The Other Side of Open is Not Closed | CIVICS.com | A Public Information Resource of Dazza Greenwood, JD

abernard102@gmail.com 2013-09-03

Summary:

" ... Resources on the web could be apps and other software, or large-scale enterprise network services, or just a single text file with a few lines of HTML. The concept of enabling access permission to 'protected resources' on the web is the cornerstone of OAuth2 and is now being extended by the OpenID Connect standard, the User Managed Access protocol and other specifications to enable a powerful array of REST-based authorization possibilities. The core Web 2.0 OAuth2 standard is primarily about enabling authorization to use an otherwise inaccessible web-based resource by grant of consent of the resource owner. The protected resource, whether identity data, a photo stream or a location data service or otherwise, is accessible by a third party only according to a scope authorized by the consent of the resource owner. This design pattern has the potential to unleash as much or perhaps far more value and impact outcomes than open data access alone. When a parent can consent to the sharing of educational records to after school reading programs for their children, or patients can authorize access to financial, transactional and meta data related to their health records and citizens can consent to the sharing of their civic participation or disaster relief efforts, then a new plateau of collaboration and engagement is possible. Web 2.0 identity services provide the essential capabilities needed to enable properly controlled access to protected resources. For reference, OpenID Connect is the quintessential expression of Web 2.0 identity services. The first key capability enables users to reuse their identity credentials to log in to a wide range of apps and services and conversely enables apps and services to accept and rely upon externally issued identity credentials. The second key capability enables users to leverage the same SSO identity service to verify ownership of and grant authorized access to their protected resources.
The third key capability is the service-enabled onboarding of apps and services as “third party clients” that are eligible to be granted access to protected resources. These and other important Web 2.0 identity service capabilities have expected business, legal and technical dimensions that can be reflected in highly scalable system rules and architectures [fn 1]. When information is classified as protected rather than open, good policy, good government and good sense suggest inquiring how and when, not whether, access should be granted. In some cases when the risks, harms and likelihood of issues are light then an OAuth2 based authorization solution may be a major win. This may be especially so when the value of access is high, the purpose is important or there is a widely common need for sharing the protected resource. However, the first step in gaining access to the profound benefits available by enabling common approaches to secure and accessible protected resource systems is mastering the line between open access and secure protection. Understanding when a given data-set or other resource is truly open and should be made available for unfettered access to the public at large requires a capacity to recognize the patterns associated with a condition that should prevent open access. Classifying records and other resources as open presumes acknowledgement that no requirements or constraints apply that should prohibit release of or access to that resource ..."

Link:

http://civics.com/the-other-side-of-open/

From feeds:

Open Access Tracking Project (OATP) » abernard102@gmail.com

Tags:

oa.new oa.comment oa.tools oa.privacy oa.apis oa.apps oa.oauth2

Date tagged:

09/03/2013, 11:19

Date published:

09/03/2013, 07:19