# Meeting Notes 2025-09-04

## Attendees

* Alex Babaenu
* Wei
* Vladi Berger
* Gerry Gebel
* Elie Azerad
* Michiel Trimpe
* Roland Baum
* Edmund Jay
* Alex Olivier
* David Brossard
* Julio Auto De Medeiros
* Vatsal Gupta
* Travis Farrell

## Agenda

- Gartner interop use cases
- Pull requests
  - 3 new ones
- Issues list

## Notes

### Pull requests

- 366: A robust discussion on pagination. We did not come to a conclusion on this topic as some of the key commenters (Omri or Gert) were not available.
- 361: Adding optional signature to access response. This was updated and approved during the call.

### Gartner

- Speaking session:
  - Title: Extend your Identity Providers with OpenID AuthZEN, achieve fine-grained authorization, and enable Zero Trust
  - Abstract: A year ago, we introduced Gartner attendees to a new standard, OpenID AuthZEN that promised to establish a standard for fine-grained authorization. A year later and two interops later, we're happy to report that the draft is nearing final specification and that we have completed 3 new interops focusing on API gateways, the AuthZEN Search API, and IdP integrations. With AuthZEN, IAM teams can confidently externalize and standardize authorization across their application estate without being locked in to a proprietary API. Gone are the days of incomplete authorization and gaps in access control logic. With OpenID AuthZEN we are closer to enabling the Zero Trust Enterprise. This session will review the progress achieved in the past twelve months, highlight the milestones, and demo the latest integrations.
  - Speakers: request that Homan be moderator like last time and add Alex Olivier as co-speaker.

### Interop

- IdP - AuthZEN PDP integration
  - What will the 'demo' look like? What's the outcome? How do we illustrate that a token has been issued or enriched?
  - 3 integrations
    - **token issuance**: IdP uses `evaluation` to ask whether a token can be issued for a user altogether
    - **token enrichment**: IdP uses `evaluations` to ask which claims/scopes of a well-known list should be inserted inside the token that is about to be issued
    - **token enrichment**: IdP uses `search` to determine which claims/scopes to insert inside the token that is about to be issued. This is functionally the same as the previous use case
    - **Step-up authentication**: call the IdP to determine whether the token should be issued and inspect the context object in the response to determine whether MFA is needed.
  - Dedicated meeting Friday 9/5 at 3pm CET/6am PT
    - We will use the usual Zoom bridge from the weekly call https://zoom.us/j/92150123981?pwd=YnhuSXNxU2w4Z3VGc3lrUjRNSTBUZz09

### Certification Tests

- Someone in the AuthZEN group needs to start writing the criteria for the certification test suite that Edmund and team can then use to create the formal suite.
  - Define requirements per endpoint
  - Define mandatory endpoints
  - Define valid payloads and responses
- Check with Atul from Shared Signals to see how they defined acceptance tests for their endpoints.
  - See also https://openid.net/certification/
- Check with Mike Jones re. certification process for OpenID Connect and FAPI profiles
  - See also this [example](https://openid.net/wordpress-content/uploads/2018/06/OpenID-Connect-Conformance-Profiles.pdf) (OpenID Connect Conformance Profiles).
- Certification testing covers both client (PEP) and server (PDP).
- Alex O. will take a stab