apidays LIVE London 2021 - Reaching Maximum Potential in Banking & Insurance with API Mindset
October 27 & 28, 2021
API Security
Authorization is on the rise. What if there was an API for it?
Damian Schenkelman, Principal Engineer at Auth0
5. New York
JULY
Australia
SEPTEMBER
Singapore
APRIL
Helsinki & North
MARCH
Paris
DECEMBER
London
OCTOBER
Jakarta
FEBRUARY
Hong Kong
AUGUST
JUNE
India
MAY
Check out our API Conferences here
50+ events since 2012, 14 countries, 2,000+ speakers, 50,000+ attendees,
300k+ online community
Want to talk at one of our conferences?
Apply to speak here
22. I want to use attributes from subject and object…
ABAC
DELETE /customers/{id}
const user = await db.users.get(cookie.userId);
const customer = await db.customers.get(req.path.id);
// subject attribute (department) and object attribute (subscribed) decide the outcome
if (user.department === "IT" && !customer.subscribed) {
  // delete customer
  // return 204
} else {
  // return 403
}
-- the two attribute lookups behind the check ({uid} and {cid} are placeholders)
select department from users
where id = {uid};
select subscribed from customers
where id = {cid};
28. I want to know who did what…
DELETE /customers/{id}
// log: cookie.userId requesting authz to delete customer
const user = await db.users.get(cookie.userId);
const customer = await db.customers.get(req.path.id);
if (user.department === "IT" && customer.unsubscribed) {
  // log: cookie.userId authorized to delete customer
  // delete customer
  // return 204
} else {
  // log: cookie.userId unauthorized to delete customer
  // return 403
}
-- the two attribute lookups behind the check ({uid} and {cid} are placeholders)
select department from users
where id = {uid};
select unsubscribed from customers
where id = {cid};
31. I want it to be reliable and fast…
41. Advantages
• Easier to understand what authorization logic applies
• Authorization change management is simpler than having it in code
• Auditing is implemented outside of business logic
53. Architecture
Sandcastle in "PDP Mode"
Components: nginx, Customer Service, Sandcastle acting as the PDP
Flow:
1. can user delete customer?
2. check(user, delete, customer)
3. user is authorized
4. delete customer
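Added example, not code from the talk or from Auth0: the DELETE /customers/{id} decision from the ABAC slide moved out of the handler into a check(subject, action, object) call that plays the PDP role of the "PDP Mode" architecture, with the "who did what" audit log kept inside that call. The in-memory db, the policy table and the function names are assumptions.

```javascript
// Constructed sample data standing in for the users and customers tables.
const db = {
  users: { u1: { id: "u1", department: "IT" }, u2: { id: "u2", department: "Sales" } },
  customers: { c1: { id: "c1", subscribed: false }, c2: { id: "c2", subscribed: true } },
};

// Policies are data, not handler code: one rule per "action:objectType",
// evaluated over subject and object attributes (ABAC). Assumed format.
const policies = {
  "delete:customer": (subject, object) =>
    subject.department === "IT" && !object.subscribed,
};

const auditLog = []; // every decision, allowed or denied, is recorded here

// The PDP: answers "can subject do action on object?" and records who did what.
function check(subject, action, object) {
  const key = `${action}:${object.type}`;
  auditLog.push({ subject: subject.id, action, object: object.id, event: "requested" });
  const rule = policies[key];
  const allowed = rule ? rule(subject, object) === true : false; // no rule: deny
  auditLog.push({
    subject: subject.id, action, object: object.id,
    event: allowed ? "authorized" : "unauthorized",
  });
  return allowed;
}

// The handler carries no authorization logic of its own; it asks the PDP.
// req is a minimal stand-in for the framework request object.
function deleteCustomer(req) {
  const user = db.users[req.cookie.userId];
  const customer = db.customers[req.path.id];
  if (!user || !customer) return { status: 404 };
  const object = { ...customer, type: "customer" };
  if (!check(user, "delete", object)) return { status: 403 };
  delete db.customers[customer.id];
  return { status: 204 };
}
```

Changing who may delete a customer now means editing the policies table, and the audit trail is produced in one place regardless of how many handlers call check().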
55. Advantages
• Auditing is part of "aaS"
• Authorization change management is simpler than having it in code
• Easier to understand what authorization logic applies
• Multi-region and operated by someone else
58. Architecture
Sandcastle in "PIP Mode"
Components: PAP (Manage Policies), Policy Repository (Distribute Policies), PDP, PIP, Sandcastle
Flow:
1. can user delete customer?
2. can user delete customer?
3. evaluate policy
4. check(user, delete, customer)
5. user is authorized
6. delete customer