Five open-source projects to secure access to your applications
Aug 23rd, 2023
Glenn Block
Authorization
If you are like most devs, then securing your applications is one of those things that you do not want to (and should not) handle yourself.
Done right, the system is protected. Done wrong and you've compromised your users and left them vulnerable to one of the many attacks that are constantly in the news.
Both AuthN and AuthZ go hand in hand. Authentication without authorization means that you control who is accessing the app, but not what they can access. Without authorization, every user is an admin, or super-user - they can do anything.
It is very easy to implement both of these wrong. Fortunately there are solutions out there to help you, including a robust set of OSS tools.
Here are five open-source projects to help you get started with addressing your authentication and authorization needs:
Authentication
Authentication is your app’s first line of defense. The process focuses on securing access to your application by verifying that the user is who they claim to be prior to logging them in. Single sign-on (SSO), multi-factor authentication (MFA), passwordless, biometrics, and magic links are all ways to authenticate users and secure login to your application.
To use a real-world analogy, when you check-in to a hotel you authenticate yourself with a valid ID. Your ID alone isn’t enough to get you into your room (you also need a valid reservation at a minimum), but it ensures the hotel knows your true identity.
Here are two standards-based open-source authentication systems for the different phases of your application:
Keycloak
Keycloak is a Java-based open-source application authentication project developed and maintained by Red Hat. It provides SSO, user management, and user federation capabilities. It is similar to other authentication platforms and identity providers, such as Auth0, Okta, and Forgerock.
Keycloak is a great way to get started with implementing IAM for your applications, as it offers a set of powerful features that you won’t easily outgrow.
Learn more about Keycloak in their community Slack channel.
Dex
If you already use an identity provider, Dex is a Go-based open-source service that uses OpenID Connect to authenticate users for other applications. It is a CNCF sandbox project that works with any application that supports OIDC. It adds an array of protocols for querying the authentication platforms and identity providers it is connected to.
Dex is a great tool for organizations that use multiple identity providers, or directories, or have a combination of legacy and cloud-native systems.
Learn more about Dex in their community Slack channel.
Authorization
This is your application’s second line of defense. Authorization is the process of securing access to protected resources of the application. You can think of authentication as “stage zero” of the authorization process. Once a user has been authenticated, authorization focuses on verifying that the user should be able to access the resources they are trying to access, as they engage with the application.
In our hotel analogy, authorization would be the step when you are issued a keycard based on context (your reservation and personal information). The keycard will provide you with access to your room, but not others. It will also provide access to the relevant facilities (e.g. gym, pool, breakfast, meeting lounge) based on your reservation and hotel membership tier.
As you can see, authorization is downstream to authentication and is a far more complex and novel problem than authentication. Since authorization solutions are a relatively new phenomenon, applications were traditionally forced to build their own authorization system from scratch. Fortunately, there are some new projects that can help.
Here are three cloud-native, open-source authorization projects to help you build your application authorization system:
Open Policy Agent (OPA)
Open Policy Agent (OPA) provides a general purpose decision engine for enforcing authorization logic, along with a domain specific language for writing that logic as authorization policies (Rego). These policies are stored and versioned in their own repos and treated like any other code.
OPA is a mature project (a CNCF graduated project) that is mostly used for authorizing access to infrastructure, such as Kubernetes admission control. It is extremely flexible and tends to be used with attribute-based systems. But flexibility also means that you have no guardrails. OPA also lacks a data plane for getting authorization data to the decision engine, which means you need to solve this problem yourself.
Learn more about OPA in their community Slack channel.
Bonus: Open Policy Containers (OPCR)
If you are using OPA policies, you need Open policy containers (OPCR). OPCR is an open-source project that secures the lifecycle of OPA policies. It is a CNCF sandbox project that adds the ability to push, pull, tag, test, and sign OPA policies just like you would any OCI (Docker) container. This helps you treat policies as immutable, versioned, signed images, helping provide a secure software supply chain for these important artifacts.
OpenFGA
OpenFGA is a CNCF sandbox project that provides a relationship-based access control (ReBAC) system, inspired by Google’s authorization system, Zanzibar. In ReBAC systems, permissions are based on relationships between subjects (users/groups) and application resources. They are also graph-based systems, built for scale and speed.
Google Docs is one well known example of a ReBAC system. Resource owners can share files and folders with other users, and determine what actions are available to those users (view, comment, or edit).
OpenFGA is a great project to get your going with ReBAC. But, if you’d like to combine relationships and attributes, so you can gate access based on the department or title of the user, their location, network (VPN/public), or device, you’ll have to look for an alternative, like Topaz.
Learn more about OpenFGA in their community Discord channel.
Topaz
Topaz is an open-source, standalone authorization system. It supports attribute-based systems with OPA policies, and has an embedded relationship database to provide support for ReBAC and RBAC.
Topaz is a great project for implementing fine-grained access controls in your applications. Its relationship database and support for OPA policies mean you can seamlessly evolve your policy as your needs evolve in complexity.
Learn more about Topaz in our community Slack channel.
Conclusion
Every application needs both login and access controls to be secure. You can’t just walk into a bank and open the vault, nor do you get access to every room in a hotel. In the digital world, you don’t want every user to be a super-user and be given the keys to the kingdom as soon as they login. Fortunately, you don’t have to.
In this post, we shared five open-source tools you can use to secure access to your applications and application resources. We hope you find this post useful and we’d love to hear from you. Drop us a line here, or join our community Slack.
Glenn Block
Related Content
Netflix authorizes extra members using environmental attributes
Netflix recently rolled out a system to combat account sharing, on a global scale. The enforcement system uses environmental attributes to determine access. This is a great real-world use-case for an attribute-based access control (ABAC) system. Get all the details in the post!
Sep 27th, 2023
The power of externalized authorization
Eternalizing authorization into a purpose built service has many benefits. In this post, we describe those benefits and demonstrated the power of externalized authorization, namely the ability to add or change functionality based on policy change alone and without re-deploying the application.
Oct 11th, 2023
Using scopes vs. permissions for application authorization
One of the earliest authorization patterns applications implement bases access on OAuth 2.0 scopes that are embedded in access tokens issued by an identity provider. While convenient, this method has significant limitations. In this post, we describe those limitations and provide alternatives for managing application permissions.
Oct 18th, 2023