authzen icon indicating copy to clipboard operation
authzen copied to clipboard
verified publisher icon openid

incorporated subject identifiers from RFC9493

Open tulshi opened this issue 2 years ago • 2 comments

tulshi avatar Dec 11 '23 23:12 tulshi

question to definition of

"format": "ip_address",

the examples only contain IPv4 adresses. But IPv4 is overaged and new systems must be IPv6 compatible. however, both address formats will remain in the wild for sure a long time.

Question: should the ip address be typed in order to distinguish between multiple versions an formats? like to distinguish between address netmask (a.b.c.d/24) and IPv6?

also, IPv6 address can be formatted ambiguously (see Issue #46 )

tr33 avatar Dec 12 '23 19:12 tr33

I get the value of relying on another established spec for subject identification, but I think there are 2-3 important use-cases missing:

  1. "format": "jwt": a base64 encoded JWT 2."format": "sub": a subject (identity) which is the sub claim from a structured token like a JWT
  2. "format": "string": an opaque string (the PEP passes a string that is meaningful in the context of the policy being evaluated - e.g. it's a key that can be looked up by the policy and resolved into a subject)

In addition, would it make sense to allow something like "format": "anonymous" to be able to enforce policy that isn't subject-specific? For example, time of day or IP address range enforcement?

ogazitt avatar Dec 20 '23 22:12 ogazitt

I am closing this PR as we've since done major rework to the API that voids the work done in this PR.

davidjbrossard avatar Jun 27 '24 17:06 davidjbrossard