Slide 1

Authorization is on the rise. What if there was an API for it? @dschenkelman

Slide 2

Building software in 2021…

Slide 3

Security

Slide 4

Privacy

Slide 5

Compliance

Slide 6

Table Stakes https://medium.com/pm-insights/how-to-pick-winning-product-features-7b03abcf7d12

Slide 7

Collaboration

Slide 8

Sharing

Slide 9

Partnerships

Slide 10

Differentiator https://medium.com/pm-insights/how-to-pick-winning-product-features-7b03abcf7d12

Slide 11

Authorization

Slide 12

NOT Authentication

Slide 13

Authorization

Slide 14

OWASP Top 10 #1: Broken Access Control (A01:2021) https://owasp.org/Top10/

Slide 15

In the beginning… RBAC

DELETE /customers/{id}

    const user = await db.users.get(cookie.userId);
    if (user.role === "admin") {
      // delete customer
      // return 204
    } else {
      // return 403
    }

    select role from users where userId = {uid};

Slide 20

Finer Grained Authorization

Slide 21

I want to use attributes from subject and object… ABAC

DELETE /customers/{id}

    const user = await db.users.get(cookie.userId);
    const customer = await db.customers.get(req.path.id);
    if (user.department === "IT" && !customer.subscribed) {
      // delete customer
      // return 204
    } else {
      // return 403
    }

    select department from users where id = {uid};
    select subscribed from customers where id = {cid};

Slide 26

Slide 26 text

I want to use attributes from subject and object… ABAC DELETE /customers/{id} const user = await db.users.get(cookie.userId); const customer = await db.customers.get(req.path.id); if (user.department === "IT" && !customer.subscribed)) { // delete customer // return 204 } else { // return 403 } select department from users where id == {uid}; select subscribed from customers where id == {cid};

Slide 27

I want to know who did what…

DELETE /customers/{id}

    // log: cookie.userId requesting authz to delete customer
    const user = await db.users.get(cookie.userId);
    const customer = await db.customers.get(req.path.id);
    if (user.department === "IT" && customer.unsubscribed) {
      // log: cookie.userId authorized to delete customer
      // delete customer
      // return 204
    } else {
      // log: cookie.userId unauthorized to delete customer
      // return 403
    }

    select department from users where id = {uid};
    select unsubscribed from customers where id = {cid};

Slide 30

I want it to be reliable and fast… (same handler and queries as slide 27)

Slide 31

Access Review? Who can access what?

Slide 32

Approval? Change Management

Slide 33

Auditing? What happened?

Slide 34

Reliability?

Slide 35

Latency?

Slide 36

Developer APIs

Slide 37

Approach #1: Policies

Slide 38

Mental Picture

    public enum Decision { Allow, Deny, … }

    public Decision {policy_name}(subject, permission, object, context) {
      // rules…
    }

Slide 39

Example Architecture

Components: Customer Service, Policy Administration Point (PAP, "Manage Policies"), Policy Repository, Policy Decision Point (PDP), Policy Information Point (PIP).

Flow:
1. can user delete customer? (request reaches the Customer Service)
2. can user delete customer? (Customer Service asks the PDP)
3. get user and customer data (PDP queries the PIP)
4. evaluate policy (PDP, with the policy from the Policy Repository)
5. user is authorized (PDP answers the Customer Service)
6. delete customer
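As an added example (not code from the talk or from any product it mentions), here is the flow of this slide in one runnable file: the ABAC rule from the earlier DELETE /customers/{id} handler moved out of the handler into a policy, a small in-process PDP that looks the policy up, fetches attributes through a PIP, evaluates, and logs every decision, and a handler reduced to enforcing the result. The names registerPolicy, authorize, pip and the in-memory db, and the sample users and customers, are assumptions and constructed data.

```javascript
// Added example: policy-based authorization (PAP -> Policy Repository -> PDP -> PIP).
// Not the talk's code; registerPolicy/authorize/pip/db are assumed names.

const Decision = Object.freeze({ Allow: "Allow", Deny: "Deny" });

// Constructed sample data standing in for the customer service's database.
const db = {
  users: new Map([
    ["u1", { id: "u1", department: "IT" }],
    ["u2", { id: "u2", department: "Sales" }],
  ]),
  customers: new Map([
    ["c1", { id: "c1", unsubscribed: true }],
    ["c2", { id: "c2", unsubscribed: false }],
  ]),
};

// Policy Information Point: resolves ids to the attributes the policies need.
const pip = {
  user: (id) => db.users.get(id),
  customer: (id) => db.customers.get(id),
};

// Policy Repository, keyed by "permission:objectType". The PAP is reduced to a
// registerPolicy() call; a real one would be an admin UI with change management.
const policyRepository = new Map();
function registerPolicy(permission, objectType, rule) {
  policyRepository.set(`${permission}:${objectType}`, rule);
}

// The rule from the ABAC slide, expressed as a policy instead of inline code.
registerPolicy("delete", "customer", (subject, object, context) =>
  subject.department === "IT" && object.unsubscribed ? Decision.Allow : Decision.Deny
);

// Every evaluation lands here, so "who did what" is answered outside business logic.
const auditLog = [];

// Policy Decision Point. Missing policy or missing attributes is a Deny (fail closed).
function authorize({ subjectId, permission, objectType, objectId, context = {} }) {
  const entry = { subjectId, permission, objectType, objectId, decision: Decision.Deny, reason: "" };
  const rule = policyRepository.get(`${permission}:${objectType}`);
  const subject = pip.user(subjectId);
  const object = pip[objectType] ? pip[objectType](objectId) : undefined;
  if (!rule) {
    entry.reason = "no policy";
  } else if (!subject || !object) {
    entry.reason = "unknown subject or object";
  } else {
    entry.decision = rule(subject, object, context);
    entry.reason = "policy evaluated";
  }
  auditLog.push(entry);
  return entry.decision;
}

// DELETE /customers/{id}, now only enforcing the decision. Returns the HTTP status.
function deleteCustomer(userId, customerId) {
  const decision = authorize({
    subjectId: userId, permission: "delete", objectType: "customer", objectId: customerId,
  });
  if (decision !== Decision.Allow) return 403;
  db.customers.delete(customerId);
  return 204;
}
```

Note that the handler no longer knows why a request was denied; the reason is in the audit entry, which is what an access review or incident investigation reads.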

Slide 40

Advantages
• Easier to understand what authorization logic applies
• Authorization change management is simpler than having it in code
• Auditing is implemented outside of business logic

Slide 42

Disadvantages
• Requires operating more components
• Does not handle storage of authz data
  👉 latency + reliability + scale
  👉 collaboration scenarios

Slide 43

Approach #2: "Zanzibar"

Slide 44

Zanzibar Not this one…

Slide 45

Google Zanzibar https://research.google/pubs/pub48190/

Slide 46

ReBAC

Slide 47

Multi-region

Slide 48

Sweet spot between Policies (AuthZ needs) and DBaaS (handles data): Zanzibar "as a Service"

Slide 49

Internal Use

Slide 50

For others to use: Project "Sandcastle" (disclaimer: I work on Project "Sandcastle")

Slide 51

DEMO

Slide 52

Architecture: Sandcastle in "PDP Mode"

Components: nginx, Customer Service, Sandcastle (as the PDP).

Flow:
1. can user delete customer?
2. check(user, delete, customer) (Customer Service asks Sandcastle)
3. user is authorized
4. delete customer

Slide 53

Enforcement
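As an added example (not code from the talk or from Sandcastle), here is what the enforcement side of the PDP-mode architecture has to guarantee once the decision lives in a remote service: the check happens before any side effect, an error or timeout from the PDP is a Deny rather than an Allow or a 500 with the delete half done, and every outcome is logged with who, what and why. The pdp.check(user, permission, object) call, makePdp, enforceDelete, the 100 ms budget and the permission table are assumptions and constructed data.

```javascript
// Added example: a fail-closed Policy Enforcement Point for DELETE /customers/{id}.
// Not the talk's or Sandcastle's code; makePdp/enforceDelete and the budget are assumed.

// Records what the handler actually deleted, so the tests can prove nothing is deleted
// when the PDP is unavailable.
const deleted = [];

// Stand-in for a remote PDP with a constructed permission table. `latencyMs` simulates
// a slow or unreachable PDP: anything over the 100 ms budget is reported as a timeout.
function makePdp(latencyMs = 5) {
  const allowed = new Set(["user:alice|delete|customer:c1"]);
  return {
    check(user, permission, object) {
      if (latencyMs > 100) throw new Error("pdp timeout");
      return allowed.has(`${user}|${permission}|${object}`);
    },
  };
}

// Enforcement point. Invariants: decision before side effect; any PDP error is Deny;
// only a strict boolean true counts as Allow; every outcome is logged.
function enforceDelete(pdp, user, customerId, log = []) {
  const object = `customer:${customerId}`;
  let allowed = false;
  let reason;
  try {
    allowed = pdp.check(user, "delete", object) === true;
    reason = allowed ? "pdp allow" : "pdp deny";
  } catch (err) {
    reason = `fail closed: ${err.message}`;
  }
  log.push({ user, permission: "delete", object, allowed, reason });
  if (!allowed) return { status: 403, log };
  deleted.push(customerId); // the side effect, reached only after an explicit Allow
  return { status: 204, log };
}
```

Returning 403 on a PDP outage is a product decision as much as a security one; the point is that the fallback is chosen deliberately and recorded, not left to whatever an unhandled exception produces.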

Slide 54

Advantages
• Auditing is part of "aaS"
• Authorization change management is simpler than having it in code
• Easier to understand what authorization logic applies
• Multi-region and operated by someone else

Slide 55

Disadvantages
• Many things are a relationship, but not everything (e.g. time of day)

Slide 56

Approach #3: Combined

Slide 57

Architecture: Sandcastle in "PIP Mode"

Components: PAP ("Manage Policies"), Policy Repository ("Distribute Policies"), PDP, Sandcastle (as the PIP).

Flow:
1. can user delete customer?
2. can user delete customer? (the service asks the PDP)
3. evaluate policy
4. check(user, delete, customer) (the policy asks Sandcastle for the relationship)
5. user is authorized
6. delete customer
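As an added example (not Zanzibar's, Sandcastle's or any vendor's code), and to cover both the ReBAC/Zanzibar slides and this PIP-mode architecture: a toy relationship store in the Zanzibar style, where check() resolves a direct tuple, an implied relation (owner implies editor implies viewer) or a userset such as group:it#member, followed by a policy that combines that relationship check with the time-of-day context that a pure relationship model cannot express. The tuple syntax, the schema, check and canDeleteCustomer are assumptions, and the tuples are constructed.

```javascript
// Added example: Zanzibar-style relation tuples with userset rewrites, used as a PIP
// by a policy that also evaluates a non-relationship attribute (time of day).
// Not the talk's code; tuple format, schema and function names are assumed.

// Relation tuples, "object#relation@subject". A subject is a user or a userset
// ("object#relation"), which is how group membership and sharing compose.
const tuples = [
  "customer:c1#owner@user:alice",
  "customer:c1#editor@group:it#member",
  "group:it#member@user:bob",
  "customer:c2#viewer@user:bob",
];

// Per-namespace config in the spirit of Zanzibar userset rewrites: a relation is the
// union of its direct tuples and the relations listed as implying it.
const schema = {
  customer: {
    owner: [],
    editor: ["owner"],
    viewer: ["editor"],
  },
  group: { member: [] },
};

function parseTuple(t) {
  const [objRel, subject] = t.split("@");
  const [object, relation] = objRel.split("#");
  return { object, relation, subject };
}

const index = tuples.map(parseTuple);

// check(subject, relation, object): true if the subject has the relation on the object
// directly, via an implied relation, or via membership in a userset. `seen` stops
// cycles (e.g. a group that contains itself). Unknown namespaces or relations deny.
function check(subject, relation, object, seen = new Set()) {
  const key = `${object}#${relation}`;
  if (seen.has(key)) return false;
  seen.add(key);
  const [namespace] = object.split(":");
  const implied = schema[namespace] && schema[namespace][relation];
  if (implied === undefined) return false;
  for (const t of index) {
    if (t.object !== object || t.relation !== relation) continue;
    if (t.subject === subject) return true;
    if (t.subject.includes("#")) {
      const [usObject, usRelation] = t.subject.split("#");
      if (check(subject, usRelation, usObject, seen)) return true;
    }
  }
  return implied.some((r) => check(subject, r, object, seen));
}

// "PIP mode": the policy owns the part that is not a relationship (business hours,
// from the caller-supplied context) and asks the relationship store for the rest.
function canDeleteCustomer(userId, customerId, context) {
  const duringBusinessHours = context.hour >= 9 && context.hour < 18;
  return duringBusinessHours && check(`user:${userId}`, "editor", `customer:${customerId}`);
}
```

Keeping the time-of-day rule in the policy rather than encoding it as a tuple is the point of slide 55: relationships are durable facts about who is connected to what, while context is per-request and belongs to the decision, not the store.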

Slide 58

Final Thoughts

Slide 59

Resources

Slide 60

Project "Sandcastle" Dev Community Preview Waitlist: shorturl.at/hkouS

Slide 61

AuthZ APIs Resources
• Google Zanzibar: https://research.google/pubs/pub48190/
• Zanzibar Academy: https://zanzibar.academy
• Himeji (Zanzibar @ Airbnb): https://medium.com/airbnb-engineering/himeji-a-scalable-centralized-system-for-authorization-at-airbnb-341664924574
• AuthZ (Zanzibar @ Carta): https://medium.com/building-carta/authz-cartas-highly-scalable-permissions-system-782a7f2c840f
• Facebook TAO: https://www.usenix.org/system/files/conference/atc13/atc13-bronson.pdf
• Authzed: https://authzed.com/
• Ory Keto: https://www.ory.sh/keto/docs/

Slide 62

@auth0lab Resources
• Sandcastle playground: https://learn.sandcastle.cloud/
• Auth0 Lab discord: https://t.co/ybHn8hEOBl?amp=1
• Authorization in Software Podcast: https://authorizationinsoftware.auth0.com/
• @auth0lab: https://twitter.com/auth0lab

Slide 63

Policy Resources
• OPA: https://www.openpolicyagent.org/
• Styra: https://www.styra.com/
• OSOHQ: https://docs.osohq.com/
• XACML: http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.html
• NIST ABAC: https://nvlpubs.nist.gov/nistpubs/specialpublications/NIST.sp.800-162.pdf
• RBAC: https://csrc.nist.gov/CSRC/media/Publications/conference-paper/1992/10/13/role-based-access-controls/documents/ferraiolo-kuhn-92.pdf

Slide 64

Thanks! @dschenkelman @auth0lab

Slide 65

Questions?