A presentation given by David Brossard, CTO at Axiomatics, at our 2024 Austin API Summit, March 12-13.
Session Description: So you've just built your cool new API and figured out the authentication part. You're even using OAuth for access delegation, scopes, and claims. So, you're good, right? Well, what about fine-grained authorization? What about OWASP's #1 security threat, broken access control? How do you handle that? Maybe you need an authorization framework to help with that. But which one? Is ABAC the way to go? Policies? Graphs? In this presentation, we'll give you the tools to understand what authorization for APIs entails, what options you have, and how to successfully implement a secure authorization strategy for your APIs. We will cover approaches such as ALFA, ReBAC, and Zanzibar and illustrate with a live demo.
ABAC, ReBAC, Zanzibar, ALFA… How Should I Implement AuthZ in My APIs? by David Brossard, Axiomatics
1. Confidential
1
axiomatics.com
ABAC, ReBAC, Zanzibar, ALFA…
How Should I Implement AuthZ in My APIs?
Nordic APIs 2024, Austin.
David Brossard, CTO, Axiomatics
AuthZEN Co-Chair, Curator AuthZ Substack
IDPro Founding Member
Fmr Editor OASIS XACML and ALFA
OAuth solves
1. Password anti-pattern
a. I want to use Mint, the financial service, to keep track of my banking and credit cards
b. I want Mint to connect on my behalf to chase.com and other services
c. I do not want to share my passwords
2. Access delegation
a. I want to control which specific information I own in service A with service B
b. Example: I want Dropbox to view Google Sheets in folder XYZ only
3. OAuth Constructs that try to address Authorization
a. Tokens: convenient way to transport the attribute data needed to perform authorization
b. Claims: assertions allowing an application or API to trust the attributes. Generally about the user
c. Scopes: string values consumed by APIs to grant access to requested operations on requested resources
i. e.g. View accounts.
The challenge with home-grown
Bill Doerrfeld’s keynote on APIs also applies to authorization
• Authorization sprawl
• Lack of governance
• Lack of standards
• Companies tend to have as many AuthZ models as they do apps
Why should I even care? OWASP Top Ten 2021 & Top 10 API Security Risks 2023
● A01:2021-Broken Access Control moves up from the fifth position; 94% of applications were tested for some form of broken access control. The 34 Common Weakness Enumerations (CWEs) mapped to Broken Access Control had more occurrences in applications than any other category.
● API1:2023 - Broken Object Level Authorization - APIs tend to expose endpoints that handle object identifiers, creating a wide attack surface of Object Level Access Control issues. Object level authorization checks should be considered in every function that accesses a data source using an ID from the user.
● API3:2023 - Broken Object Property Level Authorization - This category combines API3:2019 Excessive Data Exposure and API6:2019 - Mass Assignment, focusing on the root cause: the lack of or improper authorization validation at the object property level. This leads to information exposure or manipulation by unauthorized parties.
● API5:2023 - Broken Function Level Authorization - Complex access control policies with different hierarchies, groups, and roles, and an unclear separation between administrative and regular functions, tend to lead to authorization flaws. By exploiting these issues, attackers can gain access to other users’ resources and/or administrative functions.
● API6:2023 - Unrestricted Access to Sensitive Business Flows - APIs vulnerable to this risk expose a business flow - such as buying a ticket, or posting a comment - without compensating for how the functionality could harm the business if used excessively in an automated manner. This doesn't necessarily come from implementation bugs.
Externalize your API Authorization with these Implementation Options
1. ABAC & Policy-driven solutions ⇒ map out to business requirements
a. XACML (Axiomatics)
b. ALFA (Axiomatics)
c. Cedar (AWS)
d. Open Policy Agent’s Rego (Styra and Permit.io)
2. ReBAC & Graph-based solutions ⇒ relationship first
a. OpenFGA (Auth0/Okta)
b. 3Edges
c. Topaz (Aserto)
3. ACLs ⇒ scale & consistency first
a. Zanzibar: Google’s Consistent, Global Authorization System
b. SGNL (see Aldo’s presentation before mine)
i. API Authorization Using an Identity Server and Gateway
Authorization Use Cases
Most frameworks for externalized authorization support
• Binary authorization request
o Can Alice view account #123?
o Permit ✅/Deny❌/NotApplicable❔/Indeterminate ⚠️
• Batch authorization requests
o Can Alice, Bob, and Carol view, edit, or close accounts #1, 2, 3?
o 3x3x3 decisions are returned
o Batch requests are specified in another profile called the Multiple Decision Profile Version 1.0
In the case of ALFA, you can express any kind of AuthZ policies: ACLs, RBAC, ABAC, and ReBAC. You can
leverage risk, geolocation, time, and LOA…
Let’s take an ABAC example
• Managers can view their customers’ bank accounts
• A customer can view their own bank account
• A customer can close their bank account
• A customer can view the account for a dependent (minor, senior citizen)
Diagram: App Code calls the API with GET /accounts/123
Let’s take an ABAC example converted to ALFA

policyset accounts {
    target clause attributes.objectType == "account"
    apply firstApplicable
    policyset viewAccounts {
        target clause Attributes.actionId == "view"
        apply firstApplicable
        managers
        customers
    }
    policy closeAccounts {
        target clause user.role == "customer" and Attributes.actionId == "close"
        apply firstApplicable
        // A customer can close their bank account
        viewAccounts.customers.ownAccount
    }
}
The managers policy

policy managers {
    target clause user.role == "manager"
    apply firstApplicable
    // Managers can view their customers’ bank accounts
    rule allowAssignedCustomer {
        permit
        condition stringIsIn(stringOneAndOnly(user.username), account.customer.assignedRep)
    }
}
The customers policy

policy customers {
    target clause user.role == "customer"
    apply firstApplicable
    // ... their own bank account
    rule ownAccount {
        permit
        condition account.owner == user.username
    }
    // for a dependent (minor, senior citizen)
    rule dependents {
        permit
        condition stringAtLeastOneMemberOf(account.owner, user.dependents)
    }
}
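As an added example (not code from the talk, from Axiomatics, or from any ALFA engine), the four business rules of the ABAC example, the three ALFA slides, the binary and batch use cases from the "Authorization Use Cases" slide, and the GET /accounts/123 check can be traced in plain Python. Each ALFA policyset, policy and rule becomes one function, a target clause that does not match yields NotApplicable, and `apply firstApplicable` is the `first_applicable` combiner. The users, accounts and the OAuth scope names `accounts:view` / `accounts:close` are constructed for this example.

```python
"""Plain-Python tracing of the ALFA policies on the slides (hypothetical, not
Axiomatics code). Attribute names mirror the slides; sample data is constructed."""
from dataclasses import dataclass

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"


@dataclass(frozen=True)
class User:
    username: str                       # user.username
    role: str                           # user.role
    dependents: frozenset = frozenset() # user.dependents


@dataclass(frozen=True)
class Account:
    account_id: str
    owner: str                          # account.owner
    assigned_reps: frozenset            # account.customer.assignedRep


@dataclass(frozen=True)
class Request:
    user: User
    account: Account
    action: str                         # Attributes.actionId
    object_type: str = "account"        # attributes.objectType


def first_applicable(children, req):
    """ALFA 'apply firstApplicable': the first child that is not NotApplicable decides."""
    for child in children:
        decision = child(req)
        if decision != NOT_APPLICABLE:
            return decision
    return NOT_APPLICABLE


# --- rules (a rule whose condition is false is NotApplicable) ---
def rule_allow_assigned_customer(req):  # stringIsIn(user.username, account.customer.assignedRep)
    return PERMIT if req.user.username in req.account.assigned_reps else NOT_APPLICABLE

def rule_own_account(req):              # account.owner == user.username
    return PERMIT if req.account.owner == req.user.username else NOT_APPLICABLE

def rule_dependents(req):               # stringAtLeastOneMemberOf(account.owner, user.dependents)
    return PERMIT if req.account.owner in req.user.dependents else NOT_APPLICABLE


# --- policies and policysets (a non-matching target clause is NotApplicable) ---
def policy_managers(req):
    if req.user.role != "manager":
        return NOT_APPLICABLE
    return first_applicable([rule_allow_assigned_customer], req)

def policy_customers(req):
    if req.user.role != "customer":
        return NOT_APPLICABLE
    return first_applicable([rule_own_account, rule_dependents], req)

def policyset_view_accounts(req):
    if req.action != "view":
        return NOT_APPLICABLE
    return first_applicable([policy_managers, policy_customers], req)

def policy_close_accounts(req):
    if not (req.user.role == "customer" and req.action == "close"):
        return NOT_APPLICABLE
    return first_applicable([rule_own_account], req)  # reuses viewAccounts.customers.ownAccount

def policyset_accounts(req):
    """Root policyset, i.e. the PDP entry point for a binary request."""
    if req.object_type != "account":
        return NOT_APPLICABLE
    return first_applicable([policyset_view_accounts, policy_close_accounts], req)


def pep_allows(user, account, action, token_scopes):
    """PEP for GET /accounts/{id}: the OAuth scope is the coarse gate, the PDP
    decision the object-level gate, and anything other than Permit is refused."""
    if f"accounts:{action}" not in token_scopes:      # scope names are an assumption
        return False
    return policyset_accounts(Request(user, account, action)) == PERMIT


def batch_decide(users, accounts, actions):
    """Multiple-decision style request: one decision per (user, account, action)."""
    return {(u.username, a.account_id, act): policyset_accounts(Request(u, a, act))
            for u in users for a in accounts for act in actions}


# Constructed sample data
ALICE = User("alice", "customer", frozenset({"junior"}))
BOB = User("bob", "customer")
MARIA = User("maria", "manager")
ACCT_123 = Account("123", owner="alice", assigned_reps=frozenset({"maria"}))
ACCT_456 = Account("456", owner="bob", assigned_reps=frozenset({"carl"}))
ACCT_789 = Account("789", owner="junior", assigned_reps=frozenset())

if __name__ == "__main__":
    for key, decision in batch_decide([ALICE, BOB, MARIA],
                                      [ACCT_123, ACCT_456, ACCT_789],
                                      ["view", "edit", "close"]).items():
        print(key, "->", decision)
```

Note that the tree never returns Deny: every request outside the business rules ends as NotApplicable, and it is the PEP's `== PERMIT` comparison that turns that into a refusal. That deny-by-default comparison is the object-level check OWASP asks for in API1:2023; a PEP that tested `!= DENY` would let every NotApplicable (and Indeterminate) request through.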
The JSON/REST Policy Decision Point Interface
• Send a Yes/No AuthZ Request
o Can Alice view bank account #123?
• Get a decision back
o Permit/Deny
o Optionally additional statements e.g. “run MFA”
• OpenAPI Spec: GitHub - axiomatics/xacml-3.0-authz-service-openapi-spec
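To show what the PEP side of this exchange looks like, here is an added example (not code from the talk or from the axiomatics/xacml-3.0-authz-service-openapi-spec project): it builds the "Can Alice view bank account #123?" request in the shape of the XACML 3.0 JSON Profile, and reads the answer deny-by-default, so that Deny, NotApplicable, Indeterminate, a malformed response and an obligation the PEP cannot discharge (such as "run MFA") all refuse access. The standard XACML attribute ids are real; the ids prefixed `urn:example:` are constructed, and the HTTP call to the PDP is left to the caller.

```python
"""PEP-side request builder and response handler for a JSON/REST PDP
(hypothetical example; payload shape follows the XACML 3.0 JSON Profile)."""
import json

# Standard XACML 3.0 attribute identifiers
XACML_SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
XACML_ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
XACML_RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"


def build_request(subject, action, resource):
    """'Can <subject> <action> <resource>?' as a JSON Profile request body."""
    def category(attr_id, value):
        return {"Attribute": [{"AttributeId": attr_id, "Value": value}]}
    return {"Request": {
        "AccessSubject": category(XACML_SUBJECT_ID, subject),
        "Action": category(XACML_ACTION_ID, action),
        "Resource": category(XACML_RESOURCE_ID, resource),
    }}


def interpret_response(body):
    """Return (allowed, obligations). Only an explicit Permit counts as allowed;
    a response with zero or several results for a single request is refused."""
    data = json.loads(body) if isinstance(body, str) else body
    results = data.get("Response", [])
    if len(results) != 1:
        return False, []
    result = results[0]
    obligations = []
    for ob in result.get("Obligations", []):
        assignments = {a["AttributeId"]: a.get("Value")
                       for a in ob.get("AttributeAssignment", [])}
        obligations.append((ob.get("Id"), assignments))
    return result.get("Decision") == "Permit", obligations


def enforce(body, fulfil):
    """XACML semantics: a Permit whose obligations the PEP cannot discharge must
    be treated as Deny. `fulfil(obligation_id, assignments)` returns True only
    when the PEP actually carried the obligation out (e.g. ran the MFA step)."""
    allowed, obligations = interpret_response(body)
    if not allowed:
        return False
    return all(fulfil(oid, assigns) for oid, assigns in obligations)


# Constructed sample PDP responses for the flow on the slide
SAMPLE_PERMIT_WITH_MFA = json.dumps({"Response": [{
    "Decision": "Permit",
    "Obligations": [{
        "Id": "urn:example:obligation:run-mfa",          # constructed id
        "AttributeAssignment": [{"AttributeId": "urn:example:mfa:level", "Value": "2"}],
    }],
}]})
SAMPLE_INDETERMINATE = json.dumps({"Response": [{
    "Decision": "Indeterminate",
    "Status": {"StatusCode": {"Value": "urn:oasis:names:tc:xacml:1.0:status:processing-error"}},
}]})

if __name__ == "__main__":
    print(json.dumps(build_request("alice", "view", "123"), indent=2))
    print(enforce(SAMPLE_PERMIT_WITH_MFA, lambda oid, a: oid == "urn:example:obligation:run-mfa"))
```

The two failure modes worth keeping in mind are in `interpret_response` and `enforce`: an Indeterminate (the PDP hit an error, as in the second constructed response) is not a Permit and must not be retried into one, and a Permit that carries an obligation is conditional, so the PEP that ignores obligations is quietly granting more than the policy author wrote.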
Benefits to Externalized Authorization for APIs
• Enhanced Security: Access is determined by policy and context at runtime, NOT simply by identity
• Increased Speed: Faster response times, faster time to market for new apps, and easier integration
• Adaptive Collaboration: Enable safe and compliant collaboration between employees, customers, partners and suppliers
• Cost Savings: 100 fold ROI in development costs and 20% reduction in maintenance costs
• User Experience: End-users get a frictionless experience that adapts dynamically to their conditions
• Prove Compliance: Decisions are based on policy and are monitored and logged
New Community Effort: OpenID AuthZEN
• Increase interoperability between existing standards and approaches to authorization
o Policy-based e.g. ALFA, OPA (Rego), and IDQL,
o Graph-based e.g. 3Edges and SGNL,
o Zanzibar-inspired systems e.g. OpenFGA & Topaz
• Standardize interoperable communication patterns between major authZ components
o PAP, PDP, PEP, and PIP
o See NIST ABAC’s architecture
• Establish and promote the use of externalized authZ as the preferred pattern
Further reading
• Authorize Clipping Service
• The Holy Grail of IAM: Getting to Grips with Authorization | Identiverse 2021
• Policy enabling your services - using elastic dynamic authorization to control access to your APIs, microservices, and data
• ALFA - the Abbreviated Language for Authorization
• Cedar Language
• topaz.sh
• OWASP Top Ten
• OIDF AuthZEN WG - HackMD