2 changes: 1 addition & 1 deletion .github/workflows/buf-ci.yaml
@@ -26,7 +26,7 @@ jobs:
steps:
-
name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@v5
-
name: Install buf
uses: bufbuild/buf-action@v1
2 changes: 1 addition & 1 deletion LICENSE
@@ -186,7 +186,7 @@
same "printed page" as the copyright notice for easier
identification within third-party archives.

Copyright 2023 Aserto AuthZEN WG
Copyright (c) 2025 The OpenID Foundation (https://openid.github.io/authzen/#appendix-D)

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
4 changes: 2 additions & 2 deletions buf.lock
@@ -2,8 +2,8 @@
version: v2
deps:
- name: buf.build/googleapis/googleapis
commit: 546238c53f7340c6a2a6099fb863bc1b
digest: b5:e017bbf31a3f912e2b969c03c3aa711f466cfe104f510865d1a8ede1be490240aabd4cca5865459a0f15222747284395f98afc094b0fd086e8917a5a7bdd9db0
commit: 72c8614f3bd0466ea67931ef2c43d608
digest: b5:13efeea24e633fd45327390bdee941207a8727e96cf01affb84c1e4100fd8f48a42bbd508df11930cd2884629bafad685df1ac3111bc78cdaefcd38c9371c6b1
- name: buf.build/grpc-ecosystem/grpc-gateway
commit: 4c5ba75caaf84e928b7137ae5c18c26a
digest: b5:c113e62fb3b29289af785866cae062b55ec8ae19ab3f08f3004098928fbca657730a06810b2012951294326b95669547194fa84476b9e9b688d4f8bf77a0691d
30 changes: 16 additions & 14 deletions makefile
@@ -9,12 +9,12 @@ ATTN_COLOR := \033[33;01m
OS := $(shell uname -s | tr '[:upper:]' '[:lower:]')
ARCH := $(shell uname -m | tr '[:upper:]' '[:lower:]')

EXT_DIR := ./.ext
EXT_DIR := ${PWD}/.ext
EXT_BIN_DIR := ${EXT_DIR}/bin
EXT_TMP_DIR := ${EXT_DIR}/tmp

SVU_VER := 3.2.3
BUF_VER := 1.54.0
SVU_VER := 3.3.0
BUF_VER := 1.59.0

PROJECT := access

@@ -27,7 +27,7 @@ BUF_LATEST := $(shell ${EXT_BIN_DIR}/buf registry module label list ${BU
BUF_BIN_DIR := ./bin
BUF_BIN_IMAGE := "${PROJECT}.bin"

RELEASE_TAG := $$(${EXT_BIN_DIR}/svu)
RELEASE_TAG := $$(${EXT_BIN_DIR}/svu current)

.DEFAULT_GOAL := buf-build

@@ -93,20 +93,22 @@ ${EXT_BIN_DIR}/buf: ${EXT_BIN_DIR}
@chmod +x ${EXT_BIN_DIR}/buf
@${EXT_BIN_DIR}/buf --version

${EXT_BIN_DIR}/svu: install-svu-${OS}
@echo -e "$(ATTN_COLOR)==> $@ $(NO_COLOR)"
@chmod +x ${EXT_BIN_DIR}/svu
@${EXT_BIN_DIR}/svu --version
${EXT_BIN_DIR}/buf: install-buf

install-svu-darwin: ${EXT_TMP_DIR} ${EXT_BIN_DIR}
.PHONY: install-buf
install-buf: ${EXT_BIN_DIR}
@echo -e "$(ATTN_COLOR)==> $@ $(NO_COLOR)"
@gh release download v${SVU_VER} --repo https://github.com/caarlos0/svu --pattern "svu_${SVU_VER}_${OS}_all.tar.gz" --output "${EXT_TMP_DIR}/svu.tar.gz" --clobber
@tar -xvf ${EXT_TMP_DIR}/svu.tar.gz --directory ${EXT_BIN_DIR} svu &> /dev/null
@gh release download v${BUF_VER} --repo https://github.com/bufbuild/buf --pattern "buf-$$(uname -s)-$$(uname -m)" --output "${EXT_BIN_DIR}/buf" --clobber
@chmod +x ${EXT_BIN_DIR}/buf
@${EXT_BIN_DIR}/buf --version

${EXT_BIN_DIR}/svu: install-svu

install-svu-linux: ${EXT_TMP_DIR} ${EXT_BIN_DIR}
.PHONY: install-svu
install-svu: ${EXT_BIN_DIR} ${EXT_TMP_DIR}
@echo -e "$(ATTN_COLOR)==> $@ $(NO_COLOR)"
@gh release download v${SVU_VER} --repo https://github.com/caarlos0/svu --pattern "svu_${SVU_VER}_${OS}_${ARCH}.tar.gz" --output "${EXT_TMP_DIR}/svu.tar.gz" --clobber
@tar -xvf ${EXT_TMP_DIR}/svu.tar.gz --directory ${EXT_BIN_DIR} svu &> /dev/null
@GOBIN=${EXT_BIN_DIR} go install github.com/caarlos0/svu/v3@v${SVU_VER}
@${EXT_BIN_DIR}/svu --version

.PHONY: clean
clean:
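Review bot: `install-buf` fetches the buf binary with `gh release download`, marks it executable and runs it without comparing it to the checksums published with the release, so a replaced or truncated asset is executed as-is in CI and on developer machines. Either verify the file's SHA-256 against the release's checksum file before the `chmod`, or install it the way `install-svu` does in this change, `@GOBIN=${EXT_BIN_DIR} go install github.com/bufbuild/buf/cmd/buf@v${BUF_VER}`, which is checked against the Go checksum database by default. Separately, `EXT_DIR := ${PWD}/.ext` takes the directory from the environment; `EXT_DIR := $(CURDIR)/.ext` uses the value make sets itself and stays correct under `make -C`.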
49 changes: 30 additions & 19 deletions proto/access/v1/access.proto
@@ -1,4 +1,4 @@
syntax = "proto3";

Check failure on line 1 in proto/access/v1/access.proto

GitHub Actions / buf

Previously present message "Page" was deleted from package "authzen.access.v1".

Check failure on line 1 in proto/access/v1/access.proto

GitHub Actions / buf

Previously present message "Page" was deleted from file.

package authzen.access.v1;

@@ -10,7 +10,7 @@
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_swagger) = {
info: {
title: "OpenID AuthZen Access Service"
version: "1.0.0-3"
version: "1.0.0-5"
contact: {
name: ""
url: ""
@@ -24,7 +24,7 @@

external_docs: {
url: "https://openid.github.io/authzen/"
description: "Authorization API 1.0 - draft 03"
description: "Authorization API 1.0 - draft 05"
}

schemes: HTTP
@@ -51,7 +51,7 @@
};

service Access {
// evaluation
// evaluation (https://openid.github.io/authzen/#name-access-evaluation-api)
rpc Evaluation(EvaluationRequest) returns (EvaluationResponse) {
option (google.api.http) = {
post: "/access/v1/evaluation"
@@ -66,7 +66,7 @@
};
}

// evaluations
// evaluations (https://openid.github.io/authzen/#name-access-evaluations-api)
rpc Evaluations(EvaluationsRequest) returns (EvaluationsResponse) {
option (google.api.http) = {
post: "/access/v1/evaluations"
@@ -81,7 +81,7 @@
};
}

// subject search
// subject search (https://openid.github.io/authzen/#name-subject-search-api)
rpc SubjectSearch(SubjectSearchRequest) returns (SubjectSearchResponse) {
option (google.api.http) = {
post: "/access/v1/search/subject"
@@ -96,7 +96,7 @@
};
}

// resource search
// resource search (https://openid.github.io/authzen/#name-resource-search-api)
rpc ResourceSearch(ResourceSearchRequest) returns (ResourceSearchResponse) {
option (google.api.http) = {
post: "/access/v1/search/resource"
@@ -111,7 +111,7 @@
};
}

// action search
// action search (https://openid.github.io/authzen/#name-action-search-api)
rpc ActionSearch(ActionSearchRequest) returns (ActionSearchResponse) {
option (google.api.http) = {
post: "/access/v1/search/action"
@@ -132,7 +132,7 @@
Subject subject = 1;
Action action = 2;
Resource resource = 3;
google.protobuf.Struct context = 4;
optional google.protobuf.Struct context = 4;
}

// https://openid.github.io/authzen/#name-the-access-evaluation-api-re
@@ -146,7 +146,7 @@
Subject subject = 1;
Action action = 2;
Resource resource = 3;
google.protobuf.Struct context = 4;
optional google.protobuf.Struct context = 4;
repeated EvaluationRequest evaluations = 5;
google.protobuf.Struct options = 6;
}
@@ -157,33 +157,33 @@
}

// https://openid.github.io/authzen/#name-the-subject-search-api-requ
message SubjectSearchRequest {
Subject subject = 1;
Action action = 2;
Resource resource = 3;
google.protobuf.Struct context = 4;
Page page = 5;
PaginationRequest page = 10;
}

Check failure on line 166 in proto/access/v1/access.proto

GitHub Actions / buf

Previously present field "5" with name "page" on message "SubjectSearchRequest" was deleted without reserving the number "5".

Check failure on line 166 in proto/access/v1/access.proto

GitHub Actions / buf

Previously present field "5" with name "page" on message "SubjectSearchRequest" was deleted without reserving the name "page".

Check failure on line 166 in proto/access/v1/access.proto

GitHub Actions / buf

Previously present field "5" with name "page" on message "SubjectSearchRequest" was deleted.

// https://openid.github.io/authzen/#name-the-subject-search-api-resp
message SubjectSearchResponse {
repeated Subject results = 1;
Page page = 2;
PaginationResponse page = 10;
}

Check failure on line 172 in proto/access/v1/access.proto

GitHub Actions / buf

Previously present field "2" with name "page" on message "SubjectSearchResponse" was deleted without reserving the number "2".

Check failure on line 172 in proto/access/v1/access.proto

GitHub Actions / buf

Previously present field "2" with name "page" on message "SubjectSearchResponse" was deleted without reserving the name "page".

Check failure on line 172 in proto/access/v1/access.proto

GitHub Actions / buf

Previously present field "2" with name "page" on message "SubjectSearchResponse" was deleted.

// https://openid.github.io/authzen/#name-the-resource-search-api-req
message ResourceSearchRequest {
Subject subject = 1;
Action action = 2;
Resource resource = 3;
google.protobuf.Struct context = 4;
Page page = 5;
PaginationRequest page = 10;
}

Check failure on line 181 in proto/access/v1/access.proto

GitHub Actions / buf

Previously present field "5" with name "page" on message "ResourceSearchRequest" was deleted without reserving the name "page".

Check failure on line 181 in proto/access/v1/access.proto

GitHub Actions / buf

Previously present field "5" with name "page" on message "ResourceSearchRequest" was deleted.

// https://openid.github.io/authzen/#name-the-resource-search-api-res
message ResourceSearchResponse {
repeated Resource results = 1;
Page page = 2;
PaginationResponse page = 10;
}

// https://openid.github.io/authzen/#name-the-action-search-api-reque
@@ -192,35 +192,46 @@
Action action = 2;
Resource resource = 3;
google.protobuf.Struct context = 4;
Page page = 5;
PaginationRequest page = 10;
}

// https://openid.github.io/authzen/#name-the-action-search-api-respo
message ActionSearchResponse {
repeated Action results = 1;
Page page = 2;
PaginationResponse page = 10;
}

// https://openid.github.io/authzen/#name-subject
message Subject {
string type = 1;
string id = 2;
google.protobuf.Struct properties = 3;
optional google.protobuf.Struct properties = 3;
}

// https://openid.github.io/authzen/#name-action
message Action {
string name = 1;
google.protobuf.Struct properties = 2;
optional google.protobuf.Struct properties = 2;
}

// https://openid.github.io/authzen/#name-resource
message Resource {
string type = 1;
string id = 2;
google.protobuf.Struct properties = 3;
optional google.protobuf.Struct properties = 3;
}

// https://openid.github.io/authzen/#name-paginated-requests
message PaginationRequest {
optional string token = 1;
optional int32 limit = 2;
optional google.protobuf.Struct properties = 3;
}

message Page {
// https://openid.github.io/authzen/#name-paginated-responses
message PaginationResponse {
string next_token = 1;
optional int64 count = 2;
optional int64 total = 3;
optional google.protobuf.Struct properties = 4;
}
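Review bot: `PaginationRequest.limit` is declared `optional int32 limit = 2;` with no documented range, so a negative or very large page size is a well-formed request and each implementation of the three search RPCs has to remember to clamp it. As the message is new in this change it can still be declared `optional uint32 limit = 2;` (if the AuthZEN draft allows only non-negative values), with a comment stating the maximum the server honours and the default used when the field is absent. `token` is also client-supplied on the way back in; a comment such as `// Opaque value copied from a previous response's next_token; servers must validate it and reject tokens not issued for the same search parameters.` would record that it is untrusted input. Neither new pagination message documents its fields beyond the spec link.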