[Openid-specs-authzen] A question on resource identifiers for resources that do not exist yet
Mark Marciante
mark.marciante at leavittpartners.com
Thu May 8 19:43:59 UTC 2025
There are two separate permission sets here—and technically two different resource types. The first is the permission to “create” a specific type of resource (in this case a loan). The attributes that allow the grant would be a combination of person attributes (e.g. a manager) and the resource to be created (e.g. loan amount, state the loan is originated in, etc.). This is basically the “class” of resource that needs authorization. This is a different permission set than acting on an existing loan, which would be based on whether that specific person is allowed to manage the loan—essentially the actual resource itself. They are related, but not the same. I’m still getting familiar with this specification, but would think that the “create” action for a class of resource and the “update” action of a specific instance of that resource would be different.
Mark Marciante | Director, Digital Health | Leavitt Partners | (410) 487-5336 (cell) | (202) 439-8578 (work) | mark.marciante at leavittpartners.com | www.leavittpartners.com
From: Openid-specs-authzen <openid-specs-authzen-bounces at lists.openid.net> On Behalf Of Lombardo, Jeff via Openid-specs-authzen
Sent: Thursday, May 8, 2025 2:23 PM
To: AuthZEN Working Group List <openid-specs-authzen at lists.openid.net>
Cc: Lombardo, Jeff <jeffsec at amazon.com>
Subject: Re: [Openid-specs-authzen] A question on resource identifiers for resources that do not exist yet
It is a real life use case and yes it can be bound by a lot of constraints other than amount.
By the way, it fits the API GW testing case where I check if you can POST on /loan with a body payload… before talking to the backend that could do other checks.
Jean-François “Jeff” Lombardo | Amazon Web Services
Principal Solution Architect, Security Specialist - Montréal, Canada
Mobile: 514.778.5565
From: Openid-specs-authzen <openid-specs-authzen-bounces at lists.openid.net> On Behalf Of David Hyland via Openid-specs-authzen
Sent: May 8, 2025 8:33 AM
To: AuthZEN Working Group List <openid-specs-authzen at lists.openid.net>
Cc: David Hyland <Dave at mydigitalid.info>
Subject: RE: [EXT] [Openid-specs-authzen] A question on resource identifiers for resources that do not exist yet
You do have a resource ID - it’s the product id. The amount may be a condition of the product type - determined by the product id. But I really don’t think this would actually be a real life check as there would be a pile of other criteria including the customer, term and other loan optionality that would be customer based.
dh
________________________________
From: Openid-specs-authzen <openid-specs-authzen-bounces at lists.openid.net> on behalf of Allan via Openid-specs-authzen <openid-specs-authzen at lists.openid.net>
Sent: Thursday, May 8, 2025 2:13:34 PM
To: AuthZEN Working Group List <openid-specs-authzen at lists.openid.net>
Cc: Allan <allan at macguru.com>
Subject: Re: [Openid-specs-authzen] A question on resource identifiers for resources that do not exist yet
well it does bring up the rather interesting case of create
create doesn't have a resource ID
allan
On Thursday, May 08, 2025 at 12:58, Andres Aguiar via Openid-specs-authzen <openid-specs-authzen at lists.openid.net> wrote:
Couldn't the resource be a higher level entity? e.g. the Region? the customer? the bank branch? If it's B2B, the organization?
On Thu, May 8, 2025 at 7:46 AM Andrew Clymer via Openid-specs-authzen <openid-specs-authzen at lists.openid.net> wrote:
Sounds to me that resource Id shouldn't be mandatory, or that the resource Id is for the collection of loans. Passing a resource ID of 0 works, but that just feels like a magic value.
Andy
________________________________
From: Openid-specs-authzen <openid-specs-authzen-bounces at lists.openid.net> on behalf of Allan via Openid-specs-authzen <openid-specs-authzen at lists.openid.net>
Sent: 08 May 2025 11:40
To: AuthZEN Working Group List <openid-specs-authzen at lists.openid.net>
Cc: Allan <allan at macguru.com>
Subject: Re: [Openid-specs-authzen] A question on resource identifiers for resources that do not exist yet
hmmm
surely customer is part of the resource? and a create can simply use a resource ID of 0 or -1, or null
allan
On Thursday, May 08, 2025 at 12:34, David Brossard via Openid-specs-authzen <openid-specs-authzen at lists.openid.net> wrote:
Hi all,
Interesting use case from EIC: I want to write a policy that determines how a loan-to-be can be created.
Managers can create a loan for a customer in their region up to their max allowed amount for the employee (and/or customer).
The request would then be:
* Can Alice the employee create loan with amount 1234?
In this type of request, because the loan hasn't been created we do not have a loan ID or resource ID. But, because AuthZEN makes the resource ID mandatory in the evaluation API, what approach do we want to recommend?
David
--
Openid-specs-authzen mailing list
Openid-specs-authzen at lists.openid.net
https://lists.openid.net/mailman/listinfo/openid-specs-authzen
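Added example, not part of the thread and not the AuthZEN spec's own code or a working-group recommendation: a toy policy decision point that takes the two kinds of request the thread contrasts (a "create" against the class of loans, and an "update" against one existing loan) in the subject / resource / action shape of the AuthZEN evaluation request, keeps resource.id mandatory as the spec does, and answers the "can Alice create a loan with amount 1234?" question from the original post. The employee and customer attributes, the property names, and the convention of sending the loan collection id ("loans") as resource.id for a create are all assumptions made for this illustration; the PIP data is constructed.

```python
"""Toy AuthZEN-style PDP for the loan-creation question in this thread.

Added example. The request shape (subject / resource / action, each with
type / id and optional properties) follows the AuthZEN evaluation request;
the policy, the attribute names and the use of the collection id for a
"create" are assumptions for illustration, not spec text.
"""

# Constructed PIP data: employees, customers and the loans that already exist.
EMPLOYEES = {
    "alice": {"role": "manager", "region": "east", "max_loan_amount": 5000},
    "bob":   {"role": "clerk",   "region": "east", "max_loan_amount": 0},
}
CUSTOMERS = {
    "cust-1": {"region": "east"},
    "cust-2": {"region": "west"},
}
LOANS = {
    "loan-42": {"owner": "alice", "customer": "cust-1", "amount": 1000},
}

# Assumed convention: a create request names the collection, not an instance,
# so resource.id is still present (the spec makes it mandatory) but is not
# a magic value such as 0 or -1.
LOAN_COLLECTION_ID = "loans"


def _require(req, path):
    """Walk a dotted path in the request; raise if a required field is absent."""
    cur = req
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            raise ValueError(f"missing required field {path!r}")
        cur = cur[key]
    return cur


def evaluate(req):
    """Return an AuthZEN-shaped decision ({"decision": bool}) for one request."""
    subject_id = _require(req, "subject.id")
    resource_type = _require(req, "resource.type")
    resource_id = _require(req, "resource.id")
    action = _require(req, "action.name")
    props = req["resource"].get("properties", {})

    if resource_type != "loan":
        return {"decision": False}
    employee = EMPLOYEES.get(subject_id)
    if employee is None:
        return {"decision": False}

    if action == "create":
        # Permission set 1: may this employee create a loan of this class?
        # The attributes of the loan-to-be travel in resource.properties.
        if resource_id != LOAN_COLLECTION_ID:
            return {"decision": False}
        amount = props.get("amount")
        customer = CUSTOMERS.get(props.get("customer"))
        if amount is None or customer is None:
            return {"decision": False}
        ok = (employee["role"] == "manager"
              and customer["region"] == employee["region"]
              and 0 < amount <= employee["max_loan_amount"])
        return {"decision": ok}

    if action == "update":
        # Permission set 2: may this employee act on this specific loan?
        loan = LOANS.get(resource_id)
        return {"decision": loan is not None and loan["owner"] == subject_id}

    return {"decision": False}


def create_request(subject_id, customer, amount):
    """Build the evaluation request for a loan that does not exist yet."""
    return {
        "subject": {"type": "user", "id": subject_id},
        "resource": {"type": "loan", "id": LOAN_COLLECTION_ID,
                     "properties": {"customer": customer, "amount": amount}},
        "action": {"name": "create"},
    }


def update_request(subject_id, loan_id):
    """Build the evaluation request for an existing loan instance."""
    return {
        "subject": {"type": "user", "id": subject_id},
        "resource": {"type": "loan", "id": loan_id},
        "action": {"name": "update"},
    }


if __name__ == "__main__":
    print(evaluate(create_request("alice", "cust-1", 1234)))  # {'decision': True}
    print(evaluate(create_request("alice", "cust-1", 9000)))  # over max amount
    print(evaluate(create_request("alice", "cust-2", 100)))   # customer outside region
    print(evaluate(create_request("bob", "cust-1", 100)))     # not a manager
    print(evaluate(update_request("alice", "loan-42")))       # {'decision': True}
    print(evaluate(update_request("bob", "loan-42")))         # not the owner
```

The point of keeping the two branches separate is the one made above: the create decision is computed entirely from subject attributes and the properties of the loan-to-be, while the update decision looks up the instance by its id. A create request that carries a specific loan id, or a request with no resource.id at all, is refused rather than silently treated as one of the two cases.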