> Modern integration patterns, however, dismantle these essential boundaries, relying heavily on modern identity protocols (e.g., OAuth) to create direct, often unchecked interactions between third-party services and firms’ sensitive internal resources.

I recently got an email from a big banking vendor about certain APIs requiring OAuth moving forward. Getting a lot of mixed signals from leadership in this industry.

Regardless, certificate-based authentication is a really good thing when done "all the way" (i.e., with proper, audited HSMs and cert management processes on both sides). I think OAuth begins to turn into a screen door once we get into Azure/AWS as the IdP and lazily stringing services together with platform-managed keys. Determining the *effective* permissions of a given user principal in Azure Active Directory might as well be a celestial navigation exercise.

I think which identity provider we are trusting and how they are enforcing our use of their services is ~99% of the problem space.