EIC 2024 Recap with David Brossard

Read about David's visit to the European Identity and Cloud Conference in Berlin, and the latest developments in the identity industry.

Our team had a great time at the European Identity and Cloud Conference in Berlin discussing the latest innovations and trends in the identity industry.

Now that we have had some time to collect our thoughts, we spoke with our Chief Technology Officer, David Brossard, about his time at the conference.

What were the major authorization trends or issues highlighted at the event?

David: There is definitely a new trend as well as emerging standards. With regard to trends, we used to talk about admin-time authorization and runtime authorization. We now have event-time authorization. The folks within the OpenID Foundation’s Shared Signals Working Group are spearheading this initiative. And that’s not all: the goal of event-time authorization is to acknowledge the fact that a lot of the authorization today is session-based or token-based but that those tokens may need to be amended during their lifetimes (broadened or tightened depending on context). This is an interesting pattern for applying contextual authorization to a largely OAuth-driven world.

Additionally, policy is no longer the only kid in town when it comes to externalized authorization. Graph-based authorization and access control lists (ACLs) are viable alternatives. This was illustrated during the pre-conference workshop, Unpacking Authorization Approaches: Policy as Code Versus Traditional Business Needs. You can watch the video here and download the slides here. My friend and peer Alex Babeanu explained how graphs can be used to tackle authorization in a low-code way.

And since I mentioned graphs, I also need to mention two new acronyms: policy-as-code (PAC) and policy-as-data (PAD). Some frameworks and products (e.g. OpenFGA and 3Edges) need all the data upfront to be able to create an ontology and reason on the ontology. Others such as Axiomatics and generally any policy-driven approach only need data at runtime. Both approaches have their pros and cons (easier setup when not having to suck in data for instance) and customers should be aware they exist.

Generally, though, the main takeaway was the fact that EIC generously gave OpenID and OpenID’s AuthZEN Working Group time to talk about the WG’s deliverables and in particular the interop that took place the week prior. The bottom line is that 12 vendors & frameworks got together and delivered 14 different implementations that conform to AuthZEN’s implementor’s draft. You can watch the panel on AuthZEN here.

This year’s event featured a track devoted to authorization. How did that build on last year’s event?

David: I’m always secretly worried the hype about authorization is going to fizzle out. But the past couple of years have shown otherwise. In 2023, we had a dedicated track here as well as the closing panel at Identiverse. In 2024, both EIC and Identiverse put authorization front and center. I’d even state that the three hot topics were decentralized identity & verifiable credentials; AI of course; and authorization. The organizers did a great job of weaving sessions together. For instance, my session on AI and Authorization was followed by Alex Olivier’s session on Authorization for Developers. And those 2 sessions were capped with the AuthZEN panel.

What was the most surprising or insightful session?

David: There were a few that struck a chord with me – none related to authorization though. Mike Kiser, Eve Maler, and Kaliya Young gave a beautiful panel on what happens to our digital estate once we pass. Sadly, this has been a relevant topic for our community as we lost loved and respected ones, not least one of my heroes, Vittorio Bertocci.

Vittorio and David on stage at Identiverse 2019.

Generally, I’m very excited about DID and VCs in particular: I’ve lived in seven countries and each time I have to prove who I am, what I’m worth, and why I’m here. VCs will help solve that and will hopefully also eliminate fraud.

Are there any authorization trends you believe will emerge in the next year based on what you heard at the conference?

David: Yes! First of all, right now, there are – as previously mentioned – different approaches. Attribute-based access control (ABAC), relationship-based access control (ReBAC), Zanzibar, etc… I think we’ll see a convergence of those approaches. Much like OpenFGA has had to adapt and introduce limited policies in their framework, policy-based tooling will need to address ACLs (or what I’d call discretionary access control).

Secondly, a call to arms. My co-chairs and I at AuthZEN want to encourage, dare I say entice, non-authorization vendors to embrace AuthZEN. This starts with API gateways and proxies but also cloud platforms, infrastructure products, e.g. Kubernetes, and lastly but most importantly SaaS and COTS vendors. To my friends at Salesforce, I say join our merry band of authorati (credits to Roland Baum and Sebastian Rohr for having coined this new term).

What would you like to see covered at EIC in 2025?

David: There are three things that I would like to see next year at EIC.

The first being pragmatic authorization: let’s see it in action. Let’s take a “naked” API and secure it in 5 minutes or less.

The second thing is authorization lifecycle: what does it mean to write policies? How do you handle the governance of attributes, policies, and more? How do you recertify?

Lastly, out-of-the-box integrations: let’s see software as a service (SaaS) and commercial-off-the-shelf (COTS) embrace AuthZEN.

Thank you for visiting us!

Didn’t get the chance to talk with us at EIC in Berlin? Request a demo and join the movement towards modernized, scalable authorization and access control with policy-driven authorization.

Want to read more about what we talked about at the conference? Here are three great resources for you to look into:

About the author

As the Marketing Communications Specialist, Emme Reichert helps execute content that resonates with customers, partners, and influencers. She has experience with marketing in the healthcare and tourism industries.