[Openid-specs-authzen] Inconsistencies in the Interop payloads?

Omri Gazitt omri at aserto.com
Tue Apr 30 23:31:54 UTC 2024


It’s intentional.

The GET /users/{id} uses the PID (extracted out of the sub claim in the
JWT) that comes out of the IDP to retrieve the currently logged-in user (in
order to render their picture).

The other users are looked up by their email (to make it much easier to see
who is the owner of a todo, rather than have to look up PIDs).

In a perfect world, we would receive the email in the subject claim from
the canned (Dex-based) IDP that we used for this demo. But I didn’t have
time to investigate how to create custom PIDs and just used what we had for
expediency.

It works, so I’d like to keep it this way…


Omri Gazitt | CEO

Aserto <http://www.aserto.com/> Inc. | (425) 765-0079


On Tue, Apr 30, 2024 at 9:31 AM David Brossard via Openid-specs-authzen <
openid-specs-authzen at lists.openid.net> wrote:

> Dear all,
>
> It seems as though there are inconsistencies in the payload examples. I'm
> using the following docs:
>
>    - the website: https://authzen-interop.net/docs/scenarios/todo
>    - the hackmd note: https://hackmd.io/gNZBRoTfRgWh_PNM0y2wDA?view
>    - the github tests file:
>    https://github.com/openid/authzen/blob/main/interop/authzen-todo-backend/test/decisions.json
>
>
> In all cases, we use either userID or owner in the resource category to
> describe the user:
>
> {
>   "subject": {
>     "identity": "<subject_from_jwt>"
>   },
>   "action": {
>     "name": "can_read_user"
>   },
>   "resource": {
>     "userID": "<email_OR_subject>"
>   },
>   "context": {
>   }
> }
>
> or
>
> {
>   "subject": {
>     "identity": "<subject_from_jwt>"
>   },
>   "action": {
>     "name": "can_update_todo"
>   },
>   "resource": {
>     "ownerID": "<email_of_owner>",
>     "type": "todo"
>   },
>   "context": {
>   }
> }
>
> Is that intentional? It would make more sense to always use owner since
> it's the grammatical purpose of the attribute in the resource category. Am
> I missing something?
>
> Thanks,
> David.
>
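As an added illustration (not code from the AuthZen interop backend or from either poster), the snippet below builds the two evaluation request shapes quoted in the thread and resolves the resource identifier the way the reply describes: the logged-in user by PID taken from the JWT sub claim, other users by email. The user directory, the PIDs, the unsigned stand-in token and the policy rules inside evaluate() are all constructed for this example; the AuthZen response shape {"decision": bool} is assumed.

```python
import base64
import json

# Constructed sample user directory keyed by PID (the IdP's subject id).
USERS = {
    "pid-001": {"email": "rick@example.test", "name": "Rick"},
    "pid-002": {"email": "morty@example.test", "name": "Morty"},
}
# Reverse index so a user can also be referenced by email, as todos do.
EMAIL_INDEX = {u["email"]: pid for pid, u in USERS.items()}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_stand_in_token(sub: str) -> str:
    """Constructed stand-in for the IdP's JWT; carries only the sub claim.
    The signature segment is a placeholder: a real token is signed and must
    be verified by the auth middleware before sub is trusted."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": sub}).encode())
    return f"{header}.{payload}.constructed-signature"


def subject_from_jwt(token: str) -> str:
    """Extract sub from the payload segment. Decoding only: signature
    verification is assumed to have already happened upstream."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))["sub"]


def read_user_request(token: str, user_ref: str) -> dict:
    """First shape from the thread: resource.userID is a PID or an email."""
    return {
        "subject": {"identity": subject_from_jwt(token)},
        "action": {"name": "can_read_user"},
        "resource": {"userID": user_ref},
        "context": {},
    }


def update_todo_request(token: str, owner_email: str) -> dict:
    """Second shape from the thread: resource.ownerID is the owner's email."""
    return {
        "subject": {"identity": subject_from_jwt(token)},
        "action": {"name": "can_update_todo"},
        "resource": {"ownerID": owner_email, "type": "todo"},
        "context": {},
    }


def resolve_user(user_ref: str) -> tuple:
    """Mirror the reply's two lookup paths: PID first (GET /users/{id} for
    the logged-in user), then email (how other users are referenced)."""
    if user_ref in USERS:
        return user_ref, USERS[user_ref]
    pid = EMAIL_INDEX.get(user_ref)
    if pid is None:
        raise KeyError(f"unknown user reference: {user_ref}")
    return pid, USERS[pid]


def evaluate(request: dict) -> dict:
    """Toy PDP with constructed rules (not the interop policy): a user may
    read their own record and update todos they own. Returns an
    AuthZen-style {"decision": bool}; unknown users or references deny."""
    subject_pid = request["subject"]["identity"]
    subject = USERS.get(subject_pid)
    if subject is None:
        return {"decision": False}
    action = request["action"]["name"]
    resource = request["resource"]
    if action == "can_read_user":
        try:
            target_pid, _ = resolve_user(resource["userID"])
        except KeyError:
            return {"decision": False}
        return {"decision": target_pid == subject_pid}
    if action == "can_update_todo":
        return {"decision": resource.get("ownerID") == subject["email"]}
    return {"decision": False}


if __name__ == "__main__":
    token = make_stand_in_token("pid-001")
    print(evaluate(read_user_request(token, "pid-001")))
    print(evaluate(read_user_request(token, "rick@example.test")))
    print(evaluate(update_todo_request(token, "morty@example.test")))
```

The point of resolve_user() is that the same request field can carry either identifier form, so a PDP has to know which directory key to try; keying the resource attribute consistently (as the question suggests) removes that branch.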