Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Authorization is on the rise. What if there was an API for it?

Damian Schenkelman
October 27, 2021
Technology
0
94

Authorization is on the rise. What if there was an API for it?

APIs are eating the world. Over the past 10 years, we've seen the rise APIs for dev and infra teams that have revolutionized how we solve problems like payments (Stripe), communications (Twilio), authentication (Auth0).

In a world where users are starting to care more about their privacy, expect collaboration capabilities from their software, and where adhering to compliance standards is table stakes, Authorization is starting to become one of those concerns to be addressed.

In this talk, we'll go over what Authorization is, some of its core concepts, the context that is making it a rising topic, and explain how developers can use APIs their authorization use cases.

Damian Schenkelman

October 27, 2021
Tweet

More Decks by Damian Schenkelman

See All by Damian Schenkelman
Identidad en Web3
dschenkelman
0
200
Demo Identidad en Web3
dschenkelman
1
89
Deep Dive Into Google Zanzibar and its Concepts for Authorization Scenarios
dschenkelman
1
890
All About AuthZ
dschenkelman
1
340
Evolving Auth0's architecture: From 0 to 2.5+ billion logins per month in 5 years
dschenkelman
1
670
Remote work at Auth0
dschenkelman
0
110
El camino a SRE
dschenkelman
0
140
IDaaS at Scale - From 0 to 2.5B+ logins/month (Auth0 Webinar)
dschenkelman
0
50
IDaaS at Scale - Nardoz BA
dschenkelman
0
130

Other Decks in Technology

See All in Technology
How to test GraphQL API using Postman
yokawasa
0
310
フロントエンドの開発生産性とは
yosuke_furukawa
PRO
5
2.5k
テスト文化の成熟:自動テストが浸透した組織が次に目指すべきステップ
igsr5
4
620
Setting up Monitoring for Kubernetes
prathamesh
0
150
ChatGPT in SlackでAI Slackbotを楽しく運用する
iwamot
1
120
【初心者向け】まだ間に合う! Hugging Face入門 -TransformersでAI推論&学習
tkhresk
1
470
Droidknights 2023 - 이상훈 - 기존 앱을 Jetpack Compose로 마이그레이션 하기
dsa28s
3
280
品質観点でみたインセプションデッキとその改善
nagworld
1
120
War for talent 時代の、古くて新しい仲間集めの形_~weak ties と strong tiesの力~
sadonosake
0
210
Oracle Base Database Service 技術詳細
oracle4engineer
PRO
3
26k
dojo230914
mitsuakitohei
1
190
全世界1,800万人が利用する「家族アルバム みてね」におけるNew Relic活用法 / FutureStack Tokyo 2023
isaoshimizu
1
170

Featured

See All Featured
StorybookのUI Testing Handbookを読んだ
zakiyama
9
3.9k
Optimising Largest Contentful Paint
csswizardry
6
1.8k
VelocityConf: Rendering Performance Case Studies
addyosmani
318
23k
Embracing the Ebb and Flow
colly
77
3.8k
Infographics Made Easy
chrislema
236
17k
Why You Should Never Use an ORM
jnunemaker
PRO
49
8.2k
What's in a price? How to price your products and services
michaelherold
236
10k
Building an army of robots
kneath
300
41k
Building Your Own Lightsaber
phodgson
97
5.1k
The Mythical Team-Month
searls
212
41k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
15
1.5k
Keith and Marios Guide to Fast Websites
keithpitt
407
21k

Transcript

  1. Authorization is on the rise.


    What if there was an API for it?
    @dschenkelman

    View Slide

  2. Building software in 2021…

    View Slide

  3. Security

    View Slide

  4. Privacy

    View Slide

  5. Compliance

    View Slide

  6. Table Stakes
    https://medium.com/pm-insights/how-to-pick-winning-product-
    features-7b03abcf7d12

    View Slide

  7. Collaboration

    View Slide

  8. Sharing

    View Slide

  9. Partnerships

    View Slide

  10. Differentiator
    https://medium.com/pm-insights/how-to-pick-winning-product-
    features-7b03abcf7d12

    View Slide

  11. Authorization

    View Slide

  12. NOT Authentication

    View Slide

  13. Authorization

    View Slide

  14. OWASP TOP 1
    https://owasp.org/Top10/
    Broken Access Control

    View Slide

  15. In the beginning…
    RBAC
    DELETE /customers/{id}


    const user = await db.users.get(cookie.userId);


    if (user.role === "admin")) {


    // delete customer


    // return 204


    } else {


    // return 403


    }
    select role from users


    where userId == {uid};

    View Slide

  16. In the beginning…
    RBAC
    DELETE /customers/{id}


    const user = await db.users.get(cookie.userId);


    if (user.role === "admin")) {


    // delete customer


    // return 204


    } else {


    // return 403


    }
    select role from users


    where userId == {uid};

    View Slide

  17. In the beginning…
    RBAC
    DELETE /customers/{id}


    const user = await db.users.get(cookie.userId);


    if (user.role === "admin")) {


    // delete customer


    // return 204


    } else {


    // return 403


    }
    select role from users


    where userId == {uid};

