1 of 51

The Holy Grail of IAM: Getting to Grips with Authorization

David Brossard

Sr. Director, Prod. Mgmt, Identity,

Salesforce

JUNE 2021

2 of 51

England Somewhere Online

2021 A.D.


3 of 51

HTTP 401 Unauthorized

Not quite...

HTTP 401 "Unauthorized" is a misnomer: it is returned when the request lacks valid authentication credentials.

What you meant is 403 Forbidden, the status for a request that was authenticated but not authorized.

Authorization is when you get authentication wrong!


4 of 51

OAuth

Open Authorization

Not quite...

OAuth is about access delegation: I grant an entity X access to some of my data / processes in another entity Y.

So, surely, OAuth is the de facto standard for authorization, right?


5 of 51

Authorization...

is about granting or denying an entity access to another entity

The pesky French


6 of 51

Definition & Requirements

Background


7 of 51

What is Authorization?

TL; DR Authentication confirms that users are who they say they are. Authorization gives those users permission to access a resource.

More broadly…

Authentication is about proving a claim about someone or something. Usually it’s a person’s identity. But it could also be an attribute of that person e.g. their date of birth.

Authorization is the process of granting (or denying) someone or something access to something else. Authorization needs to consider what we know about the requestor and the requested item before granting access.


8 of 51

Why the Holy Grail?

Unlike authentication, authorization is not just about who you are.


9 of 51

Five Authorization Requirements

  1. Configurable & Decoupled: grant or deny users access to entities
  2. Future-Proof: use a framework that can adapt to future needs
  5. Auditable: what could happen? What did happen?

10 of 51

Authorization Venn: three overlapping circles, Identity, Entity, and Context

11 of 51

What are the different kinds?

  • Functional: can a user view accounts (as a whole)?
  • Transactional: can Alice view account #123?
  • Data-centric: which accounts can Alice view?

12 of 51

Who defines authorization?

  • Enterprise-driven: the enterprise defines a set of policies that determine what should happen.
  • User-driven: users define who can access their data & processes.

13 of 51

When do we authorize?

  • Runtime: access rights are evaluated just-in-time.
  • Design-time: access rights are granted when the user is created.

14 of 51

Drawing the line between Authorization and Business Logic

Rule of thumb: if you want to report on it and audit it, then it belongs to the authorization realm.

15 of 51

Why even bother?

Roles are enough

I can do all of that in code!

I said policies!


16 of 51

Models, Standards, & Frameworks

Existing Approaches


17 of 51

A few definitions

  • Model: abstract approach to implementing authorization e.g. ACL, RBAC, and ABAC
  • Standard: a formally approved set of specifications that define how to address authorization e.g. SAML, XACML, OAuth…
  • Framework: a technical implementation that handles authorization without being a standard itself e.g. Ruby cancancan, OPA

Celestial globe with stand, British Museum

18 of 51

Ye Olde Authorization Graph

Diagram (node labels as drawn on the slide, grouped by branch):

  • Authorization
    • Standards
      • OASIS: SAML, XACML, JSON Profile (of XACML), ALFA
      • IETF: OAuth, JWT AT, RAR, GNAP
      • Kantara: UMA
      • NIST: NGAC
      • Industry Standards: HL7, FHIR
    • Frameworks
      • CNCF: OPA
      • Language-specific: Spring Security, Ruby Cancancan, Polar (Oso), ...
      • Vendor-specific: AWS ABAC, SDDL
    • Models (NIST): ACL, RBAC, ABAC

19 of 51

Standards, Frameworks & Models Timeline

  • Years ago*: ACL
  • 1992: RBAC
  • ABAC (model)
  • 2001: XACML (also SAML) (still not dead)
  • 2012: OAuth 2.0
  • 2013: NGAC (INCITS 499)
  • 2014: ALFA, profile of XACML
  • 2015: UMA v.1
  • 2016: Open Policy Agent (Rego)
  • 2017: JSON Profile of XACML
  • 2018: UMA v.2
  • 2019: Zanzibar (Google)
  • 2020: GNAP (IETF, WIP; a separate protocol rather than an OAuth 2.0 extension)
  • 2021: JWT AT (OAuth 2.0, WIP); OAuth RAR (OAuth 2.0, WIP)

*I wasn’t born then so I cannot remember but I think Gerry Gebel was around

20 of 51

  • RBAC
    • 1992: concept formalized (Ferraiolo et al)
    • 2000: original proposal
    • 2004: ANSI/INCITS 359-2004 Role Based Access Control.
      • rev 2012
    • Identity-based
    • Roles, groups, and hierarchies
  • ABAC
    • Introducing policies,
    • attributes, and
    • a decoupled architecture
  • NGAC
    • Introduces relations
    • functions, and
    • a graph-based approach

The Knights who say NIST


21 of 51

Identity-derived AuthZ

Behold your humble servant, Sir Lancelot of Camelot.

I am a Knight of King Arthur, sir.

Standards:

  • OASIS: SAML
  • IETF: OAuth, JWT AT, RAR, GNAP
  • Kantara: UMA

22 of 51

GNAP in a nut 🥥 shell

  • Grant Negotiation and Authorization Protocol
    • Protocol for negotiating access
    • Methods for interacting with humans
    • Validating and verifying the client software
    • Methods for binding keys to message requests
    • Data model of what’s being requested
  • Dedicated protocol (its own IETF working group, not an OAuth 2.0 extension) that addresses flows OAuth does not cover
  • Token-based (just like OAuth)
  • Does not address access control per se: the focus is still access delegation
    • “[...] protocol allows a piece of software, the client instance, to request delegated authorization to resource servers and to request direct information.”

23 of 51

JWT AT in a nut 🥥 shell

  • JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens (IETF draft at the time; later published as RFC 9068)
    • Defines how an authorization server issues access tokens in JWT format (header typ "at+jwt") so that a resource server can validate them locally, without a token introspection call. Not to be confused with RFC 7523, which uses a JWT as an authorization grant and for client authentication.
  • JWT claims convey the information needed to support a common set of use cases:
    • token validation (iss, aud, exp, jti...)
    • transporting authorization information in the form of scopes and entitlements
    • carrying identity information about the subject…
  • Interoperability is achieved by standardizing on a common set of claims and validation rules.
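How a resource server consumes such a token, as an added example that is not code from the deck or from the IETF draft. It performs the checks the profile asks of a resource server (typ "at+jwt", pinned algorithm, signature, iss, aud, exp) and then the coarse-grained scope check. The HS256 shared secret, issuer and audience URLs are assumptions so the example runs offline; a real AS signs with an asymmetric key that the resource server fetches from the AS's JWKS.

```python
"""Resource-server-side validation of a JWT-formatted OAuth 2.0 access token.

Added example (not code from the deck). HS256 with a shared secret is used only
so the example runs offline; real deployments verify an asymmetric AS key.
"""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"demo-shared-secret"          # constructed; stands in for the AS signing key
ISSUER = "https://as.example.com"       # assumed AS identifier
AUDIENCE = "https://api.example.com"    # assumed resource server identifier


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_access_token(sub: str, scope: str, client_id: str, ttl: int = 300, now=None) -> str:
    """What the AS does: issue a JWT access token carrying the profile's claims."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "at+jwt"}
    claims = {"iss": ISSUER, "sub": sub, "aud": AUDIENCE, "client_id": client_id,
              "iat": now, "exp": now + ttl, "jti": f"{sub}-{now}", "scope": scope}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def validate_access_token(token: str, required_scope: str, now=None) -> dict:
    """What the RS (the PEP) does. Returns the claims or raises ValueError."""
    now = int(time.time()) if now is None else now
    try:
        h_b64, c_b64, s_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(h_b64))
    # Reject anything that is not explicitly an access token (e.g. an ID token).
    if header.get("typ") != "at+jwt":
        raise ValueError("not an access token (typ != at+jwt)")
    # Pin the algorithm; never let the header choose it ("none" downgrade).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{h_b64}.{c_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if AUDIENCE not in aud:
        raise ValueError("token not intended for this resource server")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("token expired")
    # Scope check: this is only the coarse-grained "functional" authorization.
    if required_scope not in claims.get("scope", "").split():
        raise ValueError(f"missing scope {required_scope}")
    return claims


def is_valid(token: str, required_scope: str, now=None) -> bool:
    """Boolean wrapper for callers that only need allow/deny."""
    try:
        validate_access_token(token, required_scope, now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    t = mint_access_token("alice", "accounts:read payments:write", "app-1", now=1700000000)
    print(validate_access_token(t, "accounts:read", now=1700000100)["sub"])
```

Note that a passing scope check only answers the functional question ("may this client read accounts at all?"); whether Alice may read account #123 is the transactional decision the slides hand to a PDP.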

The coconut

It is I, Arthur...

son of Uther Pendragon

… from the castle of Camelot

King of the Britons

… defeator of the Saxons

sovereign of all England!


24 of 51

OAuth 2.0 Rich Authorization Requests (RAR)

  • RAR specifies a new parameter authorization_details that is used to carry fine grained authorization data in the OAuth authorization request.
  • Why?
    • OAuth 2.0 defines the parameter "scope" that allows clients to specify the requested scope, i.e., the permission, of an access token.
    • This mechanism is sufficient to implement static scenarios and coarse-grained authorization requests e.g. "give me read access to the resource owner's profile"
    • it is not sufficient to specify fine-grained authorization requirements, such as "please let me make a payment with the amount of 45 Euros" or "please give me read access to folder A and write access to file X".
  • A RAR is very similar to a XACML JSON authorization request and an OPA request
  • RAR defines the fields common to every authorization detail: type, locations, actions, datatypes, identifier; anything else is type-specific
  • RAR can be combined with scopes and OpenID Connect claims
    • The details of how the AS combines these parameters are specific to the APIs being protected and outside the scope of this specification.


25 of 51

Example authorization_details value

  [
    {
      "type": "account_information",
      "actions": ["list_accounts", "read_balances", "read_transactions"],
      "locations": ["https://example.com/accounts"]
    },
    {
      "type": "payment_initiation",
      "actions": ["initiate", "status", "cancel"],
      "locations": ["https://example.com/payments"],
      "instructedAmount": {"currency": "EUR", "amount": "123.50"},
      "creditorName": "Merchant123",
      "creditorAccount": {"iban": "DE02100100109307118603"},
      "remittanceInformationUnstructured": "Ref Number Merchant"
    }
  ]
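What a resource server does with that array once the AS has granted it, as an added example that is not code from the deck. A PEP in front of the RS matches each concrete API call against the granted details (type, action, location, and every type-specific field such as the amount) before letting it through or relaying anything to a PDP. The request dict shape and the prefix rule for locations are assumptions of this example.

```python
"""Enforcing OAuth 2.0 Rich Authorization Requests (RAR) at the resource server.

Added example, not code from the deck. GRANTED is the authorization_details
array from the slide, as the AS consented to it and bound it to the token.
"""

GRANTED = [
    {
        "type": "account_information",
        "actions": ["list_accounts", "read_balances", "read_transactions"],
        "locations": ["https://example.com/accounts"],
    },
    {
        "type": "payment_initiation",
        "actions": ["initiate", "status", "cancel"],
        "locations": ["https://example.com/payments"],
        "instructedAmount": {"currency": "EUR", "amount": "123.50"},
        "creditorName": "Merchant123",
        "creditorAccount": {"iban": "DE02100100109307118603"},
        "remittanceInformationUnstructured": "Ref Number Merchant",
    },
]

# Fields RAR defines as common to every type; anything else is type-specific.
COMMON_FIELDS = {"type", "actions", "locations", "datatypes", "identifier"}


def _covers(detail: dict, request: dict) -> bool:
    """One granted detail covers the request if type, action and location
    match and every type-specific field in the grant equals what is requested.
    The request shape {"type", "action", "location", "params"} is assumed."""
    if detail["type"] != request["type"]:
        return False
    if request["action"] not in detail.get("actions", []):
        return False
    # Locations compared by prefix (assumption): /payments covers /payments/42.
    if not any(request["location"].startswith(loc) for loc in detail.get("locations", [])):
        return False
    # The client may only do exactly what the user consented to: same amount,
    # same creditor, same reference. Any drift is a deny.
    params = request.get("params", {})
    return all(params.get(k) == v for k, v in detail.items() if k not in COMMON_FIELDS)


def authorize(request: dict, granted=GRANTED) -> bool:
    """True if any granted detail covers the request."""
    return any(_covers(d, request) for d in granted)


# Constructed request: the client initiates exactly the payment it was granted.
PAYMENT_REQUEST = {
    "type": "payment_initiation",
    "action": "initiate",
    "location": "https://example.com/payments",
    "params": {
        "instructedAmount": {"currency": "EUR", "amount": "123.50"},
        "creditorName": "Merchant123",
        "creditorAccount": {"iban": "DE02100100109307118603"},
        "remittanceInformationUnstructured": "Ref Number Merchant",
    },
}

if __name__ == "__main__":
    print(authorize(PAYMENT_REQUEST))  # True
```

The exact-match rule on type-specific fields is the whole point of RAR over scopes: a scope of "payments" would let the client initiate any payment, while the granted detail pins this one amount to this one creditor.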

26 of 51

User-Managed Access

  • OAuth enables constrained delegation of access to apps on request​
    • Alice can agree to app connections and also revoke them​
  • UMA adds control of cross-party sharing, letting Alice be absent when Bob uses a client to attempt access​
  • Alice controls trust between resource hosts and authorization services – enabling a wide ecosystem of resource hosts, so Alice can manage sharing across them​
  • UMA can be combined with XACML and OPA

A different kind of knight


27 of 51

Relationship-based sharing use case

  1. King Arthur uses Scroll OnlineTM to share data on the Grail
  2. Lancelot is a freelance knight mercenary
  3. King A. hires Lancelot
  4. Lancelot tries to access Grail data
  5. Arthur shares a subset of data with Lancelot
  6. Lancelot gets access to sensitive Grail data
  7. A & L fight over Guinevere
  8. Arthur unshares all data from Lancelot in one step
  9. Scroll Online sharing ends and Arthur can prove it to Merlin

28 of 51

Identity-centric AuthZ Limitations

  • OAuth and all its derivatives attempt to address authorization by starting from a user’s identity
  • This is in line with RBAC’s philosophy...
  • In these cases
    • The authorization cannot use relationships
    • The authorization is easier to manage and audit
    • The authorization is generally static
    • The authorization is generally defined at birth time (when the user is created)
    • You rely on the application code to address the shortcomings of the authorization framework
  • OAuth 2.0’s Rich Authorization Requests aims to tackle fine-grained authorization but…
    • It focuses on the request / response only
    • It does not address the implementation / definition aspect of the authorization


29 of 51

Role explosion

Scope explosion

Token bloat

30 of 51

31 of 51

Knights of the Authorization Round Table

  1. Identify your requirements: I want to build an app to browse bank accounts and make transfers
  2. Identify your authZ requirements: a user can view their own accounts. A user can transfer up to $500.
  3. Identify the attributes: account owner, balance...
  4. Implement your policies: in ALFA, XACML, OPA...
  5. Design & deploy your architecture: decide what enforcement you will use and where
  6. Audit: what did happen? What could happen?

32 of 51

ABAC

ABAC defines:

  • A policy-based model (e.g. XACML, ALFA, OPA)
  • Attributes (essentially key-value pairs that can describe who, what, where, when, why, and how)
  • An architecture for decision-making and enforcement
  • A request-response pattern
  • A pattern to fetch additional attributes (XACML & ALFA only)

NIST SP 800-162 definition: ABAC is a logical access control methodology where authorization to perform a set of operations is determined by evaluating attributes associated with the subject, object, requested operations, and, in some cases, environment conditions against policy, rules, or relationships that describe the allowable operations for a given set of attributes.

33 of 51

Architecture

  • PEP: Policy Enforcement Point. This is how applications are integrated into the ABAC architecture. Example PEPs include API gateways, annotations, and proxies
  • PDP: Policy Decision Point (the “engine”). The PDP evaluates policies and generates decisions
  • PIP: Policy Information Point. PIPs allow the PDP to query data sources for attribute values the request did not carry
  • PAP: Policy Administration Point. Where policies are authored, versioned, and pushed to the PDP
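The Round Table steps and the PEP/PDP/PIP split, carried through in working code as an added example (not code from the deck, and not an XACML or OPA implementation). The two policies are the ones from the Round Table slide: a user can view their own accounts, and a user can transfer up to $500. The account store the PIP reads, the attribute names, and the deny-overrides combining rule are assumptions of this example; the decision values borrow XACML's Permit / Deny / NotApplicable vocabulary.

```python
"""A minimal ABAC PDP wired to a PEP and a PIP.

Added example, not code from the deck. Attribute names, the account store and
the combining algorithm are assumptions made for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

# Backing store the PIP consults (constructed sample data): account id -> attributes
ACCOUNTS = {"123": {"owner": "alice", "balance": 900.0},
            "456": {"owner": "bob", "balance": 50.0}}


def account_owner_pip(account_id: str):
    """PIP: resolve the 'owner' attribute when the request did not carry it."""
    acct = ACCOUNTS.get(account_id)
    return None if acct is None else acct["owner"]


@dataclass
class Request:
    """The PEP's question: who (subject) wants to do what (action) to what (resource)."""
    subject: dict
    action: str
    resource: dict
    environment: dict = field(default_factory=dict)


Rule = Callable[[Request], str]


def view_own_account(req: Request) -> str:
    """Policy 1: a user can view their own accounts."""
    if req.action != "view" or req.resource.get("type") != "account":
        return NOT_APPLICABLE
    owner = req.resource.get("owner")
    if owner is None:  # attribute missing: ask the PIP rather than failing open
        owner = account_owner_pip(req.resource.get("id", ""))
    return PERMIT if owner == req.subject.get("id") else DENY


def transfer_under_limit(req: Request) -> str:
    """Policy 2: a user can transfer up to $500 from their own account."""
    if req.action != "transfer" or req.resource.get("type") != "account":
        return NOT_APPLICABLE
    owner = req.resource.get("owner") or account_owner_pip(req.resource.get("id", ""))
    if owner != req.subject.get("id"):
        return DENY
    amount = req.resource.get("amount")
    if not isinstance(amount, (int, float)) or amount <= 0:
        return DENY  # malformed or negative amount is a Deny, never NotApplicable
    return PERMIT if amount <= 500 else DENY


POLICY = [view_own_account, transfer_under_limit]


def decide(req: Request, rules=POLICY) -> str:
    """PDP with deny-overrides combining: any Deny wins, else Permit if any rule
    permits, else NotApplicable."""
    results = [rule(req) for rule in rules]
    if DENY in results:
        return DENY
    return PERMIT if PERMIT in results else NOT_APPLICABLE


def pep_enforce(req: Request) -> bool:
    """PEP: only an explicit Permit lets the call through; NotApplicable is a deny."""
    return decide(req) == PERMIT


if __name__ == "__main__":
    print(decide(Request({"id": "alice"}, "transfer", {"type": "account", "id": "123", "amount": 400})))
```

Two design points worth noting: the PIP call sits inside the rule, so the PEP never has to know which attributes a policy needs (the decoupling the deck asks for), and the PEP treats NotApplicable as a deny, which is what keeps an unanticipated action from slipping through when no rule mentions it.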

34 of 51

XACML

  • Established in 2001 alongside SAML, current version ratified in 2013
  • Part of the OASIS WS-* group of standards
  • Delivers attribute-based access control
    • Follows the same architecture
  • Many open-source and commercial implementations
  • General purpose authorization
    • API authorization
    • Application
    • Data stores
  • Flexible policy structure
    • PolicySet, Policy, Rule
  • Enforcement ecosystem
    • Open-source SDKs for Java, .NET, Javascript…
    • Commercial integrations for APIs, SQL databases, COTS...


35 of 51

I'm not dead!

I'm getting better

Bring out yer dead

Here’s one!

The Internet

XACML

The Analyst


36 of 51

ALFA (the better XACML)

  • Same architecture and principles
  • A much simpler syntax
    • Sayonara XML
    • Developer-friendly
  • IDE plugin for Eclipse → translates on-the-fly to XACML

  namespace example {
      policy article {
          target clause itemType == "article"
          apply firstApplicable
          rule editArticle {
              target clause actionId == "edit" and userRole == "editor"
              permit
              condition userId == owner
          }
      }
  }

37 of 51

NGAC

  • ANSI/INCITS standard
  • Includes a model, architecture and interface
  • NGAC follows the same architecture as ABAC and XACML
  • NGAC is graph-based rather than policy-based
    • Define relations between objects
    • A “user” has a relation to an “item”
    • Relations can have conditions on them
  • Types of objects:
    • resource objects, and data elements and relations used to express access control policies.
  • Types of operations:
    • resource operations (e.g., read, write), and administrative operations for configuring data elements and relations.
  • Functions for:
    • trapping and enforcing policy on access requests, computing decisions to accommodate or reject those requests based on the current state of the data elements and relations, and automatically altering access state when specified events occur.


38 of 51

Open Policy Agent (OPA)

  • Developer-first
  • Graduated from CNCF incubator in February 2021
  • OPA is an open source, general-purpose policy engine that enables unified, context-aware policy enforcement across the entire stack
  • Use cases
    • configuration authorization (such as Kubernetes admission control)
    • API authorization
  • Integrates with
    • Kubernetes,
    • Envoy,
    • CoreDNS…
  • Uses Rego (based on Datalog) as its policy language
  • OPA generalized the sidecar pattern for the “PDP”

39 of 51

Key Differences between XACML / ALFA and OPA

  • Attribute value retrieval
    • The XACML architecture includes a PIP to retrieve attribute values
    • OPA expects all values to arrive in the input document (or in data loaded into the agent), though a policy can also call out over HTTP from within a rule via the http.send built-in
  • Policy Structure
    • XACML is tree-structured and can be any-depth
    • OPA is generally a flat structure
  • Request / Response
    • XACML’s request / response has a schema that needs to be followed (either XML or JSON) → a set of key-value pairs grouped into categories
    • OPA’s format is a simple list of key-value pairs (JSON)
  • Room for an OPA profile of XACML?


40 of 51

Mix & Match

Diagram labels (as drawn on the slide): Infrastructure (Kubernetes…); App; API; OPA / REGO; PDP / ALFA; Governance Layer?; PIP: UMA Consent; OAuth AS / OAuth RAR

41 of 51

The challenge with ABAC

  • Where and how do you enforce?
    • OPA solves this by providing an entire ecosystem to choose from and contribute to
  • Where do you get the information from?
  • What about performance?
  • Is everything really centralized?
    • Choose a PDP deployment that makes sense (centralized, decentralized, sidecar…)
  • How do you audit?
    • What happened?
    • What can happen?
  • How do you ask open-ended questions?
    • Axiomatics’ Reverse Query for XACML
    • Open Policy Agent’s Partial Evaluation
  • Bottom line:
    • Standards are a great first step. However, there are gaps in the authorization lifecycle that vendors aim to address in their own proprietary ways.


42 of 51

Tying OAuth with ABAC: pick your flavor

Diagram: the OAuth 2.0 abstract flow, with a Policy Enforcement Point (PEP) at two possible places.

  1. Authorization request: Application (Client) → User (Resource Owner)
  2. Authorization grant: User → Client
  3. Authorization grant: Client → Authorization Server (AS)
  4. Access token: AS → Client
  5. Access token: Client → Resource Server (RS)

  • Flavor 1: a PEP inside the AS calls the Policy Decision Point (PDP) at token issuance. Can it be used to provision dynamically generated claims?
  • Flavor 2: a PEP in front of the RS calls the PDP on every request. Use the traditional ABAC architecture to enforce at runtime.

43 of 51

OAuth, RAR, and ABAC

Diagram: the same flow, with the RS relaying the RAR to the PDP.

  3. Authorization grant (carrying authorization_details): Application (Client) → Authorization Server (AS)
  4. Access token: AS → Client
  5. Access token: Client → Resource Server (RS); the RS's Policy Enforcement Point (PEP) relays the RAR to the Policy Decision Point (PDP)

44 of 51

A European Swallow or an African Swallow?

Zanzibar


45 of 51

In comes Google’s Zanzibar

  • Zanzibar stores access control lists (ACLs) & runs authorization checks based on them
  • Zanzibar uses
    • Namespaces e.g. “videos”,
    • relations e.g. “viewer”, that link objects to usersets
    • usersets e.g. “Alice” or “group 1”, and
    • Relation tuples
  • ACLs: collections of object-user or object-object relations represented as relation tuples.
    • Simple ACL: “user U has relation R to object O”.
    • Complex ACL: “set of users S has relation R to object O”,
      • where S is itself specified in terms of another object-relation pair.
    • ACLs can thus refer to other ACLs
  • Zanzibar is mostly about user-driven and user-defined authorization
    • This is different from the approach ABAC as a whole (OPA, XACML) takes
    • Strong focus on privacy, distribution, and consistency
  • Companies like Authzed are adapting Zanzibar to address ABAC-like requirements.
  • Usenix ATC 2019 presentation: Slides | Video | Paper
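The pieces the slide lists (namespaces, relations, usersets, relation tuples, and ACLs that refer to other ACLs), as an added toy in working code. This is not code from the deck, from Google's Zanzibar, or from Authzed; the namespace configs and tuples are constructed, and the "editor implies viewer" rewrite is a simplified stand-in for Zanzibar's userset rewrite rules. check() is the question an API handler asks; expand() is the audit question ("who can view this?") the deck keeps coming back to.

```python
"""A toy Zanzibar-style relation-tuple store with check() and expand().

Added example, not code from the deck, Google or Authzed. Namespace configs and
tuples are constructed sample data.
"""
from collections import deque

# Namespace configs (constructed). Each relation lists the relations it implies
# (a simplified "computed userset"): an owner is an editor, an editor is a viewer.
NAMESPACES = {
    "doc":   {"owner": [], "editor": ["owner"], "viewer": ["editor"]},
    "group": {"member": []},
}

# Relation tuples: (object, relation, user). `user` is either a concrete user id
# or a userset written "namespace:object#relation", so ACLs can refer to ACLs.
TUPLES = {
    ("doc:grail", "owner", "arthur"),
    ("doc:grail", "viewer", "group:knights#member"),
    ("group:knights", "member", "lancelot"),
    ("group:knights", "member", "group:round_table#member"),
    ("group:round_table", "member", "galahad"),
}


def _direct_users(obj: str, relation: str, tuples) -> set:
    """Users and usersets directly written on (obj, relation)."""
    return {u for (o, r, u) in tuples if o == obj and r == relation}


def _walk(obj: str, relation: str, tuples):
    """Breadth-first over every userset reachable from (obj, relation), following
    both tuple references (group:knights#member) and namespace rewrites
    (viewer <- editor <- owner). The visited set makes cyclic groups terminate."""
    start = (obj, relation)
    seen = {start}
    queue = deque([start])
    while queue:
        o, r = queue.popleft()
        yield o, r
        nxt = [tuple(u.split("#", 1)) for u in _direct_users(o, r, tuples) if "#" in u]
        nxt += [(o, implied) for implied in NAMESPACES.get(o.split(":", 1)[0], {}).get(r, [])]
        for target in nxt:
            if target not in seen:
                seen.add(target)
                queue.append(target)


def check(obj: str, relation: str, user: str, tuples=TUPLES) -> bool:
    """Does `user` have `relation` on `obj`? The transactional question."""
    return any(user in _direct_users(o, r, tuples) for o, r in _walk(obj, relation, tuples))


def expand(obj: str, relation: str, tuples=TUPLES) -> set:
    """Every concrete user holding `relation` on `obj`. The audit question."""
    users = set()
    for o, r in _walk(obj, relation, tuples):
        users |= {u for u in _direct_users(o, r, tuples) if "#" not in u}
    return users


if __name__ == "__main__":
    print(check("doc:grail", "viewer", "galahad"))   # True, via round_table -> knights
    print(sorted(expand("doc:grail", "viewer")))
```

Because sharing is expressed as a single tuple, Arthur's "unshare everything in one step" from the UMA use case is the deletion of the ("doc:grail", "viewer", "group:knights#member") tuple; the test below does exactly that and checks Lancelot loses access while Arthur, an owner, keeps it.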


46 of 51

Catching up with my neighbor (the graficionado)

  • Can GraphQL be used to express authorization?
  • 2 nodes and a link
    • An actor
    • A resource
    • The link is qualified with an action
    • The link can have conditions
  • Can the native tools GraphQL has be used to compute authorization decisions?
  • Is IRM a thing?


47 of 51

My favorite color is red… no blue

(aka I’m still confused)

  • The authorization world is growing: the # of new startups is a homage to its vibrance
  • XACML’s XML syntax is dead, XACML isn’t
    • XACML, ALFA, and OPA are essentially variations of the same model, ABAC
  • Graph-based approaches such as Nulli’s or Authzed (based on Zanzibar) are worth keeping an eye on
  • Application and infrastructure vendors (Azure, AWS, SaaS, app frameworks) will keep offering their own approach
    • AWS’s IAM is a great example of ABAC using tags and policies (attached to users, objects)
  • What matters is the ability to easily author, manage, and audit your policies


48 of 51

The AuthZ Grail

  • Developer-minded
  • Relevant
  • Business-oriented
  • Audit-enabled
  • Lifecycle & Governance

Authorization

49 of 51

Thanks to these helpful knights

  • Justin Richer, Independent consultant
  • Gal Helemski, Co-founder, PlainID
  • Amit Kanfer, Co-Founder & CEO, build.security
  • Jacob Moshenko, Co-Founder, Authzed
  • Srijith Nair, Chief Strategy Officer, Axiomatics
  • Prabath Siriwardena, Deputy CTO, WSO2
  • Sulay Shah, Product Mgmt, IAM, AWS
  • Ward Duchamps, CEO, Scaled Access

50 of 51

Additional reading


51 of 51

What... is your favorite authorization standard?
