[Openid-specs-authzen] Meeting notes for December 5th 2023

David Brossard david.brossard at gmail.com
Tue Dec 5 18:06:23 UTC 2023


See also https://hackmd.io/@oidf-wg-authzen/wg-meeting-20231205

Agenda

👉 *Add items that you would like to cover on the call* 👈

   - Upcoming holiday schedule
      - Cancel calls during Christmas and New Years weeks? Yes.
         - No meetings on 12/26 and 1/2/24
   - Request for APAC friendly call time
      - Decision to move to 11am PT to accommodate a slightly better time for
        APAC. @gerryatstrata <https://hackmd.io/@gerryatstrata> to notify
        Mike L. of the change. New time effective as of 12/12/23
   - Don’t forget to join the community in
      - 📄 https://hackmd.io/@oidf-wg-authzen
         - 💬 OpenID Slack Channel for AuthZEN
           <https://oidf.slack.com/archives/C0630873JGK>
         - 📧 Mailing list
           <https://lists.openid.net/mailman/listinfo/openid-specs-authzen>
         - 👩‍💻 Github Repo <https://github.com/openid/authzen>
           (<https://docs.google.com/presentation/d/1bWnazk6D54efbO08FUpwOyeLyrxz04hoSx2XwauyID8/edit?usp=sharing>)
   - What is the strategy for an interop?
      - Goal: May 2024 at RSA
         - Is there still such a thing as a PEP SDK?
         - Should we avoid mentioning the word SDK?
   - Review comments from @alexbabeanu, @xmlgrrl, and others on Authorization
     Design Patterns <https://hackmd.io/H2a8WW2vTjOc5xy4Tm85oQ>
   - Discuss plans for EIC (David) and Identiverse
      - Tabled to next meeting
   - Use cases doc (Roland and Alex)
      - Tabled to next meeting

Attendees

👉 *Write your name down if you plan to attend*. 👈

   - Atul Tulshibagwale - SGNL (will join 30 minutes after start of the
   call) - PST
   - @xmlgrrl <https://hackmd.io/@xmlgrrl> - CST
   - @gerryatstrata <https://hackmd.io/@gerryatstrata> - MST
   - Rifaat Shekh-Yusef - EST
   - Roland Baum - CET
   - Omri Gazitt - PST
   - Jeff Broberg - EST
   - Alex Babeanu - PST
   - George Fletcher - EST
   - David Hyland - AEST
   - Dani Katzman - Israel
   - Victor Lu - EST
   - Mickey Martin - EST
   - Bjorn Hjelm - PST
   - @davidbrossard <https://hackmd.io/@davidbrossard> - PST

Interop Conversation

If we think of PEP-PDP, let’s create a site (e.g. the equivalent of jwt.io)
for authorization to demonstrate the interoperability.

   - Language SDKs on the site
   - Gateway support e.g. Kong support for authorization, AWS API GW, Zuplo…
      - Kong already has a plugin for OPA
      - Styra did develop standard patterns for the PEP-PDP
   - What’s our intent with the interop?
      - Do we want to raise awareness?
      - Do we want to show true interop between vendors/implementations?
      - Do we want to encourage software developers to adopt AuthZEN?
      - We want the “OIDC” moment

For the spec, we probably need to start with an implementer’s draft that
defines some of the basics/core common use cases and build from that. That
would allow us to have a draft 2 months from now (end of Jan, early Feb)
leaving 2 months before interop at RSA in May. (George)

@alexbabeanu <https://hackmd.io/@alexbabeanu> suggests focusing on the
Permit/Deny part of the API.

We need to define a well-known use case that brings value to the attendee
(developer/CISO).

Omri draws a comparison with OIDC: there were 2 draws. On the one hand,
SDKs to handle the auth flow. On the other, SSO and integration with
identity management products. The interesting aspect here would be plug 'n
play authorization.

George suggests that the OAuth Step-Up spec probably needs an update to
point to a policy identifier.

What looks like a developer-friendly approach or impedance to developers in
2024 (@xmlgrrl <https://hackmd.io/@xmlgrrl>)?

Authorization Spec

   - David to provide links to the REST Profile of XACML and the
     Request/Response model as well as the JSON profile of XACML.
   - Atul: we could use the sub IDs. See here
     <https://datatracker.ietf.org/doc/html/draft-ietf-secevent-subject-identifiers>.

Use case opportunities

   - Go down the path of being industry-specific? FHIR etc.
   - Go down the path of technical orientation? OWASP
   - Be mindful of the audience/persona (application developer seems
   primary)

Collateral opportunities

   - Site equivalent to oauth.net: vendor neutral, dev resources -
   authzen.io!
   - FAQ - start on HackMD
   - Terminology doc(s)

Next steps

   - Define the first use case → @xmlgrrl <https://hackmd.io/@xmlgrrl>
   - Why other frameworks? document + prior art → @davidbrossard
   <https://hackmd.io/@davidbrossard>
   - Next week’s meeting will be dedicated to the design patterns document
      - Review comments from @alexbabeanu, @xmlgrrl, and others on
        Authorization Design Patterns <https://hackmd.io/H2a8WW2vTjOc5xy4Tm85oQ>