# Meeting Notes 2026-01-29

## Attendees

*

## Agenda

- Actions from last week
    - [ ] Alex O: Break out the interop code into a separate repo (blocked)
    - [x] JeffB/AO - shutdown interops
    - [ ] Review [JSONSchema PR](https://github.com/openid/authzen/pull/419)
    - [ ] Do some digging into other WG that have SDKs
    - [ ] Content on getting started with the spec. Revive the use cases track?
    - [x] AO/Edmund - [sync on certification](https://hackmd.io/n3O_ppuFTBaJnQto__NbBA) and what's needed.
- [XACML 3.0 Profile of OpenID AuthZEN 1.0](https://hackmd.io/csAsA5RSTuixU1u2uwgsAg)
- SDKs
    - https://github.com/authzen/access
    - [.NET SDK](https://github.com/RockSolidKnowledge/AuthZenClient) from RockSolidKnowledge
- EIC Standards Award submission (David)
    - any others?
- [Certification Scenario](https://hackmd.io/n3O_ppuFTBaJnQto__NbBA)
- AOB

### Roadmap Items from last week:

- Certification testing (Alex O)
- API Gateway profile (Gert, David)
- MCP/A2A profile (Atul, Alex B)
- Obligations profile (Alex B)
- Partial evaluation (David, Julio)
- Protocol Bindings
    - gRPC (Gert, Julio)
- Contact external vendors -> Adopt AuthZEN, reach-out

## Notes

### Interop Apps

- Jeff hosted some interops in AWS for free. We may lose them. Need to check with Jeff + AlexO
- George:
    - need to constantly evaluate the security posture. Should be shut down for security at least.
    - Certification: should not be using interop but proper cert repo
- Owner: @jeffsec and @alexolivier

### JSON Schema PR

- Walk thru Thomas's OpenAI spec: needs more work, T will update us

### XACML Profile

- XACML binding - [map AuthZEN to XACML](https://hackmd.io/@oidf-wg-authzen/xacml-to-authzen)
- Owner: @davidbrossard
- [ ] Looking for volunteers to review the initial text

### Partial Evaluation

- Vladi, David, and Julio will pick up the work where we left off last summer.
- See [current draft](https://hackmd.io/@oidf-wg-authzen/partial-evaluation-wip)
- Owners: @vladi, @julioauto, @davidbrossard

### MCP Apps

Martin:

- adopted everywhere, becomes very important.
- mcp extensions repo: gather recommendations. E.g., cross domain communications -> chat with Aaron Parecki
- See https://github.com/modelcontextprotocol/ext-apps
- Use cases
    - Build PEPs for MCP, MCP API, MCP GW
    - Define access delegation examples/models
- Owner: Martin, @alexbabeanu

### Upcoming Events

- Gartner IAM London March 9th 2026
    - The agenda lists the AuthZEN session
- European Identity Conference Berlin May 20th 2026
    - we have a few sessions including with OpenID and EIC will likely give us a breakout room for the WG to work.
- David talking to Forrester to see whether they want to host interop events

### References

- https://openid.net/specs/openid4vc-high-assurance-interoperability-profile-1_0-05.html

## Suggestions for certification

Define a use case

### `Evaluation API Certification`

- Define a well-known request e.g. Alice view record 123

  ```json
  {
    "subject": {"id": "alice", "type": "user"},
    "action": {"name": "view"},
    "resource": {"id": "123", "type": "record"}
  }
  ```

- Define an expected response e.g. true.
- The PDP must implement the following scenario
    - Policy: Alice can view record 123.
- Given the aforementioned scenario, the following MUST be true:
    - The presence of any field in the properties object of any of the subject/action/resource/context entities must have no bearing on the final decision.
    - The context entity MUST be ignored and must have no bearing on the final decision.
    - The order of the entities MUST have no bearing on the final decision.
- Define a well-known request e.g. Alice the manager in Sales can view object 123
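
One way to turn the invariants of the Alice/record 123 scenario into an automated check, as an added example (not code from the working group or the AuthZEN repositories). `conforming_pdp` and `faulty_pdp` are hypothetical stand-ins for a call to a real PDP, and the `properties` values are constructed.

```python
import copy
import json

# Well-known request and expected decision from the certification scenario above.
BASE_REQUEST = {
    "subject": {"id": "alice", "type": "user"},
    "action": {"name": "view"},
    "resource": {"id": "123", "type": "record"},
}
EXPECTED_DECISION = True

def variants(base):
    """Yield (label, request) pairs that must all yield the same decision."""
    yield "baseline", copy.deepcopy(base)
    # A properties object on any entity, including context, must not matter.
    for entity in ("subject", "action", "resource", "context"):
        req = copy.deepcopy(base)
        req.setdefault(entity, {})["properties"] = {"constructed_key": "constructed-value"}
        yield f"properties on {entity}", req
    # Entity order in the serialized request must not matter.
    yield "entities reordered", {k: copy.deepcopy(base[k]) for k in reversed(list(base))}

def certify(decide):
    """Run every variant through decide(json_text) -> bool; return failing labels."""
    return [label for label, req in variants(BASE_REQUEST)
            if decide(json.dumps(req)) is not EXPECTED_DECISION]

def conforming_pdp(body):
    """Hypothetical PDP stand-in. Policy: Alice can view record 123."""
    r = json.loads(body)
    return (r["subject"]["id"], r["action"]["name"],
            r["resource"]["type"], r["resource"]["id"]) == ("alice", "view", "record", "123")

def faulty_pdp(body):
    """Hypothetical PDP stand-in that is sensitive to context and key order."""
    top_level_keys = [key for key, _ in json.loads(body, object_pairs_hook=list)]
    return conforming_pdp(body) and top_level_keys == ["subject", "action", "resource"]

if __name__ == "__main__":
    print("conforming:", certify(conforming_pdp))
    print("faulty:", certify(faulty_pdp))
```

An empty list from `certify` means every variant produced the expected decision; any label returned names the invariant the PDP violated.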