
Authorization is on the rise. What if there was an API for it?


APIs are eating the world. Over the past 10 years, we've seen the rise of APIs for dev and infra teams that have revolutionized how we solve problems like payments (Stripe), communications (Twilio), and authentication (Auth0).

In a world where users are starting to care more about their privacy, expect collaboration capabilities from their software, and where adhering to compliance standards is table stakes, Authorization is starting to become one of those concerns to be addressed.

In this talk, we'll go over what Authorization is, some of its core concepts, the context that is making it a rising topic, and explain how developers can use APIs for their authorization use cases.

Damian Schenkelman

October 27, 2021


Transcript

  1. Authorization is on the rise. What if there was an API for it? @dschenkelman
  2. Building software in 2021…

  3. Security

  4. Privacy

  5. Compliance

  6. Table Stakes https://medium.com/pm-insights/how-to-pick-winning-product-features-7b03abcf7d12

  7. Collaboration

  8. Sharing

  9. Partnerships

  10. Differentiator https://medium.com/pm-insights/how-to-pick-winning-product-features-7b03abcf7d12

  11. Authorization

  12. NOT Authentication

  13. Authorization

  14. OWASP TOP 1: Broken Access Control https://owasp.org/Top10/

  15. In the beginning… RBAC
      DELETE /customers/{id}
        const user = await db.users.get(cookie.userId);
        if (user.role === "admin") {
          // delete customer
          // return 204
        } else {
          // return 403
        }
      select role from users where userId == {uid};
  20. Finer Grained Authorization

  21. I want to use attributes from subject and object… ABAC
      DELETE /customers/{id}
        const user = await db.users.get(cookie.userId);
        const customer = await db.customers.get(req.path.id);
        if (user.department === "IT" && !customer.subscribed) {
          // delete customer
          // return 204
        } else {
          // return 403
        }
      select department from users where id == {uid};
      select subscribed from customers where id == {cid};
  27. I want to know who did what…
      DELETE /customers/{id}
        // log: cookie.userId requesting authz to delete customer
        const user = await db.users.get(cookie.userId);
        const customer = await db.customers.get(req.path.id);
        if (user.department === "IT" && customer.unsubscribed) {
          // log: cookie.userId authorized to delete customer
          // delete customer
          // return 204
        } else {
          // log: cookie.userId unauthorized to delete customer
          // return 403
        }
      select department from users where id == {uid};
      select unsubscribed from customers where id == {cid};
  30. I want it to be reliable and fast… DELETE /customers/{id}
  31. Access Review? Who can access what?

  32. Approval? Change Management

  33. Auditing? What happened?

  34. Reliability?

  35. Latency?

  36. Developer APIs

  37. Approach #1: Policies

  38. Mental Picture
      public enum Decision { Allow, Deny, … }
      public Decision {policy_name}(subject, permission, object, context) {
        // rules…
      }
  39. Example Architecture
      Components: Customer Service, Policy Decision Point (PDP), Policy Information Point (PIP), PAP (Manage Policies), Policy Repository
      1. can user delete customer?
      2. can user delete customer?
      3. get user and customer data
      4. evaluate policy
      5. user is authorized
      6. delete customer
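The "Mental Picture" policy signature wired into the PDP / PIP / enforcement split of the Example Architecture slide, as an added example in plain Node.js (not code from the deck or from any product). The `db` object is constructed sample data standing in for the PIP lookups the deck shows as SQL selects; `pip`, `pdpCheck`, `deleteCustomerPolicy` and the audit event names are hypothetical.

```javascript
// Added example: "Mental Picture" policy shape + PDP/PIP/enforcement split.
// db is constructed sample data standing in for the users/customers tables;
// all function and event names are hypothetical.
const Decision = Object.freeze({ Allow: "Allow", Deny: "Deny" });

const db = {
  users: { u1: { department: "IT" }, u2: { department: "Sales" } },
  customers: { c1: { subscribed: false }, c2: { subscribed: true } },
};

// Policy Information Point: resolves ids to the attributes the policy needs.
function pip(subjectId, objectId) {
  return { user: db.users[subjectId], customer: db.customers[objectId] };
}

// Policy: the deck's ABAC rule (IT department may delete unsubscribed customers).
// Deny by default, so an unknown user or customer never yields Allow.
function deleteCustomerPolicy(subject, permission, object, context) {
  const { user, customer } = context;
  if (permission !== "delete" || !user || !customer) return Decision.Deny;
  return user.department === "IT" && !customer.subscribed ? Decision.Allow : Decision.Deny;
}

// Policy Decision Point: gathers attributes, evaluates, and records the audit
// trail here rather than inside the customer service's business logic.
const auditLog = [];
function pdpCheck(subjectId, permission, objectId, policy = deleteCustomerPolicy) {
  auditLog.push({ event: "authz.request", subjectId, permission, objectId });
  const decision = policy(subjectId, permission, objectId, pip(subjectId, objectId));
  auditLog.push({ event: "authz.decision", subjectId, permission, objectId, decision });
  return decision;
}

// Enforcement: the DELETE /customers/{id} handler only asks the PDP and enforces.
function deleteCustomerHandler(cookie, req) {
  if (pdpCheck(cookie.userId, "delete", req.path.id) !== Decision.Allow) {
    return { status: 403 };
  }
  delete db.customers[req.path.id];
  return { status: 204 };
}
```

Every decision, allowed or denied, lands in `auditLog` with subject, permission and object, which is the "auditing outside of business logic" the deck lists as an advantage of this approach.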
  40. Advantages
      • Easier to understand what authorization logic applies
      • Authorization change management is simpler than having it in code
      • Auditing is implemented outside of business logic
  41. Disadvantages
      • Requires operating more components
      • Does not handle storage of authz data
        👉 latency + reliability + scale
        👉 collaboration scenarios
  43. Approach #2: "Zanzibar"

  44. Zanzibar Not this one…

  45. Google Zanzibar https://research.google/pubs/pub48190/

  46. ReBAC

  47. Multi-region

  48. Sweet spot: Policies (AuthZ needs), DBaaS (handles data), Zanzibar "as a Service"
  49. Internal Use

  50. For others to use (disclaimer: I work on Project "Sandcastle")
  51. DEMO

  52. Architecture: Sandcastle in "PDP Mode"
      Components: Customer Service, nginx, PDP (Sandcastle)
      1. can user delete customer?
      2. check(user, delete, customer)
      3. user is authorized
      4. delete customer
  53. Enforcement

  54. Advantages
      • Auditing is part of "aaS"
      • Authorization change management is simpler than having it in code
      • Easier to understand what authorization logic applies
      • Multi-region and operated by someone else
  55. Disadvantages
      • Many things are a relationship, but not everything (e.g. time of day)
  56. Approach #3: Combined

  57. Architecture: Sandcastle in "PIP Mode"
      Components: PAP (Manage Policies, Distribute Policies), Policy Repository, PDP, PIP (Sandcastle)
      1. can user delete customer?
      2. can user delete customer?
      3. evaluate policy
      4. check(user, delete, customer)
      5. user is authorized
      6. delete customer
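The ReBAC check(user, delete, customer) from the "PDP Mode" slide and the "PIP Mode" combination from slide 57, as an added example (not Sandcastle, Zanzibar or Auth0 code): a toy in-memory relation-tuple store with a Zanzibar-style recursive check, and a policy that calls that check and then adds the time-of-day condition slide 55 says a relationship cannot carry. The tuples, the customer/org schema, the rewrite rules and the business-hours window are all constructed assumptions.

```javascript
// Added example: toy Zanzibar-style relation tuples + check(), then a policy
// that combines check() with a context attribute (PIP Mode). Tuple format is
// "object#relation@subject", where subject is a user or a userset
// "object#relation". All data and the schema below are constructed.
const tuples = new Set([
  "org:acme#admin@user:alice",
  "org:acme#member@user:bob",
  "customer:c1#owner@org:acme#admin",    // admins of acme own c1
  "customer:c1#viewer@org:acme#member",  // members of acme may view c1
]);

// Relation rewrites (hypothetical schema): "delete" is implied by owner,
// "view" by viewer or owner.
const rewrites = { customer: { delete: ["owner"], view: ["viewer", "owner"] } };

// Recursive check: direct tuple, then userset subjects, then rewrite rules.
function check(subject, relation, object, depth = 0) {
  if (depth > 16) return false;  // guard against cyclic usersets
  if (tuples.has(`${object}#${relation}@${subject}`)) return true;
  for (const t of tuples) {
    const [objRel, subj] = t.split("@");
    if (objRel !== `${object}#${relation}`) continue;
    const m = subj.match(/^(.+)#(.+)$/);  // userset subject: object#relation
    if (m && check(subject, m[2], m[1], depth + 1)) return true;
  }
  const type = object.split(":")[0];
  for (const r of (rewrites[type] && rewrites[type][relation]) || []) {
    if (r !== relation && check(subject, r, object, depth + 1)) return true;
  }
  return false;
}

// Combined approach (PIP Mode): the policy asks the relationship store, then
// applies a rule on context (hour of day, 0-23) that is not a relationship.
function combinedDeletePolicy(subject, permission, object, context) {
  if (permission !== "delete") return "Deny";
  if (!check(subject, "delete", object)) return "Deny";
  const inBusinessHours = context.hour >= 9 && context.hour < 18;
  return inBusinessHours ? "Allow" : "Deny";
}
```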
  58. Final Thoughts

  59. Resources

  60. Project "Sandcastle" Dev Community Preview Waitlist shorturl.at/hkouS

  61. AuthZ APIs Resources
      • Google Zanzibar: https://research.google/pubs/pub48190/
      • Zanzibar Academy: https://zanzibar.academy
      • Himeji (Zanzibar @ Airbnb): https://medium.com/airbnb-engineering/himeji-a-scalable-centralized-system-for-authorization-at-airbnb-341664924574
      • AuthZ (Zanzibar @ Carta): https://medium.com/building-carta/authz-cartas-highly-scalable-permissions-system-782a7f2c840f
      • Facebook TAO: https://www.usenix.org/system/files/conference/atc13/atc13-bronson.pdf
      • Authzed: https://authzed.com/
      • Ory Keto: https://www.ory.sh/keto/docs/
  62. @auth0lab Resources
      • Sandcastle playground: https://learn.sandcastle.cloud/
      • Auth0 Lab discord: https://t.co/ybHn8hEOBl?amp=1
      • Authorization in Software Podcast: https://authorizationinsoftware.auth0.com/
      • @auth0lab: https://twitter.com/auth0lab
  63. Policy Resources
      • OPA: https://www.openpolicyagent.org/
      • Styra: https://www.styra.com/
      • OSOHQ: https://docs.osohq.com/
      • XACML: http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.html
      • NIST ABAC: https://nvlpubs.nist.gov/nistpubs/specialpublications/NIST.sp.800-162.pdf
      • RBAC: https://csrc.nist.gov/CSRC/media/Publications/conference-paper/1992/10/13/role-based-access-controls/documents/ferraiolo-kuhn-92.pdf
  64. Thanks! @dschenkelman @auth0lab

  65. Questions?