


OAuth is DAC. What do you do for MAC?

OAuth's design goal is to let end users grant applications access to their resources in the cloud. In other words, the underlying access control model is discretionary: it's my toy, so I decide who gets to play with it. A perfect fit for our brave new world of social media. Or is it?
Most corporations are not so happy to let individual users decide who can access data - they want centralised control and grant access according to a security policy. In other words, Mandatory Access Control, or MAC for short. It is mandatory in the sense that, whatever the people involved in creating the data think or do, the access rules laid down in the policy will be enforced. It is not only staid brick-and-mortar firms that cling to such old-fashioned ideas.
Social media also has a need for MAC. Consider, for example, Twitter, which uses OAuth to give users control over their accounts. To Donald Trump's chagrin, a helpdesk worker suspended @realdonaldtrump in the fall of 2017. There had been no cons…
