# Meeting Notes 2026-01-22
## Attendees
* Alex Olivier
* Alex Babeanu
* Mike Kiser
* Gert Drapers
* Jeff Lombardo
* Chaithanya Yambari
* John Jiang
* George Fletcher
## Agenda
- Actions from last week
- [x] Alex O: Copy notes to the [official wiki](https://github.com/openid/authzen/wiki/Meetings)
- [ ] Alex O: Break out the interop code into a separate repo (blocked)
- [ ] Review [JSONSchema PR](https://github.com/openid/authzen/pull/419)
- Roadmap
- Proposed
- Certification testing (Alex O)
- API Gateway profile (Gert, David)
- MCP/A2A profile (Atul, Alex B)
- Obligations profile (Alex B)
- [Partial evaluation](https://hackmd.io/@oidf-wg-authzen/partial-evaluation) (David, Julio)
- Protocol Bindings - gRPC (Gert, Julio)
- Any objections
- Agree on sub-group owners and expectations
- Should we own/manage AuthZEN SDKs?
- Outreach
- to COTS/SaaS vendors to adopt the PEP/PDP pattern
- to app/AI frameworks (e.g. Spring Security, CrewAI) for native support
- Investigate to other standards working groups
- EIC Standards Award submission (David) - any others?
- AOB
## Notes
- Gert - has a [repo](https://github.com/authzen) of gRPC bindings already. It's at the 0.5 draft. Needs updating and then finding a better home for it. Objective was to set up the language bindings and Topaz already uses it.
- AO - Not sure if there is prior art for this
- Gert - it will be a driver for adoption and feedback.
- AlexB - not sure if OpenID does the ref code/sdk (CNCF does a bit).
- JeffB - it should go into the openid/authzen repo
- George - OIDF managing libraries has had mixed success. iOS/Android version of the OIDC spec for mobile. Issue has been maintainers and they have gotten out of date. Other OIDC implementations have relied on contributors to publish their implementation certified. Then OIDF will list the library for conformance. It is difficult to resource the long-term management of the libraries.
- JeffB - what do we do with the deployed AuthZEN interop apps (Jeff and AO have deployed instances)?
- AlexB - can we only deploy them when we need them?
- AO - everything can be shut down and then coordinate deploying again for events.
- AO: Which implementers can we contact to implement AuthZEN? AO talked to Gravitee, they already support AuthZEN.
- Chaithanya: looking at implementing AuthZEN for their IGA solution.
- MikeK: active interest from SailPoint to support. Initial use case - "what resources does Alice have access to"
- Chaithanya: where to start?
- AlexB: hopefully the spec is clear enough. We may have some blog/content around it.
- MikeK: the decks from the last interops
- AlexB: start with the use cases - the questions you want to ask a PDP
- Chaithanya: already have a PEP and a policy engine which is being built/enhanced. Guidance on where to start
- AlexB: revive the use cases track
- Gert: ground it in the use cases, rather than the todo app interop scenario.
- AlexB: started off with the questions you want to ask
- Gert: that's how Topaz templates
- Chaithanya: questions: "does this user have access to this resource" (bool), "what are my risky apps being used by this user" (continuous, scheduled, event), "what other applications does the user need to have which he doesn't have access to" (recommendations/similarity)
- AlexB: we don't have an AuthZEN question to answer that last question
- Chaithanya: this is where vendors can build on top of the spec.
- AlexB: need to twist the semantic
- JeffB: 'should' has lots of logic behind it. What is the initiator for that? There is prior art for this.
- Delegated Authorization for Agents Constrained to Semantic Task-to-Scope Matching: https://arxiv.org/pdf/2510.26702v1
- AlexB: seen this in provisioning workflows.
- Chaithanya: Have templates/criteria you want to satisfy but this is old school.
- AlexB: would be good not to work alone - want input, and need to establish ways of working
- Chaithanya: offering to write content on how to get going as a vendor
- Gert: Workstreams move notes to the GitHub wiki so we don't lose history from Slack
- MikeK: where to start - interop harness or certification
- Edmund: first use case (evaluation) endpoint is implemented ready to test out. Ready to test out on the conformance site. Need better documentation for setting up their policies for running against the conformance suite. Needs work to cut down interop-specific payloads with nothing outside the spec being included.
## Actions
- Do some digging into other WG that have SDKs
- JeffB/AO - shut down interops
- Content on getting started with the spec. Revive the use cases track?
- AO/Edmund - sync on certification and what's needed.