[bbor]

A) fair, b) I think this common distinction is a little overblown. Authorization is just a particularly straightforward CRUD feature, perhaps with some inheritance logic — authentication seems to be where 99% of all security sadness comes into play.

Plus there’s the less-often-discussed task of protecting some of your users from other users, such as Google vetting their html5 ads for malware, and military (all B2B?) contractors trying to write tools that aren’t useful to insider threats. It’s worse than either auth* domain IMO, as it usually involves unavoidable tradeoffs for benign users; I haven’t read this book in full but I suspect it didn’t make the list!

TBF, I’m not sure it even has a standard name yet like the other two… anyone know enough to correct me? Maybe… “encapsulation”? “Mitigation”? The only “auth*” term left is arguably “authorship”, which doesn’t really fit https://www.thefreedictionary.com/words-that-start-with-Auth

Edit; I think I just taught myself what complex authorization is! I’ve always treated it as role management, but “what roles can do what” does also fit, I have now realized. Sorry y’all - leaving it up in case it’s a learning experience for others lol

[lelandbatey]

Authz is usually much more complex than strict authN since authz gets much more into the thorny people problems, things like "how do you build a system allowing arbitrary organizations of people (your customers) to systematize how they want the people within their organization to be able to access/change things." A better term I've heard is "governance" which is more indicative of the stodgy, thorny, people-oriented nature of the problem, just like governments!

There's also lots of potential levels of granularity and thus complexity, with the most granular (that I've seen) being able to model access through time as a continuum down to the individual field of each object in the business, based on wide arrays of arbitrary other factors. Think modeling problems like:

> "If condition X in the business is true then I want user X to be unable to view/edit the 'foobar' field of entity 'powzap', and I only want this rule to be true on Tuesdays of the months April and October".

That's a tough problem to tackle with a lot of subtlety to wrangle.

[foobazgt]

I have two reactions to this:

- Complicated authorization systems bleed through everything else, adding exponential complexity. Maybe, as an industry, we should seek better tradeoffs? One example I can think of is preferring auditing over authorization. It's a lot easier to build a generic, unified auditing system and interface than to build sleek, fluent UIs that also have to accommodate arbitrarily complex authz behaviors.

- OTOH, I'm very keen on fine-grained controls over what data I grant third parties access to. For example, I want to be able to say, "grant this lender access to the last 18 months of account balance for this specific account" and exactly no more or less.

[efitz]

What people want is authorization. Authentication is a painful activity that must be performed in order to do authorization properly in most cases.

Side note: there is a trivial case where authentication is reduced to “whoever is physically holding/interacting with the system”. This is when either the operation to be authorized is relatively low risk (changing the channel on the TV with the line-of-sight IR remote control) or when you’re depending on physical security controls to prevent access to people who shouldn’t be doing the thing, e.g. requiring data center technicians to badge in before they can go into the server room and start disconnecting things.

[Zondartul]

To be fair, once someone has physical access to the machine, them having full access is just a matter of time and effort. So at that point it's security-through-too-much-effort-to-bother.

[Kinrany]

There should be a unified theory that all auth can be stacked on top of. Like, a theory of secure communication, that deals with the problem of adding security/reliability/etc. properties to a communication channel.

[efitz]

There is a lot of formal research on both authentication and authorization. IIRC Butler Lampson’s Turing Award was based on work he did in that area: https://amturing.acm.org/award_winners/lampson_1142421.cfm

[GoblinSlayer]

Authorization sadness is just hidden under complexity and you don't suspect anything until a breach. It needs xfail tests, but who writes them?