[Openid-specs-authzen] Evolving the Todo interop scenario to be compliant with AuthZEN 1.0

Omri Gazitt omri at aserto.com
Mon Jul 8 20:01:40 UTC 2024 

Thanks Alex & Andres!

Andres also suggested to model a "todo_list" type / singleton instance,
which has the roles modeled as relationships (admin, evil_genius, editor).
The can_read_todos and can_create_todos permissions payloads can use
the "resource":
{ "type": "todo_list", "id": "todo-list-1" } as the resource context, which
makes sense to me.

On Mon, Jul 8, 2024 at 10:56 AM Andres Aguiar <andres.aguiar at okta.com>
wrote:

>
> FWIW, for some ReBAC implementations, sending the OwnerID in the context
> would work too.
>
>
> On Mon, Jul 8, 2024 at 2:13 PM Alex Babeanu via Openid-specs-authzen <
> openid-specs-authzen at lists.openid.net> wrote:
>
>> *This message originated outside your organization.*
>>
>> ------------------------------
>>
>> Hello there,
>>
>> @Omri Gazitt <omri at aserto.com>  and all, the simplest solution for this
>> is to send the same todo ID to the PDP on every request. Graph-based system
>> can just use 1 single Node representing all possible TODOs, you're really
>> authorizing the action only in this use-case. This singular ID can be
>> ignored by Policy-as-code systems. It's the approach we used for 3Edges in
>> the 1st interop.
>>
>> So  We don't need to store data, no need for events or APIs . This is
>> what the data looks like in 3Edges:
>> [image: image.png]
>>
>> Bottom line, let's call this singular todo `todo1` or something, and
>> always pass that single value (I can just change the current Node ID I have
>> "TodoApp" to use whatever you guys prefer).
>>
>> Cheers,
>>
>> ./\.
>>
>>
>>
>> On Sun, Jul 7, 2024 at 5:16 PM eve--- via Openid-specs-authzen <
>> openid-specs-authzen at lists.openid.net> wrote:
>>
>>> Hey Omri, thanks for all this. I’ll be on the road — Beryl willing — and
>>> can’t attend this coming week’s call. No comments on the new Evaluations
>>> section at this time, but here are quick thoughts fwtw on your Todo
>>> evolution writeup.
>>>
>>> Dynamic resources need to be catered for. A reliance on too-static
>>> resource URLs or IDs will not be sustainable for a lot of APIs needing
>>> protection. With SSF now in the picture, your idea to use it to help manage
>>> resource lifecycles is intriguing. We need a method that's lightweight and
>>> asynchronous from the tasks of policy decision making. Maybe such a
>>> solution could be an SSF profile that is optionally combinable with AuthZEN
>>> usage but on which the latter has no deep dependency.
>>>
>>> Eve Maler | cell and Signal +1 (425) 345-6756 <+1-425-345-6756>
>>> Visit the Venn Factory
>>> <https://urldefense.com/v3/__http://vennfactory.com/__;!!PwKahg!66ljWFYeUAo8Pcc3ZTv79FMnMiNW6JiwHvIjiQz7ilTL6gCb5AUAXuO5kSm06ETN6tVMbEvOjnbQ0_GBPyoAmwJxvwF4a7hYEA$>
>>> Request a 15-minute consultation
>>> <https://urldefense.com/v3/__https://fantastical.app/eve/15__;!!PwKahg!66ljWFYeUAo8Pcc3ZTv79FMnMiNW6JiwHvIjiQz7ilTL6gCb5AUAXuO5kSm06ETN6tVMbEvOjnbQ0_GBPyoAmwJxvwFwiN4EdQ$>
>>>
>>> On Jul 7, 2024, at 4:51 PM, Omri Gazitt via Openid-specs-authzen <
>>> openid-specs-authzen at lists.openid.net> wrote:
>>>
>>> Hi folks! Hope everyone had a good weekend (and for US folks, a good
>>> holiday weekend).
>>>
>>> I took two action items in last week's call:
>>>
>>>    1. Create an AuthZEN 1.1 spec with the /access/v1/evaluations
>>>    section. This is now merged and published
>>>    <https://urldefense.com/v3/__https://openid.github.io/authzen/authorization-api-1_1__;!!PwKahg!66ljWFYeUAo8Pcc3ZTv79FMnMiNW6JiwHvIjiQz7ilTL6gCb5AUAXuO5kSm06ETN6tVMbEvOjnbQ0_GBPyoAmwJxvwGTs-4mVA$>
>>>    !
>>>    2. Update the Todo backend and make it compliant with the new
>>>    AuthZEN 1.0 spec, and specifically the resource ID field being mandatory.
>>>
>>> On #2, I ran into a significant design issue that I believe is worth
>>> discussing on Tuesday's call.  Please read this background document
>>> <https://urldefense.com/v3/__https://hackmd.io/rOm3BA4qSGmX477UXRNUuw?view__;!!PwKahg!66ljWFYeUAo8Pcc3ZTv79FMnMiNW6JiwHvIjiQz7ilTL6gCb5AUAXuO5kSm06ETN6tVMbEvOjnbQ0_GBPyoAmwJxvwGG6Gu17Q$>
>>> so that we can dedicate some time on the agenda to picking a way forward.
>>>
>>> Thanks,
>>> Omri.
>>>
>>> --
>>>
>>> <https://urldefense.com/v3/__http://www.aserto.com/__;!!PwKahg!66ljWFYeUAo8Pcc3ZTv79FMnMiNW6JiwHvIjiQz7ilTL6gCb5AUAXuO5kSm06ETN6tVMbEvOjnbQ0_GBPyoAmwJxvwFpuXwEuw$>
>>> Omri Gazitt | CEO
>>> Aserto
>>> <https://urldefense.com/v3/__http://www.aserto.com/__;!!PwKahg!66ljWFYeUAo8Pcc3ZTv79FMnMiNW6JiwHvIjiQz7ilTL6gCb5AUAXuO5kSm06ETN6tVMbEvOjnbQ0_GBPyoAmwJxvwFpuXwEuw$>
>>> Inc. | (425) 765-0079
>>> --
>>> Openid-specs-authzen mailing list
>>> Openid-specs-authzen at lists.openid.net
>>> https://lists.openid.net/mailman/listinfo/openid-specs-authzen
>>> <https://urldefense.com/v3/__https://lists.openid.net/mailman/listinfo/openid-specs-authzen__;!!PwKahg!66ljWFYeUAo8Pcc3ZTv79FMnMiNW6JiwHvIjiQz7ilTL6gCb5AUAXuO5kSm06ETN6tVMbEvOjnbQ0_GBPyoAmwJxvwFKAvs5_g$>
>>>
>>>
>>> --
>>> Openid-specs-authzen mailing list
>>> Openid-specs-authzen at lists.openid.net
>>> https://lists.openid.net/mailman/listinfo/openid-specs-authzen
>>> <https://urldefense.com/v3/__https://lists.openid.net/mailman/listinfo/openid-specs-authzen__;!!PwKahg!66ljWFYeUAo8Pcc3ZTv79FMnMiNW6JiwHvIjiQz7ilTL6gCb5AUAXuO5kSm06ETN6tVMbEvOjnbQ0_GBPyoAmwJxvwFKAvs5_g$>
>>>
>>
>>
>> --
>> [image: This is Alexandre Babeanu's card. Their email is alex at 3edges.com.
>> Their phone number is +1 604 728 8130.]
>> <https://urldefense.com/v3/__https://hihello.me/p/cda689b1-0378-4b9c-88cf-33a9bc8ef0c5__;!!PwKahg!66ljWFYeUAo8Pcc3ZTv79FMnMiNW6JiwHvIjiQz7ilTL6gCb5AUAXuO5kSm06ETN6tVMbEvOjnbQ0_GBPyoAmwJxvwFsoaPabQ$>
>>
>> CONFIDENTIALITY NOTICE: This e-mail message, including any attachments
>> hereto, is for the sole use of the intended recipient(s) and may contain
>> confidential and/or proprietary information.
>> --
>> Openid-specs-authzen mailing list
>> Openid-specs-authzen at lists.openid.net
>> https://lists.openid.net/mailman/listinfo/openid-specs-authzen
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-authzen/attachments/20240708/09d1f9c1/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image.png
Type: image/png
Size: 225621 bytes
Desc: not available
URL: <http://lists.openid.net/pipermail/openid-specs-authzen/attachments/20240708/09d1f9c1/attachment-0001.png>

More information about the Openid-specs-authzen mailing list