
Meeting Notes 2025-03-18

Attendees

  • JF Lombardo
  • Alex Babeanu
  • Julio Auto De Medeiros
  • Victor Lu
  • Gerry Gebel
  • Ravi Erakulla
  • David Brossard
  • Mat Hamlin
  • Shannon Roddy
  • Alex Olivier
  • Michiel Trimpe

Agenda

Notes

Partial evaluation

Search API

Negative Testing

  • The interop only has happy paths
  • We need to include tests that cover errors
    • Invalid requests
    • Overly large requests
  • Other testing
    • Via Search
    • Via Partial Evaluation
  • Generally we test "discretely".
    • Can Alice view item 123?
  • What if we wanted to test negatively?
    • Is there any way Alice can view item 123?
    • How can Alice NOT view item 123?
  • When Search and Partial Evaluation are out, we need to verify how they can help us build new tests.
  • Can we generate test cases from schemas?
    • If we know we have 5 roles and 10 object types and 3 actions, we could generate a matrix of tests. This is somewhat outside the scope of AuthZEN for now.
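The schema-driven matrix and the "is there any way Alice can view item 123?" style of check discussed above, as an added example; this is not the working group's interop code. The request field names (subject/resource/action objects with type, id, name and properties) are assumed, the 5x10x3 schema is constructed to match the numbers in the notes, and `stub_pdp` is a toy policy standing in for a real PDP endpoint so the script runs offline:

```python
import itertools
import json

# Constructed schema, matching the notes' "5 roles, 10 object types, 3 actions".
ROLES = ["admin", "editor", "viewer", "auditor", "guest"]
OBJECT_TYPES = [f"type{i}" for i in range(1, 11)]
ACTIONS = ["view", "edit", "delete"]
MAX_REQUEST_BYTES = 4096  # assumed PDP request-size limit for the oversized case


def make_request(subject_id, role, resource_type, resource_id, action):
    """One access evaluation request (field names are assumptions, not from the notes)."""
    return {
        "subject": {"type": "user", "id": subject_id, "properties": {"role": role}},
        "resource": {"type": resource_type, "id": resource_id},
        "action": {"name": action},
    }


def generate_matrix(subject_id="alice", resource_id="123"):
    """Every role x object type x action combination: 5 * 10 * 3 = 150 requests."""
    return [
        make_request(subject_id, role, obj_type, resource_id, action)
        for role, obj_type, action in itertools.product(ROLES, OBJECT_TYPES, ACTIONS)
    ]


def generate_negative_requests():
    """Malformed and oversized requests of the kind the interop never sends."""
    base = make_request("alice", "viewer", "type1", "123", "view")
    missing_subject = {k: v for k, v in base.items() if k != "subject"}
    wrong_shape = dict(base, action="view")  # action must be an object, not a string
    oversized = dict(base, context={"blob": "A" * (2 * MAX_REQUEST_BYTES)})
    return {"missing_subject": missing_subject, "wrong_shape": wrong_shape, "oversized": oversized}


def stub_pdp(request):
    """Constructed stand-in for a PDP: validate the request, then apply a toy policy.
    Returns {"decision": bool} or {"error": str}; a real PDP would answer over HTTP."""
    if len(json.dumps(request).encode("utf-8")) > MAX_REQUEST_BYTES:
        return {"error": "payload too large"}
    for key in ("subject", "resource", "action"):
        if not isinstance(request.get(key), dict):
            return {"error": f"invalid request: {key} must be an object"}
    role = request["subject"].get("properties", {}).get("role")
    action = request["action"].get("name")
    permit = (
        role == "admin"
        or (role == "editor" and action != "delete")
        or (role in ("viewer", "auditor") and action == "view")
    )
    return {"decision": permit}


def discrete_test(request, pdp=stub_pdp):
    """The usual happy-path check: can Alice (as viewer) view item 123?"""
    return pdp(request)["decision"]


def roles_that_permit(subject_id, resource_type, resource_id, action, pdp=stub_pdp):
    """The negative-style question: is there ANY role under which the subject is
    permitted? Sweeps the role dimension and returns the permitting roles; an
    empty list means "there is no way"."""
    return [
        role for role in ROLES
        if pdp(make_request(subject_id, role, resource_type, resource_id, action)).get("decision")
    ]


def negative_test_results(pdp=stub_pdp):
    """Send each malformed request and record whether the PDP rejected it."""
    return {name: "error" in pdp(req) for name, req in generate_negative_requests().items()}


if __name__ == "__main__":
    print(len(generate_matrix()), "matrix cases")
    print("viewer can view 123:", discrete_test(make_request("alice", "viewer", "type1", "123", "view")))
    print("roles that can delete 123:", roles_that_permit("alice", "type1", "123", "delete"))
    print(negative_test_results())
```

Swapping `stub_pdp` for a function that POSTs to a real PDP turns `roles_that_permit` into the "how can Alice NOT view item 123?" check: the test passes only when the returned list is empty for every role the deployment actually grants.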

Discovery Endpoint

  • We need to start working on the discovery endpoint (See roadmap)

Security Testing

  • Alex (Indykite) talked to the OIDF security test folks at OSW

Hi All,
So Tim, Pedram and I just had a chat, the conclusion of which was that since AuthZEN is essentially just a payload format for a communication protocol, there is no inherent security risk to consider. Whatever security testing would be performed would actually test the communication framework, not really AuthZEN itself.
Ralf will provide the final answer and follow-up, just wanted to keep this thread updated with the latest.
Cheers, Alex

Ralf later confirmed:

a security analysis of AuthZEN does not seem to make sense.

And Gail confirmed we're good to proceed to standardization.

GitHub issues

  • https://github.com/openid/authzen/issues/250
    • deny_on_first_deny and permit_on_first_permit examples are cumbersome #250
    • We need to restructure the response format: at the moment the response size is not bounded, because we return every decision that was evaluated. We should return either at most N decisions (N = the number of boxcarred requests) or just one (the overriding decision).
{
  "evaluations": [
    {
      "decision": true
    },
    {
      "decision": false,
      "context": {
        "id": "200",
        "reason": "deny_on_first_deny"
      }
    }
  ]
}

The example above is flawed: it forces the PEP to iterate through all the evaluations to work out that false is the overall answer, because that decision came from deny_on_first_deny.
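What the PEP is currently forced to do with that response, and the "just one decision" alternative from the bullet above, as an added example; this is not code from the issue, the spec, or any implementation. The response is constructed to match the shape quoted above, the semantic names are the two in the issue title, and `overriding_evaluation`, `single_decision_response` and `check_response_length` are hypothetical helper names:

```python
# Constructed PDP response, identical in shape to the one quoted from issue #250.
ISSUE_250_RESPONSE = {
    "evaluations": [
        {"decision": True},
        {"decision": False, "context": {"id": "200", "reason": "deny_on_first_deny"}},
    ]
}


def check_response_length(response, boxcarred_count):
    """PEP-side sanity check. With the current shape the only bound a PEP can
    enforce is "at least one, and no more decisions than boxcarred requests"."""
    evals = response.get("evaluations")
    return isinstance(evals, list) and 0 < len(evals) <= boxcarred_count


def overriding_evaluation(response, semantic):
    """Locate the evaluation that determines the overall answer.

    This is the iteration the notes object to: under deny_on_first_deny the
    PEP cannot simply read the last element, because a PDP that ignored the
    option returns every decision, so it must scan for the first deny
    (the first permit under permit_on_first_permit).
    """
    evals = response.get("evaluations") or []
    if not evals:
        raise ValueError("response carries no evaluations")
    if semantic == "deny_on_first_deny":
        target = False
    elif semantic == "permit_on_first_permit":
        target = True
    else:
        raise ValueError(f"unsupported semantic: {semantic}")
    for entry in evals:
        if bool(entry.get("decision")) is target:
            return entry
    # No overriding decision was hit: every request got the opposite answer,
    # so any entry represents the overall result; report the last one.
    return evals[-1]


def overall_decision(response, semantic):
    """Boolean outcome for the whole boxcar."""
    return bool(overriding_evaluation(response, semantic)["decision"])


def single_decision_response(response, semantic):
    """The "just one (the overriding decision)" alternative floated in the notes,
    as a hypothetical shape: a single top-level decision plus its context, so
    the PEP reads decision directly without iterating."""
    entry = overriding_evaluation(response, semantic)
    out = {"decision": bool(entry["decision"])}
    if "context" in entry:
        out["context"] = entry["context"]
    return out


if __name__ == "__main__":
    print(check_response_length(ISSUE_250_RESPONSE, boxcarred_count=2))
    print(overall_decision(ISSUE_250_RESPONSE, "deny_on_first_deny"))
    print(single_decision_response(ISSUE_250_RESPONSE, "deny_on_first_deny"))
```

Note that the scan in `overriding_evaluation` is what disappears once the response carries the overriding decision on its own: the PEP would then validate one object of fixed size instead of an array whose length it can only bound by the number of requests it sent.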

  • Next steps: schedule breakout sessions to go over the other issues

Upcoming Events

Confirmed

  • London Gartner IAM Interop
    • Tuesday, March 25, 2025 at 1PM, 2:45PM, and 4:30PM (GMT).
    • Italian Room
    • Session: Tuesday 11am
  • European Identity Conference
    • 11:40 Thursday May 8th
    • We also have a room like last year - details TBD
  • Identiverse
    • 1:30pm Tuesday June 3rd

Submissions

  • Authenticate 2025
  • EIC Awards Submission

Next week's call

  • Due to Gartner IAM, we will cancel next week's call