1
David Brossard
Omri Gazitt
Gerry Gebel
AuthZEN Briefing
2
Scope and Objectives (mid 2023)
▪ Increase interoperability between existing standards and approaches to
authorization - examples include ALFA, Cedar, OPA, IDQL, Graph-based and
Zanzibar-inspired systems such as OpenFGA, Topaz and SpiceDB
▪ Define and formalize interoperable communication patterns between major authZ
components, for example PAP, PDP, PEP, and PIP
▪ Establish and promote the use of externalized authZ as the preferred pattern
3
The AuthZEN Charter approved Oct 2023
PEP
PAP
PDP
PIP
Initial focus: PEP-PDP API
Follow-on: Policy Discovery & Management
Follow-on: Event delivery
4
First Implementer’s Draft (single access request)
Request:
{
  "subject": {
    "identity": "CiRm…2Fs"
  },
  "action": {
    "name": "can_read_user"
  },
  "resource": {
    "type": "user",
    "userID": "beth@the-smiths.com"
  }
}
Response:
{
  "decision": true
}
https://openid.github.io/authzen/
5
First Interop Participants (June 2024)
6
Second Interop Dec 2024 (multiple access requests)
TOPAZ
7
API Gateway interop March 2025
TOPAZ
Policy Decision Points
API Gateways
8
Search API Interop June 2025
TOPAZ
9
Search API demo scenario
AuthZEN PDP
{...}
Browser
Records DB
Data Backend
Search API Demo
Frontend
Subject search request (frontend to AuthZEN PDP):
{
  "subject": {
    "type": "user"
  },
  "action": {
    "name": "view"
  },
  "resource": {
    "type": "record",
    "id": "101"
  }
}
Data backend query: SELECT…
Search response:
{
  "results": [
    {
      "type": "user",
      "id": "bob"
    },
    {
      "type": "user",
      "id": "carol"
    }
  ]
}
10
Search API demo policies
Policies
01 A user can view a record in their department or that they own
02 A manager can view any record
03 A user can edit a record they own
04 A manager can edit a record in their department
05 A user can delete a record they own
https://search.authzen-interop.net
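The following is an added example, not code from the AuthZEN slides or from any interop participant: a small in-memory model of the five demo policies above, exposed through the single-request evaluation shape (slide 4) and the subject/resource search shape (slide 9). The users, records, attribute names (department, manager) and function names are constructed assumptions; only the request and response JSON shapes follow the slides. Unknown subjects, resources and actions are denied rather than allowed, which is the fail-closed behaviour a PDP should exhibit.

```python
# Added example (not from the AuthZEN slides or any interop implementation):
# an in-memory policy model for the Search API demo policies.
# Data, attribute names (department, manager) and function names are
# constructed assumptions; request/response shapes follow the slides.
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: str
    department: str
    manager: bool = False


@dataclass(frozen=True)
class Record:
    id: str
    owner: str
    department: str


# Constructed demo data (assumption, not the interop site's dataset).
USERS = {
    "alice": User("alice", "eng", manager=True),
    "bob": User("bob", "sales"),
    "carol": User("carol", "sales"),
    "dave": User("dave", "eng"),
}
RECORDS = {
    "101": Record("101", owner="bob", department="sales"),
    "102": Record("102", owner="dave", department="eng"),
    "103": Record("103", owner="alice", department="eng"),
}


def allowed(user: User, action: str, record: Record) -> bool:
    """The five demo policies, evaluated deny-by-default."""
    owns = record.owner == user.id
    same_dept = record.department == user.department
    if action == "view":
        # 01: own or same-department record; 02: managers may view anything
        return owns or same_dept or user.manager
    if action == "edit":
        # 03: owner may edit; 04: manager may edit within their department
        return owns or (user.manager and same_dept)
    if action == "delete":
        # 05: only the owner may delete
        return owns
    return False  # unknown action: deny


def _lookup(request: dict):
    """Resolve subject and resource; None for unknown type or id (fail closed)."""
    subj, res = request.get("subject", {}), request.get("resource", {})
    user = USERS.get(subj.get("id")) if subj.get("type") == "user" else None
    record = RECORDS.get(res.get("id")) if res.get("type") == "record" else None
    return user, record


def evaluation(request: dict) -> dict:
    """Single access request (slide 4 shape) -> {"decision": bool}."""
    user, record = _lookup(request)
    if user is None or record is None:
        return {"decision": False}
    return {"decision": allowed(user, request["action"]["name"], record)}


def subject_search(request: dict) -> dict:
    """Subject search (slide 9 shape): which users may perform action on the resource?"""
    _, record = _lookup(request)
    if record is None or request["subject"].get("type") != "user":
        return {"results": []}
    action = request["action"]["name"]
    hits = sorted((u for u in USERS.values() if allowed(u, action, record)), key=lambda u: u.id)
    return {"results": [{"type": "user", "id": u.id} for u in hits]}


def resource_search(request: dict) -> dict:
    """Resource search: which records may the subject perform action on?"""
    user, _ = _lookup(request)
    if user is None or request["resource"].get("type") != "record":
        return {"results": []}
    action = request["action"]["name"]
    hits = sorted((r for r in RECORDS.values() if allowed(user, action, r)), key=lambda r: r.id)
    return {"results": [{"type": "record", "id": r.id} for r in hits]}


if __name__ == "__main__":
    req = {"subject": {"type": "user"}, "action": {"name": "view"},
           "resource": {"type": "record", "id": "101"}}
    print(subject_search(req))  # users allowed to view record 101
```

The same `allowed` function backs all three entry points, which is the property the search endpoints depend on: a search must return exactly the set of subjects or resources for which a single evaluation would answer `true`, otherwise the frontend's list view and the backend's per-request check disagree.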
11
AuthZEN progress and roadmap
AuthZEN 1.0 Core
/evaluation endpoint
Draft 01 (Implementer’s Draft – Nov ‘24)
/evaluations endpoint
Draft 02 (Jan 2025)
/search/{subject,resource,action}:
Draft 03 (March 2025)
Discovery mechanism:
Draft 04 (May 2025, ID 2)
Final Specification: Summer/Fall 2025
Roadmap
Summer 2025
AuthZEN Partial Evaluation
AuthZEN 1.0 API Gateway Profile
Fall 2025
AuthZEN 1.0 Events (Shared Signals)
AuthZEN 1.0 IdP Profile
12
More info
■ AuthZEN mailing list: https://openid.net/wg/authzen
■ GitHub: https://github.com/openid/authzen
■ OpenID Slack: #wg-authzen
■ Meeting notes & docs: https://hackmd.io/@oidf-wg-authzen
■ Email: omri@aserto.com, david.brossard@axiomatics.com, ggebel@gmail.com
13
Thank You!
14
Proposers
▪ Atul Tulshibagwale, SGNL, atul@sgnl.ai
▪ Gerry Gebel, Strata Identity, gerry@strata.io
▪ Steve Venema, ForgeRock, steve.venema@forgerock.com
▪ Omri Gazitt, Aserto, omri@aserto.com
▪ Pieter Kasselman, Microsoft, pieter.kasselman@microsoft.com
▪ Alex Babeneau, 3Edges, alex@3edges.com
▪ David Brossard, Axiomatics, david.brossard@axiomatics.com
▪ Allan Foster, allan@macguru.com
▪ Andrew Hughes, Ping Identity, andrewhughes@pingidentity.com
▪ Mike Kiser, SailPoint, mike.kiser@sailpoint.com
▪ Roland Baum, Umbrella Associates, rbaum@umbrella.associates

OpenID AuthZEN - Analyst Briefing July 2025