Authorization is on the rise. What if there was an API for it?

APIs are eating the world. Over the past 10 years, we've seen the rise of APIs for dev and infra teams that have revolutionized how we solve problems like payments (Stripe), communications (Twilio) and authentication (Auth0).

In a world where users are starting to care more about their privacy, expect collaboration capabilities from their software, and where adhering to compliance standards is table stakes, authorization is becoming one of those concerns that has to be addressed.

In this talk, we'll go over what authorization is, some of its core concepts, the context that is making it a rising topic, and how developers can use APIs for their authorization use cases.

Damian Schenkelman

October 27, 2021

Transcript

  1. Authorization is on the rise.
    What if there was an API for it?
    @dschenkelman

  2. Building software in 2021…

  3. Table Stakes
    https://medium.com/pm-insights/how-to-pick-winning-product-features-7b03abcf7d12

  4. Collaboration

  5. Partnerships

  6. Differentiator
    https://medium.com/pm-insights/how-to-pick-winning-product-features-7b03abcf7d12

  7. Authorization

  8. NOT Authentication

  9. Authorization

  10. OWASP Top 10, #1: Broken Access Control
    https://owasp.org/Top10/

  11. In the beginning…
    RBAC
    DELETE /customers/{id}

    const user = await db.users.get(cookie.userId);
    if (user.role === "admin") {
      // delete customer
      // return 204
    } else {
      // return 403
    }

    select role from users where userId = {uid};

  16. Finer Grained Authorization

  17. I want to use attributes from subject and object…
    ABAC
    DELETE /customers/{id}

    const user = await db.users.get(cookie.userId);
    const customer = await db.customers.get(req.path.id);
    if (user.department === "IT" && !customer.subscribed) {
      // delete customer
      // return 204
    } else {
      // return 403
    }

    select department from users where id = {uid};
    select subscribed from customers where id = {cid};

  23. I want to know who did what…
    DELETE /customers/{id}

    // log: cookie.userId requesting authz to delete customer
    const user = await db.users.get(cookie.userId);
    const customer = await db.customers.get(req.path.id);
    if (user.department === "IT" && customer.unsubscribed) {
      // log: cookie.userId authorized to delete customer
      // delete customer
      // return 204
    } else {
      // log: cookie.userId unauthorized to delete customer
      // return 403
    }

    select department from users where id = {uid};
    select unsubscribed from customers where id = {cid};

  26. I want it to be reliable and fast…
    (same handler and queries as slide 23)

  27. Access Review?
    Who can access what?

  28. Approval?
    Change Management

  29. Auditing?
    What happened?

  30. Reliability?

  31. Developer APIs

  32. Approach #1: Policies

  33. Mental Picture
    public enum Decision {
      Allow,
      Deny,
    }

    public Decision {policy_name}(subject, permission, object, context) {
      // rules…
    }

  34. Example Architecture
    (diagram) Components: Customer Service; Policy Decision Point (PDP); Policy Information Point (PIP); Policy Administration Point (PAP, "Manage Policies"); Policy Repository.
    1. can user delete customer?
    2. can user delete customer?
    3. get user and customer data
    4. evaluate policy
    5. user is authorized
    6. delete customer
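
Approach #1 end to end, as an added JavaScript example that is not code from the deck: an in-memory PIP over constructed users/customers rows, a policy repository holding the customer delete policy in the (subject, permission, object, context) shape of the Mental Picture slide, a PDP that evaluates it and appends an audit event for every decision, and a DELETE handler reduced to one authorize() call. The sample rows, the "objectType:permission" policy key and the audit record fields are assumptions.

```javascript
// Added example, not from the deck: Approach #1 ("Policies") in JavaScript.
// Customer Service asks a Policy Decision Point (PDP) "can user delete
// customer?"; the PDP fetches attributes through a Policy Information Point
// (PIP) and evaluates the policy found in the repository. Assumed/constructed:
// the sample rows, the "type:permission" policy key and the audit record shape.

const Decision = Object.freeze({ Allow: "Allow", Deny: "Deny" });

// Constructed rows standing in for the users and customers tables.
const db = {
  users: {
    u1: { id: "u1", role: "admin", department: "Sales" },
    u2: { id: "u2", role: "member", department: "IT" },
    u3: { id: "u3", role: "member", department: "Sales" },
  },
  customers: {
    c1: { id: "c1", subscribed: false },
    c2: { id: "c2", subscribed: true },
  },
};

// PIP: the one place that knows where subject and object attributes live.
const pip = {
  subject: (id) => db.users[id] ?? null,
  object: (type, id) => (type === "customer" ? (db.customers[id] ?? null) : null),
};

// Policy repository, keyed by "objectType:permission". Each policy has the
// shape from the Mental Picture slide: (subject, permission, object, context)
// -> Decision. The rules are the RBAC and ABAC checks from slides 11 and 17.
const policyRepository = {
  "customer:delete": (subject, permission, object, context) => {
    if (subject.role === "admin") return Decision.Allow;          // RBAC
    if (subject.department === "IT" && !object.subscribed) {       // ABAC
      return Decision.Allow;
    }
    return Decision.Deny;                                          // default deny
  },
};

// PDP: resolve attributes, evaluate, and append an audit event for every
// request, allowed or not. A missing subject, object or policy is a Deny,
// never an exception the caller could swallow.
function authorize(subjectId, permission, objectRef, context, auditLog) {
  const { type, id } = objectRef;
  const subject = pip.subject(subjectId);
  const object = pip.object(type, id);
  const policy = policyRepository[`${type}:${permission}`];
  let decision = Decision.Deny;
  let reason = "no-policy";
  if (!subject || !object) {
    reason = "unknown-subject-or-object";
  } else if (policy) {
    decision = policy(subject, permission, object, context);
    reason = "policy";
  }
  auditLog.push({
    at: context.now.toISOString(), subjectId, permission,
    object: `${type}:${id}`, decision, reason,
  });
  return decision;
}

// Customer Service handler for DELETE /customers/{id}. The business code no
// longer carries the rules, only the PDP call. Returns the HTTP status.
function deleteCustomerHandler(req, auditLog) {
  const decision = authorize(
    req.cookie.userId, "delete", { type: "customer", id: req.path.id },
    { now: req.now }, auditLog,
  );
  if (decision !== Decision.Allow) return 403;
  delete db.customers[req.path.id]; // the actual business action
  return 204;
}

if (typeof require !== "undefined" && require.main === module) {
  const audit = [];
  const now = new Date("2021-10-27T10:00:00Z");
  console.log(deleteCustomerHandler({ cookie: { userId: "u3" }, path: { id: "c1" }, now }, audit));
  console.log(audit);
}
```

Run it with `node`. The point to notice is that every request leaves an audit record, including denials and requests for which no policy exists, and that the handler can no longer "forget" the check, which is the Broken Access Control failure mode slide 10 points at.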

  35. Advantages
    • Easier to understand what authorization logic applies

    • Authorization change management is simpler than having it in code

    • Auditing is implemented outside of business logic

  36. Disadvantages
    • Requires operating more components

    • Does not handle storage of authz data

    • 👉 latency + reliability + scale

    • 👉 collaboration scenarios

  38. Approach #2: "Zanzibar"

  39. Zanzibar
    Not this one…

  40. Google Zanzibar
    https://research.google/pubs/pub48190/

  41. Multi-region

  42. Sweet spot
    Policies (AuthZ needs)
    DBaaS (handles data)
    Zanzibar "as a Service"

  43. Internal Use

  44. For others to use
    (disclaimer: I work on Project "Sandcastle")
    Project "Sandcastle"

  45. Architecture
    Sandcastle in "PDP Mode"
    (diagram) Components: Customer Service; PDP; Sandcastle; nginx.
    1. can user delete customer?
    2. check(user, delete, customer)
    3. user is authorized
    4. delete customer

  46. Advantages
    • Auditing is part of "aaS"

    • Authorization change management is simpler than having it in code

    • Easier to understand what authorization logic applies

    • Multi-region and operated by someone else

  47. Disadvantages
    • Many things are a relationship, but not everything (e.g. time of day)

  48. Approach #3: Combined

  49. Architecture
    Sandcastle in "PIP Mode"
    (diagram) Components: PAP (Manage Policies, Distribute Policies); Policy Repository; PDP; PIP; Sandcastle.
    1. can user delete customer?
    2. can user delete customer?
    3. evaluate policy
    4. check(user, delete, customer)
    5. user is authorized
    6. delete customer
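
Approaches #2 and #3 in one added JavaScript example that is not code from the deck or from Project "Sandcastle": a small Zanzibar-style store of object#relation@user tuples with a recursive check() that follows usersets and union rewrites (the relationship side), and on top of it a combined policy that uses that check as its PIP and adds a time-of-day rule, the kind of condition slide 47 notes is not a relationship. The namespace config, the tuple syntax, the sample tuples and the 08:00-18:00 UTC window are assumptions.

```javascript
// Added example, not from the deck or Project "Sandcastle": Approach #2, a
// Zanzibar-style relationship check, and Approach #3, a policy that uses that
// check as its PIP and adds a rule that is not a relationship (time of day).
// Assumed/constructed: the namespace config, the "object#relation@user" tuple
// syntax, the sample tuples and the 08:00-18:00 UTC window.

// Namespace config: relations per object type, each rewritten as the union of
// itself and the listed relations (owner is also manager, manager may delete).
const namespaces = {
  org: { member: [] },
  customer: { owner: [], manager: ["owner"], delete: ["manager"] },
};

// Relation tuples. The user part is either a user id or a userset
// "object#relation", e.g. every member of org:acme is a manager of c1.
const tuples = [
  "customer:c1#owner@user:u1",
  "customer:c1#manager@org:acme#member",
  "org:acme#member@user:u2",
  "customer:c2#owner@user:u3",
];

function parseTuple(t) {
  const m = /^([^#]+)#([^@]+)@(.+)$/.exec(t);
  if (!m) throw new Error(`bad tuple: ${t}`);
  return { object: m[1], relation: m[2], user: m[3] };
}
const store = tuples.map(parseTuple);

// check(user, relation, object): is `user` in the set of users holding
// `relation` on `object`? Direct tuples first, then usersets, then rewrites.
// `seen` stops infinite recursion if usersets form a cycle.
function check(user, relation, object, seen = new Set()) {
  const key = `${object}#${relation}`;
  if (seen.has(key)) return false;
  seen.add(key);
  for (const t of store) {
    if (t.object !== object || t.relation !== relation) continue;
    if (t.user === user) return true;
    const us = /^([^#]+)#(.+)$/.exec(t.user); // userset reference?
    if (us && check(user, us[2], us[1], seen)) return true;
  }
  const type = object.split(":")[0];
  const rewrites = namespaces[type]?.[relation] ?? [];
  return rewrites.some((r) => check(user, r, object, seen));
}

const Decision = Object.freeze({ Allow: "Allow", Deny: "Deny" });

// Approach #3: the PDP policy. The relationship question goes to check() (the
// PIP); the time-of-day condition lives in the policy because a tuple store has
// nowhere to put it. Assumed rule: deletes only between 08:00 and 18:00 UTC.
function deleteCustomerPolicy(subject, permission, object, context) {
  const hour = context.now.getUTCHours();
  if (hour < 8 || hour >= 18) return Decision.Deny;
  return check(subject, permission, object) ? Decision.Allow : Decision.Deny;
}

if (typeof require !== "undefined" && require.main === module) {
  const now = new Date("2021-10-27T10:00:00Z");
  for (const u of ["user:u1", "user:u2", "user:u3"]) {
    console.log(u, deleteCustomerPolicy(u, "delete", "customer:c1", { now }));
  }
}
```

user:u1 reaches delete on customer:c1 through the owner → manager → delete rewrite chain, user:u2 through membership of org:acme (a userset), and user:u3 not at all; the same u1 is denied outside the window, which is the combination slide 49 draws.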

  50. Final Thoughts

  51. Project "Sandcastle"
    Dev Community Preview Waitlist
    shorturl.at/hkouS

  52. AuthZ APIs Resources
    • Google Zanzibar: https://research.google/pubs/pub48190/

    • Zanzibar Academy: https://zanzibar.academy

    • Himeji (Zanzibar @ Airbnb): https://medium.com/airbnb-engineering/himeji-a-scalable-centralized-system-for-authorization-at-airbnb-341664924574

    • AuthZ (Zanzibar @ Carta): https://medium.com/building-carta/authz-cartas-highly-scalable-permissions-system-782a7f2c840f

    • Facebook TAO: https://www.usenix.org/system/files/conference/atc13/atc13-bronson.pdf

    • Authzed: https://authzed.com/

    • Ory Keto: https://www.ory.sh/keto/docs/

  53. @auth0lab Resources
    • Sandcastle playground: https://learn.sandcastle.cloud/

    • Auth0 Lab discord: https://t.co/ybHn8hEOBl?amp=1

    • Authorization in Software Podcast: https://authorizationinsoftware.auth0.com/

    • @auth0lab: https://twitter.com/auth0lab

  54. Policy Resources
    • OPA: https://www.openpolicyagent.org/

    • Styra: https://www.styra.com/

    • OSOHQ: https://docs.osohq.com/

    • XACML: http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.html

    • NIST ABAC: https://nvlpubs.nist.gov/nistpubs/specialpublications/NIST.sp.800-162.pdf

    • RBAC: https://csrc.nist.gov/CSRC/media/Publications/conference-paper/1992/10/13/role-based-access-controls/documents/ferraiolo-kuhn-92.pdf

  55. Thanks!
    @dschenkelman

    @auth0lab