# Meeting Notes 2025-02-04

## Attendees

* Omri Gazitt
* Alex Babeanu
* Alex Olivier
* George Fletcher
* Vladi Berger
* Mike Kiser
* Wade Ellery
* Victor Lu
* Michiel Trimpe
* Gerry Gebel
* David Brossard
* David Hyland
* Roland Baum
* Elizabeth Garber

## Agenda

- Review latest updates to Search API - https://openid.github.io/authzen/
- Envoy demo
- AWS API gateway demo
- Discuss STS / Tokenetes pattern
- Design Patterns document

## Notes

- Search API updates
  - Formal draft (03) now published on openid.net: https://openid.github.io/authzen/
  - Subject and Resource search are separated, per discussion from last week
  - DH: What about "action"? It's required for things like RAR (but RAR is always in the context of a subject). OG: We only talked a couple of minutes on this last week, so it was not included yet.
  - Getting ids for more than one type seems like it would be difficult to achieve in an interoperable spec
  - OG: In order to have a stable spec for the Gartner interop, we should go with the current version for now and can always add an action search later.
  - David Hyland will write up a proposal to add action search
- Gartner IAM update (March 24-25)
  - We have 3 sessions
  - Homan + David/Omri will have an overview session
  - There is room for up to 15 vendor implementations
  - Evaluation scenario with ToDo app, as done before
  - API gateway scenario
  - IDPs making an AuthZEN call to compliant PDPs to determine which scopes/claims to enrich an access token with
  - You are all encouraged to share the call for participation published on the openid site: https://openid.net/authzen-at-gartner-iam/
  - Let David/Omri know if you can attend Gartner; there are a few passes available if you can cover the T&E
  - Zuplo is committed to participate; also talking to AWS API gateway as well as the AVP/Cedar team
  - David also reached out to other API vendors as well as Mark O'Neill (lead API analyst at Gartner)
- Alex O demonstrates Envoy implementation
  - There is a PR of this code: https://github.com/openid/authzen/pull/201
- Omri demos Amazon API gateway
  - Imported JSON info model
  - Created Lambda authorizers for each
  - ToDo app updated so you can select whether or not an API gateway is part of the request flow
- Tokenetes discussion
  - Devs are conditioned to "look in the token" for authZ
  - The idea is that Tokenetes.io could be another PEP for AuthZEN
  - Ergonomics are similar to what the devs are already used to
  - Atul points out that Google does not make a Zanzibar call for every request, using a similar technique
  - GF: Has seen scenarios where access tokens passed down a services chain can be overloaded with extra functionality that each downstream service needs (also a potential threat vector). Wants to be able to downscope the capabilities, so you gain security properties
  - Called the claim a "purpose" rather than "scope" to separate the terms
  - Some additional discussion comparing this to the RAR approach
  - Alex B to add this pattern to Design Patterns document
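As an added illustration of the API gateway scenario above (this is example code written for these notes, not the demo code or anything from the AuthZEN project), the block below is an AWS API Gateway Lambda REQUEST authorizer that turns an incoming request into an AuthZEN evaluation call and answers with the IAM policy document API Gateway expects. The PDP URL, the `user`/`route` type names, the bearer-token-to-subject mapping, the sample event and the stub PDP are all assumptions made so it runs offline; a real authorizer would validate the JWT before mapping it to a subject. The one property worth copying is that the authorizer fails closed: only an explicit `"decision": true` from the PDP produces Allow, and a timeout, transport error or malformed reply produces Deny.

```python
"""Added example (not AuthZEN project code): API Gateway Lambda authorizer
backed by an AuthZEN PDP. All names, URLs and sample data are assumptions."""
import json
import urllib.request
from typing import Callable, Optional

# Hypothetical PDP host; the path is the AuthZEN evaluation endpoint.
PDP_URL = "https://pdp.example.com/access/v1/evaluation"


def subject_from_event(event: dict) -> Optional[dict]:
    """Map the Authorization header to an AuthZEN subject.
    Assumption for offline use: the raw bearer value is the subject id.
    A real authorizer validates the JWT and reads the subject from its claims."""
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    auth = headers.get("authorization", "")
    if not auth.lower().startswith("bearer "):
        return None
    token = auth[len("bearer "):].strip()
    return {"type": "user", "id": token} if token else None


def build_evaluation_request(event: dict) -> Optional[dict]:
    """Translate the API Gateway event into an AuthZEN evaluation request body."""
    subject = subject_from_event(event)
    if subject is None:
        return None
    ctx = event.get("requestContext") or {}
    method = (ctx.get("httpMethod") or event.get("httpMethod") or "").upper()
    path = ctx.get("resourcePath") or event.get("path") or ""
    return {
        "subject": subject,
        "resource": {"type": "route", "id": path},   # assumed resource type
        "action": {"name": method},                  # HTTP verb as the action
        "context": {"stage": ctx.get("stage", "")},
    }


def iam_policy(principal_id: str, effect: str, method_arn: str,
               context: Optional[dict] = None) -> dict:
    """Build the authorizer response document API Gateway consumes."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke",
                           "Effect": effect, "Resource": method_arn}],
        },
        "context": context or {},  # values must be string, number or boolean
    }


def http_post_json(url: str, body: dict) -> dict:
    """Default transport: POST JSON to the PDP and parse the JSON reply."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="POST",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=2) as resp:
        return json.loads(resp.read())


def authorize(event: dict, post: Callable[[str, dict], dict] = http_post_json,
              pdp_url: str = PDP_URL) -> dict:
    """Ask the PDP once per request; any failure or non-true decision is Deny."""
    method_arn = event.get("methodArn", "*")
    request = build_evaluation_request(event)
    if request is None:
        return iam_policy("anonymous", "Deny", method_arn, {"reason": "no bearer token"})
    try:
        decision = post(pdp_url, request).get("decision") is True  # strict: only true allows
    except Exception:
        decision = False  # PDP unreachable or reply unparsable: fail closed
    effect = "Allow" if decision else "Deny"
    return iam_policy(request["subject"]["id"], effect, method_arn,
                      {"authzen_decision": str(decision).lower()})


def lambda_handler(event: dict, context=None) -> dict:
    """Entry point API Gateway invokes."""
    return authorize(event)


# Constructed stub PDP so the example runs offline: alice may GET /todos, nothing else.
def stub_pdp(url: str, body: dict) -> dict:
    allowed = (body["subject"]["id"] == "alice"
               and body["action"]["name"] == "GET"
               and body["resource"]["id"] == "/todos")
    return {"decision": allowed}


def sample_event(method: str, path: str, bearer: Optional[str]) -> dict:
    """Constructed API Gateway REQUEST-authorizer event (account/API ids are fake)."""
    headers = {"Authorization": f"Bearer {bearer}"} if bearer else {}
    return {
        "methodArn": f"arn:aws:execute-api:us-east-1:123456789012:abc123/prod/{method}{path}",
        "headers": headers,
        "requestContext": {"httpMethod": method, "resourcePath": path, "stage": "prod"},
    }


if __name__ == "__main__":
    for ev in (sample_event("GET", "/todos", "alice"),
               sample_event("DELETE", "/todos", "alice"),
               sample_event("GET", "/todos", None)):
        print(authorize(ev, post=stub_pdp)["policyDocument"]["Statement"][0]["Effect"])
```

The transport is injected so the same `authorize` function can be exercised against a stub in tests and against the real PDP in the deployed function; swapping `stub_pdp` for `http_post_json` is the only change. Keeping the subject mapping behind `subject_from_event` is also where JWT validation and the "purpose" or scope claims discussed above would be read, without touching the decision path.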