The concepts of ABAC (Attribute-Based Access Control) and OAuth2 are easy to confuse, and it is not always clear when ABAC or OAuth2 should be applied.
I think this question can be rephrased as "what kind of problems can OAuth and ABAC solve?". Here I would like to share my opinion.
ABAC and OAuth are two different access control solutions, but they are not in the same dimension: ABAC is a methodology, while OAuth2 is an RFC protocol. In general, though, both can be used to answer the same question:
Can A do_X on B ?
In OAuth, A is the "client": it can be a native app or a backend service, but in general it is an NPE (Non-Person Entity). B is the "resource", which belongs to the resource owner.
In ABAC, A can be either an NPE or a person, and B can be anything, without any constraint on context.
From the above analysis, we can draw the following conclusions:
- ABAC is much more generic than OAuth;
- When the subject of the access request is a person, only ABAC can be applied;
- But OAuth is simpler than ABAC. For access control between machines or services (machine-to-machine / service-to-service), we can use OAuth2 to keep things simple;
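To make the "Can A do X on B?" comparison concrete, here is an added example in Python (not code from the original post): a toy ABAC evaluator whose rules range over subject, action, resource and environment attributes, next to an OAuth2 resource-server check that only looks at the scopes the resource owner granted to a client's token. The policy rules, the `records:read`/`records:write` scope names and the sample attributes are all assumptions made up for this illustration.

```python
from dataclasses import dataclass, field

# Constructed sample model: a subject (person or NPE), a resource with an owner,
# and the two ways of answering "Can A do X on B?" discussed above.
@dataclass
class Subject:
    id: str
    kind: str                      # "person" or "npe" (Non-Person Entity)
    attrs: dict = field(default_factory=dict)

@dataclass
class Resource:
    id: str
    owner: str                     # id of the resource owner
    attrs: dict = field(default_factory=dict)

# --- ABAC: a policy is a set of rules over subject, action, resource and environment
# attributes. The rules below are hypothetical; a real deployment loads them from a policy store.
def abac_allows(subject: Subject, action: str, resource: Resource, env: dict) -> bool:
    # Rule 1: the owner may do anything with their own resource.
    if subject.id == resource.owner:
        return True
    # Rule 2: a clinician (a person) may read records of their own department during office hours.
    if (action == "read"
            and subject.attrs.get("role") == "clinician"
            and subject.attrs.get("department") == resource.attrs.get("department")
            and 8 <= env.get("hour", -1) < 18):
        return True
    # Rule 3: an indexing service (an NPE) may read any record, but never write.
    if action == "read" and subject.kind == "npe" and subject.attrs.get("service") == "indexer":
        return True
    return False  # default deny

# --- OAuth2: the client (an NPE) presents an access token; the resource server only checks that
# the token is still valid, was granted by this resource's owner, and carries a scope covering
# the action. Nothing about the *person* behind the client is evaluated here.
SCOPE_FOR_ACTION = {"read": "records:read", "write": "records:write"}

def oauth_allows(token: dict, action: str, resource: Resource, now: int) -> bool:
    if token.get("exp", 0) <= now:                     # expired token
        return False
    if token.get("sub") != resource.owner:             # token granted by a different owner
        return False
    granted = set(token.get("scope", "").split())
    return SCOPE_FOR_ACTION.get(action) in granted     # unknown action -> None -> denied
```

Note that the person-subject case (Rule 2) has no counterpart in `oauth_allows`: that is the point in the second conclusion above.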
OIDC, for its part, is a profile of OAuth. Its main design purpose is to provide a standard authentication flow, together with an endpoint for fetching the user's information (userinfo).