## Agenda

- EIC update (Allan)
- OpenID page for interop status of participants
- ToDo app: has this been added to the AuthZEN GitHub?

## Attendees (please add your name to the list)

- @omri
- @shaikhtn (Tariq - Capital One)
- Scott Guyer (@saggy)
- @alexbabeanu

## Topics that came up ...

- Question raised by George about what to do with respect to advice from the PDP to the PEP regarding what you could do next (e.g., think step-up).
- Discussion ensued about Advice vs. Obligation - the need for each.
- Questions around what to do for data redaction use cases (the notion was obligations, which forces some agreement or compliance to actually act on the obligation).
- Related to obligations, the topic of how to handle GraphQL types of structures. Alex says 3edges has some proprietary approach that prevents potentially disallowed data from getting into the GraphQL response, but also doesn't force you to code policy into the GraphQL authorizers.
- David Hyland mentioned that RAR could play a role because he has a use case in the verifiable credentials space that follows similar patterns to PEPs/PDPs. The model in his case was that the token tells you what you could do, and the PDP that receives the token then enforces that.
- Tariq asked whether we are considering the interactions between PAPs and PDPs, in particular a way to share authz policies across various PDPs and PAPs. We all agreed that it would be valuable, but a can of worms. Worthy of its own work stream, but we started with the lower-hanging fruit of the AuthZEN API.
- Discussion around token augmentation, the AS and the PDP, and how clarity on design patterns may help there.

Topics for future discussions:

- Request/response API
  - Suggest splitting into part 1 (Allow/Deny) and part 2 (Query).
  - Reconcile Req/Resp with payload.
  - Add advice/obligations to API part 1.
- Start a PAP workstream
  - Consider API part 2 to be part of the PAP workstream.
- IIW face to face?

## Next week

We decided to resume discussions on the design patterns, with priority given to interop questions/issues as/if they occur/emerge. We also spoke about defining use cases for the PEP (i.e., what are the requirements for access).