Oso Unbundles Security Authorization
Airbnb, Carta, Slack, and Intuit have all written about how they customized authorization at their companies. And startups including Authzed and Aserto are diving into the authorization space, Authzed having just released an open source version of Google’s Zanzibar called SpiceDB. It’s a rival to the open source Keto, also based on Zanzibar. Oso has its own take on the problem.
Neray considers authorization the next part of the application to be unbundled in the vein of what Stripe did for payment processing and Twilio did for communications. It’s an essential component of every application and developers spend huge amounts of time writing code for it, yet it’s not a central part of the value proposition.
Authentication differs from authorization, as Mary Branscombe’s recent article pointed out: Authentication involving verifying that the person actually is who they purport to be, while authorization refers to what a person or service is allowed to do once inside the system.
Yet, despite the ever-growing need for authorization across systems, especially in a microservice world, it’s a hard problem to solve in a generic way across use cases, Oso co-founder and chief technology officer Sam Scott explains in a blog post.
“There’s a broad spectrum of authorization use cases: Kubernetes admission control, database access control, microservice/application authorization, etc.,” Hacker News commenter thinrich pointed out. “Despite them all being authorization, they each have their own requirements around enforcement points, data dependencies, modeling/expressiveness, performance, etc. So it’s not surprising that with such a broad space of requirements we end up with such an interesting and rich landscape of technology choices.”
A Clean Slate
Neray previously worked at MongoDB; Scott has a background in cryptography. They share a vision of putting security tools in the hands of developers, Neray said. While working together on security tools for infrastructure, people kept asking about building application authorization, and they turned their focus there, creating the company Oso in 2018 and open sourced the technology in July last year.
“As an industry, we all started with a lot of these API as a service — AWS, Stripe, Twilio, whatever — things with pieces of the app that were easiest to separate out, because they already existed in these clearly identifiable components already, like compute or storage,” Neray said. “And authorization, which, you know, controls what you can do once you’re inside an application — what data you can see or what pages you can open — that is a hard thing to split out. And this is why people were asking us so much about it, and they had so many complicated questions. But it’s in every application … and it’s actually a really hard problem to get right.”
In the blog post, Scott takes issue with other authorization tools, including Zanzibar, listing among the problems that as data filtering grows more complex it requires a framework-level integration, which most don’t provide.
“One of the things that I think makes us uniquely positioned is that most competitors out there are starting from some pre-existing idea or product and building on top of it. And … it wouldn’t surprise me if they view that as a way to get faster time to market. But each of those prior technologies [that] could be usable for application authorization has non-trivial shortcomings that each of those vendors is now stuck with. We built from a clean slate. We actually explored a lot of those different design options with our earliest users to see what we thought made the most sense, and I think the product is better for it,” Neray said.
Oso operates from a core developed in Rust. It offers libraries in Node.js, Python, Go, Rust, Ruby and Java. Oso provides a mental model and an authorization system — a set of APIs built on top of a declarative policy language called Polar, plus a debugger and REPL — to define permissions in your application.
It provides three things for developers, according to Neray:
- A framework with best practices built-in that enables them to build something fast and easily. Early on, he said, it’s not necessary to learn the inner workings of Polar, a language they build expressly for authorization, but developers can dive more deeply into it as things get more complex.
- What they call a “forever” system that users will not outgrow. It supports any model and can be easily customized.
- The ability to sleep easy, knowing Oso supports testing, is secure and provides plenty of documentation to ensure they’re getting it right.
Its GitHub page asserts that “developers can typically write a working Oso policy in less than five minutes, add Oso to an app in less than 30 minutes, and use Oso to solve real authorization problems within a few hours.”
It released Oso 0.20 in September including:
- Authorization modeling — built-in primitives that push best practices deeper into the product, so it effectively tells users how to model common patterns like role- and relationship-based access control (RBAC and ReBAC).
- Data filtering providing the ability to beyond yes/no questions to questions like “Show me only the rows that Juno can see.” Previously only available in Python, this version adds Node.js and Ruby as well. It’s still working on supporting this feature in Go, Java, and Rust.
- APIs that help developers know which layers in the stack they need to add authorization in their apps. Oso 0.20 provides native APIs for enforcing authorization at these different layers.
Users include Intercom, First Resonance, Wayfair and BioDati.
Focus on Documentation
“I’ve used Oso at Visa and it was a fascinating product. Until it clicked, Polar was super confusing, but after speaking to the team over Slack. I realized how easy it was to use,” a Hacker News commenter called stonecharioteer, actually Vinay Keerthi, wrote.
The company also is focused on providing documentation to help developers understand authorization. That need was one of the recurring topics among commenters on the Hacker News post. To that end, it has created the Authorization Academy, a series of technical guides for building application authorization.
Citing the dearth of deep, relevant content on the topic, Neray said:
“It’s crazy. It’s like you either end up on these very heavily, SEO and vendor buzzword pages, or these academic PDF-style pages. That’s part of what we’re out to change, just make the whole thing a bit more accessible for everyone.”
So far, the company has been focused on building adoption for the open source version, but will build a commercial product in the future.