The emerging digital business landscape needs a modernized identity protocol stack that is baked into every application, that scales to Internet proportions, and hides its complexity from developers and end-users, according to Patrick Harding, CTO of Ping Identity.
Harding, speaking Wednesday at the opening of the Cloud Identity Summit in Napa, Calif., said what's needed is something akin to TCP/IP for identity.
"This is key for the emerging business landscape that includes federated business, mobile ubiquity, social integration and the coming Internet of things," said Harding. "We need to focus on this standardized secure identity layer that all of this stuff can plug in to."
In order for this layer to handle tens of thousands of applications running across the Internet and eventually millions of attached devices with their own ID, the layer must service native and web-based applications, eliminate the need for passwords, and automate all authentication steps, including discovery.
Harding acknowledged there is still a lot of work to do, but he said the foundation is shaped by a trio of emerging protocols -- OAuth, OpenID Connect (OIDC) and the System for Cross-Domain Identity Management (SCIM).
OAuth is a framework for authentication/authorization and is the basis for both OIDC (authentication) and SCIM (provisioning).
"These [elements] are the foundation of what this identity stack needs to look like," Harding said.
The key is simplifying everything as much as possible. "It is automation for developers, for end-users, we have to eliminate all the friction here," he said. "Developers should not have to know how OIDC and SCIM work."
And Harding said it is up to service providers to push the complexity behind interfaces. "It is behind those interfaces where all the hard work happens, and those interfaces are exposed to end-users and developers in very simple ways."
From the developer perspective, for example, an API is used to complete authentication of a user and in turn eliminate the use of passwords.
"OpenID Connect is the API for authentication," Harding said.
The interface would mask the authentication end-point and its variables, such as local or remote, mobile or web, federated or non-federated.
"I'm not talking about identity-enabled APIs with access tokens in their requests," Harding said. "This is deliberately APIs for identity."
For example, OAuth is seen as the basis of a security API in general, which could be an identity API, a financial services API, or an HR API.
Harding provided a couple of scenarios after his demos failed to cooperate. (The demo video is now posted online.) One was single sign-on to native mobile applications using OAuth and OpenID Connect as the foundation for APIs.