OAuth enlivens the identity and access management landscape
Posted by: Brein Matturro
By Alan Earls
For his part, Scott Morrison, CTO at Layer7, a provider of API security and governance for service-oriented, Web-oriented and cloud-oriented integration, argues that OAuth is the most interesting thing happening in identity and access management services.
Morrison says a plus with OAuth is that it is a “good basic idea that sits well with modern developers.” On the other hand, because it is a pure, open standard, it lacks the discipline needed to ensure wide interoperability. With much that remains undefined, Morrison says there is a tension between OAuth as a “quick, grassroots standard and the more rigorous requirements of a formal standard.” But OASYS is now working to formalize OAuth, which may yield positive results.
From his perspective, Morrison says that developers should be mindful of the huge role mobile devices are playing in driving identity management. “With mobile there has been a move toward specific, focused apps, most using RESTful-style protocols. Many of them find themselves depending on OAuth as a means of establishing identity to a remote server,” he says. That, in turn, is driving APIs to be more OAuth-aware. “Mobile apps are really driving the whole API explosion,” he continues.
Another important issue to consider, says Morrison, is the increasing importance of multiple identities being established through mobile communications. For example, a mobile device may need to establish the identity of the app it is using and then (for activities requiring security) the identity of the individual user of the app. In other words, identity management can be a multiple-layer challenge.




