An overview of the ALFA Abbreviated Language for Authorization and how it accepts authorization requests and produces authorization decisions that are returned to a client.
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
OpenID AuthZEN ALFA PEP-PDP Prior Art
1. 1
axiomatics.com
OpenID AuthZEN Prior Art
ALFA - Abbreviated Language for Authorization
David Brossard, January 2024 | https://www.linkedin.com/company/axiomatics/ | https://www.linkedin.com/in/davidbrossard/
3. 3
axiomatics.com
axiomatics.com
Background
• ALFA is first and foremost a policy language
• ALFA follows NIST’s ABAC special publication
o SP 800-162, Guide to Attribute Based Access Control (ABAC) Definition and Considerations | CSRC
• ALFA is based on XACML
o It uses a lightweight syntax similar to Java
• ALFA leverages the JSON Profile of XACML to send/receive authorization requests
o JSON Profile of XACML 3.0 Version 1.1
• The JSON Profile of XACML references the REST Profile of XACML for the actual transport
o REST Profile of XACML v3.0 Version 1.0
• The transport part (HTTP…) is entirely decoupled from the request/response format.
o They’re 2 different specs (see above)
4. 4
axiomatics.com
axiomatics.com
Use Cases
ALFA supports the same authorization use cases as XACML:
• Binary authorization request
o Can Alice view Document #1?
o Permit ✅/Deny❌/NotApplicable❔/Indeterminate ⚠️
• Batch authorization requests
o Can Alice, Bob, and Carol view, edit, or delete documents #1, 2, 3?
o 3x3x3 decisions are returned
o Batch requests are specified in another profile called the Multiple Decision Profile Version 1.0
• ⚠️Notably, ALFA (and XACML) does not support partial evaluation/search
o This is something vendors have had to build themselves
o Axiomatics has a proprietary API called Reverse Query that implements partial evaluation
5. 5
axiomatics.com
axiomatics.com
Attributes are the core elements of an authorization request
• ALFA is entirely attribute-based
o Therefore, an authorization request is (nearly exclusively) made up of attributes
• An attribute is made up of
o A category e.g. subject
o A datatype e.g. string
o An identifier (a urn) e.g. com.acme.user.name
• Attributes can be multi-valued
o citizenship can contain multiple values e.g. Swiss and Swedish
• ALFA supports
o 4 default categories: subject, action, resource, and environment
– ✅This corresponds to Cedar’s PARC model and AuthZEN’s current subject/resource/action proposal
o A dozen standard datatypes (see https://alfa.guide/alfa-datatypes/)
• ALFA is extensible
o You can add categories and datatypes if you so desire
o In practice, users stick to subject/action/resource/environment and basic datatypes (string, boolean, numbers,
dates)
10. 10
axiomatics.com
axiomatics.com
Features of the Authorization Response
• The response contains an array of results (to be able to support the Multiple Decision Profile)
• Each result contains
o One of 4 possible decisions: Permit ✅/Deny❌/NotApplicable❔/Indeterminate ⚠️
o An optional status that can be used to convey errors e.g. missing attributes or division by zero
o An optional array of obligations and advice
o An optional array of attributes and their values used in the decision making process
o An optional array of identifiers pointing to the policies used in the evaluation process
11. 11
axiomatics.com
axiomatics.com
Additional Features
• An Authorization Request can ask the PDP to return the identifiers of the policies evaluated
o ReturnPolicyIdList
– type boolean; default value is false
– This is useful to trace an evaluation or understand which policy triggered the eventual decision
o CombinedDecision
– type boolean; default value is false
– In the event of a Multiple Decision Request e.g. “Can Alice view and/or edit document #123”, rather than the PDP
returning 2 decisions (Permit, Deny), those decisions can be combined into a single one.
• Policies can contain obligations & advice which are additional statements that may be returned alongside
a decision e.g.
o Permit + obligation to use MFA
o It’s on the PEP to comply with the obligation
13. 13
axiomatics.com
axiomatics.com
Sample Authorization Response with Obligations
{"Response": [{
"Decision": "Deny",
"AssociatedAdvice": [
{
"Id": "tutorial.denyMessage",
"AttributeAssignment": [
{
"AttributeId": "message.denyReason",
"Value": "Sorry, Dave, you can't do that because you do not have a role",
"Category": "urn:oasis:names:tc:xacml:3.0:attribute-category:environment",
}
]
}
]
}]}
This response contains
additional statements called
obligations
14. 14
axiomatics.com
axiomatics.com
Simplifications
• Datatypes that can be inferred from JSON e.g. String, integer, double, boolean do not need to be specified
• Some fields that are mandatory in XACML are optional in the JSON representation and have a default
value
o E.g. XPathVersion (not very useful in a JSON world)
15. 15
axiomatics.com
axiomatics.com
Features ALFA does not have by design
• You cannot ask the PDP to only consider a subset of
policies
o It is not up to the requester to decide what applies to
them
• You cannot send the PDP a policy to execute
o It is configured beforehand through different means (see
PAP-PDP)
• As previously mentioned, no ‘search’ or partial
evaluation
o Vendors e.g. Axiomatics have implemented their own
approach
No, you don’t get to tell
me what the law is.
You cannot ride a
wooden horse on I-401
16. 16
axiomatics.com
axiomatics.com
Things that could be simplified (and that AuthZEN should do)
• Let’s fully drop features and parameters that are really only
meaningful in XACML but not in ALFA or in modern-day XMLless
worlds
• Let’s support 2 decisions only: Permit and Deny
17. 17
axiomatics.com
axiomatics.com
Extending the JSON Profile to support Search
• Essentially, the same request structure could be used.
• One would have to add the desired decision, typically Permit
o What can Alice do?
o Give me the list of items Alice can delete
• Standardizing the request is straightforward
o Standardizing the response is harder
o Is it a filter?
o Is it the list of items?
18. 18
axiomatics.com
axiomatics.com
References
• JSON Profile of XACML 3.0 Version 1.1
• REST Profile of XACML v3.0 Version 1.0
• XACML v3.0 Multiple Decision Profile Version 1.0
• ALFA - the Abbreviated Language for Authorization
• Sample Requests - Postman Collection