[Openid-specs-authzen] Notes from today's call

David Brossard david.brossard at gmail.com
Tue Sep 10 23:04:03 UTC 2024


Dear all,

Thanks to those of you on the call today. We're getting closer to a
submission. Notes from the call can be found here
<https://hackmd.io/y0HPLJZ3QIOBS3cTLkvwrQ?view> and below.

Thanks,
David


*Meeting Notes 2024-09-10*

*Attendees*

   - @omri
   - @xmlgrrl
   - @alexbabeanu
   - Roland B
   - David Hyland
   - @davidbrossard

*Agenda*

   - Final review of changes for Authorization API draft 01
   - Ordering in boxcarring
   - Revisit the RAR discussion

*API Review*

   - See Authorization API 1.0 – draft 01.
   - RB: why call action an action and not permission or operator?
   - Decision: keep 'action' as it's the commonly accepted term.


*Evaluations API - Ordering of requests and responses.*

   - In boxcarring, the request can contain multiple authorization
   requests. The response therefore contains multiple decisions. Should we
   guarantee the order of the responses with regards to the requests?
   - The team is leaning towards an array of requests and an array of
   responses. This leads to a more lightweight PEP as it no longer needs to
   try and correlate requests to responses.
   - Additionally, it allows for future scenarios e.g. fail-on-first-deny.
      - For instance, a PEP can send the following: "Can Alice view, edit,
      delete record #123?".
      - The traditional response could be "Yes, Deny, Deny" or we could
      short-circuit and just return Deny.
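The boxcarring behaviour discussed above (responses positionally aligned with requests, plus an optional fail-on-first-deny short circuit) as an added example, not code from the call or from the AuthZEN draft: a toy PDP in Python. The request field names, the policy and the response shape are simplified assumptions, not the draft's wire format.

```python
from typing import Any

# Constructed policy for the example (an assumption, not a real deployment):
# subject -> resource -> set of permitted actions. Alice may only view record #123.
POLICY: dict[str, dict[str, set[str]]] = {
    "alice": {"record:123": {"view"}},
}

def evaluate_one(req: dict[str, Any]) -> bool:
    """Decide a single subject/action/resource request against POLICY."""
    permitted = POLICY.get(req["subject"], {}).get(req["resource"], set())
    return req["action"] in permitted

def evaluate_batch(requests: list[dict[str, Any]], deny_on_first_deny: bool = False) -> dict[str, Any]:
    """Evaluate a boxcarred batch. 'evaluations' is positionally aligned with
    'requests', so the PEP correlates by index instead of by a request id.
    With deny_on_first_deny the PDP stops at the first Deny and returns only
    the overall Deny (the short-circuit option discussed in the notes)."""
    if not requests:  # an empty batch must not turn into a vacuous Permit
        return {"decision": False, "evaluations": []}
    decisions: list[bool] = []
    for req in requests:
        decision = evaluate_one(req)
        if deny_on_first_deny and not decision:
            return {"decision": False, "evaluations": []}
        decisions.append(decision)
    return {"decision": all(decisions), "evaluations": decisions}

def boxcar(subject: str, resource: str, actions: list[str]) -> list[dict[str, Any]]:
    """Build the PEP's batch: one request per action on the same resource."""
    return [{"subject": subject, "resource": resource, "action": a} for a in actions]

def pep_view(requests: list[dict[str, Any]], response: dict[str, Any]) -> dict[str, str]:
    """PEP side: map each action to its decision purely by position."""
    return {r["action"]: ("Permit" if d else "Deny")
            for r, d in zip(requests, response["evaluations"])}

# Constructed batch: "Can Alice view, edit, delete record #123?"
REQUESTS = boxcar("alice", "record:123", ["view", "edit", "delete"])

if __name__ == "__main__":
    print(pep_view(REQUESTS, evaluate_batch(REQUESTS)))  # {'view': 'Permit', 'edit': 'Deny', 'delete': 'Deny'}
    print(evaluate_batch(REQUESTS, deny_on_first_deny=True))  # {'decision': False, 'evaluations': []}
```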

*OAuth Interoperability*

   - The feedback from IETF 120 was that there is a mismatch between OAuth
   RAR and the AuthZEN profile.
   - See https://github.com/panva
   - We should also look at the OAuth grant management API and see whether
   there is an ability to plug AuthZEN in there. This would likely be the
   Search API of AuthZEN (when defined).
   - AuthZEN should be used as the standardization framework for an AS to
   talk to a PDP and request authorization (e.g. in a token issue flow to
   check whether a claim can be added to a token or which claims should be
   added)


*Let's all go to Abilene* https://en.wikipedia.org/wiki/Abilene_paradox

*Other work in flight*

   - Separate WG updates?
   - Design Patterns Doc
      - @alexbabeanu ?

*Important Dates*

   - Nordic APIs - Oct 7-9
   - Authenticate - Interop, Panel, and readout planned during the week
   - IIW - Oct 29-31, plus OIDF workshop Oct 28 - Omri is presenting
   AuthZEN WG at the workshop
   - KubeCon Nov 12-15
   - Gartner IAM - Dec 9-11
      - Omri & David have a talk similar to what was done at Identiverse.