STANDARD
OpenID AuthZEN — Primer
OpenID AuthZEN defines a standard authorization decision API and data model to externalize fine‑grained access control.
Why it matters
Standards reduce risk and vendor lock‑in. We implement this spec across our Studios and runtime so policy is portable.
Where it’s enforced
- Gateway: pre‑execution gating (plan/schema pins, params/egress)
- Shield: inline budgets/stream caps/content checks
- PDP: decisions with constraints/obligations/TTL
- IdP: passports, token exchange, consent/DPoP
How it works (high level)
OpenID AuthZEN (OIDF) defines an authorization decision API and common data model to externalize fine‑grained authorization. It complements OAuth/OIDC by standardizing decision requests/responses (subject, action, resource, context) and obligations.
```mermaid
sequenceDiagram
    participant Client
    participant PDP as AuthZ Decision Service
    participant RS as Resource Server
    Client->>PDP: evaluate(subject, action, resource, context)
    PDP-->>Client: { decision, constraints, obligations }
    Client->>RS: Enforce decision + constraints
```
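The exchange above, worked through in code as an added example (not part of this page or of the product it describes): a client builds an AuthZEN-shaped evaluation request (`subject`, `action`, `resource`, optional `context`), a toy PDP validates it and returns `decision` plus a `context` object, and an enforcement point refuses to act when it cannot honour the obligations it was handed. The policy rules, the document owners and roles, and the `ttl_seconds`/`obligations` keys inside the response `context` are all constructed for illustration; AuthZEN leaves the response `context` open to the implementation, so those key names are an assumption, not the standard's vocabulary. The PDP fails closed: a malformed request yields `decision: false` rather than an exception.

```python
"""AuthZEN-style decision request/response round trip (constructed example)."""

# Required objects and the string fields each must carry in an evaluation request.
REQUIRED_SHAPE = {
    "subject": ("type", "id"),
    "action": ("name",),
    "resource": ("type", "id"),
}

# Constructed sample data standing in for a real policy store.
DOC_OWNERS = {"doc-1": "alice", "doc-2": "bob"}
ROLES = {"alice": {"editor"}, "bob": set(), "carol": {"viewer"}}


def build_request(subject_id, action, resource_type, resource_id, context=None):
    """Client side: assemble the JSON body an AuthZEN evaluation call carries."""
    return {
        "subject": {"type": "user", "id": subject_id},
        "action": {"name": action},
        "resource": {"type": resource_type, "id": resource_id},
        "context": context or {},
    }


def validate_request(req):
    """Return a list of shape problems; an empty list means the request is well-formed."""
    problems = []
    for key, fields in REQUIRED_SHAPE.items():
        obj = req.get(key)
        if not isinstance(obj, dict):
            problems.append(f"missing object: {key}")
            continue
        for f in fields:
            if not isinstance(obj.get(f), str) or not obj[f]:
                problems.append(f"{key}.{f} must be a non-empty string")
    if "context" in req and not isinstance(req["context"], dict):
        problems.append("context must be an object")
    return problems


def evaluate(req):
    """PDP side: returns {"decision": bool, "context": {...}} and fails closed."""
    problems = validate_request(req)
    if problems:
        return {"decision": False,
                "context": {"reason": "malformed_request", "problems": problems}}
    subj = req["subject"]["id"]
    action = req["action"]["name"]
    res = req["resource"]
    if res["type"] != "document":
        return {"decision": False, "context": {"reason": "unknown_resource_type"}}
    owner = DOC_OWNERS.get(res["id"])
    roles = ROLES.get(subj, set())
    # Constraints/obligations ride in the response context; the key names are assumed here.
    if action == "can_read" and (owner == subj or roles & {"editor", "viewer"}):
        return {"decision": True,
                "context": {"ttl_seconds": 60, "obligations": ["log_access"]}}
    if action == "can_edit" and owner == subj:
        return {"decision": True,
                "context": {"ttl_seconds": 30, "obligations": ["log_access", "require_mfa"]}}
    return {"decision": False, "context": {"reason": "no_matching_rule"}}


def enforce(response, mfa_verified, supported_obligations=("log_access", "require_mfa")):
    """Enforcement point: act only on a permit whose obligations can all be honoured."""
    if not response.get("decision"):
        return False
    obligations = response.get("context", {}).get("obligations", [])
    if any(o not in supported_obligations for o in obligations):
        return False  # unknown obligation: refuse rather than silently drop it
    if "require_mfa" in obligations and not mfa_verified:
        return False
    return True


if __name__ == "__main__":
    req = build_request("alice", "can_edit", "document", "doc-1")
    resp = evaluate(req)
    print(resp, "->", "allowed" if enforce(resp, mfa_verified=True) else "denied")
```

Running the module evaluates one request end to end; the same `evaluate` and `enforce` functions can be exercised with any request shape to see where the fail-closed paths trigger.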