Identerati Office Hours Episode
The number of JWT tokens out there is rapidly expanding. Beyond traditional federation tokens, like OAuth access tokens, and OpenID identity assertions, there is a whole new category of “decentralized tokens”, i.e. verifiable credentials, with myriad issuers and potential ecosystem schemas. We are also seeing JWTs issued by platforms like Google to attest to the integrity of mobile software installed on a device. FIDO is defining JWT attestations about the security of authenticators (how is the key stored?). Tokens are used by federations to convey trust, for example the JWTs issued by open banking federations to fintech companies. The pace is not slowing down. The WIMSE working group at the IETF is likely to introduce several new tokens for workload identity. And another draft at the IETF called “transaction tokens” is enabling enterprises to embed business-specific details into tokens. How are access control models going to evolve to address this new important input to policies? There is one inevitable conclusion: person-centric access control models like RBAC can solve an increasingly smaller subset of the access control challenges enterprises are facing.
In this 100th episode, we’ll discuss if a new solution has presented itself: Token Based Access Control. Does TBAC offer enterprises a way to implement continuous authentication and just in time access control for both humans and workloads across a range of mobile, cloud, and even disconnected applications? And if so, what would be the impact on how enterprises need to think about access control in the post token-explosion world we are living in?
“OpenID Provider Commands” is a new proposed protocol via Dick Hardt and Karl McGuinness which introduces a mechanism for delivering backchannel “command tokens” (a JWT) that allows an OpenID Provider (OP) to send the following messages to an OpenID Relying Party (RP):
🔑 Activate an account
🔄 Maintain an account
⏸️ Suspend an account
🔓 Reactivate an account
📦 Archive an account
♻️ Restore an account
❌ Delete an account
🚫 Unauthorize an account
In this episode we’ll hear from the authors why they think this new protocol is needed, and why their solution is the right design for the Internet.
The Eclipse Decentralized Claims specification defines “Dataspaces” which enable participants to secure data access using credentials associated with an identity. The specification defines a set of protocols for asserting participant identities, issuing verifiable credentials, and presenting verifiable credentials using a decentralized architecture for verification and trust. Is this an example of TBAC? Join the discussion to find out!
Managing privileged access is one of the most critical aspects of cybersecurity, yet organizations often struggle with implementing it effectively. In this episode of Identerati Office Hours, we’re joined by Rainer Hörbe, Senior Manager at KPMG, to explore the key patterns and anti-patterns in Privileged Access Management (PAM).
We’ll discuss:
🔹 Common PAM pitfalls and how to avoid them
🔹 Best practices for securing privileged accounts
🔹 Strategies for balancing security, usability, and compliance
🔹 Real-world insights on what works—and what doesn’t—in PAM
Join us for a deep dive into the do’s and don’ts of PAM with one of the industry’s leading experts. Whether you’re designing a PAM strategy or optimizing an existing one, this session will provide actionable takeaways to strengthen your security posture.
Continuous identity requires new enterprise infrastructure to publish events related to a login session and token lifecycle. One solution could be Shared Signals Transmitters (SSTs) based on the OpenID Shared Signals Framework (SSF) and the Continuous Access Evaluation Protocol (CAEP). Another solution could leverage recent OAuth drafts for global token revocation and OAuth Status List JWTs. Join us as we discuss why continuous identity is the future and if it fits into a token based access control model.
The iShare ecosystems have been leveraging Token-Based Access Control (TBAC) for years to address the complex challenges of secure and seamless data sharing across enterprise boundaries within the European Union. This innovative framework enables organizations to establish trust, enforce fine-grained access policies, and ensure compliance while facilitating interoperability between different entities. Join this discussion to gain insights into how iShare’s approach works, the benefits it offers for cross-organizational data exchange, and how it compares to other access control models. Whether you’re a security professional, developer, or business leader, this session will provide valuable knowledge on the future of data sovereignty and access management in the EU.
TBAC is a new access control model that leverages the rich context encoded in tokens, such as JWTs, to make dynamic, fine-grained access decisions. Unlike existing models like RBAC, ABAC, or ReBAC, which rely on roles, attributes, or relationships, TBAC evaluates access based on the information embedded in a bundle of tokens, providing unparalleled flexibility and contextual awareness.
But is a new access control model needed? Is TBAC a re-hashing of other access control models, like ABAC or PBAC? Can tokens contain the context necessary to make decisions without access to other data sources? Could enterprises implement “Zero Standing Privilege” using a TBAC approach?
In this episode of Identerati Office Hours, three of the leaders in modern enterprise identity will discuss the merits of TBAC and the arguments for and against the approach.
Relying on data in token claims for authorization is a slippery slope that can lead to unexpected failures and painful debugging sessions. JWT bloat—caused by excessive claims—can run into header size limitations, triggering intermittent outages due to constraints on proxies, load balancers, and firewalls. Beyond sheer size, data encoding schemes introduce additional complexity, especially when dealing with binary-encoded claim values. Dynamic claims in tokens can also risk inconsistency if not handled properly. And then there’s the issue of revocation. In this episode, we’ll break down the hidden dangers of overloading JWTs, consider real-world horror stories, and discuss best practices for keeping your tokens lean or when you should consider reference tokens instead.
IPSIE (pronounced “ip-see”) stands for Interoperability Profiling for Secure Identity in the Enterprise. Its mission is to develop interoperability and security profiles of existing specifications. The current situation is that the enterprise deployments of OpenID, OAuth, passkeys and other identity technologies are so varied, two implementations are NOT guaranteed to work together. For example, is it acr or amr that shows how the user was authenticated? Can re-usable IPSIE profiles enable much sought after IT consolidation? In this episode with working group contributors… we’ll see!
As identity-based attacks grow more sophisticated, traditional IAM solutions need a boost. In this episode of Identerati Office Hours, we dive into Identity Threat Detection & Response (ITDR)—a critical enhancement for modern IAM strategies. How can ITDR go beyond access management to detect, mitigate, and respond to identity threats in real-time? Will ITDR become essential for security teams to stay ahead of evolving threats? Tune into this IOH episode to learn more!
MOSIP requires a foundation of complementary technologies and human expertise–no one company or firm can deploy robust digital public infrastructure for a nation. In this episode, we’ll explore how MOSIP is building an ecosystem of software vendors, infrastructure providers, IT integrators, custom development firms, and other domain experts who provide the business, legal and cloud technology capable of delivering their solution to diverse markets.
We’ll also discuss how this collaborative approach positions nations to expand MOSIP’s reach by linking identity credentials to critical public and private services.