<div dir="ltr"><div>Hi everyone,<br></div><div><br></div><div>First of all, a warm welcome to two new (but familiar) faces:</div><div><ul><li>Jeff Lombardo from AWS</li><li>Mat Hamlin from SGNL</li></ul><div>Here's the link to the notes: <a href="https://hackmd.io/@oidf-wg-authzen/wg-meeting-20250318">https://hackmd.io/@oidf-wg-authzen/wg-meeting-20250318</a></div></div><div><br></div><div>We also agreed to have breakout sessions to go over Jeff's issues in GH. We'll send out times on the mailing list.</div><div><br></div><div>David</div><div><br></div><div><h1 class="gmail-part" id="gmail-Meeting-Notes-2025-03-18">Meeting Notes 2025-03-18</h1><h2 class="gmail-part" id="gmail-Attendees">Attendees</h2><ul class="gmail-part">
<li class="gmail-">JF Lombardo</li>
<li class="gmail-">Alex Babeanu</li>
<li class="gmail-">Julio Auto De Medeiros</li>
<li class="gmail-">Victor Lu</li>
<li class="gmail-">Gerry Gebel</li>
<li class="gmail-">Ravi Erakulla</li>
<li class="gmail-">David Brossard</li>
<li class="gmail-">Mat Hamlin</li>
<li class="gmail-">Shannon Roddy</li>
<li class="gmail-">Alex Olivier</li>
</ul><h2 class="gmail-part" id="gmail-Agenda">Agenda</h2><ul class="gmail-part">
<li class="gmail-">Gartner IAM Interop
<ul>
<li class="gmail-">Datasheet review in <a href="https://docs.google.com/document/d/1jPkG9jBrS4cRq3cvw474vwrM_1X7Q0blCalVJlHftiw/edit?tab=t.0#heading=h.jk384qcfyhkp" target="_blank" rel="noopener">Google Docs</a></li>
<li class="gmail-">Signs <a href="https://docs.google.com/presentation/d/1dDspGqmWrHRDp49z7k4rdiSmg_6z1LBfiFETfOS9Umw/edit?slide=id.p#slide=id.p" target="_blank" rel="noopener">template</a></li>
<li class="gmail-"><a href="https://openid.net/intellectual-property/openid-foundation-contribution-agreements/" target="_blank" rel="noopener">Contribution agreement</a></li>
</ul>
</li>
<li class="gmail-">Goals for EIC Interop
<ul>
<li class="gmail-">Partial evaluation</li>
<li class="gmail-">Search API</li>
</ul>
</li>
<li class="gmail-">AOB?</li>
</ul><h2 class="gmail-part" id="gmail-Notes">Notes</h2><h3 class="gmail-part" id="gmail-Partial-evaluation">Partial evaluation</h3><ul class="gmail-part">
<li class="gmail-">Goal: EIC interop</li>
<li class="gmail-">No update from Axiomatics' side</li>
<li class="gmail-">AWS is onboard with partial evaluation</li>
<li class="gmail-">The current group is: Vladi (PlainID), Michel (VNG), and David (Axiomatics).</li>
<li class="gmail-">Schedule call after Gartner to pick up the work. Sync up with Jeff Lombardo (AWS) to determine AWS contribution.</li>
<li class="gmail-">Material
<ul>
<li class="gmail-">Current draft: <a href="https://hackmd.io/@oidf-wg-authzen/HkLiZVdb1l" target="_blank" rel="noopener">https://hackmd.io/@oidf-wg-authzen/HkLiZVdb1l</a></li>
<li class="gmail-">Feedback: <a href="https://hackmd.io/@oidf-wg-authzen/partial-evaluation-axio-feedback" target="_blank" rel="noopener">https://hackmd.io/@oidf-wg-authzen/partial-evaluation-axio-feedback</a></li>
<li class="gmail-">Additional material: <a href="https://hackmd.io/@oidf-wg-authzen/Syg0dHYsYyl" target="_blank" rel="noopener">https://hackmd.io/@oidf-wg-authzen/Syg0dHYsYyl</a></li>
</ul>
</li>
</ul><h3 class="gmail-part" id="gmail-Search-API">Search API</h3><ul class="gmail-part">
<li class="gmail-">Search API draft
<ul>
<li class="gmail-"><a href="https://hackmd.io/@oidf-wg-authzen/S1RmIUFF1e" target="_blank" rel="noopener">Action Search API</a></li>
<li class="gmail-"><a href="https://hackmd.io/@oidf-wg-authzen/ByeaUn3vyg" target="_blank" rel="noopener">Search API</a></li>
</ul>
</li>
<li class="gmail-">Question: how do we expect the search API to react to relationships between entities?</li>
</ul><h3 class="gmail-part" id="gmail-Negative-Testing">Negative Testing</h3><ul class="gmail-part">
<li class="gmail-">The interop only has happy paths</li>
<li class="gmail-">We need to include tests that cover errors
<ul>
<li class="gmail-">Invalid requests</li>
<li class="gmail-">Overly large requests</li>
</ul>
</li>
<li class="gmail-">Other testing
<ul>
<li class="gmail-">Via Search</li>
<li class="gmail-">Via Partial Evaluation</li>
</ul>
</li>
<li class="gmail-">Generally we test "discretely".
<ul>
<li class="gmail-">Can Alice view item 123?</li>
</ul>
</li>
<li class="gmail-">What if we wanted to test negatively?
<ul>
<li class="gmail-">Is there any way Alice can view item 123?</li>
<li class="gmail-">How can Alice NOT view item 123?</li>
</ul>
</li>
<li class="gmail-">When Search and Partial Evaluation are out, we need to verify how they can help us build new tests.</li>
<li class="gmail-">Can we generate test cases from schemas?
<ul>
<li class="gmail-">If we know we have 5 roles and 10 object types and 3 actions, we could generate a matrix of tests. This is somewhat outside the scope of AuthZEN for now.</li>
</ul>
</li>
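<li class="gmail-">Worked example, added to these notes and not AuthZEN project code: a small constructed schema (three roles, two object types, three actions) is expanded into the full test matrix, each cell is expressed as an AuthZEN-style evaluation, and the matrix is run against a constructed stub PDP. The positive half checks that every expected permit is granted; the negative half flags permits the schema owner never asked for, and the two helper functions answer "is there any way Alice can view item 123?" and "how can Alice NOT view item 123?" by enumerating the roles she holds. Using a role as the subject, the <code>{type}-123</code> resource ids and the role assignment for Alice are assumptions for illustration.

```python
"""Added worked example for the negative-testing discussion; not AuthZEN project code.

Generates a role x object-type x action test matrix from a constructed schema,
expresses every cell as an AuthZEN-style evaluation, and runs it against a
constructed stub PDP. Positive half: every expected permit is granted.
Negative half: permits nobody asked for are reported as findings. Using a role
as the subject is a simplification for illustration.
"""
from itertools import product

# Constructed schema: the "5 roles, 10 object types, 3 actions" idea at small scale.
ROLES = ["viewer", "editor", "admin"]
OBJECT_TYPES = ["item", "invoice"]
ACTIONS = ["can_read", "can_write", "can_delete"]

# Expected permits, maintained by the schema owner independently of the PDP.
EXPECTED_PERMITS = {
    ("viewer", "item", "can_read"),
    ("viewer", "invoice", "can_read"),
    ("editor", "item", "can_read"),
    ("editor", "item", "can_write"),
    ("editor", "invoice", "can_read"),
} | {("admin", t, a) for t in OBJECT_TYPES for a in ACTIONS}

# Constructed stub PDP state: what is actually deployed. It carries one deliberate
# drift from EXPECTED_PERMITS (editor may delete items) so the negative test finds it.
DEPLOYED_PERMITS = EXPECTED_PERMITS | {("editor", "item", "can_delete")}


def generate_matrix(roles, object_types, actions):
    """One evaluation per cell of the cube, in AuthZEN subject/action/resource shape."""
    return [
        {
            "subject": {"type": "role", "id": role},
            "action": {"name": action},
            "resource": {"type": otype, "id": f"{otype}-123"},
        }
        for role, otype, action in product(roles, object_types, actions)
    ]


def stub_pdp(evaluation):
    """Stands in for a call to the PDP's evaluation endpoint; True means permit."""
    key = (evaluation["subject"]["id"], evaluation["resource"]["type"], evaluation["action"]["name"])
    return key in DEPLOYED_PERMITS


def run_matrix(matrix, pdp, expected_permits):
    """Returns (unexpected_permits, missing_permits) as sets of (role, type, action)."""
    unexpected, missing = set(), set()
    for ev in matrix:
        key = (ev["subject"]["id"], ev["resource"]["type"], ev["action"]["name"])
        decision = pdp(ev)
        if decision and key not in expected_permits:
            unexpected.add(key)        # negative test: a permit nobody asked for
        elif not decision and key in expected_permits:
            missing.add(key)           # positive test: a permit that should exist
    return unexpected, missing


def ways_subject_can(subject_roles, otype, action, pdp):
    """'Is there any way Alice can view item 123?': the roles she holds that permit it."""
    return [
        role for role in subject_roles
        if pdp({"subject": {"type": "role", "id": role},
                "action": {"name": action},
                "resource": {"type": otype, "id": f"{otype}-123"}})
    ]


def ways_subject_cannot(subject_roles, otype, action, pdp):
    """'How can Alice NOT view item 123?': the roles she holds that are denied."""
    permitted = set(ways_subject_can(subject_roles, otype, action, pdp))
    return [role for role in subject_roles if role not in permitted]


if __name__ == "__main__":
    matrix = generate_matrix(ROLES, OBJECT_TYPES, ACTIONS)
    unexpected, missing = run_matrix(matrix, stub_pdp, EXPECTED_PERMITS)
    print(f"{len(matrix)} cells; unexpected permits: {sorted(unexpected)}; missing: {sorted(missing)}")
    alice = ["viewer", "editor"]            # constructed role assignment for Alice
    print("alice can_read item via", ways_subject_can(alice, "item", "can_read", stub_pdp))
    print("alice can_delete item via", ways_subject_can(alice, "item", "can_delete", stub_pdp))
```

The matrix grows as roles x types x actions (18 cells here, 150 for the numbers in the notes), so it is cheap to run on every policy change; the interesting output is the set of unexpected permits, which is exactly what a happy-path-only interop never looks for.</li>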
</ul><h3 class="gmail-part" id="gmail-Discovery-Endpoint">Discovery Endpoint</h3><ul class="gmail-part">
<li class="gmail-">We need to start working on the discovery endpoint (<a href="https://hackmd.io/@oidf-wg-authzen/roadmap" target="_blank" rel="noopener">See roadmap</a>)</li>
</ul><h3 class="gmail-part" id="gmail-Security-Testing">Security Testing</h3><ul class="gmail-part">
<li class="gmail-">Alex (Indykite) talked to the OIDF security test folks at OSW</li>
</ul><blockquote class="gmail-part">
<p>Hi All,<br>
So Tim, Pedram and I just had a chat, the conclusion of which was that since AuthZen is just essentially a payload format for a communication protocol, there is no inherent security risk to consider. Whatever security testing would be performed would actually test the communication fwk, not really Authzen itself.<br>
Ralf will provide the final answer and follow-up, just wanted to keep this thread updated with the latest.<br>
Cheers, Alex</p>
</blockquote><p class="gmail-part gmail-in-view">Ralf later confirmed</p><blockquote class="gmail-part gmail-in-view">
<p>a security analysis of Authzen does not seem to make sense.</p>
</blockquote><p class="gmail-part gmail-in-view">And Gail confirmed we're good to proceed to standardization.</p><h2 class="gmail-part gmail-in-view" id="gmail-Github-issues">Github issues</h2><ul class="gmail-part gmail-in-view">
<li class="gmail-"><a href="https://github.com/openid/authzen/issues/250" target="_blank" rel="noopener">https://github.com/openid/authzen/issues/250</a>
<ul>
<li class="gmail-">deny_on_first_deny and permit_on_first_permit examples are cumbersome #250</li>
<li class="gmail-">We need to restructure the response format: at the moment the response size is not guaranteed, because we return every decision that was reached before the short-circuit. We should instead return either MAX (one decision per boxcarred request) or exactly one (the overriding decision).</li>
</ul>
</li>
</ul><div class="gmail-part gmail-code-block-wrapper gmail-in-view">
        <pre><code>{
  "evaluations": [
    {
      "decision": true
    },
    {
      "decision": false,
      "context": {
        "id": "200",
        "reason": "deny_on_first_deny"
      }
    }
  ]
}
</code></pre>
      </div><p class="gmail-part gmail-in-view">The example above is flawed: it forces the PEP to iterate through all the answers to work out that <code>false</code> is the overall answer, because the deny came from <code>deny_on_first_deny</code> and nothing in the response says where it landed.</p><ul class="gmail-part gmail-in-view">
<li class="gmail-">Next steps: schedule breakout sessions to go over the other issues</li>
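<li class="gmail-">Worked example, added to these notes and not AuthZEN project code or spec text: a stub PDP answers a constructed boxcarred request of three evaluations under <code>deny_on_first_deny</code>, <code>permit_on_first_permit</code> and <code>execute_all</code>, and produces both response shapes the issue weighs against each other, the current variable-length list and a single overriding decision. The PEP-side functions show the difference in what the caller has to do with each. The request framing is simplified to a plain list of evaluations; the stop-at-first-hit reading of the two short-circuit semantics, the <code>index</code> field and the context contents are assumptions for illustration.

```python
"""Added worked example for issue #250; not AuthZEN project code or spec text.

Models a PDP answering a boxcarred evaluations request under the three
semantics named in the issue and shows the two response shapes discussed in
the notes. The request framing is simplified to a plain list of evaluations;
the stop-at-first-hit reading of the semantics, the ``index`` field and the
context contents are assumptions for illustration.
"""
import json

# Constructed policy standing in for a real PDP: (subject, action, resource) -> permit.
POLICY = {
    ("alice", "can_read", "123"): True,
    ("alice", "can_write", "123"): False,
    ("alice", "can_delete", "123"): False,
}

# Constructed boxcarred request: three evaluations for the same subject and resource.
REQUESTS = [
    {"subject": {"type": "user", "id": "alice"}, "action": {"name": a},
     "resource": {"type": "item", "id": "123"}}
    for a in ("can_read", "can_write", "can_delete")
]


def evaluate_one(req):
    key = (req["subject"]["id"], req["action"]["name"], req["resource"]["id"])
    return POLICY.get(key, False)          # closed world: unknown tuples are denied


def stops_here(semantic, decision):
    """True when this decision short-circuits the batch under the given semantic."""
    if semantic == "deny_on_first_deny":
        return decision is False
    if semantic == "permit_on_first_permit":
        return decision is True
    if semantic == "execute_all":
        return False
    raise ValueError(f"unknown semantic: {semantic}")


def respond_variable(requests, semantic):
    """Current shape (the one the issue calls cumbersome): one entry per evaluation
    actually reached, so the list is anywhere from 1 to len(requests) long and the
    overriding decision sits wherever the short-circuit happened to land."""
    evaluations = []
    for i, req in enumerate(requests):
        decision = evaluate_one(req)
        entry = {"decision": decision}
        if stops_here(semantic, decision):
            entry["context"] = {"id": str(i), "reason": semantic}
            evaluations.append(entry)
            break
        evaluations.append(entry)
    return {"evaluations": evaluations}


def respond_single(requests, semantic):
    """Proposed shape: exactly one overriding decision, fixed size for any batch."""
    if semantic == "execute_all":
        raise ValueError("execute_all has no single overriding decision")
    for i, req in enumerate(requests):
        decision = evaluate_one(req)
        if stops_here(semantic, decision):
            return {"decision": decision, "context": {"reason": semantic, "index": i}}
    # Nothing short-circuited: no deny seen means permit, no permit seen means deny.
    return {"decision": semantic == "deny_on_first_deny"}


def pep_allows_variable(response, semantic):
    """What the PEP has to do with the current shape: walk the whole list, because the
    decisive entry could be at any position and nothing says which one it is."""
    decisions = [e["decision"] for e in response["evaluations"]]
    if semantic == "deny_on_first_deny":
        return all(decisions)
    if semantic == "permit_on_first_permit":
        return any(decisions)
    return decisions                        # execute_all: the caller wants every answer


def pep_allows_single(response):
    """With the single-decision shape the PEP reads one field and is done."""
    return response["decision"]


if __name__ == "__main__":
    for semantic in ("deny_on_first_deny", "permit_on_first_permit", "execute_all"):
        print(semantic, json.dumps(respond_variable(REQUESTS, semantic)))
    print("single:", json.dumps(respond_single(REQUESTS, "deny_on_first_deny")))
```

Note the size problem the notes describe: under <code>deny_on_first_deny</code> the same three-request batch yields two entries, under <code>permit_on_first_permit</code> one, and under <code>execute_all</code> three, so a PEP that does not know the semantic cannot tell a truncated list from a short batch.</li>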
</ul><h2 class="gmail-part gmail-in-view" id="gmail-Upcoming-Events">Upcoming Events</h2><h3 class="gmail-part gmail-in-view" id="gmail-Confirmed">Confirmed</h3><ul class="gmail-part gmail-in-view">
<li class="gmail-">London Gartner IAM Interop
<ul>
<li class="gmail-">Tuesday, March 25, 2025 at 1PM, 2:45PM, and 4:30PM (GMT).</li>
<li class="gmail-">Italian Room</li>
<li class="gmail-">Session: Tuesday 11am</li>
</ul>
</li>
<li class="gmail-">European Identity Conference
<ul>
<li class="gmail-">11:40 Thursday May 8th</li>
<li class="gmail-">We also have a room like last year - details TBD</li>
</ul>
</li>
<li class="gmail-">Identiverse
<ul>
<li class="gmail-">1:30pm Tuesday June 3rd</li>
</ul>
</li>
</ul><h3 class="gmail-part gmail-in-view" id="gmail-Submissions">Submissions</h3><ul class="gmail-part gmail-in-view">
<li class="gmail-">Authenticate 2025</li>
<li class="gmail-">EIC Awards Submission</li>
</ul><h3 class="gmail-part gmail-in-view" id="gmail-Next-weeks-call">Next week's call</h3><ul class="gmail-part gmail-in-view">
<li class="gmail-">Due to Gartner IAM, we will cancel next week's call</li></ul></div></div>