# Meeting Notes 2024-10-29
## Attendees
- Gerry Gebel
- Mike Kiser
- Vladi Berger
- Roland Baum
- Jonas Iggbom
- Victor Lu
- Alex Babeanu
- David Brossard
- Eve Maler
## Agenda
- Curity description/demo of their integration with API 1.1 (single request)
- Review additional feedback on the interop spec for API 1.1
- Voting on 1.0 Implementer's Draft starts on Nov 7
- Revisiting the use cases doc
- Restart discussion on search
## Notes
- Curity wrote an authorization manager that uses the AuthZEN API. They have multiple ways of dealing with authorization. It can be invoked for their SCIM API, and they also have a user management GraphQL API for managing DCR clients where filters can be applied.
  - Took about 45 minutes to do the implementation
  - Interested to see how the working group handles context (obligations) that are included in a response
  - This will be useful when constructing tokens and deciding what claims are included
- Feedback
  - We will review Omri's comments when he is on the call. Alex already made some comments in the doc Omri posted.
  - Pablo from Axio: Having a multi-value attribute is not the same as having an array. David will ask for further clarification.
- Use cases document
  - We should reach out to non-PDP vendors to implement the API
  - Therefore we need a strategy for marketing
  - The working group will have to undertake the task of marketing the benefits of AuthZEN to a wider audience
  - David will create a spreadsheet (md) of people to contact
- Search
  - David and Alex had started a document but don't fully agree on what search means
  - Different vendor implementations are quite different from each other
  - Definition: Given a set of conditions (constraints), determine what can happen (allowed actions)
  - The search response could take two forms:
    - The list of items/permissions allowed
    - A predicate/filter (such as a SQL where clause)
  - David walks through an example to illustrate the point
    - Policies
      - Managers can view documents in their dept
      - Managers can edit documents they own in draft mode
    - Assumptions
      - Alice is a manager in the sales dept. Doc 123 is a draft in engineering owned by Alice. Doc 124 is a final doc in sales.
    - Q: Can Alice edit document 123?
      - A: Permit/Deny
    - Q: Which documents can Alice edit?
      - A: `doc.owner == "Alice" AND doc.status == "draft"`
      - Subsequently, someone converts the raw answer to a filter the SoR understands, e.g. GraphQL, SQL ...
        `SELECT * FROM docs WHERE owner='Alice' and status = 'draft'`
  - Vladi offered to provide a draft of how the response can be structured
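
David's example above, worked end to end as an added illustration (not code from the meeting, and not the AuthZEN API, whose search response was still undefined at this point). The `(column, value)` condition list, the function names, and the owner of doc 124 are assumptions; the translation step binds values as parameters and allowlists column names so the PDP-derived filter cannot alter the query.

```python
import sqlite3

# Constructed sample data following the notes' assumptions.
ALICE = {"id": "Alice", "role": "manager", "dept": "sales"}
DOCS = [
    (123, "Alice", "draft", "engineering"),
    (124, "Bob", "final", "sales"),  # owner is not given in the notes; "Bob" is assumed
]
# Columns a residual predicate may reference in the system of record.
ALLOWED_COLUMNS = {"owner", "status", "dept"}

def search(subject, action):
    """Partially evaluate the two policies for a known subject and action.
    Returns the residual conditions on the document (ANDed), or None for deny-all."""
    if subject["role"] != "manager":
        return None
    if action == "view":   # managers can view documents in their dept
        return [("dept", subject["dept"])]
    if action == "edit":   # managers can edit documents they own in draft mode
        return [("owner", subject["id"]), ("status", "draft")]
    return None

def check(subject, action, doc):
    """Single decision (Permit/Deny) for one document, from the same policies."""
    conds = search(subject, action)
    return conds is not None and all(doc[col] == val for col, val in conds)

def to_sql_where(conds):
    """Translate the residual predicate into a parameterized WHERE clause."""
    if conds is None:
        return "1 = 0", []          # deny-all must never widen to "no filter"
    if not conds:
        return "1 = 1", []
    for col, _ in conds:
        if col not in ALLOWED_COLUMNS:
            raise ValueError(f"unexpected column in predicate: {col!r}")
    return " AND ".join(f"{col} = ?" for col, _ in conds), [val for _, val in conds]

def allowed_ids(subject, action):
    """Apply the filter in the system of record (in-memory SQLite here)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE docs (id INTEGER, owner TEXT, status TEXT, dept TEXT)")
    db.executemany("INSERT INTO docs VALUES (?, ?, ?, ?)", DOCS)
    where, params = to_sql_where(search(subject, action))
    rows = db.execute(f"SELECT id FROM docs WHERE {where} ORDER BY id", params)
    return [row[0] for row in rows]

if __name__ == "__main__":
    print(to_sql_where(search(ALICE, "edit")), allowed_ids(ALICE, "edit"))
```
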