# Meeting Notes 2024-09-10

## Attendees
- @omri
- @xmlgrrl
- @alexbabeanu
- Roland B
- David Hyland
- @davidbrossard

## Agenda
- Final review of changes for Authorization API draft 01
- Ordering in boxcarring
- Revisit the RAR discussion

## API Review
See [Authorization API 1.0 – draft 01](https://openid.github.io/authzen/).

RB: why call action an action and not permission or operator?

Decision: keep 'action' as it's the commonly accepted term.

## Evaluations API
- Ordering of requests and responses.

In boxcarring, the request can contain multiple authorization requests. The response therefore contains multiple decisions. Should we guarantee the order of the responses with regards to the requests?

The team is leaning towards an array of requests and an array of responses. This leads to a more lightweight PEP as it no longer needs to try and correlate requests to responses. Additionally, it allows for future scenarios e.g. `fail-on-first-deny`.

For instance, a PEP can send the following: "Can Alice view, edit, delete record #123?". The traditional response could be "Yes, Deny, Deny" or we could short-circuit and just return Deny.

## OAuth Interoperability
- The feedback from IETF 120 was that there is a mismatch between OAuth RAR and the AuthZEN profile.
- See https://github.com/panva
- We should also look at the OAuth grant management API and see whether there is an ability to plug AuthZEN in there. This would likely be the `Search` API of AuthZEN (when defined).
- AuthZEN should be used as the standardization framework for an AS to talk to a PDP and request authorization (e.g. in a token issue flow to check whether a claim can be added to a token or which claims should be added)

## Let's all go to Abilene
https://en.wikipedia.org/wiki/Abilene_paradox

## Other work in flight
- Separate WG updates?
- Design Patterns Doc - @alexbabeanu ?

## Important Dates
- [Nordic APIs](https://nordicapis.com/events/platform-summit-2024/) - Oct 7-9
- Authenticate - Interop, Panel, and readout planned during the week
- [IIW](https://www.eventbrite.com/e/internet-identity-workshop-iiwxxxix-39-2024b-tickets-908232647297?aff=oddtdtcreator) - Oct 29-31, plus [OIDF workshop](https://openid.net/registration-oidf-workshop-cisco-october-28-2024/) Oct 28
  - Omri is presenting AuthZEN WG at the workshop
- [KubeCon](https://events.linuxfoundation.org/kubecon-cloudnativecon-north-america/) Nov 12-15
- [Gartner IAM](https://www.gartner.com/en/conferences/na/identity-access-management-us) - Dec 9-11
  - Omri & David have a talk similar to what was done at Identiverse.
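
Added example, not part of the meeting notes or of the AuthZEN draft: how a PEP could consume the ordered arrays discussed under Evaluations API, pairing decisions with requests by position and denying on anything it cannot pair. The field names (`evaluations`, `decision`, `action.name`) and the reading of `fail-on-first-deny` as "the response may stop early" are assumptions made for illustration.

```python
def build_boxcar(subject, resource, actions):
    """One authorization request per action; array order is the correlation key."""
    return {"evaluations": [
        {"subject": subject, "action": {"name": a}, "resource": resource}
        for a in actions]}


def _is_permit(entry):
    # Only a literal boolean True is a permit; "true", 1 or a missing key is a deny.
    return isinstance(entry, dict) and entry.get("decision") is True


def correlate(request, response):
    """Ordered mode: decision i answers request i.

    A response with a different number of decisions cannot be paired safely,
    so it is rejected instead of being partially trusted.
    """
    reqs = request["evaluations"]
    decs = response.get("evaluations")
    if not isinstance(decs, list) or len(decs) != len(reqs):
        raise ValueError("decision count does not match request count")
    return [(r["action"]["name"], _is_permit(d)) for r, d in zip(reqs, decs)]


def all_permitted(request, response):
    """Short-circuit mode (assumed semantics): the response may stop early.

    The batch is allowed only when every request received an explicit permit,
    so a truncated or oversized response always evaluates to deny.
    """
    reqs = request["evaluations"]
    decs = response.get("evaluations")
    if not isinstance(decs, list) or len(decs) != len(reqs):
        return False
    return all(_is_permit(d) for d in decs)


# Constructed sample data: "Can Alice view, edit, delete record #123?"
REQUEST = build_boxcar({"id": "alice"}, {"type": "record", "id": "123"},
                       ["view", "edit", "delete"])
FULL = {"evaluations": [{"decision": True}, {"decision": False}, {"decision": False}]}
SHORT = {"evaluations": [{"decision": False}]}  # short-circuited: "just return Deny"

if __name__ == "__main__":
    print(correlate(REQUEST, FULL))
    print(all_permitted(REQUEST, SHORT))
```
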