Convener: Alan Karps

Most important question: is the request authorized? Delegatable authorization: without it, the private in the army would be saying "Yes sir, Mr. Obama"; that would be the only way. OAuth consciously conflated authz, authn and identity. The goal was not to exchange credentials; the service side gets a token "letting it be me for a period of time".

Tyler Close, "web key": REST-based federation. Good paper: "ACLs don't". Authorization-based access control is safer than SSO.

Sample Case:

Two companies: A and B. Memorandum of Understanding between the companies. Authz: only US citizens can perform this action; use XACML to express the policy. When user invokes service, he prevents delegation chain.

Alan Karps - might be wrong. Look for papers.

ZBAC: authorization-based access control