Episode 100: Is TBAC the Next Big Thing?

The number of JWT tokens out there is rapidly expanding. Beyond traditional federation tokens, like OAuth access tokens and OpenID identity assertions, there is a whole new category of “decentralized tokens”, i.e. verifiable credentials, with myriad issuers and potential ecosystem schemas. We are also seeing JWTs issued by platforms like Google to attest to the integrity of mobile software installed on a device. FIDO is defining JWT attestations about the security of authenticators (how is the key stored?). Tokens are used by federations to convey trust, for example the JWTs issued by open banking federations to fintech companies. The pace is not slowing down. The WIMSE working group at the IETF is likely to introduce several new tokens for workload identity. And another draft at the IETF called “transaction tokens” is enabling enterprises to embed business-specific details into tokens. How are access control models going to evolve to address this important new input to policies? There is one inevitable conclusion: person-centric access control models like RBAC can solve an ever-smaller subset of the access control challenges enterprises are facing.

In this 100th episode, we’ll discuss whether a new solution has presented itself: Token Based Access Control. Does TBAC offer enterprises a way to implement continuous authentication and just-in-time access control for both humans and workloads across a range of mobile, cloud, and even disconnected applications? And if so, what would be the impact on how enterprises need to think about access control in the post token-explosion world we are living in?

Episode 99: OpenID Provider Commands: New JWT Tokens for RP Acct Mgt

“OpenID Provider Commands” is a new proposed protocol by Dick Hardt and Karl McGuinness which introduces a mechanism for delivering backchannel “command tokens” (a JWT) that allows an OpenID Provider (OP) to send the following messages to an OpenID Relying Party (RP):

🔑 Activate an account
🔄 Maintain an account
⏸️ Suspend an account
🔓 Reactivate an account
📦 Archive an account
♻️ Restore an account
❌ Delete an account
🚫 Unauthorize an account

In this episode we’ll hear from the authors why they think this new protocol is needed, and why their solution is the right design for the Internet.

Episode 98: Eclipse Decentralized Claims Protocol

The Eclipse Decentralized Claims specification defines “Dataspaces” which enable participants to secure data access using credentials associated with an identity. The specification defines a set of protocols for asserting participant identities, issuing verifiable credentials, and presenting verifiable credentials using a decentralized architecture for verification and trust. Is this an example of TBAC? Join the discussion to find out!

Episode 97: Patterns and Anti-patterns in Privileged Access Management (PAM)

Managing privileged access is one of the most critical aspects of cybersecurity, yet organizations often struggle with implementing it effectively. In this episode of Identerati Office Hours, we’re joined by Rainer Hörbe, Senior Manager at KPMG, to explore the key patterns and anti-patterns in Privileged Access Management (PAM).

We’ll discuss:

🔹 Common PAM pitfalls and how to avoid them
🔹 Best practices for securing privileged accounts
🔹 Strategies for balancing security, usability, and compliance
🔹 Real-world insights on what works—and what doesn’t—in PAM

Join us for a deep dive into the do’s and don’ts of PAM with one of the industry’s leading experts. Whether you’re designing a PAM strategy or optimizing an existing one, this session will provide actionable takeaways to strengthen your security posture.

Episode 91: Powering Continuous Identity with OAuth and OpenID

Continuous identity requires new enterprise infrastructure to publish events related to a login session and token lifecycle. One solution could be Shared Signals Transmitters (SSTs) based on the OpenID Shared Signals Framework (SSF) and the Continuous Access Evaluation Protocol (CAEP). Another solution could leverage recent OAuth drafts for global token revocation and OAuth Status List JWTs. Join us as we discuss why continuous identity is the future and if it fits into a token based access control model.

Episode 96: iShare: Bringing Trust to Data with JWT-Based Access

The iShare ecosystems have been leveraging Token-Based Access Control (TBAC) for years to address the complex challenges of secure and seamless data sharing across enterprise boundaries within the European Union. This innovative framework enables organizations to establish trust, enforce fine-grained access policies, and ensure compliance while facilitating interoperability between different entities. Join this discussion to gain insights into how iShare’s approach works, the benefits it offers for cross-organizational data exchange, and how it compares to other access control models. Whether you’re a security professional, developer, or business leader, this session will provide valuable knowledge on the future of data sovereignty and access management in the EU.

Episode 93: Is TBAC the Future? Gluu, SGNL & Strata Weigh In

TBAC is a new access control model that leverages the rich context encoded in tokens, such as JWTs, to make dynamic, fine-grained access decisions. Unlike existing models like RBAC, ABAC, or ReBAC, which rely on roles, attributes, or relationships, TBAC evaluates access based on the information embedded in a bundle of tokens, providing unparalleled flexibility and contextual awareness.

But is a new access control model needed? Is TBAC a re-hashing of other access control models, like ABAC or PBAC? Can tokens contain the context necessary to make decisions without access to other data sources? Could enterprises implement “Zero Standing Privilege” using a TBAC approach?

In this episode of Identerati Office Hours, three of the leaders in modern enterprise identity will discuss the merits of TBAC and the arguments for and against the approach.

Episode 95: Are JWTs bad for authz?

Relying on data in token claims for authorization is a slippery slope that can lead to unexpected failures and painful debugging sessions. JWT bloat—caused by excessive claims—can run into header size limitations, triggering intermittent outages due to constraints on proxies, load balancers, and firewalls. Beyond sheer size, data encoding schemes introduce additional complexity, especially when dealing with binary-encoded claim values. Dynamic claims in tokens can also risk inconsistency if not handled properly. And then there’s the issue of revocation. In this episode, we’ll break down the hidden dangers of overloading JWTs, consider real-world horror stories, and discuss best practices for keeping your tokens lean or when you should consider reference tokens instead.

Episode 94: The IPSIE Standard: A New Era of Identity Interoperability

IPSIE (pronounced “ip-see”) stands for Interoperability Profiling for Secure Identity in the Enterprise. Its mission is to develop interoperability and security profiles of existing specifications. The current situation is that enterprise deployments of OpenID, OAuth, passkeys and other identity technologies are so varied that two implementations are NOT guaranteed to work together. For example, is it acr or amr that shows how the user was authenticated? Can re-usable IPSIE profiles enable much sought-after IT consolidation? In this episode with working group contributors… we’ll see!