🚫Catatan Seekor: Authorization

"Authorization determines what you can do, after authentication has established who you are"

📚 Overview

Authorization adalah proses menentukan apa yang dapat dilakukan oleh user atau sistem yang sudah terautentikasi. Ini adalah lapisan keamanan kedua yang mengontrol akses ke resource dan menentukan permission yang dimiliki user.

🎯 Learning Objectives

Setelah mempelajari materi ini, Anda akan mampu:

Memahami konsep dasar authorization dan access control
Menerapkan berbagai model access control
Mengimplementasikan Role-Based Access Control (RBAC)
Mengelola JWT dan token dengan aman
Menerapkan OAuth 2.0 dan OpenID Connect

📖 Table of Contents

🔐 Authorization Concepts

1. Access Control

Subject: User, process, atau sistem yang meminta akses
Object: Resource yang diakses (file, database, API endpoint)
Action: Operasi yang dilakukan (read, write, delete, execute)
Context: Kondisi atau environment saat akses diminta

2. Authorization Models

Discretionary Access Control (DAC): Owner menentukan akses
Mandatory Access Control (MAC): System administrator mengontrol akses
Role-Based Access Control (RBAC): Akses berdasarkan role
Attribute-Based Access Control (ABAC): Akses berdasarkan attributes

3. Permission Levels

Read: Melihat atau membaca data
Write: Membuat atau mengubah data
Delete: Menghapus data
Execute: Menjalankan program atau script
Admin: Full control atas resource

🚀 Quick Start

🔰 Untuk Pemula

Mulai dengan Access Control Models
Pelajari Role-Based Access Control (RBAC)
Pahami JWT & Token Management

🎯 Untuk Developer

Implementasi OAuth 2.0 & OpenID Connect
Pelajari Implementation Patterns
Kuasai Attribute-Based Access Control (ABAC)

📚 Referensi & Resources

🌟 Essential Reading

📖 Books

"Role-Based Access Control" by David F. Ferraiolo
"OAuth 2 in Action" by Justin Richer
"Identity and Access Management" by Graham Williamson
"Web Application Security" by Andrew van der Stock

🎓 Online Courses

🛠️ Tools & Frameworks

Keycloak - Open source identity management
Auth0 - Identity platform
Spring Security - Security framework for Java
Passport.js - Authentication middleware for Node.js

🔗 Communities & Forums

🎯 Best Practices

🔐 Access Control

✅ Principle of Least Privilege
✅ Regular access review
✅ Segregation of duties
✅ Time-based access control
✅ Location-based restrictions

🎭 Role Management

✅ Clear role definitions
✅ Minimal role assignments
✅ Regular role review
✅ Role hierarchy management
✅ Role-based training

🔑 Token Security

✅ Secure token storage
✅ Token expiration
✅ Token rotation
✅ Secure transmission
✅ Token validation

🚫 Security Measures

✅ Input validation
✅ Output encoding
✅ Error handling
✅ Audit logging
✅ Monitoring and alerting

🚨 Security Checklist

🔍 Pre-Implementation

Authorization requirements defined
Access control model selected
Security policies established
Compliance requirements identified

🛠️ During Implementation

🧪 Testing & Deployment

📊 Maintenance

🔍 Common Vulnerabilities

🚨 Insufficient Authorization

Missing access controls
Weak permission checks
Insecure direct object references
Privilege escalation

🔓 Token Vulnerabilities

Weak token generation
Insecure token storage
Token hijacking
Missing token validation

🚫 Role-Based Issues

Over-privileged roles
Role confusion
Missing role validation
Insecure role assignment

🔐 Access Control Bypass

Parameter manipulation
URL manipulation
Session hijacking
Cross-site request forgery

🛡️ Security Controls

🔒 Preventive Controls

Strong access controls
Role-based permissions
Token validation
Input validation
Secure coding practices

🔍 Detective Controls

Access logging
Permission monitoring
Security event correlation
Intrusion detection
Regular audits

🚨 Corrective Controls

Access revocation
Incident response
Security awareness training
Regular assessments
Continuous improvement

📊 Implementation Examples

🔐 RBAC Implementation (Python)

from enum import Enum
from typing import List, Set

class Permission(Enum):
    READ = "read"
    WRITE = "write"
    DELETE = "delete"
    EXECUTE = "execute"

class Role:
    def __init__(self, name: str, permissions: Set[Permission]):
        self.name = name
        self.permissions = permissions

class User:
    def __init__(self, username: str, roles: List[Role]):
        self.username = username
        self.roles = roles
    
    def has_permission(self, permission: Permission) -> bool:
        for role in self.roles:
            if permission in role.permissions:
                return True
        return False

# Example usage
admin_role = Role("admin", {Permission.READ, Permission.WRITE, Permission.DELETE, Permission.EXECUTE})
user_role = Role("user", {Permission.READ})
admin_user = User("admin", [admin_role])
regular_user = User("user", [user_role])

print(admin_user.has_permission(Permission.DELETE))  # True
print(regular_user.has_permission(Permission.DELETE))  # False

🔑 JWT Authorization (Node.js)

const jwt = require('jsonwebtoken');
const express = require('express');

const app = express();

// Middleware untuk verifikasi JWT
const authenticateToken = (req, res, next) => {
  const authHeader = req.headers['authorization'];
  const token = authHeader && authHeader.split(' ')[1];

  if (!token) {
    return res.sendStatus(401);
  }

  jwt.verify(token, process.env.JWT_SECRET, (err, user) => {
    if (err) {
      return res.sendStatus(403);
    }
    req.user = user;
    next();
  });
};

