ID spec's approval opens enterprise path to secure mobile, cloud

OAuth 2.0 is officially blessed; now it's on to fulfilling the promise of securing access to, and integration among, applications.

The Internet’s emerging identity era offered a peek at its enterprise future last week with the standardization of two simple, extendable and effective protocols poised to help define access control going forward.

The Internet Engineering Task Force (IETF) officially made OAuth 2.0 a standard by publishing two RFCs – 6749, the core OAuth 2.0 Authorization Framework, and 6750, which describes a specific access token type called “bearer” that is akin to a boarding pass.

OAuth 2.0 is an authentication/authorization mechanism that lets Web, enterprise, cloud and mobile applications securely access resources and data available via RESTful APIs. End-users don't surrender usernames and passwords; instead, they establish identity and privileges based on access tokens issued by an authoritative source.

“This spec is another part of the consumerization of IT,” 

- Dick Hardt, editor of the OAuth 2.0 specification

Hardt said standardization isn’t so much a big shift for identity-based access control, but more a legitimizing of what has been happening. “It makes people in the enterprise more comfortable with the model,” he said.

OAuth 2.0 started life as a collaboration between Google, Microsoft, and Yahoo! to address issues in the first version of OAuth, according to Hardt. Those companies and many others have since adopted the 2.0 framework in their products and services.

Hardt said 2.0 adds important advancements: simplicity for developers and token transfer, choice of tokens and options for signed tokens, and better performance/security.

“With this work now complete, many of us can now focus on the next layers in the identity stack,” Hardt wrote on his blog.

Those layers are another important OAuth 2.0 milestone because the spec is the foundation for a number of other proposed identity standards.

The combination of OAuth 2.0 and its derivatives holds the promise of redefining end-user and data access security, and anchoring an identity layer for the Internet.

OpenID Connect, which is being developed by the OpenID Foundation, is built on the OAuth 2.0 framework and provides features such as authentication. In addition, User Managed Access – a protocol that provides users with tight access controls over their personal or sensitive data – is also built on an OAuth foundation.

“I believe that the completion of these RFCs will only accelerate the momentum behind the adoption of simple REST/JSON (JavaScript Object Notation) -based identity solutions,” Mike Jones, co-editor on RFC 6750, wrote on his blog.

Jones pointed out a number of related standardization efforts underway, including the OAuth Assertion Framework, the OAuth SAML 2.0 Assertion Profile and a number of JSON-based specs, including JSON Web Signature (JWS), JSON Web Encryption (JWE), JSON Web Key (JWK), and JSON Web Algorithms (JWA).

One of the most recent OAuth-related proposed RFCs is for a URI registry that will ensure all current and future complementary frameworks, profiles and extensions to OAuth have unique identifiers for resources they define. The registry provides identifiers that tell OAuth systems what types of grants or assertions a spec is using. Both the Security Assertion Markup Language (SAML) and JSON Web Tokens (JWT) are included.

“The completion of the two primary OAuth 2.0 specifications represents a major milestone in the progress of the next generation of lightweight identity protocols,” said Brian Campbell, co-author of the OAuth URI registry proposal and former co-chair of the SAML Technical Committee at the Organization for the Advancement of Structured Information Standards (OASIS). “That, combined with more OAuth-related work coming out of the IETF that enables integration with SAML and JWT, should position OAuth 2.0 as a central piece of identity enablement going forward for both consumer and enterprise usage.”

(Disclosure: Campbell also is a senior architect for my employer - Ping Identity.)