# Meeting Notes 2024-11-05

## Attendees

- @omri
- @davidbrossard
- @rolandbaum
- @vladi

## Agenda

- Vote! It's the thing to do today - https://openid.net/foundation/members/polls/343
- OIDF workshop update
  - Conformance suite
- Review of IIW
  - Sessions
  - Cedar
- Policy Routing proposal
- Continuation of 1.1 feedback
- Continuation of search discussion
  - Partial evaluation vs returning results
  - Vlad to share draft of response format

## Notes

### Updates

- OIDF workshop was low-key. Talk of a conformance suite.
- IIW:
  - Steve Venema gave AuthZ 101
  - Rohit Khare (AuthZ Substack) presented the work in the newsletter
  - Omri gave 3 talks
    - AuthZEN
    - Authorization 102: the 5 laws of authorization
    - OAuth claims vs. dynamic authorization
  - Talk on Cedar
  - Alex (Cerbos) gave a talk on RAG
  - Cerbos and Aserto gave RAG access control demos
  - Gert gave a talk on policy-as-code
  - Elie A. organized an identibeer (8-10 attendees)
  - AuthZ Substack meetup was not well-attended (it happens on the back end of IIW)
- Cedar update
  - Julian Lovelock of AWS is interested in building an AuthZEN interface for Cedar.
- Scopes vs. dynamic authorization
  - Vast confusion: should I make scopes fine-grained? Coarse-grained?
  - Fine-grained scopes give an illusion of fine-grained authz, but it really isn't. Scopes/claims should be seen as a first line of defense.
  - Action item: build a BoK article on authz (claims vs policies)
- Questions from Victor Lu
  - Can this technology be used for database access control or RAG?
  - A: yes, of course. 2 ways to handle access control:
    - Produce the filter expression (stateless approach)
    - Produce the list of items (stateful approach)

### Policy Routing Proposal

- [Background](https://hackmd.io/t8s_EzAqSnCJKNklIuvbng)
- The need for discovery
  - A PDP can implement the `evaluation` and the `evaluations` endpoints
  - A PDP can be AuthZEN-compliant by implementing just the first endpoint, `evaluation`.
  - The discovery service can help discover which services the PDP offers and what the URL/routing is.
- Routing
  - Some products have a single endpoint for all tenants
  - Some products use headers to route to a tenant
  - Some products change the URL based on the tenant (e.g. Entra ID)
  - Some products change the hostname
  - Option: change the payload of the request to route - we all agree this is not a good option as it modifies the semantics of the authZ request

### Evaluations Mechanism (boxcarred requests)

- How do we convey semantics on how the PEP/PDP process boxcarred requests?
  - Send 10 boxcarred requests and give me 10 (a mix of true/false)
  - Deny on first deny - short-circuit the entire evaluation
  - Permit on first permit
  - Fail on first error
- Options
  - Metadata in the request
  - Leverage the context element
  - Other?
  - XACML has a CombinedDecision flag on the request
    - See [spec](https://docs.oasis-open.org/xacml/3.0/xacml-3.0-multiple-v1-spec-cd-03-en.html#_Ref248640899)

## Actions

- Omri to add a discovery mechanism in a 1.2 draft