
PDP evaluation status

Open tr33 opened this issue 2 years ago • 4 comments

A PDP may involve third party components into policy evaluation as a sub-query, i.e. a Policy Information Point (PIP) which holds additional information about the resource/subjects relationships or other metadata required for the policy.

If one of those sub-queries fails (e.g. because the PIP is down or the query could not be processed correctly), the PDP should communicate this situation to the PEP.

There should be a response scheme by the PDP for the PEP, where the PDP differentiates between "yes, I have understood your decision request and here is your response for enforcement" and "I have trouble deciding on your request, so my response would be neither a 'yes' nor a 'no'".

Proposal wording for discussion:

If successful, the PDP returns a `200 OK` response code and an evaluation result document in the response body.
A successful response **always** contains the following elements:

* status: indicates whether the request was processed without errors and contains a valid authorization decision, OR if there were any errors. Possible values:
    * "success": authorization request successfully evaluated, no errors.
    * "error": Some errors occurred during the evaluation or the input parameters were faulty. In this case, an element "error" is included.
* allow: <true/false> gives the PDP's policy decision. `true` indicates "permission granted", `false` indicates "permission denied".

tr33 avatar Nov 06 '23 14:11 tr33
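An added example, not part of the issue or of any AuthZEN specification text: a PEP-side parser for the response format proposed above that maps each reply to permit, deny or indeterminate, and grants access only on an explicit permit. The names `Outcome`, `Evaluation`, `parse_evaluation` and `is_permitted`, the string form of the `error` element, and the fail-closed handling of indeterminate results are assumptions made for illustration.

```python
import json
from enum import Enum
from typing import NamedTuple, Optional


class Outcome(Enum):
    PERMIT = "permit"
    DENY = "deny"
    INDETERMINATE = "indeterminate"  # the PDP could not reach a decision


class Evaluation(NamedTuple):
    outcome: Outcome
    detail: Optional[str] = None


def parse_evaluation(http_status: int, body: str) -> Evaluation:
    """Map a PDP reply in the proposed format to a three-state outcome."""
    if http_status != 200:
        return Evaluation(Outcome.INDETERMINATE, f"unexpected HTTP status {http_status}")
    try:
        doc = json.loads(body)
    except ValueError:
        return Evaluation(Outcome.INDETERMINATE, "body is not valid JSON")
    if not isinstance(doc, dict):
        return Evaluation(Outcome.INDETERMINATE, "body is not a JSON object")
    status = doc.get("status")
    if status == "error":
        # Ignore "allow" here: the evaluation did not complete (e.g. PIP down).
        return Evaluation(Outcome.INDETERMINATE, json.dumps(doc.get("error")))
    if status != "success":
        return Evaluation(Outcome.INDETERMINATE, f"unknown status {status!r}")
    allow = doc.get("allow")
    # Require a real JSON boolean; "true", 1 or a missing key is not a decision.
    if allow is True:
        return Evaluation(Outcome.PERMIT)
    if allow is False:
        return Evaluation(Outcome.DENY)
    return Evaluation(Outcome.INDETERMINATE, "allow is missing or not a boolean")


def is_permitted(evaluation: Evaluation) -> bool:
    """Fail closed (assumed PEP policy): only an explicit PERMIT grants access."""
    return evaluation.outcome is Outcome.PERMIT


# Constructed sample: a sub-query failed, yet the body still carries allow=true.
SAMPLE_ERROR = '{"status": "error", "allow": true, "error": "PIP unavailable"}'
```

Because the proposal says a response always contains `allow`, an error reply can still carry `"allow": true`; checking `status` first keeps that value from being enforced.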

This issue can be postponed to later discussion.

tr33 avatar Nov 14 '23 17:11 tr33

This issue will remain open until the group decides on the overall structure of the API for request and response formats.

ggebel avatar Nov 14 '23 17:11 ggebel