AuthZEN Boxcarring Proposal
April 30, 2024
openid.net
The current spec
We currently have an API ({{host}}/access/v1/evaluation) that answers exactly one question per call:
Can Alice do X?
True/False
The desire
Prior Art: XACML & ALFA
Multiple Decisions by Repetition (XACML/ALFA)
{
  "Request": {
    "AccessSubject": {
      "Attribute": [{
        "AttributeId": "com.acme.user.username", "Value": "Alice"
      }]
    },
    "Action": [{
      "Attribute": [{
        "AttributeId": "com.acme.action", "Value": "view"
      }]
    }],
    "Resource": [{
      "Attribute": [{
        "AttributeId": "com.acme.objectType", "Value": "record"
      }, {
        "AttributeId": "com.acme.record.recordId", "Value": "123",
        "IncludeInResult": true
      }]
    }, {
      "Attribute": [{
        "AttributeId": "com.acme.objectType", "Value": "record"
      }, {
        "AttributeId": "com.acme.record.recordId", "Value": "124",
        "IncludeInResult": true
      }]
    }, {
      "Attribute": [{
        "AttributeId": "com.acme.objectType", "Value": "record"
      }, {
        "AttributeId": "com.acme.record.recordId", "Value": "125",
        "IncludeInResult": true
      }]
    }]
  }
}
Multiple Decisions by Reference (Cherry-picking)
Suggestions for AuthZEN
{
  "subject": {"identity": "Alice"},
  "action": {"name": "can_read_user"},
  "resource": {
    "type": "user",
    "userID": "beth@the-smiths.com"
  }
}

[{
  "identifier": 12345,
  "subject": {"identity": "Alice"},
  "action": {"name": "can_read_user"},
  "resource": {
    "type": "user",
    "userID": "beth@the-smiths.com"
  }
}, {
  "identifier": 123456,
  "subject": {"identity": "Bob"},
  "action": {"name": "can_read_user"},
  "resource": {
    "type": "user",
    "userID": "beth@the-smiths.com"
  }
}]
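As an added illustration (not part of the proposal or of any AuthZEN implementation), here is a toy policy decision point in Python that evaluates a batch in the proposed array shape above. The grant table, the sample batch, and the rule that a non-array body or a missing or duplicate identifier refuses the whole batch are assumptions of this example; what it shows is that each decision is returned together with its identifier, which is what lets the PEP correlate answers to questions, the way IncludeInResult does in the XACML example.

```python
import json
from typing import Any, Optional

# Constructed sample policy (stands in for a real policy engine): who may read which user record.
READ_GRANTS: dict[str, set[str]] = {"Alice": {"beth@the-smiths.com"}, "Bob": set()}

# Constructed batch in the slide's proposed shape: two questions about one record.
SAMPLE_REQUEST = json.dumps([
    {"identifier": 12345, "subject": {"identity": "Alice"},
     "action": {"name": "can_read_user"},
     "resource": {"type": "user", "userID": "beth@the-smiths.com"}},
    {"identifier": 123456, "subject": {"identity": "Bob"},
     "action": {"name": "can_read_user"},
     "resource": {"type": "user", "userID": "beth@the-smiths.com"}},
])

def evaluate_one(item: dict[str, Any]) -> bool:
    """Decide one item; a malformed item is denied, not errored (fail closed)."""
    try:
        subject = item["subject"]["identity"]
        action = item["action"]["name"]
        resource = item["resource"]
    except (KeyError, TypeError):
        return False
    if not isinstance(resource, dict) or action != "can_read_user" or resource.get("type") != "user":
        return False
    return resource.get("userID") in READ_GRANTS.get(subject, set())

def evaluate_batch(body: str) -> Optional[list[dict[str, Any]]]:
    """Return one decision per item, echoing the caller's identifier.
    The identifier plays the role of XACML's IncludeInResult: it lets the PEP
    match each answer to its question. A body that is not an array, or an item
    with a missing, non-scalar or duplicate identifier, refuses the whole batch
    (None) so no decision can be misattributed; the PEP must treat None as deny."""
    items = json.loads(body)
    if not isinstance(items, list):
        return None
    seen: set[Any] = set()
    decisions = []
    for item in items:
        ident = item.get("identifier") if isinstance(item, dict) else None
        if not isinstance(ident, (int, str)) or ident in seen:
            return None
        seen.add(ident)
        decisions.append({"identifier": ident, "decision": evaluate_one(item)})
    return decisions
```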
Suggestions from the 4/30 call
Thank you.
Visit: www.OpenID.net