Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Authorization is on the rise. What if there was...

Authorization is on the rise. What if there was an API for it?

APIs are eating the world. Over the past 10 years, we've seen the rise APIs for dev and infra teams that have revolutionized how we solve problems like payments (Stripe), communications (Twilio), authentication (Auth0).

In a world where users are starting to care more about their privacy, expect collaboration capabilities from their software, and where adhering to compliance standards is table stakes, Authorization is starting to become one of those concerns to be addressed.

In this talk, we'll go over what Authorization is, some of its core concepts, the context that is making it a rising topic, and explain how developers can use APIs their authorization use cases.

Damian Schenkelman

October 27, 2021
Tweet

More Decks by Damian Schenkelman

Other Decks in Technology

Transcript

  1. In the beginning… RBAC DELETE /customers/{id} const user = await

    db.users.get(cookie.userId); if (user.role === "admin")) { // delete customer // return 204 } else { // return 403 } select role from users where userId == {uid};
  2. In the beginning… RBAC DELETE /customers/{id} const user = await

    db.users.get(cookie.userId); if (user.role === "admin")) { // delete customer // return 204 } else { // return 403 } select role from users where userId == {uid};
  3. In the beginning… RBAC DELETE /customers/{id} const user = await

    db.users.get(cookie.userId); if (user.role === "admin")) { // delete customer // return 204 } else { // return 403 } select role from users where userId == {uid};
  4. In the beginning… RBAC DELETE /customers/{id} const user = await

    db.users.get(cookie.userId); if (user.role === "admin")) { // delete customer // return 204 } else { // return 403 } select role from users where userId == {uid};
  5. In the beginning… RBAC DELETE /customers/{id} const user = await

    db.users.get(cookie.userId); if (user.role === "admin")) { // delete customer // return 204 } else { // return 403 } select role from users where userId == {uid};
  6. I want to use attributes from subject and object… ABAC

    DELETE /customers/{id} const user = await db.users.get(cookie.userId); const customer = await db.customers.get(req.path.id); if (user.department === "IT" && !customer.subscribed)) { // delete customer // return 204 } else { // return 403 } select department from users where id == {uid}; select subscribed from customers where id == {cid};
  7. I want to use attributes from subject and object… ABAC

    DELETE /customers/{id} const user = await db.users.get(cookie.userId); const customer = await db.customers.get(req.path.id); if (user.department === "IT" && !customer.subscribed)) { // delete customer // return 204 } else { // return 403 } select department from users where id == {uid}; select subscribed from customers where id == {cid};
  8. I want to use attributes from subject and object… ABAC

    DELETE /customers/{id} const user = await db.users.get(cookie.userId); const customer = await db.customers.get(req.path.id); if (user.department === "IT" && !customer.subscribed)) { // delete customer // return 204 } else { // return 403 } select department from users where id == {uid}; select subscribed from customers where id == {cid};
  9. I want to use attributes from subject and object… ABAC

    DELETE /customers/{id} const user = await db.users.get(cookie.userId); const customer = await db.customers.get(req.path.id); if (user.department === "IT" && !customer.subscribed)) { // delete customer // return 204 } else { // return 403 } select department from users where id == {uid}; select subscribed from customers where id == {cid};
  10. I want to use attributes from subject and object… ABAC

    DELETE /customers/{id} const user = await db.users.get(cookie.userId); const customer = await db.customers.get(req.path.id); if (user.department === "IT" && !customer.subscribed)) { // delete customer // return 204 } else { // return 403 } select department from users where id == {uid}; select subscribed from customers where id == {cid};
  11. I want to use attributes from subject and object… ABAC

    DELETE /customers/{id} const user = await db.users.get(cookie.userId); const customer = await db.customers.get(req.path.id); if (user.department === "IT" && !customer.subscribed)) { // delete customer // return 204 } else { // return 403 } select department from users where id == {uid}; select subscribed from customers where id == {cid};
  12. I want to know who did what… DELETE /customers/{id} //

    log: cookie.userId requesting authz to delete customer const user = await db.users.get(cookie.userId); const customer = await db.customers.get(req.path.id); if (user.department === "IT" && customer.unsubscribed)) { // log: cookie.userId authorized to delete customer // delete customer // return 204 } else { // log: cookie.userId unauthorized to delete customer // return 403 } select department from users where id == {uid}; select unsubscribed from customers where id == {cid};
  13. I want to know who did what… DELETE /customers/{id} //

