Developers getting JSON-based options for enterprise authentication

Distributed cloud services and mobile-device clients are driving Web-friendly protocols for identity and security.

Options for building enterprise authentication infrastructure are expanding as new RESTful service alternatives emerge to support identity and security needs, such as federation, digital signatures, encryption, security keys, and token exchange.

The new options are creating debate around the future of existing technologies and how evolution of identity protocols will progress over the next few years as distributed cloud services and mobile device clients proliferate.

The debate escalated last year when some pundits called the venerable identity protocol Security Assertion Markup Language (SAML) stagnant.

In reality, SAML, a standard federation protocol based on XML, is still very much in use in the enterprise, and viable for federation among business units or with outside partners. In fact, work on a 2.1 version of SAML is ongoing.

But technology never stands still.

"On the bleeding edge, there has been a shift of resources and investment," said Brian Campbell, the former co-chair of the SAML technical committee at the Organization for the Advancement of Structured Information Standards (OASIS). Campbell is also co-author of a specification to bridge SAML and the RESTful OAuth 2.0 authentication/authorization protocol, and an active contributor to emerging protocols developed with a RESTful flair.

The resource shift is moving toward RESTful services built using JavaScript Object Notation (JSON) and related technologies.

JSON, a lightweight data exchange format, is used as a foundation to create Web-friendly ways to perform well-understood security practices, such as token exchange, within identity infrastructures.

JSON is intertwined with technologies such as OpenID Connect, an authentication framework, OAuth 2.0, and an emerging Internet Engineering Task Force (IETF) provisioning standard called System for Cross-Domain Identity Management (SCIM).

"We might end up changing the way the industry thinks about things like token exchange, key rotation, and other security services used for identity," said Campbell.

Today, for example, Google uses a public/private key rotation that allows it to change how public-key information is collected by partners, and to add flexibility and efficiency in changing private key data. The goal is to minimize management of expiring key pairs and to harden security.

Campbell noted, however, that debates around the range, capabilities, and limitations of emerging RESTful services are still a vocal chorus of varied opinions.

The new technologies are rooted in JSON, a subset of the JavaScript programming language being used to build mechanisms for identity and security.

Where SAML relies on XML formats, comparable technologies, such as OpenID Connect and JSON Web Token, rely on JSON.

Among the important work going on at the IETF are protocols leveraging JSON, including JavaScript Object Signing and Encryption (JOSE), a secure object format that ensures confidentiality and integrity, much like S/MIME does for email.

JOSE can incorporate a number of features, including JSON Web Signature (JWS), JSON Web Encryption (JWE), JSON Web Token (JWT), and JSON Web Key (JWK).

JWS lets developers represent content secured with a digital signature; JWE is used for encrypting the contents of a message; and JWT (which is being developed in the IETF's OAuth working group) is a way to represent claims or attributes between two entities.

With JWT, the claims/attributes are encoded as a JSON object, delivered as a payload protected by JWS or as ciphertext in a JWE package. The claims/attributes can be digitally signed and/or encrypted.

JWK is a JSON representation of public keys, along with bits of data about those keys. It can represent RSA or Elliptic Curve-based keys.

"Developers are voting with their feet," said Campbell. "They tend to prefer JSON-based interfaces and tooling, and more and more services are trending toward JSON. People think XML is too heavy for platforms such as mobile devices."

Disclosure: Campbell also works for Ping Identity.