[Openid-specs-authzen] Last-minute change

Lombardo, Jeff jeffsec at amazon.com
Fri Sep 5 21:15:31 UTC 2025


Thanks for the notes. Sorry again, I could not meet due to plane cancellation and rebooking.

Here are some offline comments for Scenario 1/ issuance:


  *   I understand that AuthZEN does not want to define PDP implementation, but I think a light data model on the AuthZEN representation of the relation between a user, a client, a scope, and a claim would be useful to understand the best structure for the request.
  *   Issuance of a full token set or a specific subset of the token set can be dependent on multiple factors including but not limited to:
     *   OAuth2 Grant flow type
     *   Usage of dedicated extension (PKCE, DPoP)
     *   Type of client credentials used
  *   In your example
{
  "subject": {
    "type": "user",
    "id": "alice@example.com",
    "properties": {
      "role": "employee"
    }
  },
  "resource": {
    "type": "client",
    "id": "client-id"
  },
  "action": {
    "name": "access"
  }
}


     *   This would only allow issuance if the question is explicitly about “issuing an access token”, which implies that the PEP needs to do, potentially depending on the situation, up to 3 requests: one for the id token, one for the access token, and one for the refresh token. And to have up to 3 policies per client to match each request.
        *   Is that the expected outcome?
        *   Would a request in the following form provide better capabilities?
{
 "subject": {
    "type": "user",
    "id": "alice@example.com",
    "properties": {
      "role": "employee"
    }
  },
  "resource": {
    "type": "client",
    "id": "client-id",
     "properties": {
       "tokenTypes": [ "access", "id" ]
     }
  },
  "action": {
    "name": "issue"
  }
}

        *   Or even matching the claim issuance example?
{
  "subject": {
    "type": "user",
    "id": "alice@example.com",
    "properties": {
      "role": "employee"
    }
  },
  "evaluations": [
    {
      "resource": {
        "type": "client",
        "id": "client-id",
        "properties": { "tokenType": "access" }
      },
      "action": { "name": "issue" }
    },
    {
      "resource": {
        "type": "client",
        "id": "client-id",
        "properties": { "tokenType": "refresh" }
      },
      "action": { "name": "issue" }
    }
  ]
}


        *   This would allow matching conditions that permit multiple token types while the request might be focused on a specific one. It also rationalizes the action on the specific one required here, which is “issue”. This also fits better with the scenario 2/ Token Enrichment (Claim Insertion), where the action is “issue” too.



  *   For support of:
     *   OAuth2 Grant flow type
     *   Usage of dedicated extension (PKCE, DPoP)
     *   Type of client credentials used
     *   I would suggest, either through properties of resource or context, that this profile describe reserved attribute names to pass the information to the PDP.

Jeff



Jean-François “Jeff” Lombardo | Amazon Web Services

Principal Solution Architect, Security Specialist
Montréal, Canada
+1 514 778 5565

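To make the shape of the proposal above concrete, here is an added example (my own code, not part of Jeff's mail or of the AuthZEN profile) of what an authorization-server PEP could do with it: one AuthZEN evaluations request carrying one "issue" evaluation per requested token type, with the grant flow, PKCE/DPoP usage and client authentication method passed as context attributes. The reserved context attribute names (grant_type, pkce_used, dpop_used, client_auth_method) are assumed for illustration, as is the response shape of one decision per evaluation in request order; the PEP fails closed whenever decisions cannot be paired with token types.

```python
import json

# Assumed reserved context attribute names; the profile has not defined them yet.
RESERVED_CONTEXT_KEYS = ("grant_type", "pkce_used", "dpop_used", "client_auth_method")


def build_issue_request(subject_id, subject_props, client_id, token_types, context):
    """Build one AuthZEN evaluations request with one 'issue' evaluation per token type."""
    unknown = set(context) - set(RESERVED_CONTEXT_KEYS)
    if unknown:
        raise ValueError(f"unexpected context keys: {sorted(unknown)}")
    return {
        "subject": {"type": "user", "id": subject_id, "properties": dict(subject_props)},
        "context": dict(context),
        "evaluations": [
            {
                "resource": {"type": "client", "id": client_id,
                             "properties": {"tokenType": t}},
                "action": {"name": "issue"},
            }
            for t in token_types
        ],
    }


def tokens_to_issue(request, response):
    """Return the token types the PDP permitted, in request order; fail closed on any mismatch."""
    wanted = [e["resource"]["properties"]["tokenType"] for e in request["evaluations"]]
    results = response.get("evaluations")
    if not isinstance(results, list) or len(results) != len(wanted):
        return []  # decisions cannot be paired with token types: issue nothing
    return [t for t, r in zip(wanted, results) if r.get("decision") is True]


# Constructed sample: a public client on authorization code + PKCE asking for all three tokens.
SAMPLE_REQUEST = build_issue_request(
    "alice@example.com", {"role": "employee"}, "client-id",
    ["access", "id", "refresh"],
    {"grant_type": "authorization_code", "pkce_used": True, "dpop_used": False,
     "client_auth_method": "none"},
)
# Constructed PDP response (assumed shape): access and id permitted, refresh denied.
SAMPLE_RESPONSE = {"evaluations": [{"decision": True}, {"decision": True}, {"decision": False}]}

if __name__ == "__main__":
    print(json.dumps(SAMPLE_REQUEST, indent=2))
    print("issue:", tokens_to_issue(SAMPLE_REQUEST, SAMPLE_RESPONSE))
```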

From: Openid-specs-authzen <openid-specs-authzen-bounces at lists.openid.net> On Behalf Of gerry gebel via Openid-specs-authzen
Sent: September 5, 2025 9:55 AM
To: AuthZEN Working Group List <openid-specs-authzen at lists.openid.net>
Cc: gerry gebel <ggebel at gmail.com>
Subject: RE: [EXT] [Openid-specs-authzen] Last-minute change



Hi David

The notes are in this doc (https://hackmd.io/@oidf-wg-authzen/idp-integration) - thanks to Alex O!!!

We'd like to have another call to discuss the scenarios before the next weekly meeting and I'll get with you to schedule that.

Meanwhile, everyone - please review and add any pertinent comments.

Thanks,
Gerry

On Fri, Sep 5, 2025 at 5:48 AM David Brossard via Openid-specs-authzen <openid-specs-authzen at lists.openid.net> wrote:
Dear all,

Unfortunately I have a last-minute change. I will not be able to attend our meeting in 15mns. Gerry, can you take the lead and I will catch up with you after the call?

My apologies for the last minute change.

David.