OpenID AuthZEN Authorization API 1.0 released
11 hours ago
- #Access Control
- #API
- #Authorization
- The Authorization API defines how a Policy Enforcement Point (PEP) asks a Policy Decision Point (PDP) for an authorization decision and how the PDP answers.
- The API has two families of endpoints: evaluation endpoints that return an access decision for a given subject, action and resource, and search endpoints that list the subjects, resources or actions for which access would be permitted.
- The PDP and PEP roles are taken from XACML and NIST's ABAC guidance (SP 800-162); by standardizing only the interface between them, the API lets PDPs and PEPs from different providers interoperate without binding either side to a specific implementation.
- The API is transport-agnostic; a normative HTTPS binding is defined, and OAuth 2.0 is supported for authenticating the PEP to the PDP.
- Core features are the Access Evaluation API (one access decision per request), the Access Evaluations API (several evaluations batched into one request) and the Search APIs (Subject, Resource and Action Search) for discovering which entities are authorized.
- This is version 1.0 of the API; future versions are required to augment it rather than modify what is already defined, so clients written against 1.0 keep working.
- The information model has five entities: Subject and Resource (a type and an id, plus optional properties), Action (a name, plus optional properties), Context (a free-form object carrying environmental attributes such as time or client IP) and Decision (a boolean, plus optional context returned by the PDP).
- Examples and non-normative scenarios illustrate the use of evaluation and search APIs.
- Search APIs support pagination for large result sets: the PDP returns an opaque token with each page, and the PEP passes that token back unchanged to fetch the next page; the PEP must neither parse nor construct tokens.
- Security considerations emphasize securing the PEP-PDP connection (the HTTPS binding is the normative transport), authenticating the PEP so that only trusted callers can obtain decisions, and protecting the endpoints against common attacks; a PEP should treat anything other than a well-formed affirmative decision as a deny.
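The following is an added example, not code from the AuthZEN specification or from any vendor's PDP: a PEP-side client for the Access Evaluation and Subject Search endpoints, exercised against a tiny in-process PDP so it runs offline. The JSON field names (subject/action/resource/context, decision, results, page/next_token/size) and the `/access/v1/...` paths follow the 1.0 wire format; the policy table, the example identities and the PDP's base64 token encoding are constructed for the demonstration. It shows the request shapes from the information model above, how a PEP walks paginated search results while treating the token as opaque, and how it fails closed on a malformed or failing PDP response.

```python
"""Added example of the AuthZEN Authorization API 1.0 wire format.
PEP-side helpers plus a constructed in-process PDP (not a real product)."""
import base64
import json
from typing import Callable, Optional

# Constructed policy table: (subject_type, subject_id, action, resource_type, resource_id)
POLICY = {
    ("user", "alice@example.com", "can_read", "account", "123"),
    ("user", "alice@example.com", "can_read", "account", "456"),
    ("user", "bob@example.com", "can_read", "account", "123"),
    ("user", "carol@example.com", "can_read", "account", "123"),
    ("user", "alice@example.com", "can_update", "account", "123"),
}

# Endpoint paths from the 1.0 HTTPS binding.
EVALUATION_PATH = "/access/v1/evaluation"
SEARCH_SUBJECT_PATH = "/access/v1/search/subject"


def pdp_evaluate(body: dict) -> dict:
    """Access Evaluation API: one subject/action/resource(/context) -> one boolean decision."""
    s, a, r = body["subject"], body["action"], body["resource"]
    allowed = (s["type"], s["id"], a["name"], r["type"], r["id"]) in POLICY
    return {"decision": allowed}


def pdp_search_subject(body: dict, default_page_size: int = 2) -> dict:
    """Subject Search API: which subjects of the requested type may perform
    the action on the resource.  The next_token is opaque to the PEP; this
    constructed PDP happens to encode its offset with base64."""
    a, r, want_type = body["action"], body["resource"], body["subject"]["type"]
    matches = sorted(
        {(st, sid) for (st, sid, act, rt, rid) in POLICY
         if st == want_type and act == a["name"] and rt == r["type"] and rid == r["id"]}
    )
    page = body.get("page", {})
    size = int(page.get("size", default_page_size))
    offset = 0
    token = page.get("next_token")
    if token:
        offset = int(base64.urlsafe_b64decode(token).decode())
    chunk = matches[offset:offset + size]
    out = {"results": [{"type": st, "id": sid} for st, sid in chunk]}
    nxt = offset + size
    if nxt < len(matches):  # more results: hand back a token for the next page
        out["page"] = {"next_token": base64.urlsafe_b64encode(str(nxt).encode()).decode()}
    return out


def build_http_request(path: str, body: dict, bearer_token: str) -> dict:
    """HTTPS binding: the PEP POSTs a JSON body to the PDP and authenticates with an
    OAuth 2.0 bearer token.  Returns the request pieces instead of sending them,
    so the example stays offline; a real PEP would hand these to its HTTPS client."""
    return {
        "method": "POST",
        "path": path,
        "headers": {
            "Content-Type": "application/json",
            "Authorization": f"Bearer {bearer_token}",
        },
        "body": json.dumps(body),
    }


def pep_is_allowed(pdp: Callable[[dict], dict], subject: dict, action: dict,
                   resource: dict, context: Optional[dict] = None) -> bool:
    """PEP decision helper.  Fails closed: only a literal boolean true grants access;
    a transport error, a malformed body or a string "true" all deny."""
    req = {"subject": subject, "action": action, "resource": resource}
    if context:
        req["context"] = context
    try:
        resp = pdp(req)
    except Exception:
        return False
    return isinstance(resp, dict) and resp.get("decision") is True


def pep_search_all_subjects(pdp_search: Callable[[dict], dict], action: dict,
                            resource: dict, page_size: int = 2, max_pages: int = 100) -> list:
    """Walk every page of a Subject Search, passing next_token back untouched.
    The page cap stops a misbehaving PDP from keeping the PEP in an endless loop."""
    req = {"subject": {"type": "user"}, "action": action, "resource": resource,
           "page": {"size": page_size}}
    found = []
    for _ in range(max_pages):
        resp = pdp_search(req)
        found.extend(resp.get("results", []))
        token = resp.get("page", {}).get("next_token")
        if not token:
            break
        req["page"] = {"size": page_size, "next_token": token}
    return found


if __name__ == "__main__":
    alice = {"type": "user", "id": "alice@example.com"}
    acct = {"type": "account", "id": "123"}
    print(pep_is_allowed(pdp_evaluate, alice, {"name": "can_read"}, acct))
    print([s["id"] for s in pep_search_all_subjects(pdp_search_subject, {"name": "can_read"}, acct)])
    print(build_http_request(EVALUATION_PATH, {"subject": alice, "action": {"name": "can_read"}, "resource": acct}, "token")["headers"])
```

The PEP never inspects `next_token`; the base64 offset is purely an internal choice of this constructed PDP, and a real PDP may encode anything. Keeping `pep_is_allowed` strict about `decision is True` is the practical form of the "fail closed" point from the security considerations: an upstream outage or a response that is not quite the expected shape must not turn into an allow.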