
In a pair of posts last year, we described why OpenID AuthZEN matters, and celebrated AuthZEN’s one-year anniversary with a retrospective.
And in 2025 the momentum keeps building. The working group has published draft 02, which formalizes a way to evaluate multiple decisions in a single payload, and draft 03, which defines search capabilities for subjects, resources, and actions.
Next interop: Gartner IAM
Industry support for AuthZEN also continues to rise. Our next big interop showcase is at the Gartner IAM Summit in London this March. Our initial todo-based interop scenario has been expanded to include two enforcement points - route authorization at the API gateway, and fine-grained authorization by the application itself.
We had enough room for a total of 15 implementations at the show, and we’re excited that the demand for spots exceeded that number. A total of 8 PDP vendors and 7 API gateway vendors will be showing off their AuthZEN integration live at Gartner, and many more are expected to be compliant with the interop scenario by then.
Native support in Topaz
And as for Aserto, we’re proud to announce that as of Topaz 0.32.54, we support the native AuthZEN endpoints, across both the HTTP REST and gRPC bindings.
Let’s explore this in the context of the gdrive template in Topaz.
If you don’t have Topaz installed, first install it with Homebrew:
brew tap aserto-dev/tap && brew install topaz
Then install the gdrive template:
topaz templates install gdrive
This will install a model that emulates Google Drive, with a set of users modeled after the Rick & Morty cartoon, and a set of folders and files with relationships to the various users.

Evaluation requests
Let’s use the AuthZEN API to determine whether Morty can delete his own journal.
To issue an AuthZEN evaluation call to Topaz, simply execute the following curl:
curl -X POST https://localhost:9393/access/v1/evaluation -d '{
  "subject": {
    "type": "user",
    "id": "morty@the-citadel.com"
  },
  "action": {
    "name": "can_delete"
  },
  "resource": {
    "type": "doc",
    "id": "morty.journal"
  }
}'
Topaz responds with a positive decision:
{
  "decision": true,
  "context": {}
}
Topaz also makes use of the AuthZEN context field in the response to provide a reason why an evaluation failed. For example, if a subject, resource, or action was not found, Topaz will respond in the following way:
curl -X POST https://localhost:9393/access/v1/evaluation -d '{
  "subject": {
    "type": "user",
    "id": "jerry@the-smiths.com"
  },
  "action": {
    "name": "can_remove"
  },
  "resource": {
    "type": "doc",
    "id": "morty.journal"
  }
}'
{
  "decision": false,
  "context": {
    "reason": "E20035 relation not found: relation: doc#can_remove"
  }
}
Search requests
Topaz also supports the “search” capabilities introduced in draft 03, which answer questions like “which users can perform an action on this resource?” and “which resources can this user perform an action on?”.
For example, to find out which users can read Morty’s journal, issue the following curl:
curl -X POST https://localhost:9393/access/v1/search/subject -d '{
  "subject": {
    "type": "user"
  },
  "action": {
    "name": "can_read"
  },
  "resource": {
    "type": "doc",
    "id": "morty.journal"
  }
}'
Topaz responds with the following results:
{
  "results": [
    {
      "type": "user",
      "id": "morty@the-citadel.com",
      "properties": null
    },
    {
      "type": "user",
      "id": "beth@the-smiths.com",
      "properties": null
    }
  ],
  "page": {
    "next_token": ""
  }
}
Searching in the opposite direction also works. To find out which documents Morty can delete, issue the following curl:
curl -X POST https://localhost:9393/access/v1/search/resource -d '{
  "subject": {
    "type": "user",
    "id": "morty@the-citadel.com"
  },
  "action": {
    "name": "can_delete"
  },
  "resource": {
    "type": "doc"
  }
}'
Topaz will respond with the following results:
{
  "results": [
    {
      "type": "doc",
      "id": "morty.shared.notes",
      "properties": null
    },
    {
      "type": "doc",
      "id": "morty.journal",
      "properties": null
    }
  ],
  "page": {
    "next_token": ""
  }
}
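The evaluation and search calls above, wrapped in a small fail-closed client, as an added example that is not Aserto's own SDK or Topaz code. It assumes the endpoints and JSON shapes shown in this post; the `transport` parameter and `stub_transport` are hypothetical hooks that replay the responses above so the example runs offline.

```python
"""Minimal AuthZEN client for Topaz (added example, not Aserto's own SDK).
Assumes the endpoints and JSON shapes shown in the post; the `transport`
parameter is a hypothetical hook so the example can run offline."""
import json
import urllib.request

BASE_URL = "https://localhost:9393/access/v1"  # Topaz URL from the post

def http_transport(url, body):
    """Default transport: POST a JSON body to Topaz and decode the reply."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)

def evaluate(subject_id, action, rtype, rid, transport=http_transport):
    """One AuthZEN evaluation. Fails closed: only a literal boolean true
    decision grants access; errors and malformed replies deny, keeping
    the context.reason Topaz attaches to failed evaluations."""
    body = {"subject": {"type": "user", "id": subject_id},
            "action": {"name": action},
            "resource": {"type": rtype, "id": rid}}
    try:
        reply = transport(f"{BASE_URL}/evaluation", body)
    except Exception as exc:  # network, TLS or JSON decode failure
        return False, f"pdp unreachable: {exc}"
    if reply.get("decision") is not True:
        return False, reply.get("context", {}).get("reason", "denied")
    return True, ""

def search_subjects(action, rtype, rid, transport=http_transport):
    """Draft 03 subject search: which users may do `action` on the resource."""
    body = {"subject": {"type": "user"}, "action": {"name": action},
            "resource": {"type": rtype, "id": rid}}
    reply = transport(f"{BASE_URL}/search/subject", body)
    return [r["id"] for r in reply.get("results", [])]

def stub_transport(url, body):
    """Constructed stand-in for Topaz that replays the responses shown above."""
    if url.endswith("/evaluation"):
        if body["subject"]["id"] == "morty@the-citadel.com" and body["action"]["name"] == "can_delete":
            return {"decision": True, "context": {}}
        return {"decision": False, "context": {"reason": "E20035 relation not found: relation: doc#can_remove"}}
    return {"results": [{"type": "user", "id": "morty@the-citadel.com", "properties": None},
                        {"type": "user", "id": "beth@the-smiths.com", "properties": None}],
            "page": {"next_token": ""}}
```

With the default `http_transport`, Python must trust the certificate Topaz serves on localhost; a rejected TLS handshake is surfaced as a deny rather than an exception at the enforcement point.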
Developer artifacts
For developers who want to target AuthZEN, the community has started contributing standard artifacts, including a JSON schema, an OpenAPI definition, and a protobuf definition for the protocol.
We also have executable documentation for the Topaz AuthZEN implementation here.
Next steps
We can’t wait until Gartner IAM London in March, where we will announce a number of new AuthZEN-compliant implementations, and demonstrate interoperability.
We also look forward to AuthZEN becoming a Final Specification later in 2025.
Happy hacking!