[Openid-specs-authzen] Notes from yesterday's call
David Brossard
david.brossard at gmail.com
Wed Feb 12 19:58:23 UTC 2025
Link: Meeting Notes 2025-02-11 <https://hackmd.io/@oidf-wg-authzen/ryylneYFyg>

Attendees
- Omri Gazitt
- David Brossard
- Michiel Trimpe
- Vladi Berger
- Amos Alubala
- Gerry Gebel
- Eve Maler
- Alex Babeanu
- Roland Baum
- Mark Berg
- Victor Lu

Agenda
- Open API spec: we are asking for a volunteer to write this up
- Interop demo - what we have so far
- Confirming participation at Gartner IAM in London
  - Aserto
  - Axiomatics
  - Cerbos
  - PlainID (not able to attend in person)
  - Okta FGA (may not be able to send someone)
  - Zuplo
  - SGNL
  - Curity (potential)
  - Layer7 (potential)
  - 42Crunch (potential)
- Partial evaluation feedback
- Action Search draft
  - https://hackmd.io/DQcL9fXfSW6EsxEp_DefRg?view
- AlexB:
  - Should we sign authzen requests and/or responses? Tokenize authzen?
  - conveying from Dave H.: GTWY integration granularity - should conform to standards (e.g., FAPI)

Notes
- Open API spec: Michiel offered to create a draft
  - JSON schema is here: https://github.com/openid/authzen/tree/main/api/schemas
- Interop
  - two additional selects plus the original are normalized (1_0-00, 1_0-01 and 1_0-02)
  - API gateway selector and Gateway PDP selector
  - Repo includes code for AWS and Envoy gateways
  - Test harness review
  - Results table for PDPs that have passed compliance
  - Create a pull request to add a gateway or PDP for the API gateway scenarios
- Partial evaluation feedback
  - David, Vladi, and Michiel will schedule a breakout session
- Should AuthZEN requests and responses be signed?
  - Agreement on the call that this should not be in the spec, but security suggestions could be part of an implementation guide
- Some discussion around fine-grained vs coarse-grained authZ at the gateway
  - Proxied from David H via Alex B - shouldn't the interop follow conventions like FAPI?
  - There is no blocker in the spec, it's that there are some limitations in the demo setup. Specifically the gateway does not have enough context to make fine-grained requests.