    View Slide

  18. In the beginning…
    RBAC
    DELETE /customers/{id}


    const user = await db.users.get(cookie.userId);


    if (user.role === "admin")) {


    // delete customer


    // return 204


    } else {


    // return 403


    }
    select role from users


    where userId == {uid};

    View Slide

  19. In the beginning…
    RBAC
    DELETE /customers/{id}


    const user = await db.users.get(cookie.userId);


    if (user.role === "admin")) {


    // delete customer


    // return 204


    } else {


    // return 403


    }
    select role from users


    where userId == {uid};

    View Slide

  20. Finer Grained Authorization

    View Slide

  21. I want to use attributes from subject and object…
    ABAC
    DELETE /customers/{id}


    const user = await db.users.get(cookie.userId);


    const customer = await db.customers.get(req.path.id);


    if (user.department === "IT" && !customer.subscribed)) {


    // delete customer


    // return 204


    } else {


    // return 403


    }
    select department from users


    where id == {uid};


    select subscribed from customers


    where id == {cid};

    View Slide

  22. I want to use attributes from subject and object…
    ABAC
    DELETE /customers/{id}


    const user = await db.users.get(cookie.userId);


    const customer = await db.customers.get(req.path.id);


    if (user.department === "IT" && !customer.subscribed)) {


    // delete customer


    // return 204


    } else {


    // return 403


    }
    select department from users


    where id == {uid};


    select subscribed from customers


    where id == {cid};

    View Slide

  23. I want to use attributes from subject and object…
    ABAC
    DELETE /customers/{id}


    const user = await db.users.get(cookie.userId);


    const customer = await db.customers.get(req.path.id);


    if (user.department === "IT" && !customer.subscribed)) {


    // delete customer


    // return 204


    } else {


    // return 403


    }
    select department from users


    where id == {uid};


    select subscribed from customers


    where id == {cid};

    View Slide

  24. I want to use attributes from subject and object…
    ABAC
    DELETE /customers/{id}


    const user = await db.users.get(cookie.userId);


    const customer = await db.customers.get(req.path.id);


    if (user.department === "IT" && !customer.subscribed)) {


    // delete customer


    // return 204


    } else {


    // return 403


    }
    select department from users


    where id == {uid};


    select subscribed from customers


    where id == {cid};

    View Slide

  25. I want to use attributes from subject and object…
    ABAC
    DELETE /customers/{id}


    const user = await db.users.get(cookie.userId);


    const customer = await db.customers.get(req.path.id);


    if (user.department === "IT" && !customer.subscribed)) {


    // delete customer


    // return 204


    } else {


    // return 403


    }
    select department from users


    where id == {uid};


    select subscribed from customers


    where id == {cid};

    View Slide

  26. I want to use attributes from subject and object…
    ABAC
    DELETE /customers/{id}


    const user = await db.users.get(cookie.userId);


    const customer = await db.customers.get(req.path.id);


    if (user.department === "IT" && !customer.subscribed)) {


    // delete customer


    // return 204


    } else {


    // return 403


    }
    select department from users


    where id == {uid};


    select subscribed from customers


    where id == {cid};

    View Slide

  27. I want to know who did what…
    DELETE /customers/{id}


    // log: cookie.userId requesting authz to delete customer


    const user = await db.users.get(cookie.userId);


    const customer = await db.customers.get(req.path.id);


    if (user.department === "IT" && customer.unsubscribed)) {


    // log: cookie.userId authorized to delete customer


    // delete customer


    // return 204


    } else {


    // log: cookie.userId unauthorized to delete customer


    // return 403


    }
    select department from users


    where id == {uid};


    select unsubscribed from customers


    where id == {cid};

    View Slide

  28. I want to know who did what…
    DELETE /customers/{id}


    // log: cookie.userId requesting authz to delete customer


    const user = await db.users.get(cookie.userId);


    const customer = await db.customers.get(req.path.id);


    if (user.department === "IT" && customer.unsubscribed)) {


    // log: cookie.userId authorized to delete customer


    // delete customer


    // return 204


    } else {


    // log: cookie.userId unauthorized to delete customer


    // return 403


    }
    select department from users


    where id == {uid};


    select unsubscribed from customers


    where id == {cid};

    View Slide

  29. I want to know who did what…
    DELETE /customers/{id}


    // log: cookie.userId requesting authz to delete customer


    const user = await db.users.get(cookie.userId);


    const customer = await db.customers.get(req.path.id);


    if (user.department === "IT" && customer.unsubscribed)) {


    // log: cookie.userId authorized to delete customer


    // delete customer


    // return 204


    } else {


    // log: cookie.userId unauthorized to delete customer


    // return 403


    }
    select department from users


    where id == {uid};


    select unsubscribed from customers


    where id == {cid};

    View Slide

  30. I want it to be reliable and fast…
    DELETE /customers/{id}


    // log: cookie.userId requesting authz to delete customer


    const user = await db.users.get(cookie.userId);


    const customer = await db.customers.get(req.path.id);


    if (user.department === "IT" && customer.unsubscribed)) {


    // log: cookie.userId authorized to delete customer


    // delete customer


    // return 204


    } else {


    // log: cookie.userId unauthorized to delete customer


    // return 403


    }
    select department from users


    where id == {uid};


    select unsubscribed from customers


    where id == {cid};

