Open tr33 opened 10 months ago
My only concerns about these Subject attributes is that they are geared towards human Subjects. A smart IoT device or a Web Service could also be Subjects. Seems to me that Subject could be a JSON object with whatever attributes make sense to the implementer. Just enforce an id
and leave the rest open...
IP addresses belong to the network layer and may not be available to the PEP or may not affect many AuthZ decision requests. If the subject is identified through its IP address, then it should be the subjects "id" attribute.
Also, IPv6 addressing schemes can be rather complex and error-prone, due to multiple variations in syntax: eg. those are different variants of THE SAME ip address:
Its horrid to implement a unification/syntax check on PDPs/PEP side.
recommendation: