CIS14: User-Managed Access
Uploaded by cloudidsummit. Category: Technology.
Transcript of CIS14: User-Managed Access
Authorization: What’s Next?
User-Managed Access
FORGEROCK.COM
Allan Foster, VP Technology & Standards, guruallan
Eve Maler, VP Innovation & Emerging Technology, xmlgrrl
Defining authorization and the authorization V.next landscape
XACML
OAUTH
OpenID Connect
ABAC
RBAC
SAML
What is Authorization?
Policy
■ ACIs and ACLs: doesn’t scale, becomes unmanageable as users and resources grow
■ RBAC: doesn’t scale, leads to role proliferation and multiplexing
■ ABAC
Attributes
OAuth2
Token
UMA 101
The vicissitudes of personal data sharing
■ Back-channel
■ Typing
■ Connecting
■ Private URLs
What is, and isn’t, UMA?
■ It’s a draft standard for authorization V.next
■ It’s a profile and application of OAuth
■ It’s not a new, disconnected technology
■ It’s a set of privacy-by-design and consent APIs
■ It’s not an “XACML killer”
[Figure: the UMA “marvelous spiral” of parties: resource owner, requesting party, authorization server, resource server, client; relationships: manage consent, control, negotiate, protect, authorize, access, manage]
*Thanks to UMAnitarian Domenico Catalano for the “marvelous spiral”
The AS exposes an UMA-standardized protection API to the RS
■ Protection API, consumed by the RS as protection client
■ PAT: protection API token
■ Includes resource registration API and token introspection API
The AS exposes an UMA-standardized authorization API to the client
■ Authorization API, consumed by the authorization client
■ AAT: authorization API token
■ Supports OpenID Connect-based claims-gathering for authz
The RS exposes whatever value-add API it wants, protected by an AS
■ App-specific API, called by the UMA-enabled client
■ RPT: requesting party token
Collecting claims from the requesting party to assess policy
[Figure: spiral with resource owner, resource server, authorization server, client and requesting party, plus an OIDC server the requesting party authenticates to; relationships: manage, control, protect, authorize, access, negotiate, manage consent]
■ Client acting as claims conveyor
■ Client redirects the Requesting Party to AS
Real-life UMA use cases
Patient-centric health data sharing
■ UMA uniquely solves for Consent Directives
■ Special requirements:
– Impeccable security
– “Context, control, choice, and respect”
– Wide ecosystem
– Accounting of Disclosures
– Meaningful Use
– (Relationship Locator Service)
[Figure: patient as resource owner; AS fronting a consent directive server; FHIR EHR API / lab results / FitBit… as resource servers; web or native app as client; care provider / family / Alice herself as requesting party; relationships: manage consent, control, negotiate, protect, authorize, access, manage]
Delegated authorization from SaaS to enterprise
■ Allow Enterprise business logic as policy
■ Easy to define Resources and actions
■ Allow Enterprise freedom in evaluation
■ Each Enterprise provides its own AS
■ Attributes stay in the enterprise
[Figure: enterprise as resource owner; enterprise AS; third-party SaaS APIs as resource servers; web or native app as client; enterprise employees as requesting parties; relationships: manage consent, control, negotiate, protect, authorize, access, manage]
Let us sum up
Resource Server
■ Concerned with protecting Resources
■ Concerned with Clients
■ Supplies resource and scope Attributes to AS
■ Uses OAuth token for access to protection API
■ Redirects Client if its UMA token is insufficient
■ Could have multiple AS relationships
Client
■ Accesses resources on RS
■ Uses OAuth token for access to authorization API
■ Receives UMA token from AS
■ Asks to add authorization to UMA token for access
■ Provides Subject Attributes via Claims or redirects Subject to AS for further claims-gathering
Resource Owner
■ Provides Resource Owner attributes to AS
■ Can provide Authorization policy to AS
■ Manages access settings of protected resources
Authorization Server
■ Consumes attributes from all parties
■ Evaluates Policy in context of attributes
■ Associates entitlements with UMA token so client can access RS
■ Leaves RS to judge entitlements against access attempt
Summing up
■ OAuth-based framework
■ Facilitates Constrained Delegated Authorization
■ Policy evaluation agnostic
■ Enables humans to control their digital footprint
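The three-token exchange the deck describes (PAT between RS and AS, AAT between client and AS, RPT carried by the client to the RS) and the four role summaries above, walked through end to end as an added example. This is not part of the deck and not ForgeRock code, and it is not a conformant UMA implementation: the parties are plain Python objects, tokens are random strings, there is no HTTP, and the method names, the need_info response shape and the https://as.example URI are constructed stand-ins. The OIDC redirect for claims-gathering is simulated by the client simply supplying the claim on its second request.

```python
"""In-memory walkthrough of the UMA 1.0 exchange the slides describe.
Added example: not ForgeRock code and not a conformant UMA implementation.
Parties are plain Python objects, tokens are random strings, there is no HTTP;
method names, the need_info shape and the as.example URI are constructed."""
import secrets


class AuthorizationServer:
    def __init__(self):
        self.tokens = {}     # PAT/AAT -> (kind, holder id)
        self.resources = {}  # resource id -> {"owner", "scopes", "rs"}
        self.policies = {}   # resource id -> claims the owner requires
        self.tickets = {}    # permission ticket -> (resource id, scopes)
        self.rpts = {}       # RPT -> {(resource id, frozenset(scopes))}

    def issue(self, kind, holder):
        """Mint an opaque OAuth-style API token: 'pat' for an RS, 'aat' for a client."""
        token = secrets.token_urlsafe(16)
        self.tokens[token] = (kind, holder)
        return token

    def _holder(self, token, kind):
        if token not in self.tokens or self.tokens[token][0] != kind:
            raise PermissionError(f"not a valid {kind}")
        return self.tokens[token][1]

    # Protection API: the RS registers a resource set under its PAT.
    def register_resource(self, pat, resource_id, owner, scopes):
        rs_id = self._holder(pat, "pat")
        self.resources[resource_id] = {"owner": owner, "scopes": set(scopes), "rs": rs_id}

    # The resource owner tells the AS which claims a requesting party must present.
    def set_policy(self, owner, resource_id, required_claims):
        if self.resources[resource_id]["owner"] != owner:
            raise PermissionError("only the resource owner sets policy")
        self.policies[resource_id] = dict(required_claims)

    # Protection API: the RS registers the attempted access and gets a ticket.
    def register_permission(self, pat, resource_id, scopes):
        if self.resources[resource_id]["rs"] != self._holder(pat, "pat"):
            raise PermissionError("resource belongs to another RS")
        ticket = secrets.token_urlsafe(8)
        self.tickets[ticket] = (resource_id, frozenset(scopes))
        return ticket

    # Authorization API: AAT + ticket + claims -> RPT, or need_info naming the
    # claims still to gather (with a fresh ticket, since tickets are single-use).
    def request_rpt(self, aat, ticket, claims, rpt=None):
        self._holder(aat, "aat")
        resource_id, scopes = self.tickets.pop(ticket)
        required = self.policies.get(resource_id, {})
        missing = sorted(k for k, v in required.items() if claims.get(k) != v)
        if missing:
            retry = secrets.token_urlsafe(8)
            self.tickets[retry] = (resource_id, scopes)
            return {"error": "need_info", "required_claims": missing, "ticket": retry}
        rpt = rpt or secrets.token_urlsafe(16)  # add to an existing RPT or mint one
        self.rpts.setdefault(rpt, set()).add((resource_id, scopes))
        return {"rpt": rpt}

    # Protection API: token introspection; the RS asks what an RPT is good for.
    def introspect(self, pat, rpt):
        self._holder(pat, "pat")
        perms = self.rpts.get(rpt, set())
        return {"active": bool(perms),
                "permissions": [{"resource_id": r, "scopes": sorted(s)} for r, s in perms]}


class ResourceServer:
    """Owns the data; judges each access against what the AS bound to the RPT."""
    def __init__(self, as_, rs_id, as_uri):
        self.as_, self.as_uri, self.data = as_, as_uri, {}
        self.pat = as_.issue("pat", rs_id)

    def protect(self, resource_id, owner, content, scopes):
        self.data[resource_id] = content
        self.as_.register_resource(self.pat, resource_id, owner, scopes)

    def read(self, resource_id, rpt):
        intro = self.as_.introspect(self.pat, rpt) if rpt else {"permissions": []}
        if any(p["resource_id"] == resource_id and "read" in p["scopes"] for p in intro["permissions"]):
            return 200, self.data[resource_id]
        # Missing or insufficient RPT: register the permission, send the client to the AS.
        ticket = self.as_.register_permission(self.pat, resource_id, ["read"])
        return 403, {"as_uri": self.as_uri, "ticket": ticket}


def run_flow():
    """Constructed scenario: a care-provider app reads Alice's lab results."""
    as_ = AuthorizationServer()
    rs = ResourceServer(as_, "ehr-api", "https://as.example")      # placeholder AS URI
    rs.protect("labs/alice", "alice", "HbA1c 5.6%", ["read", "write"])
    as_.set_policy("alice", "labs/alice", {"role": "care_provider"})
    aat = as_.issue("aat", "care-app")
    status1, body1 = rs.read("labs/alice", rpt=None)             # no RPT -> 403 + ticket
    resp1 = as_.request_rpt(aat, body1["ticket"], claims={})     # no claims -> need_info
    # Client gathers the named claim (in UMA: redirect to the AS for OIDC claims-gathering).
    resp2 = as_.request_rpt(aat, resp1["ticket"], {"role": "care_provider"})
    status2, body2 = rs.read("labs/alice", rpt=resp2["rpt"])
    return {"first": status1, "need_info": resp1["required_claims"],
            "second": status2, "content": body2}
```

Reading `run_flow` against the role summaries: the first `read` is the RS "redirecting the client if its UMA token is insufficient" (403 with `as_uri` and a ticket), the `need_info` reply is the AS asking the client to act as claims conveyor, and the final `read` shows that the AS only associates permissions with the RPT while the RS itself judges the `read` scope against the access attempt. Both API tokens are checked on every call, so an RS cannot use the authorization API and a client cannot use the protection API.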
FORGEROCK.COM
Allan Foster [email protected] guruallan
Eve Maler [email protected] xmlgrrl
Thanks! Questions?