
normativeness of "Common Actions"

Open tr33 opened this issue 2 years ago • 3 comments

"Common Actions" currently defines 4 CRUD and one generic "access" action.

Are those normative and mandatory for PDP/PEP spec compliance? How should a PDP respond in cases where a common action is not implemented or does not make sense for a Subject/Resource combination or policy?

tr33 avatar Nov 06 '23 13:11 tr33

There are also "Custom Actions". https://github.com/openid/authzen/blob/main/authorization-api-1_0.md#custom-actions

baboulebou avatar Nov 07 '23 01:11 baboulebou

See section 3.7.2

ggebel avatar Nov 14 '23 20:11 ggebel

Section 3.7.2 only states that custom actions can be any other arbitrary string. But there are use cases where an action represents an actual function with parameters and values that are subject to a policy decision. Example use cases for such actions:

  • transfer_money (amount = 100, currency = XY)
  • set_credit_amount (value = 20000)

A policy might not only want to check if a subject has the permission to perform an action on a resource, but also check complex parameter values of that action at runtime.

Suggestion: make a clear statement that the "action" can be represented either as a) a string value, referring to an arbitrary action in the context of the policy, or b) a JSON representation of a complex object that represents an action with attributes and/or parameters. Example representation:

"action": {
  "name": "transfer_money",
  "amount": 100.00,
  "currency": "EUR"
}

To be clear: both forms should be legitimate and supported representations for "actions". That's up to the PEP/PDP/Policy.

tr33 avatar Nov 14 '23 20:11 tr33
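As an added illustration of the dual action representation proposed in the comment above (not code from the thread or from the AuthZEN project), a minimal PDP-side evaluator that accepts the action either as a bare string or as an object carrying `name` plus parameters, and fails closed when a parameterised action arrives without the values the policy needs. The request layout, the `roles` subject property, the `transfer_money` limit and the sample request are all constructed assumptions.

```python
# Constructed example: evaluate an AuthZEN-style request whose "action" is
# either a string (common/custom action) or an object with a "name" and
# parameters, as suggested in the issue. Policy rules here are assumptions.

MAX_TRANSFER = {"EUR": 1000.00}  # constructed per-currency ceiling

# Constructed sample evaluation request (subject/resource/action layout assumed).
SAMPLE_REQUEST = {
    "subject": {"type": "user", "id": "alice@example.com",
                "properties": {"roles": ["teller"]}},
    "resource": {"type": "account", "id": "DE00-0001"},
    "action": {"name": "transfer_money", "amount": 100.00, "currency": "EUR"},
}


def normalize_action(action):
    """Return (name, params) for a string or object action; reject anything else."""
    if isinstance(action, str):
        return action, {}
    if isinstance(action, dict) and isinstance(action.get("name"), str):
        return action["name"], {k: v for k, v in action.items() if k != "name"}
    raise ValueError("action must be a string or an object with a string 'name'")


def evaluate(request):
    """Return the PDP decision (True = permit, False = deny) for one request."""
    name, params = normalize_action(request["action"])
    roles = request["subject"].get("properties", {}).get("roles", [])

    if name == "can_read":                    # common action, no parameters needed
        return "reader" in roles or "teller" in roles
    if name == "transfer_money":              # parameterised custom action
        if "teller" not in roles:
            return False
        amount, currency = params.get("amount"), params.get("currency")
        if not isinstance(amount, (int, float)) or currency not in MAX_TRANSFER:
            return False                      # missing or unknown parameters: deny
        return 0 < amount <= MAX_TRANSFER[currency]
    return False                              # unknown action: deny by default


def decide(request):
    """Wrap the boolean in the response shape used by the evaluation API."""
    return {"decision": evaluate(request)}


if __name__ == "__main__":
    print(decide(SAMPLE_REQUEST))  # {'decision': True}
```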