
Accelerate Your Identity


claims-based authorizations conversation

I was following a conversation on Twitter about claims-based authorizations … the guys having the conversation brought up some pretty good points and I thought it would be great to have a copy of this conversation. Feel free to correct any mistakes I may have made in my notes. I’d like to eventually follow up with Nishant and get more information on his last tweet about the RP not needing to know the decision context. I generally agree with the statement but I am wondering about the use cases where the RP does want/need to know about the decision context. … maybe you guys @nishantK, @paulmadsen, or @indpendentid could add some examples of what a “decision context” would or could look like.

paulmadsen

Is it within a PDPs job description to respond to queries of the form ‘I intend to do X at Y. That OK?’ with a signed ‘You can do X at Y’

4/7/11 1:40 PM

bobblakley 

@paulmadsen You’ve essentially described a subject-bound capability. You can do this as a bearer token too; “the bearer can do X at Y”

4/7/11 1:47 PM

bobblakley 

@bobblakley @paulmadsen (and to answer your actual question: it depends. On the PDP’s interface and semantic description)

4/7/11 1:50 PM

paulmadsen 

@bobblakley thanks Bob, that’s what I expected. So PDP not necessarily constrained to y/n answers

4/7/11 2:02 PM

independentid 

@paulmadsen Pre-use decisions carry the same issues as claims-based attributes. Tendency towards more information in case of need>gtr costs

4/7/11 2:17 PM

paulmadsen 

@independentid you seem to be interpreting ‘claims-based’ more narrowly than I, ie that they necessarily imply capabilities/pre-use authz?

4/7/11 2:27 PM

NishantK 

@paulmadsen But that’s the model that is needed to deliver on the promise of claims-based authorization, isn’t it? /cc @independentid

4/7/11 2:52 PM

paulmadsen 

@NishantK I think a claim can carry (as per Hal) either a property or a capability – the latter implies the issuer does some ‘pre-authz’

4/7/11 2:56 PM

NishantK 

@paulmadsen Agreed. But to @independentid’s point, both cases precede actual use, and force sender of claim to “plan” for all possibilities

4/7/11 3:28 PM

independentid 

@NishantK @paulmadsen How does sender know what decisions will be needed? Discovery – security constraint? Can decider decide without context?

4/7/11 3:32 PM

paulmadsen 

@NishantK but with the property model, the issuer doesn’t need to know the particulars of the subsequent use – like a passport

4/7/11 3:32 PM

paulmadsen 

@independentid agreed. Capabilities model implies resource info made available to PAP

4/7/11 3:36 PM

independentid 

@paulmadsen Kind of like the “visa”s we used to have for meetings in the US? The analogy that advance decisions are like passport visas.

4/7/11 3:36 PM

paulmadsen 

@independentid who issued the visa – Canada or the US? 🙂

4/7/11 3:41 PM

independentid 

@paulmadsen Well, I believe since you are in Canada, the PDP is US. I know it’s confusing, since your US PDP is actually in Ottawa

4/7/11 3:43 PM

paulmadsen 

@independentid it’s an exit visa I’m thinking of, ie Canada saying I’m allowed to leave

4/7/11 3:49 PM

NishantK 

@paulmadsen Yes, property model means issuer doesn’t need to know, but also can’t know if it wants to (which is a real issue for enterprise)

4/7/11 4:28 PM

NishantK 

@paulmadsen Also externalizing authZ is about RP not needing to know decision context (something they’re often bad at), leaving it to Issuer

4/7/11 4:41 PM


Additional comments made: The conversation continued after I had left work … and then picked up briefly this morning. I wanted to add the additional comments so that the entire thread was captured.

I agree with Steve and would like to see a collection of use cases that focus on externalized authorization. @paulmadsen suggested that @ggebel was the go-to source for such use cases. I know that he has been blogging about these here (http://analyzingidentity.com/).
benatnovell

@brad_tumy I think @nishantk was right on about RP not needing to know decision context… I feel it is a core tenet of externalizing authZ

4/7/11 5:41 PM

benatnovell

@brad_tumy @nishantk I think it is a separation of duties issue… if info is to be shared with the RP, should be by the issuer not the PDP

4/7/11 5:45 PM

paulmadsen

RT @brad_tumy @benatnovell @nishantk agree they don’t “need” to know most cases … is there a case where would need to know? < Audit?

4/7/11 5:47 PM

Steve_Lockstep

@paulmadsen @brad_tumy CCW as in COM Callable Wrapper? Too tech for me 😉 I just say context usually clear to RP so design claims to match

4/7/11 5:50 PM

NishantK

@paulmadsen So you’re saying that “Because he told me to” won’t hold up under auditor’s stern (but loving) gaze? @brad_tumy @benatnovell

4/7/11 6:01 PM

NishantK

@brad_tumy @benatnovell Usually done for regulatory CYA. But sometimes it’s needed because of specifics in contract SLAs

4/7/11 6:02 PM

NishantK

@brad_tumy @benatnovell In any case, most RPs don’t know anyway. Role acts as proxy for context. RP usually doesn’t know why user has role

4/7/11 6:05 PM

Steve_Lockstep

@paulmadsen @benatnovell @brad_tumy @NishantK What’s a good catalog of externalised authz use cases? Issuer != PDP seems so academic to me

4/7/11 6:51 PM

Steve_Lockstep

@paulmadsen @benatnovell @brad_tumy @NishantK That was a genuine request for catalog of extern’ed authz use cases please. I need enlightening

4/7/11 9:38 PM

paulmadsen

@Steve_Lockstep For externalized authz examples, ‘To the Cloud!’ ( well actually to @ggebel ) @benatnovell @brad_tumy @NishantK

4/8/11 6:39 AM

brad_tumy

@Steve_Lockstep @paulmadsen @benatnovell @nishantk I think the Federal ICAM BAE is a good source http://t.co/cUpFGEX

4/8/11 8:26 AM

brad_tumy

@brad_tumy @steve_lockstep @paulmadsen @benatnovell @nishantk I think @aniltj could add some insight as well to use cases for external authz

4/8/11 8:31 AM

2 thoughts on “claims-based authorizations conversation”

  1. Hi Brad,

    This is Mahendra. I have the following requirement :

    Authenticate a resource based on a custom token, whether it is null or not. There is no need to map the token to a user record.
    Environment is all 11g.

    What is the best way to implement it? Is it possible to do it with just OAM 11g alone? Or does it require Oracle STS too? Please provide your inputs.

    Also would you be able to provide a sample custom token format? Thanks in advance for your help.

    Regards
    Mahendra.

    1. Mahendra –

      Can you provide some additional details about the custom token? Where is it coming from, what is its format? Any additional information that you can provide would help me formulate an answer for you.

      Thanks,
      Brad
