Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/warrant-dev/awesome-authorization
A curated list of information and resources about authorization.
https://github.com/warrant-dev/awesome-authorization
List: awesome-authorization
abac access-control acl authorisation authorization authz awesome awesome-list fine-grained-access-control fine-grained-authorization lists rbac resources role-based-access-control security
Last synced: about 1 month ago
JSON representation
A curated list of information and resources about authorization.
- Host: GitHub
- URL: https://github.com/warrant-dev/awesome-authorization
- Owner: warrant-dev
- License: cc0-1.0
- Created: 2021-12-21T23:38:28.000Z (almost 3 years ago)
- Default Branch: main
- Last Pushed: 2024-04-01T17:34:07.000Z (9 months ago)
- Last Synced: 2024-05-22T10:15:03.009Z (7 months ago)
- Topics: abac, access-control, acl, authorisation, authorization, authz, awesome, awesome-list, fine-grained-access-control, fine-grained-authorization, lists, rbac, resources, role-based-access-control, security
- Homepage: https://awesome-authorization.warrant.dev/
- Size: 68.4 KB
- Stars: 378
- Watchers: 11
- Forks: 13
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- Contributing: CONTRIBUTING.md
- License: LICENSE
Awesome Lists containing this project
- ultimate-awesome - awesome-authorization - A curated list of information and resources about authorization. (Other Lists / Monkey C Lists)
README
# Awesome Authorization [![Awesome](https://awesome.re/badge-flat2.svg)](https://awesome.re) [![GitHub Repo stars](https://img.shields.io/github/stars/warrant-dev/awesome-authorization?style=social)](https://github.com/warrant-dev/awesome-authorization)
> A curated list of information and best practices for authorization and access control.
## Contents
- [Overview](#overview)
- [Authentication vs. Authorization](#authentication-vs-authorization)
- [Access Control Models](#access-control-models)
- [Security Concerns](#security-concerns)
- [Best Practices](#best-practices)
- [Useful Articles & Tutorials](#useful-articles--tutorials)
- [Authz In Practice](#authz-in-practice)
- [Videos & Talks](#videos--talks)---
## Overview
- [NIST Authorization Definition](https://csrc.nist.gov/glossary/term/authorization) - "The process of verifying that a requested action or service is approved for a specific entity".## Authentication vs. Authorization
- [Authentication](https://en.wikipedia.org/wiki/Authentication) - Determines *who* someone or something is (identity).
- [Authorization](https://en.wikipedia.org/wiki/Authorization) - Determines *what* someone or something can do in a system (privileges and permissions).
- [Understanding Authentication, Authorization, and Encryption](https://www.bu.edu/tech/about/security-resources/bestpractice/auth/) - Quick comparison of authn, authz and encryption.## Access Control Models
- [ABAC](https://en.wikipedia.org/wiki/Attribute-based_access_control) - Attribute based access control.
- [DAC](https://en.wikipedia.org/wiki/Discretionary_access_control) - Discretionary access control.
- [GBAC](https://en.wikipedia.org/wiki/Graph-based_access_control) - Graph based access control.
- [MAC](https://en.wikipedia.org/wiki/Mandatory_access_control) - Mandatory access control.
- [OrBAC](https://en.wikipedia.org/wiki/Organisation-based_access_control) - Organization based access control.
- [ReBAC](https://www.scaledaccess.com/whitepapers/the-developers-guide-to-relationship-based-access-control) - Relationship based access control.
- [RBAC](https://en.wikipedia.org/wiki/Role-based_access_control) - Role based access control.## Security Concerns
- [OWASP API Security Top 10 2019](https://owasp.org/www-project-api-security/) - List of the top 10 security risks for APIs.
- [OWASP Top 10 for 2021](https://owasp.org/Top10/) - List of the top 10 web application security risks. Broken access control is [#1](https://owasp.org/Top10/A01_2021-Broken_Access_Control/) on the list.
