Awesome Authorization

A curated list of information and best practices for authorization and access control.

Overview

NIST Authorization Definition - "The process of verifying that a requested action or service is approved for a specific entity".

Authentication - Determines who someone or something is (identity).
Authorization - Determines what someone or something can do in a system (privileges and permissions).
Understanding Authentication, Authorization, and Encryption - Quick comparison of authn, authz and encryption.

OWASP API Security Top 10 2019 - List of the top 10 security risks for APIs.
OWASP Top 10 for 2021 - List of the top 10 web application security risks. Broken access control is #1 on the list.
Insecure Direct Object Reference
Broken Function Level Authorization - API incorrectly relies on the client to use the correct access level making it susceptible to hackers.
Building a Modern Zero Trust Strategy - Overview of 'zero trust' security by Newstack. (Need to enter email to download e-book)

OWASP Authorization Cheat Sheet & Recommendations - Authz overview and recommendations for best practices.
- Enforce least privileges and deny by default - Ensure that users and systems only have access to what they need and nothing else.
- As fine-grained as possible - Authorization checks should be as specific as possible. Ideally, this means the system has the ability to check access based on specific records and resources.
- Implement once and reuse - Keep authz logic in one place to ensure consistent checks and to prevent missed cases and potential security holes.
- Maintain an audit log - Keep an authorization log (allow/deny) to track access and conduct audits where necessary.

API Tokens: A Tedious Survey - An overview of different approaches to API security.
Ask HN: Best Practices for Web Authorization? (2016) - HN discussion about application authorization best practices.
Authorization in a Microservices World - Covers approaches to authorization in microservices.
AWS - Authz & Access Control for SaaS Multi-tenant Apps - How-to/implementation guide for authz in multi-tenant apps using AWS.
Best Practices for Building Secure API Keys - Covers hashing, storage and key retrieval.
How To Structure Permissions In A SaaS App - Talks about approaches to RBAC, ACLs etc in SaaS apps.
Implementing Role Based Access Control - How-to/implementation guide for basic RBAC in an application.
Permissions Systems: Category Notes - An overview of the permissions systems landscape.
Web App Access Control Design - A presentation highlighting best practices for implementing access control in web apps.

What's the Best Authorization Framework? None At All - Opinionated blog post detailing Betterment's approach to authz.
GitHub Secret Scanning - How GitHub scans repos to search for exposed secrets.
Open Policy Agent - A policy-based framework for authorization and access control.
Stripe API Docs - Stripe's approach to issuing and managing API keys securely.
XACML - Standard that defines the "Extensible Access Control Markup Language," a declarative fine-grained, attribute-based access control policy language.
- Intuit AuthZ - Post detailing Intuit's implementation of an XACML-based authz service.
Google Zanzibar - Google's consistent, global authorization system.
- Airbnb Himeji - Based on Zanzibar.
- Carta AuthZ - Also based on Zanzibar.