AuthZEN: The “OpenID Connect” of Authorization
Gartner IAM Summit Grapevine 2025
Alex Olivier
Co-founder, Cerbos
David Brossard
CTO, Axiomatics
Homan Farahmand
VP Analyst, Gartner
Omri Gazitt
Co-founder, Aserto
Agenda
Introduction (Homan Farahmand)
Why AuthZEN (Omri Gazitt)
What AuthZEN provides (David Brossard)
Demo (Alex Olivier)
State of IAM
• OAuth2, OIDC, SAML, JWT
• Workforce SSO: Okta, Entra, Ping Identity, …
• CIAM: Auth0, Cognito, AAD B2C, …
“n * m” problem
Authentication is “solved” ✅
“n + m” problem
• No widespread standard or protocol (yet)
• Each app bakes-in domain-specific AuthZ
• Overprovisioned static roles, spaghetti code
• OWASP Top Ten #1 issue: Broken Access Control
Authorization is broken: ❌
“n + m” problem
OpenID AuthZEN Vision
• OAuth2, OIDC, SAML, JWT
• Workforce SSO: Okta, Entra, PingID, …
• CIAM: Auth0, Cognito, AAD B2C, …
Authentication is “solved”
• AuthZEN PEP-PDP API
• Each app externalizes authorization to PDP
• Commercial Workforce and CIAM solutions
Authorization is like authentication
“n + m” problem
OpenID AuthZEN
Modern Authorization
Ecosystems, standards, & OSS
Policy as code (ABAC) | Policy as data (ReBAC)
Timeline of ecosystems, standards and OSS shown on the slide: NGAC, ALFA, Casbin, Open Policy Agent, Zanzibar, TOPAZ, AuthZEN (years marked on the timeline: 2001, 2014, 2016, 2020, 2024)
Business Drivers
Developer Efficiency: Let developers focus on business features and delegate authorization to a dedicated service
Audit & Compliance: Produce access reviews that make business sense & access detailed audit trails
Efficient IAM: Avoid role explosions; simplify JML
Secure by Design: Enable Zero Trust & continuous enforcement through runtime access
Identity Fabric: Enable interoperability between apps and identity components
Gartner Hype Cycle for Digital Identity, 2025
First mention on the Hype Cycle
AuthZEN Charter https://openid.net/wg/authzen/
Policy Enforcement: Protect resources (APIs, AI, Data, processes).
Policy Decision: Externalized authorization service that delivers fine-grained access decisions.
Policy Administration: Define management APIs to distribute policies from the control plane to the PDPs.
Policy Information: Retrieve metadata from underlying sources e.g. directories, databases…
OpenID AuthZEN Enables Defense-in-Depth
Identity Providers
IdP as Enforcement
(coarse-grained)
API Gateway as PEP
(medium-grained)
App code as PEP
(fine-grained)
Data Proxy as PEP
(fine-grained)
API Gateways App Frameworks DB Proxies
OpenID
Policy Decision Point
OpenID AuthZEN Architecture
COMPATIBILITY
NIST ABAC 800-162
OWASP API
AI MCP
NIST Zero Trust 800-207
Defense-in-Depth
What’s included in OpenID AuthZEN?
Binary AuthZ API | Batch Binary API | Search API | Discovery API
AuthZEN Drafts - A History
AuthZEN 1.0 Core:
• /evaluation endpoint: Draft 01 (Implementer’s Draft – Nov 2024)
• /evaluations endpoint: Draft 02 (Jan 2025)
• /search endpoints: Draft 03 (Mar 2025)
• /.well-known (discovery) endpoint: Draft 04 (Oct 2025)
• Draft 05 WG vote for Final Specification (Oct 23, 2025)
• 60 day review and vote for Final Specification of Draft 05 (in progress)

Scenario    | Event                  | Draft | Endpoints
App Code    | Identiverse 2024       | 0     | /evaluation
App Code    | EIC 2024               | 1     | /evaluation
App Code    | Authenticate 2024      | 2     | + /evaluations
App Code    | Gartner IAM US 2024    | 2     | + /evaluations
API Gateway | Gartner IAM Lon 2025   | 2     | + /evaluations
Search      | Identiverse 2025       | 3     | /search, /.well-known
IdP         | Gartner IAM US 2025    | 4     | /search
7 Interops
Binary API Sample Payload
https://openid.github.io/authzen/
Use Cases
● Transactional authorization
● API Access Control
● Address the OWASP API Top Ten
Request:
{
  "subject": {
    "type": "user",
    "id": "Alice"
  },
  "action": {
    "name": "view"
  },
  "resource": {
    "type": "record",
    "id": "1",
    "properties": {
      "ownerID": "Bob"
    }
  }
}
Response:
{
  "decision": true
}
Batch Binary API: Sample Payload
Use Cases
● Same as previous API plus
● Functional access control
● UI access control
● Access to medium-sized datasets
● Access to fields of a given record…
Request:
{
  "subject": {
    "type": "user",
    "id": "alice@example.com"
  },
  "resource": {
    "type": "record",
    "id": "123"
  },
  "evaluations": [
    { "action": { "name": "read" } },
    { "action": { "name": "edit" } }
  ]
}
Response:
{
  "evaluations": [
    { "decision": true },
    { "decision": false }
  ]
}
Search API: Sample Payload
Search APIs
● Subject Search
○ Who can view record #1?
● Resource Search
○ Which record can Alice view?
● Action Search
○ What can Alice do on record #1?
Use Cases
● Dynamic data filtering
● Entitlement access review
● Entitlement provisioning
● Access matrix generation
● Authorization logic testing
Request:
{
  "subject": {
    "type": "user"
  },
  "action": {
    "name": "view"
  },
  "resource": {
    "type": "record",
    "id": "101"
  }
}
Response:
{
  "results": [
    { "type": "user", "id": "bob" },
    { "type": "user", "id": "carol" }
  ]
}
Who can view record 101? Bob and Carol.
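As an added illustration (not code from the AuthZEN specification or from any of the vendors named in the deck), a toy Python PDP that answers the three sample payloads above: the single /evaluation request, the batch /evaluations request and the subject /search request, plus the resource search that the IdP-centric interop later in the deck relies on. The access policy, the record store and the user list are constructed for the example; it assumes, as the batch sample shows, that a subject/resource given at the top level applies to every entry in "evaluations" unless an entry overrides it.

```python
from copy import deepcopy

# Constructed sample data standing in for the PIP (directory/database) a PDP consults.
RECORDS = {
    "1":   {"ownerID": "bob", "sharedWith": ["alice"]},
    "123": {"ownerID": "bob", "sharedWith": ["alice@example.com"]},
    "101": {"ownerID": "bob", "sharedWith": ["carol"]},
}
USERS = ["alice", "bob", "carol"]

def decide(subject, action, resource):
    """Constructed policy: the owner may view/read/edit; shared-with users may only view/read.
    Inline resource.properties sent by the PEP override the stored attributes."""
    if resource.get("type") != "record":
        return False
    props = {**RECORDS.get(resource.get("id"), {}), **resource.get("properties", {})}
    if "ownerID" not in props:
        return False  # unknown record: deny by default
    uid = subject.get("id", "").lower()
    if uid == props["ownerID"].lower():
        return action in ("view", "read", "edit")
    return action in ("view", "read") and uid in props.get("sharedWith", [])

def evaluation(req):
    """/evaluation: one subject/action/resource triple -> {"decision": bool}"""
    return {"decision": decide(req["subject"], req["action"]["name"], req["resource"])}

def evaluations(req):
    """/evaluations: top-level subject/action/resource are defaults each item may override."""
    defaults = {k: req[k] for k in ("subject", "action", "resource") if k in req}
    results = []
    for item in req.get("evaluations", []):
        merged = deepcopy(defaults)
        merged.update(item)          # in the sample payload only "action" varies per item
        results.append(evaluation(merged))
    return {"evaluations": results}

def subject_search(req):
    """/search (subject): which subjects of the given type may perform action on resource?"""
    action, stype = req["action"]["name"], req["subject"]["type"]
    return {"results": [{"type": stype, "id": u} for u in USERS
                        if decide({"type": stype, "id": u}, action, req["resource"])]}

def resource_search(req):
    """/search (resource): which records may the subject act on? This is the question an
    IdP asks before deciding which entitlement claims to put in a token (IdP-centric interop)."""
    action = req["action"]["name"]
    return {"results": [{"type": "record", "id": rid} for rid in RECORDS
                        if decide(req["subject"], action, {"type": "record", "id": rid})]}
```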
Interop History
Initial Interops (June 2024 and later)
● The PDPs get together and prove interoperability with one another
● App-centric
API Gateway-centric Interop (March 2025)
● API gateways act as the PEP and show they can use any compatible PDP
IdP-centric Interop (December 2025)
● Identity providers (e.g. OAuth AS) can now interact with AuthZEN-based PDPs in a standard way (token issuance, enrichment…)
Future Interops
● Externalized Authorization for SaaS & COTS
● Native support in app development frameworks
Interoperable implementations (Dec. 2025)
API Gateways as PEP | Policy Decision Points (PDP), e.g. TOPAZ | Identity Providers as PEP
(vendor logo wall; the other names are not captured in the text)
Gartner IAM December 2025 Interop
The Challenge
● OAuth is identity-centric
● Access based on scopes/claims is coarse-grained
● Access still depends on app code
● No consistent access policy
● Lack of policy in OAuth makes audit & compliance difficult
● OAuth focuses mostly on access delegation rather than runtime access control.
The solution
● Extend your IdP with an AuthZEN-compatible PDP
● The IdP can then ask
○ “Should I issue this token?”
○ “Which claims should I inject into the token?”
Extend OAuth with AuthZEN to achieve finer-grained near-runtime access control
Gartner IAM December 2025 Interop Architecture
Diagram: the user authenticates against the OIDC Auth Server (OAuth Code Flow); the Auth Server makes an AuthZEN call (AuthZEN Resource Search Request) to the AuthZEN-compatible Policy Decision Point (TOPAZ in the interop), receives the AuthZEN Response, and then issues the ID Token/AT/RT.
And now for something completely different
Live Demo!
2026 Roadmap
AuthZEN Partial Evaluation: A generalization of the Search API
AuthZEN 1.0 API Gateway Profile: Building on top of the API Gateway March 2025 Interop
AuthZEN 1.0 IdP Profile: Building on top of the IdP December 2025 Interop
AuthZEN 1.0 Events (Shared Signals): Integrating with our sibling WG
Call to Action
• Attend one or more of the AuthZEN interop showcase sessions
• Create an AuthZEN-based Authorization Control Plane for your enterprise (just like you did for OpenID-based SSO)
• Externalize the authorization for your internal apps whenever possible
• Encourage your SaaS vendors to become AuthZEN-compliant and plug into your Authorization Control Plane
Session Information
Tuesday (today)
● 12 to 12:30pm
● 2 to 2:30pm
● 3:45 to 4:15pm
Wednesday (tomorrow)
● 10:30 to 11am
● 12 to 12:30pm
Room: Austin 1
Where to find us
• AuthZEN mailing list: https://openid.net/wg/authzen
• GitHub: https://github.com/openid/authzen
• OpenID Slack: #wg-authzen
• Meeting notes & docs: https://hackmd.io/@oidf-wg-authzen
• Email: omri@aserto.com, david.brossard@axiomatics.com

OpenID AuthZEN Overview - Gartner IAM 25


Editor's Notes

  • #2 Quick intro: Why we are here (Homan). Q1: What is AuthZEN? (Omri). Q2: How does it work? (David). Q3: What is an example of a vendor adopting AuthZEN? (Alex)
  • #3 Homan presents a slide contrasting the state of AuthN and AuthZ
  • #4 Homan introduces the AuthZEN vision
  • #5 Historical slide that introduces current ecosystems and previous standards efforts, with AuthZEN aiming to unify all the ecosystems. Homan could either present or delegate to Omri.
  • #6 More efficient IAM → avoid role explosion; Audit & Compliance → access reviews that make sense & audit trails; Developer efficiency → let devs focus on business features and delegate AuthN/AuthZ to purpose-built services; Identity Fabric → interoperability between identity components; Secure by design → enable Zero Trust & continuous enforcement through runtime access
  • #7 Adopting AuthZEN: Reduces effort and complexity by simplifying fine-grained authorization with a standard interface, eliminating custom-made integrations. Accelerates adoption by promoting externalized authorization in applications. Centralizes authorization policy management for improved auditability and compliance. Ensures consistent access control and dynamic authorization decisions. Decreases reliance on proprietary systems, thereby reducing the risk of vendor lock-in.
  • #10 NIST ABAC 800-162 architecture, NIST Zero Trust 800-207 architecture, OWASP API architecture, AI MCP architecture: all rely on the proxy approach. This is what AuthZEN enables.
  • #11 Binary AuthZ API: AuthZEN provides a standard schema for the request and the response, with the ability to enrich decisions. Can Alice view record #123? ✅.
    Batch Binary API: AuthZEN provides a mechanism to send batch requests in one go, reusing common elements for all requests. Can Alice view/edit record #123? ✅❌.
    Search API: rather than receive a decision, get the list of entitled items back from the API. AuthZEN enables user, resource, and action search.
    Discovery API: each PDP can expose the AuthZEN capabilities it supports and where to find them. This is in line with other identity discovery endpoints.
  • #13 Omri talks about the simplicity of the AuthZEN PDP API design.
  • #17 David talks about current state of interoperable implementations.
  • #21 David goes over the CTA.
  • #22 David goes over the CTA.
  • #23 David brings us home.