<div dir="ltr">Hi Scott,<div><br></div><div>Thanks for the input. I moved my email to a HackMD document so you (and others) can add your comments directly there: <a href="https://hackmd.io/@oidf-wg-authzen/pep-pdp-api-design-suggestions">https://hackmd.io/@oidf-wg-authzen/pep-pdp-api-design-suggestions</a></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Jan 23, 2024 at 10:55 AM Scott Guyer <<a href="mailto:scott.guyer@capitalone.com">scott.guyer@capitalone.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">My thoughts ... <br><br>1.2.1 agreed ... I believe this is how envoy proxy ext-authz filter (<a href="https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto#envoy-v3-api-msg-service-auth-v3-checkrequest" target="_blank">https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto#envoy-v3-api-msg-service-auth-v3-checkrequest</a>) works. Though, I can't speak exhaustively on how other PEPs work. Still the right call, IMO.<br><br>On 2 ... no opposition. I have questions from an operational perspective how to do "search" anyway. In my environment, I wouldn't want to burden the runtime cluster with what feels like an audit capability. But that likely would go in the patterns discussion. It's the kind of thing that could potentially be serviced by a PAP as well.<br><br>5.2 ... works for me.<br><br>Re: 3 and 4 ... not quite following yet. 
<br><br>Best,<div>-Scott</div><div><br><br><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Jan 23, 2024 at 12:27 AM David Brossard via Openid-specs-authzen <<a href="mailto:openid-specs-authzen@lists.openid.net" target="_blank">openid-specs-authzen@lists.openid.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Dear all,<div><br></div><div>Last week, it became apparent we need to start simple and low for the PEP-PDP API if we want to ship anything out and I'd like to propose a few principles:</div><div><ol><li>Keep transport and message separate</li><ol><li>The spec for what a request/response should look like should be decoupled from the underlying transport (HTTP or anything else)</li><li>As a result, nothing in the transport layer conveys any authZ meaning whatsoever</li><ol><li>For instance, 401/403 are indications you cannot use the authorization service. They don't convey anything about the request you sent or what the PDP (in the broad sense) would have said</li></ol></ol><li>Propose a first iteration of request/response that focuses exclusively on the easy "binary" yes/no use case</li><ol><li>No additional statements/obligations/advice</li><li>No batch</li><li>No search</li></ol><li>Propose a model that is largely attribute-based (where an attribute is a key-value pair)</li><li>Propose a model that follows the ALFA Subject/Action/Resource/Environment or the Cedar Principal/Action/Resource/Context</li><li>Publish the results using a standardized schema</li><ol><li>In the WS-* days of yore, it would have been WSDL</li><li>For us, would OpenAPI be good enough?</li></ol></ol><div>So with that being said, should we have a request that looks like the following:</div><div><ul><li>Made up of 4 objects of the same type (e.g. 
Category to use ALFA parlance):</li><ul><li>Subject, Action, Resource, Context</li><li>If these objects are arrays of the said type, then we are paving the way for batch requests</li></ul><li>Each of these objects contains an array of attributes e.g. key-value pairs</li><ul><li>The attributes could be primitive types e.g. string, double, boolean</li><li>The attributes could be complex e.g. a JSON payload</li></ul></ul><div>The response should simply be the decision itself:</div></div><div><ul><li>Permit/Deny</li><ul><li>Again, if we want to plan ahead and think of batch requests then the response should be an array rather than an object.</li></ul><li>Optionally the list of identifiers of things (policies) used in the decision-making process</li></ul></div><div>Thoughts?</div></div></div>
-- <br>
Openid-specs-authzen mailing list<br>
<a href="mailto:Openid-specs-authzen@lists.openid.net" target="_blank">Openid-specs-authzen@lists.openid.net</a><br>
<a href="https://lists.openid.net/mailman/listinfo/openid-specs-authzen" rel="noreferrer" target="_blank">https://lists.openid.net/mailman/listinfo/openid-specs-authzen</a> <br>
</blockquote></div>
</blockquote></div><br clear="all"><div><br></div><span class="gmail_signature_prefix">-- </span><br><div dir="ltr" class="gmail_signature"><div dir="ltr">---<br>David Brossard<br><a href="http://www.linkedin.com/in/davidbrossard" target="_blank">http://www.linkedin.com/in/davidbrossard</a><br><a href="http://twitter.com/davidjbrossard" target="_blank">http://twitter.com/davidjbrossard</a><br><a href="http://about.me/brossard" target="_blank">http://about.me/brossard</a><br>---<br>Stay safe on the Internet: <a href="https://www.capefearnetworks.com/wp-content/uploads/2017/05/Internet-Fraud-Prevention-Tips-IC3.pdf" target="_blank">IC3 Prevention Tips</a><br>Prenez vos précautions sur Internet: <a href="http://www.securite-informatique.gouv.fr/gp_rubrique34.html" target="_blank">http://www.securite-informatique.gouv.fr/gp_rubrique34.html</a></div></div>
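<div>Added example, not code from this thread or from the AuthZEN working group: a toy PEP/PDP exchange in the request/response shape proposed in the quoted message (four categories, each an array of key-value attributes; a bare Permit/Deny response with an optional list of policy identifiers; arrays so the same shape can carry a batch), together with the PEP-side handling that keeps transport and message separate. Every name here (<code>make_request</code>, <code>evaluate</code>, <code>pep_decide</code>, the policy ids and the sample attributes) is a hypothetical illustration and the sample request is constructed, not a captured message.</div>

```python
# Added example, not code from the AuthZEN thread or the working group's
# spec: a toy PEP/PDP exchange in the shape proposed in the thread. Every
# name here (make_request, evaluate, pep_decide, the policy ids and the
# sample attributes) is a hypothetical illustration, not a wire format.
import json


def attr(key, value):
    """One attribute as a key-value pair, the unit every category is built from."""
    return {"key": key, "value": value}


def make_request(subject, action, resource, context):
    """Build a request from plain dicts: four categories (ALFA
    Subject/Action/Resource/Environment, Cedar Principal/Action/Resource/
    Context), each an array of attributes so the shape extends to batch."""
    categories = (("subject", subject), ("action", action),
                  ("resource", resource), ("context", context))
    return {name: [attr(k, v) for k, v in cat.items()] for name, cat in categories}


def as_dict(category):
    """Collapse [{key, value}, ...] into a dict; a repeated key keeps the last value."""
    return {a["key"]: a["value"] for a in category}


# Constructed sample request (not a captured message).
SAMPLE_REQUEST = make_request(
    subject={"id": "alice", "role": "analyst", "department": "fraud"},
    action={"name": "read"},
    resource={"type": "report", "owner_department": "fraud"},
    context={"mfa": True, "ip": "10.0.0.5"},
)

# Toy attribute-based policies: (policy id, effect, condition). The ids are
# what the optional "policies used" list in the response would carry.
POLICIES = [
    ("deny-without-mfa", "Deny",
     lambda s, a, r, c: not c.get("mfa", False)),
    ("admin-any-action", "Permit",
     lambda s, a, r, c: s.get("role") == "admin"),
    ("same-department-read", "Permit",
     lambda s, a, r, c: a.get("name") == "read"
     and s.get("department") is not None
     and s.get("department") == r.get("owner_department")),
]


def evaluate(request):
    """Toy PDP: deny-overrides combining, default Deny when nothing matches.
    The response is only the decision plus the ids of the policies that matched."""
    s, a, r, c = (as_dict(request.get(k, []))
                  for k in ("subject", "action", "resource", "context"))
    matched = [(pid, effect) for pid, effect, cond in POLICIES if cond(s, a, r, c)]
    effects = {effect for _, effect in matched}
    decision = "Permit" if "Permit" in effects and "Deny" not in effects else "Deny"
    return {"decision": decision, "policies": [pid for pid, _ in matched]}


def evaluate_batch(requests):
    """Array in, array out: the batch form the single-decision shape leaves room for."""
    return [evaluate(req) for req in requests]


def pep_decide(http_status, body):
    """PEP side of one HTTP exchange with the PDP. The transport status carries
    no authorization meaning: 401/403 mean the PEP itself could not use the
    service, 5xx means it is unavailable, and anything but a well-formed 200
    fails closed. Only the message body is a decision about the request."""
    if http_status != 200:
        return {"allowed": False, "reason": "authz service unusable (HTTP %d)" % http_status}
    try:
        resp = json.loads(body)
        decision = resp["decision"]
    except (ValueError, KeyError, TypeError):
        return {"allowed": False, "reason": "malformed PDP response"}
    if decision not in ("Permit", "Deny"):
        return {"allowed": False, "reason": "unknown decision %r" % decision}
    return {"allowed": decision == "Permit", "reason": "PDP decision",
            "policies": resp.get("policies", [])}


if __name__ == "__main__":
    print(json.dumps(SAMPLE_REQUEST, indent=2))
    print(json.dumps(evaluate(SAMPLE_REQUEST), indent=2))
    print(pep_decide(403, ""))
```

<div>The point of <code>pep_decide</code> is the separation of layers from principle 1: a 401 or 403 from the PDP endpoint tells the PEP it cannot use the service, so it fails closed, while a Deny arrives as a 200 with <code>"decision": "Deny"</code> in the body. A PEP that mapped HTTP status onto the decision would turn an outage or an expired service credential into a Permit, or read a Deny as a transport fault.</div>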