© Axiomatics 2019 - All Rights Reserved
Easy Authorization with REST, JSON, and ALFA
Updates from the OASIS XACML Technical Committee
September 10th, University of Oxford
David Brossard, OASIS XACML TC Member, IDPro Founding Member, @davidjbrossard
What is XACML?
⁃ Founded in 2001 – https://www.oasis-open.org/committees/xacml/
⁃ eXtensible Access Control Markup Language
⁃ Members include
  ⁃ Oracle, US Government, Axiomatics, IBM, Thales and others
⁃ Statement of purpose (from the first email on the ML)
  ⁃ To define a core schema and corresponding namespace for the expression of authorization policies in XML against objects that are themselves identified in XML.
  ⁃ The schema will be capable of representing the functionality of most policy representation mechanisms available at the time of adoption.
  ⁃ It is also intended that the schema be extensible in order to address that functionality not included, custom application requirements, or features not yet envisioned.
The challenge?
⁃ You’ve been tasked with developing a new application
  ⁃ Micro-service, API, SPA... You name it
⁃ There are many non-functional requirements
  ⁃ Authentication
  ⁃ Logging
  ⁃ Authorization
⁃ Authorization ties together business logic and security
⁃ How can you achieve scalable, future-proof authorization?
  ⁃ Something you don’t have to rewrite all the time?
You could…
⁃ Think really hard and design your own model
⁃ Use RBAC
⁃ Hard-code the authorization logic within your app
Or you could…
⁃ Decouple your app code from your authorization logic
⁃ Focus on your app
  ⁃ Make it spiffy!
⁃ Implement your authorization requirements as policies & attributes
⁃ Integrate your app(s) with an externalized authorization service
Aloha XACML
XACML is the de-facto standard for ABAC
⁃ Attribute-Based Access Control
⁃ Also known as Policy-Based Access Control
⁃ Context-aware, dynamic, externalized
Who? What? When? Where? Why? How?
XACML with respect to other standards
⁃ XACML is not
  ⁃ SAML
    ⁃ Identity federation
  ⁃ OAuth
    ⁃ Access delegation
  ⁃ OpenID
    ⁃ This handles authentication
  ⁃ UMA
    ⁃ User-managed access & consent management
⁃ XACML can collaborate with any of these standards to deliver better authorization
What does XACML define?
XACML consists of three parts:
⁃ Reference Architecture
⁃ Policy Language
⁃ Request / Response Scheme
The XACML Reference Architecture
⁃ Enforce
⁃ Decide
⁃ Manage
The XACML Reference Architecture Flow
1. View record #123 (Alice attempts the action in the application)
2. Can Alice view record #123? (the application asks the PDP)
3. Evaluate policies
4. Retrieve additional attributes
5. Permit, Alice can view record #123
6. View record #123 (the application lets the action proceed)
XACML Uses Attributes
⁃ Key-value pairs
  ⁃ Key: Department
  ⁃ Value: Engineering
⁃ Multi-valued
⁃ Grouped into different categories
⁃ Different data types
⁃ Unique identifier
  ⁃ Name and namespace
Did someone say XML?
Don’t get me wrong, I <love>XML</love>
ALFA (Abbreviated Language For Authorization)
JSON (JavaScript Object Notation)
REST (we all know what that means)
Bringing XACML to Developers
REST
⁃ A standard means to POST authorization requests to the PDP
⁃ Faster (than SOAP)
⁃ Easier to integrate with
JSON
⁃ Lightweight representation of a XACML request & response
⁃ 80% smaller than XML
⁃ Easier to integrate with
ALFA
⁃ Abbreviated Language For Authorization
⁃ Developer-friendly
⁃ Easier to read and write (than XML)
The REST Profile of XACML
⁃ Provide an easy means to send an authorization request
  ⁃ Just POST an authorization request
⁃ Provide a standard transport protocol in XACML
  ⁃ Current implementations use proprietary bindings, e.g. SOAP
  ⁃ SOAP itself has lost popularity
⁃ Integrate with more environments, languages, and SaaS
POSTing a Request in Javascript
  var xmlHttp = null;
  function authorize() {
      // Read the JSON/XACML request from the page and create an HTTP request to the PDP
      var xacmlRequest = document.getElementById("xacmlrequest").value;
      var Url = "https://localhost:5443/axio/authorize";
      xmlHttp = new XMLHttpRequest();
      // ProcessRequest is the callback that handles the PDP's response (not shown on the slide)
      xmlHttp.onreadystatechange = ProcessRequest;
      // Choose to authenticate the call and use POST
      xmlHttp.withCredentials = true;
      xmlHttp.open("POST", Url, false);
      // Set the content type and the username/password
      xmlHttp.setRequestHeader("Accept", "application/xacml+json");
      xmlHttp.setRequestHeader("Content-Type", "application/xacml+json");
      xmlHttp.setRequestHeader("Authorization", "Basic cGVwOnBhc3N3b3Jk");
      xmlHttp.send(xacmlRequest);
  }
The JSON Profile of XACML – Building a JSON request in Javascript
⁃ Create a new Request object
⁃ Create a new AccessSubject attribute category
⁃ Add an attribute and its value

  // One attribute: an identifier and its value
  function createAttribute(identifier, value) {
      var attr = new Object();
      attr.AttributeId = identifier;
      attr.Value = value;
      return attr;
  }
  function generateXACMLRequest() {
      // 1. Create empty request with an AccessSubject category
      var jsonRequest = new Object();
      jsonRequest.Request = new Object();
      jsonRequest.Request.AccessSubject = new Object();
      jsonRequest.Request.AccessSubject.Attribute = [];
      // 2. Add attributes
      jsonRequest.Request.AccessSubject.Attribute.push(createAttribute("com.acme.user.employeeId", "Alice"));
      // 3. Return request
      return jsonRequest;
  }
Sample JSON/XACML Request & Response
  {
      "Request": {
          "ReturnPolicyIdList": true,
          "AccessSubject": {
              "Attribute": [
                  {
                      "AttributeId": "axiomatics.demo.user.userId",
                      "Value": "Alice"
                  }
              ]
          },
          "Resource": {
              "Attribute": [
                  {
                      "AttributeId": "axiomatics.demo.record.recordId",
                      "Value": "123"
                  },
                  {
                      "AttributeId": "axiomatics.demo.resourceType",
                      "Value": "record"
                  }
              ]
          },
          "Action": {
              "Attribute": [
                  {
                      "AttributeId": "axiomatics.demo.actionId",
                      "Value": "view"
                  }
              ]
          }
      }
  }
  {
      "Response": [{
          "Decision": "Deny"
      }]
  }
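As an added example (not code from the slides or from Axiomatics), the request-building and response-handling of the two slides above carried through in JavaScript: a generic builder for the three attribute categories in the sample request, the JSON body that the REST profile POSTs with Content-Type application/xacml+json, and a deny-by-default reading of the PDP's response. The decision values Permit, Deny, NotApplicable and Indeterminate are XACML's own; `buildRequest`, `isPermitted`, `postToPdp` and the sample responses are assumptions constructed for this example.

```javascript
// Added example, not from the slides: build the JSON-profile request for
// "Alice views record #123", serialize it for the REST profile, and turn the
// PDP's JSON response into an allow/deny decision that fails closed.

// One attribute as the JSON profile writes it: { AttributeId, Value }.
function createAttribute(identifier, value) {
  return { AttributeId: identifier, Value: value };
}

// Build a Request with the three categories used in the deck's sample.
// Each argument maps attribute identifiers to values.
function buildRequest({ subject = {}, resource = {}, action = {}, returnPolicyIdList = false }) {
  const category = (attrs) => ({
    Attribute: Object.entries(attrs).map(([id, value]) => createAttribute(id, value)),
  });
  return {
    Request: {
      ReturnPolicyIdList: returnPolicyIdList,
      AccessSubject: category(subject),
      Resource: category(resource),
      Action: category(action),
    },
  };
}

// XACML decisions are Permit, Deny, NotApplicable and Indeterminate. Only an
// explicit Permit grants access; anything else (including an unknown value,
// an empty result list or an unparsable body) counts as "not permitted".
function isPermitted(responseBody) {
  let parsed;
  try {
    parsed = typeof responseBody === "string" ? JSON.parse(responseBody) : responseBody;
  } catch (err) {
    return false; // unparsable body: fail closed
  }
  const results = parsed && Array.isArray(parsed.Response) ? parsed.Response : [];
  if (results.length === 0) return false;
  // A response may carry one result per decision request; require every one to be Permit.
  return results.every((result) => result && result.Decision === "Permit");
}

// Transport, as on the "POSTing a Request" slide but with fetch. Not invoked here
// (no PDP is reachable offline); authHeader is a ready-made Authorization value.
async function postToPdp(pdpUrl, request, authHeader) {
  const res = await fetch(pdpUrl, {
    method: "POST",
    headers: {
      Accept: "application/xacml+json",
      "Content-Type": "application/xacml+json",
      Authorization: authHeader,
    },
    body: JSON.stringify(request),
  });
  if (!res.ok) return false; // transport or auth failure: fail closed
  return isPermitted(await res.text());
}

// Constructed sample: the deck's Alice / record 123 / view request.
const aliceViewsRecord123 = buildRequest({
  subject: { "axiomatics.demo.user.userId": "Alice" },
  resource: {
    "axiomatics.demo.record.recordId": "123",
    "axiomatics.demo.resourceType": "record",
  },
  action: { "axiomatics.demo.actionId": "view" },
  returnPolicyIdList: true,
});
const wireBody = JSON.stringify(aliceViewsRecord123); // what the POST body carries

// Constructed PDP responses in the JSON profile's shape.
const denyResponse = '{"Response":[{"Decision":"Deny"}]}';
const permitResponse = '{"Response":[{"Decision":"Permit"}]}';

console.log(wireBody);
console.log(isPermitted(denyResponse));   // false
console.log(isPermitted(permitResponse)); // true
```

The point of `isPermitted` is the default: a PEP that only checks for the string "Deny" would let NotApplicable, Indeterminate or a broken response through, so the check asks for an explicit Permit and treats everything else, including HTTP-level failures in `postToPdp`, as a refusal.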
The ALFA Profile of XACML
⁃ Simplified C#-like language
  ⁃ Easy on the developer
⁃ Uses namespaces to organize policies
  ⁃ Easy to scale up to hundreds of policies
⁃ Easy to add comments
⁃ All the main keywords of XACML are in ALFA
  ⁃ PolicySet, Policy, Rule, Combining Algorithms
  ⁃ Target, Condition
  ⁃ Obligation, Advice
⁃ More on Wikipedia and StackOverflow
An example ALFA policy
  /* Medical Record policies */
  policyset medicalRecords {
      target clause objectType=="medical record"
      apply firstApplicable
      /* Physician access */
      policy physiciansAccessMedicalRecords {
          target clause user.role=="physician"
          apply denyUnlessPermit
          /* A primary physician can read a patient's medical record */
          rule readMedicalRecord {
              target clause action=="read"
              condition primaryPhysician==requestorId
              permit
          }
      }
  }

Same structural elements as XACML:
• PolicySet
• Policy
• Rule

Combining algorithms help resolve conflicts between policies and rules. Choose from:
• firstApplicable
• denyOverrides
• permitOverrides
• denyUnlessPermit
• …

Use targets to define the scope of the policy set / policy / rule.

Use conditions for advanced matching and relationship checks.

Lastly, we have the effect. Choose from:
• Permit
• Deny
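To show how the three levels of this policy and their combining algorithms interact, here is an added example in JavaScript; it is not ALFA, not an XACML engine and not code from the slides. It encodes the policy above as data, evaluates it against attribute maps, and, like step 4 of the reference architecture flow, fetches primaryPhysician from a constructed record table when the request does not carry it. The attribute names are the ones in the ALFA sample; `RECORDS`, `lookupAttribute`, `decide` and the physician identifiers are constructed for the example, and a missing attribute is treated as a non-match rather than XACML's Indeterminate.

```javascript
// Added example, not from the slides: a minimal evaluator for the
// medicalRecords policy set, to show targets, conditions and combining
// algorithms at work. Not an XACML/ALFA engine; decisions are simplified
// to Permit / Deny / NotApplicable (no Indeterminate).

const PERMIT = "Permit";
const DENY = "Deny";
const NA = "NotApplicable";

// Constructed attribute source (flow step 4, "retrieve additional attributes"):
// which physician is primary for each record.
const RECORDS = {
  "123": { primaryPhysician: "drAlice" },
  "456": { primaryPhysician: "drBob" },
};

// Resolve an attribute from the request first, then from RECORDS.
// Returns undefined when neither has it.
function lookupAttribute(name, attrs) {
  if (name in attrs) return attrs[name];
  if (name === "primaryPhysician" && attrs.recordId in RECORDS) {
    return RECORDS[attrs.recordId].primaryPhysician;
  }
  return undefined;
}

// Combining algorithms from the deck's list, applied to child decisions in order.
const combining = {
  firstApplicable: (ds) => ds.find((d) => d !== NA) || NA,
  denyUnlessPermit: (ds) => (ds.includes(PERMIT) ? PERMIT : DENY),
  denyOverrides: (ds) => (ds.includes(DENY) ? DENY : ds.includes(PERMIT) ? PERMIT : NA),
  permitOverrides: (ds) => (ds.includes(PERMIT) ? PERMIT : ds.includes(DENY) ? DENY : NA),
};

// Evaluate a policy set, policy or rule:
//   - target false        -> NotApplicable (out of scope)
//   - rule in scope       -> its effect if the condition holds, else NotApplicable
//   - policy set / policy -> combine the children's decisions with its algorithm
function evaluate(node, attrs) {
  if (!node.target(attrs)) return NA;
  if (node.effect) return node.condition(attrs) ? node.effect : NA;
  return combining[node.apply](node.children.map((child) => evaluate(child, attrs)));
}

// The slide's ALFA policy expressed as data.
const medicalRecords = {
  // policyset medicalRecords: target objectType=="medical record", apply firstApplicable
  target: (a) => lookupAttribute("objectType", a) === "medical record",
  apply: "firstApplicable",
  children: [
    {
      // policy physiciansAccessMedicalRecords: target user.role=="physician", apply denyUnlessPermit
      target: (a) => lookupAttribute("user.role", a) === "physician",
      apply: "denyUnlessPermit",
      children: [
        {
          // rule readMedicalRecord: target action=="read", condition primaryPhysician==requestorId, permit
          target: (a) => lookupAttribute("action", a) === "read",
          condition: (a) => {
            const primary = lookupAttribute("primaryPhysician", a);
            // missing attribute: treated as no match (a real PDP would report Indeterminate)
            return primary !== undefined && primary === lookupAttribute("requestorId", a);
          },
          effect: PERMIT,
        },
      ],
    },
  ],
};

function decide(attrs) {
  return evaluate(medicalRecords, attrs);
}

// Constructed requests
const base = { objectType: "medical record", action: "read", recordId: "123" };
console.log(decide({ ...base, "user.role": "physician", requestorId: "drAlice" })); // Permit
console.log(decide({ ...base, "user.role": "physician", requestorId: "drBob" }));   // Deny
console.log(decide({ ...base, "user.role": "nurse", requestorId: "drAlice" }));     // NotApplicable
```

The second request is the one worth studying: the rule says nothing about drBob (NotApplicable), but the enclosing policy's denyUnlessPermit turns that silence into a Deny. The nurse never enters the physician policy at all, so the policy set reports NotApplicable, which the calling application should still treat as "not permitted".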
Live Demo

 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Visualising and forecasting stocks using Dash
Visualising and forecasting stocks using DashVisualising and forecasting stocks using Dash
Visualising and forecasting stocks using Dashnarutouzumaki53779
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 

Recently uploaded (20)

Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Visualising and forecasting stocks using Dash
Visualising and forecasting stocks using DashVisualising and forecasting stocks using Dash
Visualising and forecasting stocks using Dash
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 

Easy Authorization with ALFA, JSON, and REST

© Axiomatics 2019 - All Rights Reserved 1
Easy Authorization with REST, JSON, and ALFA
Updates from the OASIS XACML Technical Committee
September 10th, University of Oxford
David Brossard, OASIS XACML TC Member, IDPro Founding Member, @davidjbrossard

© Axiomatics 2019 - All Rights Reserved 2
What is XACML?
⁃ Founded in 2001 – https://www.oasis-open.org/committees/xacml/
⁃ eXtensible Access Control Markup Language
⁃ Members include
⁃ Oracle, US Government, Axiomatics, IBM, Thales and others
⁃ Statement of purpose (from the first email on the ML)
⁃ To define a core schema and corresponding namespace for the expression of authorization policies in XML against objects that are themselves identified in XML.
⁃ The schema will be capable of representing the functionality of most policy representation mechanisms available at the time of adoption.
⁃ It is also intended that the schema be extensible in order to address that functionality not included, custom application requirements, or features not yet envisioned.

© Axiomatics 2019 - All Rights Reserved 3
The challenge?
⁃ You’ve been tasked with developing a new application
⁃ Micro-service, API, SPA... You name it
⁃ There are many non-functional requirements
⁃ Authentication
⁃ Logging
⁃ Authorization
⁃ Authorization ties together business logic and security
⁃ How can you achieve scalable, future-proof authorization?
⁃ Something you don’t have to rewrite all the time?

© Axiomatics 2019 - All Rights Reserved 4
You could…
⁃ Think really hard and design your own model
⁃ Use RBAC
⁃ Hard-code the authorization logic within your app

© Axiomatics 2019 - All Rights Reserved 5

© Axiomatics 2019 - All Rights Reserved 6
Or you could…
⁃ Decouple your app code from your authorization logic
⁃ Focus on your app
⁃ Make it spiffy!
⁃ Implement your authorization requirements as
⁃ policies & attributes
⁃ Integrate your app(s) with an externalized authorization service
Aloha XACML
© Axiomatics 2019 - All Rights Reserved 7
XACML is the de-facto standard for ABAC
⁃ Attribute-Based Access Control
⁃ Also known as Policy-Based Access Control
⁃ Context-aware, dynamic, externalized
Who? What? When? Where? Why? How?

© Axiomatics 2019 - All Rights Reserved 8
XACML with respect to other standards
⁃ XACML is not
⁃ SAML
⁃ Identity federation
⁃ OAuth
⁃ Access delegation
⁃ OpenID
⁃ This handles authentication
⁃ UMA
⁃ User-managed access & consent management
⁃ XACML can collaborate with any of these standards to deliver better authorization

© Axiomatics 2019 - All Rights Reserved 9
What does XACML define?
⁃ XACML Reference Architecture
⁃ Policy Language
⁃ Request / Response Scheme
© Axiomatics 2019 - All Rights Reserved 10
The XACML Reference Architecture
Enforce / Decide / Manage

© Axiomatics 2019 - All Rights Reserved 11
The XACML Reference Architecture Flow
1. View record #123
2. Can Alice view record #123?
3. Evaluate policies
4. Retrieve additional attributes
5. Permit, Alice can view record #123
6. View record #123
© Axiomatics 2019 - All Rights Reserved 12
XACML Uses Attributes
⁃ Key-value pairs
⁃ Key: Department
⁃ Value: Engineering
⁃ Multi-valued
⁃ Grouped into different categories
⁃ Different data types
⁃ Unique identifier
⁃ Name and namespace

© Axiomatics 2019 - All Rights Reserved 13
Did someone say XML?

© Axiomatics 2019 - All Rights Reserved 14
Don’t get me wrong, I <love>XML</love>

© Axiomatics 2019 - All Rights Reserved 15
ALFA (Abbreviated Language For Authorization)
JSON (JavaScript Object Notation)
REST (we all know what that means)
© Axiomatics 2019 - All Rights Reserved 16
Bringing XACML to Developers
REST
⁃ A standard means to POST authorization requests to the PDP
⁃ Faster (than SOAP)
⁃ Easier to integrate with
JSON
⁃ Lightweight representation of a XACML request & response
⁃ 80% smaller than XML
⁃ Easier to integrate with
ALFA
⁃ Abbreviated Language For Authorization
⁃ Developer-friendly
⁃ Easier to read and write (than XML)

© Axiomatics 2019 - All Rights Reserved 17
The REST Profile of XACML
⁃ Provide an easy means to send an authorization request
⁃ Just POST an authorization request
⁃ Provide a standard transport protocol in XACML
⁃ Current implementations use proprietary bindings, e.g. SOAP
⁃ SOAP in itself has lost popularity
⁃ Integrate with more environments, languages, and SaaS
© Axiomatics 2019 - All Rights Reserved 18
POSTing a Request in Javascript

    var xmlHttp = null;

    function authorize() {
        var xacmlRequest = document.getElementById("xacmlrequest").value;
        var Url = "https://localhost:5443/axio/authorize";
        // Create an HTTP request to the PDP
        xmlHttp = new XMLHttpRequest();
        xmlHttp.onreadystatechange = ProcessRequest;
        // Choose to authenticate the call and use POST
        // (the third argument, false, makes the call synchronous)
        xmlHttp.withCredentials = true;
        xmlHttp.open("POST", Url, false);
        // Set the content type and the username/password
        xmlHttp.setRequestHeader("Accept", "application/xacml+json");
        xmlHttp.setRequestHeader("Content-Type", "application/xacml+json");
        xmlHttp.setRequestHeader("Authorization", "Basic cGVwOnBhc3N3b3Jk");
        xmlHttp.send(xacmlRequest);
    }

    // Callback referenced above but not shown on the slide: handle the
    // PDP's JSON response once the request has completed
    function ProcessRequest() {
        if (xmlHttp.readyState === 4 && xmlHttp.status === 200) {
            var xacmlResponse = JSON.parse(xmlHttp.responseText);
            console.log(xacmlResponse.Response[0].Decision);
        }
    }

© Axiomatics 2019 - All Rights Reserved 19
The JSON Profile of XACML – Building a JSON request in Javascript

    // Add an attribute and its value
    function createAttribute(identifier, value) {
        var attr = new Object();
        attr.AttributeId = identifier;
        attr.Value = value;
        return attr;
    }

    function generateXACMLRequest() {
        // 1. Create an empty request: a new Request object holding a new
        //    AccessSubject attribute category
        var jsonRequest = new Object();
        jsonRequest.Request = new Object();
        jsonRequest.Request.AccessSubject = new Object();
        jsonRequest.Request.AccessSubject.Attribute = [];
        // 2. Add attributes
        jsonRequest.Request.AccessSubject.Attribute.push(
            createAttribute("com.acme.user.employeeId", "Alice"));
        // 3. Return request
        return jsonRequest;
    }
© Axiomatics 2019 - All Rights Reserved 20
Sample JSON/XACML Request & Response

Request:

    {
      "Request": {
        "ReturnPolicyIdList": true,
        "AccessSubject": {
          "Attribute": [
            { "AttributeId": "axiomatics.demo.user.userId", "Value": "Alice" }
          ]
        },
        "Resource": {
          "Attribute": [
            { "AttributeId": "axiomatics.demo.record.recordId", "Value": "123" },
            { "AttributeId": "axiomatics.demo.resourceType", "Value": "record" }
          ]
        },
        "Action": {
          "Attribute": [
            { "AttributeId": "axiomatics.demo.actionId", "Value": "view" }
          ]
        }
      }
    }

Response:

    { "Response": [ { "Decision": "Deny" } ] }

© Axiomatics 2019 - All Rights Reserved 21
The ALFA Profile of XACML
⁃ Simplified C#-like language
⁃ Easy on the developer
⁃ Uses namespaces to organize policies
⁃ Easy to scale up to hundreds of policies
⁃ Easy to add comments
⁃ All the main keywords of XACML are in ALFA
⁃ PolicySet, Policy, Rule, Combining Algorithms
⁃ Target, Condition
⁃ Obligation, Advice
⁃ More on Wikipedia and StackOverflow
© Axiomatics 2019 - All Rights Reserved 22
An example ALFA policy

    /* Medical Record policies */
    policyset medicalRecords {
        target clause objectType == "medical record"
        apply firstApplicable

        /* Physician access */
        policy physiciansAccessMedicalRecords {
            target clause user.role == "physician"
            apply denyUnlessPermit

            /* A primary physician can read a patient's medical record */
            rule readMedicalRecord {
                target clause action == "read"
                condition primaryPhysician == requestorId
                permit
            }
        }
    }

Same structural elements as XACML:
• PolicySet
• Policy
• Rule
© Axiomatics 2019 - All Rights Reserved 23
An example ALFA policy (the same medicalRecords policy as on slide 22)
Combining algorithms help resolve conflicts between policies and rules. Choose from:
• firstApplicable
• denyOverrides
• permitOverrides
• denyUnlessPermit
• …

© Axiomatics 2019 - All Rights Reserved 24
An example ALFA policy (the same medicalRecords policy as on slide 22)
Use targets to define the scope of the policy set / policy / rule

© Axiomatics 2019 - All Rights Reserved 25
An example ALFA policy (the same medicalRecords policy as on slide 22)
Use conditions for advanced matching and relationship checks

© Axiomatics 2019 - All Rights Reserved 26
An example ALFA policy (the same medicalRecords policy as on slide 22)
Lastly, we have the effect. Choose from:
• Permit
• Deny
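To show how the JSON-profile request of slide 20 and the ALFA policy of slides 22 to 26 meet inside a PDP, here is an added example (not code from the slides or from any XACML product): a miniature decision engine that evaluates the medicalRecords policy set, with its targets, condition, combining algorithms and effect, against a JSON/XACML request and returns a JSON/XACML response. The attribute categories, the policy object model and all helper names are assumptions of this example.

```javascript
// Added example, not code from the slides or from any XACML product: a
// miniature PDP that evaluates the slides' ALFA "medicalRecords" policy set
// against a JSON-profile XACML request and returns a JSON-profile response.
// The attribute categories, the policy object model and the helper names
// are this example's own assumptions.

// Look up one attribute value in a JSON/XACML request. Each category
// (AccessSubject, Resource, Action, ...) holds an Attribute array of
// {AttributeId, Value}; a missing category or attribute yields undefined.
function getAttribute(request, category, attributeId) {
  const cat = request.Request[category];
  if (!cat || !Array.isArray(cat.Attribute)) return undefined;
  const attr = cat.Attribute.find((a) => a.AttributeId === attributeId);
  return attr ? attr.Value : undefined;
}

// Combining algorithms, named as on the ALFA slides. Each reduces the ordered
// child decisions ("Permit" | "Deny" | "NotApplicable") to one decision.
const combiningAlgorithms = {
  firstApplicable: (ds) => ds.find((d) => d !== "NotApplicable") || "NotApplicable",
  denyUnlessPermit: (ds) => (ds.includes("Permit") ? "Permit" : "Deny"),
  denyOverrides: (ds) =>
    ds.includes("Deny") ? "Deny" : ds.includes("Permit") ? "Permit" : "NotApplicable",
  permitOverrides: (ds) =>
    ds.includes("Permit") ? "Permit" : ds.includes("Deny") ? "Deny" : "NotApplicable",
};

// A rule applies only when its target and (optional) condition both hold;
// otherwise it is NotApplicable, as in XACML.
function evaluateRule(rule, req) {
  if (!rule.target(req)) return "NotApplicable";
  if (rule.condition && !rule.condition(req)) return "NotApplicable";
  return rule.effect;
}

// Policy sets and policies: check the target, evaluate the children, then
// let the combining algorithm named by `apply` resolve the child decisions.
function evaluatePolicy(node, req) {
  if (node.effect) return evaluateRule(node, req); // leaf rule
  if (!node.target(req)) return "NotApplicable";
  const decisions = node.children.map((child) => evaluatePolicy(child, req));
  return combiningAlgorithms[node.apply](decisions);
}

// The slides' ALFA policy transcribed into this object model. Which category
// each attribute lives in is an assumption of this example.
const medicalRecords = {
  target: (req) => getAttribute(req, "Resource", "objectType") === "medical record",
  apply: "firstApplicable",
  children: [
    {
      target: (req) => getAttribute(req, "AccessSubject", "user.role") === "physician",
      apply: "denyUnlessPermit",
      children: [
        {
          target: (req) => getAttribute(req, "Action", "action") === "read",
          // Guard against both attributes being absent: undefined === undefined
          // would otherwise satisfy the relationship check and grant access.
          condition: (req) => {
            const primary = getAttribute(req, "Resource", "primaryPhysician");
            const requestor = getAttribute(req, "AccessSubject", "requestorId");
            return primary !== undefined && primary === requestor;
          },
          effect: "Permit",
        },
      ],
    },
  ],
};

// PDP entry point: JSON-profile request in, JSON-profile response out.
function authorize(request, policy = medicalRecords) {
  return { Response: [{ Decision: evaluatePolicy(policy, request) }] };
}

// Build a constructed sample request in the same layout as the slides' JSON request.
function sampleRequest({ role, requestorId, primaryPhysician, action }) {
  return {
    Request: {
      AccessSubject: { Attribute: [
        { AttributeId: "user.role", Value: role },
        { AttributeId: "requestorId", Value: requestorId },
      ] },
      Resource: { Attribute: [
        { AttributeId: "objectType", Value: "medical record" },
        { AttributeId: "primaryPhysician", Value: primaryPhysician },
      ] },
      Action: { Attribute: [{ AttributeId: "action", Value: action }] },
    },
  };
}

// Alice is the primary physician of the record she reads -> Permit.
console.log(JSON.stringify(authorize(sampleRequest({
  role: "physician", requestorId: "Alice", primaryPhysician: "Alice", action: "read",
}))));
```

Note how denyUnlessPermit turns a physician who is not the primary physician (rule NotApplicable) into an explicit Deny, while a non-physician falls outside the policy's target and yields NotApplicable from the policy set.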
© Axiomatics 2019 - All Rights Reserved 27
Live Demo

Editor's Notes

  1. With the growth of users, apps, and data, as well as the advent of cloud and DevOps, we see a sharp increase in the need to tackle contextual, fine-grained authorization. To address this, the members of the OASIS XACML Technical Committee have been working on the latest generation of their policy-based language to adapt it to developers. When developers can implement policies without having to compile source code, the application is policy-enabled. Policy-driven authorization has several benefits, including lessening the burden on developers, who will no longer have to write authorization code. Policies are also easier to maintain and audit and can tie straight into an enterprise’s existing IAM environment. Policy-driven authorization makes it easier to implement complex scenarios such as GDPR compliance, export control, and many more use cases. This talk will navigate the universe of policy-driven authorization to introduce attendees to the different alternatives before diving into a live example using ALFA (the Abbreviated Language for Authorization), Java, and JSON. Attendees are encouraged to bring a laptop, follow along, and implement their own examples.
  2. A new OASIS technical committee is being formed. The eXtensible Access Control Markup Language (XACML) Committee has been proposed by Simon Blackwell, PSoom; Ken Yagen, CrossLogix; Gilbert Pilz, Jamcracker; Michiharu Kudoh, IBM; Krishna Sankar, Cisco; Ernesto Damiani, individual member; Bill Parducci, individual member; Frank Chum, PSoom; Joe Pato, HP; Fred Moses, EntitleNet; and Meg Kistin Anzalone, EntitleNet. The request for a new TC meets the requirements of the OASIS TC process, and is appended to this email.

     To become a member of this new TC you must 1) be an employee of an OASIS member organization or an Individual member of OASIS, 2) notify the committee chair, Simon Blackwell (sblackwell@psoom.com), of your intent to participate at least 15 days prior to the first meeting, and 3) participate in the first meeting on 21 May, 2001. You should also subscribe to the TC's discussion list. (For the procedure for joining after the first meeting see the TC process at http://www.oasis-open.org/committees/process.shtml.)

     The mail list xacml@lists.oasis-open.org is for committee discussions. TC members as well as any other interested OASIS members should subscribe to the list. Do this by sending a message to xacml-request@lists.oasis-open.org with the word "subscribe" as the body of the message. (Note that subscribing to the mail list does not make you a member of the TC; to become a member you must contact the TC chair as described in the preceding paragraph.)

     </karl>
     =================================================================
     Karl F. Best
     OASIS - Director, Technical Operations
     978.667.5115 x206
     karl.best@oasis-open.org
     http://www.oasis-open.org

     Name of TC: eXtensible Access Control Markup Language - XACML

     Statement of purpose: The purpose of the XACML TC is to define a core schema and corresponding namespace for the expression of authorization policies in XML against objects that are themselves identified in XML. The schema will be capable of representing the functionality of most policy representation mechanisms available at the time of adoption. It is also intended that the schema be extensible in order to address that functionality not included, custom application requirements, or features not yet envisioned. Issues to be addressed include, but are not limited to: fine grained control, the nature of the requestor, the protocol over which the request is made, content introspection, the types of activities authorized.

     List of deliverables (timing is given as days from first meeting):
     - statement of scope (45 days),
     - glossary (v1.0 45 days),
     - bibliography (v1.0 45 days),
     - use cases (v1.0 90 days),
     - detailed requirements (v1.0 120 days)
     - proposed standard (v1.0 180 days)
     - model examples for "native" and non-native XML targets of control (v1.0 180 days)
     - reference implementations (v1.0 270 days)

     Related Work: To ensure work is not duplicated and standards adoption is as simple as possible, XACML shall adopt as baseline documents the work products of the Security Services TC including but not limited to a Domain Model and Glossary. Furthermore, Use Cases and Requirements documents will share content that is common through normative references. The XACML TC shall keep its work consistent with the work of the Security Services TC by requesting enhancements to, modifications of, and cross-references from Security Services TC documents through a formal liaison with the Security Services TC. This liaison will include the regular sharing of deliverables and status reports during teleconferences or at face-to-face meetings.

     Language in which the TC will conduct business: English

     Date, time and place of first meeting: Via teleconference at 8AM PST May 21st.

     Proposed meeting schedule for first year: Teleconference calls will be held by the full TC on the second Monday of each month at 8AM PST, except when a face-to-face meeting is scheduled during the same week. A tentative date for a face-to-face meeting is XML World Sep 30th-Oct 3rd, San Jose, CA.

     Names and e-mail addresses of members: Ken Yagen [kyagen@crosslogix.com], Gilbert Pilz [gpilz@jamcracker.com], Michiharu Kudoh [KUDO@jp.ibm.com], Krishna Sankar [ksankar@cisco.com], Ernesto Damiani [edamiani@crema.unimi.it], Bill Parducci [bill@parducci.net], Frank Chum [fchum@psoom.com], Joe Pato [joe_pato@hp.com], Fred Moses [fmoses@entitlenet.com], Meg Kistin Anzalone [meganzalone@entitlenet.com], Simon Blackwell [sblackwell@psoom.com]

     Name of chair: Simon Blackwell [sblackwell@psoom.com]

     Names of meeting sponsors: Simon Blackwell will sponsor the first teleconference and co-ordinate the first face-to-face.
  3. Here are some pointers to frame the conversation:
     #1 Light-weight/coarse-grained authorization. Social logon. How do OAuth and OIDC fit into Axiomatics model (or do they)? Are those competing or complementing technologies? Is Axiomatics playing into this space at all?
     #2 Microservices. Controlling access to APIs.
     #3 Subscription management. Consent Management.
     #4 Transparency to consumers while spanning Authorization services across multiple cloud providers.
     #5 We already know you have a big data solution. But please re-iterate. And tell us how your components (XACML-based or not) are interacting like a suite.
  6. Policy Enforcement Point: protect the targeted application.
     Policy Decision Point: evaluate incoming authorization requests against a set of policies.
     Policy Information Point: provide the PDP with missing attributes.
     Policy Administration Point: manage authorization policies.
  7. Before we can write a policy we need attributes