JPMorgan Chase CISO Fires Warning Shot Ahead of RSA Conference

4 transpute 2 5/1/2025, 1:21:09 AM securityweek.com ↗

Comments (2)

bob1029 · 8h ago
> Modern integration patterns, however, dismantle these essential boundaries, relying heavily on modern identity protocols (e.g., OAuth) to create direct, often unchecked interactions between third-party services and firms’ sensitive internal resources.

I recently got an email from a big banking vendor about certain APIs requiring OAuth moving forward. Getting a lot of mixed signals from leadership in this industry.

Regardless, certificate-based authentication is a really good thing when done "all the way" (i.e., with proper, audited HSMs and cert management processes on both sides). I think OAuth begins to turn into a screen door once we get into Azure/AWS as the IdP and lazily stringing services together with platform-managed keys. Determining the effective permissions of a given user principal in Azure Active Directory might as well be a celestial navigation exercise.

I think which identity provider we are trusting and how they are enforcing our use of their services is ~99% of the problem space.
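The point about which identity provider is trusted being most of the problem can be made concrete with a token validator that pins the set of accepted issuers rather than accepting any well-formed bearer token. The example below is added here and is not the commenter's code or any vendor's; issuer URLs, keys, audience and scope names are constructed for illustration, and the effective-scope step (intersecting what the token grants with what the service allows that caller) is an assumed policy, not an Azure or AWS feature. It uses HS256 with a per-issuer shared key so it runs offline; a real IdP would publish asymmetric keys.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed trust store: the only issuers this service accepts, each with its
# verification key. A token from any other IdP is rejected before its claims matter.
TRUSTED_ISSUERS = {
    "https://idp.example-bank.test": b"constructed-key-for-trusted-idp",
}
EXPECTED_AUDIENCE = "payments-api"  # assumed name of this service


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Build an HS256 JWT. Used here only to construct sample input; the `alg`
    header value can be overridden to construct negative test vectors."""
    header = b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def tamper_subject(token: str, new_sub: str) -> str:
    """Rewrite the `sub` claim while keeping the original signature (test helper)."""
    header, payload, sig = token.split(".")
    claims = json.loads(b64url_decode(payload))
    claims["sub"] = new_sub
    return f"{header}.{b64url(json.dumps(claims).encode())}.{sig}"


def validate_token(token: str, now=None) -> dict:
    """Return the claims only if the issuer is pinned, the signature verifies under
    that issuer's key, the audience is this service, and the token is unexpired."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        # The token never gets to choose the algorithm; the trust store does.
        raise ValueError("unsupported alg")
    claims = json.loads(b64url_decode(payload_b64))
    key = TRUSTED_ISSUERS.get(claims.get("iss"))
    if key is None:
        raise ValueError("untrusted issuer")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    if claims.get("aud") != EXPECTED_AUDIENCE:
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


def check(token: str, now=None):
    """Convenience wrapper: (True, "ok") or (False, reason)."""
    try:
        validate_token(token, now)
        return (True, "ok")
    except ValueError as e:
        return (False, str(e))


def effective_scopes(claims: dict, allowed_for_caller) -> set:
    """Assumed policy: the caller gets the intersection of what the IdP granted in
    the token and what this service permits for that caller, never the union."""
    granted = set(claims.get("scope", "").split())
    return granted & set(allowed_for_caller)


if __name__ == "__main__":
    now = time.time()
    key = TRUSTED_ISSUERS["https://idp.example-bank.test"]
    tok = mint_token({"iss": "https://idp.example-bank.test", "aud": EXPECTED_AUDIENCE,
                      "sub": "svc-ledger", "scope": "payments.read payments.write",
                      "exp": now + 300}, key)
    print(check(tok, now))
    print(effective_scopes(validate_token(tok, now), ["payments.read"]))
```

The ordering matters: the issuer lookup happens before signature verification, so the key used to check the signature is the one the trust store assigns to that issuer, not one the token names. Rejecting any `alg` other than the configured one closes the class of downgrade mistakes where a validator is talked into treating a token as unsigned.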

cebert · 9h ago