Internet Identity Workshop 28 — IIW XXVIII

Maduranga Siriwardena
4 min read · May 8, 2019

I got an amazing opportunity to attend Internet Identity Workshop 28, in short, IIW XXVIII.

IIW is an unconference where people gather and discuss the "Identity" world. These people include leaders in the identity world, newbies to the identity world, specification creators in the identity world, new trend creators of the identity world and so on.

It is a great privilege to participate in such an event, traveling across half the world from Sri Lanka to Silicon Valley!

IIW XXVIII had sessions ranging from OAuth 2 to OIDC to privacy laws to FIDO to self-sovereign identity and many more. I mostly attended the OAuth 2/OIDC and Single Sign-On related sessions, which I was interested in and which are related to my career. Below are a few interesting sessions I could attend apart from the 101 sessions about WebAuthn, OIDC, and FIDO.

JWT Profile for OAuth 2.0 Access Tokens

The OAuth 2.0 Authorization Framework specification does not specify a format for the access token. But when the resource server needs to know information about the user and does not want to pay the performance cost of token introspection, people tend to use JWT access tokens. This discussion was about standardizing the norms different people use in different places. You can find the current draft version of the specification from here.
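To show what the "self-contained" part buys the resource server, here is an added example (my own code, not from the draft or from any of the projects mentioned) of minting and then locally validating a JWT access token carrying the header and claims the draft asks for; it assumes a shared HS256 secret and constructed issuer/audience values purely for demonstration, whereas a real authorization server would sign with a private key and the resource server would verify against the published JWKS.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo values (not from the post): a shared HS256 secret stands in
# for the authorization server's signing key so the example runs offline.
SECRET = b"demo-secret-not-for-production"
ISSUER = "https://as.example.com"
AUDIENCE = "https://api.example.com"
REQUIRED_CLAIMS = ("iss", "aud", "sub", "client_id", "iat", "exp", "jti")


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_access_token(sub: str, client_id: str, scope: str, now: int, ttl: int = 300) -> str:
    """Authorization-server side: mint a JWT access token with the profile's header and claims."""
    header = {"alg": "HS256", "typ": "at+jwt"}  # explicit typ lets an RS reject ID tokens
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": sub, "client_id": client_id,
              "iat": now, "exp": now + ttl, "jti": f"demo-{now}", "scope": scope}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def validate_access_token(token: str, now: int) -> dict:
    """Resource-server side: check the token locally, with no introspection round trip."""
    try:
        h64, c64, s64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    # Verify the signature before trusting anything inside the token.
    expected = hmac.new(SECRET, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")
    header = json.loads(_b64url_decode(h64))
    if header.get("alg") != "HS256" or header.get("typ") != "at+jwt":
        raise ValueError("unexpected header")  # pin alg; refuse tokens of another type
    claims = json.loads(_b64url_decode(c64))
    missing = [c for c in REQUIRED_CLAIMS if c not in claims]
    if missing:
        raise ValueError(f"missing claims: {missing}")
    if claims["iss"] != ISSUER or claims["aud"] != AUDIENCE:
        raise ValueError("wrong issuer or audience")
    if now >= claims["exp"]:
        raise ValueError("token expired")
    return claims
```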

FastFed — Easy Connections IDP ↔ App + Governance — Who should have permissions in the app

FastFed defines metadata documents, APIs, and flows that simplify the administrative effort to configure identity federation between an identity provider and an application that supports common standards. We discussed the basics of the FastFed 1.0 specification, how an identity governance provider can fit into the model, and the advantages and disadvantages for each entity in each model.

Transactional authorization protocol XYZ

As discussed in the session, OAuth 2 has certain limitations. This newly proposed specification is intended to address the things OAuth 2 does not handle well. You can find more information about the proposal from this blog post and from this web site. Quoting from the web site,

OAuth 2 is one of the most successful security protocols in use today. Even so, in its wide use, the protocol has come up against some of its own limitations. This is a proposal for a transactional authorization protocol XYZ to address the things that OAuth 2 doesn’t handle well on its own. Optimizations and decisions that made sense in OAuth 2 don’t make as much sense today.

Continuous Access Evaluation Protocol

There can be several participants in a session of an identity provider. A change in the state of one participant may be relevant to the other participants of the session. This specification tries to define a pub-sub model in which participants subscribe to events of interest and receive them over an HTTP-based messaging system.

Why “Specific & Informed Consent” is Nonsense (or Not)

The discussion was about specific and informed consent and the norms and rules that protect the personal information of users. We discussed how to get specific and informed consent from the user, which factors need to be communicated to the user, how it is going to scale, and whether it is possible to automate it with an agent. Later we discussed how to build a set of norms and government-enforced rules to protect personal data and how they can differ between countries.

Let's make a map of OAuth specs

Apart from the core OAuth 2 specifications, there are a number of OAuth 2 specifications initiated by different working groups addressing different problems associated with different parts of OAuth 2 flows. At the same time, for the different types of client app developers (mobile, web, etc.), for authorization server developers, or for resource server developers, there is no defined set of specifications to read before starting the implementation. This information is scattered in different places. This effort was to gather and categorize the different types of specifications and working groups available at the moment. This is how the whiteboard looked at the end.

Map of OAuth specs

I enjoyed every bit of the IIW. Thanks, Prabath Siriwardena and WSO2, Inc for providing me this amazing opportunity.
