Identiverse AuthZEN Interop Demo

See https://hackmd.io/@oidf-wg-authzen/identiverse-2025-interop for updated details and instructions.

Scenario

The next interoperability demonstration will focus on the Search API (Draft 03).
https://openid.github.io/authzen/

Description

We have a basic web app that allows users to get access to records.

Records have metadata associated with them:

  • owner
  • department
  • status (draft, published, archived)

Users have metadata associated with them:

  • username
  • role
  • department

We have the following basic rules:

  • a user can view a record they own
  • a user can view any record in their department
  • a manager can view a record
  • any user can edit a record they own
  • a manager can edit a record in their department
  • a user can delete a record they own

Users

Define sample users here

Sample User Data

[
	{
		"name": "alice",
		"role": "manager",
		"department": "Sales"
	},
	{
		"name": "bob",
		"role": "employee",
		"department": "Legal"
	},
	{
		"name": "carol",
		"role": "contractor",
		"department": "Legal"
	},
	{
		"name": "dan",
		"role": "manager",
		"department": "Finance"
	},
	{
		"name": "erin",
		"role": "employee",
		"department": "Finance"
	},
	{
		"name": "felix",
		"role": "contractor",
		"department": "Accounting"
	}
]

See also the GitHub repository (interop\authzen-search-demo\data\users.json)

Data (Items)

Sample records are defined in interop\authzen-search-demo\data\records.json

Sample Records


Demo App

The Demo App is a simple UX that has 3 options:

  1. User search (who can view record X?)
  2. Resource search (which records can Alice view?)
  3. Action search (what action can Alice do on record X?)

The Demo App lets the end-user choose the record identifier, the action, and the PDP endpoint. It has a "Search" button which, when clicked, sends the AuthZEN search request to the selected backend, receives the response, and visualizes it on-screen.
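The three searches above are just the six scenario rules evaluated in bulk over one axis (all users, all records, or all actions). The following toy PDP is an added example, not the demo app's or any participant's code: it encodes the rules over the page's sample users plus a constructed set of records (the page's records.json is not reproduced) and answers all three search questions. The subject/resource/action request shape mirrors the AuthZEN evaluation style; the exact field names, the `results` key, and the `evaluate` helper are assumptions, not a transcription of the Search API draft.

```python
"""Toy PDP for the AuthZEN Search interop scenario (added example, not the
demo app's own code). Encodes the six scenario rules over the page's sample
users plus constructed records, and answers subject, resource and action
searches. Request/response field names are assumptions."""

# Sample users from the page.
USERS = [
    {"name": "alice", "role": "manager", "department": "Sales"},
    {"name": "bob", "role": "employee", "department": "Legal"},
    {"name": "carol", "role": "contractor", "department": "Legal"},
    {"name": "dan", "role": "manager", "department": "Finance"},
    {"name": "erin", "role": "employee", "department": "Finance"},
    {"name": "felix", "role": "contractor", "department": "Accounting"},
]

# Constructed records; the page's records.json is not reproduced here.
RECORDS = [
    {"id": "r1", "owner": "bob", "department": "Legal", "status": "draft"},
    {"id": "r2", "owner": "alice", "department": "Sales", "status": "published"},
    {"id": "r3", "owner": "erin", "department": "Finance", "status": "archived"},
    {"id": "r4", "owner": "felix", "department": "Accounting", "status": "draft"},
]

ACTIONS = ("view", "edit", "delete")


def user_by_name(name):
    return next((u for u in USERS if u["name"] == name), None)


def record_by_id(rid):
    return next((r for r in RECORDS if r["id"] == rid), None)


def is_allowed(user, action, record):
    """The scenario's rules. Unknown subjects, resources or actions are
    denied (default deny). Note the rules never consult record status."""
    if user is None or record is None:
        return False
    owns = record["owner"] == user["name"]
    same_dept = record["department"] == user["department"]
    is_manager = user["role"] == "manager"
    if action == "view":
        # owner, anyone in the record's department, or any manager
        return owns or same_dept or is_manager
    if action == "edit":
        # owner, or a manager within the record's department
        return owns or (is_manager and same_dept)
    if action == "delete":
        return owns
    return False


def evaluate(request):
    """Single decision for a fully specified subject/action/resource."""
    user = user_by_name(request["subject"]["id"])
    record = record_by_id(request["resource"]["id"])
    return {"decision": is_allowed(user, request["action"]["name"], record)}


def search_subject(request):
    """Who can perform the action on the resource? Subject carries only a type."""
    record = record_by_id(request["resource"]["id"])
    action = request["action"]["name"]
    return {"results": [{"type": "user", "id": u["name"]}
                        for u in USERS if is_allowed(u, action, record)]}


def search_resource(request):
    """Which records can the subject perform the action on? Resource carries only a type."""
    user = user_by_name(request["subject"]["id"])
    action = request["action"]["name"]
    return {"results": [{"type": "record", "id": r["id"]}
                        for r in RECORDS if is_allowed(user, action, r)]}


def search_action(request):
    """Which actions can the subject perform on the resource?"""
    user = user_by_name(request["subject"]["id"])
    record = record_by_id(request["resource"]["id"])
    return {"results": [{"name": a} for a in ACTIONS if is_allowed(user, a, record)]}


if __name__ == "__main__":
    print(search_subject({"subject": {"type": "user"}, "action": {"name": "view"},
                          "resource": {"type": "record", "id": "r1"}}))
    print(search_resource({"subject": {"type": "user", "id": "alice"},
                           "action": {"name": "edit"}, "resource": {"type": "record"}}))
    print(search_action({"subject": {"type": "user", "id": "carol"},
                         "resource": {"type": "record", "id": "r1"}}))
```

Because every search is derived from the same `is_allowed` function that serves single evaluations, a conformance test can cross-check a PDP: each id returned by a search must also get `decision: true` from the equivalent evaluation, and an unknown user or record must yield an empty result set rather than an error that leaks which ids exist.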

Conformance Tests

Once the sample data is defined, we can write the conformance tests.

Conformance Payloads

App Hosting

  • Investigate either Axiomatics, Hexa, or David B's personal GCP
  • Each PDP needs to host its own data store, since the search response contains the data
  • The 'Demo App' is just a glorified, stateless PEP

Participants & Schedule

  • Confirmed: Axiomatics (David), Cerbos (Alex O), Ping (via David H), SGNL (Atul), PlainID (Vladi), Permit.io (Gabriel), Thales (Cyril), AWS (Jeff), IndyKite (Alex B), EmpowerID (Patrick), Apache KIE (Elie), WSO2 (Hasintha), Topaz (Omri)

Schedule

  • April 16th
    • Use case defined
    • Sample data defined
    • Conformance tests defined
  • May 2nd
    • Demo app is up and running
  • May 19th
    • Participants have run through the conformance tests

On-site logistics

  • TBD

Assignments

  • Demo app & sample data: @davidbrossard

    • Host the demo app
      • Jeff will see if AWS can host the demo app
    • Vladi will help with the backend development
    • Create conformance test
    • Manage the config file with compliant implementations
    • Alex O also offered to work on this
  • Participant outreach: @gerryatstrata

  • On-site logistics: TBD

  • Liaison with OpenID (Marketing, etc):

  • Clone datasheet and produce new one

    • Remove todo app and add search use case: TBD
  • Vladi, David H, and Atul also asked what they could do to help