[Openid-specs-authzen] Notes from Thursday's call

David Brossard david.brossard at gmail.com
Fri Sep 5 07:26:18 UTC 2025


Dear all,

Thanks to those who attended the call yesterday. Here are the notes
<https://hackmd.io/@oidf-wg-authzen/wg-meeting-20250904>.
Pull requests

   - 366: A robust discussion on pagination. We did not come to a
   conclusion on this topic as some of the key commenters (Omri or Gert) were
   not available.
   - 361: Adding optional signature to access response. This was updated
   and approved during the call.

Gartner

   - Speaking session:
      - Title: Extend your Identity Providers with OpenID AuthZEN, achieve
      fine-grained authorization, and enable Zero Trust
      - Abstract: A year ago, we introduced Gartner attendees to a new
      standard, OpenID AuthZEN, that promised to establish a standard for
      fine-grained authorization. A year later and two interops later, we're
      happy to report that the draft is nearing final specification and that
      we have completed 3 new interops focusing on API gateways, the AuthZEN
      Search API, and IdP integrations.

      With AuthZEN, IAM teams can confidently externalize and standardize
      authorization across their application estate without being locked in
      to a proprietary API. Gone are the days of incomplete authorization and
      gaps in access control logic. With OpenID AuthZEN we are closer to
      enabling the Zero Trust Enterprise.

      This session will review the progress achieved in the past twelve
      months, highlight the milestones, and demo the latest integrations.
      - Speakers: request that Homan be moderator like last time and add Alex
      Olivier as co-speaker.

Interop

   - IdP - AuthZEN PDP integration
   - What will the 'demo' look like? What's the outcome? How do we
   illustrate that a token has been issued or enriched?
   - 3 integrations
      - *token issuance*: IdP uses evaluation to ask whether a token can be
      issued for a user altogether
      - *token enrichment*: IdP uses evaluations to ask which claims/scopes
      of a well-known list should be inserted inside the token that is about to
      be issued
      - *token enrichment*: IdP uses search to determine which
      claims/scopes to insert inside the token that is about to be issued. This
      is functionally the same as the previous use case
      - *Step-up authentication*: call the IdP to determine whether the
      token should be issued and inspect the context object in the response to
      determine whether MFA is needed.
   - Dedicated meeting Friday 9/5 at 3pm CET/6am PT
      - We will use the usual Zoom bridge from the weekly call
      https://zoom.us/j/92150123981?pwd=YnhuSXNxU2w4Z3VGc3lrUjRNSTBUZz09

Certification Tests

   - Someone in the AuthZEN group needs to start writing the criteria for
   the certification test suite that Edmund and team can then use to create
   the formal suite.
      - Define requirements per endpoint
      - Define mandatory endpoints
      - Define valid payloads and responses
   - Check with Atul from Shared Signals to see how they defined acceptance
   tests for their endpoints.
   - See also https://openid.net/certification/
   - Check with Mike Jones re. certification process for OpenID Connect and
   FAPI profiles
   - See also this example
   <https://openid.net/wordpress-content/uploads/2018/06/OpenID-Connect-Conformance-Profiles.pdf>
   (OpenID Connect Conformance Profiles).
   - Certification testing covers both client (PEP) and server (PDP).
   - Alex O. will take a stab.
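
The IdP integrations listed under Interop (issuance, enrichment, step-up), sketched as one added Python example. This is not code from the working group or from the notes' author. The in-process PDP, its policy data, the well-known scope list and the "mfa_required" key in the response context are constructed for illustration; the request and response shapes follow the AuthZEN Access Evaluation API (POST /access/v1/evaluation) and Evaluations API (POST /access/v1/evaluations). The search-based enrichment variant is left out, since the notes call it functionally the same as the Evaluations-based one.

```python
"""In-process sketch of the IdP <-> AuthZEN PDP integrations from the notes.

Constructed example, not AuthZEN WG code.  Request/response shapes follow the
AuthZEN Access Evaluation API (POST /access/v1/evaluation) and Evaluations API
(POST /access/v1/evaluations).  The policy data, the scope list and the
"mfa_required" key in the response context are assumptions made here; the
draft leaves the response context free-form.
"""

# --- Constructed PDP policy data ------------------------------------------
ALLOWED_USERS = {"alice@example.com", "bob@example.com"}   # may get a token at all
ENTITLEMENTS = {                                           # scopes each user may hold
    "alice@example.com": {"openid", "profile", "email", "admin"},
    "bob@example.com": {"openid", "profile"},
}
STEP_UP_SCOPES = {"admin"}   # holding one of these requires MFA on the session

# The IdP's well-known list of candidate scopes for token enrichment (constructed).
WELL_KNOWN_SCOPES = ["openid", "profile", "email", "admin"]


def pdp_evaluation(req: dict) -> dict:
    """PDP side of /access/v1/evaluation: one subject/action/resource -> decision."""
    subject = req["subject"]["id"]
    action = req["action"]["name"]
    ctx = req.get("context", {})
    if action == "issue_token":
        if subject not in ALLOWED_USERS:
            return {"decision": False}
        # Step-up: privileged users get a token only from an MFA-backed session.
        # Denial plus context tells the IdP why, so it can prompt for MFA and retry.
        if ENTITLEMENTS[subject] & STEP_UP_SCOPES and "mfa" not in ctx.get("amr", []):
            return {"decision": False, "context": {"mfa_required": True}}
        return {"decision": True}
    if action == "include_scope":
        return {"decision": req["resource"]["id"] in ENTITLEMENTS.get(subject, set())}
    return {"decision": False}   # unknown action: deny by default


def pdp_evaluations(req: dict) -> dict:
    """PDP side of /access/v1/evaluations: top-level fields are defaults, each
    entry in "evaluations" overrides them; decisions come back in request order."""
    defaults = {k: req[k] for k in ("subject", "resource", "action", "context") if k in req}
    return {"evaluations": [pdp_evaluation({**defaults, **item}) for item in req["evaluations"]]}


def idp_issue_token(user: str, amr: list[str]) -> dict:
    """IdP side: issuance check, then enrichment, with step-up signalled via context."""
    subject = {"type": "user", "id": user}
    issue = pdp_evaluation({
        "subject": subject,
        "resource": {"type": "token", "id": "id_token"},
        "action": {"name": "issue_token"},
        "context": {"amr": amr},           # how the user authenticated so far
    })
    if not issue["decision"]:
        if issue.get("context", {}).get("mfa_required"):
            return {"status": "step_up"}   # IdP should run MFA and call again
        return {"status": "denied"}

    # Enrichment: one Evaluations call asks about every candidate scope at once.
    enrich = pdp_evaluations({
        "subject": subject,
        "action": {"name": "include_scope"},
        "evaluations": [{"resource": {"type": "scope", "id": s}} for s in WELL_KNOWN_SCOPES],
    })
    granted = [s for s, r in zip(WELL_KNOWN_SCOPES, enrich["evaluations"]) if r["decision"]]
    return {"status": "issued", "token": {"sub": user, "scope": " ".join(granted), "amr": amr}}


if __name__ == "__main__":
    for user, amr in [("carol@example.com", ["pwd"]), ("alice@example.com", ["pwd"]),
                      ("alice@example.com", ["pwd", "mfa"]), ("bob@example.com", ["pwd"])]:
        print(user, amr, "->", idp_issue_token(user, amr))
```

Over the wire each of these calls is a JSON POST to the PDP; the PEP here is the IdP itself. Returning a denial together with a context object, rather than a bare false, is what lets the IdP distinguish "never" from "not without MFA", which is the step-up pattern the notes describe.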