[Openid-specs-authzen] Comments on the Authzen API GW Profile

Michael Schwartz mike at gluu.org
Wed Jan 15 01:51:55 UTC 2025


Here is the feedback on the discussion about the API GW authzen profile
that I also posted on OpenID Authzen Slack for the official mailing list
record:

1. IMHO, the Resource type should be "HTTP_Request" not "path" -- there is
always way more to an API proxy decision than just a path. And the path
itself is not even enough to uniquely identify a resource. The entitlement
request is to perform an HTTP Request with a certain method and
context--not to just access a certain path.

2. We can define a minimum required schema but allow room for extension. I
guess what I'm wondering is if we can reduce the scope of this profile more.

3. A URL may include schema, host, port, path, query, and fragment. Also, I
wonder if the host should allow for policies based on the domain, i.e. for
google.com domain do this... for gmail.com domain... do something else.

4. The HTTP request includes url, headers, body. These are all things
the developer is sending from Postman in the request. IMHO, Context should
be for data that is external to the resource, like the time of day, which
you don't send in the Postman request.

5. It's unclear why the sample shows the route as ".../pets/{id}". The
request would be for an exact path. It may seem trivial, but we don't
want to define any kind of replacement or regex syntax here.

6. For the resource id (or the subject id), why not make it a hash of the
properties? That way it will be unique, and represent the totality of the
request. It's really quick and easy for the API gateway to generate a
sha-256 hash.

7. I really don't like the subject sent as "JWT" with the value as the id.
At a minimum, you should use the fingerprint of the token, and not the
token itself.  Perhaps it would be better to send client claims in the
subject properties, like client_id, scopes, and allow for extension for
customers who have custom access token claims?

8. For the resource... what about something like this:

{
  "type": "AuthZen::HTTP_REQUEST",
  "id": "31d342599750a22f90a1d6b3d765549231e6b3091530f8f813e2f754e9d62422",
  "properties": {
    "header": {
      "Accept": "application/json",
      "User-Agent": "AuthzenClient/1.0",
      "Host": "www.acme.com",
      "Content-Type": "multipart/form-data"
    },
    "url": {
      "scheme": "https",
      "host": "www",
      "domain": "acme.com",
      "port": 443,
      "path": "/protected",
      "query": {
        "param1": "value"
      },
      "fragment": "TOC"
    },
    "body": {
      "form1": {
        "field1": "value1",
        "field2": "value2"
      }
    }
  }
}


--------------------------------------
Michael Schwartz
Gluu
Founder/CEO
mike at gluu.org
https://www.linkedin.com/in/nynymike
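As an added worked example (not code from this thread, the AuthZen spec, or Gluu), here is how an API gateway could assemble an evaluation request along the lines proposed above: the URL split into scheme/host/domain/port/path/query/fragment, the resource id derived as a sha-256 over the canonicalised properties (point 6), the subject identified by a token fingerprint with client_id and scopes in its properties rather than by the raw token (point 7), and request-external data such as time of day carried in context (point 4). The `AuthZen::HTTP_REQUEST` type, the host/domain split on the first DNS label, the `access_token` subject type, and the helper names are all assumptions of this example; the HTTP method is placed in `action.name` following the general AuthZen request shape.

```python
import hashlib
import json
from urllib.parse import parse_qs, urlsplit


def split_url(url: str) -> dict:
    """Decompose a URL into the scheme/host/domain/port/path/query/fragment
    fields of the proposed resource.properties.url object.

    Assumption: 'host' is the first DNS label and 'domain' is the rest,
    matching the "www" / "acme.com" split in the sample above."""
    parts = urlsplit(url)
    hostname = parts.hostname or ""
    labels = hostname.split(".")
    host = labels[0] if len(labels) > 1 else hostname
    domain = ".".join(labels[1:]) if len(labels) > 1 else ""
    port = parts.port or (443 if parts.scheme == "https" else 80)
    query = {
        k: v[0] if len(v) == 1 else v
        for k, v in parse_qs(parts.query, keep_blank_values=True).items()
    }
    return {
        "scheme": parts.scheme,
        "host": host,
        "domain": domain,
        "port": port,
        "path": parts.path,
        "query": query,
        "fragment": parts.fragment,
    }


def canonical_hash(obj) -> str:
    """sha-256 over a canonical JSON encoding (sorted keys, no whitespace),
    so any gateway that sees the same request derives the same id."""
    data = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


def build_resource(url: str, headers: dict, body) -> dict:
    """Resource of type AuthZen::HTTP_REQUEST whose id is the hash of its
    properties. The Authorization header is dropped so the bearer token
    never travels inside the resource (consistent with point 7)."""
    safe_headers = {k: v for k, v in headers.items() if k.lower() != "authorization"}
    props = {"header": safe_headers, "url": split_url(url), "body": body}
    return {"type": "AuthZen::HTTP_REQUEST", "id": canonical_hash(props), "properties": props}


def build_subject(access_token: str, claims: dict) -> dict:
    """Subject identified by a token fingerprint rather than the raw token.
    `claims` are the claims the gateway already validated from the token;
    signature validation itself is assumed to happen before this point."""
    fingerprint = hashlib.sha256(access_token.encode()).hexdigest()
    return {
        "type": "access_token",
        "id": fingerprint,
        "properties": {
            "client_id": claims.get("client_id"),
            "scopes": claims.get("scope", "").split(),
        },
    }


def build_evaluation_request(method, url, headers, body, access_token, claims, context):
    """Assemble the four parts of an AuthZen evaluation request. The HTTP
    method is the action; data the caller never sends (time of day) is
    context rather than a resource property."""
    return {
        "subject": build_subject(access_token, claims),
        "resource": build_resource(url, headers, body),
        "action": {"name": method},
        "context": context,
    }


if __name__ == "__main__":
    # Constructed sample request; the token value is a placeholder, not a real JWT.
    req = build_evaluation_request(
        "POST",
        "https://www.acme.com/protected?param1=value#TOC",
        {"Accept": "application/json", "Host": "www.acme.com",
         "Authorization": "Bearer PLACEHOLDER.ACCESS.TOKEN"},
        {"form1": {"field1": "value1", "field2": "value2"}},
        "PLACEHOLDER.ACCESS.TOKEN",
        {"client_id": "postman-app", "scope": "pets:read pets:write"},
        {"time": "2025-01-15T01:51:55Z"},
    )
    print(json.dumps(req, indent=2))
```

Because the id is computed over a canonical serialisation, two requests that differ only in a query value get different ids while a repeated identical request gets the same one, which is what makes the hash usable as a stable, content-derived identifier rather than a random one.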