- Insecure Direct Object Reference
- [IDOR & How to Protect Against It](https://blog.warrant.dev/insecure-direct-object-reference)
- [The Rise of IDOR](https://www.hackerone.com/resources/hackerone/the-rise-of-idor)
- [What is IDOR?](https://portswigger.net/web-security/access-control/idor)
- [Broken Object Level Authorization](https://apisecurity.io/encyclopedia/content/owasp/api1-broken-object-level-authorization)
- [Identity Thieves Bypassed Experian Security to View Credit Reports](https://krebsonsecurity.com/2023/01/identity-thieves-bypassed-experian-security-to-view-credit-reports/)
- [Broken Function Level Authorization](https://apisecurity.io/encyclopedia/content/owasp/api5-broken-function-level-authorization) - API incorrectly relies on the client to use the correct access level making it susceptible to hackers.
- [Building a Modern Zero Trust Strategy](https://thenewstack.io/ebooks/security/trust-no-one-and-automate-almost-everything-building-a-modern-zero-trust-strategy) - Overview of 'zero trust' security by [Newstack](https://thenewstack.io/). (Need to enter email to download e-book)
- [Retrospective on Coinbase Trading IDOR Vuln](https://blog.coinbase.com/retrospective-recent-coinbase-bug-bounty-award-9f127e04f060) - Retrospective by the Coinbase team detailing remediation of an IDOR/validation bug found via bug bounty.
- [Why Broken Access Control is the Most Severe Vulnerability](https://infosecwriteups.com/why-broken-access-control-is-the-most-severe-vulnerability-2223baf9bb48) - Overview of broken access control exploits including IDOR as well as best practices.
- [Millions of people's data stolen because web devs forget to check access perms](https://www.theregister.com/2023/07/29/cisa_nsa_idor_australia/) - CISA, NSA and the Australian Cyber Security Centre alert on the prevalence and danger of IDOR attacks.## Best Practices
- [OWASP Authorization Cheat Sheet & Recommendations](https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet.html) - Authz overview and recommendations for best practices.
- Enforce least privileges and deny by default - Ensure that users and systems only have access to what they need and nothing else.
- As fine-grained as possible - Authorization checks should be as specific as possible. Ideally, this means the system has the ability to check access based on specific records and resources.
- Implement once and reuse - Keep authz logic in one place to ensure consistent checks and to prevent missed cases and potential security holes.
- Maintain an audit log - Keep an authorization log (allow/deny) to track access and conduct audits where necessary.## Useful Articles & Tutorials
- [API Tokens: A Tedious Survey](https://fly.io/blog/api-tokens-a-tedious-survey/) - An overview of different approaches to API security.
- [Ask HN: Best Practices for Web Authorization? (2016)](https://news.ycombinator.com/item?id=11151790) - HN discussion about application authorization best practices.
- [Authorization in a Microservices World](https://www.alexanderlolis.com/authorization-in-a-microservices-world) - Covers approaches to authorization in microservices.
- [AWS - Authz & Access Control for SaaS Multi-tenant Apps](https://docs.aws.amazon.com/prescriptive-guidance/latest/saas-multitenant-api-access-authorization/welcome.html) - How-to/implementation guide for authz in multi-tenant apps using AWS.
- [Best Practices for Building Secure API Keys](https://www.freecodecamp.org/news/best-practices-for-building-api-keys-97c26eabfea9/) - Covers hashing, storage and key retrieval.
- [How To Structure Permissions In A SaaS App](https://heap.io/blog/structure-permissions-saas-app) - Talks about approaches to RBAC, ACLs etc in SaaS apps.
- [Implementing Role Based Access Control](https://blog.warrant.dev/implementing-role-based-access-control) - How-to/implementation guide for basic RBAC in an application.
- [Permissions Systems: Category Notes](https://kojo.blog/permissions-sytems/) - An overview of the permissions systems landscape.
- [Web App Access Control Design](https://owasp.org/www-pdf-archive/ASDC12-Access_Control_Designs_and_Pitfalls.pdf) - A presentation highlighting best practices for implementing access control in web apps.
- [What Do Authentication and Authorization Mean in Zero Trust?](https://thenewstack.io/what-do-authentication-and-authorization-mean-in-zero-trust/) - How to think about Authn and Authz within a Zero Trust Architecture.
