Download as PDF, PPTX
Uploaded byapidays
apidays LIVE London 2021 - Authorization is on the rise. by Damian Schenkelman, Auth0
The document discusses the increasing importance of authorization in software development and proposes the need for an API to manage it effectively. It outlines various approaches to authorization, including Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC), while also highlighting the advantages and disadvantages of each method. Additionally, it references several resources and tools related to authorization systems and mentions upcoming conferences related to the topic.
More Related Content
![[Kong summit 2019] Egress Gateway Pattern - Zhuojie Zhou](https://cdn.slidesharecdn.com/ss_thumbnails/kongsummitegressgatewaypattern-zhuojiezhou-191017214032-thumbnail.jpg?width=640&height=640&fit=bounds)
Similar to apidays LIVE London 2021 - Authorization is on the rise. by Damian Schenkelman, Auth0
apidays LIVE London 2021 - Authorization is on the rise. by Damian Schenkelman, Auth0
- 1. Authorization is onthe rise. What if there was an API for it? @dschenkelman
- 2. Building software in2021…
- 3.
- 4.
- 5. New York JULY Australia SEPTEMBER Singapore APRIL Helsinki &North MARCH Paris DECEMBER London OCTOBER Jakarta FEBRUARY Hong Kong AUGUST JUNE India MAY Check out our API Conferences here 50+ events since 2012, 14 countries, 2,000+ speakers, 50,000+ attendees, 300k+ online community Want to talk at one of our conferences? Apply to speak here
- 6.
- 7.
- 8.
- 9.
- 10.
- 11.
- 12.
- 13.
- 14.
- 15. OWASP TOP 1 https://owasp.org/Top10/ BrokenAccess Control
- 16.
- 17.
- 18.
- 19.
- 20.
- 21.
- 22. I want touse attributes from subject and object… ABAC DELETE /customers/{id} const user = await db.users.get(cookie.userId); const customer = await db.customers.get(req.path.id); if (user.department === "IT" && !customer.subscribed)) { // delete customer // return 204 } else { // return 403 } select department from users where id == {uid}; select subscribed from customers where id == {cid};
- 23. I want touse attributes from subject and object… ABAC DELETE /customers/{id} const user = await db.users.get(cookie.userId); const customer = await db.customers.get(req.path.id); if (user.department === "IT" && !customer.subscribed)) { // delete customer // return 204 } else { // return 403 } select department from users where id == {uid}; select subscribed from customers where id == {cid};
- 24. I want touse attributes from subject and object… ABAC DELETE /customers/{id} const user = await db.users.get(cookie.userId); const customer = await db.customers.get(req.path.id); if (user.department === "IT" && !customer.subscribed)) { // delete customer // return 204 } else { // return 403 } select department from users where id == {uid}; select subscribed from customers where id == {cid};
- 25. I want touse attributes from subject and object… ABAC DELETE /customers/{id} const user = await db.users.get(cookie.userId); const customer = await db.customers.get(req.path.id); if (user.department === "IT" && !customer.subscribed)) { // delete customer // return 204 } else { // return 403 } select department from users where id == {uid}; select subscribed from customers where id == {cid};
- 26. I want touse attributes from subject and object… ABAC DELETE /customers/{id} const user = await db.users.get(cookie.userId); const customer = await db.customers.get(req.path.id); if (user.department === "IT" && !customer.subscribed)) { // delete customer // return 204 } else { // return 403 } select department from users where id == {uid}; select subscribed from customers where id == {cid};
- 27. I want touse attributes from subject and object… ABAC DELETE /customers/{id} const user = await db.users.get(cookie.userId); const customer = await db.customers.get(req.path.id); if (user.department === "IT" && !customer.subscribed)) { // delete customer // return 204 } else { // return 403 } select department from users where id == {uid}; select subscribed from customers where id == {cid};
- 28. I want toknow who did what… DELETE /customers/{id} // log: cookie.userId requesting authz to delete customer const user = await db.users.get(cookie.userId); const customer = await db.customers.get(req.path.id); if (user.department === "IT" && customer.unsubscribed)) { // log: cookie.userId authorized to delete customer // delete customer // return 204 } else { // log: cookie.userId unauthorized to delete customer // return 403 } select department from users where id == {uid}; select unsubscribed from customers where id == {cid};
- 29. I want toknow who did what… DELETE /customers/{id} // log: cookie.userId requesting authz to delete customer const user = await db.users.get(cookie.userId); const customer = await db.customers.get(req.path.id); if (user.department === "IT" && customer.unsubscribed)) { // log: cookie.userId authorized to delete customer // delete customer // return 204 } else { // log: cookie.userId unauthorized to delete customer // return 403 } select department from users where id == {uid}; select unsubscribed from customers where id == {cid};
- 30. I want toknow who did what… DELETE /customers/{id} // log: cookie.userId requesting authz to delete customer const user = await db.users.get(cookie.userId); const customer = await db.customers.get(req.path.id); if (user.department === "IT" && customer.unsubscribed)) { // log: cookie.userId authorized to delete customer // delete customer // return 204 } else { // log: cookie.userId unauthorized to delete customer // return 403 } select department from users where id == {uid}; select unsubscribed from customers where id == {cid};
- 31. I want itto be reliable and fast… DELETE /customers/{id} // log: cookie.userId requesting authz to delete customer const user = await db.users.get(cookie.userId); const customer = await db.customers.get(req.path.id); if (user.department === "IT" && customer.unsubscribed)) { // log: cookie.userId authorized to delete customer // delete customer // return 204 } else { // log: cookie.userId unauthorized to delete customer // return 403 } select department from users where id == {uid}; select unsubscribed from customers where id == {cid};
- 32. Access Review? Who canaccess what?
