Is it possible to authenticate and authorise both device and user?

[ghost]

(First of all, big fan of Ory Kratos and Hydra. The possibility of using Oathkeeper as a reverse proxy itself, or integrating it with a different one is fantastic. Planning to check out Keto as well ;) )

Oathkeeper introduces itself as a Zero-Trust, BeyondCorp, Identity and Access Proxy. The Google BeyondCorp model is based on the idea that every connection must be made from a secure device, by a user with sufficient privileges. As the Access Proxy, I believe that Oathkeeper would then be the party making decisions based off of the combination of these two parts:
"An Access Control Engine within the access proxy provides service-level authorization to enterprise applications on a per-request basis. The authorization decision makes assertions about the user, the groups to which the user belongs, the device certificate, and artifacts of the device from the Device Inventory Database." - BeyondCorp, A New Approach to Enterprise Security, more info in the rest of the BeyondCorp reports

The issue is that it is only possible to have one authentication and authorisation flow per connection:
"Authenticators are checked iteratively from index 0 to n and the first authenticator to return a positive result will be the one used." - docs , and "There is a 1:1 mandatory relationship between an authoriser and an access rule." - docs

This means that I can only allow requests based on information about either the device, or the user. To me it seems like it would be logical to have a separate authorisation for the user and the device, and only if both pass should Oathkeeper give the all-clear. Even if Oathkeeper wants to outsource the authorisation decision, should it not still authenticate both and pass that information on to the authorisation service?

So my questions are:

• Have I misunderstood some part of the BeyondCorp model?
• Have I missed/misunderstood some function in Oathkeeper?
• Is this something that is planned for the future?

[gen1us2k]

Hello. Thank you for this question. Firstly I want to start with this quote.

BeyondCorp uses the concept of a "managed device," which is a
device procured and actively managed by the enterprise.
Only managed devices can access corporate applications

That works for the specific cases. For instance, as a software engineer, you work for a company. A company gives you a laptop with a pre-configured software engineering environment. This device is connected to an access control engine that grants you permissions (e.g, you have access to these microservices and have access to specified hosts in the standing environment). If the device is compromised, the organization can easily revoke access for the whole device.

You can meet this implementation in Google services, Slack, Telegram, Whatsapp, and you can remove sessions for a specified device.

You don't need to implement this model unless you build something secure (fintech product, secure messenger, or something else). However, the user owns a device, and we can create a session for the user logging in from a specific device. It always ends with a session in that we can grant/deny access to a requested resource. So answering the question, oathkeeper can easily check access with configured authenticators/authorizer, because there will be different sessions/rules to check.

Could you please describe an issue you want to solve and provide additional context why do you need this feature? I hope that my answer helps.

[vinckr]

Hey @jeffreym-m ,
Just checking in if your question was answered or if there was still something unclear.
I will mark this as answered for now, but feel free to come back to the discussion any time.

Thanks a ton! 🐝