## Agenda
👉 _Add items that you would like to cover on the call_ 👈
- Upcoming holiday schedule
- Cancel calls during Christmas and New Years weeks? Yes.
- No meetings on 12/26 and 1/2/24
- Request for APAC friendly call time
- Decision to move to 11am PT to accommodate a slightly better time for APAC. @gerryatstrata to notify Mike L. of the change. New time effective as of 12/12/23
- Don't forget to join the community in
- 📄https://hackmd.io/@oidf-wg-authzen
- 💬[OpenID Slack Channel for AuthZEN](https://oidf.slack.com/archives/C0630873JGK)
- 📧[Mailing list](https://lists.openid.net/mailman/listinfo/openid-specs-authzen)
- 👩‍💻[Github Repo](https://github.com/openid/authzen)
(https://docs.google.com/presentation/d/1bWnazk6D54efbO08FUpwOyeLyrxz04hoSx2XwauyID8/edit?usp=sharing)
- What is the strategy for an interop?
- Goal: May 2024 at RSA
- Is there still such a thing as a PEP SDK?
- Should we avoid mentioning the word SDK?
- Review comments from @alexbabeanu, @xmlgrrl, and others on [Authorization Design Patterns](/H2a8WW2vTjOc5xy4Tm85oQ)
- Discuss plans for EIC (David) and Identiverse
- Tabled to next meeting
- Use cases doc (Roland and Alex)
- Tabled to next meeting
## Attendees
👉 _Write your name down if you plan to attend_. 👈
- Atul Tulshibagwale - SGNL (will join 30 minutes after start of the call) - PST
- @xmlgrrl - CST
- @gerryatstrata - MST
- Rifaat Shekh-Yusef - EST
- Roland Baum - CET
- Omri Gazitt - PST
- Jeff Broberg - EST
- Alex Babeanu - PST
- George Fletcher - EST
- David Hyland - AEST
- Dani Katzman - Israel
- Victor Lu - EST
- Mickey Martin - EST
- Bjorn Hjelm - PST
- @davidbrossard - PST
## Interop Conversation
If we think in terms of PEP-PDP, let's create a site for authorization (in the style of jwt.io) to demonstrate the interoperability.
- Language SDKs on the site
- Gateway support e.g. Kong support for authorization, AWS API GW, Zuplo...
- Kong already has a plugin for OPA
- Styra did develop standard patterns for the PEP-PDP
- What's our intent with the interop?
- Do we want to raise awareness?
- Do we want to show true interop between vendors/implementations?
- Do we want to encourage software developers to adopt AuthZEN?
- We want the "OIDC" moment
For the spec, we probably need to start with an implementer's draft that defines some of the basics/core common use cases and build from that. That would allow us to have a draft two months from now (end of Jan, early Feb), leaving two months before the interop at RSA in May. (George)
@alexbabeanu suggests focusing on the Permit/Deny part of the API.
We need to define a well-known use case that brings value to the attendee (developer/CISO).
Omri draws a comparison with OIDC: there were two draws. On the one hand, SDKs to handle the auth flow. On the other, SSO and integration with identity management products. The interesting aspect here would be plug 'n play authorization.
George suggests that the OAuth Step-Up spec probably needs an update to point to a policy identifier.
What looks like a developer-friendly approach or an impediment to developers in 2024 (@xmlgrrl)?
## Authorization Spec
- David to provide links to the REST Profile of XACML and the Request/Response model as well as the JSON profile of XACML.
- Atul: we could use the sub IDs. See [here](https://datatracker.ietf.org/doc/html/draft-ietf-secevent-subject-identifiers).
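To make the two points above concrete (the Permit/Deny part of the API that @alexbabeanu suggested focusing on, and Atul's suggestion to carry subject identifiers from draft-ietf-secevent-subject-identifiers), here is an added illustration in Python. It is not code from the AuthZEN working group or from any vendor. The subject identifier formats and their required members follow the SecEvent draft (published as RFC 9493); the request/response envelope (`subject`/`action`/`resource`, a `decision` of `Permit` or `Deny`), the `build_request`/`evaluate` functions and the policy table are assumptions made for this example, not the AuthZEN wire format.

```python
"""Permit/Deny authorization request carrying a SecEvent subject identifier.

Added illustration, not AuthZEN working group code. Subject identifier formats
and required members follow draft-ietf-secevent-subject-identifiers (RFC 9493).
The request/response envelope and the policy table are assumptions for this
example, not the AuthZEN format.
"""

# Required members for each subject identifier format in the SecEvent draft.
SUBJECT_ID_FORMATS = {
    "account": {"uri"},            # acct: URI
    "email": {"email"},
    "issuer_subject": {"iss", "sub"},
    "opaque": {"id"},
    "phone_number": {"phone_number"},
    "did": {"url"},                # did: URL
    "uri": {"uri"},
    "aliases": {"identifiers"},    # list of other identifiers, never nested
}


def validate_subject_id(sid):
    """Check the draft's structural rules; return sid or raise ValueError."""
    if not isinstance(sid, dict) or "format" not in sid:
        raise ValueError("subject identifier must be an object with 'format'")
    fmt = sid["format"]
    if fmt not in SUBJECT_ID_FORMATS:
        raise ValueError(f"unknown subject identifier format {fmt!r}")
    missing = SUBJECT_ID_FORMATS[fmt] - set(sid)
    if missing:
        raise ValueError(f"format {fmt!r} is missing {sorted(missing)}")
    if fmt == "account" and not str(sid["uri"]).startswith("acct:"):
        raise ValueError("account format requires an acct: URI")
    if fmt == "did" and not str(sid["url"]).startswith("did:"):
        raise ValueError("did format requires a did: URL")
    if fmt == "aliases":
        ids = sid["identifiers"]
        if not isinstance(ids, list) or not ids:
            raise ValueError("aliases requires a non-empty 'identifiers' list")
        for alias in ids:
            if isinstance(alias, dict) and alias.get("format") == "aliases":
                raise ValueError("aliases must not be nested")
            validate_subject_id(alias)
    return sid


def subject_keys(sid):
    """Flatten a (validated) identifier to hashable keys a policy can match."""
    fmt = sid["format"]
    if fmt == "aliases":
        return [k for alias in sid["identifiers"] for k in subject_keys(alias)]
    if fmt == "issuer_subject":
        return [(fmt, sid["iss"], sid["sub"])]
    member = next(iter(SUBJECT_ID_FORMATS[fmt]))  # single required member
    return [(fmt, sid[member])]


def build_request(subject, action, resource_type, resource_id):
    """PEP side: validate the subject identifier and assemble the request.

    The field names of the envelope are an assumption for this example."""
    return {
        "subject": validate_subject_id(subject),
        "action": {"name": action},
        "resource": {"type": resource_type, "id": resource_id},
    }


# Constructed policy table: (subject key, action, resource type) that are allowed.
POLICY = {
    (("email", "alice@example.com"), "read", "document"),
    (("issuer_subject", "https://idp.example", "u-1001"), "write", "document"),
}


def evaluate(request):
    """PDP side: default-deny evaluation returning {"decision": "Permit"|"Deny"}."""
    try:
        subject = validate_subject_id(request["subject"])
        action = request["action"]["name"]
        rtype = request["resource"]["type"]
    except (KeyError, TypeError, ValueError):
        return {"decision": "Deny"}   # a malformed request never yields Permit
    for key in subject_keys(subject):
        if (key, action, rtype) in POLICY:
            return {"decision": "Permit"}
    return {"decision": "Deny"}


if __name__ == "__main__":
    req = build_request({"format": "email", "email": "alice@example.com"},
                        "read", "document", "42")
    print(evaluate(req)["decision"])  # Permit
```

The PEP validates the identifier before sending so that a malformed subject is caught at the caller, while the PDP re-validates and defaults to `Deny` on anything it cannot parse; both halves have to fail closed for a Permit/Deny API to be safe to plug into a gateway. An `aliases` identifier is matched by trying every alias, which is why nesting is rejected at validation time.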
## Use case opportunities
- Go down the path of being industry-specific? FHIR etc.
- Go down the path of technical orientation? OWASP
- Be mindful of the audience/persona (application developer seems primary)
## Collateral opportunities
- Site equivalent to oauth.net: vendor neutral, dev resources - authzen.io!
- FAQ - start on HackMD
- Terminology doc(s)
## Next steps
- Define the first use case → @xmlgrrl
- Why other frameworks? document + prior art → @davidbrossard
- Next week's meeting will be dedicated to the design patterns document
- Review comments from @alexbabeanu, @xmlgrrl, and others on [Authorization Design Patterns](/H2a8WW2vTjOc5xy4Tm85oQ)