[Openid-specs-authzen] Notes from today's call

Lombardo, Jeff jeffsec at amazon.com
Tue Jul 8 21:25:36 UTC 2025 

It sounds like the whole discussion on resource-id tends to call out, at least, for a metadata attribute allowing to specific the capabilities of the PDP in terms of model support (ABAC, RBAC, ReBAC).

What do you think?

Jean-François “Jeff” Lombardo | Amazon Web Services

Architecte Principal de Solutions, Spécialiste de Sécurité
Principal Solution Architect, Security Specialist
Montréal, Canada
( +1 514 778 5565

Commentaires à propos de notre échange? Exprimez-vous ici<https://urldefense.com/v3/__https:/feedback.aws.amazon.com/?ea=jeffsec&fn=Jean*20Francois&ln=Lombardo__;JQ!!Pe07N362zA!0k9CkAV8Djpw_8EfIAKrbhP3TQrJr0oMnznlUgBJ3V3NoEk6hihx7dNHnQuejn6SSH2CP8Iow3G-tTzppHeg$>.

Thoughts on our interaction? Provide feedback here<https://urldefense.com/v3/__https:/feedback.aws.amazon.com/?ea=jeffsec&fn=Jean*20Francois&ln=Lombardo__;JQ!!Pe07N362zA!0k9CkAV8Djpw_8EfIAKrbhP3TQrJr0oMnznlUgBJ3V3NoEk6hihx7dNHnQuejn6SSH2CP8Iow3G-tTzppHeg$>.

From: Openid-specs-authzen <openid-specs-authzen-bounces at lists.openid.net> On Behalf Of David Brossard via Openid-specs-authzen
Sent: July 8, 2025 3:03 PM
To: AuthZEN Working Group List <openid-specs-authzen at lists.openid.net>
Cc: David Brossard <david.brossard at gmail.com>
Subject: [EXT] [Openid-specs-authzen] Notes from today's call


CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe.


AVERTISSEMENT: Ce courrier électronique provient d’un expéditeur externe. Ne cliquez sur aucun lien et n’ouvrez aucune pièce jointe si vous ne pouvez pas confirmer l’identité de l’expéditeur et si vous n’êtes pas certain que le contenu ne présente aucun risque.

Meeting Notes 2025-07-08
Attendees

  *   David Brossard
  *   Jeff Lombardo
  *   Alex Olivier
  *   Julio Auto De Medeiros
  *   Michiel Trimpe
  *   Rajiv Rajani
  *   Travis Farrell
  *   Vatsal Gupta
  *   George Fletcher
  *   Gerry Gebel
  *   Victor Lu
  *   Alex Babeanu

Agenda

  *   Schedule for this call going forward
  *   resource_id conclusions
  *   Pagination pull request #341
  *   More open issues to discuss

     *   278 Inconsistent use of reason…
     *   268 Security section needs details on Client AuthN failure
     *   250 Deny_on_first_deny… examples are cumbersome
     *   230 Search API statistics needed
     *   55 Sign access decision?
     *   46 and 47 Device ID and IP address

  *   AuthZEN briefings for Forrester and KuppingerCole

Notes
Agenda Suggestion

  *   Keep the 11am PT as is and switch the 3pm PT to a time more amenable to Europe. We need to check with APAC folks (Dave H.) whether that's ok and what times would work for them.

     *   On the current call 4 of 9 individuals are in the European time zones (CET and BST)

Resource ID Conclusion

  *   See https://github.com/openid/authzen/issues/329
  *   We want to keep resource ID mandatory for the time being

     *   All interops assumed mandatory resource IDs
     *   Graph implementations require resource ID
     *   Could we make the resource ID a SHOULD rather than a MUST?
     *   Could we make 2 sets of interops? One that requires the identifier and one that 'SHOULD's the interop?

  *   Jeff suggests we're here to create a standard that facilitates integrations and that as a result, we should make resource ID a SHOULD.
  *   We need to ask graph implementers why a mandatory resource ID is necessary.
  *   Do we need to invite Alex B, Omri, and Michael Krotscheck to present their views?

     *   We need ReBAC examples

  *   Possible wording: if a resource identifier is present, it MUST be passed into the AuthZEN request as the resource id.
  *   Alex Babeanu explained that we need a resource ID in graph-based systems

     *   George and David both pointed out that using resource ID to represent the parent is overloading semantics
     *   Ideally we'd use a parent or next-of-kin identifier in the creation cases.
     *   Jeff/Michiel suggest using the properties object

  *   We need to call a dedicated meeting to solve the issue and move forward with the standardization of 1.0 (Fall '25')

Pagination pull request 341

  *   All to review https://github.com/openid/authzen/pull/341
  *   Michiel and Omri added comments. Michiel agrees with Omri that adding obligations is confusing
  *   The work should be split across 2 PRs

     *   Pagination work
     *   Context work

Analyst Briefings
Forrester Briefing (Gerry & Andras Cser)

  *   Forrester is interested in writing more on new standards and possibly hosting interops
  *   Gerry will let the group know when Forrester is ready to move forward

Kuppinger Cole

  *   Gerry has another briefing with Nitish from KC
  *   David will post the slides<https://www.slideshare.net/slideshow/openid-authzen-analyst-briefing-july-2025/281411886> for the briefing to Slideshare for all to get access to
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-authzen/attachments/20250708/a182f55c/attachment-0001.htm>

More information about the Openid-specs-authzen mailing list