- [Feature Flags and Authorization Abstract the Same Concept](https://ntietz.com/blog/feature-flags-and-authorization/) - A blog post comparing the many similarities and subtle differences between feature flagging and authorization.## Authz In Practice
- [What's the Best Authorization Framework? None At All](https://www.betterment.com/engineering/security-framework) - Opinionated blog post detailing Betterment's approach to authz.
- [GitHub Secret Scanning](https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning) - How GitHub scans repos to search for exposed secrets.
- [Open Policy Agent](https://www.openpolicyagent.org/) - A policy-based framework for authorization and access control.
- [Stripe API Docs](https://stripe.com/docs/keys) - Stripe's approach to issuing and managing API keys securely.
- [XACML](https://en.wikipedia.org/wiki/XACML) - Standard that defines the "Extensible Access Control Markup Language," a declarative fine-grained, attribute-based access control policy language.
- [Intuit AuthZ](https://medium.com/intuit-engineering/authz-intuits-unified-dynamic-authorization-system-bea554d18f91) - Post detailing Intuit's implementation of an XACML-based authz service.
- [Google Zanzibar](https://research.google/pubs/pub48190/) - Google's consistent, global authorization system.
- [Why Google Zanzibar Shines at Building Authorization](https://blog.warrant.dev/why-zanzibar-shines-at-building-authorization/) - A blog post detailing why Google Zanzibar is especially well suited to solving application authorization.
- [Airbnb Himeji](https://medium.com/airbnb-engineering/himeji-a-scalable-centralized-system-for-authorization-at-airbnb-341664924574) - Based on Zanzibar.
- [Carta AuthZ](https://medium.com/building-carta/authz-cartas-highly-scalable-permissions-system-782a7f2c840f) - Also based on Zanzibar.
- [Securing Apache Airflow UI With DAG Level Access](https://eng.lyft.com/securing-apache-airflow-ui-with-dag-level-access-a7bc649a2821) - How Lyft set up fine-grained (DAG-level) access control on top of Apache Airflow.
- [Authorization Solutions for Microservices Architecture](https://medium.com/appsflyerengineering/authorization-solution-for-microservices-architecture-a2ac0c3c510b) - How AppsFlyer approaches authz in their microservices architecture.
- [Reddit - Evolving Authorization for Our Advertising Platform](https://www.reddit.com/r/RedditEng/comments/13vttm8/evolving_authorization_for_our_advertising/) - Summary of Reddit's internal fine-grained authz system built for the advertising platform.
- [Authorization at LinkedIn’s Scale](https://engineering.linkedin.com/blog/2019/03/authorization-at-linkedins-scale) - Summary of LinkedIn's high-performance authz system used within its microservices architecture.
- [Attribute-Based Access Control at Uber](https://www.uber.com/blog/attribute-based-access-control-at-uber/) - Summary of Uber's internal, centralized ABAC system used within its microservices architecture.
- [Learnings from Building a Simple Authorization System (ABAC)](https://www.ubicloud.com/blog/learnings-from-building-a-simple-authorization-system-abac) - Ubicloud's learnings from building a simple ABAC authz system.
- [How We Built a Custom Permissions DSL at Figma](https://www.figma.com/blog/how-we-rolled-out-our-own-permissions-dsl-at-figma/) - Summary of how Figma built a custom permissions DSL for their product.## Videos & Talks
- [Hashicorp - Microservice Authentication and Authorization (2019)](https://www.youtube.com/watch?v=ZjPF8yZ83Wo)
- [How Netflix Is Solving Authorization Across Their Cloud (2017)](https://www.youtube.com/watch?v=R6tUNpRpdnY)
- [Deloitte - How Zero Trust Architecture Can Be Strengthened with ABAC (2022)](https://www.youtube.com/watch?v=-XFn85HtVDA)
- [@Scale 2019 - Zanzibar: Google’s Consistent, Global Authorization System](https://www.facebook.com/atscaleevents/videos/scale-2019-zanzibar-googles-consistent-global-authorization-system/524366141717632/)