by David Brossard
Well, it’s been another busy few months for the authorati (credits to Omri Gazitt of Aserto and Sebastian Rohr of Umbrella Associates for coining the term). The OpenID AuthZEN Working Group was busy putting the final touches on its first implementer’s draft all the while spreading the gospel at several events. Let’s rewind the tape and sum up the highlights.
May 2024 – Identiverse – AuthZEN Interop
We were fortunate that both Identiverse and OpenID lent us rooms during the event to finalize our initial interop: 12 different implementations took part and successfully tested their capabilities against a Rick & Morty-inspired demo app. So, what does the initial interop cover? A fully spec’ed-out binary authorization API: a client sends an authorization request that names a subject, an action and a resource (plus optional context), in effect a yes/no question such as “Can Alice view document #123?”, and gets a decision back as a boolean. For those familiar with XACML, this is a streamlined and simplified version of the request/response model: one JSON request, one yes/no answer, and no policy language mandated on the decision point. For developers and API lovers out there, you can check out the sample AuthZEN Postman library. Omri (Aserto) also maintains a website that walks readers through the interop.
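To make the request/response shape concrete, here is an added Python example (mine, not code from the AuthZEN draft, the interop or any participating vendor). The field names follow the implementer’s draft: a JSON request carrying subject, action, resource and optional context is posted to /access/v1/evaluation and answered by a JSON object whose decision is a boolean. Everything else, the users and documents standing in for an attribute store, the toy rules, the reason strings and the HTTP wrapper, is constructed for illustration.

```python
"""Minimal AuthZEN-style policy decision point (PDP).

Wire shapes follow the AuthZEN implementer's draft: a JSON request with
"subject", "action", "resource" and optional "context", answered by a JSON
object with a boolean "decision" (and optional "context").  The policy,
the attribute data and the reason strings are a constructed toy, not the
spec's or any vendor's logic.
"""
import json
from typing import Any

# Constructed attribute store standing in for a policy information point.
DOCUMENTS = {
    "123": {"owner": "alice", "classification": "internal"},
    "456": {"owner": "bob", "classification": "restricted"},
}
USERS = {
    "alice": {"department": "legal", "clearance": "internal"},
    "bob": {"department": "finance", "clearance": "restricted"},
    "carol": {"department": "legal", "clearance": "restricted"},
}
CLEARANCE_RANK = {"internal": 1, "restricted": 2}


class BadRequest(ValueError):
    """Raised when a field the draft marks REQUIRED is missing."""


def _require(obj: Any, path: str) -> Any:
    """Return the value at a dotted path, or raise BadRequest if absent."""
    cur = obj
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            raise BadRequest(f"missing required field: {path}")
        cur = cur[part]
    return cur


def evaluate(request: dict) -> dict:
    """Evaluate one AuthZEN evaluation request and return the response object.

    Default-deny: every path that does not explicitly permit yields
    {"decision": False}.  The response "context" is optional in the draft;
    here it carries a short reason that does not leak which lookup failed.
    """
    subject_type = _require(request, "subject.type")
    subject_id = _require(request, "subject.id")
    action = _require(request, "action.name")
    resource_type = _require(request, "resource.type")
    resource_id = _require(request, "resource.id")

    if subject_type != "user" or resource_type != "document":
        return {"decision": False, "context": {"reason": "unknown subject/resource type"}}

    user = USERS.get(subject_id)
    doc = DOCUMENTS.get(resource_id)
    if user is None or doc is None:
        # Unknown principal or object: deny without saying which one was unknown.
        return {"decision": False, "context": {"reason": "not permitted"}}

    # Toy rules: the owner may do anything; "view" needs clearance >= classification.
    if doc["owner"] == subject_id:
        return {"decision": True}
    if action == "view" and CLEARANCE_RANK[user["clearance"]] >= CLEARANCE_RANK[doc["classification"]]:
        return {"decision": True}
    return {"decision": False, "context": {"reason": "not permitted"}}


def handle_evaluation(body: bytes) -> tuple[int, bytes]:
    """HTTP-level wrapper for POST /access/v1/evaluation: (status, JSON body).

    Malformed JSON or a missing required field is a 400, never a silent deny,
    so a broken PEP integration shows up as an error rather than as a policy
    outcome.
    """
    try:
        response = evaluate(json.loads(body))
    except (json.JSONDecodeError, BadRequest) as exc:
        return 400, json.dumps({"error": str(exc)}).encode()
    return 200, json.dumps(response).encode()


if __name__ == "__main__":
    # Constructed request: "Can Alice view document #123?"
    req = {
        "subject": {"type": "user", "id": "alice"},
        "action": {"name": "view"},
        "resource": {"type": "document", "id": "123"},
        "context": {"channel": "web"},
    }
    status, out = handle_evaluation(json.dumps(req).encode())
    print(status, out.decode())
```

The two things worth copying from this toy are the default-deny structure (the only `True` returns are the explicit permits) and the separation of protocol errors (400) from policy denials (200 with `decision: false`); conflating the two is the classic way a misconfigured enforcement point ends up failing open or silently denying everyone.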
In addition, there were several talks worth calling out:
- The Authorization Conversation panel led by Eve Maler – AI-generated summary
- Read Out from the AuthZEN Interop Event – slides
The latest version of the implementer’s draft can be accessed here. Readers interested in providing feedback should use the issues feature in the AuthZEN GitHub repository.
June 2024 – European Identity Conference – AuthZEN Interop (take 2)
Attendees and speakers of Identiverse had a mere 48 hours before heading out to Berlin for a second generous helping of IAM. EIC was also replete with authorization talks and AuthZEN presentations. My peer (and fellow editorial member) Alex Babeanu and I took part in a panel with fellow IAM expert Patrick Parker (EmpowerID): Unpacking Authorization Approaches: Policy as Code Versus Traditional Business Needs. You can watch the replay here.
On Thursday, Allan Foster, Adam Rusbridge, Alex Babeanu and I talked about the importance of standardization in authorization. All four of us are members of OpenID AuthZEN, and both 3Edges and Axiomatics are among the 12 conformant implementations.
On the last day of the conference, Gert Drapers led the second AuthZEN interop: the focus was on use cases brought by individuals from the manufacturing and banking sectors.
July 2024 – AuthZEN meets OAuth at IETF
OAuth focuses on delegated access (with authentication layered on top by OpenID Connect), while policy-based authorization (ABAC, ReBAC or other models) focuses on fine-grained access control decisions. Can both be used together? That’s what Eve Maler, Justin Richer, Allan Foster, and I attempted at IIW last October (notes). This led to a first attempt in the form of the AuthZEN Request/Response Profile for OAuth 2.0 Rich Authorization Requests, which was proposed during IETF 120 in Vancouver. The profile suggests using the AuthZEN request format (subject, action, resource, context) to express what a client asks for in a RAR request (RFC 9396) to the authorization server, so that the same request shape can then be evaluated by a policy decision point. The hope is that this will increase interoperability and “integrability” between OAuth-based systems and policy decision points. For more information, check out the presentation slides or join OpenID’s Slack for a live discussion.
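As an added illustration of the idea (my example, not the profile’s text; the proposed profile’s actual syntax is not reproduced on this page and may differ), the following Python shows one way an AuthZEN-shaped request could travel inside the authorization_details parameter that RFC 9396 defines as a JSON array of objects, each with a required type. The type value authzen_request, the field layout, the client identifier and the redirect URI are all assumptions made for the example.

```python
"""Carrying an AuthZEN-shaped request inside an OAuth 2.0 Rich Authorization
Request (RFC 9396).

RFC 9396 defines "authorization_details" as a JSON array of objects, each with
a REQUIRED "type".  The type value below, the field layout and all identifiers
are assumptions for this example, not the proposed profile's actual syntax.
"""
import json
from urllib.parse import parse_qs, urlencode

AUTHZEN_RAR_TYPE = "authzen_request"  # hypothetical type value, not from any spec


def to_authorization_details(authzen_request: dict) -> list[dict]:
    """Client side: wrap an AuthZEN evaluation request as one RAR entry."""
    entry = {"type": AUTHZEN_RAR_TYPE}
    for key in ("subject", "action", "resource", "context"):
        if key in authzen_request:
            entry[key] = authzen_request[key]
    return [entry]


def build_authorization_request(client_id: str, redirect_uri: str, details: list[dict]) -> str:
    """Client side: query string for an /authorize request carrying the details."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "authorization_details": json.dumps(details),
    }
    return urlencode(params)


def extract_authzen_requests(query: str, authenticated_subject: dict) -> list[dict]:
    """Authorization-server side: turn authorization_details back into AuthZEN
    requests the AS can hand to a PDP.

    Entries of other types are left for their own handlers; malformed entries
    are rejected rather than ignored.  The subject is always the user the AS
    itself authenticated: a client-asserted subject is discarded, because the
    client is the party being authorized and must not pick whom to ask about.
    """
    raw = parse_qs(query).get("authorization_details")
    if not raw:
        return []
    details = json.loads(raw[0])
    if not isinstance(details, list):
        raise ValueError("authorization_details must be a JSON array")

    requests = []
    for entry in details:
        if not isinstance(entry, dict) or "type" not in entry:
            raise ValueError("each authorization_details entry needs a type")
        if entry["type"] != AUTHZEN_RAR_TYPE:
            continue
        for required in ("action", "resource"):
            if required not in entry:
                raise ValueError(f"AuthZEN entry is missing {required}")
        req = {k: v for k, v in entry.items() if k not in ("type", "subject")}
        req["subject"] = authenticated_subject  # bind to the AS-authenticated user
        requests.append(req)
    return requests


if __name__ == "__main__":
    # Constructed client request: the client wants to view document #123.
    wanted = {"action": {"name": "view"}, "resource": {"type": "document", "id": "123"}}
    query = build_authorization_request("app1", "https://app.example/cb", to_authorization_details(wanted))
    # At the AS, Alice has just authenticated; the PDP question becomes "Can Alice view #123?"
    print(extract_authzen_requests(query, {"type": "user", "id": "alice"}))
```

The point of the subject-binding step is the one integration pitfall an engineer should anticipate when gluing the two models together: in AuthZEN the caller of the PDP is a trusted enforcement point that knows who the subject is, whereas in OAuth the caller of the authorization server is the client, which is precisely the party whose access is in question.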
What’s next for AuthZEN?
The WG is already actively working on the next iteration of the standard. Members have reached consensus on a batch authorization request API (sometimes called boxcarred requests), which lets a client ask several yes/no questions in one round trip. We are planning an interop at AuthenticateCon in October and at IIW a few weeks later. If you would like to join the WG, especially as a customer organization (i.e. not an authorization vendor), we’d love to hear about your use cases. Join us on OpenID’s website.
Disclaimer: The views expressed in the content are solely those of the author and do not necessarily reflect the views of the IDPro organization.
Author
In his role as CTO, David drives the technology vision and strategy for Axiomatics based on both identity and access management (IAM) market trends as well as customer feedback. He also leads the company’s strategy for standards and technology integrations in both the IAM and broader cybersecurity industries. David is a founding member of IDPro, a co-author of the OASIS XACML standard, and an expert on standards-based authorization as part of an overall IAM implementation. Most recently, David led the design and development of Salesforce’s identity offering, including customer identity and access management (CIAM) solutions.