The purpose of the AuthZEN WG is to provide standard mechanisms, protocols and formats to communicate authorization related information between components within one organization or across organizations, which may have been developed or sourced from different entities.

Centralized authentication services have revolutionized identity management and security best practices by removing the burden of repeatedly implementing identity lifecycle management within individual applications and by giving users a more seamless and consistent authentication experience. Protocols such as SAML and OIDC facilitate this approach to single sign-on and federated environments.

Authorization capabilities are in need of a similar paradigm shift to enable applications to better support more fine-grained, dynamic authorization than what is afforded by today’s commonly used pattern of embedding entitlements into OAuth2 bearer tokens after user authentication. This is not a new idea and we already have various approaches to implementing externalized authorization – commonly called “P*P” architectures (PIP, PDP, PEP, etc.). Examples include architectures based on IDQL, OPA/Rego, XACML and Zanzibar. Deploying any of these authorization architectures can be challenging from implementation complexity, granularity, and scalability perspectives; interoperability between different architectures and between different implementations are particularly challenging.

 The purpose of this WG is to explore how to improve the deployability, scalability and interoperability of dynamic, fine-grained authorization schemes to better meet the needs of modern information security best practices. In particular, we need to make authorization easy for an organization to deploy and operate authorization capabilities across their entire application estate, including both SaaS services and internally developed applications (whether they be on-prem or in the Cloud).

Note that this is not necessarily an effort to define yet another authorization architecture or runtime policy language. Instead, the WG will develop OpenID Foundation Final Specifications which leverage existing architectures and protocols as much as possible. Where appropriate, the WG intends to collaborate with international standards development organizations, such as ISO/IEC JTC 1, ITU-T, and IETF, for recognition of these OpenID Foundation specifications.