AuthZEN is a working group within the OpenID Foundation that strives for standardizing fine-grained authorization. The goal is to increase interoperability between existing solutions and thus make it easier for developers to implement fine-grained authorization in their applications.

1. 1
David Brossard
Omri Gazitt
Gerry Gebel
AuthZEN Briefing

2. 2
Scope and Objectives (mid 2023)
▪ Increase interoperability between existing standards and approaches to
authorization - examples include ALFA, Cedar, OPA, IDQL, Graph-based and
Zanzibar-inspired systems such as OpenFGA, Topaz and SpiceDB
▪ Define and formalize interoperable communication patterns between major authZ
components, for example PAP, PDP, PEP, and PIP
▪ Establish and promote the use of externalized authZ as the preferred pattern

3. 3
The AuthZEN Charter approved Oct 2023
PEP
PAP
PDP
PIP
Initial focus: PEP-PDP API
Follow-on: Policy
Discovery & Management
Follow-on: Event delivery

4. 4
First Implementer’s Draft (single access request)
{
"subject": {
"identity": "CiRm…2Fs"
},
"action": {
"name": "can_read_user"
},
"resource": {
"type": "user",
"userID": "beth@the-
smiths.com"
}
}
{
"decision": true
}
https://openid.github.io/authzen/

5. 5
First Interop Participants (June 2024)

6. 6
Second Interop Dec 2024 (multiple access requests)
TOPAZ

7. 7
API Gateway interop March 2025
TOPAZ
Policy Decision Points
API Gateways

8. 8
Search API Interop June 2025
TOPAZ

9. 9
Search API demo scenario
AuthZEN PDP
{...}
Browser
Records DB
Data Backend
Search API Demo
Frontend
{
"subject": {
"type": "user"
},
"action": {
"name": "view"
},
"resource": {
"type": "record",
"id": "101"
}
}
SELECT…
{
"results": [
{
"type": "user",
"id": "bob"
},
{
"type": "user",
"id": "carol"
}]
}

10. 10
Search API demo policies
Policies
A user can view a record in their
department or that they own
A manager can view any record
A user can edit a record they own
A manager can edit a record in their
department
0
1
0
2
0
3
0
4
A user can delete a record they own
0
5
https://search.authzen-interop.net

11. 11
AuthZEN progress and roadmap
AuthZEN 1.0 Core
/evaluation endpoint
Draft 01 (Implementer’s Draft – Nov ‘24)
/evaluations endpoint
Draft 02 (Jan 2025)
/search/{subject,resource,action}:
Draft 03 (March 2025)
Discovery mechanism:
Draft 04 (May 2025, ID 2)
Final Specification: Summer/Fall 2025
Roadmap
Summer 2025
AuthZEN Partial Evaluation
AuthZEN 1.0 API Gateway Profile
Fall 2025
AuthZEN 1.0 Events (Shared Signals)
AuthZEN 1.0 IdP Profile

12. 12
More info
■ AuthZEN mailing list: https://openid.net/wg/authzen
■ GitHub: https://github.com/openid/authzen
■ OpenID Slack: #wg-authzen
■ Meeting notes & docs: https://hackmd.io/@oidf-wg-authzen
■ Email: omri@aserto.com, david.brossard@axiomatics.com, ggebel@gmail.com

13. 13
Thank You!

14. 14
Proposers
▪ Atul Tulshibagwale, SGNL, atul@sgnl.ai
▪ Gerry Gebel, Strata Identity, gerry@strata.io
▪ Steve Venema, ForgeRock, steve.venema@forgerock.com
▪ Omri Gazitt, Aserto, omri@aserto.com
▪ Pieter Kasselman, Microsoft, pieter.kasselman@microsoft.com
▪ Alex Babeneau, 3Edges, alex@3edges.com
▪ David Brossard, Axiomatics, david.brossard@axiomatics.com
▪ Allan Foster, allan@macguru.com
▪ Andrew Hughes, Ping Identity, andrewhughes@pingidentity.com
▪ Mike Kiser, SailPoint, mike.kiser@sailpoint.com
▪ Roland Baum, Umbrella Associates, rbaum@umbrella.associates