# Meeting Notes 2026-01-15

## Attendees

* Alex Olivier
* David Brossard
* Atul Tulshibagwale
* Alex Babeanu
* Julio Auto de Medeiros
* George Fletcher
* Victor Lu
* Gert Drapers
* Edmund Jay
* John Jiang

## Agenda

- EIC, Identiverse and other event updates
- Finish off the laundry list of possible directions for this year
- Determine a priority set of items and any willing owners
- Certification progress

## Notes

- Event Updates
  - Gartner IAM London
    - Just a panel, no room
  - EIC
    - David & Alex B doing 40min session with Gail
    - Run up to EIC podcast (David)
    - AuthZEN standards award EIC
  - Identiverse
    - Panel has been submitted, Feb 13th for result
- Prioritizing topics for 2026
  - JSON Schema and OpenAPI spec
    - [PR raised by Thomas Tran](https://github.com/openid/authzen/pull/419)
  - Finish partial evaluation API - David? Julio?
    - Julio - Some initial work started
    - No active workstream, clean slate to start from
    - [Partial evaluation proposal / draft](https://hackmd.io/@oidf-wg-authzen/HkLiZVdb1l)
  - Advice/Obligations
    - Some early work - sitting in a PR raised by Alex B
  - MCP/A2A integration - Atul/Alex O/Alex B
  - API gateway integration - Gert, George (reviewer)
    - George - Maybe a dependency on the Advice/Obligations work to have an AuthZEN response trigger some action, e.g. step-up AuthN. Take a use-case-based approach, as an allow/deny isn't sufficient in real-world scenarios
    - Alex B - could also be relevant for the IdP use case
    - George - and leads to other OAuth use cases (Jeff - AWS, David Hyland have been looking at this wrt RAR)
    - David B - split into two profiles
      - Technical profile at the route level
      - Business profile at the object level
    - George - Prior work around defining a pattern to deny a request as early as possible (can the subject access the downstream application at all?)
      - Nuance from location, history, user profile makes externalization more sane - more about access, less about the specific resource in the specific service
    - Gert - coarse-grain at the gateway, fine-grain at the application layer.
      - Different teams and owners. Need to have a similar understanding of payloads, users etc. at both levels for it to be scalable
    - David - We could support different levels in the profiles
      - Basic mapping of path, headers etc. into an AuthZEN request
      - Business/Best practice profiles - outline specific types of requests, e.g. a get-patient request from an EHR based on the HL7 standard. The profile would further constrain/define the spec based on the standard mapping to AuthZEN fields
      - Technical profile
    - Gert - What is the impact of having profiles on a PDP in terms of how it needs to scale?
    - Alex O/Gert - Start with a scoped example, e.g. a REST API?
  - Support different OAuth grant types (token exchange, RAR)
    - Alex B + David + Omri - proposed a RAR profile at IETF, wasn't accepted
    - Gert - start with the gateway vendors to get momentum and then go to IETF
    - [Prior work](https://davidjbrossard.github.io/authzen-rar-profile/draft-brossard-oauth-rar-authzen.html)
- Certification testing (Edmund, Alex B, Gert)
  - Evaluation API is implemented - can be tested now on the certification site
  - Evaluations in progress
  - Interop examples are missing some data needed to implement the full test suite
  - Question about how to make the test data configurable so it is not specifically using the interop data
  - The current scenarios being used are not clearly defined - they need to be written down so vendors can set up their policies/test data in their PDPs
  - Need a document/data file of the use case - the decision matrix?
- To be discussed still:
  - Focusing on adoption
  - Profiles
    - IdP integration
  - Use cases for decentralized enforcement
    - How to centralize policy to leverage a common language model (policy distribution API)
  - Enable a human to delegate authZ to AI agents
    - How can OAuth clients reason about the delegated subject's scopes?
  - Building a fuller demo environment that can represent more real-world scenarios
    - Shared signals integration scenario
  - Audit log profile

TODO:

- [x] Alex O: Copy notes to the official wiki: https://github.com/openid/authzen/wiki/Meetings
- [ ] Review [JSONSchema PR](https://github.com/openid/authzen/pull/419)
- [ ] Alex O: Break out the interop code into a separate repo
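The API gateway integration discussion above (route-level technical profile, coarse-grained check at the gateway before the fine-grained object-level check, "deny as early as possible") is sketched below as an added example. This is illustration code written for these notes, not code from the AuthZEN working group or any gateway vendor. The request and response shapes follow the AuthZEN Access Evaluation API (`subject`/`action`/`resource`/`context` in, `{"decision": bool}` out); the route table, the `X-Authenticated-Subject` header, the application name and the in-memory PDP are all constructed assumptions for the demo, not part of any AuthZEN profile.

```python
"""Gateway-side mapping of an HTTP request into AuthZEN evaluation requests.

Two stages, matching the coarse/fine split discussed in the meeting:
  1. route level:  "may this subject reach the downstream application at all?"
  2. object level: "may this subject perform this method on this resource?"
Stage 2 is only reached when stage 1 allows, so a blanket deny costs one
PDP round trip and never touches the application-specific policy.
"""
import re
from typing import Callable, Optional, Tuple

# Constructed "technical profile": (method, path template, resource type).
# A {param} segment in the template becomes the resource id.
ROUTES = [
    ("GET", "/patients/{id}", "patient"),
    ("POST", "/patients", "patient"),
    ("GET", "/admin/users/{id}", "user"),
]

# Header the gateway sets itself after validating the bearer token.
# Assumption: the gateway strips any inbound copy of this header so a
# client can never assert its own identity through it.
SUBJECT_HEADER = "x-authenticated-subject"

Request = dict
PDP = Callable[[Request], dict]


def _match_route(method: str, path: str) -> Optional[Tuple[str, str]]:
    """Return (resource_type, resource_id) for a known route, else None."""
    for route_method, template, rtype in ROUTES:
        if route_method != method:
            continue
        pattern = re.sub(r"\{(\w+)\}", r"(?P<\1>[^/]+)", template)
        m = re.fullmatch(pattern, path)
        if m:
            # Collection routes have no {id}; use the path as the id.
            return rtype, m.groupdict().get("id", path)
    return None


def build_requests(method: str, path: str, headers: dict,
                   app_name: str) -> Optional[Tuple[Request, Request]]:
    """Map one HTTP request to a (coarse, fine) pair of AuthZEN requests.

    Returns None when there is no authenticated subject or no matching
    route, so the caller fails closed instead of guessing a mapping.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    subject_id = hdrs.get(SUBJECT_HEADER)
    if not subject_id:
        return None
    route = _match_route(method.upper(), path)
    if route is None:
        return None
    rtype, rid = route

    subject = {"type": "user", "id": subject_id}
    context = {"method": method.upper(), "path": path}
    coarse = {
        "subject": subject,
        "action": {"name": "access"},
        "resource": {"type": "application", "id": app_name},
        "context": context,
    }
    fine = {
        "subject": subject,
        "action": {"name": method.upper()},
        "resource": {"type": rtype, "id": rid},
        "context": context,
    }
    return coarse, fine


def gateway_decide(pdp: PDP, method: str, path: str, headers: dict,
                   app_name: str = "ehr-api") -> bool:
    """Enforce at the gateway: coarse check first, fine check only if allowed."""
    reqs = build_requests(method, path, headers, app_name)
    if reqs is None:
        return False  # fail closed: unauthenticated or unmapped route
    coarse, fine = reqs
    if pdp(coarse).get("decision") is not True:
        return False  # denied early, application policy never consulted
    return pdp(fine).get("decision") is True


def demo_pdp(request: Request) -> dict:
    """Constructed in-memory PDP standing in for a real AuthZEN endpoint.

    alice may use the app and read patient p1; bob may use the app but
    read no patients; everyone else is denied at the application level.
    """
    subject = request["subject"]["id"]
    resource = request["resource"]
    action = request["action"]["name"]
    if resource["type"] == "application":
        return {"decision": subject in {"alice", "bob"}}
    if resource["type"] == "patient" and action == "GET":
        return {"decision": subject == "alice" and resource["id"] == "p1"}
    return {"decision": False}


if __name__ == "__main__":
    hdrs = {"X-Authenticated-Subject": "alice"}
    print(gateway_decide(demo_pdp, "GET", "/patients/p1", hdrs))  # True
    print(gateway_decide(demo_pdp, "GET", "/patients/p2", hdrs))  # False
```

The two PDP calls here carry the same `subject` and `context`, which is the "similar understanding of payloads and users at both levels" point from the notes: the gateway team and the application team evaluate against one request vocabulary, differing only in how specific the `resource` is. A real deployment would replace `demo_pdp` with an HTTP client to the PDP's evaluation endpoint and would derive the subject from a token it has validated itself.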