AWS Partner Network (APN) Blog

Leveraging API Gateway Lambda Authorizer for Securing your APIs with Okta FGA

By Jason Patterson, Sr. WW Security PSA – AWS
By Kapil Patil, Sr. Partner Technical Architect – Okta

With data volumes growing from hundreds of terabytes to petabytes, and now including sensitive Personally Identifiable Information (PII), organizations are required to meet stringent regulatory requirements for data access and security. Businesses and developers need authorization solutions that are reliable, compliant, and secure. Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC) are the authorization methods commonly used in modern applications. However, as Software-as-a-Service (SaaS) applications become more feature-rich, the inflexibility and limited scalability of these coarse-grained access controls become apparent.

RBAC grants permissions based on predefined roles, while ABAC relies on user attributes carried in JSON Web Tokens or session cookies. For instance, RBAC may grant API access based on user roles such as reader, viewer, or admin, which cannot express who owns or shares a particular resource. ABAC likewise lacks the flexibility to handle complex authorization scenarios where relationships between entities play a crucial role.

Okta Fine-Grained Authorization (FGA) is a managed SaaS solution that addresses the challenge of authorization at scale for developers. Okta FGA empowers developers to design authorization models ranging from coarse-grained to fine-grained, with a centralized, flexible, fast, scalable, and user-friendly approach. Okta FGA allows businesses to simplify access control for multiple applications, parameters, and users, via ‘Authorization as a Service’, allowing developers to design and easily implement permissions at scale.

In this blog, we will explore the limitations of traditional authorization methods, and how Okta FGA offers a robust and adaptable solution.

Okta is an AWS Partner and leading independent provider of enterprise identity. It holds AWS ISV Competencies in Security, Digital Workplace, and Government and is an AWS Marketplace Seller.

Okta Fine-Grained Authorization (FGA) Overview

At present, applications typically use RBAC and ABAC to grant user access to application resources. Relationship-Based Access Control (ReBAC) addresses the limitations of both RBAC and ABAC by incorporating the dynamic relationships between users and objects. For example, a user’s manager, ‘the parent folder’, ‘the owner of a document’, or ‘the user’s department’ can be defined as relationships. Okta FGA uses ReBAC so that an access decision can be conditional on a user’s relationship with a given object and on that object’s relationships with other objects.

Okta FGA Authorization Model

The Okta FGA authorization model allows developers to define detailed authorization rules based on attributes and relationships, rather than relying solely on static roles and permissions. This model supports dynamic decision-making by considering various factors, such as user attributes, resource attributes, and context.

Policies in the authorization model are based on the relationships between your application entities. These policies are managed through a policy engine that interprets and enforces the rules, ensuring access decisions are made in real-time based on current relationships.

The authorization model enables developers to:

  • Update and manage authorization policies from one centralized location without touching the application code.
  • Define detailed access requirements, ensuring greater security and compliance.
  • Provide flexible permissions and access for app owners and developers.
  • Scale while reducing latency, as requests are routed to the closest server.
  • Integrate with a business’s existing systems using developer-friendly tools such as APIs, SDKs, CLIs, and IDE integrations.

Figure 1, below, depicts an Okta FGA authorization model that categorizes users into tiers: gold, platinum, and silver, each granting specific access rights. Okta Coupons are linked to these tiers through a can redeem relationship, which dictates which tier of users can redeem which coupons.

Figure 1: Okta FGA authorization model for user, user tiers, and coupon redemption permissions.

Authorizing access to Amazon API Gateway resources using Okta FGA

Developers utilize Amazon API Gateway in cloud-native applications to streamline interaction between backend services.

Amazon API Gateway acts as an intermediary, accepting API calls, routing them to the appropriate API, and then returning the responses back to the clients. Using Amazon API Gateway, developers can decouple the API management from the backend service implementation, allowing for greater flexibility, scalability, and maintainability of cloud-native applications. Amazon API Gateway provides a centralized point to enforce authorization for API resources, ensuring only authorized requests reach the backend services.

Consider a hypothetical example where an e-commerce application allows customers to use coupons for discounts, as depicted in Figure 2 below. An Amazon API Gateway endpoint is used to receive redemption requests and routes them to the Redeem Coupon action. This API resource performs coupon redemption by sending an HTTP POST request with relevant user data.

When Amazon API Gateway routes the request to the appropriate API endpoint for coupon redemption, the API endpoint, typically hosted using AWS Lambda, performs the business logic for redemption operations. Finally, the response is sent back through the Amazon API Gateway, confirming the success or failure of the redemption process.

Figure 2: Performing coupon redemption without Okta FGA and API Gateway Lambda Authorizer.

Authorization decisions for the Redeem Coupon action require querying and parsing data from external sources, which slows down response times. Additionally, it may introduce higher complexity in the authorization logic, involving numerous IF-ELSE rules and multiple database lookups, making the system inefficient and difficult to maintain.

The AWS Lambda function must query various data sources and services, such as user, coupon, and product information, and infer the relationship between the three entities to redeem a coupon. As the business grows, the data model becomes intricate and difficult to modify. This complexity leads to significant time spent on data model management instead of developing new features. Scaling the Redeem Coupon action will also become challenging given the complexity of maintaining multiple external systems.

In the next section, let’s examine how the Okta FGA authorization model simplifies the design by using an Amazon API Gateway Lambda Authorizer that calls Okta’s FGA API directly, rather than having the function query and manage multiple data sources itself.

AWS Architecture Overview

Figure 3, below, depicts how Okta FGA and Amazon API Gateway can be integrated to solve developer authorization problems.

Figure 3: Perform Authorization Decision using Okta FGA and Amazon API Gateway Lambda Authorizer.

The architecture of this integrated solution includes the following steps:

  1. User Login: The user logs into the application using their credentials and gets access to the application’s features.
  2. Initiate Redeem Action: The user performs a Redeem Coupon action on their logged-in device.
  3. Request Forwarded to Amazon API Gateway: The application backend server forwards the request to the Amazon API Gateway.
  4. Amazon API Gateway Authorizer: Invokes its Amazon API Gateway Lambda Authorizer to verify if the user is authorized to redeem the coupon. The authorizer checks the user’s permissions and eligibility based on the data model present in Okta FGA.
  5. Redeem Action: If authorized by the Amazon API Gateway, the request is routed to the API’s AWS Lambda function to perform the redeem action.

The crucial segment within the architecture is the Amazon API Gateway Lambda Authorizer that leverages Okta FGA’s SDK and APIs to enforce custom authorization logic for APIs deployed on Amazon API Gateway.

When a request from an application is made to the Amazon API Gateway endpoint, the API Gateway Lambda Authorizer validates the user action. This function verifies the action and the relevant user context. Based on the policy definitions in the authorization model, FGA determines whether the user is authorized to perform that action.
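As an added example (not code from this blog, Okta, or AWS), the following Python mirrors the Figure 1 model (tiers, coupons, and a derived can redeem relation) in an in-memory tuple store and wraps it in the REQUEST-type Lambda authorizer shape used in steps 4 and 5 above. The local `check`, the `x-user-sub` header, and all user and coupon identifiers are assumptions; in a deployment `check` would be replaced by the Okta FGA SDK’s check call against your FGA store.

```python
# Constructed relationship tuples mirroring Figure 1: users are members of
# tiers, and coupons are redeemable by tiers. All identifiers are made up.
TUPLES = {
    ("user:alice", "member", "tier:gold"),
    ("user:bob", "member", "tier:silver"),
    ("tier:gold", "redeemable_by", "coupon:summer50"),
    ("tier:platinum", "redeemable_by", "coupon:summer50"),
    ("tier:silver", "redeemable_by", "coupon:welcome10"),
}

def related(relation, obj):
    """Subjects that directly hold `relation` on `obj`."""
    return {u for (u, r, o) in TUPLES if r == relation and o == obj}

def check(user, relation, obj):
    """Local stand-in for the FGA check API. `can_redeem` is never stored;
    it is derived like the FGA rule `define can_redeem: member from
    redeemable_by`: the user must be a member of a tier the coupon allows."""
    if relation == "can_redeem" and obj.startswith("coupon:"):
        return any(user in related("member", tier)
                   for tier in related("redeemable_by", obj))
    return (user, relation, obj) in TUPLES

def lambda_handler(event, context=None, check_fn=check):
    """REQUEST-type Lambda authorizer: map the caller and the coupon in the
    path to one FGA check and return the IAM policy API Gateway expects."""
    # Assumption: a hypothetical upstream step has validated the user's JWT
    # and put its subject in the x-user-sub header; a real authorizer must
    # verify the token itself before trusting any claim it carries.
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    subject = headers.get("x-user-sub")
    coupon_id = (event.get("pathParameters") or {}).get("couponId")
    allowed = bool(subject and coupon_id and
                   check_fn(f"user:{subject}", "can_redeem",
                            f"coupon:{coupon_id}"))
    return {
        "principalId": subject or "anonymous",
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
                "Action": "execute-api:Invoke",
                # Explicit Deny: a missing subject or coupon fails closed.
                "Effect": "Allow" if allowed else "Deny",
                "Resource": event["methodArn"],
            }],
        },
        "context": {"couponId": coupon_id or "", "fgaAllowed": str(allowed)},
    }
```

Because the decision is a single relationship check, adding a new tier or coupon is a tuple write in FGA rather than a change to the authorizer code.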

Conclusion

As shown in this blog, by leveraging the Amazon API Gateway Lambda Authorizer together with the Okta FGA data model, businesses and developers can ensure that only authorized users can perform a given action, and only within the context of that operation, enhancing security while simplifying authorization logic and data management.

Okta FGA streamlines the process of building ReBAC-enabled applications and migrating existing applications to ReBAC.

To learn more about Okta FGA, head over to fga.dev to sign up for a free trial. Also visit Okta’s blog for a technical step-by-step guide to setting up the integration between Amazon API Gateway and Okta.


Okta – AWS Partner Spotlight

Okta is an AWS Advanced Technology Partner and AWS Competency Partner and leading independent provider of enterprise identity. It holds AWS ISV Competencies in Security, Digital Workplace, and Government and is an AWS Marketplace Seller.

Contact Okta | Partner Overview | AWS Marketplace