How to use Amazon Verified Permissions to support OpenID AuthZEN requests.
A new specification (version 1.0, draft 03 at the time of publication) and related standard mechanisms, protocols, and formats are being developed by the OpenID Foundation’s AuthZEN Working Group to facilitate the exchange of authorization-related data between the various components involved in access control and authorization.
As demonstrated by the open-source reference implementation AWS is publishing today, an AuthZEN-compliant policy enforcement point (PEP) can be seamlessly integrated with Amazon Verified Permissions, a fully managed AWS service that stores authorization policies (written in the Cedar policy language) and evaluates authorization requests at runtime.
Policy enforcement point definition
A policy enforcement point (PEP) is the element of a security framework that upholds access control policies. It serves as a gatekeeper, ensuring that resource requests are evaluated against the established policies and that only authorized people or processes are permitted access to protected resources or data.
What is OpenID AuthZEN specification?
Historically, application developers built their own authorization logic inside the application code to evaluate access to resources. Reviewing the authorization rules then requires reviewing the application code, and modifying them requires changing the application and deploying a new version. Customers who use this design frequently find it difficult to monitor changes to their authorization rules, update rules as their application evolves, and enforce their policies consistently.
Modern application designs separate authorization from the application code to address these issues. This approach speeds up application development and gives developers dynamic, reusable fine-grained permissions that they can apply consistently across their applications. Fine-grained permissions are usually built on the following criteria:
- Roles assigned to the subject, in accordance with role-based access control (RBAC)
- Attributes of the subject or of the requested resources, in accordance with attribute-based access control (ABAC)
- Relationships between the subject and the resource, in accordance with relationship-based access control (ReBAC)
- A hybrid model that combines the techniques above
Expressing these access control principles as policies gives the policy-based access control (PBAC) approach.
To support these access control strategies, customers deploy solutions that follow the guidelines in NIST SP 800-162, the NIST guide to ABAC.

Figure 1 depicts the architecture of an advanced access control system, which is made up of several essential parts that cooperate to administer and enforce authorization policies.
At the centre of this system is the policy decision point (PDP), also known as the policy engine or rules engine. The PDP is responsible for evaluating the policies to decide whether to approve or reject a specific access request. It interacts closely with the policy enforcement point (PEP), which serves as the gatekeeper for resource access.
The PEP, which is usually integrated into your application, receives access requests from subjects (people or systems) and enforces the PDP’s decisions: depending on what the PDP determines, it either grants or denies access to the requested resource.
The PDP may need to retrieve more metadata or attributes in order to make well-informed decisions. Subject attribute and resource attribute stores are examples of external data sources that can be accessed using a policy information point (PIP). These could include databases that offer vital contextual information to help with decision-making, like your HR system.
Other significant components are also displayed in the diagram:
- The authorization policies are kept in the policy store.
- The policy store’s policies are managed and updated using the policy administration point (PAP).
- Environmental considerations, such as time, location, or system status, might affect access decisions.
Together, these elements form the authorization services framework, which offers a complete and adaptable access control system. The AuthZEN specification offers a standardized method for transmitting authorization requests from the PEP to the PDP and authorization decisions from the PDP back to the PEP.
Interoperability with Verified Permissions
Verified Permissions is a fully managed solution that combines the functions of a policy store with a PAP and a PDP engine. The underlying infrastructure is managed by AWS, which maintains consistent performance across distributed systems and scales automatically with application demands.
Verified Permissions uses Cedar, an open-source policy language that offers access control that can be mathematically proven. When it is incorporated into an application’s architecture, Verified Permissions acts as the primary decision-making mechanism for authorization requests made through its IsAuthorized API.
When evaluating requests against the stored policies, Verified Permissions considers information including principal attributes, resource attributes, the action type, and environmental factors. The service can also validate OAuth 2.0 JSON Web Tokens against the OpenID Connect provider that issued them when they are used as the principal information, and it can batch several typical authorization requests into a single API call.
This reference implementation lets Verified Permissions and the OpenID AuthZEN protocol work together and integrate seamlessly. It can help you standardize authorization patterns across various AWS services.
AuthZEN Architecture overview
Figure 2 shows the architecture of the suggested AuthZEN interface for Verified Permissions.

The following is the workflow for this architecture:
- The application, acting as the PEP, calls an authenticated authorization API with an access request in AuthZEN-compliant format.
- Amazon API Gateway calls an AWS Lambda authorizer to evaluate the chosen PEP authentication method.
Note: In this solution, an AWS Secrets Manager-generated secret will be used to control access to the API. Examine your threat model and implement extra authentication methods that suit your workload, such as client certificate authentication, OAuth 2.0 bearer tokens, or temporary credentials for AWS Identity and Access Management (IAM).
- The request is forwarded to a Lambda function integration by the API Gateway upon a successful authentication.
- To obtain more metadata and attributes about the entities in the authorization request, the Lambda function makes a query to the entity store, which is a PIP. The resources and the principals are represented by the entities.
- The Lambda function integration converts the AuthZEN-format authorization request into a structured Verified Permissions IsAuthorized request.
- Once Verified Permissions has evaluated the request and returned its authorization decision, the Lambda function converts that decision into an AuthZEN-formatted decision and returns it to the application.
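The request and response translation performed by the Lambda integration in the workflow above, as an added Python example that is not code from the post or from the aws-samples repository. The TodoApp Cedar entity types, the policy store ID placeholder, the sample request, and the fake_is_authorized stand-in for the boto3 is_authorized call are all assumptions; unknown entity types and malformed requests fail closed before the PDP is ever called.

```python
# Assumed Cedar schema types for the AuthZEN interop Todo scenario; unknown types raise KeyError.
ENTITY_TYPES = {"user": "TodoApp::User", "todo": "TodoApp::Todo"}
ACTION_TYPE = "TodoApp::Action"

def _to_cedar_value(v):
    """Wrap a JSON value in the typed AttributeValue form the IsAuthorized context expects."""
    for typ, key in ((bool, "boolean"), (int, "long"), (str, "string")):  # bool before int
        if isinstance(v, typ):
            return {key: v}
    if isinstance(v, list):
        return {"set": [_to_cedar_value(i) for i in v]}
    if isinstance(v, dict):
        return {"record": {k: _to_cedar_value(i) for k, i in v.items()}}
    raise TypeError(f"unsupported context value: {v!r}")

def authzen_to_avp(req, policy_store_id):
    """Build the IsAuthorized request from an AuthZEN evaluation request; raises on malformed input."""
    subject, resource, action = req["subject"], req["resource"], req["action"]
    avp = {
        "policyStoreId": policy_store_id,
        "principal": {"entityType": ENTITY_TYPES[subject["type"]], "entityId": str(subject["id"])},
        "action": {"actionType": ACTION_TYPE, "actionId": action["name"]},
        "resource": {"entityType": ENTITY_TYPES[resource["type"]], "entityId": str(resource["id"])},
    }
    if req.get("context"):
        avp["context"] = {"contextMap": {k: _to_cedar_value(v) for k, v in req["context"].items()}}
    return avp

def evaluate(req, is_authorized, policy_store_id="POLICY_STORE_ID_PLACEHOLDER"):
    """Run one AuthZEN evaluation; is_authorized has the shape of boto3's is_authorized(**kwargs)."""
    try:
        avp_req = authzen_to_avp(req, policy_store_id)
    except (KeyError, TypeError):
        return {"decision": False}  # malformed request: fail closed, do not ask the PDP
    resp = is_authorized(**avp_req)
    # Only an explicit ALLOW becomes true; DENY or an unexpected response is reported as false.
    return {"decision": resp.get("decision") == "ALLOW"}

# Constructed sample request (draft 03 shape) and a stand-in PDP that allows only alice to read todos.
SAMPLE_REQUEST = {"subject": {"type": "user", "id": "alice@acmecorp.com"},
                  "resource": {"type": "todo", "id": "1"}, "action": {"name": "can_read_todos"},
                  "context": {"mfa": True, "ip_ranges": ["10.0.0.0/8"]}}

def fake_is_authorized(**avp_req):
    ok = (avp_req["principal"]["entityId"] == "alice@acmecorp.com"
          and avp_req["action"]["actionId"] == "can_read_todos")
    return {"decision": "ALLOW" if ok else "DENY", "determiningPolicies": [], "errors": []}
```

In the deployed Lambda the fake PDP is replaced by `boto3.client("verifiedpermissions").is_authorized`, which accepts exactly the keyword arguments authzen_to_avp builds.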
Deploy the solution
The authzen-interface-verified-permissions solution can be implemented through the use of the AWS Cloud Development Kit (AWS CDK). The aws-samples/sample-authzen-interface-verified-permissions repository contains solution artefacts.
Deploy the policy store
To store your authorization policies, create a Verified Permissions policy store. The AWS Management Console for Verified Permissions can be used to build a new policy store, or the AWS CDK can be used to deploy the sample policy store.
Deploy AuthZEN interface for Verified Permissions
Next, you connect the Verified Permissions policy store to a sample AuthZEN PDP interface. The Lambda authorizer, the Lambda function integration, and the API Gateway REST API are all included in the PDP.
Test the deployment
The PEP is represented by a series of interoperability scenarios defined by the OpenID AuthZEN working group around an example Todo application. Each API authorization request has a payload specification that you can examine and verify by running AuthZEN’s test runner against the API Gateway endpoint.
It’s your turn to build
Based on the guidelines developed by the OpenID Foundation’s AuthZEN working group, AWS presented an open-source AuthZEN interface for Amazon Verified Permissions in this post. With this solution, developers can easily apply industry-standard authorization procedures while still enjoying the security and scalability advantages of AWS’s managed authorization service.