    log: cookie.userId requesting authz to delete customer const user = await db.users.get(cookie.userId); const customer = await db.customers.get(req.path.id); if (user.department === "IT" && customer.unsubscribed)) { // log: cookie.userId authorized to delete customer // delete customer // return 204 } else { // log: cookie.userId unauthorized to delete customer // return 403 } select department from users where id == {uid}; select unsubscribed from customers where id == {cid};
  14. I want to know who did what… DELETE /customers/{id} //

    log: cookie.userId requesting authz to delete customer const user = await db.users.get(cookie.userId); const customer = await db.customers.get(req.path.id); if (user.department === "IT" && customer.unsubscribed)) { // log: cookie.userId authorized to delete customer // delete customer // return 204 } else { // log: cookie.userId unauthorized to delete customer // return 403 } select department from users where id == {uid}; select unsubscribed from customers where id == {cid};
  15. I want it to be reliable and fast… DELETE /customers/{id}

    // log: cookie.userId requesting authz to delete customer const user = await db.users.get(cookie.userId); const customer = await db.customers.get(req.path.id); if (user.department === "IT" && customer.unsubscribed)) { // log: cookie.userId authorized to delete customer // delete customer // return 204 } else { // log: cookie.userId unauthorized to delete customer // return 403 } select department from users where id == {uid}; select unsubscribed from customers where id == {cid};
  16. Mental Picture public enum Decision { Allow, Deny, … }

    public Decision {policy_name} (subject, permission, object, context) { // rules… }
  17. Example Architecture 3. get user and customer data 2. can

    user delete customer? 1. can user delete customer? Manage Policies PAP Policy Decision Point Policy Information Point 6. delete customer 5. user is authorized Policy Repository Customer Service 4. evaluate policy
  18. Advantages • Easier to understand what authorization logic applies •

    Authorization change management is simpler than having it in code • Auditing is implemented outside of business logic
  19. Disadvantages • Requires operating more components • Does not handle

    storage of authz data • 👉 latency + reliability + scale • 👉 collaboration scenarios •
  20. Architecture Sandcastle in "PDP Mode" 2. check(user, delete, customer) 1.

    can user delete customer? Customer Service PDP Sandcastle 4. delete customer 3. user is authorized nginx
  21. Advantages • Auditing is part of "aaS" • Authorization change

    management is simpler than having it in code • Easier to understand what authorization logic applies • Multi-region and operated by someone else
  22. Architecture Sandcastle in "PIP Mode" 4. check(user, delete, customer) 2.

    can user delete customer? 1. can user delete customer? Manage Policies Distribute Policies PAP PDP PIP Sandcastle 6. delete customer 5. user is authorized Policy Repository 3. evaluate policy
  23. AuthZ APIs Resources • Google Zanzibar: https://research.google/pubs/pub48190/ • Zanzibar Academy:

    https://zanzibar.academy • Himeji (Zanzibar @ Airbnb): https://medium.com/airbnb-engineering/himeji-a-scalable- centralized-system-for-authorization-at-airbnb-341664924574 • AuthZ (Zanzibar @ Carta): https://medium.com/building-carta/authz-cartas-highly- scalable-permissions-system-782a7f2c840f • Facebook TAO: https://www.usenix.org/system/ fi les/conference/atc13/atc13-bronson.pdf • Authzed: https://authzed.com/ • Ory Keto: https://www.ory.sh/keto/docs/
  24. @auth0lab Resources • Sandcastle playground: https://learn.sandcastle.cloud/ • Auth0 Lab discord:

    https://t.co/ybHn8hEOBl?amp=1 • Authorization in Software Podcast: https:// authorizationinsoftware.auth0.com/ • @auth0lab: https://twitter.com/auth0lab
  25. Policy Resources • OPA: https://www.openpolicyagent.org/ • Styra: https://www.styra.com/ • OSOHQ:

    https://docs.osohq.com/ • XACML: http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.html • NIST ABAC: https://nvlpubs.nist.gov/nistpubs/specialpublications/NIST.sp.800-162.pdf • RBAC: https://csrc.nist.gov/CSRC/media/Publications/conference-paper/1992/10/13/ role-based-access-controls/documents/ferraiolo-kuhn-92.pdf