## Agenda

👉 _Add items that you would like to cover on the call_ 👈

- Reminders:
  - All members can vote in the OIDF Community Representative election: https://openid.net/foundation/members/elections/58
  - Corporate members can vote for Corporate Representatives
  - Voting is open until 12 pm PST on Jan 16
- Identiverse update
  - @davidbrossard spoke with Andi on Jan 8 (update here?)
- Why other frameworks and prior art
  - Darin McAdams on Amazon Verified Permissions
  - David Hyland on OAuth
  - @davidbrossard on XACML
- Define the first use case (update from @xmlgrrl)
- Design patterns document
  - Review comments from @alexbabeanu, @xmlgrrl, and others on [Authorization Design Patterns](/H2a8WW2vTjOc5xy4Tm85oQ)
- PEP-PDP Patterns Document: https://hackmd.io/@oidf-wg-authzen/BJ0kLlnB6
  - Review comments
  - [Use Cases: PDP ↔ PEP Communication Scheme](https://hackmd.io/@oidf-wg-authzen/BJ0kLlnB6)
- Interesting articles
  - @gerryatstrata's article on AuthZEN in Forbes: https://www.forbes.com/sites/forbestechcouncil/2023/12/27/how-standardization-could-bridge-gaps-in-authorization/

## Attendees

👉 _Write your name down if you plan to attend._ 👈

- Sean O'Dell
- @HEYeftZsRoKWZN2WjscpGA
- @xmlgrrl
- Alex Babeanu
- Mike Kiser
- Roland Baum
- Darin McAdams
- David Hyland
- Elie Azerad
- Jamie Lin
- Victor Lu
- Wade Ellery
- George Fletcher
- Ash Narkar
- Rifaat Shekh-Yusef
- Atul Tulshibagwale (SGNL)

## Notes

Notes are going here :)

- Darin - Was there a date to be ready to present?
- Darin - Get more time with the API subgroup next Tue/Wed @ 11am PT.
- David - Working on getting a time set up for OAuth.
- Atul - Darin's preso during the regular slot, his preference.
- Atul - If meeting as subgroups for P*P, do we change this frequency to bi-weekly or weekly?
- Eve, would we be doing interop planning here?
- Atul - We don't have a spec and need one for interop planning.
- Sean - Agree with Atul, Eve.
- Alex - Repurpose next week for design patterns, but putting Darin there instead.
- Darin - He will be ready next week.
- Sean/Alex - Will get the design pattern call set up with Gerry for the following week.
- Roland - Do we schedule a separate call for the PDP-PEP Communication Scheme post design patterns? Generally it is a yes, we should.
- Eve - Will help with the benefits and proof points for interop.
- Roland - The communication scheme is more technical.
- Eve - Asked some interesting question on which P*P to ask?
- Eve - Terminology exercise... categorizing it in HackMD is not the right tool. Rabbit hole going down with tools, but looking at graphing it out :) Going to put together the raw data and how to map it to a friendly form. Relates a lot to "Comedy of Errors" below and will be a useful tool. We are proving we understand old and new tools and how they relate and inter-relate. Showed a great visual drawing. Not leave OAuth in the cloud.
- George - We tend to be in a world of authN first, and authN a session to a significant enough level so that users get seamless enough access. Oh, I need access to X, but AuthN is part of the AuthZ policy. We inverted the UX. OAuth is the authorization-first model, but wait, you need to log in. But it does not have the modern hooks needed to do what we need it to do. It could be the order of them is important, but it is super super fuzzy. What could we do with OAuth?
- Alex - OAuth has the Rich Authorization Request (RAR) extension.
- George - RAR and OAuth... how do I allow a transaction for a transaction token to be specific to that context? There is a resource indicator spec as well. Are those sufficient for describing the policy being invoked?
- David - Extending the usage of RAR to get VCs, and it is being used as a conduit for communicating what we need and when. OID VC is starting to add more attributes into more of the payload for RAR. Lower-level detail below scopes has not been defined.
- Sean - Transaction Tokens... as an option for an extension.
- David - What is a subject? Is it really? The subject should have control over a private key.
- Roland - A chicken-and-egg problem will occur with scope creep with RAR and PDP... big big rabbit hole.
- Eve - Policy Information Points are muy importante, 100%.
- Atul - RAR can provide the context and requestor... but the context should be considered along with other things. RAR by itself may not be sufficient.
- Alex - RAR was to convey a request with possible additional information.
- Atul - Transaction Tokens Spec: https://datatracker.ietf.org/doc/draft-ietf-oauth-transaction-tokens/
- Elie - We see more and more use cases on privacy. We can keep anonymity along with privacy here as well. It's occurring more in the financial sector/space.
- David - Multi-party accounts for open banking type of things. Grant Mgmt API was mentioned here. Important to signal chaining, and is a signal for authorization.
- George - There is or are multiple data models in the multi-party context (i.e. an identity graph). Delegated authorization. But there is an underlying data model for certain use cases for delegation, and will need both. Data model dependent on restrictions or enablement.
- David - Consent and delegation is key.
- Roland - Delegated AuthZ = reminds of AuthZ Assurance Levels ROFL
- Eve - ZAL
- Roland - AuthZ Consent
- Sean - Have to call the meeting early... the ACL did it.
- Wade - PDP/PEP comment. If you start distributing it at the PDP layer you have synchronization complexity. It's a trap - Admiral Ackbar. We have to avoid this... more sources of truth get plumbed in the scenario. Where you source your PIP from is of critical importance. Making decisions on the same kind of centralized data is important, like session-based info... if you have a one-stop shop, less complexity and less drift (both policy and data).
- Eve - Who is approaching PEP/PDP? OAuth is the client.
- Jamie - AuthZ, if we matured it, we need something like authz exchange.
- Elie - APL - Authorization Persistence Layer

## Other

### How to join OpenID slack

- Contact Mike for an invite: mike.leszcz@oidf.org

### Use Case Work (Eve)

See https://hackmd.io/@oidf-wg-authzen/BJxrqVqIp

### Identiverse

- @omri submitted a panel with Atul, Eve, Gerry, Alex, David, and himself.
- @gerryatstrata and @davidbrossard will follow up with Andi Hindle re. floor space for AuthZEN (or OpenID?)

### Interesting Reads

- [Unauthorized - the comedy of errors](https://idpro.org/unauthorized-the-comedy-of-errors/)

### Splitting into sub-calls

- David set up a call for the PDP API spec on Dec 20 (contact David if you are not already on the invite)
  - @davidbrossard
  - Atul
  - @omri
  - Rifaat
  - Elie
  - Sean O
  - Roland Baum
  - @alexbabeanu
  - Mike Kiser
  - Alex Babeanu
  - Wade Ellery
  - George Fletcher
  - Dave Hyland
- Alex to set up a call for the design patterns in early Jan
  - @alexbabeanu
  - @gerryatstrata
  - Dani Katzman
  - Dave Hyland
  - Roland Baum
  - Omri
  - Rifaat
  - Elie
  - Jeff Broberg
  - @xmlgrrl
  - Sean O
  - George Fletcher
  - Mike Kiser