STANDARD
OpenID AuthZEN-draft04 — Primer
OpenID AuthZEN Draft‑04 consolidates models and endpoints: evaluation (single/batch) and query (search) with obligations/advice.
Why it matters
Standards reduce integration risk and vendor lock‑in: a PEP written against the AuthZEN request/response shape can be pointed at any conforming PDP. We implement this spec across our Studios and runtime so policy is portable.
Where it’s enforced
- Gateway: pre‑execution gating (plan/schema pins, parameter and egress checks)
- Shield: inline budgets, stream caps and content checks
- PDP: decisions returned with constraints, obligations and a TTL
- IdP: passports, token exchange, consent and DPoP
How it works (high level)
Draft‑04 consolidates endpoints and models: /access/v1/evaluation (single decision), /access/v1/evaluations (batch), /access/v1/query (search). An AuthorizationRequest names the subject, the action, the resource and any context the PDP needs; the AuthorizationResponse carries the boolean decision, plus obligations, advice, and an optional status. The caller (the PEP) treats anything other than an explicit permit as deny and must honour every obligation before the call reaches the resource; an obligation the PEP does not understand is a deny.
```mermaid
sequenceDiagram
autonumber
participant Client
participant PDP
participant RS as Resource Server
Client->>PDP: POST /access/v1/evaluation (AuthorizationRequest)
PDP-->>Client: AuthorizationResponse { decision, obligations }
Client->>RS: Enforce constraints/obligations
```
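The round trip above, as an added in-process example (not code from this page, the product, or the AuthZEN spec). The request shape (subject/action/resource/context) and the boolean `decision` with an optional `context` object in the response follow the AuthZEN draft; the policy table, the `fake_pdp_*` functions standing in for the PDP endpoints, the batch default-merging, and the obligation names (`redact`, `max_bytes`, `ttl_seconds`) under `context.obligations` are assumptions made for illustration.

```python
"""Added example: AuthZEN-style evaluate/enforce round trip without a network.

Assumptions (not from the spec or the product): the POLICY table, the
in-process fake_pdp_* functions standing in for POST /access/v1/evaluation
and /access/v1/evaluations, and the obligation keys carried under
response["context"]["obligations"].
"""
import json

# Constructed policy: (subject type, action name, resource type) -> (permit?, obligations)
POLICY = {
    ("user", "read", "document"): (True, {}),
    ("user", "write", "document"): (True, {"ttl_seconds": 300, "redact": ["ssn"]}),
    ("agent", "read", "document"): (True, {"max_bytes": 65536}),
}


def authorization_request(subject_id, subject_type, action, resource_id, resource_type, context=None):
    """Build an AuthZEN evaluation request body (the draft's subject/action/resource/context shape)."""
    return {
        "subject": {"type": subject_type, "id": subject_id},
        "action": {"name": action},
        "resource": {"type": resource_type, "id": resource_id},
        "context": context or {},
    }


def fake_pdp_evaluate(req):
    """Stand-in for POST /access/v1/evaluation. Default-deny: unknown tuples get decision=false.

    The response carries the spec's boolean `decision`; obligations are placed under
    `context.obligations` (assumed key names) and only on a permit.
    """
    key = (req["subject"]["type"], req["action"]["name"], req["resource"]["type"])
    allowed, obligations = POLICY.get(key, (False, {}))
    # Context-dependent deny: a caller-flagged high-risk request is refused even if policy permits.
    if req.get("context", {}).get("risk") == "high":
        allowed = False
    return {"decision": allowed, "context": {"obligations": obligations} if allowed else {}}


def fake_pdp_evaluations(batch):
    """Stand-in for POST /access/v1/evaluations (batch).

    Assumed semantics: top-level subject/action/resource/context are defaults that
    each item in `evaluations` may override; one response per item, in order.
    """
    defaults = {k: batch[k] for k in ("subject", "action", "resource", "context") if k in batch}
    return {"evaluations": [fake_pdp_evaluate({**defaults, **item}) for item in batch["evaluations"]]}


def enforce(resp, payload):
    """PEP side: apply the decision and every obligation before the resource server sees the call.

    Returns (allowed, payload_after_obligations). Fails closed on a deny, on an
    obligation that cannot be met, and on an obligation the PEP does not recognise.
    """
    if resp.get("decision") is not True:
        return False, None
    out = dict(payload)
    for name, value in resp.get("context", {}).get("obligations", {}).items():
        if name == "redact":            # strip named fields before forwarding
            for field in value:
                out.pop(field, None)
        elif name == "max_bytes":       # cap the forwarded payload size
            if len(json.dumps(out).encode()) > value:
                return False, None
        elif name == "ttl_seconds":     # record how long this decision may be cached
            out["_decision_ttl"] = value
        else:                           # unknown obligation: deny rather than guess
            return False, None
    return True, out


if __name__ == "__main__":
    req = authorization_request("alice", "user", "write", "doc-1", "document")
    resp = fake_pdp_evaluate(req)
    print(json.dumps(resp))
    print(enforce(resp, {"body": "hello", "ssn": "000-00-0000"}))
```

Everything the PEP forwards has passed through `enforce`, so a new obligation type the PEP has not been taught turns into a deny instead of a silent bypass; that is the behaviour to keep when wiring the real `/access/v1/evaluation` endpoint in place of `fake_pdp_evaluate`.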