
Identity and Access

In the context of a platform, identity and access is most frequently a service that applications use to wire up authentication and authorization in a common, well-understood manner. By offering identity and access management as a capability of the platform, we spare product applications from having to reinvent the wheel for such critical functionality.

This capability can differ greatly depending on the needs of the applications and services that consume it, but generally it allows an application to delegate login, or the challenge for proof of identity, to the platform. The application then uses the result of that challenge, typically a signed credential such as a token that the platform issued to the user, to grant access to sensitive information or processes. The application never sees the user's primary credentials, but it must still validate what the platform hands back (signature, issuer, intended audience, expiry) before trusting it.

The technical aspects of how client apps consume the Identity and Access service should rely on rigorously tested standards rather than bespoke protocols. Often the service lets client apps bring their own sources of identity through federation. This allows client apps to root their identity in their existing systems while still making use of the common auth service offered by the platform.
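The delegated login described above, and the standard it typically rests on, as an added worked example that is not code from the original page: an application validating the OpenID Connect ID token it receives back from the platform's provider. HS256 with a shared secret is used so the example runs offline with only the standard library; a real provider signs asymmetrically (RS256 or ES256) and publishes its public keys at a JWKS endpoint. The issuer URL, client ID, secret and claims are constructed values.

```python
"""Added example (not from the original page): validate the OIDC ID token an
application receives after delegating login to the platform. HS256 with a
shared secret keeps it offline and stdlib-only; real providers use RS256/ES256
with keys fetched from their JWKS endpoint. All names below are constructed."""

import base64
import hashlib
import hmac
import json
import time

# Constructed values: the platform's issuer URL, this app's client_id (the
# expected audience) and the signing secret shared with the provider.
ISSUER = "https://auth.platform.example"
CLIENT_ID = "orders-web"
SIGNING_SECRET = b"example-secret-do-not-use"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, secret: bytes = SIGNING_SECRET) -> str:
    """Build an HS256 JWT the way the provider would (demo only)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_id_token(token: str, *, now=None, secret: bytes = SIGNING_SECRET,
                    issuer: str = ISSUER, audience: str = CLIENT_ID) -> dict:
    """Check signature and the claims OIDC requires; return claims or raise.

    Raising (rather than returning None) keeps a failed login from being
    mistaken for an anonymous-but-allowed request further down the stack.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a three-part JWT")
    header_b64, payload_b64, sig_b64 = parts

    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the token must never choose it (blocks alg=none and
    # key-confusion attacks).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected or missing alg")

    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")

    claims = json.loads(_b64url_decode(payload_b64))
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")               # a string or a list of strings
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token was not issued for this client")
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired")
    if "nbf" in claims and now < claims["nbf"]:
        raise ValueError("token not yet valid")
    if not claims.get("sub"):
        raise ValueError("missing subject")
    return claims


def login_result(token: str, now=None):
    """Return the authenticated subject, or None if the token is rejected."""
    try:
        return verify_id_token(token, now=now)["sub"]
    except ValueError:
        return None


if __name__ == "__main__":
    t0 = 1_700_000_000
    good = mint_id_token({"iss": ISSUER, "aud": CLIENT_ID, "sub": "user-42",
                          "iat": t0, "exp": t0 + 300})
    print(login_result(good, now=t0 + 10))
    print(login_result(good, now=t0 + 600))   # expired
```

The checks are deliberately in a fixed order: algorithm pinning and signature first, so that no claim is read from an unauthenticated payload; audience is checked against the app's own client ID, because a token the provider issued to some other client is still validly signed.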

Machine identity, and in particular SPIFFE (the Secure Production Identity Framework for Everyone), is a relatively new approach that turns the trust built into workloads running in known-good environments into an authentication mechanism: a workload is issued a short-lived, verifiable identity document (an SVID) rather than a static secret. This is considered more secure than long-lived pre-shared secrets such as service-account passwords or API tokens, which can be copied, leaked and replayed for as long as they remain valid.
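What consuming a SPIFFE identity looks like once mutual TLS has verified a peer's X.509-SVID, as an added example that is not code from the original page or from the SPIFFE project: parse the SPIFFE ID carried in the certificate's URI SAN, enforce the ID syntax from the SPIFFE specification, and authorize by trust domain and path prefix. The trust domain `prod.example.com`, the namespace/service-account path layout and the policy are constructed for the example.

```python
"""Added example (not from the original page): parse and validate a SPIFFE ID
(spiffe://<trust-domain>/<path>) and make an authorization decision on it, as
a service would after mTLS verified the peer's X.509-SVID. Syntax rules follow
the SPIFFE ID specification; trust domain and paths are constructed."""

import re
from typing import Iterable, Tuple

# Per the SPIFFE ID spec: trust domain is lowercase letters, digits, '.', '-'
# and '_' only (no port, userinfo or percent-encoding); path segments may also
# contain uppercase letters. Nothing else, so '?', '#', '%' and ':' are rejected.
_TRUST_DOMAIN_RE = re.compile(r"^[a-z0-9._-]+$")
_PATH_SEGMENT_RE = re.compile(r"^[A-Za-z0-9._-]+$")
MAX_SPIFFE_ID_LEN = 2048


def parse_spiffe_id(spiffe_id: str) -> Tuple[str, str]:
    """Return (trust_domain, path) or raise ValueError.

    The path keeps its leading '/'; a bare trust-domain ID yields path ''.
    """
    if len(spiffe_id.encode()) > MAX_SPIFFE_ID_LEN:
        raise ValueError("SPIFFE ID too long")
    scheme, sep, rest = spiffe_id.partition("://")
    if not sep or scheme != "spiffe":          # scheme is case-sensitive
        raise ValueError("scheme must be exactly 'spiffe'")
    trust_domain, slash, path = rest.partition("/")
    if not trust_domain or not _TRUST_DOMAIN_RE.match(trust_domain):
        raise ValueError("invalid trust domain")
    if not slash:
        return trust_domain, ""
    if path == "":
        raise ValueError("path must not end with '/'")
    for segment in path.split("/"):
        # Empty, '.' and '..' segments are forbidden so IDs cannot be
        # normalised into a different identity by a lenient consumer.
        if segment in ("", ".", ".."):
            raise ValueError("empty or relative path segment")
        if not _PATH_SEGMENT_RE.match(segment):
            raise ValueError(f"invalid characters in segment {segment!r}")
    return trust_domain, "/" + path


def authorize(peer_id: str, *, trust_domain: str,
              allowed_prefixes: Iterable[str]) -> bool:
    """Admit a peer whose SVID is in our trust domain and under an allowed path.

    A foreign (even federated) trust domain is denied here: trusting another
    domain's bundle is a separate, explicit policy decision.
    """
    try:
        td, path = parse_spiffe_id(peer_id)
    except ValueError:
        return False
    if td != trust_domain:
        return False
    # Match on whole path segments, so '/ns/payments/sa' does not admit
    # '/ns/payments/sa-evil/...'.
    return any(path == p or path.startswith(p + "/") for p in allowed_prefixes)


if __name__ == "__main__":
    policy = dict(trust_domain="prod.example.com",
                  allowed_prefixes=["/ns/payments/sa"])
    for peer in ("spiffe://prod.example.com/ns/payments/sa/api",
                 "spiffe://prod.example.com/ns/payments/sa-evil/api",
                 "spiffe://staging.example.com/ns/payments/sa/api",
                 "spiffe://prod.example.com/ns/payments/../admin"):
        print(peer, "->", authorize(peer, **policy))
```

The prefix match is done on whole path segments on purpose; a plain string prefix check is the usual mistake and would let a workload registered under a similarly named path through.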

  • Must provide authentication
  • May provide primitives or framework for authorization
  • Must be well understood and easy to reason about
  • Reduces duplication of effort through delegation
  • Can be tested independently and in conjunction with consumer applications
  • Identity can be federated
  • Machine identity can use modern frameworks like SPIFFE
  • Examples of Standard Protocols:
    • OAuth and OpenID Connect
    • SAML
    • Mutual TLS with pre-provisioned client certificates
    • API tokens (bearer authentication)