[Openid-specs-authzen] notes from Sep 4
gerry gebel
ggebel at gmail.com
Fri Sep 5 01:52:04 UTC 2025
Attendees
- Alex Babaenu
- Wei
- Vladi Berger
- Gerry Gebel
- Elie Azerad
- Michiel Trimpe
- Roland Baum
- Edmund Jay
- Alex Olivier
- David Brossard
- Julio Auto De Medeiros
- Vatsal Gupta
- Travis Farrell
Agenda
- Gartner interop use cases
- Pull requests - 3 new ones
- Issues list
Notes

Pull requests
- 366: A robust discussion on pagination. We did not come to a conclusion on this topic as some of the key commenters (Omri or Gert) were not available.
- 361: Adding optional signature to access response. This was updated and approved during the call.
Gartner
- Speaking session:
  - Title: Extend your Identity Providers with OpenID AuthZEN, achieve fine-grained authorization, and enable Zero Trust
  - Abstract: A year ago, we introduced Gartner attendees to a new standard, OpenID AuthZEN, that promised to establish a standard for fine-grained authorization. A year later and two interops later, we're happy to report that the draft is nearing final specification and that we have completed 3 new interops focusing on API gateways, the AuthZEN Search API, and IdP integrations.
    With AuthZEN, IAM teams can confidently externalize and standardize authorization across their application estate without being locked into a proprietary API. Gone are the days of incomplete authorization and gaps in access control logic. With OpenID AuthZEN we are closer to enabling the Zero Trust Enterprise.
    This session will review the progress achieved in the past twelve months, highlight the milestones, and demo the latest integrations.
  - Speakers: request that Homan be moderator like last time and add Alex Olivier as co-speaker.
Interop
- IdP - AuthZEN PDP integration
  - What will the 'demo' look like? What's the outcome? How do we illustrate that a token has been issued or enriched?
  - 3 integrations
    - *token issuance*: IdP uses evaluation to ask whether a token can be issued for a user altogether
    - *token enrichment*: IdP uses evaluations to ask which claims/scopes of a well-known list should be inserted inside the token that is about to be issued
    - *token enrichment*: IdP uses search to determine which claims/scopes to insert inside the token that is about to be issued. This is functionally the same as the previous use case
    - *Step-up authentication*: call the IdP to determine whether the token should be issued and inspect the context object in the response to determine whether MFA is needed.
- Dedicated meeting Friday 9/5 at 3pm CET/6am PT
- We will use the usual Zoom bridge from the weekly call
https://zoom.us/j/92150123981?pwd=YnhuSXNxU2w4Z3VGc3lrUjRNSTBUZz09
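The three IdP integration patterns above (gate issuance with a single evaluation, enrich from a well-known scope list with batched evaluations or with search, and read a step-up signal out of the response context) as one runnable sketch. This is an added example, not code from the AuthZEN working group or from any of the vendors at the interop. The request and response shapes (subject/resource/action/context in; decision plus optional context out; a batched "evaluations" array; a resource search answering with "results") follow my reading of the AuthZEN drafts and are not taken from these notes; the in-memory PDP stub, its policy data, the scope list and the "mfa_required" context key are all assumptions made for the demo.

```python
"""IdP-side use of an AuthZEN-style PDP for token issuance, enrichment and step-up.

Added example, not working-group or vendor code. Request/response shapes follow
my reading of the AuthZEN drafts; the PDP is an in-memory stub and the policy
data, scope list and "mfa_required" context key are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed policy data standing in for a real PDP backend (assumption).
_USER_ROLES = {"alice": {"user", "finance"}, "bob": {"user"}, "mallory": set()}
_SCOPE_ROLE = {"openid": "user", "profile": "user",
               "invoices:read": "finance", "invoices:approve": "finance"}
_STEP_UP_SCOPES = {"invoices:approve"}          # scopes that need an MFA-backed session
WELL_KNOWN_SCOPES = list(_SCOPE_ROLE)            # the IdP's candidate list for enrichment


def pdp_evaluate(request: dict) -> dict:
    """Stub for the single Access Evaluation call: {"decision": bool, "context": {...}}."""
    roles = _USER_ROLES.get(request["subject"]["id"], set())
    resource, action = request["resource"], request["action"]["name"]
    if resource["type"] == "token" and action == "issue":
        return {"decision": bool(roles), "context": {}}  # no roles at all: no token
    if resource["type"] == "scope" and action == "grant":
        scope = resource["id"]
        allowed = _SCOPE_ROLE.get(scope) in roles
        ctx = {}
        # Signal step-up through the response context rather than denying outright.
        if allowed and scope in _STEP_UP_SCOPES and request.get("context", {}).get("acr") != "mfa":
            ctx["mfa_required"] = True
        return {"decision": allowed, "context": ctx}
    return {"decision": False, "context": {}}


def pdp_evaluations(batch: dict) -> dict:
    """Stub for the batched call: top-level subject/context are defaults for each entry."""
    results = []
    for item in batch["evaluations"]:
        merged = {"subject": batch["subject"], "context": batch.get("context", {}), **item}
        results.append(pdp_evaluate(merged))
    return {"evaluations": results}


def pdp_resource_search(request: dict) -> dict:
    """Stub for resource search: which 'scope' resources may this subject be granted?"""
    roles = _USER_ROLES.get(request["subject"]["id"], set())
    return {"results": [{"type": "scope", "id": s}
                        for s, role in _SCOPE_ROLE.items() if role in roles]}


@dataclass
class TokenDecision:
    issued: bool
    scopes: List[str]
    step_up_required: bool
    reason: str


def issue_token(user: str, requested_scopes: List[str], acr: Optional[str] = None) -> TokenDecision:
    """The IdP's issuance path: gate, enrich, then check for a step-up signal."""
    subject = {"type": "user", "id": user}
    context = {"acr": acr} if acr else {}

    # 1. Token issuance: may a token be issued for this user at all?
    gate = pdp_evaluate({"subject": subject, "resource": {"type": "token", "id": "access_token"},
                         "action": {"name": "issue"}, "context": context})
    if not gate["decision"]:
        return TokenDecision(False, [], False, "issuance denied by PDP")

    # 2. Token enrichment: one question per requested scope from the well-known list.
    candidates = [s for s in WELL_KNOWN_SCOPES if s in requested_scopes]
    batch = {"subject": subject, "context": context,
             "evaluations": [{"resource": {"type": "scope", "id": s}, "action": {"name": "grant"}}
                             for s in candidates]}
    results = pdp_evaluations(batch)["evaluations"]
    granted = [s for s, r in zip(candidates, results) if r["decision"]]

    # 3. Step-up: a permitted scope whose response context asks for MFA blocks issuance for now.
    if any(r["context"].get("mfa_required") for r in results if r["decision"]):
        return TokenDecision(False, granted, True, "MFA required before issuance")
    return TokenDecision(True, granted, False, "issued")


def enrich_by_search(user: str) -> List[str]:
    """Enrichment via search: let the PDP list the grantable scopes instead of asking one by one."""
    found = pdp_resource_search({"subject": {"type": "user", "id": user},
                                 "action": {"name": "grant"}, "resource": {"type": "scope"}})
    return [r["id"] for r in found["results"]]


if __name__ == "__main__":
    print(issue_token("alice", ["openid", "invoices:read"]))
    print(issue_token("alice", ["openid", "invoices:approve"]))
    print(issue_token("alice", ["openid", "invoices:approve"], acr="mfa"))
    print(issue_token("mallory", ["openid"]))
    print(enrich_by_search("bob"))
```

Scopes outside the well-known list are never sent to the PDP, so an unknown requested scope is dropped silently rather than granted by default; that is the point of enriching from a fixed list. Swapping the stubs for HTTP calls to a real PDP leaves the IdP logic unchanged, which is what makes the four patterns demonstrable in an interop.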
Certification Tests
- Someone in the AuthZEN group needs to start writing the criteria for the certification test suite that Edmund and team can then use to create the formal suite.
  - Define requirements per endpoint
  - Define mandatory endpoints
  - Define valid payloads and responses
- Check with Atul from Shared Signals to see how they defined acceptance tests for their endpoints.
  - See also https://openid.net/certification/
- Check with Mike Jones re. certification process for OpenID Connect and FAPI profiles
  - See also this example <https://openid.net/wordpress-content/uploads/2018/06/OpenID-Connect-Conformance-Profiles.pdf> (OpenID Connect Conformance Profiles).
- Certification testing covers both client (PEP) and server (PDP).
- Alex O. will take a stab