[Openid-specs-authzen] Notes from today's call

David Brossard david.brossard at gmail.com
Tue Feb 18 20:09:12 UTC 2025


Also available here <https://hackmd.io/@oidf-wg-authzen/wg-meeting-20250218>.

Meeting Notes 2025-02-18

Attendees

   - Roland Baum
   - Budhaditya Bhattacharya (Budha) - Tyk

Agenda

   - Partial evaluation update (David B)
   - Action Search (David H)
   - Interop participation update (Omri)
   - Security review process by OpenID Foundation (David B)

Notes

Partial Evaluation Meeting

   - Vladi, Michiel, and David met to discuss the spec
   - We received feedback from Pablo (Axiomatics)
      - David to publish
   - We need to generalize the function concept so we can allow for nested
   functions (e.g. lower(stringEqual()))
   - We agree to follow the AuthZEN request structure
      - Only one unknown category
      - What about context?
   - We agree partial evaluation will be exposed on a separate endpoint
   - We agreed we would have profiles to convert partial evaluation
   responses into target system filters e.g. SQL, GraphQL…
   - We agreed there would be an extension mechanism for functions not
   supported by all vendors
   - *Next step:* David to write the formal part of the partial evaluation
   spec

Action Search Profile

   - Presented by Dave Hyland
   - https://hackmd.io/DQcL9fXfSW6EsxEp_DefRg?view
   - Questions
      - Are actions assumed to be flat? (George)
         - Yes - there is generally no hierarchy
         - Vladi: the action full access could include read and write
         - Conclusion: the evaluation doesn't have any hierarchy.
      - Should there be a context category in the request?
      - Should the action category be removed?

Interop Update

   - 2 confirmed scenarios: the demo and the gateway
   - 3 interop sessions with 5 slots (tables) each
   - 10-15 slots
   - about 8 people showing up
   - 2 possible new PDPs: Okta OpenFGA and AWS AVP
   - 4 gateway implementations: AWS API Gateway, Kong, Zuplo, Envoy.
   - Tyk and WSO2 are likely gateways as are 42crunch and Layer 7

OpenID Security Review Process

   - Gail has reached out to the chairs to talk about the testing process
   of the AuthZEN spec as part of the steps to standardization.
   - It sounds like this would require additional funding
   - We're trying to understand what we need to do specifically
   - Has anyone gone through this process previously?
      - George: see FAPI's attacker model
      <https://openid.net/specs/fapi-2_0-attacker-model-ID2.html>
      - Are requests immutable? Can the PDP trust the request coming from
      the PEP? Can the PDP trust the PEP to enforce the decision? Can the PDP
      be manipulated?
   - The process is from the University of Stuttgart
   - We need to identify the core threats we see in AuthZEN

Repository Structure

   - The OpenID AuthZEN repository will contain the spec
   - The AuthZEN github repository <https://github.com/authzen/> will
   contain code

Next Steps

   - Dedicated partial evaluation meeting on Wednesday - see mailing list
   for details
   - Schedule Alex B's OSW presentation for a future call after the AuthZEN
   interop
   - David to follow up with Gail re. security testing
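
An added example, not code from the meeting or from the AuthZEN project, of the kind of profile the partial-evaluation notes above describe: a residual returned by a hypothetical partial-evaluation endpoint is compiled into a parameterized SQL WHERE clause and run against a table. The residual format ({"fn": ..., "args": [...]} nodes with {"ref": ...} and {"val": ...} leaves), the function names, the attribute-to-column mapping, the table schema and the sample rows are all assumptions made here; the notes say the formal spec text is still to be written. The example covers three of the agreed points: nested functions (lower() inside equals()), a single unknown category (only resource.* may be referenced), and an extension mechanism (a function outside the SQL profile is rejected rather than silently emitted). Literals never reach the SQL text, only placeholders do.

```python
"""Added example: compile a partial-evaluation residual into a parameterized SQL filter.

Everything about the residual format here is an assumption for illustration; the
AuthZEN partial-evaluation spec text has not been written yet.
"""
import sqlite3

# Assumed residual shape: interior nodes {"fn": <name>, "args": [<node>, ...]};
# leaves are {"ref": "<category>.<attribute>"} or {"val": <literal>}.
UNKNOWN_CATEGORY = "resource"        # the single unknown category from the notes

# Explicit attribute -> column allowlist (assumed schema): a residual can only
# name attributes listed here, so it can never reach arbitrary columns.
COLUMNS = {
    "resource.owner": "owner_id",
    "resource.classification": "classification",
    "resource.dept": "department",
}


class UnsupportedFunction(Exception):
    """Raised for functions outside this SQL profile (the extension-mechanism case)."""


def _compile(node, params):
    """Recursively render one residual node; literals become ? placeholders."""
    if "val" in node:
        params.append(node["val"])
        return "?"
    if "ref" in node:
        ref = node["ref"]
        if not ref.startswith(UNKNOWN_CATEGORY + "."):
            raise ValueError(f"only {UNKNOWN_CATEGORY!r} may be unknown: {ref}")
        if ref not in COLUMNS:
            raise ValueError(f"no column mapping for attribute {ref}")
        return COLUMNS[ref]
    fn, args = node["fn"], node["args"]
    if fn in ("and", "or"):
        if not args:
            raise ValueError(f"{fn} needs at least one argument")
        joiner = " AND " if fn == "and" else " OR "
        return "(" + joiner.join(_compile(a, params) for a in args) + ")"
    if fn == "not":
        (inner,) = args
        return f"(NOT {_compile(inner, params)})"
    if fn == "equals":
        left, right = args
        return f"({_compile(left, params)} = {_compile(right, params)})"
    if fn == "lower":                          # nested functions compose naturally
        (inner,) = args
        return f"LOWER({_compile(inner, params)})"
    if fn == "in":
        target, members = args
        values = members.get("val")
        if not isinstance(values, list) or not values:
            raise ValueError("'in' needs a non-empty literal list as its second argument")
        column = _compile(target, params)
        params.extend(values)
        return f"({column} IN ({', '.join('?' * len(values))}))"
    raise UnsupportedFunction(fn)


def to_sql_filter(residual):
    """Return (where_clause, params) for a residual; literals stay out of the SQL text."""
    params = []
    return _compile(residual, params), params


# Constructed residual: "owner is alice, OR the document is public (any case)
# and belongs to sales or marketing". The lower() around classification is
# the nested-function case from the notes.
SAMPLE_RESIDUAL = {
    "fn": "or",
    "args": [
        {"fn": "equals", "args": [{"ref": "resource.owner"}, {"val": "alice"}]},
        {"fn": "and", "args": [
            {"fn": "equals", "args": [
                {"fn": "lower", "args": [{"ref": "resource.classification"}]},
                {"val": "public"},
            ]},
            {"fn": "in", "args": [{"ref": "resource.dept"}, {"val": ["sales", "marketing"]}]},
        ]},
    ],
}

# Constructed rows for an in-memory table: (id, owner_id, classification, department).
SAMPLE_ROWS = [
    (1, "alice", "Public", "sales"),
    (2, "bob", "public", "marketing"),
    (3, "bob", "Secret", "sales"),
    (4, "carol", "PUBLIC", "hr"),
    (5, "dave", "public", "sales"),
]


def filter_documents(residual, rows=SAMPLE_ROWS):
    """Apply the compiled filter to an in-memory SQLite table; return matching ids."""
    where, params = to_sql_filter(residual)
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE documents (id INTEGER, owner_id TEXT, classification TEXT, department TEXT)")
    conn.executemany("INSERT INTO documents VALUES (?, ?, ?, ?)", rows)
    ids = [row[0] for row in conn.execute(f"SELECT id FROM documents WHERE {where} ORDER BY id", params)]
    conn.close()
    return ids


if __name__ == "__main__":
    print(to_sql_filter(SAMPLE_RESIDUAL))
    print(filter_documents(SAMPLE_RESIDUAL))
```

The two things worth keeping from this shape regardless of what the final spec looks like are the attribute allowlist (the PDP's residual is an input from another party and should not be able to name columns the profile did not publish) and the hard failure on an unknown function (a filter that silently drops a conjunct would over-return rows, which is the wrong way to fail for an authorization filter).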