Updates from the OASIS XACML Technical Committee - Making Authorization Developer-Friendly using ALFA, REST, and JSON

© Axiomatics 2019 - All Rights Reserved 1© Axiomatics 2019 - All Rights Reserved 1
Easy Authorization with REST, JSON, and ALFA
Updates from the OASIS XACML Technical Committee
September 10th, University of Oxford
David Brossard, OASIS XACML TC Member, IDPro Founding Member, @davidjbrossard

© Axiomatics 2019 - All Rights Reserved 2
What is XACML?
⁃ Founded in 2001 – https://www.oasis-open.org/committees/xacml/
⁃ eXtensible Access Control Markup Language
⁃ Members include
⁃ Oracle, US Government, Axiomatics, IBM, Thales and others
⁃ Statement of purpose (from the first email on the ML)
⁃ To define a core schema and corresponding namespace for the
expression of authorization policies in XML against objects that are
themselves identified in XML.
⁃ The schema will be capable of representing the functionality of most
policy representation mechanisms available at the time of adoption.
⁃ It is also intended that the schema be extensible in order to address
that functionality not included, custom application requirements, or
features not yet envisioned.

The challenge?
⁃ You’ve been tasked with developing a new application
⁃ Micro-service, API, SPA... You name it
⁃ There are many non-functional requirements
⁃ Authentication
⁃ Logging
⁃ Authorization
⁃ Authorization ties together business logic and security
⁃ How can you achieve scalable, future-proof authorization?
⁃ Something you don’t have to rewrite all the time?

You could…
⁃ Think really hard and design your own model
⁃ Use RBAC
⁃ Hard-code the authorization logic within your app

Or you could…
⁃ Decouple your app code from your authorization logic
⁃ Focus on your app
⁃ Make it spiffy!
⁃ Implement your authorization requirements as
⁃ policies & attributes
⁃ Integrate your app(s) with an externalized authorization service
Aloha
XACML

XACML is the de-facto standard for ABAC
⁃ Attribute-Based Access Control
⁃ Also known as Policy-Based Access Control
⁃ Context-aware, dynamic, externalized
Who? What? When? Where? Why? How?

XACML with respect to other standards
⁃ XACML is not
⁃ SAML
⁃ Identity federation
⁃ OAuth
⁃ Access delegation
⁃ OpenID
⁃ This handles authentication
⁃ UMA
⁃ User-managed access & consent management
⁃ XACML can collaborate with any of these standards to deliver
better authorization

What does XACML define?
XACML
Reference
Architecture
Policy
Language
Request /
Response
Scheme

The XACML Reference Architecture
Enforce
DecideManage

The XACML Reference Architecture Flow
1.View record #123 6.View record #123
2. Can Alice view
record #123?
5. Permit, Alice can
view record #123
3. Evaluate policies
4. Retrieve
additional attributes

XACML Uses Attributes
⁃ Key-value pairs
⁃ Key: Department
⁃ Value: Engineering
⁃ Multi-valued
⁃ Grouped into different categories
⁃ Different data types
⁃ Unique identifier
⁃ Name and namespace

Did someone
say XML?

Don’t get me wrong, I <love>XML</love>

(abbreviated language for authorization)
ALFA
JSON
(JavaScript Object Notation)
REST
(we all know what that means)

Bringing XACML to Developers
REST
A standard means to POST
authorization requests to
the PDP
Faster (than SOAP)
Easier to integrate with
JSON
Lightweight representation
of a XACML request &
response
80% smaller than XML
Easier to integrate with
ALFA
Abbreviated Language For
Authorization
Developer-friendly
Easier to read and write
(than XML)

The REST Profile of XACML
⁃ Provide easy means to send authorization request
⁃ Just POST an authorization request
⁃ Provide standard transport protocol in XACML
⁃ Current implementations use proprietary bindings e.g. SOAP
⁃ SOAP in itself is losing has lost popularity
⁃ Integrate with more environments, languages, and SaaS

