From 786a3510c09ecf8beecc022096e4a579dfeceb08 Mon Sep 17 00:00:00 2001
From: Gert Drapers <1533850+gertd@users.noreply.github.com>
Date: Mon, 24 Feb 2025 10:11:34 -0800
Subject: [PATCH 1/7] =?UTF-8?q?Authorization=20API=201.0=20=E2=80=93=20dra?= =?UTF-8?q?ft=2003?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 proto/access/v1/access.proto | 59 ++++++++++++++++++++++++++++++++++++
 1 file changed, 59 insertions(+)

diff --git a/proto/access/v1/access.proto b/proto/access/v1/access.proto
index 88a998f..051a62e 100644
--- a/proto/access/v1/access.proto
+++ b/proto/access/v1/access.proto
@@ -81,6 +81,37 @@ service Access {
       deprecated: false
     };
   }
+
+  // subject search
+  rpc SubjectSearch(SubjectSearchRequest) returns (SubjectSearchResponse) {
+    option (google.api.http) = {
+      post: "/access/v1/subjectsearch"
+      body: "*"
+    };
+    option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
+      tags: "authzen"
+      summary: "Subject Search API"
+      description: "TBD."
+      operation_id: "openid.authzen.access.v1.subjectsearch.post"
+      deprecated: false
+    };
+  }
+
+
+  // resource search
+  rpc ResourceSearch(ResourceSearchRequest) returns (ResourceSearchResponse) {
+    option (google.api.http) = {
+      post: "/access/v1/resourcesearch"
+      body: "*"
+    };
+    option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
+      tags: "authzen"
+      summary: "Resource Search API"
+      description: "TBD."
+      operation_id: "openid.authzen.access.v1.resourcesearch.post"
+      deprecated: false
+    };
+  }
 }
 
 message EvaluationRequest {
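Review bot: Both new RPCs carry `description: "TBD."` in their openapiv2_operation, so the generated OpenAPI document says nothing about what SubjectSearch or ResourceSearch returns or which request fields drive the search; the ActionSearch rpc added in PATCH 4 repeats the same placeholder. The leading comments (`// subject search`) are what protoc attaches to the methods and are just as thin. If the intended contract is "which subjects could perform this action on this resource", say so in both places, e.g. `description: "Returns the subjects for which the given action on the given resource is permitted, one page at a time."`, and confirm the wording against the spec section before committing it.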
@@ -108,6 +139,30 @@ message EvaluationsResponse {
   repeated EvaluationResponse decisions = 1;
 }
 
+message SubjectSearchRequest {
+  Subject subject = 1 [(google.api.field_behavior) = REQUIRED];
+  Action action = 2 [(google.api.field_behavior) = REQUIRED];
+  Resource resource = 3 [(google.api.field_behavior) = REQUIRED];
+  Page page = 4;
+}
+
+message SubjectSearchResponse {
+  repeated Subject results = 1;
+  Page page = 2;
+}
+
+message ResourceSearchRequest {
+  Subject subject = 1 [(google.api.field_behavior) = REQUIRED];
+  Action action = 2 [(google.api.field_behavior) = REQUIRED];
+  Resource resource = 3 [(google.api.field_behavior) = REQUIRED];
+  Page page = 4;
+}
+
+message ResourceSearchResponse {
+  repeated Resource results = 1;
+  Page page = 2;
+}
+
 message Subject {
   string type = 1 [(google.api.field_behavior) = REQUIRED];
   string id = 2 [(google.api.field_behavior) = REQUIRED];
@@ -124,3 +179,7 @@ message Resource {
   string id = 2 [(google.api.field_behavior) = REQUIRED];
   google.protobuf.Struct properties = 3;
 }
+
+message Page {
+  string next_token = 1;
+}
\ No newline at end of file

From bea2a442007326043ac3967e802a31f5fcd38f54 Mon Sep 17 00:00:00 2001
From: Gert Drapers <1533850+gertd@users.noreply.github.com>
Date: Mon, 24 Feb 2025 10:27:57 -0800
Subject: [PATCH 2/7] fix buf-lint errors

---
 proto/access/v1/access.proto | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/proto/access/v1/access.proto b/proto/access/v1/access.proto
index 051a62e..5ae2456 100644
--- a/proto/access/v1/access.proto
+++ b/proto/access/v1/access.proto
@@ -97,7 +97,6 @@ service Access {
     };
   }
 
-
   // resource search
   rpc ResourceSearch(ResourceSearchRequest) returns (ResourceSearchResponse) {
     option (google.api.http) = {
@@ -182,4 +181,4 @@ message Resource {
 
 message Page {
   string next_token = 1;
-}
\ No newline at end of file
+}

From 9259871a57d27c3c3f3819913a5fb27381221b8e Mon Sep 17 00:00:00 2001
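Review bot: `ResourceSearchRequest.resource` is marked REQUIRED while `Resource.id` is itself REQUIRED (visible as context at the end of this hunk and in the next), so a caller must supply a concrete resource id in order to search for resources; the same holds for `SubjectSearchRequest.subject` against `Subject.id`. That contradicts a search whose purpose is to return the matching ids, and a generated client or validator will enforce it literally. Either the search requests need a filter message without a mandatory id, or the annotation on `resource`/`subject` should be dropped here, with a leading comment saying which field is the filter, e.g. `// Filter: the resource the returned subjects are evaluated against.`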
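Review bot: `Page` holds only `next_token`, so a request cannot ask for a page size and nothing in the schema bounds how many `results` a response may carry; the message should state that the token is opaque and that the server chooses and caps the page size, e.g. `// Opaque pagination cursor; empty means there is no further page. Page size is server-determined.` The same message is reused as the request cursor and the response cursor, so any response-only addition later (a total count, say) would also surface on requests; the usual shape is a `string page_token` on requests and a `string next_page_token` on responses.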
From: Gert Drapers <1533850+gertd@users.noreply.github.com>
Date: Tue, 25 Feb 2025 11:15:09 -0800
Subject: [PATCH 3/7] add buf-format cmd

---
 makefile | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/makefile b/makefile
index d814c84..2491a09 100644
--- a/makefile
+++ b/makefile
@@ -50,6 +50,11 @@ buf-lint:
 	@echo -e "$(ATTN_COLOR)==> $@ $(NO_COLOR)"
 	@${EXT_BIN_DIR}/buf lint
 
+.PHONY: buf-format
+buf-format:
+	@echo -e "$(ATTN_COLOR)==> $@ $(NO_COLOR)"
+	@${EXT_BIN_DIR}/buf format --write
+
 .PHONY: buf-breaking
 buf-breaking:
 	@echo -e "$(ATTN_COLOR)==> $@ $(NO_COLOR)"

From d1f2f636cede1425853381a588ba7677f08b43ec Mon Sep 17 00:00:00 2001
From: Gert Drapers <1533850+gertd@users.noreply.github.com>
Date: Tue, 25 Feb 2025 11:15:26 -0800
Subject: [PATCH 4/7] add action search

---
 proto/access/v1/access.proto | 51 +++++++++++++++++++++++++++++++++---
 1 file changed, 47 insertions(+), 4 deletions(-)

diff --git a/proto/access/v1/access.proto b/proto/access/v1/access.proto
index 5ae2456..7189215 100644
--- a/proto/access/v1/access.proto
+++ b/proto/access/v1/access.proto
@@ -11,7 +11,7 @@ option go_package = "github.com/authzen/access/v1;access";
 option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_swagger) = {
   info: {
     title: "OpenID AuthZen Access Service"
-    version: "1.0.0-2"
+    version: "1.0.0-3"
     contact: {
       name: ""
       url: ""
@@ -25,7 +25,7 @@ option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_swagger) = {
 
   external_docs: {
     url: "https://openid.github.io/authzen/"
-    description: "Authorization API 1.0 - draft 02"
+    description: "Authorization API 1.0 - draft 03"
   } schemes: HTTP
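Review bot: The new `buf-format` target only rewrites files in place (`buf format --write`), so CI has no way to fail on unformatted protos without mutating the checkout. A check-only companion would close that gap, e.g. `buf-format-check:` running `@${EXT_BIN_DIR}/buf format --diff --exit-code`, mirroring how `buf-lint` is already a pure check.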
@@ -111,8 +111,24 @@ service Access {
       deprecated: false
     };
   }
+
+  // action search
+  rpc ActionSearch(ActionSearchRequest) returns (ActionSearchResponse) {
+    option (google.api.http) = {
+      post: "/access/v1/actionsearch"
+      body: "*"
+    };
+    option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
+      tags: "authzen"
+      summary: "Action Search API"
+      description: "TBD."
+      operation_id: "openid.authzen.access.v1.actionsearch.post"
+      deprecated: false
+    };
+  }
 }
 
+// https://openid.github.io/authzen/#name-the-access-evaluation-api-r
 message EvaluationRequest {
   Subject subject = 1 [(google.api.field_behavior) = REQUIRED];
   Action action = 2 [(google.api.field_behavior) = REQUIRED];
@@ -120,11 +136,13 @@ message EvaluationRequest {
   google.protobuf.Struct context = 4;
 }
 
+// https://openid.github.io/authzen/#name-the-access-evaluation-api-re
 message EvaluationResponse {
   bool decision = 1 [(google.api.field_behavior) = OUTPUT_ONLY];
   google.protobuf.Struct context = 2 [(google.api.field_behavior) = OUTPUT_ONLY];
 }
 
+// https://openid.github.io/authzen/#name-the-access-evaluations-api-
 message EvaluationsRequest {
   Subject subject = 1;
   Action action = 2;
@@ -134,45 +152,70 @@ message EvaluationsRequest {
   google.protobuf.Struct options = 6;
 }
 
+// https://openid.github.io/authzen/#name-access-evaluations-api-resp
 message EvaluationsResponse {
   repeated EvaluationResponse decisions = 1;
 }
 
+// https://openid.github.io/authzen/#name-the-subject-search-api-requ
 message SubjectSearchRequest {
   Subject subject = 1 [(google.api.field_behavior) = REQUIRED];
   Action action = 2 [(google.api.field_behavior) = REQUIRED];
   Resource resource = 3 [(google.api.field_behavior) = REQUIRED];
-  Page page = 4;
+  google.protobuf.Struct context = 4;
+  Page page = 5;
 }
 
+// https://openid.github.io/authzen/#name-the-subject-search-api-resp
 message SubjectSearchResponse {
   repeated Subject results = 1;
   Page page = 2;
 }
 
+// https://openid.github.io/authzen/#name-the-resource-search-api-req
 message ResourceSearchRequest {
   Subject subject = 1 [(google.api.field_behavior) = REQUIRED];
   Action action = 2 [(google.api.field_behavior) = REQUIRED];
   Resource resource = 3 [(google.api.field_behavior) = REQUIRED];
-  Page page = 4;
+  google.protobuf.Struct context = 4;
+  Page page = 5;
 }
 
+// https://openid.github.io/authzen/#name-the-resource-search-api-res
 message ResourceSearchResponse {
   repeated Resource results = 1;
   Page page = 2;
 }
 
+// https://openid.github.io/authzen/#name-the-action-search-api-reque
+message ActionSearchRequest {
+  Subject subject = 1 [(google.api.field_behavior) = REQUIRED];
+  Action action = 2 [(google.api.field_behavior) = REQUIRED];
+  Resource resource = 3 [(google.api.field_behavior) = REQUIRED];
+  google.protobuf.Struct context = 4;
+  Page page = 5;
+}
+
+// https://openid.github.io/authzen/#name-the-action-search-api-respo
+message ActionSearchResponse {
+  repeated Action results = 1;
+  Page page = 2;
+}
+
+// https://openid.github.io/authzen/#name-subject
 message Subject {
   string type = 1 [(google.api.field_behavior) = REQUIRED];
   string id = 2 [(google.api.field_behavior) = REQUIRED];
   google.protobuf.Struct properties = 3;
 }
 
+// https://openid.github.io/authzen/#name-action
 message Action {
   string name = 1 [(google.api.field_behavior) = REQUIRED];
   google.protobuf.Struct properties = 2;
 }
 
+// https://openid.github.io/authzen/#name-resource
 message Resource {
   string type = 1 [(google.api.field_behavior) = REQUIRED];
   string id = 2 [(google.api.field_behavior) = REQUIRED];

From 1b0d1b4821f7eb81c0239a0cd5558977875777ef Mon Sep 17 00:00:00 2001
From: Gert Drapers <1533850+gertd@users.noreply.github.com>
Date: Tue, 25 Feb 2025 11:16:14 -0800
Subject: [PATCH 5/7] update README

---
 README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index aff0e92..9468145 100644
--- a/README.md
+++ b/README.md
@@ -4,6 +4,6 @@
 
 ## Access Service
 
-This repo contains protobuf definitions for the OpenID AuthZEN Access Service. The current implementation reflects the [Authorization API 1.0 – draft 02](https://openid.github.io/authzen/) specification.
+This repo contains protobuf definitions for the OpenID AuthZEN Access Service. The current implementation reflects the [Authorization API 1.0 – draft 03](https://openid.github.io/authzen/) specification.
 
-All builds are published to the [buf.build/auzthzen/access](https://buf.build/authzen/access) registry, where one can [browse](https://buf.build/authzen/access/docs/v0.1.0-02:authzen.access.v1) the definitions or [generate](https://buf.build/authzen/access/sdks/v0.1.0-02:protobuf) server and client language bindings.
+All builds are published to the [buf.build/auzthzen/access](https://buf.build/authzen/access) registry, where one can [browse](https://buf.build/authzen/access/docs/v0.1.0-02:authzen.access.v1) the definitions or [generate](https://buf.build/authzen/access/sdks/v0.1.0-03:protobuf) server and client language bindings.

From 27f33940e36ee8a7ca5731d0febd7c0c74a41632 Mon Sep 17 00:00:00 2001
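Review bot: In SubjectSearchRequest and ResourceSearchRequest, `Page page = 4;` is replaced by `google.protobuf.Struct context = 4;` with `page` moved to 5, so field number 4 changes type between draft 02 and draft 03; both are length-delimited, so a client still sending a `Page` in field 4 would have its bytes silently parsed as a Struct rather than rejected. For an unreleased draft that may be acceptable, but it should be a deliberate choice: either keep `Page page = 4;` and add `context` as 5 (numbering the new ActionSearchRequest in this hunk the same way), or reserve 4 and give both `context` and `page` fresh numbers. Separately, `ActionSearchRequest.action` is marked REQUIRED although actions are what the search returns; worth checking the linked spec section for whether the request takes an action at all.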
From: Gert Drapers <1533850+gertd@users.noreply.github.com>
Date: Tue, 25 Feb 2025 23:00:17 -0800
Subject: [PATCH 6/7] upd search APIs

---
 proto/access/v1/access.proto | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/proto/access/v1/access.proto b/proto/access/v1/access.proto
index 7189215..f87f84b 100644
--- a/proto/access/v1/access.proto
+++ b/proto/access/v1/access.proto
@@ -85,14 +85,14 @@ service Access {
   // subject search
   rpc SubjectSearch(SubjectSearchRequest) returns (SubjectSearchResponse) {
     option (google.api.http) = {
-      post: "/access/v1/subjectsearch"
+      post: "/access/v1/search/subject"
       body: "*"
     };
     option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
       tags: "authzen"
       summary: "Subject Search API"
       description: "TBD."
-      operation_id: "openid.authzen.access.v1.subjectsearch.post"
+      operation_id: "openid.authzen.access.v1.search.subject.post"
       deprecated: false
     };
   }
@@ -100,14 +100,14 @@ service Access {
   // resource search
   rpc ResourceSearch(ResourceSearchRequest) returns (ResourceSearchResponse) {
     option (google.api.http) = {
-      post: "/access/v1/resourcesearch"
+      post: "/access/v1/search/resource"
       body: "*"
     };
     option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
       tags: "authzen"
       summary: "Resource Search API"
       description: "TBD."
-      operation_id: "openid.authzen.access.v1.resourcesearch.post"
+      operation_id: "openid.authzen.access.v1.search.post"
       deprecated: false
     };
   }
@@ -115,14 +115,14 @@ service Access {
   // action search
   rpc ActionSearch(ActionSearchRequest) returns (ActionSearchResponse) {
     option (google.api.http) = {
-      post: "/access/v1/actionsearch"
+      post: "/access/v1/search/action"
       body: "*"
     };
     option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
       tags: "authzen"
       summary: "Action Search API"
       description: "TBD."
-      operation_id: "openid.authzen.access.v1.actionsearch.post"
+      operation_id: "openid.authzen.access.v1.search.action.post"
       deprecated: false
     };
   }
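Review bot: The ResourceSearch hunk changes its operation id to `openid.authzen.access.v1.search.post`, dropping the `resource` segment that the SubjectSearch and ActionSearch hunks in the same commit keep (`…search.subject.post`, `…search.action.post`). OpenAPI operation ids become generated client method names, so this one reads as a generic "search" and would collide with any future operation named that way. It should be `operation_id: "openid.authzen.access.v1.search.resource.post"`, matching the new `post: "/access/v1/search/resource"` path earlier in the same hunk.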
From 5ff3d0156468a491fa9cc113a2ae2f4662abb1a8 Mon Sep 17 00:00:00 2001
From: Gert Drapers <1533850+gertd@users.noreply.github.com>
Date: Wed, 26 Feb 2025 15:11:03 -0800
Subject: [PATCH 7/7] remove all field_behavior annotations

---
 buf.lock | 4 ++--
 proto/access/v1/access.proto | 39 ++++++++++++++++++------------------
 2 files changed, 21 insertions(+), 22 deletions(-)

diff --git a/buf.lock b/buf.lock
index f9d4024..95ba90a 100644
--- a/buf.lock
+++ b/buf.lock
@@ -2,8 +2,8 @@
 version: v2
 deps:
   - name: buf.build/googleapis/googleapis
-    commit: e93e34f48be043dab55be31b4b47f458
-    digest: b5:cebe5dfac5f7d67c55296f37ad9d368dba8d9862777e69d5d99eb1d72dc95fa68cd6323b483ca42cf70e66060002c1bc36e1f5f754b217a5c771c108eb243dbf
+    commit: 546238c53f7340c6a2a6099fb863bc1b
+    digest: b5:e017bbf31a3f912e2b969c03c3aa711f466cfe104f510865d1a8ede1be490240aabd4cca5865459a0f15222747284395f98afc094b0fd086e8917a5a7bdd9db0
   - name: buf.build/grpc-ecosystem/grpc-gateway
     commit: 4c5ba75caaf84e928b7137ae5c18c26a
     digest: b5:c113e62fb3b29289af785866cae062b55ec8ae19ab3f08f3004098928fbca657730a06810b2012951294326b95669547194fa84476b9e9b688d4f8bf77a0691d
diff --git a/proto/access/v1/access.proto b/proto/access/v1/access.proto
index f87f84b..9909a07 100644
--- a/proto/access/v1/access.proto
+++ b/proto/access/v1/access.proto
@@ -3,7 +3,6 @@ syntax = "proto3";
 package authzen.access.v1;
 
 import "google/api/annotations.proto";
-import "google/api/field_behavior.proto";
 import "google/protobuf/struct.proto";
 import "protoc-gen-openapiv2/options/annotations.proto";
 
@@ -130,16 +129,16 @@ service Access {
 
 // https://openid.github.io/authzen/#name-the-access-evaluation-api-r
 message EvaluationRequest {
-  Subject subject = 1 [(google.api.field_behavior) = REQUIRED];
-  Action action = 2 [(google.api.field_behavior) = REQUIRED];
-  Resource resource = 3 [(google.api.field_behavior) = REQUIRED];
+  Subject subject = 1;
+  Action action = 2;
+  Resource resource = 3;
   google.protobuf.Struct context = 4;
 }
 
 // https://openid.github.io/authzen/#name-the-access-evaluation-api-re
 message EvaluationResponse {
-  bool decision = 1 [(google.api.field_behavior) = OUTPUT_ONLY];
-  google.protobuf.Struct context = 2 [(google.api.field_behavior) = OUTPUT_ONLY];
+  bool decision = 1;
+  google.protobuf.Struct context = 2;
 }
 
 // https://openid.github.io/authzen/#name-the-access-evaluations-api-
@@ -159,9 +158,9 @@ message EvaluationsResponse {
 
 // https://openid.github.io/authzen/#name-the-subject-search-api-requ
 message SubjectSearchRequest {
-  Subject subject = 1 [(google.api.field_behavior) = REQUIRED];
-  Action action = 2 [(google.api.field_behavior) = REQUIRED];
-  Resource resource = 3 [(google.api.field_behavior) = REQUIRED];
+  Subject subject = 1;
+  Action action = 2;
+  Resource resource = 3;
   google.protobuf.Struct context = 4;
   Page page = 5;
 }
@@ -174,9 +173,9 @@ message SubjectSearchResponse {
 
 // https://openid.github.io/authzen/#name-the-resource-search-api-req
 message ResourceSearchRequest {
-  Subject subject = 1 [(google.api.field_behavior) = REQUIRED];
-  Action action = 2 [(google.api.field_behavior) = REQUIRED];
-  Resource resource = 3 [(google.api.field_behavior) = REQUIRED];
+  Subject subject = 1;
+  Action action = 2;
+  Resource resource = 3;
   google.protobuf.Struct context = 4;
   Page page = 5;
 }
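Review bot: With the REQUIRED annotations removed, nothing in the schema tells a reader or a generated client that `subject`, `action` and `resource` must be present in EvaluationRequest, and the same applies to the three Search request hunks that follow; that information should now live in leading comments, e.g. `// Required. The subject the decision is requested for.` on each of the three fields. The later hunk that strips the annotations from `Subject.type`/`id`, `Action.name` and `Resource.type`/`id` matters more: those are proto3 strings with implicit presence, so an omitted value and an empty string are identical on the wire, and with the annotation gone the server has to treat an empty `type`/`id`/`name` as missing and reject the request itself. A one-line comment on those fields would record that, e.g. `// Required; must be non-empty.`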
@@ -189,9 +188,9 @@ message ResourceSearchResponse {
 
 // https://openid.github.io/authzen/#name-the-action-search-api-reque
 message ActionSearchRequest {
-  Subject subject = 1 [(google.api.field_behavior) = REQUIRED];
-  Action action = 2 [(google.api.field_behavior) = REQUIRED];
-  Resource resource = 3 [(google.api.field_behavior) = REQUIRED];
+  Subject subject = 1;
+  Action action = 2;
+  Resource resource = 3;
   google.protobuf.Struct context = 4;
   Page page = 5;
 }
@@ -204,21 +203,21 @@ message ActionSearchResponse {
 
 // https://openid.github.io/authzen/#name-subject
 message Subject {
-  string type = 1 [(google.api.field_behavior) = REQUIRED];
-  string id = 2 [(google.api.field_behavior) = REQUIRED];
+  string type = 1;
+  string id = 2;
   google.protobuf.Struct properties = 3;
 }
 
 // https://openid.github.io/authzen/#name-action
 message Action {
-  string name = 1 [(google.api.field_behavior) = REQUIRED];
+  string name = 1;
   google.protobuf.Struct properties = 2;
 }
 
 // https://openid.github.io/authzen/#name-resource
 message Resource {
-  string type = 1 [(google.api.field_behavior) = REQUIRED];
-  string id = 2 [(google.api.field_behavior) = REQUIRED];
+  string type = 1;
+  string id = 2;
   google.protobuf.Struct properties = 3;
 }
 