[Openid-specs-authzen] The PEP-PDP API

David Brossard david.brossard at gmail.com
Tue Jan 23 05:25:00 UTC 2024 

Dear all,

Last week, it became apparent we need to start simple and low for the
PEP-PDP API if we want to ship anything out and I'd like to propose a few
principles:

   1. Keep transport and message separate
      1. The spec for what a request/response should look like should be
      decoupled from the underlying transport (HTTP or anything else)
      2. As a result, nothing in the transport layer conveys any authZ
      meaning whatsoever
         1. For instance, 401/403 are indications you cannot use the
         authorization service. They don't convey anything about the
request you
         sent or what the PDP (in the broad sense) would have said
      2. Propose a first iteration of request/response that focuses
   exclusively on the easy "binary" yes/no use case
      1. No additional statements/obligations/advice
      2. No batch
      3. No search
   3. Propose a model that is largely attribute-based (where an attribute
   is a key-value pair)
   4. Propose a model that follows the ALFA
   Subject/Action/Resource/Environment or the Cedar
   Principal/Action/Resource/Context
   5. Publish the results using a standardized schema
      1. In the WS-* days of yore, it would have been WSDL
      2. For us, would OpenAPI be good enough?

So with that being said, should we have a request that looks like the
following:

   - Made up of 4 objects of the same type (e.g. Category to use ALFA
   parlance):
      - Subject, Action, Resource, Context
      - If these objects are arrays of the said type, then we are paving
      the way for batch requests
   - Each of these objects contains an array of attributes e.g. key-value
   pairs
      - The attributes could be primitive types e.g. string, double, boolean
      - The attributes could be complex e.g. a JSON payload

The response should simply be the decision itself:

   - Permit/Deny
      - Again, if we want to plan ahead and think of batch requests then
      the response should be an array rather than an object.
   - Optionally the list of identifiers of things (policies) used in the
   decision-making process

Thoughts?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-authzen/attachments/20240122/01812bf0/attachment.html>

More information about the Openid-specs-authzen mailing list