Closed tulshi closed 2 months ago
I get the value of relying on another established spec for subject identification, but I think there are 2-3 important use-cases missing:
"format": "jwt"
: a base64 encoded JWT
2."format": "sub"
: a subject (identity) which is the sub
claim from a structured token like a JWT"format": "string"
: an opaque string (the PEP passes a string that is meaningful in the context of the policy being evaluated - e.g. it's a key that can be looked up by the policy and resolved into a subject)In addition, would it make sense to allow something like "format": "anonymous"
to be able to enforce policy that isn't subject-specific? For example, time of day or IP address range enforcement?
I am closing this PR as we've since done major rework to the API that voids the work done in this PR.
question to definition of
the examples only contain IPv4 adresses. But IPv4 is overaged and new systems must be IPv6 compatible. however, both address formats will remain in the wild for sure a long time.
Question: should the ip address be typed in order to distinguish between multiple versions an formats? like to distinguish between address netmask (a.b.c.d/24) and IPv6?
also, IPv6 address can be formatted ambiguously (see Issue #46 )