Check out my latest post on the Cedar policy engine 🌲📝
Learn where common policy authoring mistakes can happen, and the solutions to those issues to help ensure you keep your authorization system secure 💪
Check out my new blog post about #Pundit and different #RSpec test approaches.
https://tobiasmaier.info/posts/2023/06/19/pundit-rspec-approaches.html
#pundit #rspec #ruby #rubyonrails #authz #authorization
Working on a project with non-InfoSec folks I was reminded that not everyone's gotten the message. All the contributors were accessing the collaboration platform with the admin's credentials ('cause it was easier than creating separate accounts). #sigh
#sigh #infosec #authn #authz #fail #meme
Does anyone know where to find more info on the "double anonymity" ("double anonymat") protocol that the government wants to roll out in March to restrict access to certain sites, including porn sites?
I saw a diagram and, roughly speaking, it looks like a "sub-Privacy Pass", but I'd like to study the spec or the code.
#cryptography #france #pornography #privacypass #sécurité #security #authz #authn
Whoa. Today I learned that the OAuth.net website was not owned by a foundation, but by a single member. The banner for advertising is what gave it away. #OAuth #AuthZ #Authorization #ads
There's a 'grain' of truth in every joke
#AWS fine-grained permissions and #authorization is no joke
Or is it?
https://aws.amazon.com/verified-permissions/
Any practitioner can tell you that #authz is entirely about 'actions', guess what the one thing about AWS #IAM they didn't include in this service derived from IAM policy document format and #API?..
#aws #authorization #authz #iam #api
Excuse the hashtag spam, but I'm trying to find my tribe.
I'm interested in production deployments of ReBAC (relationship based access control) in "enterprise" environments.
Specifically, anyone who has worked on something similar to Google Zanzibar to authorize access into, not just "resources", but dynamic workflow/process-driven APIs. Bonus if it was in a SaaS setting, where each tenant has unique workflows.
#authz #spicedb #ory #keto #abac #rbac #auth0 #openfga
My boss: "Learn about Zanzibar"
1. What I expected
2. What I got
(feel free to share any educational resource in the comments, let's try to make sense of this all together)
#zanzibar #authorization #authz
@VidmoOreda @nf3xn The scraper would just be grabbing and parsing the html off the page. API interaction isn't scraping and can require authN/authZ or be wide open. If the API doesn't require authN/authZ, then I don't see how any AUP is enforceable. (I still have a way to go on API security. I'm familiar with the use of OAuth tokens for authZ. I think OIDC can be used instead, which I think uses an OAuth token with a "wrapper" to add authN. Reckon JWT is in play for authN/authZ, as well.) #api #authn #authz
Passing through
🍪 https://en.wikipedia.org/wiki/HTTP_cookie
🍪 https://en.wikipedia.org/wiki/Macaroons_(computer_science)
🍪 jwt https://jwt.io/