Identerati Office Hours Episode

“OpenID Provider Commands” is a newly proposed protocol from Dick Hardt and Karl McGuinness. It introduces a mechanism for delivering backchannel “command tokens” (JWTs) that allow an OpenID Provider (OP) to send the following messages to an OpenID Relying Party (RP):
🔑 Activate an account
🔄 Maintain an account
⏸️ Suspend an account
🔓 Reactivate an account
📦 Archive an account
♻️ Restore an account
❌ Delete an account
🚫 Unauthorize an account
In this episode we’ll hear from the authors why they think this new protocol is needed, and why their solution is the right design for the Internet.
The Eclipse Decentralized Claims specification defines “Dataspaces” which enable participants to secure data access using credentials associated with an identity. The specification defines a set of protocols for asserting participant identities, issuing verifiable credentials, and presenting verifiable credentials using a decentralized architecture for verification and trust. Is this an example of TBAC? Join the discussion to find out!
Managing privileged access is one of the most critical aspects of cybersecurity, yet organizations often struggle with implementing it effectively. In this episode of Identerati Office Hours, we’re joined by Rainer Hörbe, Senior Manager at KPMG, to explore the key patterns and anti-patterns in Privileged Access Management (PAM). We’ll discuss:
🔹 Common PAM pitfalls and how to avoid them
🔹 Best practices for securing privileged accounts
🔹 Strategies for balancing security, usability, and compliance
🔹 Real-world insights on what works—and what doesn’t—in PAM
Join us for a deep dive into the do’s and don’ts of PAM with one of the industry’s leading experts. Whether you’re designing a PAM strategy or optimizing an existing one, this session will provide actionable takeaways to strengthen your security posture.
Continuous identity requires new enterprise infrastructure to publish events related to a login session and token lifecycle. One solution could be Shared Signals Transmitters (SSTs) based on the OpenID Shared Signals Framework (SSF) and the Continuous Access Evaluation Protocol (CAEP). Another solution could leverage recent OAuth drafts for global token revocation and OAuth Status List JWTs. Join us as we discuss why continuous identity is the future and if it fits into a token based access control model.
The iShare ecosystems have been leveraging Token-Based Access Control (TBAC) for years to address the complex challenges of secure and seamless data sharing across enterprise boundaries within the European Union. This innovative framework enables organizations to establish trust, enforce fine-grained access policies, and ensure compliance while facilitating interoperability between different entities. Join this discussion to gain insights into how iShare’s approach works, the benefits it offers for cross-organizational data exchange, and how it compares to other access control models. Whether you’re a security professional, developer, or business leader, this session will provide valuable knowledge on the future of data sovereignty and access management in the EU.
TBAC is a new access control model that leverages the rich context encoded in tokens, such as JWTs, to make dynamic, fine-grained access decisions. Unlike existing models like RBAC, ABAC, or ReBAC, which rely on roles, attributes, or relationships, TBAC evaluates access based on the information embedded in a bundle of tokens, providing unparalleled flexibility and contextual awareness. But is a new access control model needed? Is TBAC a re-hashing of other access control models, like ABAC or PBAC? Can tokens contain the context necessary to make decisions without access to other data sources? Could enterprises implement “Zero Standing Privilege” using a TBAC approach? In this episode of Identerati Office Hours, three of the leaders in modern enterprise identity will discuss the merits of TBAC and the arguments for and against the approach.
Relying on data in token claims for authorization is a slippery slope that can lead to unexpected failures and painful debugging sessions. JWT bloat—caused by excessive claims—can run into header size limitations, triggering intermittent outages due to constraints on proxies, load balancers, and firewalls. Beyond sheer size, data encoding schemes introduce additional complexity, especially when dealing with binary-encoded claim values. Dynamic claims in tokens can also risk inconsistency if not handled properly. And then there’s the issue of revocation. In this episode, we’ll break down the hidden dangers of overloading JWTs, consider real-world horror stories, and discuss best practices for keeping your tokens lean or when you should consider reference tokens instead.
IPSIE (pronounced “ip-see”) stands for Interoperability Profiling for Secure Identity in the Enterprise. Its mission is to develop interoperability and security profiles of existing specifications. The current situation is that enterprise deployments of OpenID, OAuth, passkeys and other identity technologies are so varied that two implementations are NOT guaranteed to work together. For example, is it acr or amr that shows how the user was authenticated? Can re-usable IPSIE profiles enable much-sought-after IT consolidation? In this episode with working group contributors… we’ll see!
As identity-based attacks grow more sophisticated, traditional IAM solutions need a boost. In this episode of Identerati Office Hours, we dive into Identity Threat Detection & Response (ITDR)—a critical enhancement for modern IAM strategies. How can ITDR go beyond access management to detect, mitigate, and respond to identity threats in real time? Will ITDR become essential for security teams to stay ahead of evolving threats? Tune into this IOH episode to learn more!
MOSIP requires a foundation of complementary technologies and human expertise: no one company or firm can deploy robust digital public infrastructure for a nation. In this episode, we’ll explore how MOSIP is building an ecosystem of software vendors, infrastructure providers, IT integrators, custom development firms, and other domain experts who provide the business, legal and cloud technology capable of delivering their solution to diverse markets. We’ll also discuss how this collaborative approach positions nations to expand MOSIP’s reach by linking identity credentials to critical public and private services.
APIs are the lifeblood of modern digital ecosystems, driving 80% of internet traffic and enabling seamless integration between applications, services, and devices. The gap between API specifications and production behavior—known as “API drift”—is a major source of inefficiency and friction in the API ecosystem. Drawing on APIContext’s recent white paper, this discussion will explore the state of API specifications, their critical role in ensuring interoperability, and why keeping them up-to-date and accurate is essential for robust API governance. Join us for Identerati Office Hours to uncover insights on:
🚀 The Role of APIs: Powering 80% of all internet traffic, APIs are the backbone of modern digital applications.
📉 The Problem of API Drift: 25% of APIs don’t conform to their specifications. What is the impact on performance and reliability?
🛠️ Best Practices for API Governance: Explore actionable strategies to mitigate API drift, from publishing clear OpenAPI Specifications to proactive monitoring.
🤖 Agentic AI: Amplifying API Drift: The rise of autonomous AI agents adds a new layer of complexity to the existing challenge of API drift. Managing agent interactions and ensuring they adhere to evolving API specifications makes maintaining accuracy and preventing drift even more critical.