[Openid-specs-authzen] Notes from today's call

David Brossard david.brossard at gmail.com
Tue Mar 18 19:03:47 UTC 2025


Hi everyone,

First of all a warm welcome to 2 new (but familiar) faces:

   - Jeff Lombardo from AWS
   - Mat Hamlin from SGNL

Here's the link to the notes:
https://hackmd.io/@oidf-wg-authzen/wg-meeting-20250318

We also agreed to have breakout sessions to go over Jeff's issues in GH.
We'll send out times on the mailing list.

David

Meeting Notes 2025-03-18

Attendees

   - JF Lombardo
   - Alex Babeanu
   - Julio Auto De Medeiros
   - Victor Lu
   - Gerry Gebel
   - Ravi Erakulla
   - David Brossard
   - Mat Hamlin
   - Shannon Roddy
   - Alex Olivier

Agenda

   - Gartner IAM Interop
      - Datasheet review in Google Docs
      <https://docs.google.com/document/d/1jPkG9jBrS4cRq3cvw474vwrM_1X7Q0blCalVJlHftiw/edit?tab=t.0#heading=h.jk384qcfyhkp>
      - Signs template
      <https://docs.google.com/presentation/d/1dDspGqmWrHRDp49z7k4rdiSmg_6z1LBfiFETfOS9Umw/edit?slide=id.p#slide=id.p>
      - Contribution agreement
      <https://openid.net/intellectual-property/openid-foundation-contribution-agreements/>
   - Goals for EIC Interop
      - Partial evaluation
      - Search API
   - AOB?

Notes

Partial evaluation

   - Goal: EIC interop
   - No update from Axiomatics' side
   - AWS is onboard with partial evaluation
   - The current group is: Vladi (PlainID), Michel (VNG), and David
   (Axiomatics).
   - Schedule call after Gartner to pick up the work. Sync up with Jeff
   Lombardo (AWS) to determine AWS contribution.
   - Material
      - Current draft: https://hackmd.io/@oidf-wg-authzen/HkLiZVdb1l
      - Feedback:
      https://hackmd.io/@oidf-wg-authzen/partial-evaluation-axio-feedback
      - Additional material: https://hackmd.io/@oidf-wg-authzen/Syg0dHYsYyl

Search API

   - Search API draft
      - Action Search API <https://hackmd.io/@oidf-wg-authzen/S1RmIUFF1e>
      - Search API <https://hackmd.io/@oidf-wg-authzen/ByeaUn3vyg>
   - Question: how do we expect the search API to react to relationships
   between entities?

Negative Testing

   - The interop only has happy paths
   - We need to include tests that cover errors
      - Invalid requests
      - Overly large requests
   - Other testing
      - Via Search
      - Via Partial Evaluation
   - Generally we test "discretely".
      - Can Alice view item 123?
   - What if we wanted to test negatively?
      - Is there any way Alice can view item 123?
      - How can Alice NOT view item 123?
   - When Search and Partial Evaluation are out, we need to verify how they
   can help us build new tests.
   - Can we generate test cases from schemas?
      - If we know we have 5 roles and 10 object types and 3 actions, we
      could generate a matrix of tests. This is somewhat outside the scope of
      AuthZEN for now.

Discovery Endpoint

   - We need to start working on the discovery endpoint (See roadmap
   <https://hackmd.io/@oidf-wg-authzen/roadmap>)

Security Testing

   - Alex (Indykite) talked to the OIDF security test folks at OSW

Hi All,
So Tim, Pedram and I just had a chat, the conclusion of which was that
since AuthZen is just essentially a payload format for a communication
protocol, there is no inherent security risk to consider. Whatever security
testing would be performed would actually test the communication fwk, not
really Authzen itself.
Ralf will provide the final answer and follow-up, just wanted to keep this
thread updated with the latest.
Cheers, Alex

Ralf later confirmed

a security analysis of Authzen does not seem to make sense.

And Gail confirmed we're good to proceed to standardization.

Github issues

   - https://github.com/openid/authzen/issues/250
      - deny_on_first_deny and permit_on_first_permit examples are
      cumbersome #250
      - We need to restructure the response format because at the moment
      the response size is not guaranteed, given that we return all the
      decisions that were hit. Instead we should either return MAX decisions,
      MAX being the number of boxcarred requests, or just 1 (the overriding
      decision).

{
  "evaluations": [
    {
      "decision": true
    },
    {
      "decision": false,
      "context": {
        "id": "200",
        "reason": "deny_on_first_deny"
      }
    }
  ]
}

The example above is flawed: it forces the PEP to iterate through all the
answers to work out that false is the overriding answer, because that is the
one that came from deny_on_first_deny.
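As an added illustration (not part of these notes or of the AuthZEN spec), a simulated PDP that produces the current response shape for a boxcarred batch, and the scan the PEP then has to do to find the overriding decision; the toy policy, sample requests and function names are constructed for this example.

```python
import json

# Constructed sample: the boxcarred response quoted in issue #250, with its
# keys quoted so that it parses as JSON.
ISSUE_250_RESPONSE = json.loads("""
{"evaluations": [
  {"decision": true},
  {"decision": false, "context": {"id": "200", "reason": "deny_on_first_deny"}}
]}
""")

# Constructed sample batch: Alice asks to view three items. The toy policy
# (not a real PDP) permits item 123 only.
SAMPLE_REQUESTS = [{"subject": "alice", "action": "view", "resource": r}
                   for r in ("123", "456", "789")]

def toy_policy(req):
    return req["subject"] == "alice" and req["resource"] == "123"

def pdp_evaluate_boxcar(requests, decide, option):
    """Simulated PDP side. Evaluates the batch in order and stops at the first
    decision that triggers the option, returning the evaluations in the
    current (criticised) shape: one entry per request reached, with the
    option's reason on the entry that stopped the batch. The list length
    depends on where the stop happened: the "size is not guaranteed" problem."""
    stop_on = option == "permit_on_first_permit"  # deny_on_first_deny stops on False
    evaluations = []
    for req in requests:
        decision = decide(req)
        entry = {"decision": decision}
        if decision == stop_on:
            # "id" value carried over from the quoted example
            entry["context"] = {"id": "200", "reason": option}
            evaluations.append(entry)
            break
        evaluations.append(entry)
    return evaluations

def pep_overall_decision(response):
    """Simulated PEP side. The overriding decision sits at no fixed position,
    so the PEP must scan every evaluation for the one carrying the option's
    reason. Returns None when no option fired, i.e. every decision stands
    on its own."""
    for entry in response["evaluations"]:
        reason = entry.get("context", {}).get("reason")
        if reason in ("deny_on_first_deny", "permit_on_first_permit"):
            return entry["decision"]
    return None
```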

   - Next steps: schedule breakout sessions to go over the other issues

Upcoming Events

Confirmed

   - London Gartner IAM Interop
      - Tuesday, March 25, 2025 at 1PM, 2:45PM, and 4:30PM (GMT).
      - Italian Room
      - Session: Tuesday 11am
   - European Identity Conference
      - 11:40 Thursday May 8th
      - We also have a room like last year - details TBD
   - Identiverse
      - 1:30pm Tuesday June 3rd

Submissions

   - Authenticate 2025
   - EIC Awards Submission

Next week's call

   - Due to Gartner IAM, we will cancel next week's call