Web Blog_blogentry_231215_1


Zero-knowledge proof#

OAuth 2.0 & XACML[1]#

Authorization has many different facets, and to describe OAuth solely as an ‘authorization standard’ invites confusion with the other authorization facets. For instance, the eXtensible Access Control Markup Language (XACML) is manifestly focused on authorization, but there is effectively no overlap at all between XACML and OAuth 2.0 (in fact they are nicely composable).

In the case of obtaining the Resource Owner’s consent before the token is issued to the client, the OAuth 2.0 Authorization Server (AS) effectively plays the role of the XACML Policy Information Point, in which the policy is defined and subsequently stored as an XACML policy. In this case, the XACML policy might record the fact that the Resource Owner consented to the client being able to read their attributes held at the Resource Server (RS), but not make any changes. Once it receives the token from the AS, the client can then use that token on its API calls to the RS. At the RS, an XACML Policy Enforcement Point (PEP) would intercept the API call (let’s assume it was an HTTP POST that attempted to add some new attribute to the Resource Owner’s store) and call out to the XACML Policy Decision Point (PDP) to obtain an access control decision. In this case, as the Resource Owner has previously specified that the client could read but not write, the POST request would be denied and the PDP would respond accordingly to the PEP.

To be clear, OAuth does not presume or require an underlying XACML infrastructure. The point here is only that OAuth and XACML, while both authorization-centric, are compatible.
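The flow above, modelled end to end as an added example (this is illustrative code written for this page, not code from the original article, from any OAuth 2.0 or XACML implementation, or from the cited source). It assumes a toy Authorization Server that records the Resource Owner's consent as an XACML-style policy (subject = client, resource = the owner's attribute store, permitted actions) and issues an opaque bearer token; a Resource Server whose PEP maps the HTTP method to an action, resolves the token through an introspection-style lookup, and asks a PDP for a Permit/Deny/NotApplicable decision. All names (`PolicyStore`, `AuthorizationServer`, `PolicyEnforcementPoint`, the `/attrs/<owner>` path layout, the client id and owner names) are constructed for the example.

```python
"""Toy OAuth 2.0 consent recorded as an XACML-style policy and enforced by a PEP/PDP pair.

Added example for illustration only; every class, path and sample value here is constructed
and is not part of any real OAuth or XACML product.
"""
from dataclasses import dataclass
import secrets


@dataclass(frozen=True)
class Policy:
    """One XACML-like policy: which client may perform which actions on which resource."""
    subject: str          # OAuth client_id the Resource Owner consented for
    resource: str         # identifier of the Resource Owner's attribute store
    actions: frozenset    # actions consented to, e.g. {"read"}


class PolicyStore:
    """Shared store: the AS writes consent here as policies, the PDP reads them back."""
    def __init__(self):
        self._policies = []

    def add(self, policy):
        self._policies.append(policy)

    def find(self, subject, resource):
        for p in self._policies:
            if p.subject == subject and p.resource == resource:
                return p
        return None


class AuthorizationServer:
    """Obtains consent, records it as a policy, and issues an opaque access token."""
    def __init__(self, policy_store):
        self.policies = policy_store
        self._tokens = {}  # opaque token -> client_id it was issued to

    def consent_and_issue(self, resource_owner, client_id, allowed_actions):
        # The consent decision itself is what becomes the stored policy.
        self.policies.add(Policy(client_id, f"attrs:{resource_owner}", frozenset(allowed_actions)))
        token = secrets.token_urlsafe(16)
        self._tokens[token] = client_id
        return token

    def introspect(self, token):
        """Introspection-style lookup: which client does this token belong to? (None if unknown)"""
        return self._tokens.get(token)


# How the PEP translates an HTTP method into an XACML-style action.
HTTP_METHOD_TO_ACTION = {"GET": "read", "HEAD": "read",
                         "POST": "write", "PUT": "write",
                         "PATCH": "write", "DELETE": "write"}


class PolicyDecisionPoint:
    """Evaluates a (subject, resource, action) request against stored policies."""
    def __init__(self, policy_store):
        self.policies = policy_store

    def decide(self, subject, resource, action):
        policy = self.policies.find(subject, resource)
        if policy is None:
            return "NotApplicable"   # no consent on record for this client/resource pair
        return "Permit" if action in policy.actions else "Deny"


class PolicyEnforcementPoint:
    """Sits in front of the Resource Server API; deny-biased: anything but Permit is refused."""
    def __init__(self, auth_server, pdp):
        self.auth_server = auth_server
        self.pdp = pdp

    def handle(self, method, path, headers):
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer "):
            return 401
        client_id = self.auth_server.introspect(auth[len("Bearer "):])
        if client_id is None:
            return 401               # unknown or forged token
        parts = path.strip("/").split("/")
        if len(parts) != 2 or parts[0] != "attrs":
            return 404
        action = HTTP_METHOD_TO_ACTION.get(method)
        if action is None:
            return 405
        decision = self.pdp.decide(client_id, f"attrs:{parts[1]}", action)
        return 200 if decision == "Permit" else 403


def demo():
    """Constructed scenario: alice consents to client-123 reading, but not changing, her attributes."""
    store = PolicyStore()
    auth_server = AuthorizationServer(store)
    pep = PolicyEnforcementPoint(auth_server, PolicyDecisionPoint(store))
    token = auth_server.consent_and_issue("alice", "client-123", ["read"])
    hdrs = {"Authorization": f"Bearer {token}"}
    return {
        "read_alice": pep.handle("GET", "/attrs/alice", hdrs),                     # Permit -> 200
        "write_alice": pep.handle("POST", "/attrs/alice", hdrs),                   # Deny -> 403
        "read_bob": pep.handle("GET", "/attrs/bob", hdrs),                         # NotApplicable -> 403
        "no_token": pep.handle("GET", "/attrs/alice", {}),                         # 401
        "bad_token": pep.handle("GET", "/attrs/alice", {"Authorization": "Bearer forged"}),  # 401
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: HTTP {status}")
```

The two layers stay separate, which is the composability point of the section: the token only establishes which client is calling, and the PDP alone decides whether that client's recorded consent covers the requested action on the requested resource. The PEP is deny-biased, so a NotApplicable decision (no consent on record, as in the `read_bob` case) is refused just like an explicit Deny.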

OAuth 2.0 & SAML[2]#

As you might expect for two general purpose security frameworks, there are a number of different integration points between OAuth 2.0 and the Security Assertion Markup Language (SAML), including:

We compare some of the various facets of Standards-Based SSO.
