ABAC, ReBAC, Zanzibar, ALFA… How Should I Implement AuthZ in My APIs? by David Brossard, Axiomatics
Download as PPTX, PDF0 likes148 views
The document discusses the implementation of authorization in APIs, highlighting the importance of differentiating between authentication and authorization. It details various authorization models such as ABAC, REBAC, and OAuth, as well as the challenges and risks associated with API security, specifically broken access control. Additionally, it suggests best practices for externalizing API authorization and presents various frameworks and tools for effective implementation.
![Confidential
22
axiomatics.com
axiomatics.com
Sample JSON
{"Request":
{
"AccessSubject":
{"Attribute":
[{"AttributeId":"userId","Value":"Alice"}]},
"Action":
{"Attribute":
[{"AttributeId":"actionId","Value":"view"}]}
},
"Resource":
{"Attribute":
[
{"AttributeId":"resourceType","Value":"account"},
{"AttributeId":"accountID","Value":"123"}]}
}
{
"Response": [{
"Decision": "Permit"
}]
}](https://image.slidesharecdn.com/nordicapis2024-abacrebaczanzibaralfahowshouldiimplementauthzinmyapis-240404140647-b3271a7c/85/ABAC-ReBAC-Zanzibar-ALFA-How-Should-I-Implement-AuthZ-in-My-APIs-by-David-Brossard-Axiomatics-22-320.jpg)
ABAC, ReBAC, Zanzibar, ALFA… How Should I Implement AuthZ in My APIs? by David Brossard, Axiomatics
- 1. Confidential 1 axiomatics.com ABAC, ReBAC, Zanzibar, ALFA… How Should I Implement AuthZ in My APIs? Nordic APIs 2024, Austin. David Brossard, CTO, Axiomatics AuthZEN Co-Chair, Curator AuthZ Substack IDPro Founding Member Fmr Editor OASIS XACML and ALFA
- 3. Confidential 3 axiomatics.com axiomatics.com API Authentication API App Code out there… AuthN ➡️3 Common Methods of API Authentication Explained
- 4. The client? The end-user? Who/What we are authenticating?
- 5. Confidential 5 axiomatics.com axiomatics.com API Access Delegation with OAuth Scopes & Claims API App Code out there… OAuth ➡️What Is OAuth? A Breakdown for Beginners AuthN
- 6. Confidential 6 axiomatics.com axiomatics.com OAuth solves 1. Password anti-pattern a. I want to use Mint, the financial service, to keep track of my banking and credit cards b. I want Mint to connect on my behalf to chase.com and other services c. I do not want to share my passwords 2. Access delegation a. I want to control which specific information I own in service A with service B b. Example: I want Dropbox to view Google Sheets in folder XYZ only 3. OAuth Constructs that try to address Authorization a. Tokens: convenient way to transport the attribute data needed to perform authorization b. Claims: assertions allowing an application or API to trust the attributes. Generally about the user c. Scopes: string values consumed by APIs to grant access to requested operations on requested resources i. e.g. View accounts.
- 7. Confidential 7 axiomatics.com axiomatics.com The problem with OAuth (one of many)
- 8. Confidential 8 axiomatics.com Misconceptions Authentication ≠ Authorization OAuth ≠ Authorization App Code ≠ Authorization
- 9. Confidential 9 axiomatics.com axiomatics.com API Authorization… Home-grown & Deliciously Baked…in API App Code out there… OAuth AuthN AuthZ AuthZ
- 10. Confidential 10 axiomatics.com axiomatics.com The challenge with home-grown Bill Doerrfeld’s keynote on APIs also applies to authorization • Authorization sprawl • Lack of governance • Lack of standards • Companies tend to have as many AuthZ models as they do apps
- 11. Confidential 11 axiomatics.com axiomatics.com API Authorization… Decoupled & Externalized API App Code out there… OAuth AuthN AuthZ AuthZ AuthZ
- 12. Confidential 12 axiomatics.com axiomatics.com Why should I even care? OWASP Top Ten 2021 & Top 10 API Security Risks 2023 ● A01:2021-Broken Access Control moves up from the fifth position; 94% of applications were tested for some form of broken access control. The 34 Common Weakness Enumerations (CWEs) mapped to Broken Access Control had more occurrences in applications than any other category. ● API1:2023 - Broken Object Level Authorization - APIs tend to expose endpoints that handle object identifiers, creating a wide attack surface of Object Level Access Control issues. Object level authorization checks should be considered in every function that accesses a data source using an ID from the user. ● API3:2023 - Broken Object Property Level Authorization - This category combines API3:2019 Excessive Data Exposure and API6:2019 - Mass Assignment, focusing on the root cause: the lack of or improper authorization validation at the object property level. This leads to information exposure or manipulation by unauthorized parties. ● API5:2023 - Broken Function Level Authorization - Complex access control policies with different hierarchies, groups, and roles, and an unclear separation between administrative and regular functions, tend to lead to authorization flaws. By exploiting these issues, attackers can gain access to other users’ resources and/or administrative functions. ● API6:2023 - Unrestricted Access to Sensitive Business Flows - APIs vulnerable to this risk expose a business flow - such as buying a ticket, or posting a comment - without compensating for how the functionality could harm the business if used excessively in an automated manner. This doesn't necessarily come from implementation bugs.
