Awesome Authorization

A curated list of information and best practices for authorization and access control.

Contents

• Overview
• Authentication vs. Authorization
• Access Control Models
• Security Concerns
• Best Practices
• Useful Articles & Tutorials
• Authz In Practice
• Videos & Talks

Overview

• NIST Authorization Definition - "The process of verifying that a requested action or service is approved for a specific entity".

Authentication vs. Authorization

• Authentication - Determines who someone or something is (identity).
• Authorization - Determines what someone or something can do in a system (privileges and permissions).
• Understanding Authentication, Authorization, and Encryption - Quick comparison of authn, authz and encryption.

Access Control Models

• ABAC - Attribute based access control.
• DAC - Discretionary access control.
• GBAC - Graph based access control.
• MAC - Mandatory access control.
• OrBAC - Organization based access control.
• ReBAC - Relationship based access control.
• RBAC - Role based access control.

Security Concerns

• OWASP API Security Top 10 2019 - List of the top 10 security risks for APIs.
• OWASP Top 10 for 2021 - List of the top 10 web application security risks. Broken access control is #1 on the list.
• Insecure Direct Object Reference
  • IDOR & How to Protect Against It
  • The Rise of IDOR
  • What is IDOR?
  • Broken Object Level Authorization
  • Identity Thieves Bypassed Experian Security to View Credit Reports
• Broken Function Level Authorization - API incorrectly relies on the client to use the correct access level making it susceptible to hackers.
• Building a Modern Zero Trust Strategy - Overview of 'zero trust' security by Newstack. (Need to enter email to download e-book)
• Retrospective on Coinbase Trading IDOR Vuln - Retrospective by the Coinbase team detailing remediation of an IDOR/validation bug found via bug bounty.
• Why Broken Access Control is the Most Severe Vulnerability - Overview of broken access control exploits including IDOR as well as best practices.
• Millions of people's data stolen because web devs forget to check access perms - CISA, NSA and the Australian Cyber Security Centre alert on the prevalence and danger of IDOR attacks.

Best Practices

• OWASP Authorization Cheat Sheet & Recommendations - Authz overview and recommendations for best practices.
  • Enforce least privileges and deny by default - Ensure that users and systems only have access to what they need and nothing else.
  • As fine-grained as possible - Authorization checks should be as specific as possible. Ideally, this means the system has the ability to check access based on specific records and resources.
  • Implement once and reuse - Keep authz logic in one place to ensure consistent checks and to prevent missed cases and potential security holes.
  • Maintain an audit log - Keep an authorization log (allow/deny) to track access and conduct audits where necessary.

Useful Articles & Tutorials

• API Tokens: A Tedious Survey - An overview of different approaches to API security.
• Ask HN: Best Practices for Web Authorization? (2016) - HN discussion about application authorization best practices.
• Authorization in a Microservices World - Covers approaches to authorization in microservices.
• AWS - Authz & Access Control for SaaS Multi-tenant Apps - How-to/implementation guide for authz in multi-tenant apps using AWS.
• Best Practices for Building Secure API Keys - Covers hashing, storage and key retrieval.
• How To Structure Permissions In A SaaS App - Talks about approaches to RBAC, ACLs etc in SaaS apps.
• Implementing Role Based Access Control - How-to/implementation guide for basic RBAC in an application.
• Permissions Systems: Category Notes - An overview of the permissions systems landscape.
• Web App Access Control Design - A presentation highlighting best practices for implementing access control in web apps.
• What Do Authentication and Authorization Mean in Zero Trust? - How to think about Authn and Authz within a Zero Trust Architecture.
• Feature Flags and Authorization Abstract the Same Concept - A blog post comparing the many similarities and subtle differences between feature flagging and authorization.

Authz In Practice

• What's the Best Authorization Framework? None At All - Opinionated blog post detailing Betterment's approach to authz.
• GitHub Secret Scanning - How GitHub scans repos to search for exposed secrets.
• Open Policy Agent - A policy-based framework for authorization and access control.
• Stripe API Docs - Stripe's approach to issuing and managing API keys securely.
• XACML - Standard that defines the "Extensible Access Control Markup Language," a declarative fine-grained, attribute-based access control policy language.
  • Intuit AuthZ - Post detailing Intuit's implementation of an XACML-based authz service.
• Google Zanzibar - Google's consistent, global authorization system.
  • Why Google Zanzibar Shines at Building Authorization - A blog post detailing why Google Zanzibar is especially well suited to solving application authorization.
  • Airbnb Himeji - Based on Zanzibar.
  • Carta AuthZ - Also based on Zanzibar.
• Securing Apache Airflow UI With DAG Level Access - How Lyft set up fine-grained (DAG-level) access control on top of Apache Airflow.
• Authorization Solutions for Microservices Architecture - How AppsFlyer approaches authz in their microservices architecture.
• Reddit - Evolving Authorization for Our Advertising Platform - Summary of Reddit's internal fine-grained authz system built for the advertising platform.
• Authorization at LinkedIn’s Scale - Summary of LinkedIn's high-performance authz system used within its microservices architecture.
• Attribute-Based Access Control at Uber - Summary of Uber's internal, centralized ABAC system used within its microservices architecture.
• Learnings from Building a Simple Authorization System (ABAC) - Ubicloud's learnings from building a simple ABAC authz system.
• How We Built a Custom Permissions DSL at Figma - Summary of how Figma built a custom permissions DSL for their product.

Videos & Talks

• Hashicorp - Microservice Authentication and Authorization (2019)
• How Netflix Is Solving Authorization Across Their Cloud (2017)
• Deloitte - How Zero Trust Architecture Can Be Strengthened with ABAC (2022)
• @Scale 2019 - Zanzibar: Google’s Consistent, Global Authorization System