by wsh 449 days ago
I’ve always thought of Kerberos as a centralized authentication system, to establish users’ identities.

Authorization, in the sense of deciding to allow or deny a requested action by a known user on a specific object, remains distributed, even with Kerberos. For example, a Windows file server, having received a Kerberos ticket showing a user’s identity and security group memberships, consults its own access control lists to determine what operations to allow on files and directories.

The article here argues that those authorization decisions should also be centralized, presumably using the sponsor’s “cloud-native authorization platform,” instead of being made within each service or application.

1 comments
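The split the post describes, as an added example that is not part of the thread (neither commenter wrote it): a Python toy in which the "ticket" carries only identity claims (a user SID plus group SIDs, the way a Windows PAC does), while each resource owner holds its own ordered ACL and makes the allow/deny decision locally. The access-mask bits, SIDs, group names and paths are constructed sample values, not real Windows constants, and the evaluation loop is a simplified model of Windows DACL checking (deny ACEs stop the walk; allow ACEs accumulate until every requested bit is granted), not the actual kernel code.

```python
"""Added example: authentication centralized, authorization decided per resource.

The Ticket models what a Kerberos KDC / Windows PAC hands over: who the caller
is and which groups they belong to. The Resource models a file server object
whose own DACL is consulted for every request. All identifiers below are
constructed for the example.
"""

from dataclasses import dataclass

# Access-mask bits, constructed for this example (not the real Windows values).
READ = 0x1
WRITE = 0x2
DELETE = 0x4


@dataclass(frozen=True)
class Ticket:
    """Identity claims only: no per-object permissions travel in the ticket."""
    user_sid: str
    group_sids: frozenset

    def sids(self):
        return {self.user_sid} | self.group_sids


@dataclass(frozen=True)
class Ace:
    kind: str   # "allow" or "deny"
    sid: str    # trustee the ACE applies to
    mask: int   # access bits the ACE grants or denies


@dataclass
class Resource:
    """A file or directory whose owner keeps and evaluates its own DACL."""
    name: str
    dacl: list  # ordered ACEs; canonical order puts explicit denies first

    def check_access(self, ticket, requested):
        """Walk the ACEs in order. An ACE is relevant only if its trustee SID is
        the caller's SID or one of the caller's groups. A relevant deny ACE that
        covers any requested bit not yet granted denies the whole request; relevant
        allow ACEs accumulate granted bits until all requested bits are covered.
        An empty DACL grants nothing."""
        principal = ticket.sids()
        granted = 0
        for ace in self.dacl:
            if ace.sid not in principal:
                continue
            remaining = requested & ~granted
            if ace.kind == "deny" and ace.mask & remaining:
                return False
            if ace.kind == "allow":
                granted |= ace.mask & requested
                if granted == requested:
                    return True
        return granted == requested


# Constructed sample principals (SIDs are placeholders, not real domain SIDs).
DOMAIN_USERS = "S-1-5-21-EXAMPLE-513"
FINANCE = "S-1-5-21-EXAMPLE-2001"
CONTRACTORS = "S-1-5-21-EXAMPLE-2002"

ALICE = Ticket("S-1-5-21-EXAMPLE-1001", frozenset({DOMAIN_USERS, FINANCE}))
BOB = Ticket("S-1-5-21-EXAMPLE-1002", frozenset({DOMAIN_USERS, CONTRACTORS}))

# Two resources, each with its own DACL; the same ticket gets different answers.
BUDGET = Resource(r"\\fileserver\finance\budget.xlsx", dacl=[
    Ace("deny", CONTRACTORS, WRITE | DELETE),        # contractors may not modify
    Ace("allow", FINANCE, READ | WRITE | DELETE),
    Ace("allow", DOMAIN_USERS, READ),
])
SCRATCH = Resource(r"\\fileserver\public\scratch.txt", dacl=[
    Ace("allow", DOMAIN_USERS, READ | WRITE),
])


def decisions():
    """Each result is computed by the resource owner against its own DACL; the
    ticket contributed nothing but identity and group membership."""
    return {
        "alice_read_budget": BUDGET.check_access(ALICE, READ),
        "alice_write_budget": BUDGET.check_access(ALICE, WRITE),
        "bob_read_budget": BUDGET.check_access(BOB, READ),
        "bob_write_budget": BUDGET.check_access(BOB, WRITE),
        "bob_read_write_budget": BUDGET.check_access(BOB, READ | WRITE),
        "bob_write_scratch": SCRATCH.check_access(BOB, WRITE),
        "bob_delete_scratch": SCRATCH.check_access(BOB, DELETE),
    }


if __name__ == "__main__":
    for request, allowed in decisions().items():
        print(f"{request}: {'allow' if allowed else 'deny'}")
```

The same Bob ticket is denied WRITE on the budget file (a deny ACE on his Contractors group fires before any allow) yet permitted WRITE on the scratch file, because nothing in the ticket says anything about either file; the decision lives with whichever server holds the object.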

Kerberos does support authorization. Windows supports this at the Windows group level.[1] Finer grained control requires something else.

Outsourcing "authorization" to an external service comes across as a really bad idea with huge "backdoor" potential.

[1] https://security.stackexchange.com/questions/36072/what-is-i...