[Openid-specs-authzen] notes from today's call
Gerry Gebel
gerry at strata.io
Tue Jun 24 22:07:21 UTC 2025
Attendees
- Gerry Gebel
- David Brossard
- George Fletcher
- Vatsal Gupta
- Elie Azerad
- Julio Auto De Medeiros
- Michiel Trimpe
- Jonathan Falconnier
- Alex Babeanu
Agenda
- Review open issues with the group
  - 329 Resource creation when id is not yet known
  - 325 Leave more leeway for pagination
  - 278 Inconsistent use of reason…
  - 268 Security section needs details on Client AuthN failure
  - 250 Deny_on_first_deny… examples are cumbersome
  - 230 Search API statistics needed
  - 55 Sign access decision?
  - 46 and 47 Device ID and IP address
- Alex B and reason code update
- Authenticate update: speaking proposal was accepted
- Gartner interop planning - update details on all the potential participants
- Meeting time schedule - let's review and also talk about the summer schedule
Notes
Open issue review
- David, Gerry and Jeff met last week to review all the open issues. The
  following are issues that we wanted to discuss with the broader group
  - 329: Resource id will be optional. We recommend that id always be
    included except during create. Alex B agreed to make an update and pull
    request
  - 325: Recommendation:
    We introduce a type field inside the page object. Define pagination type
    values. There are 2 values at the moment:
      - token
      - offset
    The type determines which other fields are present in the page object.
    For instance, token will require a token field.
    We also need to think about limits we have to apply to pagination to
    avoid DoS attacks or server overloads. The backend needs to have its own
    limits/validation (either under security considerations or in the
    pagination section).
    Recommendation #2: factor out pagination from the specific sections it is
    in into a single pagination section that applies to all parts where
    pagination is relevant.
    Note: we need to steer clear of transport-level breakup principles
    (chunked responses, multi-parts, etc.) that are specific to the
    transport mechanism chosen (HTTP REST vs. gRPC vs. other)
  - 230: See parent issue 325 for comments.
    The metadata endpoint could specify which statistics are provided.
- Other
  - Michiel asked if a logging standard could be added to AuthZEN
  - David is agreeable
  - George - some similar discussions have emerged in the SSF, may want
    to take this to IETF if it is broad enough
  - Michiel will work on a proposal and share it with the group on a
    future call
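The page-object validation discussed under issue 325, as an added example that is not part of these notes, the AuthZEN specification, or any implementation. The notes only establish a type field with the values token and offset, that token requires a token field, and that the backend needs its own limits. Everything else here is assumed: the size field and default, the concrete limit values, the rule that a field belonging to the other pagination type is rejected, and the continuation-token format (cursor plus HMAC so a client cannot forge or tamper with it). The sample data and key are constructed for the demo.

```python
"""Server-side validation of an AuthZEN-style ``page`` object (added example for
issue 325; not code from the AuthZEN spec or any implementation). The notes only
fix the ``type`` field with values ``token``/``offset`` and that ``token`` needs a
``token`` field; the ``size`` field, limits and HMAC token format are assumed here."""
import base64
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# Assumed backend limits: the notes say the backend needs its own limits/validation.
DEFAULT_PAGE_SIZE, MAX_PAGE_SIZE, MAX_OFFSET, MAX_TOKEN_LEN = 20, 100, 10_000, 256
# Extra fields each type requires ("token" -> token is from the notes; "offset" -> offset assumed).
REQUIRED_FIELDS = {"token": frozenset({"token"}), "offset": frozenset({"offset"})}
_TOKEN_KEY = b"demo-pagination-key-not-for-production"  # constructed; load from a secret store
_MAC_LEN = 16


class PageError(ValueError):
    """Any page object the server refuses to act on."""


@dataclass(frozen=True)
class Page:
    type: str
    size: int
    offset: int = 0              # cursor; derived from the token for type "token"
    token: Optional[str] = None  # the client-supplied token, if any


def _strict_int(value, name: str) -> int:
    if isinstance(value, bool) or not isinstance(value, int):  # bool subclasses int
        raise PageError(f"{name} must be an integer")
    return value


def make_token(next_offset: int) -> str:
    """Opaque continuation token: cursor plus an HMAC so clients cannot forge one."""
    body = str(next_offset).encode()
    mac = hmac.new(_TOKEN_KEY, body, hashlib.sha256).digest()[:_MAC_LEN]
    return base64.urlsafe_b64encode(body + mac).decode().rstrip("=")


def _verify_token(token: str) -> int:
    """Return the cursor inside a token, rejecting anything this server did not issue."""
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    except ValueError:
        raise PageError("malformed token") from None
    body, mac = raw[:-_MAC_LEN], raw[-_MAC_LEN:]
    expected = hmac.new(_TOKEN_KEY, body, hashlib.sha256).digest()[:_MAC_LEN]
    if not body.isdigit() or not hmac.compare_digest(mac, expected):
        raise PageError("token failed integrity check")
    return int(body)


def parse_page(obj) -> Page:
    """Validate a decoded ``page`` object and apply the server's limits."""
    if not isinstance(obj, dict):
        raise PageError("page must be a JSON object")
    keys, ptype = set(obj), obj.get("type")
    if ptype not in REQUIRED_FIELDS:
        raise PageError(f"unknown pagination type: {ptype!r}")
    missing = REQUIRED_FIELDS[ptype] - keys
    if missing:
        raise PageError(f"type {ptype!r} requires field(s) {sorted(missing)}")
    # Reject fields of the other type so a client cannot mix modes and rely on
    # whichever one the backend happens to read first.
    foreign = set().union(*(f for t, f in REQUIRED_FIELDS.items() if t != ptype)) & keys
    if foreign:
        raise PageError(f"fields {sorted(foreign)} not valid for type {ptype!r}")
    size = _strict_int(obj.get("size", DEFAULT_PAGE_SIZE), "size")
    if size < 1:
        raise PageError("size must be positive")
    size = min(size, MAX_PAGE_SIZE)  # cap quietly; never trust the client's size
    if ptype == "offset":
        offset = _strict_int(obj["offset"], "offset")
        if not 0 <= offset <= MAX_OFFSET:
            raise PageError(f"offset must be in 0..{MAX_OFFSET}")
        return Page("offset", size, offset)
    token = obj["token"]
    if not isinstance(token, str) or not 0 < len(token) <= MAX_TOKEN_LEN:
        raise PageError("token must be a non-empty string within the length limit")
    return Page("token", size, _verify_token(token), token)  # server-issued cursor, not capped


def apply_page(items: Sequence, page: Page) -> Tuple[List, Optional[dict]]:
    """One page of ``items`` plus the ``page`` object for the next request (None when done)."""
    chunk = list(items[page.offset:page.offset + page.size])
    end = page.offset + len(chunk)
    if end >= len(items):
        return chunk, None
    if page.type == "offset":
        return chunk, {"type": "offset", "offset": end, "size": page.size}
    return chunk, {"type": "token", "token": make_token(end), "size": page.size}


if __name__ == "__main__":
    resources = [f"res-{i}" for i in range(250)]  # constructed sample data
    nxt = {"type": "token", "token": make_token(0), "size": 100000}  # size gets capped to 100
    while nxt is not None:
        chunk, nxt = apply_page(resources, parse_page(nxt))
        print(len(chunk), nxt)
```

The two DoS-relevant decisions are that the requested size is capped rather than trusted and that a client-chosen offset has a ceiling, while a token the server itself issued can carry any cursor because its HMAC proves the server minted it. Which fields exist per type, and the exact limit values, are for the spec text to settle; the shape of the check is what the notes call for.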