## Agenda

👉 _Add items that you would like to cover on the call_ 👈

- Reminder: Upcoming holiday schedule
  - No meetings on 12/26 and 1/2/24
- Define the first use case (update from @xmlgrrl)
- Why other frameworks and prior art (update from @davidbrossard)
- Design patterns document
  - Review comments from @alexbabeanu, @xmlgrrl, and others on [Authorization Design Patterns](/H2a8WW2vTjOc5xy4Tm85oQ)
- PEP-PDP Patterns Document: https://hackmd.io/@oidf-wg-authzen/BJ0kLlnB6
  - Review comments
- Interesting articles

## Attendees

👉 _Write your name down if you plan to attend._ 👈

- Rifaat Shekh-Yusef
- @gerryatstrata
- Elie Azerad
- Dave Hyland
- @omri
- Jason Garbis
- Mike Kiser
- George Fletcher
- Gabriel Manor
- @davidbrossard
- Atul Tulshibagwale (SGNL)
- Roland Baum
- @alexbabeanu
- Jeff Broberg
- Jamie Lin
- Apoorva Deshpande
- Victor Lu
- Darin McAdams
- Dima Postnikov
- Bjorn Hjelm

## Notes

### Review of agenda

- Since Eve is not on the call, skip reviewing use cases until next call
- Brief discussion of PEP-PDP pull request
  - Clarification that comments are entered on the HackMD version of the document
  - Comments will be reviewed on Thursday call and a summary reported back to the larger group
  - David will use the regular Zoom meeting link
- Skip to Design Patterns to review comments
  - Need a glossary of terms? Eve has been working on this
  - Some sections have figures; it would be good to have them in other sections as well (although they fail to build in the pipeline). Alex has links to pictures for the time being.
  - Asking for volunteers to fill in real-world examples (David to add for traditional PEP)
  - Discussion of "Traditional" section
    - Good to have the building blocks of the basic abstract patterns, such as the "P*P" model, and then use them to compare/contrast with other models:
      - Decision architecture
      - Information architecture
      - Enforcement architecture
      - Administration/management architecture
    - Question on where to consider the authorization data model, i.e. the information used in policies and access requests
      - Strive to decouple the app from the data
      - Make sure we build a bridge to the implementer who knows how to add a claim to a JWT
      - RAR defines a pattern; should we copy that or model after it?
      - Could standardize more than just subject, action, resource, such as additional context from the token
  - Elie: an authorization decision service is a specialized decision service. There are general-purpose products that do the same and should be called out as well. Not sure how often they are used for that, but it is about the type of authorization we are focusing on. I can add a section about this as well. I'm talking about IBM ODM / Drools. The rationale would be that authorization is just part of the decisions that are being evaluated.

## Other

### How to join OpenID Slack

- Contact Mike for an invite: mike.leszcz@oidf.org

### Use Case Work (Eve)

See https://hackmd.io/@oidf-wg-authzen/BJxrqVqIp

### Identiverse

- @omri submitted a panel with Atul, Eve, Gerry, Alex, David, and himself.
- @gerryatstrata and @davidbrossard will follow up with Andi Hindle re. floor space for AuthZEN (or OpenID?)
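### Worked example of the P*P building blocks (added)

The Design Patterns discussion above names four abstract architectures (decision, information, enforcement, administration) and a subject/action/resource/context request model that keeps the app decoupled from the authorization data. The following is an added illustration written for these notes, not AuthZEN spec text or working-group code: every class, claim name (`approval_limit`), policy and data table is a hypothetical choice made for the example. The PEP maps verified JWT claims into the request context, the PDP enriches the request from a PIP and applies policies held by a PAP, and unmatched requests are denied by default.

```python
"""Added example for the design-patterns notes: the abstract P*P building
blocks (PEP, PDP, PIP, PAP) around a subject/action/resource/context request.
Hypothetical names and shapes; not AuthZEN spec code."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class DecisionRequest:
    """What the PEP sends: identifiers plus token-derived context, no attributes."""
    subject: str                  # identifier, e.g. the JWT "sub" claim
    action: str                   # e.g. "read" or "approve"
    resource: str                 # identifier, e.g. "invoice:1001"
    context: dict = field(default_factory=dict)  # extra context from the token


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str


# Information architecture (PIP): attribute sources the PDP consults.
# Both tables are constructed sample data.
USER_DIRECTORY = {
    "alice": {"department": "finance", "role": "approver"},
    "bob": {"department": "sales", "role": "rep"},
}
RESOURCE_REGISTRY = {
    "invoice:1001": {"owner": "bob", "department": "finance", "amount": 9000},
    "invoice:1002": {"owner": "alice", "department": "finance", "amount": 25000},
}


class PIP:
    def subject_attrs(self, subject_id: str) -> dict:
        return USER_DIRECTORY.get(subject_id, {})

    def resource_attrs(self, resource_id: str) -> dict:
        return RESOURCE_REGISTRY.get(resource_id, {})


# Administration architecture (PAP): policies are data managed apart from the app.
# Each rule sees the request plus the PIP-enriched subject and resource attributes.
def owner_can_read(req, subj, res):
    return req.action == "read" and res.get("owner") == req.subject


def finance_approver_can_approve(req, subj, res):
    return (
        req.action == "approve"
        and subj.get("role") == "approver"
        and subj.get("department") == res.get("department")
        and req.context.get("mfa") is True
        and res.get("amount", 0) <= req.context.get("approval_limit", 0)
    )


POLICIES = [
    ("owner_can_read", owner_can_read),
    ("finance_approver_can_approve", finance_approver_can_approve),
]


# Decision architecture (PDP): enrich from the PIP, evaluate policies, default deny.
class PDP:
    def __init__(self, pip: PIP, policies):
        self.pip, self.policies = pip, policies

    def evaluate(self, req: DecisionRequest) -> Decision:
        subj = self.pip.subject_attrs(req.subject)
        res = self.pip.resource_attrs(req.resource)
        for name, rule in self.policies:
            if rule(req, subj, res):
                return Decision(True, f"permit by {name}")
        return Decision(False, "deny: no policy matched (default deny)")


# Enforcement architecture (PEP): sits in front of the app and builds the request
# from already-verified JWT claims; token signature checking is out of scope here.
class PEP:
    def __init__(self, pdp: PDP):
        self.pdp = pdp

    def authorize(self, claims: dict, action: str, resource: str) -> Decision:
        ctx = {
            "mfa": "mfa" in claims.get("amr", []),
            "approval_limit": claims.get("approval_limit", 0),  # hypothetical claim
        }
        return self.pdp.evaluate(DecisionRequest(claims["sub"], action, resource, ctx))


# Constructed sample token payloads (claims after verification).
ALICE_CLAIMS = {"sub": "alice", "amr": ["pwd", "mfa"], "approval_limit": 10000}
ALICE_NO_MFA = {"sub": "alice", "amr": ["pwd"], "approval_limit": 10000}
BOB_CLAIMS = {"sub": "bob", "amr": ["pwd"]}

_pep = PEP(PDP(PIP(), POLICIES))


def decide(claims: dict, action: str, resource: str) -> Decision:
    return _pep.authorize(claims, action, resource)


if __name__ == "__main__":
    for claims, action, res in [(ALICE_CLAIMS, "approve", "invoice:1001"),
                                (ALICE_NO_MFA, "approve", "invoice:1001"),
                                (BOB_CLAIMS, "read", "invoice:1001")]:
        print(claims["sub"], action, res, "->", decide(claims, action, res))
```

The point to notice is which side knows what: the application only ever hands over identifiers and the claims it already holds, while department, role, ownership and amount are fetched by the PDP from the PIP, so a change in the data model does not ripple into the app.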
### Interesting Reads

- [Unauthorized - the comedy of errors](https://idpro.org/unauthorized-the-comedy-of-errors/)

### Splitting into sub-calls

- David set up a call for the PDP API spec on Dec 20 (contact David if you are not already on the invite)
  - @davidbrossard
  - Atul
  - @omri
  - Rifaat
  - Elie
- Alex to set up a call for the design patterns in early Jan
  - @alexbabeanu
  - @gerryatstrata
  - Dani Katzman
  - Dave Hyland
  - Roland Baum
  - Omri
  - Rifaat
  - Elie
  - Jeff Broberg