BPuhl’s Blog

A little bit of everything without actually being much of anything

AuthA, B, C…no, no…AuthN & AuthZ – yeah, that’s it!

Posted by BPuhl on April 4, 2008

So in a previous post, I said:

I want the authentication of YOUR users accessing MY data, to be as credible as the authentication of YOUR users accessing YOUR data.

And this is ABSOLUTELY true.  But I ONLY want the authentication portion…please, authenticate the user against your identity store, but let’s just stop there.  Is there really any need to stuff his token full of claims?  After all, claims are for AUTHORIZATION, and have nothing to do with AUTHENTICATION.  Presence of a valid token indicates authN.

So why do I want to separate authN from authZ?  Because in my opinion:

Authentication needs to be performed by the party who has the most credible source of the users digital identity.

Authorization though, has nothing to do with the user.  Authorization is all about the data which is being protected.  Therefore, the source of the authorization, is the owner of the data.

This is where claims based systems get interesting today, because the ideas they are based on were largely formed for the “user-centric” identity metasystem…or, to say it another way…the consumer market.  Putting the authorization data into the authentication token makes sense when it’s the users data.  For example, if I’m putting my personal data into a web 2.0 application, then that is still my data.

But what about when the data doesn’t belong to the user (or even the users enterprise) who is accessing it?  For example, Microsoft hosts a DMZ network to provide business partners with access to our data.  Do we want to allow our partners to start deciding which data they get access to?  Probably not.

So as enterprise federation continues to gain traction, it’s time to start exploring what’s required for the authentication to come from the partner, while still allowing the enterprise applications to own the authorization to their own data.

More to come on this…


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: