{"id":39025,"url":"https://github.com/warrant-dev/awesome-authorization","name":"awesome-authorization","description":"A curated list of information and resources about authorization.","projects_count":54,"last_synced_at":"2026-06-06T13:00:18.059Z","repository":{"id":43044819,"uuid":"440678758","full_name":"warrant-dev/awesome-authorization","owner":"warrant-dev","description":"A curated list of information and resources about authorization.","archived":false,"fork":false,"pushed_at":"2024-12-16T22:35:52.000Z","size":76,"stargazers_count":430,"open_issues_count":2,"forks_count":17,"subscribers_count":9,"default_branch":"main","last_synced_at":"2026-05-04T09:07:36.486Z","etag":null,"topics":["abac","access-control","acl","authorisation","authorization","authz","awesome","awesome-list","fine-grained-access-control","fine-grained-authorization","lists","rbac","resources","role-based-access-control","security"],"latest_commit_sha":null,"homepage":"https://awesome-authorization.warrant.dev/","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"cc0-1.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/warrant-dev.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2021-12-21T23:38:28.000Z","updated_at":"2026-04-21T09:29:47.000Z","dependencies_parsed_at":"2025-04-22T05:18:09.089Z","dependency_job_id":null,"html_url":"https://github.com/warrant-dev/awesome-authorization","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/warrant-dev/awesome-authorization","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/warrant-dev%2Fawesome-authorization","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/warrant-dev%2Fawesome-authorization/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/warrant-dev%2Fawesome-authorization/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/warrant-dev%2Fawesome-authorization/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/warrant-dev","download_url":"https://codeload.github.com/warrant-dev/awesome-authorization/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/warrant-dev%2Fawesome-authorization/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33983046,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-06T02:00:07.033Z","response_time":107,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"created_at":"2024-01-13T14:00:02.362Z","updated_at":"2026-06-06T13:00:18.059Z","primary_language":null,"list_of_lists":false,"displayable":true,"categories":["Security Concerns","Authz In Practice","Useful Articles \u0026 Tutorials","Access Control Models","Overview","Authentication vs. Authorization","Best Practices","Videos \u0026 Talks"],"sub_categories":[],"readme":"\u003cdiv align=\"center\" alt=\"Warrant\"\u003e\n    \u003ca href=\"https://warrant.dev/?utm_source=awesome-authz\" target=\"_blank\"\u003e\n        \u003cimg src=\"https://warrant.dev/images/logo-primary-wide.png\" width=\"300\"\u003e\n    \u003c/a\u003e\n    \u003cbr /\u003e\n    \u003cbr /\u003e\n\u003c/div\u003e\n\n# Awesome Authorization [![Awesome](https://awesome.re/badge-flat2.svg)](https://awesome.re) [![GitHub Repo stars](https://img.shields.io/github/stars/warrant-dev/awesome-authorization?style=social)](https://github.com/warrant-dev/awesome-authorization)\n\n\u003e A curated list of information and best practices for authorization and access control.\n\n## Contents\n- [Overview](#overview)\n- [Authentication vs. Authorization](#authentication-vs-authorization)\n- [Access Control Models](#access-control-models)\n- [Security Concerns](#security-concerns)\n- [Best Practices](#best-practices)\n- [Useful Articles \u0026 Tutorials](#useful-articles--tutorials)\n- [Authz In Practice](#authz-in-practice)\n- [Videos \u0026 Talks](#videos--talks)\n\n---\n\n## Overview\n- [NIST Authorization Definition](https://csrc.nist.gov/glossary/term/authorization) - \"The process of verifying that a requested action or service is approved for a specific entity\".\n\n## Authentication vs. Authorization\n- [Authentication](https://en.wikipedia.org/wiki/Authentication) - Determines *who* someone or something is (identity).\n- [Authorization](https://en.wikipedia.org/wiki/Authorization) - Determines *what* someone or something can do in a system (privileges and permissions).\n- [Understanding Authentication, Authorization, and Encryption](https://www.bu.edu/tech/about/security-resources/bestpractice/auth/) - Quick comparison of authn, authz and encryption.\n\n## Access Control Models\n- [ABAC](https://en.wikipedia.org/wiki/Attribute-based_access_control) - Attribute based access control.\n- [DAC](https://en.wikipedia.org/wiki/Discretionary_access_control) - Discretionary access control.\n- [GBAC](https://en.wikipedia.org/wiki/Graph-based_access_control) - Graph based access control.\n- [MAC](https://en.wikipedia.org/wiki/Mandatory_access_control) - Mandatory access control.\n- [OrBAC](https://en.wikipedia.org/wiki/Organisation-based_access_control) - Organization based access control.\n- [ReBAC](https://www.scaledaccess.com/whitepapers/the-developers-guide-to-relationship-based-access-control) - Relationship based access control.\n- [RBAC](https://en.wikipedia.org/wiki/Role-based_access_control) - Role based access control.\n\n## Security Concerns\n- [OWASP API Security Top 10 2019](https://owasp.org/www-project-api-security/) - List of the top 10 security risks for APIs.\n- [OWASP Top 10 for 2021](https://owasp.org/Top10/) - List of the top 10 web application security risks. Broken access control is [#1](https://owasp.org/Top10/A01_2021-Broken_Access_Control/) on the list.\n- Insecure Direct Object Reference\n  - [The Rise of IDOR](https://www.hackerone.com/resources/hackerone/the-rise-of-idor)\n  - [What is IDOR?](https://portswigger.net/web-security/access-control/idor)\n  - [Broken Object Level Authorization](https://apisecurity.io/encyclopedia/content/owasp/api1-broken-object-level-authorization)\n  - [Identity Thieves Bypassed Experian Security to View Credit Reports](https://krebsonsecurity.com/2023/01/identity-thieves-bypassed-experian-security-to-view-credit-reports/)\n- [Broken Function Level Authorization](https://apisecurity.io/encyclopedia/content/owasp/api5-broken-function-level-authorization) - API incorrectly relies on the client to use the correct access level making it susceptible to hackers.\n- [Building a Modern Zero Trust Strategy](https://thenewstack.io/ebooks/security/trust-no-one-and-automate-almost-everything-building-a-modern-zero-trust-strategy) - Overview of 'zero trust' security by [Newstack](https://thenewstack.io/). (Need to enter email to download e-book)\n- [Retrospective on Coinbase Trading IDOR Vuln](https://blog.coinbase.com/retrospective-recent-coinbase-bug-bounty-award-9f127e04f060) - Retrospective by the Coinbase team detailing remediation of an IDOR/validation bug found via bug bounty.\n- [Why Broken Access Control is the Most Severe Vulnerability](https://infosecwriteups.com/why-broken-access-control-is-the-most-severe-vulnerability-2223baf9bb48) - Overview of broken access control exploits including IDOR as well as best practices.\n- [Millions of people's data stolen because web devs forget to check access perms](https://www.theregister.com/2023/07/29/cisa_nsa_idor_australia/) - CISA, NSA and the Australian Cyber Security Centre alert on the prevalence and danger of IDOR attacks.\n\n## Best Practices\n- [OWASP Authorization Cheat Sheet \u0026 Recommendations](https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet.html) - Authz overview and recommendations for best practices.\n  - Enforce least privileges and deny by default - Ensure that users and systems only have access to what they need and nothing else.\n  - As fine-grained as possible - Authorization checks should be as specific as possible. Ideally, this means the system has the ability to check access based on specific records and resources.\n  - Implement once and reuse - Keep authz logic in one place to ensure consistent checks and to prevent missed cases and potential security holes.\n  - Maintain an audit log - Keep an authorization log (allow/deny) to track access and conduct audits where necessary.\n\n## Useful Articles \u0026 Tutorials\n- [API Tokens: A Tedious Survey](https://fly.io/blog/api-tokens-a-tedious-survey/) - An overview of different approaches to API security.\n- [Ask HN: Best Practices for Web Authorization? (2016)](https://news.ycombinator.com/item?id=11151790) - HN discussion about application authorization best practices.\n- [Authorization in a Microservices World](https://www.alexanderlolis.com/authorization-in-a-microservices-world) - Covers approaches to authorization in microservices.\n- [AWS - Authz \u0026 Access Control for SaaS Multi-tenant Apps](https://docs.aws.amazon.com/prescriptive-guidance/latest/saas-multitenant-api-access-authorization/welcome.html) - How-to/implementation guide for authz in multi-tenant apps using AWS.\n- [Best Practices for Building Secure API Keys](https://www.freecodecamp.org/news/best-practices-for-building-api-keys-97c26eabfea9/) - Covers hashing, storage and key retrieval.\n- [How To Structure Permissions In A SaaS App](https://heap.io/blog/structure-permissions-saas-app) - Talks about approaches to RBAC, ACLs etc in SaaS apps.\n- [Permissions Systems: Category Notes](https://kojo.blog/permissions-sytems/) - An overview of the permissions systems landscape.\n- [Web App Access Control Design](https://owasp.org/www-pdf-archive/ASDC12-Access_Control_Designs_and_Pitfalls.pdf) - A presentation highlighting best practices for implementing access control in web apps.\n- [What Do Authentication and Authorization Mean in Zero Trust?](https://thenewstack.io/what-do-authentication-and-authorization-mean-in-zero-trust/) - How to think about Authn and Authz within a Zero Trust Architecture.\n- [Feature Flags and Authorization Abstract the Same Concept](https://ntietz.com/blog/feature-flags-and-authorization/) - A blog post comparing the many similarities and subtle differences between feature flagging and authorization.\n\n## Authz In Practice\n- [What's the Best Authorization Framework? None At All](https://www.betterment.com/engineering/security-framework) - Opinionated blog post detailing Betterment's approach to authz.\n- [GitHub Secret Scanning](https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning) - How GitHub scans repos to search for exposed secrets.\n- [Open Policy Agent](https://www.openpolicyagent.org/) - A policy-based framework for authorization and access control.\n- [Stripe API Docs](https://stripe.com/docs/keys) - Stripe's approach to issuing and managing API keys securely.\n- [XACML](https://en.wikipedia.org/wiki/XACML) - Standard that defines the \"Extensible Access Control Markup Language,\" a declarative fine-grained, attribute-based access control policy language.\n  - [Intuit AuthZ](https://medium.com/intuit-engineering/authz-intuits-unified-dynamic-authorization-system-bea554d18f91) - Post detailing Intuit's implementation of an XACML-based authz service.\n- [Google Zanzibar](https://research.google/pubs/pub48190/) - Google's consistent, global authorization system.\n  - [Why Google Zanzibar Shines at Building Authorization](https://workos.com/blog/google-zanzibar-authorization) - A blog post detailing why Google Zanzibar is especially well suited to solving application authorization.\n  - [Airbnb Himeji](https://medium.com/airbnb-engineering/himeji-a-scalable-centralized-system-for-authorization-at-airbnb-341664924574) - Based on Zanzibar.\n  - [Carta AuthZ](https://medium.com/building-carta/authz-cartas-highly-scalable-permissions-system-782a7f2c840f) - Also based on Zanzibar.\n- [Securing Apache Airflow UI With DAG Level Access](https://eng.lyft.com/securing-apache-airflow-ui-with-dag-level-access-a7bc649a2821) - How Lyft set up fine-grained (DAG-level) access control on top of Apache Airflow.\n- [Authorization Solutions for Microservices Architecture](https://medium.com/appsflyerengineering/authorization-solution-for-microservices-architecture-a2ac0c3c510b) - How AppsFlyer approaches authz in their microservices architecture.\n- [Reddit - Evolving Authorization for Our Advertising Platform](https://www.reddit.com/r/RedditEng/comments/13vttm8/evolving_authorization_for_our_advertising/) - Summary of Reddit's internal fine-grained authz system built for the advertising platform.\n- [Authorization at LinkedIn’s Scale](https://engineering.linkedin.com/blog/2019/03/authorization-at-linkedins-scale) - Summary of LinkedIn's high-performance authz system used within its microservices architecture.\n- [Attribute-Based Access Control at Uber](https://www.uber.com/blog/attribute-based-access-control-at-uber/) - Summary of Uber's internal, centralized ABAC system used within its microservices architecture.\n- [Learnings from Building a Simple Authorization System (ABAC)](https://www.ubicloud.com/blog/learnings-from-building-a-simple-authorization-system-abac) - Ubicloud's learnings from building a simple ABAC authz system.\n- [How We Built a Custom Permissions DSL at Figma](https://www.figma.com/blog/how-we-rolled-out-our-own-permissions-dsl-at-figma/) - Summary of how Figma built a custom permissions DSL for their product.\n\n## Videos \u0026 Talks\n- [Hashicorp - Microservice Authentication and Authorization (2019)](https://www.youtube.com/watch?v=ZjPF8yZ83Wo)\n- [How Netflix Is Solving Authorization Across Their Cloud (2017)](https://www.youtube.com/watch?v=R6tUNpRpdnY)\n- [Deloitte - How Zero Trust Architecture Can Be Strengthened with ABAC (2022)](https://www.youtube.com/watch?v=-XFn85HtVDA)\n- [@Scale 2019 - Zanzibar: Google’s Consistent, Global Authorization System](https://www.facebook.com/atscaleevents/videos/scale-2019-zanzibar-googles-consistent-global-authorization-system/524366141717632/)\n","projects_url":"https://awesome.ecosyste.ms/api/v1/lists/warrant-dev%2Fawesome-authorization/projects"}