Authorization at IIW37

Announcing AuthZEN

AuthZEN is the OpenID Foundation’s latest working group and its purpose is to provide standard mechanisms, protocols, and formats to communicate authorization-related information between components within one organization or across organizations.

Several individuals got together at Identiverse to discuss what standardizing authorization could look like and how to achieve what we dubbed the ‘OAuth moment’, a time when adoption was inevitable and led to massive growth for OAuth. The AuthZEN WG, of which I’m a co-chair along with Allan Foster, Gerry Gebel, and Andrew Hughes, has three main goals:

Increase interoperability between existing standards and approaches to authorization

Standardize interoperable communication patterns between major authZ components

Establish design patterns to promote the use of externalized authorization.

Our peers, Atul Tulshibagwale (SGNL) and Omri Gazitt (Aserto) gave an excellent presentation on the goals of the AuthZEN WG prior to IIW, during the OpenID Foundation session. Check out the slides here.

Launching “403Con”

Am I even allowed to talk about this initiative? On day 1 of the conference, we all piled into “Space F” to discuss what it would look like to run a conference solely dedicated to authorization. In the vein of “Authenticate” but for everything access control. Truth be told, there are so many new ways to address authorization from NIST’s attribute-based access control (ABAC) to 3Edges’ Graph-based approach, access control lists (Zanzibar-style), and more. We want everyone to come and chime in (no pun intended) so if you can spare a few cycles, join us here or reach out in the #authorization channel on IDPro’s Slack.

Authorization-related Talks

Out of the 163 or so sessions, there were several dedicated to authorization.

Darin McAdams of AWS gave an introduction to the Cedar Policy Language, a new open-source approach to attribute-based access control. It sits between Open Policy Agent’s Rego and Axiomatics’ ALFA in terms of expressibility. You can learn more about the language in their playground.

Eve Maler (my XML superhero) gave a 101 talk on User Managed Access (UMA) called ‘Get to know this unique “application of OAuth.”’ This is truly fundamental as oftentimes, authorization is seen as enterprise or compliance-driven when in fact it can be user and consent-driven. UMA helps enable consent collection on top of existing OAuth flows. The purpose of the protocol specifications is to “enable a resource owner to control the authorization of data sharing and other protected-resource access made between online services on the owner’s behalf or with the owner’s authorization by an autonomous requesting party.”

Omri Gazitt of Aserto gave a 101 introduction to Externalized Authorization, its building blocks, and its evolution over the years.

Justin Richer (the notorious author behind Cards Against Identity) gave an introduction to GNAP 101: GNAP (Grant Negotiation and Authorization Protocol) is an in-progress effort to develop a next-generation authorization protocol. It is an identity-centric approach to authorization

Eve Maler hosted an epic battle between Camp “PDP & PEP” vs. Camp “AS/RS” leading to a hilarious smackdown. It’s true that ABAC, XACML, and Externalized Authorization have systematically referred to PEP/PAP/PDP. The session explored how these concepts map back to OAuth’s more familiar AS/RS terminology. Conclusion? There’s definitely room for interoperability and integration.

Gerry Gebel and Phil Hunt spoke about the state of Identity Management Policy Interoperability and in particular IDQL (Identity Query Language), a declarative access policy and set of APIs that enables the mapping of a centrally managed policy into the native format of multiple clouds and application platforms.

Mark Berg, my colleague at Axiomatics, presented the latest on the Abbreviated Language for Authorization (ALFA), OASIS’s standard for fine-grained authorization. You can read more on ALFA’s Wikipedia page.

The Graph Extraordinaire Alex Babeanu spoke about Identity being a… 🥁… Graph Problem.

Lastly, Omri Gazitt gave a demo of TOPAZ, an open-source authorization framework that takes the best of Open Policy Agent with features of Zanzibar/ACLs to deliver a new approach to authorization.

There were a couple of other sessions that tie back to authorization such as:

Pam Dingle’s Minimum Interoperability Profile for ACR (authentication context). If we can all agree on ACR values, they can become attributes in a dynamic authorization decision-making process.

George Fletcher’s Transaction Tokens Authorization for Multi-workload Environments. Can externalized authorization help solve the over-provisioned token use case?

I’m ever so happy to see the evolution of the IAM landscape and the growing importance of authorization. As a standards advocate, I’m keen to develop more bridges between standards to address our industry-wide challenges. Feel free to join the conversation in the #authorization channel on IDPro’s Slack.

Author

Chief Technology Officer, Axiomatics

In his role as CTO, David drives the technology vision and strategy for Axiomatics based on both identity and access management (IAM) market trends as well as customer feedback. He also leads the company’s strategy for standards and technology integrations in both the IAM and broader cybersecurity industries. David is a founding member of IDPro, a co-author of the OASIS XACML standard, and an expert on standards-based authorization as part of an overall IAM implementation. Most recently, David led the design and development of Salesforce’s identity offering, including customer identity and access management (CIAM) solutions.