Episode 019: 30‐05‐2024 Continuous Authorization - GluuFederation/identerati-office-hours GitHub Wiki
- Host: Mike Schwartz, Founder/CEO Gluu
- Guest: Rohit Khare, Identerati
Description
Mike has been working on a new design for distributed authorization in the Janssen Project which could enable near real-time JWT token revocation. Revoking JWTs more quickly can limit the blast radius of an account takeover. Using Server-Sent Events (SSE) and the new OAuth Token Status List draft, this solution greatly reduces the bandwidth required to revoke tokens. It also introduces the "Cedarling" -- a WebAssembly component powered by the Rust Cedar engine that handles the messaging and JWT validation.
Homework
Takeaways
- The Cedarling WebAssembly component offers integration with a wide array of applications. It enables the PDP to run in the browser or as a cloud function. To achieve fine-grained authorization, we need to run the PDP with minimal latency. A WebAssembly component also gives application developers the ability to present a UX that is based on authorization -- e.g. grey out form options the user is not authorized to use.
- Policies are managed in GitHub, and an application can potentially use a specific policy store. For example, a WordPress application doesn't need policies related to the API gateway -- it's another way we can minimize the memory footprint of the Cedarling.
- The Cedarling enables app developers to ask: can I do this, given my current tokens (access, id_token, Userinfo, transaction)? The Cedarling can verify which token issuers are trusted, whether the token has been revoked, and whether the policies authorize the action. The JWT is the new PIP!
- Without the ability to revoke tokens, CAEP is not that useful! CAEP events are just data. You need to process that data into information, and then take an action -- like revoking tokens. For JWT revocation, old solutions like Certificate Revocation Lists and OCSP don't scale. OAuth Status Lists let the revocation of a given token be communicated in as little as one bit. SSE is used to push notifications in real time, or batched periodically (perhaps every 10 seconds).
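To make the "one bit per token" point concrete, here is an added example (not code from the episode, Gluu or the Janssen Project) that packs token statuses into a status list and looks one up by index. It assumes the layout of the OAuth Token Status List draft as I read it: `bits` bits per index, least-significant bit first, zlib-compressed and base64url-encoded; the status values are constructed sample data.

```python
import base64
import zlib

# Assumed layout (per draft-ietf-oauth-status-list): a byte array with `bits`
# bits per token index, LSB first, DEFLATE-compressed, then base64url without
# padding. Status 0 means VALID; any non-zero status is treated as revoked.


def build_status_list(statuses, bits=1):
    """Pack per-index statuses (each < 2**bits) into the transport string."""
    if bits not in (1, 2, 4, 8):
        raise ValueError("bits must be 1, 2, 4 or 8")
    per_byte = 8 // bits
    raw = bytearray((len(statuses) + per_byte - 1) // per_byte)
    for idx, status in enumerate(statuses):
        if not 0 <= status < (1 << bits):
            raise ValueError(f"status {status} does not fit in {bits} bits")
        raw[idx // per_byte] |= status << ((idx % per_byte) * bits)
    compressed = zlib.compress(bytes(raw), 9)
    return base64.urlsafe_b64encode(compressed).rstrip(b"=").decode("ascii")


def decode_status_list(lst):
    """Reverse the transport encoding and return the raw status byte array."""
    padded = lst + "=" * (-len(lst) % 4)          # restore base64 padding
    return zlib.decompress(base64.urlsafe_b64decode(padded))


def lookup_status(lst, idx, bits=1):
    """Return the status value stored for token index `idx`."""
    raw = decode_status_list(lst)
    per_byte = 8 // bits
    byte = raw[idx // per_byte]                   # IndexError if idx is out of range
    return (byte >> ((idx % per_byte) * bits)) & ((1 << bits) - 1)


def is_revoked(lst, idx, bits=1):
    """PDP-style check: non-zero status, or an index the list does not cover, is revoked."""
    try:
        return lookup_status(lst, idx, bits) != 0
    except IndexError:
        return True                               # fail closed on unknown indices


if __name__ == "__main__":
    # Constructed sample: 16 tokens, several of them revoked.
    sample = [1, 0, 0, 1, 1, 1, 0, 1, 1, 1, 0, 0, 0, 1, 0, 1]
    lst = build_status_list(sample)
    print(lst, decode_status_list(lst).hex(), is_revoked(lst, 0), is_revoked(lst, 1))
```

Sixteen tokens fit in two bytes before compression, which is why a push over SSE of the whole list, or of a changed slice of it, costs almost nothing compared with a CRL-style list of identifiers.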