POSTing a Request in Javascript
var xmlHttp = null;
function authorize() {
var xacmlRequest = document.getElementById( "xacmlrequest" ).value;
var Url = "https://localhost:5443/axio/authorize";
xmlHttp = new XMLHttpRequest();
xmlHttp.onreadystatechange = ProcessRequest;
xmlHttp.withCredentials = true;
xmlHttp.open( "POST", Url, false );
xmlHttp.setRequestHeader("Accept","application/xacml+json");
xmlHttp.setRequestHeader("Content-Type","application/xacml+json");
xmlHttp.setRequestHeader("Authorization","Basic cGVwOnBhc3N3b3Jk");
xmlHttp.send(xacmlRequest);
}
Create an HTTP
request to the PDP
Choose to
authenticate the call
and use POST
Set the content type
and the
username/password

The JSON Profile of XACML – Building a JSON
request in Javascript
Create a new Request object
Create a new AccessSubject attribute category
Add an attribute and its value
function createAttribute(identifier,
value){
var attr = new Object();
attr.AttributeId=identifier;
attr.Value=value;
return attr;
function generateXACMLRequest(){
// 1. Create empty request
var jsonRequest = new Object();
jsonRequest.Request = new Object();
jsonRequest.Request.AccessSubject = new Object();
jsonRequest.Request.AccessSubject.Attribute = [];
// 2. Add attributes
jsonRequest.Request.AccessSubject.Attribute.push(createAttribute("com.acme.user.employeeId", "Alice"));
// 3. Return request
return jsonRequest;
}

Sample JSON/XACML Request & Response
{
"Request": {
"ReturnPolicyIdList": true,
"AccessSubject": {
"Attribute": [
{
"AttributeId": "axiomatics.demo.user.userId",
"Value": "Alice"
}
]
},
"Resource": {
"Attribute": [
{
"AttributeId": "axiomatics.demo.record.recordId",
"Value": "123"
},
{
"AttributeId": "axiomatics.demo.resourceType",
"Value": "record"
}
]
},
"Action": {
"Attribute": [
{
"AttributeId": "axiomatics.demo.actionId",
"Value": "view"
}
]
},
}
}
{
"Response" : [{
"Decision" : "Deny"
}]
}

The ALFA Profile of XACML
⁃ Simplified C#-like language
⁃ Easy on the developer
⁃ Uses namespaces to organize policies
⁃ Easy to scale up to hundreds of policies
⁃ Easy to add comments
⁃ All the main keywords of XACML are in ALFA
⁃ PolicySet, Policy, Rule, Combing Algorithms
⁃ Target, Condition
⁃ Obligation, Advice
⁃ More on Wikipedia and StackOverflow

An example ALFA policy
/* Medical Record policies */
policyset medicalRecords{
target clause objectType=="medical record”
apply firstApplicable
/* Physician access */
policy physiciansAccessMedicalRecords{
target clause user.role=="physician”
apply denyUnlessPermit
/* A primary physician can read a patients medical record */
rule readMedicalRecord{
target clause action=="read”
condition primaryPhysician==requestorId
permit
}
}
}
Same structural elements as XACML:
• PolicySet
• Policy
• Rule

permit
}
}
}
Combining algorithms help resolve
conflicts between policies and rules.
Choose from:
• firstApplicable
• denyOverrides
• permitOverrides
• denyUnlessPermit
• …

permit
}
}
}
Use targets to define the scope of
the policy set / policy / rule

permit
}
}
}
Use conditions for advanced
matching and relationship
checks

permit
}
}
}
Lastly, we have the effect. Choose
from:
• Permit
• Deny

Live Demo

Updates from the OASIS XACML Technical Committee - Making Authorization Developer-Friendly using ALFA, REST, and JSON

More Related Content

What's hot

Similar to Updates from the OASIS XACML Technical Committee - Making Authorization Developer-Friendly using ALFA, REST, and JSON

More from David Brossard

Recently uploaded

Updates from the OASIS XACML Technical Committee - Making Authorization Developer-Friendly using ALFA, REST, and JSON

Editor's Notes