[Openid-specs-authzen] Last-minute change
gerry gebel
ggebel at gmail.com
Mon Sep 8 21:58:09 UTC 2025
Omri -
We focused on the evaluations API call during this meeting and briefly
spoke about search. One aspect we (at least I) had not considered until now
was the location of data, whether authz data or identity data.
It seems to me that there will be at least two situations:
1) The IDP has all the identity and authz data
or
2) User data and authz data are split in some manner between IDP and PDP
When using the search API, it implies that the authz data resides with the
PDP - am I right in that understanding?
Therefore, we will need to be clear with participants regarding our
expectations on where identity and authz data are stored. We can
arbitrarily decide what the configuration should be, but I would like it to
be as closely aligned with real world scenarios as possible.
Gerry
On Fri, Sep 5, 2025 at 12:46 PM Omri Gazitt <omri at aserto.com> wrote:
> Thanks for the detailed notes!
>
> I’m surprised we’re not using the search API for the token enrichment
> scenario - I think a very common scenario is listing group membership in
> the token, and it would naturally complement the scenario described (which
> uses boxcarred evaluations).
>
> Is it because we are concerned about not enough implementations support
> search?
>
> Thanks,
> Omri.
>
> On Fri, Sep 5, 2025 at 6:55 AM gerry gebel via Openid-specs-authzen <
> openid-specs-authzen at lists.openid.net> wrote:
>
>> Hi David
>>
>> The notes are in this doc (
>> https://hackmd.io/@oidf-wg-authzen/idp-integration) - thanks to Alex O!!!
>>
>> We'd like to have another call to discuss the scenarios before the next
>> weekly meeting and I'll get with you to schedule that.
>>
>> Meanwhile, everyone - please review and add any pertinent comments.
>>
>> Thanks,
>> Gerry
>>
>> On Fri, Sep 5, 2025 at 5:48 AM David Brossard via Openid-specs-authzen <
>> openid-specs-authzen at lists.openid.net> wrote:
>>
>>> Dear all,
>>>
>>> Unfortunately I have a last-minute change. I will not be able to attend
>>> our meeting in 15 minutes. Gerry, can you take the lead and I will catch up with
>>> you after the call?
>>>
>>> My apologies for the last-minute change.
>>>
>>> David.
>>> --
>>> Openid-specs-authzen mailing list
>>> Openid-specs-authzen at lists.openid.net
>>> https://lists.openid.net/mailman/listinfo/openid-specs-authzen
>>>
>>
>