# Meeting Notes 2025-06-24

## Attendees

* Gerry Gebel
* David Brossard
* George Fletcher
* Vatsal Gupta
* Elie Azerad
* Julio Auto De Medeiros
* Michiel Trimpe
* Jonathan Falconnier
* Alex Babeanu

## Agenda

- Review open issues with the group
  - 329 Resource creation when id is not yet known
  - 325 Leave more leeway for pagination
  - 278 Inconsistent use of reason...
  - 268 Security section needs details on Client AuthN failure
  - 250 Deny_on_first_deny... examples are cumbersome
  - 230 Search API statistics needed
  - 55 Sign access decision?
  - 46 and 47 Device ID and IP address
- Alex B and reason code update
- Authenticate update: speaking proposal was accepted
- Gartner interop planning - update details on all the potential participants
- Meeting time schedule - let's review and also talk about the summer schedule

## Notes

Open issue review - David, Gerry and Jeff met last week to review all the open issues. The following are issues that we wanted to discuss with the broader group.

- 329: Resource id will be optional. We recommend that id always be included except during create. Alex B agreed to make an update and pull request.
- 325:
  - Recommendation: We introduce a type field inside the page object and define pagination type values. There are 2 values at the moment: `token` and `offset`. The type determines which other fields are present in the page object. For instance, token will require a token field. We also need to think about limits we have to apply to pagination to avoid DoS attacks or server overloads. The backend needs to have its own limits/validation (either under security considerations or in the pagination section).
  - Recommendation #2: Factor out pagination from the specific sections it is in into a single pagination section that applies to all parts where pagination is relevant.
  - Note: We need to steer clear of transport-level breakup principles (chunked responses, multi-parts, etc...) that are specific to the transport mechanism chosen (HTTP REST vs. gRPC vs. other).
- 230: See parent issue 325 for comments. The metadata endpoint could specify which statistics are provided.
- Other
  - Michiel asked if a logging standard could be added to AuthZEN
    - David is agreeable
    - George - some similar discussions have emerged in the SSF, may want to take this to IETF if it is broad enough
    - Michiel will work on a proposal and share it with the group on a future call
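
The typed page object and backend limits recommended under issue 325 could be enforced server-side along the following lines. This is an added example, not text or code from the AuthZEN specification or the working group: only the `type` field, its values `token` and `offset`, and the `token` field come from the notes, while the `offset` and `limit` field names and every numeric cap are assumptions.

```python
# Added example: server-side validation of a typed page object.
# From the notes: "type", its values "token"/"offset", and the "token" field.
# Assumed for illustration: "offset", "limit", and all numeric caps below.
DEFAULT_LIMIT = 25       # assumed page size when the client sends none
MAX_LIMIT = 100          # assumed cap on page size
MAX_OFFSET = 10_000      # assumed cap on deep offset scans
MAX_TOKEN_LEN = 512      # assumed cap on opaque token length

# The type decides which other fields must and may be present.
REQUIRED = {"token": {"token"}, "offset": {"offset"}}
ALLOWED = {"token": {"type", "token", "limit"},
           "offset": {"type", "offset", "limit"}}


class PageError(ValueError):
    """Raised when a page object must be rejected."""


def _bounded_int(page, key, low, high, default=None):
    value = page.get(key, default)
    # bool is a subclass of int in Python, so reject it explicitly.
    if isinstance(value, bool) or not isinstance(value, int):
        raise PageError(f"{key} must be an integer")
    if not low <= value <= high:
        raise PageError(f"{key} out of range {low}..{high}")
    return value


def validate_page(page):
    """Return a normalized page object or raise PageError."""
    if not isinstance(page, dict):
        raise PageError("page must be an object")
    ptype = page.get("type")
    if not isinstance(ptype, str) or ptype not in REQUIRED:
        raise PageError("unknown pagination type")
    missing = REQUIRED[ptype] - set(page)
    extra = set(page) - ALLOWED[ptype]
    if missing or extra:
        raise PageError(f"missing={sorted(missing)} unexpected={sorted(extra)}")
    limit = _bounded_int(page, "limit", 1, MAX_LIMIT, DEFAULT_LIMIT)
    out = {"type": ptype, "limit": limit}
    if ptype == "token":
        token = page["token"]
        if not isinstance(token, str) or not 0 < len(token) <= MAX_TOKEN_LEN:
            raise PageError("token must be a non-empty bounded string")
        out["token"] = token
    else:
        out["offset"] = _bounded_int(page, "offset", 0, MAX_OFFSET)
    return out
```

Because the check operates on the decoded page object only, it is independent of whether the request arrived over HTTP REST, gRPC or another transport.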