    View Slide

  31. Access Review?
    Who can access what?

    View Slide

  32. Approval?
    Change Management

    View Slide

  33. Auditing?
    What happened?

    View Slide

  34. Reliability?

    View Slide

  35. Latency?

    View Slide

  36. Developer APIs

    View Slide

  37. Approach #1: Policies

    View Slide

  38. Mental Picture
    public enum Decision {


    Allow,


    Deny,





    }


    public Decision {policy_name} (subject, permission, object, context)
    {


    // rules…


    }

    View Slide

  39. Example Architecture
    3. get user and
    customer data


    2. can user
    delete customer?


    1. can user
    delete customer?


    Manage Policies


    PAP
    Policy
    Decision
    Point


    Policy
    Information
    Point
    6. delete customer


    5. user is
    authorized


    Policy Repository


    Customer
    Service


    4. evaluate policy


    View Slide

  40. Advantages
    • Easier to understand what authorization logic applies

    • Authorization change management is simpler than having it in code

    • Auditing is implemented outside of business logic

    View Slide

  41. Disadvantages
    • Requires operating more components

    View Slide

  42. Disadvantages
    • Requires operating more components

    • Does not handle storage of authz data

    • 👉 latency + reliability + scale

    • 👉 collaboration scenarios


    View Slide

  43. Approach #2: "Zanzibar"

    View Slide

  44. Zanzibar
    Not this one…

    View Slide

  45. Google Zanzibar
    https://research.google/pubs/pub48190/

    View Slide

  46. ReBAC

    View Slide

  47. Multi-region

    View Slide

  48. Sweet spot
    Policies
    (AuthZ needs)
    DBaaS
    (handles data)
    Zanzibar "as a Service”

    View Slide

  49. Internal Use

    View Slide

  50. For others to use
    (disclaimer: I work on Project "Sandcastle")
    Project "Sandcastle"

    View Slide

  51. DEMO

    View Slide

  52. Architecture
    Sandcastle in "PDP Mode"
    2. check(user, delete, customer)


    1. can user
    delete customer?


    Customer Service
    PDP


    Sandcastle
    4. delete customer


    3. user is authorized


    nginx

    View Slide

  53. Enforcement

    View Slide

  54. Advantages
    • Auditing is part of "aaS"

    • Authorization change management is simpler than having it in code

    • Easier to understand what authorization logic applies

    • Multi-region and operated by someone else

    View Slide

  55. Disadvantages
    • Many things are a relationship, but not everything (e.g. time of day)

    View Slide

  56. Approach #3: Combined

    View Slide

  57. Architecture
    Sandcastle in "PIP Mode"
    4. check(user,
    delete, customer)


    2. can user
    delete customer?


    1. can user
    delete customer?


    Manage Policies


    Distribute Policies
    PAP
    PDP


    PIP


    Sandcastle
    6. delete customer


    5. user is authorized


    Policy Repository


    3. evaluate policy


    View Slide

  58. Final Thoughts

    View Slide

  59. Resources

    View Slide

  60. Project “Sandcastle"


    Dev Community Preview Waitlist
    shorturl.at/hkouS

    View Slide

  61. AuthZ APIs Resources
    • Google Zanzibar: https://research.google/pubs/pub48190/

    • Zanzibar Academy: https://zanzibar.academy

    • Himeji (Zanzibar @ Airbnb): https://medium.com/airbnb-engineering/himeji-a-scalable-
    centralized-system-for-authorization-at-airbnb-341664924574

    • AuthZ (Zanzibar @ Carta): https://medium.com/building-carta/authz-cartas-highly-
    scalable-permissions-system-782a7f2c840f

    • Facebook TAO: https://www.usenix.org/system/
    fi
    les/conference/atc13/atc13-bronson.pdf

    • Authzed: https://authzed.com/

    • Ory Keto: https://www.ory.sh/keto/docs/

    View Slide

  62. @auth0lab Resources
    • Sandcastle playground: https://learn.sandcastle.cloud/

    • Auth0 Lab discord: https://t.co/ybHn8hEOBl?amp=1

    • Authorization in Software Podcast: https://
    authorizationinsoftware.auth0.com/

    • @auth0lab: https://twitter.com/auth0lab

    View Slide

  63. Policy Resources
    • OPA: https://www.openpolicyagent.org/

    • Styra: https://www.styra.com/

    • OSOHQ: https://docs.osohq.com/

    • XACML: http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.html

    • NIST ABAC: https://nvlpubs.nist.gov/nistpubs/specialpublications/NIST.sp.800-162.pdf

    • RBAC: https://csrc.nist.gov/CSRC/media/Publications/conference-paper/1992/10/13/
    role-based-access-controls/documents/ferraiolo-kuhn-92.pdf

    View Slide

  64. Thanks!
    @dschenkelman

    @auth0lab

    View Slide

  65. Questions?

    View Slide