The proliferation of micro-services along with the changing threat landscape means it is no longer possible to rely on network segmentation to establish a secure permitter while allowing broad access between services inside the perimeter. As a result, we have to assume that the attackers are inside the perimeter and apply fine grained authorization at the microservice level to ensure least privilege access based on the context of each transaction. This context includes details of the transaction, the user, other services, or workloads in the call chain as well as the trust domains in which the services operate.
The good news is that there are two new complimentary standards being developed in the IETF OAuth working group that provide a standardised mechanism for preserving transaction context. The Transaction Tokens draft provides a mechanism for preserving context for fine grained authorization decisions within a trust domain, while Identity Chaining across Trust Domains provides a mechanism for preserving that context even when crossing trust boundaries. In this session we will provide an overview of these two emerging standards and describe how they are used to enable fine grained authorization in microservices.
