We've established that the API ecosystem is complicated, and because it is complicated, everything in the ecosystem needs an identity. We need to know what is talking to whom and who is talking to what, we need to be able to track those conversations, and we need to make sure nothing is talking to the wrong thing.
This is more than a consumer identity and access management platform. It is a lot of separate details that have to be managed through business process and then fed into a system that can issue unique identifiers and roles, so that we can produce keys and associate those keys with products.
We need to be able to develop risk factors. If you are trying to use an API or service from two different places at the same time, we should force a check that you are who you claim to be. We need to know which networks you are not allowed to be on, and we should add risk for a possibly compromised identity when you show up on a network we have never seen you on. And we need to add risk to that score based on behavior: you don't usually log in at 2am, so should this login be considered risky?
This isn't just for customers and consumers; it applies to all the services too, whether we're talking about web apps, mobile apps, or the backend services. We need to know who owns those apps, and we need unique identifiers for them. Those apps need attributes so that we can control what they do. We need to manage their keys and their certificates.
That is to say, identities for services get the same sorts of controls as people: scopes, grants, endpoints, and even geographic location. If a key is supposed to live in one data center and starts calling from another location, you know something is wrong. And just like people, we need to be looking at behavior patterns and developing risk scores before something goes wrong, not after.
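The risk factors described in the two paragraphs above (concurrent use from two places, an unknown or forbidden network, off-hours activity) can be folded into one scoring function that treats a person and a service key the same way. The following is an added example written for this page, not code from the original post or from any product it describes; the identities, networks, hours, weights and thresholds are constructed assumptions for the illustration, and the policy model generalizes the post's examples to any number of allowed and denied networks.

```python
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Tuple


# Policy for one identity (a person or a service key). Networks, hours and
# weights are assumptions for this example; a real deployment would load them
# from the identity system the post describes.
@dataclass
class IdentityPolicy:
    principal: str
    allowed_networks: List[ipaddress.IPv4Network]  # where this identity is expected to be
    usual_hours_utc: range                         # hours of day when activity is normal
    denied_networks: List[ipaddress.IPv4Network] = field(default_factory=list)
    unknown_network_weight: int = 40               # a key leaving its data center can weigh more


@dataclass
class Event:
    principal: str
    ts: datetime
    source_ip: str
    location: str  # coarse location label, e.g. "office" or "dc1"


def score_event(policy: IdentityPolicy, recent: List[Event], event: Event,
                concurrency_window: timedelta = timedelta(minutes=10)) -> Tuple[int, List[str]]:
    """Return (risk_score, reasons) for one event. Higher is riskier; weights are assumptions."""
    score, reasons = 0, []
    ip = ipaddress.ip_address(event.source_ip)

    # Signal 1: a network this identity must never be on.
    if any(ip in net for net in policy.denied_networks):
        score += 100
        reasons.append(f"{ip} is on a denied network")
    # Signal 2: a network we have not seen this identity on (possible compromised credential).
    elif not any(ip in net for net in policy.allowed_networks):
        score += policy.unknown_network_weight
        reasons.append(f"{ip} is outside the allowed networks")

    # Signal 3: the same identity active from a different place inside the window.
    for prior in recent:
        if (prior.principal == event.principal
                and prior.location != event.location
                and abs(event.ts - prior.ts) <= concurrency_window):
            score += 50
            reasons.append(f"concurrent activity from {prior.location} and {event.location}")
            break

    # Signal 4: activity outside the identity's usual hours (the 2am login).
    if event.ts.hour not in policy.usual_hours_utc:
        score += 20
        reasons.append(f"activity at {event.ts.hour:02d}:00 UTC is outside usual hours")

    return score, reasons


def decide(score: int) -> str:
    """Turn a score into an action. Thresholds are assumptions for the example."""
    if score >= 100:
        return "deny"
    if score >= 50:
        return "step-up"  # force a check that you are you
    if score >= 20:
        return "monitor"
    return "allow"


# Constructed identities: a person on the corporate network, and a service key
# pinned to one data center for which leaving that network is an outright deny.
ALICE = IdentityPolicy("alice", [ipaddress.ip_network("10.0.0.0/8")], range(8, 19),
                       denied_networks=[ipaddress.ip_network("198.51.100.0/24")])
BILLING_SVC = IdentityPolicy("billing-svc", [ipaddress.ip_network("192.0.2.0/24")], range(0, 24),
                             unknown_network_weight=100)


def _at(hour: int, minute: int = 0) -> datetime:
    return datetime(2024, 3, 4, hour, minute, tzinfo=timezone.utc)


# Constructed events (documentation IP ranges, not real traffic).
ALICE_OFFICE = Event("alice", _at(14, 0), "10.1.2.3", "office")
ALICE_CAFE = Event("alice", _at(14, 5), "203.0.113.7", "cafe")       # five minutes later, elsewhere
ALICE_NIGHT = Event("alice", _at(2, 0), "10.1.2.3", "office")
ALICE_DENIED = Event("alice", _at(14, 0), "198.51.100.9", "unknown")
SVC_DC1 = Event("billing-svc", _at(3, 0), "192.0.2.10", "dc1")
SVC_DC2 = Event("billing-svc", _at(3, 0), "203.0.113.50", "dc2")     # same key, wrong data center

if __name__ == "__main__":
    for recent, ev in [([], ALICE_OFFICE), ([ALICE_OFFICE], ALICE_CAFE), ([], ALICE_NIGHT),
                       ([], ALICE_DENIED), ([SVC_DC1], SVC_DC2)]:
        policy = ALICE if ev.principal == "alice" else BILLING_SVC
        s, why = score_event(policy, recent, ev)
        print(f"{ev.principal:12s} {ev.location:8s} score={s:3d} -> {decide(s):8s} {'; '.join(why)}")
```

Two design choices are worth noting: the denied-network check short-circuits the unknown-network check so a forbidden source is never double counted as merely "unseen", and the per-policy weight is what lets the same function treat a person on new wifi as "ask for a second factor" but a data-center key on a foreign network as "deny".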
And, since the developer portal is part of that API ecosystem, it needs an identity too. The dev portal is where consumers obtain keys, and that process needs to be logged, monitored and controlled. The API gateway itself has an identity so that it can talk to backend services safely, and when it calls those services the backend can limit access based on the compounding permissions from consumer to gateway to service: a request is allowed only if the consumer, the gateway and the service are each permitted to make it.
Even those backend services (or perhaps especially those services) need their own identities and keys to talk to each other.
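One way to make "compounding permissions from consumer to gateway to service" concrete, serving both the gateway paragraph and the service-to-service point above, is to have the backend check the whole call chain: every hop must exist in the identity registry, every hop must be permitted to call the next one, and the effective scope is the intersection of every identity's scopes, so a hop can narrow but never widen what the originating consumer was allowed to do. This is an added example written for this page, not code from the original post or any gateway product; the identities, scopes, operations and registry layout are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Identity:
    id: str                   # unique identifier from the identity system
    owner: str                # who is accountable for this app or service
    scopes: FrozenSet[str]    # what this identity may do in its own right
    may_call: FrozenSet[str]  # which identities it is permitted to call directly


# Constructed identity registry (assumption: in practice this is the identity
# system described in the post, with keys and certificates bound to each id).
REGISTRY: Dict[str, Identity] = {i.id: i for i in [
    Identity("app:mobile-shop", "team-mobile",
             frozenset({"orders:read", "orders:write", "inventory:read"}),
             frozenset({"svc:api-gateway"})),
    Identity("app:partner-dash", "partner-x",
             frozenset({"orders:read"}),
             frozenset({"svc:api-gateway"})),
    Identity("svc:api-gateway", "team-platform",
             frozenset({"orders:read", "orders:write", "inventory:read"}),
             frozenset({"svc:orders", "svc:inventory"})),
    Identity("svc:orders", "team-commerce",
             frozenset({"inventory:read"}),
             frozenset({"svc:inventory"})),
    Identity("svc:inventory", "team-commerce", frozenset(), frozenset()),
]}

# Constructed map of (service, operation) -> scope the effective chain must hold.
REQUIRED: Dict[Tuple[str, str], str] = {
    ("svc:orders", "POST /orders"): "orders:write",
    ("svc:orders", "GET /orders"): "orders:read",
    ("svc:inventory", "GET /stock"): "inventory:read",
}


def authorize(chain: List[str], target: str, operation: str) -> Tuple[bool, FrozenSet[str], str]:
    """Decide whether `target` may perform `operation` for a call chain.

    `chain` lists identities from the originating consumer through every
    intermediary up to the immediate caller of `target`. Returns
    (allowed, effective_scopes, reason).
    """
    if not chain:
        return False, frozenset(), "no caller identity presented"

    # 1. Every participant, including the target, must be a known identity.
    for pid in chain + [target]:
        if pid not in REGISTRY:
            return False, frozenset(), f"unknown identity {pid}"

    # 2. Each hop must be allowed to talk to the next one; the last hop calls the target.
    for caller, callee in zip(chain, chain[1:] + [target]):
        if callee not in REGISTRY[caller].may_call:
            return False, frozenset(), f"{caller} is not permitted to call {callee}"

    # 3. Effective permission is the intersection of every identity's scopes:
    #    a downstream hop can only narrow what the consumer was granted.
    effective = REGISTRY[chain[0]].scopes
    for pid in chain[1:]:
        effective &= REGISTRY[pid].scopes

    needed = REQUIRED.get((target, operation))
    if needed is None:
        return False, effective, f"{target} does not expose {operation}"
    if needed not in effective:
        return False, effective, f"chain lacks scope {needed}"
    return True, effective, "ok"


if __name__ == "__main__":
    cases = [
        (["app:mobile-shop", "svc:api-gateway"], "svc:orders", "POST /orders"),
        (["app:partner-dash", "svc:api-gateway"], "svc:orders", "POST /orders"),
        (["app:partner-dash", "svc:api-gateway"], "svc:orders", "GET /orders"),
        (["app:mobile-shop", "svc:api-gateway", "svc:orders"], "svc:inventory", "GET /stock"),
        (["app:mobile-shop"], "svc:orders", "GET /orders"),
        (["app:mobile-shop", "svc:api-gateway"], "svc:orders", "DELETE /orders"),
    ]
    for chain, target, op in cases:
        ok, eff, why = authorize(chain, target, op)
        print(f"{' -> '.join(chain):55s} {target:14s} {op:14s} {ok!s:5s} {why}")
```

The second case is the one the paragraph is about: the gateway itself holds `orders:write`, but the partner app behind it does not, so the intersection drops the scope and the backend refuses the write even though the immediate caller is trusted. The fifth case shows why backend services need their own identities: `svc:orders` is allowed to reach `svc:inventory` because it is in the registry with a `may_call` grant, while a consumer app calling a backend directly, bypassing the gateway, is rejected at the hop check before scopes are even considered.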
At the end of the day, identity is not an "end of the day" concern. It is something we need to plan for at the beginning of building our ecosystem and our platform, so that we know what is going on, especially as things change and grow.