to configure the Access Management tool but not what to protect. This implies a hand-off, often via a Change Control Process, where information can be lost or misunderstood.

When using OAuth 2.0 and OpenID Connect, once the OAuth Client is set up, the Web Team can control Application access using the security-constraint within the Web container, a concept they are already familiar with.

As the Application can obtain Identity State directly using OpenID Connect, the requirement for WAM WEB Agents in front of it becomes less important.

Many WEB Access Management product implementations#

Many of the WEB Access Management products use OpenID Connect to communicate with their agents.

The advantage of WEB Access Management products#

The big advantage provided by these WEB Access Management products is the management of a centralized policy store and Policy Decision Point where the policies which determine access to Protected Resources are kept and evaluated (in XACML terms the Policy Retrieval Point and PDP; the Policy Information Point proper only supplies the attributes those policies consume). In many Organizations this centralized capability is not well utilized, as many organizations have never classified applications or performed Data Classification sufficiently to be able to make proper use of it. The effective Policy Decision Point and Policy Enforcement Point is within the Application.

There is also some advantage to the WEB Access Management products in the use of a formalized and centralized Policy Administration Point, provided the organization has performed proper Data Classification.

OpenID Connect, where the rubber meets the road#

OpenID Connect allows the Applications Team, who are typically the ones really deciding the Access Control policy, to implement Access Control in the methodology they are most familiar with, without having to go through a change control process to have the desired actions implemented by another group.

OpenID Connect#

OpenID Connect also has the advantage that the Application never sees the user's Credentials; the user authenticates at the OpenID Provider and the Application receives only an ID Token (and, optionally, an Access Token). That added security benefit holds only if the Application validates the ID Token before trusting it: check the signature against the key or client_secret it registered with, and check iss, aud, exp and the nonce it sent in the authentication request.
