[Openid-specs-authzen] Open issues and PRs

Lombardo, Jeff jeffsec at amazon.com
Tue Aug 19 09:13:12 UTC 2025 

Hi,

I took action on the two items under my name:

  *   Gerry will check the status of issue 300<https://github.com/openid/authzen/issues/300>. Jeff L., you were working on it.
     *   Updated the proposal for metadata
     *   Pushed a new PR:
        *   Decision: Preserved the usage of the iss metadata document parameter.
           *   Rationale:
              *   iss is only required is signature of metadata is enforced by the PDP
              *   Preserving the same taxonomy allows convergence with OAuth2 Protected Resource Metadata RFC
              *   iss (issuer) is pointing to the entity ensuring the metadata anti-tampering protection by exposing the JWKS there. While the iss might point to the PDP server itself, it is not mandatory as the function of acting as PDP and signing metadata can be provided by two different components
              *   Therefore iss does not provide any confusion with the notion of PDP even if coming from the OAuth2 world
              *   Doing otherwise would have AuthZEN having to declare new attribute to IANA
        *   Added the capabilities metadata document field
        *   Added the declaration of the associated IANA registry
  *   Jeff, we need clarification on issue 268<https://github.com/openid/authzen/issues/268> re. authentication.
     *   While it was pretty clear from the beginning that this was not a proposal to make authentication mandatory, I added a new statement in #268 and the associated PR
     *   To answer the comments:
        *   Realm is notion defined by HTTP when using a response header of format WWW-Authenticate. There is nothing new, nothing fancy.
        *   There is no typo (double checked with 2 other spelling tools)
        *   the only MUST is that a 401 has to be returned
        *   Any other information is covered by a SHOULD already
        *   If one does not one authentication, then the initial if makes it sure that the conditions does not apply cause, when no authentication is required, there are no ways you can provide a bad credential, a bad authentication scheme, nor a bad authentication proof.
     *   Still the text as been updated to:
If the protected resource request does not include the proper authentication credentials, does not contain an the proper the correct authentication scheme, or does not have a valid authentication scheme proof that enables access to the protected resource, the resource server MUST respond with a 401 HTTP code and SHOULD include the HTTP "WWW-Authenticate" response header field; it MAY include it in response to other conditions as well. The "WWW-Authenticate" header field uses the framework defined by HTTP/1.1 [RFC2617] and indicate the expected auth-scheme as long as the realm that has authority for it.

Jeff

Jean-François “Jeff” Lombardo | Amazon Web Services

Architecte Principal de Solutions, Spécialiste de Sécurité
Principal Solution Architect, Security Specialist
Montréal, Canada
( +1 514 778 5565

Commentaires à propos de notre échange? Exprimez-vous ici<https://urldefense.com/v3/__https:/feedback.aws.amazon.com/?ea=jeffsec&fn=Jean*20Francois&ln=Lombardo__;JQ!!Pe07N362zA!0k9CkAV8Djpw_8EfIAKrbhP3TQrJr0oMnznlUgBJ3V3NoEk6hihx7dNHnQuejn6SSH2CP8Iow3G-tTzppHeg$>.

Thoughts on our interaction? Provide feedback here<https://urldefense.com/v3/__https:/feedback.aws.amazon.com/?ea=jeffsec&fn=Jean*20Francois&ln=Lombardo__;JQ!!Pe07N362zA!0k9CkAV8Djpw_8EfIAKrbhP3TQrJr0oMnznlUgBJ3V3NoEk6hihx7dNHnQuejn6SSH2CP8Iow3G-tTzppHeg$>.

From: Openid-specs-authzen <openid-specs-authzen-bounces at lists.openid.net> On Behalf Of David Brossard via Openid-specs-authzen
Sent: August 19, 2025 9:59 AM
To: AuthZEN Working Group List <openid-specs-authzen at lists.openid.net>
Cc: David Brossard <david.brossard at gmail.com>
Subject: [EXT] [Openid-specs-authzen] Open issues and PRs


CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe.


AVERTISSEMENT: Ce courrier électronique provient d’un expéditeur externe. Ne cliquez sur aucun lien et n’ouvrez aucune pièce jointe si vous ne pouvez pas confirmer l’identité de l’expéditeur et si vous n’êtes pas certain que le contenu ne présente aucun risque.

Dear all,

We still have 11 issues<https://github.com/openid/authzen/issues/> and 2 pull requests<https://github.com/openid/authzen/pulls> open on the specification draft. In order to move forward to final spec, we need to close these out.


  *   Issue 352 (Michiel) deals with normative HTTP binding paths. I remember early on Omri wanting to formalize the structure of the URLs (/access/v1/evaluation) but the current draft<https://openid.github.io/authzen/> doesn't make any mention of mandatory or normative URLs. In addition, the fact we introduced the metadata endpoint negates the need for normative URLs formats. The only necessary endpoint becomes the metadata endpoint. Given this, Michiel pointed out (and I agree) we probably need to make the metadata endpoint mandatory to be conformant. Today, it's optional.

     *   If there are no objections, we will therefore close this issue i.e. not make any runtime paths normative
     *   We will make the metadata API path normative
     *   We will make the metadata API mandatory

  *   Issue 339 is easy to fix: we write 4-tuple in cases when in fact it can be a 3-tuple or an n-tuple. We should just reword to avoid a specific number. I assigned Alex but he's on PTO. Any takers for the fix?
  *   Issue 325<https://github.com/openid/authzen/issues/325> is outstanding. It has to do with pagination methods. It needs to be wrapped

     *   Also, pagination is defined in no less than 3 sections (8.3.1, 9.3.1, and 10.3.1). They need to be abstracted away. We will use the same pagination method for all API endpoints so no need to rewrite 3 times and risk inconsistencies. Alex B., you were working on this. Do you have time to fix it?

  *   Gerry will check the status of issue 300<https://github.com/openid/authzen/issues/300>. Jeff L., you were working on it.
  *   Jeff, we need clarification on issue 268<https://github.com/openid/authzen/issues/268> re. authentication.
  *   We need to agree to punt issue 250<https://github.com/openid/authzen/issues/250> to after the 1.0 spec. Or punt the entire Evaluations semantics to after 1.0
  *    Issues 230 <https://github.com/openid/authzen/issues/230> and 229 need work. Roland, this was your baby. We can choose to punt it to after 1.0 as well.
  *   Issue 55<https://github.com/openid/authzen/issues/55>: Elie, can you add a proposal?
  *   Issue 47<https://github.com/openid/authzen/issues/47> should be rejected given the extensive rewrites
  *   The same applies to 46.

Thanks all for reading,
David

--
---
David Brossard
http://www.linkedin.com/in/davidbrossard
http://twitter.com/davidjbrossard
http://about.me/brossard
---
Stay safe on the Internet: IC3 Prevention Tips<https://www.capefearnetworks.com/wp-content/uploads/2017/05/Internet-Fraud-Prevention-Tips-IC3.pdf>
Prenez vos précautions sur Internet: https://cyber.gouv.fr/bonnes-pratiques-protegez-vous
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-authzen/attachments/20250819/b3eb7ea0/attachment-0001.htm>

More information about the Openid-specs-authzen mailing list