# Meeting Notes 2024-07-16

## Attendees

- @omri
- @davidbrossard
- @gerryatstrata
- @xmlgrrl
- Alex Babeanu
- Roland Baum
- David Hyland
- Victor Lu

## Agenda

- Spec submission process update
  - Complete Security Considerations section
  - Add "Notices" Appendix (mandatory)
  - Determine if IANA is to be included (optional)
  - Once the above are complete, we submit a package to OIDF for review
  - They publish on the spec page https://openid.net/developers/specs/
  - Then the review period of 45 days starts
  - The voting period starts 7 days before the end of review and continues for 14 days total
  - Need 20% of membership at that time to reach quorum
  - OIDF will construct blog posts and send email notifications
- Refine interop scenario to make it adhere to the spec (and become more ReBAC friendly)

## Notes

### Specification work

- We need someone to add a security section/considerations. [TBD]
  - [Shared Signals Framework Security Considerations](https://openid.net/specs/openid-sharedsignals-framework-1_0-ID2.html#name-security-considerations)
  - All three drafts are [here](https://openid.net/three-shared-signals-drafts/) but there's not much in the other specs
  - [UMA2 Grant Security Considerations](https://docs.kantarainitiative.org/uma/wg/rec-oauth-uma-grant-2.0.html#sec-consid)
  - [UMA2 FedAuthz Security Considerations](https://docs.kantarainitiative.org/uma/wg/rec-oauth-uma-federated-authz-2.0.html#sec-consid) and the [UMA2 FedAuthz API protection infrastructure](https://docs.kantarainitiative.org/uma/wg/rec-oauth-uma-federated-authz-2.0.html#api-sec)
- Gerry also brought up the schedule
- Shared Signals [example](https://openid.net/three-shared-signals-drafts/)

### Interop Scenario

- [Background](https://hackmd.io/rOm3BA4qSGmX477UXRNUuw?view)
- With the introduction of mandatory id and type for subject and resource, we need to update the interop.
- Omri also suggested we support 'stateful implementations': an option between a fully-spec'ed request and a barebones request
  - Should we decide to pass in all the required data in the PEP-PDP request?
  - Today, how we handle/retrieve data is out of scope of AuthZEN.
- Moving forward with the redesign of the demo app, other implementations, e.g. OpenFGA, should be able to join in AuthZEN.
- [Payloads for the Todo application interop scenario](https://hackmd.io/tT8iVNbVQNuJvKfWfyjv0Q?view)
- Pet Store analogy: PUT/DELETE on /pets/{123} and GET/POST on /pets (listing pets vs. creating a new pet)
- Updating the interop app requests to be in line with the new spec
  - Comment directly in the document

### Boxcarring

- All to review the 1.1 spec available on the [OpenID AuthZEN Github repo](https://openid.github.io/authzen/authorization-api-1_1.html).
- Focus on the new section [Access Evaluations API](https://openid.github.io/authzen/authorization-api-1_1.html#name-access-evaluations-api)

### AuthZEN RAR Binding

- All can review the [current draft](https://www.ietf.org/archive/id/draft-brossard-oauth-rar-authzen-03.html)

## Action Items

- All to review material aforementioned
- David to take up the security considerations section
- Gerry to own other sections
- IANA considerations are optional and we will not submit any (yet).
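To make the interop change discussed above concrete (mandatory `id` and `type` on subject and resource, and the Pet Store mapping of PUT/DELETE on /pets/{123} versus GET/POST on /pets), here is an added example that is not part of the meeting notes or of the AuthZEN spec or interop repo. It assumes a request shape of `subject`/`resource` objects carrying `type` and `id` plus an `action` with a `name`; the resource type names and the use of the HTTP method as the action name are constructed for illustration.

```python
"""Check PEP->PDP evaluation requests for the updated interop scenario.

Added example, not spec or project code. Assumed shape:
{"subject": {"type", "id"}, "resource": {"type", "id"}, "action": {"name"}}
with id and type mandatory on subject and resource.
"""

# Mandatory keys per top-level object (assumption based on the notes above).
REQUIRED = {"subject": ("type", "id"), "resource": ("type", "id"), "action": ("name",)}


def validate_request(req: dict) -> list[str]:
    """Return a list of problems; an empty list means the request is well-formed.

    A PDP should reject rather than guess when id or type is missing, since a
    request without a concrete resource id cannot be evaluated unambiguously.
    """
    problems = []
    for section, keys in REQUIRED.items():
        obj = req.get(section)
        if not isinstance(obj, dict):
            problems.append(f"missing object: {section}")
            continue
        for key in keys:
            value = obj.get(key)
            if not isinstance(value, str) or not value:
                problems.append(f"{section}.{key} must be a non-empty string")
    return problems


def pet_store_request(subject_id: str, method: str, path: str) -> dict:
    """Map a Pet Store HTTP call onto a request with explicit resource id/type.

    PUT/DELETE on /pets/{id} target a single pet; GET/POST on /pets target the
    collection, so the collection itself becomes the resource (constructed
    type names "pet" and "pet_collection").
    """
    parts = [p for p in path.split("/") if p]
    if len(parts) == 2 and parts[0] == "pets" and method in ("PUT", "DELETE"):
        resource = {"type": "pet", "id": parts[1]}
    elif parts == ["pets"] and method in ("GET", "POST"):
        resource = {"type": "pet_collection", "id": "pets"}
    else:
        raise ValueError(f"unsupported operation: {method} {path}")
    return {
        "subject": {"type": "user", "id": subject_id},
        "resource": resource,
        "action": {"name": method},
    }
```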