- 33.
- 34.
- 35.
- 36.
- 37.
- 38.
- 39.
- 40.
- 41. Advantages • Easier tounderstand what authorization logic applies • Authorization change management is simpler than having it in code • Auditing is implemented outside of business logic
- 42. Disadvantages • Requires operatingmore components
- 43. Disadvantages • Requires operatingmore components • Does not handle storage of authz data • 👉 latency + reliability + scale • 👉 collaboration scenarios •
- 44.
- 45.
- 46.
- 47.
- 48.
- 49. Sweet spot Policies (AuthZ needs) DBaaS (handlesdata) Zanzibar "as a Service”
- 50.
- 51. Alternatives (disclaimer: I workon Project "Sandcastle") Project "Sandcastle"
- 52.
- 53. Architecture Sandcastle in "PDPMode" 2. check(user, delete, customer) 1. can user delete customer? Customer Service PDP Sandcastle 4. delete customer 3. user is authorized nginx
- 54.
- 55. Advantages • Auditing ispart of "aaS" • Authorization change management is simpler than having it in code • Easier to understand what authorization logic applies • Multi-region and operated by someone else
- 56. Disadvantages • Many thingsare a relationship, but not everything (e.g. time of day)
- 57.
- 58. Architecture Sandcastle in "PIPMode" 4. check(user, delete, customer) 2. can user delete customer? 1. can user delete customer? Manage Policies Distribute Policies PAP PDP PIP Sandcastle 6. delete customer 5. user is authorized Policy Repository 3. evaluate policy
- 59.
- 60. AuthZ APIs Resources •Google Zanzibar: https://research.google/pubs/pub48190/ • Zanzibar Academy: https://zanzibar.academy • Himeji (Zanzibar @ Airbnb): https://medium.com/airbnb-engineering/himeji-a-scalable- centralized-system-for-authorization-at-airbnb-341664924574 • AuthZ (Zanzibar @ Carta): https://medium.com/building-carta/authz-cartas-highly- scalable-permissions-system-782a7f2c840f • Facebook TAO: https://www.usenix.org/system/ fi les/conference/atc13/atc13-bronson.pdf • Authzed: https://authzed.com/ • Ory Keto: https://www.ory.sh/keto/docs/
- 61. @auth0lab Resources • Sandcastleplayground: https://learn.sandcastle.cloud/ • Auth0 Lab discord: https://t.co/ybHn8hEOBl?amp=1 • Authorization in Software Podcast: https:// authorizationinsoftware.auth0.com/ • @auth0lab: https://twitter.com/auth0lab
- 62. Policy Resources • OPA:https://www.openpolicyagent.org/ • Styra: https://www.styra.com/ • OSOHQ: https://docs.osohq.com/ • XACML: http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.html • NIST ABAC: https://nvlpubs.nist.gov/nistpubs/specialpublications/NIST.sp.800-162.pdf • RBAC: https://csrc.nist.gov/CSRC/media/Publications/conference-paper/1992/10/13/ role-based-access-controls/documents/ferraiolo-kuhn-92.pdf
- 63.
- 64.
- 65. New York JULY Australia SEPTEMBER Singapore APRIL Helsinki &North MARCH Paris DECEMBER London OCTOBER Jakarta FEBRUARY Hong Kong AUGUST JUNE India MAY Check out our API Conferences here 50+ events since 2012, 14 countries, 2,000+ speakers, 50,000+ attendees, 300k+ online community Want to talk at one of our conferences? Apply to speak here