Introducing Token-Based Access Control (TBAC)

TBAC is a new access control model that leverages the rich context encoded in tokens, such as JWTs, to make dynamic, fine-grained access decisions. Unlike existing models like RBAC, ABAC, or ReBAC, which rely on roles, attributes, or relationships, TBAC evaluates access based on the information embedded in a bundle of tokens, providing unparalleled flexibility and contextual awareness.


Why TBAC?

  • Existing Limitations: RBAC is too static, limited to predefined roles that normally describe people, not workloads; ABAC is too arbitrary, since everything becomes an attribute; ReBAC is relationship-driven but lacks broader context.
  • TBAC Advantage: Combines the strengths of all three by directly leveraging token claims (e.g., roles, attributes, session info, and more) for real-time decision-making.

Key Features of TBAC

  1. Token-Centric Authorization: Evaluates access based on a bundle of tokens provided with a request.
  2. Dynamic Context Awareness: Decisions depend on real-time information like device type, session location, or expiration times.
  3. Multi-Token Support: Processes tokens from multiple sources (e.g., federated identity providers).
  4. Fine-Grained Policies: Allows policies to incorporate detailed claims like role, department, or custom_claim.
  5. Edge or Local Evaluation: Supports efficient, WebAssembly-based policy evaluation for low-latency environments.
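
As an added illustration of features 1 through 4 (this is example code, not code from the article or from Gluu), the following Python evaluator first verifies every token in a bundle and only then checks a policy whose rules state which issuer must vouch for each claim, so a token from one source cannot shadow claims that another source is responsible for. The issuer keys, the policy table, the `mint_jwt` helper and the use of HS256 are assumptions constructed for the example.

```python
import base64, hashlib, hmac, json

# Constructed sample key material: one HS256 key per trusted issuer (assumption for the example).
ISSUER_KEYS = {"idp": b"idp-secret-key", "mdm": b"mdm-secret-key"}
# Policy: for each action, the (issuer, claim, value) triples that must all hold. Binding each
# claim to the issuer allowed to assert it stops one token from shadowing another's claims.
POLICY = {
    "payments:transfer": [("idp", "role", "treasurer"), ("mdm", "device_managed", True)],
}

def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64u_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_jwt(claims: dict, key: bytes) -> str:
    """Hypothetical issuer helper: builds a compact HS256 JWT for the sample bundle."""
    head = _b64u(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64u(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64u(sig)}"

def verify_jwt(token: str, now: float):
    """Return the claims only if the token is well-formed, uses the expected algorithm, is signed by a known issuer and is unexpired; else None."""
    try:
        head, body, sig = token.split(".")
        alg = json.loads(_b64u_decode(head))["alg"]
        claims = json.loads(_b64u_decode(body))
        key = ISSUER_KEYS[claims["iss"]]  # issuer named in the token must be one we trust
    except (ValueError, KeyError, TypeError):
        return None
    if alg != "HS256":  # refuse algorithm substitution (e.g. "none")
        return None
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64u_decode(sig)):
        return None
    return claims if claims.get("exp", 0) > now else None

def evaluate(bundle: list, action: str, now: float) -> bool:
    """TBAC decision: every token must verify (fail closed), then each rule is checked against the claims of its designated issuer."""
    by_issuer = {}
    for tok in bundle:
        claims = verify_jwt(tok, now)
        if claims is None:
            return False
        by_issuer[claims["iss"]] = claims
    rules = POLICY.get(action, [])
    return bool(rules) and all(by_issuer.get(iss, {}).get(k) == v for iss, k, v in rules)
```

In production the shared HS256 keys would be replaced by the issuers' public keys (for example fetched from their JWKS endpoints), and the `aud` claim would also be checked so a token minted for another service is not accepted.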


Applications

  1. Cloud Platforms: Enforce fine-grained permissions for APIs and multi-tenant resources.
  2. FinTech: Dynamically restrict transactions based on token claims (e.g., fraud detection).
  3. Zero Trust Architectures: Fit seamlessly into systems that require context-driven, dynamic access.
  4. IoT: Enable policy enforcement on edge devices using locally evaluated tokens.
  5. Multi-Tenant SaaS: Simplify tenant-specific policies with token-based contextual decisions.


Challenges

  • Complexity: Token validation and policy management can become intricate.
  • Token Security: Requires robust safeguards to protect token integrity and transport.


Conclusion

TBAC opens the door to dynamic, token-centric authorization, suitable for modern, distributed systems where real-time context matters. It represents a significant evolution in access control, aligning with the needs of today's cloud-native, multi-tenant, and federated architectures.

Would you like to explore how TBAC can fit into your application or infrastructure? Let's discuss!


Francis Pouatcha

Co-Founder and Technical Lead at adorsys

2 weeks

Great article, Mike Schwartz—your insights on TBAC brilliantly highlight how leveraging token claims can transform access control. I fully agree that TBAC is essential for implementing resilient zero trust environments, paving the way for more secure, dynamic infrastructures.

Martin Besozzi

Identity & Access Management Architect | Identity Standard Specialist | Founder

3 weeks

Great article, Mike! I will start using the TBAC concept when explaining authorization with token claims.

Mike Schwartz

Gluu Founder / CEO

3 weeks

Don't want to send JWTs over the network? Don't mind token introspection? I wrote up this quick article to show how you can use your reference tokens, but still have a JWT version for policy evaluation: https://www.dhirubhai.net/pulse/reference-tokens-versus-jwts-mike-schwartz-6uwtc/?trackingId=EriVearzSjkmPCwbOBu3kw%3D%3D

Jim Hartsema

Shaping the Future with Secure Digital Identity – Empowering Trust | eIDAS2.0

1 month

But TBAC alone does not tackle the real "authentication crisis". Because who requests access? A user account. Who is bound to that user account? Currently, we cannot say for 100% sure, right? There is a lack of true digital identity. I'm a big fan of TBAC because it enforces something I call "least privilege". But how do you ensure the account used is the legitimate person? This is something the EU tries to solve with eIDAS2.0. Mike Schwartz, some homework for your readers?
