[Openid-specs-authzen] Notes from today's call

David Brossard david.brossard at gmail.com
Tue Jul 8 19:03:18 UTC 2025 

Meeting Notes 2025-07-08 <#Attendees>Attendees

   - David Brossard
   - Jeff Lombardo
   - Alex Olivier
   - Julio Auto De Medeiros
   - Michiel Trimpe
   - Rajiv Rajani
   - Travis Farrell
   - Vatsal Gupta
   - George Fletcher
   - Gerry Gebel
   - Victor Lu
   - Alex Babeanu

<#Agenda>Agenda

   - Schedule for this call going forward
   - resource_id conclusions
   - Pagination pull request #341
   - More open issues to discuss
      - 278 Inconsistent use of reason…
      - 268 Security section needs details on Client AuthN failure
      - 250 Deny_on_first_deny… examples are cumbersome
      - 230 Search API statistics needed
      - 55 Sign access decision?
      - 46 and 47 Device ID and IP address
   - AuthZEN briefings for Forrester and KuppingerCole

<#Notes>Notes <#Agenda-Suggestion>Agenda Suggestion

   - Keep the 11am PT as is and switch the 3pm PT to a time more amenable
   to Europe. We need to check with APAC folks (Dave H.) whether that's ok and
   what times would work for them.
      - On the current call 4 of 9 individuals are in the European time
      zones (CET and BST)

<#Resource-ID-Conclusion>Resource ID Conclusion

   -

   See https://github.com/openid/authzen/issues/329
   -

   We want to keep resource ID mandatory for the time being
   - All interops assumed mandatory resource IDs
      - Graph implementations require resource ID
      - Could we make the resource ID a SHOULD rather than a MUST?
      - Could we make 2 sets of interops? One that requires the identifier
      and one that 'SHOULD's the interop?
   -

   Jeff suggests we're here to create a standard that facilitates
   integrations and that as a result, we should make resource ID a SHOULD.
   -

   We need to ask graph implementers why a mandatory resource ID is
   necessary.
   -

   Do we need to invite Alex B, Omri, and Michael Krotscheck to present
   their views?
   - We need ReBAC examples
   -

   Possible wording: if a resource identifier is present, it MUST be passed
   into the AuthZEN request as the resource id.
   -

   Alex Babeanu explained that we need a resource ID in graph-based systems
   - George and David both pointed out that using resource ID to represent
      the parent is overloading semantics
      - Ideally we'd use a parent or next-of-kin identifier in the creation
      cases.
      - Jeff/Michiel suggest using the properties object
   -

   We need to call a dedicated meeting to solve the issue and move forward
   with the standardization of 1.0 (Fall '25')

<#Pagination-pull-request-341>Pagination pull request 341

   - All to review https://github.com/openid/authzen/pull/341
   - Michiel and Omri added comments. Michiel agrees with Omri that adding
   obligations is confusing
   - The work should be split across 2 PRs
      - Pagination work
      - Context work

<#Analyst-Briefings>Analyst Briefings
<#Forrester-Briefing-Gerry-amp-Andras-Cser>Forrester Briefing (Gerry &
Andras Cser)

   - Forrester is interested in writing more on new standards and possibly
   hosting interops
   - Gerry will let the group know when Forrester is ready to move forward

<#Kuppinger-Cole>Kuppinger Cole

   - Gerry has another briefing with Nitish from KC
   - David will post the slides
   <https://www.slideshare.net/slideshow/openid-authzen-analyst-briefing-july-2025/281411886>
   for the briefing to Slideshare for all to get access to
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-authzen/attachments/20250708/190e153c/attachment.htm>

More information about the Openid-specs-authzen mailing list