-
Notifications
You must be signed in to change notification settings - Fork 528
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Proposal] Identity and Access Management Whitepaper #1332
Comments
This would be a great service to the community if you took it on. One thought though... as great as KeyCloak is, I don't think any such white paper should be proscriptive about specific solutions when it comes to authn / authz standards. On the authn topic, there are many great open source IDPs--Janssen Project, Ory, Shibboleth just to name a few. Some of these solutions are tailored for specific use cases, for example, Janssen Project for enterprise, or Shibboleth for universities. Also let's not forget that Dex at the CNCF is an "OpenID Connect (OIDC) identity and OAuth 2.0 provider with pluggable connectors". Ultimately, we want to recommend an IDP that supports open standards like OAuth, OpenID and FIDO. There are also a number of Authz solutions domains should consider--AWS Cedar, OPA, OpenFGA just to name a few that are popular in the cloud native space. |
@nynymike
|
@y-tabata I have tentatively marked you as the Project Lead and myself as the supporting STAG Representative. Our next step will be to gather interest from the community to support in the research and writing processes. After sufficient interest has been garnered, I will help kick things off by creating the project schedule, slack channel, TAG calendar meeting entry, and a shared drive location for the group to begin collaborating. For anyone else who is interested, please comment here with a note regarding how you would like to contribute to this Whitepaper effort! |
I would like to participate the activity as a member. |
Hi, I'm interested in contributing to this whitepaper project. |
Hello I am interested in participating the activity as a member. |
Hi, I am interested in contributing to this whitepaper. I wish to contribute towards the research paper writing. |
For me, it would be great to get in. Hoping we will find out some practices that help integrators to find their way through the hill of specs. |
@tnorimat @wadahiro @daian183 @Satarupa22-SD @patatoid |
I’d like to contribute as well. My time zone is CEST. Unfortunately, I have a full-day workshop scheduled next week from Tuesday to Thursday. Would it be possible to record the session for those who are unable to attend? |
@dadrus |
I m interested in contributing especially wrt to federated-identity setups (like pod-identity etc) |
@eddie-knight
|
@Satarupa22-SD Unfortunately, we haven't yet created an LFX recurring meeting for this, so it will start next week at the earliest. |
Sorry that I missed the ping on this! I've just submitted the request for an LFX meeting. |
Zoom meeting has been created and added to all of the calendars we are part of. The last thing we'll need to do is update the repo with information about this project. |
In the first meeting today, determine the scope according to the Process for Creating Papers. |
Currently, we moved to phase 2, "Tasking Assignment". |
Description:
Authentication and authorization are the most important security considerations in the cloud-native ecosystem, as evidenced by their high ranking in the OWASP Top 10 and OWASP Top 10 API Security Risks.
On the other hand, authentication and authorization frameworks have a wide range of related specifications, including OAuth and OpenID Connect, and it can be difficult for implementers to implement the frameworks, so it would be beneficial to publish best practices for identity and access management.
Fortunately, Keycloak, a powerful IAM OSS, has joined the CNCF ecosystem as a CNCF incubating project, so it may be time to consider what IAM should be like in the cloud-native world.
Impact:
As seen in the high rankings in the OWASP Top 10 and OWASP Top 10 API Security Risks, security risks related to authentication and authorization remain of great concern to customers. Once IAM best practices are published, they can mitigate these concerns and realize a more secure cloud-native ecosystem.
Scope:
not yet determined.
Authentication and authorization are broad terms, and some of them are related to other areas like zero trust currently the WP being promoted, so it is very important to decide what the scope should be.
Intent to lead:
interested in pursing this work. This statement of intent does not preclude
others from co-leading or becoming lead in my stead.
Proposal to Project:
lead
with call for participation in #tag-security slack channel thread add link
and mailing list email add link
TO DO
Representative
see progress!
The text was updated successfully, but these errors were encountered: