Auth0

In this audio conversation, Vittorio Bertocci and Damian Schenkelman discuss identity, OAuth2, JSON Web Tokens (JWTs) and what you can and can't do with those for various authorization scenarios. Like this episode? Be sure to leave a five-star review and share Authorization in Software with your network! You can connect with Damian on Twitter at <a href="https://twitter.com/dschenkelman" rel="noopener noreferrer" target="_blank">@dschenkelman</a>, or reach the Auth0 team focused on Fine Grained Authorization at <a href="https://twitter.com/auth0lab" rel="noopener noreferrer" target="_blank">@auth0lab</a>.

Vittorio Bertocci is a Principal Architect in Auth0 and host of the Identity, Unlocked podcast. Before Auth0, he had a lengthy career with Microsoft, where Vittorio worked with Fortune 100 and Global 100 companies, including working on Microsoft’s Azure Active Directory team as principal program manager focusing on the developer experience. He contributed to the inception and launch of Microsoft’s claims-based platform components (Windows Identity Foundation and ADFS, ADAL and MSAL SDKs, ASP.NET middleware). Vittorio is a well known speaker, educator and published author.

Vittorio Bertocci

Principal Architect @ Auth0

Damian Schenkelman hosts Authorization in Software. Damian is a Principal Engineer at Auth0's Office of the CTO, where he does research and development of forward looking products. One of his focuses is Authorization at scale. Before Auth0, Damian spent many years working for and at Microsoft on Azure, Media and patterns & practices related initiatives. He spends his spare time with family, friends, exercising and catching up on all things NBA.

Damian Schenkelman

Principal Engineer @ Auth0

In this audio conversation, Vittorio Bertocci and Damian Schenkelman discuss identity, OAuth2, JSON Web Tokens (JWTs) and what you can and can't do with those for various authorization scenarios.


Authorization with OAuth 2 and its limitations

In this first Authorization in Software chat, host Damian Schenkelman, Principal Engineer at Auth0 is joined by Vittorio Bertocci. Vittorio joins the show to discuss identity, OAuth2, JSON Web Tokens (JWTs) and what you can and can't do with those for various authorization scenarios.


This episode explores the concept of Topaz, an authorization engine that unites policy as code, relationship-based authorization models like Zanzibar, and real-time decision-making. We discuss how Topaz is designed to handle fine-grained authorization, crucial in today's zero-trust environments, by making local decisions over local data. Omri discusses the architecture of Topaz, including its use of Open Policy Agent (OPA) and a triple store model for data. You will gain insight into the challenges of authorization, the importance of keeping data and policies synchronized, and how Topaz addresses these issues. The conversation also touches on the practical aspects of implementing Topaz, such as data source integration, deployment models, and the flexibility it offers for different organizational needs. This episode is essential for anyone interested in the latest trends and tools in software authorization, providing a comprehensive look at how Topaz is paving the way for more secure and efficient application development.

Omri is the co-founder and CEO of Aserto.com, an authorization startup, and his third entrepreneurial venture. He's spent the majority of his 30-year career working on developer and infrastructure technology, most recently as the CPO of Puppet. Previously he was the VP and GM of HP's Cloud Native Platform (with business, product, and engineering oversight for OpenStack, Cloud Foundry, CloudSystem products and services), and a General Manager at Microsoft with responsibilities for Azure, SQL Server, Application Server, and the .NET Framework.

Omri Gazitt

Co-founder and CEO of Aserto

Fine Grained Authorization, Open Source and Topaz

Dive into the world of advanced authorization with Gabriel Manor, Head of DevRel and Growth at Permit.io. In this episode of Authorization in Software, Damian Schenkelman engages Gabriel in a discussion on the Open Policy Authorization Layer, better known as OPAL.Damian and Gabriel delve deep into how OPAL enables a structured and effective approach to authorization. They cover the shift from traditional Role-Based Access Control (RBAC) to the more dynamic Attribute-Based Access Control (ABAC), highlighting the need for granular control in modern application environments.This episode is insightful for those interested in understanding the complexities of policy-based authorization systems. It discusses the challenges and benefits of decoupling authorization policies from application code, emphasizing the importance of streamlined policy management for secure and efficient software development.

For the past 10 years, I have been engaged in full-stack development with a strong focus on security. Leveraging my superpower to transform mundane engineering moments into captivating stories, I currently dedicate myself to educating developers on access control at Permit.io.

Gabriel L. Manor

Director of DevRel @ Permit.io

Deep Dive into Open Policy Authorization Layer (OPAL)

In this episode of Authorization in Software, Damian Schenkelman sits down with John Huffaker, Distinguished Engineer at Box. They discuss how Box, a major file-sharing and collaboration platform, approaches authorization.The conversation touches upon:<ul><li>The importance of security for a platform like Box which handles sensitive data for countless users and businesses.</li><li>A look into the different layers of security, including application&nbsp; and infrastructure security.</li><li>The challenges and solutions to ensure that Box remains impenetrable</li><li>A detailed overview of the multiple layers involved in making different kinds of authorization decisions, from viewing files and folders to understanding user permissions and API accesses.</li><li>And more...</li></ul>Tune in to get an inside look at the ways Box keeps their customers' data remains safe and the authorization mechanisms they employ to achieve this.