// Middleware untuk role-based authorization
const authorizeRole = (roles) => {
  return (req, res, next) => {
    if (!req.user || !roles.includes(req.user.role)) {
      return res.status(403).json({ message: 'Insufficient permissions' });
    }
    next();
  };
};

// Protected routes
app.get('/admin', authenticateToken, authorizeRole(['admin']), (req, res) => {
  res.json({ message: 'Admin access granted', user: req.user });
});

app.get('/user', authenticateToken, authorizeRole(['user', 'admin']), (req, res) => {
  res.json({ message: 'User access granted', user: req.user });
});

🔒 OAuth 2.0 Implementation (Java)

@RestController
@RequestMapping("/api")
public class OAuthController {
    
    @Autowired
    private OAuth2Service oauth2Service;
    
    @PostMapping("/token")
    public ResponseEntity<TokenResponse> getToken(@RequestBody TokenRequest request) {
        try {
            TokenResponse token = oauth2Service.generateToken(request);
            return ResponseEntity.ok(token);
        } catch (InvalidGrantException e) {
            return ResponseEntity.status(400).body(null);
        }
    }
    
    @GetMapping("/resource")
    public ResponseEntity<ResourceResponse> getResource(
            @RequestHeader("Authorization") String authorization) {
        
        String token = authorization.replace("Bearer ", "");
        
        if (!oauth2Service.validateToken(token)) {
            return ResponseEntity.status(401).body(null);
        }
        
        // Check scopes
        if (!oauth2Service.hasScope(token, "read")) {
            return ResponseEntity.status(403).body(null);
        }
        
        return ResponseEntity.ok(new ResourceResponse("Protected resource"));
    }
}

🚀 Advanced Topics

🔐 Attribute-Based Access Control (ABAC)

Dynamic access control
Context-aware permissions
Policy-based authorization
Risk-based access control

🌐 Federated Authorization

Cross-domain authorization
Trust relationships
Policy federation
Identity federation

🔒 Zero-Trust Authorization

Continuous verification
Context-aware access
Risk-based decisions
Micro-segmentation

🎭 Advanced RBAC

Hierarchical roles
Dynamic role assignment
Role inheritance
Temporal roles

🔍 Authorization Patterns

🏗️ Pattern 1: Resource-Based Authorization

def can_access_resource(user, resource, action):
    # Check if user has permission for specific resource
    return user.has_permission(resource.id, action)

# Usage
if can_access_resource(user, document, "read"):
    return document.content

🎭 Pattern 2: Role-Based Authorization

def can_perform_action(user, action):
    # Check if user's role allows the action
    return any(action in role.permissions for role in user.roles)

# Usage
if can_perform_action(user, "delete_user"):
    delete_user(user_id)

🔐 Pattern 3: Attribute-Based Authorization

def can_access(user, resource, context):
    # Check attributes for authorization decision
    if user.department == resource.department:
        if context.time.hour < 18:  # Business hours
            return True
    return False

🤝 Contributing

Kontribusi untuk memperbaiki dan menambahkan konten authorization sangat dihargai! Silakan:

Fork repository ini
Buat branch untuk fitur baru
Commit perubahan Anda
Push ke branch
Buat Pull Request

📄 License

Konten ini tersedia di bawah MIT License.

🙏 Acknowledgments

OWASP Foundation untuk authorization guidelines
OAuth and OpenID Connect communities
Security researchers dan practitioners
Open source authorization frameworks

⚠️ Disclaimer: Catatan ini dibuat untuk tujuan pembelajaran. Selalu test authorization measures di environment yang aman dan konsultasikan dengan security experts untuk implementasi production.

🚫 Remember: Proper authorization is crucial for maintaining security boundaries. Implement it carefully!

Last updated 5 months ago

hashtag📚 Overview

hashtag🎯 Learning Objectives

hashtag📖 Table of Contents

hashtag🔐 Authorization Concepts

hashtag1. Access Control

hashtag2. Authorization Models

hashtag3. Permission Levels

hashtag🚀 Quick Start

hashtag🔰 Untuk Pemula

hashtag🎯 Untuk Developer

hashtag📚 Referensi & Resources

hashtag🌟 Essential Reading

hashtag📖 Books

hashtag🎓 Online Courses

hashtag🛠️ Tools & Frameworks

hashtag🔗 Communities & Forums

hashtag🎯 Best Practices

hashtag🔐 Access Control

hashtag🎭 Role Management

hashtag🔑 Token Security

hashtag🚫 Security Measures

hashtag🚨 Security Checklist

hashtag🔍 Pre-Implementation

hashtag🛠️ During Implementation

hashtag🧪 Testing & Deployment

hashtag📊 Maintenance

hashtag🔍 Common Vulnerabilities

hashtag🚨 Insufficient Authorization

hashtag🔓 Token Vulnerabilities

hashtag🚫 Role-Based Issues

hashtag🔐 Access Control Bypass

hashtag🛡️ Security Controls

hashtag🔒 Preventive Controls

hashtag🔍 Detective Controls

hashtag🚨 Corrective Controls

hashtag📊 Implementation Examples

hashtag🔐 RBAC Implementation (Python)

hashtag🔑 JWT Authorization (Node.js)

hashtag🔒 OAuth 2.0 Implementation (Java)

hashtag🚀 Advanced Topics

hashtag🔐 Attribute-Based Access Control (ABAC)

hashtag🌐 Federated Authorization

hashtag🔒 Zero-Trust Authorization

hashtag🎭 Advanced RBAC

hashtag🔍 Authorization Patterns

hashtag🏗️ Pattern 1: Resource-Based Authorization

hashtag🎭 Pattern 2: Role-Based Authorization

hashtag🔐 Pattern 3: Attribute-Based Authorization

hashtag🤝 Contributing

hashtag📄 License

hashtag🙏 Acknowledgments