What does this mean for authorization? – The new stack


James Konik

Unsure whether he is a coder who writes or a writer who codes, James tries to channel this existential tension as much as possible into his two passions, but finds it more beneficial for his writing than for his software. When he jumps from behind his keyboard, he can be found jogging and cycling in Japan.

Authentication and authorization often go hand in hand, but increasingly this is not the case in modern software architectures.

Authentication is where users prove their identity, while authorization defines what they can do inside the system – separating them gives you more control over the two.

The recent trend to separate these two components – dubbed Bring Your Own Identity (BYOI) by Gartner – is gaining traction and has a number of benefits.

In this article, you’ll learn about the opportunities created when authentication is managed for you and how to take advantage of them.

What is BYOI and why do you need it?

BYOI is an authentication approach that allows users to verify their identity through third-party services. If you’ve signed into a website or app using your Google, Apple, or Facebook credentials, you have already used it.

This approach to authentication is becoming more popular because of the benefits it provides to users and developers.

One less password

If you adopt BYOI and support multiple vendors, users can log in with the credentials they already have rather than having to create a new username and password just for your service. With the proliferation of online services we all use, password fatigue is real, and letting users simply authenticate with an existing service removes one more password from the to-remember list.

Better security

One of the main benefits of BYOI is that it allows you to use a service with a higher level of security or user trust than you can currently offer. Trust can be a particular problem for new startups, whose users may not want to share all of their data.

Using another service, like Google, Apple, or Facebook, can ease those anxieties and allow you to take advantage of all the security features they offer. There are also many government-verified identity services in Europe that allow your users to prove who they are.

Enable decoupled authorization

If you’re stuck with an existing ecosystem, like Django, Ruby on Rails, or Laravel, where authentication and authorization are coupled, it is difficult to go beyond what they offer. You can rewrite what’s there, but that takes a lot of time.

With BYOI, authentication is handled for you, so you can focus on the actual business logic of authorization, and most importantly, you can choose a solution that includes the exact features you want and meets your needs in areas such as security and compliance.

This flexibility also means that you can swap or scale either domain independently, such as supporting a new identity provider or changing the way a role is defined, which is faster and has advantages for scaling.

What does BYOI mean for authorization?

BYOI is a paradigm shift in the way authentication and authorization work together – it means identity is managed by a third party and authorization is now decoupled from the user’s identity source and can therefore go beyond the basic roles of typical user management systems.

The way authorization decisions are made doesn’t change much with BYOI – you still need to determine who has access to what resource and decide how that information can be changed and used – but the interaction between authentication and authorization changes.

Multi-Vendor Modeling

Since the user’s identity comes from a number of providers, the system must be able to ingest the user’s profile from any of them. You then need to take the credentials you obtain in a token or callback and map the various profile attributes and account data from each source into a standardized model that can then be used to make authorization decisions.

Managing this disparity while giving users the ability to use any source of identity is part of the challenge. Still, it’s essential if you want to reap the full benefits of BYOI because there’s rich information and context in a user’s profile that can be useful in authorization logic.

The complexity of roles and permissions

It used to be easy to determine roles and permissions because they were probably stored in the same database entry as user credentials and covered a simple service. Credentials could be mapped to permissions on a simple, individual basis.

The picture is now more complicated because the business logic around who can do what in a system must now be divorced from any particular source of identity.

Since user information varies by identity source, even when mapped into your standardized model, any authorization logic must handle partial or missing attributes that would previously have been guaranteed to exist in your own user management system.

This means that roles and permissions are no longer a static set of values for each user, but must be calculated on the fly based on the provided identity data, and more often these days also on the attributes of the resource that the user is trying to interact with.

Rather than hard-coding this logic all over again, since you’ll probably want to support more identity providers in the future, now is a good time to implement an architecture that allows you to encapsulate and separate authorization logic into its own service that can handle dynamic identity information.

You can build it yourself in-house, but an alternative is the open source project Cerbos, which can help you take advantage of the separation of concerns required by BYOI. Since authorization checks can accept an arbitrary set of attributes about the user (or principal, in Cerbos terms), it’s a perfect match when the user’s identity can come from several different providers.

Inside authorization policies, conditional logic can then be defined to check certain attributes of the user’s identity against the resource they are trying to access, as well as to handle cases where the particular identity source used may lack certain data points. This is a much more scalable approach where the identity information is going to be dynamic and evolve over time as you onboard new vendors.
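The two steps described above, mapping identities from several providers into one standardized principal model and then computing roles and permissions on the fly while tolerating missing attributes, as one added example in Python. This is illustration code written for this article, not Cerbos's own policy language or any provider's SDK; the claim payloads, the `gov-eid` provider, the resource records and the policy rules are all constructed for the example.

```python
"""Added example: normalize identities from several providers into one
principal model, then make attribute-based authorization decisions that
treat missing attributes as 'not satisfied' rather than as errors.
All claim payloads and resources below are constructed samples."""
from dataclasses import dataclass, field

# Constructed sample claims, shaped loosely like OIDC ID-token payloads.
# The 'gov-eid' provider is hypothetical: it asserts an assurance level
# but exposes no e-mail address at all.
SAMPLE_CLAIMS = {
    "google": {"iss": "https://accounts.google.com", "sub": "1076915035000615071",
               "email": "alice@example.com", "email_verified": True, "hd": "example.com"},
    "apple": {"iss": "https://appleid.apple.com", "sub": "001234.abcd5678",
              "email": "relay-xyz@privaterelay.appleid.com", "email_verified": "true"},
    "gov-eid": {"iss": "https://eid.example.gov", "sub": "NL-123456789",
                "assurance_level": "high"},
}

# Constructed resources; 'owner' is a provider-qualified principal id.
SAMPLE_DOC = {"id": "doc-1", "owner": "google:1076915035000615071", "org_domain": "example.com"}
APPLE_DOC = {"id": "doc-2", "owner": "apple:001234.abcd5678"}
EID_DOC = {"id": "doc-3", "owner": "gov-eid:NL-123456789"}


@dataclass
class Principal:
    """Standardized model consumed by authorization logic regardless of source."""
    id: str            # provider-qualified so 'sub' values from different issuers cannot collide
    roles: set
    attrs: dict = field(default_factory=dict)


def normalize(provider: str, claims: dict) -> Principal:
    """Map provider-specific claims into the common model.
    Attributes a provider does not supply are simply absent from `attrs`."""
    attrs = {"provider": provider}
    if "email" in claims:
        attrs["email"] = claims["email"]
        # Some providers send email_verified as a bool, others as the string "true".
        attrs["email_verified"] = str(claims.get("email_verified", "")).lower() == "true"
    if "hd" in claims:  # Google's hosted-domain claim names the Workspace organization
        attrs["org_domain"] = claims["hd"]
    if "assurance_level" in claims:
        attrs["assurance_level"] = claims["assurance_level"]
    # Every authenticated user gets the base role; everything else is derived per request.
    return Principal(id=f"{provider}:{claims['sub']}", roles={"user"}, attrs=attrs)


def derive_roles(p: Principal, resource: dict) -> set:
    """Roles computed on the fly from identity attributes AND resource attributes."""
    roles = set(p.roles)
    if resource.get("owner") == p.id:
        roles.add("owner")
    org = p.attrs.get("org_domain")
    if org is not None and org == resource.get("org_domain"):
        roles.add("org_member")
    return roles


def is_allowed(p: Principal, action: str, resource: dict) -> bool:
    """Constructed policy: 'view' needs ownership or org membership; 'export' needs
    ownership plus a strong identity (verified e-mail OR high assurance level).
    A missing attribute never raises; it just fails the condition."""
    roles = derive_roles(p, resource)
    if action == "view":
        return "owner" in roles or "org_member" in roles
    if action == "export":
        strong_identity = (p.attrs.get("email_verified", False)
                           or p.attrs.get("assurance_level") == "high")
        return "owner" in roles and bool(strong_identity)
    return False  # default deny for any action the policy does not name


if __name__ == "__main__":
    for provider, claims in SAMPLE_CLAIMS.items():
        principal = normalize(provider, claims)
        for doc in (SAMPLE_DOC, APPLE_DOC, EID_DOC):
            for action in ("view", "export", "delete"):
                print(principal.id, action, doc["id"], is_allowed(principal, action, doc))
```

The point to notice is that `normalize` never fabricates a value for an attribute the provider did not send, and `is_allowed` is written so that every lookup has a safe default; onboarding a new provider then means adding a mapping, not touching the policy.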

Conclusion

It used to be that authorization and authentication went together like bread and butter. Modern paradigms, like BYOI, have now changed the way user identities are managed in an application.

BYOI for users means one less set of credentials to remember and manage, and they can feel safe using their trusted identity provider to authenticate to your app.

For developers, BYOI forces a decoupling of authentication and authorization and opens the door to picking the best solutions for both components, including leveraging open source projects that ensure you don’t reinvent the wheel and allow you to focus more on delivering your core value.

Featured image via Unsplash.
