Dave Hyland

@13uWx9lkRPqWjJ2IFeb_nQ

Joined on Jun 18, 2024

  • Workgroup: OpenID AuthZEN. Authors: D. Hyland (Ed.), ID Partners.
    Abstract: This specification defines a profile for using AuthZEN (Authorization Evaluation) by an OAuth 2.0 client against the Authorization Server or the Resource Servers it has been granted access to. It provides a standardized approach for performing access evaluations by extending the AuthZEN information model to work seamlessly with the OIDC and OAuth 2.0 protocols. The profile specifies how to handle evaluation requests and responses while maintaining compliance with existing OIDC and OAuth standards, including support for scopes, claims, and Rich Authorization Requests.
    1. Introduction: In today's dynamic security landscape, relying on static scopes or basic claim checks alone is insufficient to accurately determine whether a user or client should be granted access. Modern authorization evaluations often require complex decision-making that goes beyond simple scope- or claim-based controls, considering contextual factors such as user risk level, resource sensitivity, real-time threat indicators, and environmental variables (e.g., device type or geolocation).
  • Abstract: This specification defines how OAuth 2.0 clients can request and receive authorization evaluations through HTTP headers alongside REST operations (POST, PUT, PATCH, DELETE). This enables clients to understand how authorization state may have changed as a result of the RESTful request, without requiring separate authorization API calls. The profile extends the AuthZEN specification to work within OAuth 2.0 environments while maintaining compliance with OAuth standards.
    1. Introduction: As online digital experiences become more modular, a system's need to understand when to transition from one user flow to another creates a demand for continuous evaluation of state. For example, customer onboarding journeys in regulated industries such as Financial Services, Gambling and Gaming, and Real Estate require the capture and maintenance of information to a particular standard, and services are not provided unless the record is complete. Fraud and scam prevention adds further complexity by introducing the need for probabilistic risk assessment — an approach that relies on calculating likelihoods or “risk scores” based on multiple signals rather than making purely binary, rule-based decisions. These signals may include user behavior analytics, geolocation data, device fingerprinting, transaction velocity, and other contextual factors. Defining a user journey at design time is not possible, or is highly complex, and a new set of techniques and patterns to drive the user experience is required. Attempting to develop user journeys that ensure a customer record is in the correct state or that mitigate all risk introduces “friction” for legitimate users, such as additional identity checks, one-time passwords, or manual reviews. While these measures protect against malicious activity, they may also negatively impact user satisfaction or lead to customer abandonment if the process feels overly intrusive.
    The continuous evaluation of authorization decisions in real time, which drives the user journey dynamically, offers a balanced way to address these concerns.
  • Abstract: This specification extends the Grant Management API to enable real-time evaluation of access rights against existing grants. By introducing a standardized Grant Evaluation API endpoint, the extension allows clients to verify ongoing access permissions while considering contextual attributes and current grant constraints. The proposal defines the necessary protocol flows, API formats, and security requirements, making it particularly valuable for scenarios like Open Banking and healthcare where continuous verification of complex permissions is essential.
    [Add to Section 3: Use cases supported]
    3.8 Evaluating Access Against a Grant: A client needs to evaluate whether a subject has access to a resource under an existing grant. This evaluation must consider:
    - The subject's identity
    - The grant's current permissions
    - The specific resource/location being accessed