# Meeting Notes 2025-02-18
## Attendees
- Roland Baum
- Budhaditya Bhattacharya (Budha) - Tyk
- Eve Maler
## Agenda
- Partial evaluation update (David B)
- Action Search (David H)
- Interop participation update (Omri)
- Security review process by OpenID Foundation (David B)
## Notes
### Partial Evaluation Meeting
- Vladi, Michiel, and David met to discuss the spec
- We received feedback from Pablo (Axiomatics)
- David to publish
- We need to generalize the function concept so we can allow for nested functions (e.g. `lower(stringEqual())`)
- We agree to follow the AuthZEN request structure
  - Only one unknown category
  - What about `context`?
- We agree partial evaluation will be exposed on a separate endpoint
- We agreed we would have profiles to convert partial evaluation responses into target system filters e.g. SQL, GraphQL...
- We agreed there would be an extension mechanism for functions not supported by all vendors
- **Next step:** David to write the formal part of the partial evaluation spec
### Action Search Profile
- Presented by Dave Hyland
- https://hackmd.io/DQcL9fXfSW6EsxEp_DefRg?view
- Questions
  - Are actions assumed to be flat? (George)
    - Yes - there is generally no hierarchy
    - Vladi: the action `full access` could include `read` and `write`
    - Conclusion: the evaluation doesn't have any hierarchy.
  - Should there be a `context` category in the request?
  - Should the `action` category be removed?
### Interop Update
- 2 confirmed scenarios: the demo and the gateway
- 3 interop sessions with 5 slots (tables) each
  - 10-15 slots
  - about 8 people showing up
- 2 possible new PDPs: Okta OpenFGA and AWS AVP
- 4 gateway implementations: AWS API Gateway, Kong, Zuplo, Envoy.
- Tyk and WSO2 are likely gateways as are 42crunch and Layer 7
### OpenID Security Review Process
- Gail has reached out to the chairs to talk about the testing process of the AuthZEN spec as part of the steps to standardization.
  - It sounds like this would require additional funding
  - We're trying to understand what we need to do specifically
- Has anyone gone through this process previously?
  - George: see FAPI's [attacker model](https://openid.net/specs/fapi-2_0-attacker-model-ID2.html)
    - Are requests immutable? Can the PDP trust the request coming from the PEP? Can the PDP trust the PEP to enforce the decision? Can the PDP be manipulated?
  - The process is from the University of Stuttgart
- We need to identify the core threats we see in AuthZEN
### Repository Structure
- The OpenID AuthZEN repository will contain the spec
- The AuthZEN [github repository](https://github.com/authzen/) will contain code
## Next Steps
- Dedicated partial evaluation meeting on Wednesday - see mailing list for details
- Schedule Alex B's OSW presentation for a future call after the AuthZEN interop
- David to follow up with Gail re. security testing