Authorization (B2C)
Access Control in Login 3.0
Let's start by taking a step back and talking about Access Control. There isn't one clear-cut definition of Access Control in the industry, but if you spend some time searching and reading, you'll see that most authoritative sources agree that it is the umbrella concept that puts all of Authentication, Authorization, Consent, and Policy Enforcement together to ensure that only the right people and services have access to your applications and APIs. Next, let's look more closely into the distinctions between Authentication, Authorization, Consent, and Policy Enforcement. In Login 3.0, configurations related to Authentication and Consent, as well as aspects of Authorization and Policy Enforcement, must be requested and managed by the UPBOND team.
Categories of Access Control
We group the different types of access control into three categories so that it is easier to understand a) which actor is responsible for storing the information, b) which actor is responsible for making decisions, and c) which actor is responsible for enforcing the restrictions.
1. Application or API-wide Access
Access is either granted or denied to an application or an API in its entirety. Both the data required to enforce this and the enforcement process are managed via metadata configurations handled by the UPBOND team.
2. Subset Access
Access is either granted or denied to a specific subset of application or API functionality. The data required to enforce this is typically stored in metadata associated with a user, with enforcement processes implemented within the application or API itself. These configurations must also be set up by the UPBOND team.
3. Contextual Access
Access is either granted or denied depending on what the principal (subject) can operate on within the context of an application or API. Both the data required for enforcement and the enforcement process are managed contextually within the application or API, with metadata configurations facilitated by the UPBOND team as needed.
Applying RBAC and ABAC
Role-based Access Control (RBAC) and Attribute-based Access Control (ABAC) mechanisms can be applied in any of the Access Control categories described above. When designing your system, consider the following:
Are there scenarios where access to an entire application or API should be rejected?
Will you be providing APIs that can be accessed by third-party applications?
Will your APIs also be accessed by your own (first-party) applications?
Will your application be calling a third-party API?
Should your applications and/or APIs be enforcing access control based on user claims?
Tokens and Claims
ID Tokens
For applications utilizing OpenID Connect (OIDC), ID Tokens provide a mechanism to deliver claims. Using metadata configured by the UPBOND team, Login 3.0 allows for custom claims to be associated with an ID Token, enabling your application to enforce access restrictions.
Access Tokens
For APIs, Access Tokens (OAuth2) can be used to restrict access. Login 3.0 supports adding custom claims to Access Tokens through configurations facilitated by the UPBOND team, enabling your API to make access decisions based on these claims.
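To make the three categories above concrete on the API side, here is an added example (not code from the UPBOND or Login 3.0 documentation) of an API validating an Access Token and then deciding on claims. It assumes an HS256 shared secret and a custom permissions claim name purely so it runs offline; Login 3.0 issues its own tokens, normally verified against the issuer's published public keys, and the real claim names come from the UPBOND team's configuration.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

# Constructed values for this example only: the HMAC secret stands in for the
# issuer's key and the custom claim name is an assumption, not a Login 3.0 one.
SECRET = b"example-shared-secret"
EXPECTED_AUD = "https://api.example.com"
PERMS_CLAIM = "https://example.com/permissions"  # assumed custom claim name

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(claims: dict) -> str:
    """Mint an HS256 JWT; stands in for the token Login 3.0 would issue."""
    head = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url_encode(sig)}"

def verify_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Category 1 (API-wide): accept only a token whose algorithm, signature,
    expiry and audience all match this API. Returns the claims or None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    head, body, sig = parts
    try:
        if json.loads(_b64url_decode(head)).get("alg") != "HS256":
            return None  # never let the token pick its own algorithm
        expected = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(body))
    except (ValueError, UnicodeDecodeError, AttributeError):
        return None
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        return None
    aud = claims.get("aud")
    if aud != EXPECTED_AUD and not (isinstance(aud, list) and EXPECTED_AUD in aud):
        return None
    return claims

def authorize(claims: dict, permission: str, owner: Optional[str] = None) -> bool:
    """Category 2 (subset): permissions claim lists the operation; category 3
    (contextual): a user-owned resource also needs a matching sub."""
    if permission not in claims.get(PERMS_CLAIM, []):
        return False
    return owner is None or claims.get("sub") == owner
```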
Machine-to-Machine (M2M) Authorization
In scenarios where there is no user-interactive session, the OAuth 2.0 Client Credentials Grant allows applications to obtain an access token. Examples include:
Cron jobs or services communicating with APIs.
APIs with privileged access not exposed to users.
Microservice architectures requiring API-to-API communication.
Role-Based Access Control (RBAC)
Login 3.0 supports RBAC, with configurations handled by the UPBOND team, simplifying access control by assigning permissions based on user roles.
Conclusion
Whether securing APIs or applications, Login 3.0 provides robust mechanisms for managing access control. All configurations and customizations for access control, including metadata setup and token claims, must be requested and managed by the UPBOND team to ensure a secure and scalable system.