Authorization What’s Next?

2

User-Managed Access

FORGEROCK.COM

Allan Foster VP Technology & Standards guruallan

Eve Maler VP Innovation & Emerging Technology xmlgrrl

Defining authorization and the authorization V.next landscape

4

5

XACML

OAUTH

OpenID Connect

ABAC

RBAC

SAML

6

What is Authorization?

7

Policy

ACIs and ACLs

RBAC

ABAC

ACIs and ACLs

RBAC

ABAC

Doesn’t scale, becomes unmanageable as users and resources grow

ACIs and ACLs

RBAC

ABAC

Doesn’t scale, becomes unmanageable as users and resources grow

Doesn’t scale, leads to role proliferation and multiplexing

11

12

Attributes

13

OAuth2

14

Token

15

UMA 101

17

The vicissitudes of personal data sharing

■  Back-channel

■  Typing

■  Connecting

■  Private URLs

18

What is, and isn’t, UMA? ■  It’s a draft standard for authorization V.next

■  It’s a profile and application of OAuth

■  It’s not a new, disconnected technology

■  It’s a set of privacy-by-design and consent APIs

■  It’s not an “XACML killer”

19

resource  owner  

reques+ng  party  

authoriza+on  server  

resource  server  

manage consent

control

negotiate protect

authorize

access

manage

client  

*Thanks to UMAnitarian Domenico Catalano for the “marvelous spiral”

20

The AS exposes an UMA-standardized protection API to the RS

20

Protection A

PI P

rote

ctio

n cl

ient

PAT

protection API token

includes resource registration API and token

introspection API

21

The AS exposes an UMA-standardized authorization API to the client

21

Authorization API

Authorization client

AAT authorization API token

supports OpenID Connect-based claims-

gathering for authz

22

The RS exposes whatever value-add API it wants, protected by an AS

22

App-specific API

UM

A-enabled

client

RPT requesting party token

23

Collecting claims from the requesting party to assess policy

23

manage

control

protect

authorize

access

negotiate

consentmanage

resourceowner

resourceserver

authorizationserver

Authenticate OIDCServer

client

requestingparty

Client acting as claims conveyor

Client redirects the Requesting Party to AS

Real-life UMA use cases

25

Patient-centric health data sharing ■  UMA uniquely solves for

Consent Directives

■  Special requirements: –  Impeccable security –  “Context, control, choice, and

respect” –  Wide ecosystem –  Accounting of Disclosures –  Meaningful Use –  (Relationship Locator Service)

26

pa+ent  

AS  fron+ng  a  consent  direc+ve  server  

FHIR  EHR  API/  lab  

results/FitBit…  

manage consent

control

negotiate protect

authorize

access

manage

web  or  na+ve  app  

care  provider/  family/Alice  

herself  

27

Delegated authorization from SaaS to enterprise ■  Allow Enterprise business logic as policy

■  Easy to define Resources and actions

■  Allow Enterprise freedom in evaluation

■  Each Enterprise provides its own AS

■  Attributes stay in the enterprise

28

enterprise  

enterprise  AS  

third-­‐party  SaaS  APIs  

manage consent

control

negotiate protect

authorize

access

manage

web  or  na+ve  app  

enterprise  employees  

Let us sum up

30

Resource Server ■  Concerned with protecting Resources

■  Concerned with Clients

■  Supplies resource and scope Attributes to AS

■  Uses OAuth token for access to protection API

■  Redirects Client if its UMA token is insufficient

■  Could have multiple AS relationships

31

Client ■  Accesses resources on RS

■  Uses OAuth token for access to authorization API

■  Receives UMA token from AS

■  Asks to add authorization to UMA token for access

■  Provides Subject Attributes via Claims or redirects Subject to AS for further claims-gathering

32

Resource Owner ■  Provides Resource Owner attributes to AS

■  Can provide Authorization policy to AS

■  Manages access settings of protected resources

33

Authorization Server ■  Consumes attributes from all parties

■  Evaluates Policy in context of attributes

■  Associates entitlements with UMA token so client can access RS

■  Leaves RS to judge entitlements against access attempt

34

Summing up ■  OAuth-based framework

■  Facilitates Constrained Delegated Authorization

■  Policy evaluation agnostic

■  Enables humans to control their digital footprint

35 FORGEROCK.COM

Allan Foster allan.foster@forgerock.com guruallan

Eve Maler eve.maler@forgerock.com xmlgrrl

Thanks! Questions?