John Huffaker aka “Huff” is a Distinguished Engineer at Box, a secure, high scale online content collaboration platform targeted at large enterprises as well highly regulated and government customers. Over his 10+ tenure at Box, he’s led a wide scope of work. Initially he launched Box’s metadata platform before moving to successfully launch an internal platform based on early versions of kubernetes based platform in 2014 (k8s version 0.8). During the process, he rode numerous early waves like envoy/service mesh, jsonnet/declarative management, spiffee, calico/tigera, and more. He later moved back to the application backend side of the world (Files, Folders, Users, Enterprises, etc.) including deep permissions and authorization questions. Prior to Box, he worked at a faceted search company and early big data pioneer, Endeca, which was acquired by Oracle in 2011 (Newegg, bhphoto, etc), Endeca was an early explorer of columnar, generational storage storage techniques. Huff earned his BS and MS degrees from UC Irvine where he specialized in optimizing compilers.

John Huffaker aka "Huff"

Distinguished Engineer at Box

How Box Does Authorization

Join Jennifer Wong, a seasoned expert in product management and application security at Workday, as she takes us through a decade-long journey at the forefront of one of the world's leading financial and human capital management software companies. Dive into the complexities of platform solutions and the significance of reusable components, as Jennifer outlines how Workday achieves seamless interoperability, ensuring reduced time-to-value for their customers. Learn how authorization is crucial in a company that is trusted with sensitive data from global corporate giants, and how they maintain its revered industry-standard security, even as it grows through acquisitions. Learn about the nuances of their authorization capabilities, how they adapt to evolving threats, and the underlying principle of Zero Trust. If you're curious about how Workday handles user roles, permissions, and where authorization decisions are made, this episode is a must-listen.

Jennifer is a Director in Product Management for the Security Products team at Workday. She oversees Workday application security products including authentication, authorization, identity management, platform security and privacy framework. Jennifer joined Workday 10 years ago and have led product management in Workday’s foundation framework such as business process, organization, globalization etc. Prior to joining Workday, she led multiple on-premise-to-cloud initiatives at Cathay Pacific Airways. Jennifer holds an MBA degree at UCLA Anderson School of Management.

Jennifer Wong

Director, Product Management – Security Products, Workday

Authorization at Workday

In this episode, host Damian Schenkelman and cybersecurity expert Neil Madden deep dive into the world of macaroons for authorization. Neil starts by distinguishing between JSON Web Tokens (JWT) and macaroons, and shares the origins and unique properties of the latter. They discuss how these Google-invented tokens can enhance security by enabling the addition of conditions, or "caveats", to the token even after it's been issued. The discussion also includes the difference between first-party and third-party caveats, key considerations for implementing macaroons, and how they can be integrated into existing systems like OAuth.

Neil is the founder and CEO of Illuminated Security and a recognized expert in the fields of application security and applied cryptography. The author of API Security in Action, Neil was previously the Security Architect for ForgeRock, and is an active contributor to the OAuth Working Group and Cryptographic Forum Research Group. In 2021, Neil discovered a critical vulnerability in Java's elliptic curve digital signature algorithm, which was dubbed the "cryptography bug of the year" and named as one of the top 10 web hacking techniques of 2022. Neil has a PhD in Computer Science and lives in the Cotswolds, England with his wife and daughter.

Neil Madden

Founder and CEO, Illuminated Security Ltd

Macaroons for Authorization with Neil Madden

Join us in this episode of Authorization in Software, where we're joined by Atul Tulshibagwale, CTO of SGNL. In an enlightening conversation with our host Damian Schenkelman, Atul dives deep into the concept of Real-Time Authorization, an innovative approach to dynamic access control.This episode sheds light on how Real-Time Authorization operates, continuously assessing and authorizing access based on a variety of dynamically determined factors rather than preassigned privileges. In this ideal scenario, access to resources is granted only when necessary, enhancing security and limiting potential vulnerabilities.

Atul is the CTO of SGNL, the leading developer of continuous access management solutions. Atul is an enterprise identity expert and the inventor of the Continuous Access Evaluation Protocol (CAEP). He was most recently a software engineer at Google, where his seminal blog post kicked-off the industry-wide movement that culminated in the OpenID Foundation’s Shared Signals Framework (SSF), and Continuous Access Evaluation Profile draft specifications. He is also a co-chair of the OpenID Foundation’s Shared Signals Working Group. At Google he led the development of the BeyondCorp Devices API, a critical part of Google’s BeyondCorp zero- trust solution. Previously, Atul was a co-founder and the CEO of Trustgenix, a federated identity pioneer that was acquired by HP. Trustgenix contributed to the development of federated identity standards such as SAML 2.0 and the Liberty Alliance Framework.

Atul Tulshibagwale

CTO of SGNL

Real Time Authorization with Atul Tulshibagwale

Authorization in Software features chats with industry subject matter experts in Authorization. Some of the covered topics are: how authorization is implemented at specific companies (e.g.: Airbnb, Slack, Github), how industry standards relate to authorization, and the history of authorization in software. Damian Schenkelman hosts Authorization in Software. Damian is the creator of the <a href="https://github.com/openfga/openfga" rel="noopener noreferrer" target="_blank">OpenFGA project</a> and a Principal Architect on the Auth0 Lab team, where he does research and development of forward looking products. Before Auth0, Damian spent many years working for and at Microsoft on Azure, and patterns &amp; practices related initiatives. He loves spending his spare time with family, friends and catching up on all things NBA.

Authorization with OAuth 2 and its limitations

DESCRIPTION

Today's Host

Damian Schenkelman

Today's Guests

Vittorio Bertocci

Damian Schenkelman

Recent Episodes

Authorization with OAuth 2 and its limitations

DESCRIPTION

Today's Host

Damian Schenkelman

Today's Guests

Vittorio Bertocci

Damian Schenkelman

Related Resources

Recent Episodes

Fine Grained Authorization, Open Source and Topaz

Deep Dive into Open Policy Authorization Layer (OPAL)

How Box Does Authorization

Authorization at Workday

Macaroons for Authorization with Neil Madden

Real Time Authorization with Atul Tulshibagwale