authzen icon indicating copy to clipboard operation
authzen copied to clipboard
verified publisher icon openid

Explain motivation behind the "can_*" naming pattern for common actions

Open randomstuff opened this issue 1 year ago • 1 comments

Common action names follow a can_* naming pattern. It is not clear, why this pattern is chosen. Why is it can_read and not `read?

All the examples in the repository follow this pattern. Are custom actions expected to follow this pattern as well?

Having plain actions names seems better to me as an implementation could directly map authzen action names to OAuth scope.

randomstuff avatar Sep 23 '24 18:09 randomstuff

Following on this thread and Issue #123, I think actions should be defined only as case-insensitive strings. Applications and PDPs use a wide variety of ways to express actions (example: URNs). The PDP/PEP interaction should be agnostic to the value of the action. IMO, the use of can may be common but it also seems stylistic more than useful.

For example: GCP Bind uses forms like roles/iap.httpsResourceAccessor, Cedar uses PhotoApp::Action::"viewPhoto".

I think standardizing formats for subject, actions, and resources would have to come in another specification because it requires the PDP and PEP to agree on a common application information model.

independentid avatar Oct 03 '24 19:10 independentid

We've decided to take out the "common actions" from the 1.0 version of the spec, because it's confusing. This will show up in 1.0.2.

ogazitt avatar Dec 03 '24 21:12 ogazitt

Common actions no longer exist in version 1.0.2: https://openid.github.io/authzen/authorization-api-1_0_02

ogazitt avatar Jan 07 '25 21:01 ogazitt