Architecting Application Authorisation

-

In the modern digital landscape, application authorisation has evolved from a simple gatekeeper to a complex, nuanced system crucial for security, user experience, and compliance. Gone are the days of basic "yes/no" access controls; today's applications demand granular permissions, delegated authority, and seamless integration across diverse platforms. Architecting application authorisation effectively requires a deep understanding of authentication flows, permission models like RBAC and ABAC, and technologies like OAuth 2.0 and OpenID Connect. This guide dives into the critical considerations and best practices for building robust, scalable, and user-friendly authorisation architectures, empowering you to secure your applications without compromising usability or innovation.

OPA


Microservices

UI


Within browser

What is ABAC


Examples:


Comments

Post a Comment

Popular posts from this blog

Setting up a global .gitignore on a Mac

-
I work with multiple OSes, programming languages and frameworks so here is a tip on keeping your git repos clean. I create a global .gitignore file to exclude platform related files (OS and IDE) and then when I create a new project I create a project specific .gitignore for the project related files which is specific to the languages and frameworks I am using in the project. Creating a global gitignore on a Mac You may name the file and place it where you want. I typically just name it .gitignore and store at '~/.gitignore'. Set it by running the following in a terminal: git config --global core.excludesfile '~/.gitignore' Example global gitignore Here is my global which I place at '~/.gitignore' Project specific gitignore GitHub have created a repo as a guide for what to include in your .gitignore for specific languages and frameworks: https://github.com/github/gitignore .
Read more

API Security Best Practices

-
Good kick off point https://owasp.org/www-project-api-security/ https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html https://github.com/OWASP/wstg https://stackoverflow.blog/2021/10/06/best-practices-for-authentication-and-authorization-for-rest-apis/ Around the industry https://www.f5.com/labs/learning-center/securing-apis-10-best-practices-for-keeping-your-data-and-infrastructure-safe https://blog.axway.com/learning-center/digital-security/keys-oauth/api-security-best-practices https://curity.io/resources/learn/api-security-best-practices/ https://medium.com/apis-and-digital-transformation/best-practices-for-building-secure-apis-2b4eb8071d41 https://learn.microsoft.com/en-us/azure/api-management/mitigate-owasp-api-threats https://learn.microsoft.com/en-us/dotnet/architecture/microservices/secure-net-microservices-web-applications/ State of API Security https://content.salt.security/gartner-2022-predicts https://content.salt.security/state-api-report.html Serv...
Read more

Step-up authentication

-
Standards based approach Step-up authentication with OAuth and OpenID Connect OAuth 2.0 Step Up Authentication Challenge Protocol How does Okta do it? Step-up authentication using ACR values Configure Direct Authentication grant types Developer Documentation How does Authlete do it? OAuth 2.0 Step-up Authentication Challenge Protocol OAuth OAuth 2.1 OAuth 2.0 Security Best Current Practice FAPI 2.0
Read more