Open tr33 opened 11 months ago
There are also "Custom Actions". https://github.com/openid/authzen/blob/main/authorization-api-1_0.md#custom-actions
See section 3.7.2
Section 3.7.2 only states that custom actions can be any other arbitrary string. But there are use cases where an action represents an actual function with parameters and values that are subject to a policy decision. Example use case for such actions:
A policy might not only want to check if a subject has permission to perform an action on a resource, but also check complex parameter values of that action at runtime.
Suggestion: make a clear statement that the "action" can be represented either as a) a string value, referring to an arbitrary action in the context of the policy, or b) a JSON representation of a complex object that represents an action with attributes and/or parameters. Example representation:
```json
"action": {
  "name": "transfer_money",
  "amount": 100.00,
  "currency": "EUR"
}
```
To be clear: both forms should be legitimate and supported representations for "actions". That's up to the PEP/PDP/policy.
"Common Actions" currently defines 4 CRUD actions and one generic "access" action.
Are those normative and mandatory for PDP/PEP spec compliance? How should a PDP respond in cases where a common action is not implemented or does not make sense for a subject/resource combination or policy?
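To make the two proposed action forms concrete, here is an added example of a toy PDP that accepts an action either as a bare string or as a JSON object carrying parameters, and evaluates a parameterised policy over it. This is illustration code written for this thread, not code from the AuthZEN project, and it does not claim to implement the spec's evaluation request or response: the action names (`transfer_money`, `read`), the `transfer_limit_eur` subject property, the `owner` resource property, the deny-closed handling of an unimplemented action, and the sample requests are all constructed assumptions.

```python
"""Toy PDP (added example, not AuthZEN project code) showing how a decision
point could accept both action representations proposed in the issue:
  a) "action": "read"
  b) "action": {"name": "transfer_money", "amount": 100.00, "currency": "EUR"}
and evaluate policies that inspect the action's parameters at runtime.
"""
import json
from typing import Any, Callable, Dict, Tuple

Policy = Callable[[Dict[str, Any], Dict[str, Any], Dict[str, Any]], Tuple[bool, str]]


def _can_transfer(subject, resource, params):
    """Parameterised policy: the subject may move money only in EUR and only
    up to its own transfer limit. Attribute names are assumptions."""
    amount = params.get("amount")
    currency = params.get("currency")
    if not isinstance(amount, (int, float)) or not isinstance(currency, str):
        return False, "transfer_money requires numeric 'amount' and string 'currency'"
    if currency != "EUR":
        return False, f"currency {currency} not permitted"
    limit = subject.get("properties", {}).get("transfer_limit_eur", 0)
    if amount > limit:
        return False, f"amount {amount} exceeds subject limit {limit}"
    return True, "within transfer limit"


def _can_read(subject, resource, params):
    """Plain CRUD-style policy: only the resource owner may read it."""
    owner = resource.get("properties", {}).get("owner")
    return subject.get("id") == owner, "owner check"


# Constructed policy table: action name -> policy function.
POLICIES: Dict[str, Policy] = {"transfer_money": _can_transfer, "read": _can_read}


def normalize_action(action):
    """Accept both forms from the issue. Returns (name, params); a bare string
    yields empty params, an object yields everything except its 'name'."""
    if isinstance(action, str):
        return action, {}
    if isinstance(action, dict) and isinstance(action.get("name"), str):
        return action["name"], {k: v for k, v in action.items() if k != "name"}
    raise ValueError("action must be a string or an object with a string 'name'")


def evaluate(request_json: str) -> Dict[str, Any]:
    """Evaluate one access request and return a decision with a reason.
    Malformed or unimplemented actions are denied (deny-closed), which is
    this example's choice and not something the spec text mandates."""
    req = json.loads(request_json)
    try:
        name, params = normalize_action(req.get("action"))
    except ValueError as exc:
        return {"decision": False, "context": {"reason": str(exc)}}
    policy = POLICIES.get(name)
    if policy is None:
        return {"decision": False, "context": {"reason": f"action '{name}' not implemented"}}
    decision, reason = policy(req.get("subject", {}), req.get("resource", {}), params)
    return {"decision": decision, "context": {"reason": reason}}


# Constructed sample requests (not captured traffic).
SUBJECT = {"type": "user", "id": "alice", "properties": {"transfer_limit_eur": 500}}
ACCOUNT = {"type": "account", "id": "acct-1", "properties": {"owner": "alice"}}

TRANSFER_OK = json.dumps({"subject": SUBJECT, "resource": ACCOUNT,
                          "action": {"name": "transfer_money", "amount": 100.00, "currency": "EUR"}})
TRANSFER_TOO_LARGE = json.dumps({"subject": SUBJECT, "resource": ACCOUNT,
                                 "action": {"name": "transfer_money", "amount": 1000.0, "currency": "EUR"}})
READ_STRING_FORM = json.dumps({"subject": SUBJECT, "resource": ACCOUNT, "action": "read"})
UNKNOWN_ACTION = json.dumps({"subject": SUBJECT, "resource": ACCOUNT, "action": "delete"})
MALFORMED_ACTION = json.dumps({"subject": SUBJECT, "resource": ACCOUNT, "action": 42})

if __name__ == "__main__":
    for label, req in [("transfer ok", TRANSFER_OK), ("transfer too large", TRANSFER_TOO_LARGE),
                       ("read (string form)", READ_STRING_FORM), ("unknown action", UNKNOWN_ACTION),
                       ("malformed action", MALFORMED_ACTION)]:
        print(f"{label:20} -> {evaluate(req)}")
```

The point of `normalize_action` is that supporting both forms costs the PDP one branch: the string form simply becomes an object with no parameters, and every policy then sees the same `(subject, resource, params)` shape. Whether an unimplemented common action should be denied, reported as an error, or treated as "not applicable" is exactly the open question in the issue; the example picks deny-closed only because that is the safe default for an authorization component.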