As you are no doubt aware, the authorization systems you mention in your post are from a class of authorization systems that I call closed loop as opposed to open loop. The distinction I make between the two is that in closed loop systems the issuer of the authorization (be it a token or a set of permissions tied to an account) is also the verifier of the authentication of the accessor in order to release the resource or grant access to the presenter of the authorization. So the issuer forms a closed loop with verification, authentication and authorization grant. This of course is extended via federation so that the IdP acts as both issuer and verifier.
Whereas in an open loop system the issuer of the authorization and the verifier/grantor of authentication/access are two different entities. Open loop systems require extra infrastructure such as a neutral verifiable registry that maintains key state.
This open loop architecture enables cross trust domain transfer of authorizations without exposing each trust domain to privilege escalation.
The cross trust domain problem is IMHO the root cause of privilege escalation attacks because in closed loop systems everyone, everyone's vendor, and everyone's vendor's vendor, i.e., every connected system, must belong to the same trust domain.
What this means is that closed-loop zero trust architectures are at best a half-measure. They are still vulnerable to privilege escalation attacks, albeit less vulnerable because the frequency and scope of verifications limit the extent of the attack.
Therefore, the ultimate solution to the authorization problem IMHO must solve the cross trust domain problem, which requires an open loop architecture.