Independent Identity
Phil Hunt's blog on identity standards, privacy, and some other stuff...
Feed last updated 2024-02-07.

Standards: SCIM Birds of a Feather Meeting July 29
Published 2021-07-23
SCIM (RFC7643 and RFC7644) was published back in September 2015. SCIM has over 65 published implementations, including the new open source project i2scim.io. There are deployments from small IoT systems all the way to large-scale deployments in the billions. SCIM's primary benefit has been to serve as an industry-standard way to provision and manage identities at service…

Launching i2scim.io and a new Independent Identity
Published 2021-07-10
It has been a while since I last blogged. I had found myself writing on Oracle's platform and this blog took a back seat. Now that I am truly independent, I am blogging again! To date, the focus of this blog has been an independent view on standards and the protocols that make identity systems work. Going forward, I will continue to comment on standards but I will also bring new content…

A 'Robust' Schema Approach for SCIM
Published 2015-02-24
This article was originally posted on the Oracle Fusion Blog, Feb 24, 2015.
Last week, I had a question about SCIM's (System for Cross-domain Identity Management) approach to schema. How does the working group recommend handling message validation? Doesn't SCIM have a formal schema?
To be able to answer that question, I realized that the question was about a different style of schema than SCIM…

Standards Corner: IETF SCIM Working Group Reaches Consensus
Published 2014-12-16
On the Oracle Fusion blog, I blog about the recent SCIM working group consensus, SCIM 2's advantages, and its position relative to LDAP.

Standards Corner: Preventing Pervasive Monitoring
Published 2014-05-30
On Wednesday night, I watched NBC's interview of Edward Snowden. The past year has been a tumultuous one in the IT security industry. There have been some amazing revelations about the activities of governments around the world; and we have had several instances of major security bugs in key security libraries: Apple's 'gotofail' bug, the OpenSSL Heartbleed bug, not to mention…

Draft 05 of IETF SCIM Specifications
Published 2014-05-12
I am happy to announce that draft 05 of the SCIM specifications has been published at the IETF. We are down to a handful of issues (8) to sort out.
draft-ietf-scim-api
draft-ietf-scim-core-schema
Major changes:
Clarifications on case preservation and exact-match filter processing
Added IANA considerations
Formalized internationalization and encoding (UTF-8)
Added security considerations

Standards Corner: Basic Auth MUST Die!
Published 2014-04-09
Basic Authentication (part of RFC2617) was developed along with HTTP/1.1 (RFC2616) when the web was relatively new. This specification envisioned that user-agents (browsers) would ask users for their user-id and password and then pass the encoded information to the web server via the HTTP Authorization header.
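The following is an added example, not code from the post: it builds the Authorization header exactly as a user-agent does for Basic auth, then shows the decoding step that any proxy, access-log reader or on-path observer can perform when the connection is not protected by TLS. The user name and password are constructed values; the parsing follows RFC 2617 and its successor RFC 7617 (the user-id may not contain a colon, the password may, so the split happens at the first colon only).

```python
import base64
import binascii
from typing import Optional, Tuple

# Constructed sample credentials for this example; not taken from the post.
USER = "alice"
PASSWORD = "s3cret:with:colons"


def make_basic_header(user: str, password: str) -> str:
    """Build the Authorization header value a user-agent sends for Basic auth.

    Per RFC 2617 / RFC 7617 the user-id may not contain a colon; the password may.
    """
    if ":" in user:
        raise ValueError("user-id must not contain ':' (RFC 7617 section 2)")
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_header(value: str) -> Tuple[str, str]:
    """Recover user-id and password from a Basic Authorization header value.

    This is what any observer of the request can do: base64 is an encoding,
    not encryption, so without TLS the password travels in the clear.
    """
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic credential")
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("malformed base64 in Basic credential") from exc
    # Split at the first colon only, so passwords containing ':' survive intact.
    user, sep, password = raw.decode("utf-8").partition(":")
    if not sep:
        raise ValueError("Basic credential is missing the ':' separator")
    return user, password


def credentials_from_log_line(line: str) -> Optional[Tuple[str, str]]:
    """Pull the plaintext credential out of a captured request header line, if it carries one.

    Returns None for non-Authorization headers and for schemes other than Basic
    (a Bearer token, for instance, does not reveal a reusable password this way).
    """
    name, _, value = line.partition(":")
    if name.strip().lower() != "authorization":
        return None
    try:
        return parse_basic_header(value)
    except ValueError:
        return None


if __name__ == "__main__":
    header = make_basic_header(USER, PASSWORD)
    print(header)
    # Constructed header line, as it might appear in a proxy capture or access log.
    print(credentials_from_log_line(f"Authorization: {header}"))
```

Because the credential is replayable and identical on every request, a single captured header is as good as the password itself, which is the reason the post argues Basic belongs behind TLS only, or better, not at all.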
The Basic Auth approach quickly died in popularity in favour of form-based login, where…

Standards Corner: Maturing REST Specifications and the Internet of Things
Published 2014-03-13
Cross-posted from the Oracle Fusion Middleware Blog.
As many of you know, much of today's standards work around REST centers around IETF-based specifications. As such, I thought I would share some RESTful-services-related news coming from last week's IETF meetings. Many working groups are now in the final stages of moving key specifications into standard status…
JSON
A new standard draft for…

Standards Corner: SCIM and the Shifting Enterprise Identity Center of Gravity
Published 2014-02-27
My latest blog post on SCIM is available over on the Oracle Fusion Middleware blog.

New IETF SCIM drafts - Revision 03 Details
Published 2014-02-14
Yesterday, the IETF SCIM (System for Cross Domain Identity Management) Working Group published new draft specification revisions:
draft-ietf-scim-api-03
draft-ietf-scim-core-schema-03
This revision was essentially a clean-up of the specification text into IETF format, as well as a series of clarifications and fixes that will greatly improve the maturity and interoperability of the SCIM drafts.

Double-blind Identity
Published 2013-12-17
Note: Cross-posted from the Oracle Fusion Blog.
On November 13 and 14, the Government of British Columbia, Canada, launched the first in a series of public consultations on identity and digital services. For several years now, BC has been working on a new identity services project that would enable citizens to securely access government services online. For BC, there is clear motivation:…

Standards Corner: OAuth WG Client Registration Problem
Published 2013-11-04
Update: Cross-posted on the Oracle Fusion Middleware blog.
This afternoon, the OAuth Working Group will meet at IETF88 in Vancouver to discuss some topics important to the maturation of OAuth. One of them is the OAuth client registration problem.
OAuth (RFC6749) was initially developed with a simple deployment model where there is only a monopoly or singleton cloud instance of a web API…

New Draft for Enabling OAuth2 To Be Used for Authentication
Published 2013-08-27
In my last blog post, I discussed the issue of OAuth2 and authentication: "Simple Authentication for OAuth 2? What is the Right Approach?" As promised, I submitted a draft to the IETF for discussion in Berlin at the beginning of the month. While the working group didn't get a lot of time in the meeting to talk about the authentication issue (it wasn't formally on the charter), the…

Simple Authentication for OAuth 2? What is the Right Approach?
Published 2013-07-18
Over a year ago, several people, including myself, raised concerns about using OAuth (RFC6749) for authentication. By this I mean that application developers are using OAuth-enabled service providers as a way to authenticate their users (using Google, Facebook, LinkedIn, Twitter, or another major provider). They do this because they want to eliminate friction by forcing customers to create…

Why You Should Care About Privacy
Published 2013-03-28
On April 4, at 10am Pacific, Oracle Identity Management (@OracleIDM) will be hosting a Twitter conversation on privacy (#PrivQA). I am pleased to confirm that the Ontario Commissioner of Information & Privacy, Dr. Cavoukian, will be joining the conversation.
In particular, I would like to encourage privacy and security industry folks to participate. For more information, see our recent…

Standards Corner: Tokens. Can You Bear It?
Published 2013-02-28
This week's post is all about tokens. What are the different types of tokens that may be used in RESTful services? How are they the same as, or different from, browser cookies? What are access tokens, artifacts, bearer tokens, and MAC tokens? If I asked you what tokens are used for, many of you would answer authentication. But there is a bit more to it than that. First, I'd like to point you to a post I…

3 Parts to Authentication
Published 2013-02-14
At the IETF85 meeting in Atlanta, I ran into Phillip Hallam-Baker after a meeting on HTTP Authentication (you may recall, Phillip is one of the editors of RFC2617 - Basic and Digest Access Authentication). We were talking about how the term "authentication" is very poorly defined and means different things to different people and different service components.
Phil pointed me to a WG draft he put…

OAuth2: Is OAuth the End of SAML? Or a New Opportunity?
Published 2013-02-14
I mentioned in my year-in-review post that rather than spell the end of SAML, OAuth2 might in fact greatly expand SAML's adoption. Why is that?
The OAuth2 Working Group is nearing completion on the OAuth2 SAML Bearer draft, which defines how SAML Bearer assertions can be used with OAuth2, essentially replacing less secure user-ids and passwords with more secure federated assertions.
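As an added example (not code from the post or from the working group), here is the exchange that the SAML Bearer draft defines, in the form it was later published as RFC 7522: the client POSTs a base64url-encoded assertion to the token endpoint with the saml2-bearer grant type, and the authorization server applies the processing rules that make a bearer assertion safe to accept in place of a password (trusted issuer, audience equal to the token endpoint, a bearer subject confirmation addressed to that endpoint, and an expiry). The assertion, the issuer idp.example.com and the endpoint as.example.com/token are constructed for illustration; signature verification, which RFC 7522 requires before any of these checks, is deliberately left to the deployment's XML-DSig library.

```python
import base64
import datetime as dt
import xml.etree.ElementTree as ET
from typing import Iterable, Tuple
from urllib.parse import parse_qs, urlencode

# RFC 7522 is the published form of the SAML Bearer draft; these URNs come from it and SAML 2.0.
SAML2_BEARER = "urn:ietf:params:oauth:grant-type:saml2-bearer"
BEARER_CM = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed, unsigned sample assertion; idp.example.com and as.example.com are made-up names.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2c3" Version="2.0" IssueInstant="2013-02-14T19:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://as.example.com/token"
          NotOnOrAfter="2013-02-14T19:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2013-02-14T18:59:00Z" NotOnOrAfter="2013-02-14T19:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://as.example.com/token</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_token_request(assertion_xml: str, scope: str = "") -> str:
    """Client side: the form body POSTed to the token endpoint (RFC 7522 section 2.1)."""
    params = {"grant_type": SAML2_BEARER, "assertion": _b64url(assertion_xml.encode("utf-8"))}
    if scope:
        params["scope"] = scope
    return urlencode(params)


def decode_token_request(body: str) -> Tuple[str, str]:
    """Server side: recover the grant type and the assertion XML from the form body."""
    fields = parse_qs(body, strict_parsing=True)
    grant_type = fields.get("grant_type", [""])[0]
    if grant_type != SAML2_BEARER:
        raise ValueError(f"unsupported grant_type {grant_type!r}")
    return grant_type, _b64url_decode(fields["assertion"][0]).decode("utf-8")


def _ts(value: str) -> dt.datetime:
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def validate_bearer_assertion(assertion_xml: str, trusted_issuers: Iterable[str],
                              token_endpoint: str, now: dt.datetime) -> str:
    """Server side: RFC 7522 section 3 rules that run AFTER the issuer signature is verified.

    Returns the subject NameID on success, raises ValueError otherwise. Signature
    verification is not shown; without it none of these checks mean anything.
    """
    root = ET.fromstring(assertion_xml)  # use defusedxml for untrusted input in production
    issuer = (root.findtext("saml:Issuer", namespaces=NS) or "").strip()
    if issuer not in set(trusted_issuers):
        raise ValueError(f"untrusted issuer {issuer!r}")

    conditions = root.find("saml:Conditions", NS)
    if conditions is None:
        raise ValueError("missing Conditions / AudienceRestriction")
    audiences = [a.text.strip() for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if token_endpoint not in audiences:
        raise ValueError("token endpoint is not an intended audience")
    not_before, not_after = conditions.get("NotBefore"), conditions.get("NotOnOrAfter")
    if not_before is not None and now < _ts(not_before):
        raise ValueError("assertion not yet valid")
    if not_after is not None and now >= _ts(not_after):
        raise ValueError("assertion expired")
    has_expiry = not_after is not None  # RFC 7522 allows the expiry on either element

    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise ValueError("missing Subject NameID")

    # Bearer confirmation addressed to this token endpoint, with its own (unexpired) window.
    for sc in root.findall("saml:Subject/saml:SubjectConfirmation", NS):
        data = sc.find("saml:SubjectConfirmationData", NS)
        if sc.get("Method") != BEARER_CM or data is None or data.get("Recipient") != token_endpoint:
            continue
        expiry = data.get("NotOnOrAfter")
        if expiry is not None and now >= _ts(expiry):
            continue
        if has_expiry or expiry is not None:
            return name_id.strip()
    raise ValueError("no valid bearer SubjectConfirmation for this token endpoint")
```

The audience and Recipient checks are what stop an assertion issued for one service from being replayed at another, and the two expiry windows are what bound the damage if one leaks; those, together with the signature, are why a bearer assertion can stand in for a password here.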
Before I…

OAuth2: How does OAuth2 Make Crypto Easier for Developers
Published 2013-01-15
Note: cross-posted on the OracleIDM blog.
On my last blog post on Oracle IDM, Marc asks some very good questions that deserve a longer response:
Phil,
Here's where I get confused about OAuth2. I keep hearing you don't need crypto (which is often where developers get so tripped up on other federation protocols) but how do you securely have a self-contained token without crypto? You…

Is OAuth2 Ready for Use?
Published 2013-01-15
In what seems to be becoming a regular thing, I have another blog post on the Oracle IDM blog, "Standards Corner: A Look at OAuth2", where I answer some tough questions:
What is the difference between OAuth1 and OAuth2?
Is OAuth2 mature enough to use?
Should customers deploy OAuth1?
What's happening with OAuth2?

No Time To REST For The Holidays
Published 2013-01-08
I was invited to sum up 2012 and make my predictions for 2013 on the Oracle IDM blog. Check out my post here covering:
Emergence of REST-based Cloud
Fat Apps are now Phat!
Web 3 Drives Forward a New Authorization Model: OAuth2
Is SAML Dead or Just Starting?
Provisioning to the Cloud
Looking Forward - The Emergence of the Identity Cloud and the Interop Language

OAuth2 Threat Model is now RFC 6819
Published 2013-01-07
OAuth2 has proven to be a broadly successful tool for authorizing access to web resources from a variety of browser and non-browser web clients. With such wide applicability came an incredibly broad set of security scenarios that OAuth2 needed to cover. It is testimony to the working group that this was achievable while maintaining the simplicity of the original OAuth specification.
The contents…

SCIM - What Should A New SCIM WG Address?
Published 2012-03-14
In my last blog post, I mentioned that SCIM 1.0 is defined as a simple provisioning API for cloud application service providers. SCIM is architecturally oriented as a connector API specification in a hub-and-spoke architecture, typically with an enterprise provisioning system at the hub and a cloud application service provider being a spoke. Other variations could include provisioning for…

Simple Cloud Identity Management - Getting Started
Published 2012-03-12
Good news! The folks behind SCIM have decided to begin the process to formalize SCIM at the IETF. To kick things off, there will be a birds-of-a-feather session at the upcoming IETF meeting in Paris at the end of the month.
The diagram (not included in this feed) shows the typical scenario that SCIM attempts to solve. The perspective of SCIM is to provide a common RESTful API for cloud SaaS providers that…

Going on strike
Published 2012-01-17
This blog will be going on strike January 18 from 8AM to 8PM in support of the SOPA/PIPA protest.
This protest reflects my personal concerns about the upcoming US legislation and does not necessarily reflect those of my employer.