[Openid-specs-authzen] Notes from today's AuthZEN call
Gerry Gebel
gerry at strata.io
Tue Feb 4 21:23:54 UTC 2025
Meeting Notes 2025-02-04

Attendees
- Omri Gazitt
- Alex Babeanu
- Alex Olivier
- George Fletcher
- Vladi Berger
- Mike Kiser
- Wade Ellery
- Victor Lu
- Michiel Trimpe
- Gerry Gebel
- David Brossard
- David Hyland
- Roland Baum
- Elizabeth Garber
Agenda
- Review latest updates to Search API
  - https://openid.github.io/authzen/
- Envoy demo
- AWS API gateway demo
- Discuss STS / Tokenetes pattern
- Design Patterns document
Notes
- Search API updates
  - Formal draft (03) now published on openid.net: https://openid.github.io/authzen/
  - Subject and Resource search are separated, per discussion from last week
  - DH: What about "action"? It's required for things like RAR (but RAR is always in the context of a subject). OG: We only talked a couple of minutes on this last week, so it was not included yet.
  - Getting ids for more than one type seems like it would be difficult to achieve in an interoperable spec
  - OG: In order to have a stable spec for the Gartner interop, we should go with the current version for now and can always add an action search later.
  - David Hyland will write up a proposal to add action search
- Gartner IAM update (March 24-25)
  - We have 3 sessions
    - Homan + David/Omri will have an overview session
    - There is room for up to 15 vendor implementations
    - Evaluation scenario with ToDo app, as done before
    - API gateway scenario
    - IDPs making an AuthZEN call to compliant PDPs to determine which scopes/claims to enrich an access token with
  - You are all encouraged to share this call for participation, which is published on the openid site: https://openid.net/authzen-at-gartner-iam/
  - Let David/Omri know if you can attend Gartner - there are a few passes available if you can cover the T&E
  - Zuplo is committed to participating and is also talking to the AWS API gateway team as well as the AVP/Cedar team
  - David also reached out to other API vendors as well as Mark O'Neill (lead API analyst at Gartner)
- Alex O demonstrates Envoy implementation
  - There is a PR of this code: https://github.com/openid/authzen/pull/201
- Omri demos Amazon API gateway
  - Imported JSON info model
  - Created Lambda authorizers for each
  - ToDo app updated so you can select whether or not an API gateway is part of the request flow
- Tokenetes discussion
  - Devs are conditioned to "look in the token" for authZ
  - The idea is that Tokenetes.io could be another PEP for AuthZEN
  - Ergonomics are similar to what the devs are already used to
  - Atul points out that Google does not make a Zanzibar call for every request, using a similar technique
  - GF: Has seen scenarios where access tokens passed down a services chain can be overloaded with extra functionality that each downstream service needs (also a potential threat vector). Want to be able to downscope the capabilities, so you gain security properties
  - Called the claim a "purpose" rather than "scope" to separate the terms
  - Some additional discussion comparing this to the RAR approach
  - Alex B to add this pattern to the Design Patterns document
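To make the Search API discussion and the IdP token-enrichment scenario concrete, here is an added example (not code from the call, the AuthZEN project, or any vendor): a toy in-memory PDP with an evaluation call, the separate subject and resource searches, and a small scope-selection helper. The request and response shapes, the grant table, and the `scopes_for_token` helper are assumptions for illustration; each search returns ids of one type only, which is the single-type limitation raised in the call.

```python
# Constructed sample grant table: (subject_type, subject_id, action, resource_type, resource_id)
GRANTS = {
    ("user", "alice", "can_read", "todo", "t1"),
    ("user", "alice", "can_edit", "todo", "t1"),
    ("user", "bob", "can_read", "todo", "t1"),
    ("user", "alice", "can_read", "todo", "t2"),
    ("group", "admins", "can_edit", "todo", "t2"),
}


def evaluate(req: dict) -> dict:
    """Evaluation API (assumed shape): one fully specified subject/action/resource -> decision."""
    s, a, r = req["subject"], req["action"], req["resource"]
    key = (s["type"], s["id"], a["name"], r["type"], r["id"])
    return {"decision": key in GRANTS}


def search_subject(req: dict) -> dict:
    """Subject search: subjects of ONE type (req["subject"]["type"]) that may perform
    the action on the given resource. Only ids of that one type are returned."""
    st, a, r = req["subject"]["type"], req["action"]["name"], req["resource"]
    ids = sorted(g[1] for g in GRANTS
                 if g[0] == st and g[2] == a and (g[3], g[4]) == (r["type"], r["id"]))
    return {"results": [{"type": st, "id": i} for i in ids]}


def search_resource(req: dict) -> dict:
    """Resource search: resources of ONE type (req["resource"]["type"]) the given
    subject may perform the action on. Again a single result type per call."""
    s, a, rt = req["subject"], req["action"]["name"], req["resource"]["type"]
    ids = sorted(g[4] for g in GRANTS
                 if (g[0], g[1]) == (s["type"], s["id"]) and g[2] == a and g[3] == rt)
    return {"results": [{"type": rt, "id": i} for i in ids]}


def scopes_for_token(subject: dict, candidate_scopes: dict) -> list:
    """Hypothetical IdP-side helper: keep only candidate scopes whose backing
    evaluation request is allowed, so the token carries a minimal, downscoped
    set of capabilities instead of everything a downstream chain might want."""
    return [scope for scope, (action, resource) in candidate_scopes.items()
            if evaluate({"subject": subject, "action": {"name": action},
                         "resource": resource})["decision"]]
```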