A quick metaphor for their importance: information is the life-giving bloodstream of a 21st-century service organization, and these techniques act as "valves" that give that information safe, reliable and correct passageways through which to flow.
In days long gone by, these techniques (concerns) were bundled and recreated inside every single application. Luckily, this wasteful practice soon changed: organization-wide user directory services were built out, and applications interrogated these directory services to validate users and accept or deny information access appropriately.
The advent of the worldwide internet changed this situation, as information could (and needed to) flow across multiple organizations. As a result, information became broader and users became more productive. However, the internet is decentralized, and user information is spread (fractured) across multiple directory services. This causes confusion for both the application provider and the user.
The application provider needs to support multiple heterogeneous directory services, and users have to replicate their information and guarantee its consistency across them.
Unfortunately, this is the reality of today. I am not aware of any elegant solution to this fundamental problem. Lots of open standards (CAS, OAuth, OpenID, SAML, CBA, ...) have been proposed and succeeded marginally, but eventually failed to meet their desired goal. These standards have caused more work and confusion for the application developer and provided no solution for the user to manage his information across different directories.
The situation is not so grim, however, and we hope to make progress on making the experience of both the user (of the application) and the application developer much more pleasant than it is today.
The idea uses a technique well known (and, one could argue, trivial) to all computer science students: introduce an abstraction which hides away the complexity of dealing with multiple directory services. For brevity, we name this abstraction bis, for brokered identity services. This works well in the decentralized internet, as the abstraction can now change independently of the user or the application developer.
For bis to be effective, the following assumptions must hold true:
- bis mediates (proxies) communication from an application to a given directory
- bis normalizes (translates) identity tokens from a given directory
- bis manipulates user entries, replicating data subsets in a given directory on an as-needed basis
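To make the three assumptions concrete, here is a small added example of a broker that sits between an application and two heterogeneous directories. It is illustrative code written for this post, not the author's bis implementation. The two directories (a corporate LDAP-style store and a partner OpenID Connect-style token issuer), their entry and token formats, the sample users, and the function names are all constructed assumptions. The application only ever calls `resolve()` and sees one normalized `Identity` record; the adapters translate each directory's native token, and only the attribute subset the application needs is copied out of the directory entry.

```python
"""Minimal brokered identity service (bis) sketch: mediate, normalize, replicate a subset."""
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass(frozen=True)
class Identity:
    """Directory-independent record handed to the application."""
    subject: str    # stable id, qualified by the directory it came from
    email: str
    groups: tuple   # group/role names, lower-cased and sorted
    directory: str


# Fixed clock so the example is deterministic (constructed value).
NOW = 1_700_000_000

# Constructed stand-in for a corporate LDAP directory, keyed by DN.
CORP_LDAP_ENTRIES = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "mail": "alice@example.com",
        "memberOf": ["cn=staff,ou=groups,dc=example,dc=com",
                     "cn=admins,ou=groups,dc=example,dc=com"],
        "userPassword": "{SSHA}never-leaves-the-broker",  # not replicated
    },
}

# Constructed stand-in for a partner OIDC issuer: opaque token -> claims.
PARTNER_OIDC_TOKENS = {
    "tok-bob-valid": {"sub": "7c2f", "email": "bob@partner.test",
                      "roles": "Reader,Writer", "exp": NOW + 3600},
    "tok-bob-stale": {"sub": "7c2f", "email": "bob@partner.test",
                      "roles": "Reader", "exp": NOW - 1},
}


def _ldap_adapter(token: str, now: int) -> Optional[Identity]:
    """Translate an LDAP DN lookup into the canonical record.
    Only mail and group names are copied; the password hash stays behind."""
    entry = CORP_LDAP_ENTRIES.get(token)
    if entry is None:
        return None
    groups = tuple(sorted(
        dn.split(",")[0].split("=", 1)[1].lower() for dn in entry["memberOf"]))
    return Identity(subject=f"corp-ldap:{token}", email=entry["mail"],
                    groups=groups, directory="corp-ldap")


def _oidc_adapter(token: str, now: int) -> Optional[Identity]:
    """Translate OIDC-style claims into the canonical record, rejecting expired tokens."""
    claims = PARTNER_OIDC_TOKENS.get(token)
    if claims is None or claims["exp"] <= now:
        return None
    groups = tuple(sorted(
        r.strip().lower() for r in claims["roles"].split(",") if r.strip()))
    return Identity(subject=f"partner-oidc:{claims['sub']}", email=claims["email"],
                    groups=groups, directory="partner-oidc")


# Registry of directory adapters; adding a directory never touches the application.
ADAPTERS: Dict[str, Callable[[str, int], Optional[Identity]]] = {
    "corp-ldap": _ldap_adapter,
    "partner-oidc": _oidc_adapter,
}


def resolve(directory: str, token: str, now: Optional[int] = None) -> Optional[Identity]:
    """Broker entry point: the application calls this instead of any directory."""
    adapter = ADAPTERS.get(directory)
    if adapter is None:
        raise ValueError(f"unknown directory: {directory!r}")
    if now is None:
        now = int(time.time())
    return adapter(token, now)


def can_write(identity: Optional[Identity]) -> bool:
    """Application-side authorization that only sees the normalized record."""
    return identity is not None and bool({"admins", "writer"} & set(identity.groups))


if __name__ == "__main__":
    for directory, token in [("corp-ldap", "uid=alice,ou=people,dc=example,dc=com"),
                             ("partner-oidc", "tok-bob-valid"),
                             ("partner-oidc", "tok-bob-stale")]:
        ident = resolve(directory, token, now=NOW)
        print(directory, token, "->", ident, "write:", can_write(ident))
```

Note that the application's `can_write()` check reasons about `groups` only, so an LDAP `memberOf` DN and an OIDC `roles` claim are interchangeable to it; the broker is also the one place where a stale token or a lookup miss is turned into "no identity" rather than leaking a partial record.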
We will study more in detail on each of these points in upcoming posts.