- 13. Confidential 13 axiomatics.com axiomatics.com The Ten Commandments of Authorization Authorization shall be… Declarative (policy-based) Dynamic (runtime decision) ABAC (attributes) Decoupled (from the app) ReBAC (relationships) Feature-driven (business rules) Transparent (audit & review) Scalable (protect 1…∞) Agnostic (APIs, data…) Future-proof (APIs, data…)
- 15. Confidential 15 axiomatics.com axiomatics.com Externalize your API Authorization with these Implementation Options 1. ABAC & Policy-driven solutions ⇒ map out to business requirements a. XACML (Axiomatics) b. ALFA (Axiomatics) c. Cedar (AWS) d. Open Policy Agent’s Rego (Styra and Permit.io) 2. ReBAC & Graph-based solutions ⇒ relationship first a. OpenFGA (Auth0/Okta) b. 3Edges c. Topaz (Aserto) 3. ACLs ⇒ scale & consistency first a. Zanzibar: Google’s Consistent, Global Authorization System b. SGNL (see Aldo’s presentation before mine) i. API Authorization Using an Identity Server and Gateway
- 16. Confidential 16 axiomatics.com axiomatics.com Authorization Use Cases Most frameworks for externalized authorization support • Binary authorization request o Can Alice view account #123? o Permit ✅/Deny❌/NotApplicable❔/Indeterminate ⚠️ • Batch authorization requests o Can Alice, Bob, and Carol view, edit, or close accounts #1, 2, 3? o 3x3x3 decisions are returned o Batch requests are specified in another profile called the Multiple Decision Profile Version 1.0 In the case of ALFA, you can express any kind of AuthZ policies: ACLs, RBAC, ABAC, and ReBAC. You can leverage risk, geolocation, time, and LOA…
- 17. Confidential 17 axiomatics.com axiomatics.com Let’s take an ABAC example • Managers can view their customers’ bank accounts • A customer can view their own bank account • A customer can close their bank account • A customer can view the account for a dependent (minor, senior citizen) API App Code GET /accounts/123
- 18. Confidential 18 axiomatics.com axiomatics.com policyset accounts{ target clause attributes.objectType == "account" apply firstApplicable policyset viewAccounts{ target clause Attributes.actionId == "view" apply firstApplicable managers customers } policy closeAccounts{ target clause user.role=="customer" and Attributes.actionId == "close" apply firstApplicable // A customer can close their bank account viewAccounts.customers.ownAccount } Let’s take an ABAC example converted to ALFA
- 19. Confidential 19 axiomatics.com axiomatics.com The managers policy policy managers{ target clause user.role == "manager" apply firstApplicable // Managers can view their customers’ bank accounts rule allowAssignedCustomer{ permit condition stringIsIn(stringOneAndOnly(user.username), account.customer.assignedRep) }}
- 20. Confidential 20 axiomatics.com axiomatics.com The customers policy policy customers{ target clause user.role == "customer" apply firstApplicable // ... their own bank account rule ownAccount{ permit condition account.owner == user.username } // for a dependent (minor, senior citizen) rule dependents{ permit condition stringAtLeastOneMemberOf(account.owner, user.dependents) }}
- 21. Confidential 21 axiomatics.com axiomatics.com The JSON/REST Policy Decision Point Interface • Send a Yes/No AuthZ Request o Can Alice view bank account #123? • Get a decision back o Permit/Deny o Optionally additional statements e.g. “run MFA” • OpenAPI Spec: GitHub - axiomatics/xacml-3.0-authz-service-openapi-spec
- 23. Confidential 23 axiomatics.com axiomatics.com API Protection with an API Gateway API App Code API App Code API App Code API Gateway (e.g. Zuplo) AuthZ AuthN out there…
- 24. Confidential 24 axiomatics.com 01 02 03 04 06 05 Enhanced Security Access is determined by policy and context at runtime, NOT simply by identity Increased Speed Faster response times, faster time to market for new apps, and easier integration Adaptive Collaboration Enable safe and compliant collaboration between employees, customers, partners and suppliers Cost Savings 100 fold ROI in development costs and 20% reduction in maintenance costs User Experience End-users get a frictionless experience that adapts dynamically to their conditions Prove Compliance Decisions are based on policy and are monitored and logged Benefits to Externalized Authorization for APIs
- 25. Confidential 25 axiomatics.com axiomatics.com New Community Effort: OpenID AuthZEN • Increase interoperability between existing standards and approaches to authorization o Policy-based e.g. ALFA, OPA (Rego), and IDQL, o Graph-based e.g. 3Edges and SGNL, o Zanzibar-inspired systems e.g. OpenFGA & Topaz • Standardize interoperable communication patterns between major authZ components o PAP, PDP, PEP, and PIP o See NIST ABAC’s architecture • Establish and promote the use of externalized authZ as the preferred pattern
- 26. Confidential 26 axiomatics.com axiomatics.com Other Efforts • GNAP - Grant Negotiation and Authorization Protocol • RFC 9396 - OAuth 2.0 Rich Authorization Requests • ALFA - the Abbreviated Language for Authorization
- 27. Confidential 27 axiomatics.com axiomatics.com Further reading • Authorize Clipping Service • The Holy Grail of IAM: Getting to Grips with Authorization | Identiverse 2021 • Policy enabling your services - using elastic dynamic authorization to control access to your ap is, microservices, and data • ALFA - the Abbreviated Language for Authorization • Cedar Language • topaz.sh • OWASP Top Ten • OIDF AuthZEN WG - HackMD