
OpenID Authorization Exchange (AuthZEN)
There are many approaches to implement fine-grained authorization and many different types of Entitlement Management Systems in the market. For the most part they all strive to bring the ability to perform fine-grained authorization of access to data beyond what is possible with the traditional Access Control List (ACL) or Role-Based Access Control (RBAC) models.
The challenge is that there is no interoperability between these different authorization standards and frameworks. The implementer of the enforcement point (PEP) needs to decide which approach to use and is thus, to a great extent, locked into a specific solution, standard or framework. For example, an enforcement point intended to work with Open Policy Agent (OPA) will not work with a XACML PDP and vice versa: the PDP of one framework does not understand the request that comes from an enforcement point of another framework.
AuthZEN is a working group within the OpenID Foundation which aims to standardize the way components can communicate authorization relation information. The goal is to increase interoperability between existing approaches and to make it easier for developers to implement fine-grained authorization in their applications.
Standardization
The AuthZEN working group published a draft, the Authorization API 1.0, to standardize the communication pattern between the PEP and PDP. In a common authorization architecture, the client (PEP) asks a centralized PDP for an authorization decision. In doing so the PEP sends an authorization request to the PDP. The format of this request matters because the PDP needs to understand the message. The PDP looks at the values of the incoming request and then evaluates that against the policy. If the PDP cannot understand the format of the incoming request the authorization will fail.
The Authorization API provides a standardized JSON-based format for the request and response between the PEP and the PDP. The request contains subject, resource, action and context entities, with some attributes pre-defined and required. For example, a set of actions such as can_create, can_read and can_update is pre-defined, but using them is not mandatory.
A client calls an access evaluation API to get a boolean decision which optionally also includes context that can be used for step-up authentication, fields to redact, etc.
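The PEP/PDP exchange described above, as an added example that is not Curity's or the AuthZEN working group's code. It builds an evaluation request with the subject, resource, action and context entities, and a toy PDP validates the shape before deciding, failing closed on a request it cannot understand; the policy table, the role attribute and the endpoint path are assumptions for illustration.

```python
import json

# Constructed stand-in for a vendor-specific policy (hypothetical): maps
# (subject type, resource type) -> role -> set of permitted action names.
POLICY = {
    ("user", "account"): {
        "owner": {"can_read", "can_update", "can_delete"},
        "auditor": {"can_read"},
    },
}

def build_evaluation_request(subject_id, resource_id, action, props=None, context=None):
    """PEP side: assemble an AuthZEN-style access evaluation request body."""
    return {
        "subject": {"type": "user", "id": subject_id, "properties": props or {}},
        "resource": {"type": "account", "id": resource_id},
        "action": {"name": action},
        "context": context or {},
    }

def evaluate(req):
    """PDP side: check the required entities, then decide. Fails closed."""
    try:
        subject, resource = req["subject"], req["resource"]
        action_name = req["action"]["name"]
        key = (subject["type"], resource["type"])
        if not subject["id"] or not resource["id"]:
            raise ValueError("empty identifier")
    except (KeyError, TypeError, ValueError):
        # Malformed or unexpected request shape: deny, and say why in context.
        return {"decision": False, "context": {"reason": "malformed_request"}}
    role = subject.get("properties", {}).get("role")
    allowed = POLICY.get(key, {}).get(role, set())
    decision = action_name in allowed
    response = {"decision": decision}
    if not decision:
        # Optional context the PEP can act on (e.g. log, prompt for step-up).
        response["context"] = {"reason": "denied_by_policy"}
    return response

def pdp_endpoint(body):
    """Handler for POST /access/v1/evaluation (path assumed): JSON in, JSON out."""
    try:
        req = json.loads(body)
    except ValueError:
        req = None
    return json.dumps(evaluate(req))
```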
Interoperability
One of the goals of AuthZEN is to make it so that a PEP can be implemented once to work with any PDP supporting the AuthZEN standard. It enables PEPs to integrate with any PDP that supports the standard no matter the underlying authorization approach or policy language.
There is no interoperability across different solutions today, and applications often rely on vendor-specific solutions to enforce authorization. The Authorization API enables a PEP and a PDP from different vendors to work together. It provides a universal interface that still allows the surrounding components used by the PDP, like the policy, to remain vendor-specific.
This should greatly improve the adoption of fine-grained authorization in commercial, off-the-shelf or SaaS applications. With broader adoption by application vendors implementing PEP capabilities in their applications, organizations can take control of their fine-grained authorization approach by bringing their own PDP. This allows businesses to implement their own policies using the tooling of their choice.
Summary
AuthZEN is a working group within the OpenID Foundation that strives to standardize fine-grained authorization. The goal is to increase interoperability between existing solutions and thus make it easier for developers to implement fine-grained authorization in their applications. The working group designed an Authorization API to standardize the request and response schema between the PEP and the PDP. In this way, applications can integrate with many different PDPs. In some ways AuthZEN can be viewed as the OpenID Connect for authorization, with the potential to revolutionize fine-grained authorization.
Jonas Iggbom
Director of Sales Engineering at Curity