Fundamentals of API Authorization (It's All About Trust)
Regardless of the particular machinery involved, users and clients must identify themselves to a service. This means users and clients have identities and credentials
I think we can take these as axioms:
1) Internet2 has a recommended identity solution for people users --- Shibboleth and InCommon metadata.
2) Internet2 has an identity system for services --- Incommon Certificate Service.
3) Internet2 is all about federation and inter-institutional collaboration.
Users are already well taken care of with Shibboleth, InCommon metadata and person registries. We are developing APIs for the latter. A service can easily identify a user and know about her (via attributes). Federation allows services to identify users from different institutions.
What is needed is similar support for API clients---a registry of entities.
An Entity Registry, of both services and clients, supported by a standardized API, seems necessary. Entity attributes, while not the same as those of a person, are similar and could be handled by similar APIs.
I'll note that InCommon Certificate Authority already gives us one mechanism of entity federation. Possibly a client could use its certificate to register with an entity registry, or to get a credential from an authorization service.
Jim