AuthZen Working Group: Establishing a Unified Authorization Exchange Standard
Background
As technology evolves rapidly and grows in complexity, the demands for enhanced security and compliance increase. Traditional authorization solutions struggle to meet the dynamic needs of modern enterprises. The challenges faced by authorization systems include:
- Dynamic and Fine-Grained Authorization Needs: Modern applications require real-time management of user permissions to adapt to ever-changing business needs and complex data access control rules. Traditional methods like embedding permissions into OAuth2 tokens often lack flexibility.
- Lack of Interoperability and Standardization: Enterprises often adopt diverse authorization solutions that fail to integrate seamlessly or securely across systems, applications, and services, stifling innovation and complicating architectures.
- Rising Security and Compliance Demands: With the proliferation of data protection regulations and industry standards, organizations need precise, controlled mechanisms to secure sensitive data.
These factors drive the evolution of authorization systems toward dynamic, fine-grained capabilities based on standardized mechanisms, protocols, and formats for exchanging authorization-related information.
This is where the AuthZen Working Group from the OpenID Foundation steps in.
AuthZen Working Group
AuthZen (short for Authorization Exchange) is a relatively new working group of the OpenID Foundation, officially announced in October 2023.
The goal of the AuthZen Working Group is to establish standardized mechanisms, protocols, and formats for exchanging authorization-related information across components within an organization or between organizations, even if these components are developed by different entities.
True to its name, the group focuses on addressing challenges in authorization exchange: how to securely and efficiently exchange authorization information between components.
Authorization Exchange in Action
Let’s examine where these exchanges occur using the XACML Authorization Model.
XACML Authorization Model
The XACML (eXtensible Access Control Markup Language) model, introduced over two decades ago, provides a standard for describing authorization policies and a request/response protocol for exchanging authorization decisions.
Core Components of XACML
- Policy Enforcement Point (PEP): Intercepts requests and enforces access based on the decisions made by the PDP.
- Policy Decision Point (PDP): Evaluates access requests against policies to make authorization decisions.
- Policy Information Point (PIP): Supplies PDP with additional attributes needed for decision-making.
- Policy Administration Point (PAP): Manages and administers authorization policies.
XACML Data Flow
- A user sends a request to access a resource, intercepted by the PEP.
- The PEP translates this request into an XACML authorization request and forwards it to the PDP.
- The PDP evaluates the request based on attributes, policies (managed by PAP), and additional data (from PIP).
- The PDP sends an authorization decision (permit/deny) back to the PEP.
- The PEP enforces the decision, allowing or denying access.
This separation of responsibilities allows for flexible and scalable access control mechanisms. The PEP’s role can vary depending on deployment needs, such as acting as a sidecar, an SDK, or a library.
AuthZen’s Primary Goal
In multi-vendor, multi-technology ecosystems, the interoperability between PEP and PDP is a recurring challenge. AuthZen’s primary goal is to resolve this by standardizing the interactions between these components.
Interoperability
Interoperability ensures seamless collaboration between heterogeneous components, regardless of their underlying technologies, programming languages, or protocols. APIs serve as the bridge for interoperability, defining clear interfaces for standardized communication and abstracting implementation complexities.
To achieve this, AuthZen is developing a standardized API specification.
Authorization API
The Authorization API 1.0 (currently a draft) facilitates communication between PEP and PDP, enabling interoperability. The PDP acts as the provider of decision services, while the PEP is the consumer.
Key Details
- Version: The current version is 1.0, with APIs accessible via the /v1/ endpoint. Extensions are supported through additional methods, parameters, or headers.
- Communication Protocol: All communications must use HTTPS.
Information Model
The API defines the following core entities:
- Subject: The entity initiating the API call, such as a user, device, or service.
- Resource: The target of the access request, such as a file, database, or API.
- Action: The operation the subject wants to perform on the resource, such as read, write, or delete. Common actions include can_access, can_create, can_read, can_update, and can_delete.
- Context: Additional environmental data relevant to the request, such as time, location, device, or network conditions.
Evaluation Request
An evaluation request must include subject, action, and resource; context is optional.
Example Request:

```json
{
  "subject": {
    "type": "user",
    "id": "alice@acmecorp.com",
    "properties": {
      "department": "Sales",
      "ip_address": "172.217.22.14",
      "device_id": "8:65:ee:17:7e:0b"
    }
  },
  "resource": {
    "type": "book",
    "id": "123",
    "properties": {
      "library_record": {
        "title": "AuthZEN in Action",
        "isbn": "978-0593383322"
      }
    }
  },
  "action": {
    "name": "can_read",
    "properties": {
      "method": "GET"
    }
  },
  "context": {
    "time": "1985-10-26T01:22-07:00"
  }
}
```
Evaluation Response
The evaluation response includes:
- Decision: A boolean (true or false) indicating whether the request is permitted.
- Context (optional): Additional details, such as reasons for denial.
Example Response:

```json
{
  "decision": true,
  "context": {
    "id": "0",
    "reason_admin": {
      "en": "Request failed policy C076E82F"
    },
    "reason_user": {
      "en-403": "Insufficient privileges. Contact your administrator",
      "es-403": "Privilegios insuficientes. Póngase en contacto con su administrador"
    }
  }
}
```
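To make the information model, the evaluation request/response shape and the HTTPS requirement from the sections above concrete, here is an added, self-contained Python example of a PEP/PDP round-trip. It is not code from the AuthZen specification or from any PDP vendor. Assumptions not on the page: the toy policy table, the constructed sample request, and the evaluation endpoint path /access/v1/evaluation (taken from the draft, but treat it as an assumption and check the current draft). The PDP side validates that subject, action and resource are present before evaluating, and the PEP side fails closed unless the response carries an explicit boolean true.

```python
"""Toy PEP/PDP round-trip over the AuthZen evaluation request/response shape.

Added example; not code from the AuthZen spec or any implementation.
Assumptions (not on the page): the endpoint path /access/v1/evaluation,
the toy policy table, and the constructed sample request below.
"""
import json
from urllib.parse import urlparse

REQUIRED_TOP_LEVEL = ("subject", "action", "resource")  # context is optional


def validate_evaluation_request(req: dict) -> list[str]:
    """Return a list of problems; an empty list means the request is well formed."""
    errors = []
    for key in REQUIRED_TOP_LEVEL:
        if not isinstance(req.get(key), dict):
            errors.append(f"missing or malformed required field: {key}")
    if not errors:
        for entity in ("subject", "resource"):
            for attr in ("type", "id"):
                if not isinstance(req[entity].get(attr), str):
                    errors.append(f"{entity}.{attr} must be a string")
        if not isinstance(req["action"].get("name"), str):
            errors.append("action.name must be a string")
    if "context" in req and not isinstance(req["context"], dict):
        errors.append("context, when present, must be an object")
    return errors


# Hypothetical policy table: resource type -> action name -> departments allowed.
TOY_POLICY = {
    "book": {
        "can_read": {"Sales", "Engineering", "Library"},
        "can_update": {"Library"},
        "can_delete": {"Library"},
    }
}


def pdp_evaluate(req: dict, policy: dict = TOY_POLICY) -> dict:
    """Toy PDP: produce an evaluation response for a request."""
    errors = validate_evaluation_request(req)
    if errors:
        # Malformed request: deny, explain to the admin, keep the user message generic.
        return {"decision": False,
                "context": {"reason_admin": {"en": "; ".join(errors)},
                            "reason_user": {"en": "Request could not be evaluated"}}}
    dept = req["subject"].get("properties", {}).get("department")
    allowed = policy.get(req["resource"]["type"], {}).get(req["action"]["name"], set())
    if dept in allowed:
        return {"decision": True}
    return {"decision": False,
            "context": {"reason_admin": {"en": f"department {dept!r} not permitted "
                                               f"{req['action']['name']} on "
                                               f"{req['resource']['type']}"},
                        "reason_user": {"en": "Insufficient privileges. "
                                              "Contact your administrator"}}}


def pep_endpoint(pdp_base_url: str) -> str:
    """PEP side: refuse anything but HTTPS (the API requires it) and build the
    evaluation URL. The path is the draft's evaluation endpoint (assumed here)."""
    parsed = urlparse(pdp_base_url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError("PDP must be reached over HTTPS")
    return pdp_base_url.rstrip("/") + "/access/v1/evaluation"


def pep_enforce(response_body: str) -> bool:
    """PEP side: permit only on an explicit boolean true; anything else fails closed."""
    try:
        body = json.loads(response_body)
    except json.JSONDecodeError:
        return False
    return isinstance(body, dict) and body.get("decision") is True


# Constructed sample request, shaped like the page's example.
SAMPLE_REQUEST = {
    "subject": {"type": "user", "id": "alice@acmecorp.com",
                "properties": {"department": "Sales"}},
    "resource": {"type": "book", "id": "123"},
    "action": {"name": "can_read", "properties": {"method": "GET"}},
    "context": {"time": "1985-10-26T01:22-07:00"},
}

if __name__ == "__main__":
    print(pep_endpoint("https://pdp.example"))
    print(json.dumps(pdp_evaluate(SAMPLE_REQUEST), indent=2))
```

The fail-closed check in pep_enforce is the part worth copying: a PEP that treats a missing, null, or string-typed decision as permit turns any transport or parsing error between PEP and PDP into an authorization bypass.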
Future Plans
Based on discussions at KubeCon 2024 NA, AuthZen’s roadmap focuses on API improvements and ecosystem collaboration.
API Enhancements
- Authorization API 1.1: Support multi-resource authorization requests in a single call.
- Resource Search API: Discover all resources accessible to a subject.
- Subject Search API: Identify all subjects authorized to access a resource.
Ecosystem Collaboration
- Collaborating with adopters like Workday and Salesforce to externalize authorization.
- Partnering with API gateway providers to integrate AuthZen into their products.
- Expanding interoperability scenarios.
- Adding more implementations, particularly for Relationship-Based Access Control (ReBAC) systems.
- Addressing policy discovery/management and event delegation to PDP/PIP.
Conclusion
The AuthZen Working Group aims to provide standardized mechanisms, protocols, and formats for exchanging authorization-related information across diverse components within or across organizations. Its primary focus is on ensuring interoperability between PEP and PDP.
To achieve this, AuthZen has developed the Authorization API 1.0, which standardizes communication between PEP and PDP. This article highlighted key features of the API, including its information model, evaluation request/response structure, and communication standards.
References
- AuthZen Working Group
- Authorization API 1.0 Draft
- KubeCon 2024 NA — AuthZEN: The OpenID Connect of Authorization Video | Slides