Gluu Blog

Follow us:
Back to Blog

The case for OAuth2 Multi-Party Federation

Mike S. June 2, 2015


If you look to the history of the financial industry, you’ll see a good example of how creating the tools and rules for inter-domain collaboration can create huge value. Just consider mortgage backed securities. Agreement on a standard contract for mortgages enabled an entire industry to emerge–one that got so huge it almost took down the world’s largest economy. This is the potential of multi-party federations: to grease the wheels of a diverse number of ecosystems, some of which may be more or less visible to us.

The higher education community’s early adoption of federations like InCommon perhaps encouraged a sort of optimism that was hard to maintain. Important lessons were learned, but at the same time, new requirements have emerged around mobile and Internet of Things (IOT) devices that have limited the ability of existing federations to gain adoption.

Perhaps there is some good news though. We have recently proposed a new working group at Kantara to define a standard federation framework that leverages OAuth2 which would enable support for mobile and IoT devices, as well as websites and applications. This new framework is called the Open Trust Taxonomy for OAuth2, or OTTO.

Think of it like this… I still have a magnetic swipe credit card. Why? Because US retailers have that infrastructure in place. Perhaps early adoption of SAML, the technology behind existing federations, is a similar handicap towards OAuth2 adoption in EDU. When I speak to people in EDU about OAuth2 federation, the idea is usually dismissed because “well, no one’s using it, and we all use SAML.”

But in fact, consumer IDPs and SaaS providers are using OAuth2 quite extensively. OAuth2 solves new authorization uses cases and presents developers with an API that they prefer (REST versus SOAP). How can you expect more adoption of multi-party federations based on an API paradigm that developers generally dislike? You might hate their privacy practices, but Google does a lot of admirable work getting feedback from developers. I don’t think the same developer-centric choices have necessarily been made in the EDU circles.

In the future, maybe we’ll have new standards that better support UDP networks and constrained devices… things will keep changing. We can’t build the perfect field, because we don’t know what kind of field to build right now. But luckily instead of giving up on the field, we can just improve it as we go. Our work is cut out for us… but the business case is there for multi-party federations to move forward, perhaps just not as originally envisioned.

You can read the Kantara Initiative OTTO Working Group announcement here.

Be sure to subscibe to
our RSS Feed

Mike Schwartz

Mike has been an entrepreneur and identity specialist for more than two decades. He is the technical and business visionary behind Gluu. Mike is an application security expert and has been a featured speaker at RSA Conference, Gartner Catalyst, Cloud Identity Summity (now "Identiverse") and many other security conferences around the world.