Episode 004: 04‐09‐2024 Authz Renaissance: Why now - GluuFederation/identerati-office-hours GitHub Wiki
- Host: Mike Schwartz, Founder/CEO Gluu
- Guest: David Brossard, CTO Axiomatics
- Co-Host: Gerry Gebel, VP Product & Standards at Strata Identity
Short Title < 50 Char
Authz: Authz Renaissance: Why now?
Long Title
Identerati Office Hours, Episode 004: Authz: Authz Renaissance: Why now?
Description
By and large, authentication has been solved. You’re authenticated, now what?
Up to now, authorization has been dealt with in silos: inside a given app, database, framework.
There have been attempts over the past 15 years to externalize authorization, e.g. XACML. In the past 5 years, there has been a kind of authz renaissance, with a plethora of new authorization standards (and architectures) arising such as ALFA, graph-based authorization, Zanzibar, and more. NIST published their seminal paper on ABAC and released NGAC. So, what’s happening with authorization and what can we expect in the next few years?
And what is the range of solutions that might finally enable enterprises to control access to data, services and applications?
Join Mike and David as they delve into the world of AuthZ.
Homework
- A Taxonomy of Modern Authorization Models - IDPro
- Q&A: Authorization in 20 years - what will change? - Axiomatics
- David's talk at Nordic APIs, March 2023: ABAC, ReBAC, Zanzibar, ALFA… How and Why Should I Implement Authorization in My APIs?
Livestream Archive
Takeaways
- Authz should be: Declarative, Dynamic and Decoupled:
  - Declarative: aligns with the configuration-as-code cloud native principle and improves auditability
  - Dynamic: authz needs to consider the current context, especially with regard to new ML capabilities
  - Decoupled: authz policies shouldn't be buried in the code
- OPA's success contributed to the Authz renaissance, but we were moving in that direction anyway with innovations like Zanzibar, continuous authentication, and zero trust.
- Authz can save money on compliance and increase developer productivity. But authz vendors should perhaps focus on solving more specific business challenges if they want to emulate the success of OPA. Although open source adoption and commercial success are not always related (listen to Mike's Open Source Underdogs podcast with Docker Founder Solomon Hykes).
- The OpenID AuthZEN working group is seeking to standardize the interface to PDPs in an authorization-model-neutral way. Perhaps if this existed, more API gateway vendors would call a PDP instead of using OAuth tokens directly for authorization.
- The PDP-PEP-PIP-PAP model still works, but the deployment architectures have evolved. Any application that calls the PDP with a few lines of JavaScript may be a PEP. And the PDP may be distributed as a sidecar in a microservices architecture, instead of one server. And different strategies are needed to get the PDP all the information it needs to make a decision.
- Lots of great conversations are possible at IIW 38, so don't miss it. Get 20% off here.
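The PDP-PEP-PIP split and the "declarative, dynamic, decoupled" takeaways above, as an added JavaScript example (not from the episode, nor code from Gluu, Axiomatics or Strata): the policy is plain data, the PDP evaluates it against request context, a PIP supplies attributes the caller does not have, and the PEP is only a few lines. The request/response shape (subject, action, resource, context in; decision out) loosely follows the OpenID AuthZEN evaluation API draft, which is an assumption here, and the PDP and PIP are in-process stand-ins for what would be a sidecar or remote service.

```javascript
// Declarative: the policy is serializable data, not code buried in the app.
// Each rule matches a role, an action and a resource type, with an optional
// condition on the request context (that is the "dynamic" part).
const policy = {
  rules: [
    { effect: "permit", role: "analyst", action: "read", resourceType: "report" },
    { effect: "permit", role: "owner",   action: "edit", resourceType: "report",
      condition: { attr: "mfa", equals: true } },          // fresh MFA required
    { effect: "permit", role: "auditor", action: "read", resourceType: "report",
      condition: { attr: "ip_trusted", equals: true } },   // only from trusted IPs
  ],
};

// PIP stand-in: constructed attribute stores (hypothetical users and reports)
// that the PDP consults for facts the PEP never sees.
const directory = { alice: ["analyst"], bob: ["auditor"] };
const reports = { "r-1": { owner: "alice" }, "r-2": { owner: "carol" } };

function pip(request) {
  const roles = [...(directory[request.subject.id] || [])];
  const res = reports[request.resource.id];
  if (res && res.owner === request.subject.id) roles.push("owner"); // relationship-derived role
  return roles;
}

// PDP: deny-by-default evaluation of the declarative rules against the enriched request.
function evaluate(request) {
  const roles = pip(request);
  const ctx = request.context || {};
  const permitted = policy.rules.some((r) =>
    r.effect === "permit" &&
    roles.includes(r.role) &&
    r.action === request.action.name &&
    r.resourceType === request.resource.type &&
    (r.condition ? ctx[r.condition.attr] === r.condition.equals : true));
  return { decision: permitted };
}

// PEP: the "few lines" an application needs; it builds an AuthZEN-style request
// (shape assumed from the draft) and knows nothing about the rules themselves.
function pep(userId, action, resourceId, context) {
  const request = {
    subject:  { type: "user", id: userId },
    action:   { name: action },
    resource: { type: "report", id: resourceId },
    context,
  };
  return evaluate(request).decision;
}
```

Swapping `evaluate` for an HTTP call to a sidecar PDP leaves `pep` unchanged, which is the decoupling the takeaway describes.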