Skip to content
Big ACL Docs

OpenID AuthZEN

OpenID AuthZEN is an emerging specification from the OpenID Foundation designed to standardize fine-grained, real-time authorization across heterogeneous systems.

AuthZEN provides a consistent, interoperable framework for describing authorization requests, responses, and decision metadata, enabling organizations to integrate Policy Decision Points (PDPs) and Policy Enforcement Points (PEPs) without relying on proprietary schemas or vendor-specific APIs.

This page is part of the broader Authorization Landscape documentation, which describes the main standards, technologies, and patterns shaping modern authorization architectures.

1. Overview

Section titled “1. Overview”

Traditional authorization systems rely on bespoke integrations between applications and external decision engines (e.g., OPA, Amazon Verified Permissions, home-grown PDPs).
These integrations typically lack standardization:

  • Each PDP exposes its own API.
  • Each application must implement its own request/response schema.
  • There is no shared vocabulary for authorization context, resource attributes, or policy results.

OpenID AuthZEN addresses this problem by proposing:

  • A standard request and response format for authorization decisions
  • A common model for subject, action, and resource representation
  • A specification for decision metadata, including explanations, rule evaluation traces, and obligations
  • A foundation for interoperable PDP ecosystems

AuthZEN allows applications to delegate authorization to any compliant PDP without redesigning their integration for each vendor.

2. Design Objectives

Section titled “2. Design Objectives”

AuthZEN focuses on the following objectives:

Interoperability

Section titled “Interoperability”

A unified schema that allows a PEP (e.g., an application, API gateway, or service mesh) to query multiple PDPs interchangeably.

Expressiveness

Section titled “Expressiveness”

Support for rich authorization contexts, including:

  • Attribute-based access control (ABAC)
  • Relationship-based models
  • Contextual signals (risk scores, session properties)
  • Multi-resource authorization evaluations

Transparency

Section titled “Transparency”

Structured metadata such as:

  • Which rules were evaluated
  • Why a decision was issued
  • Obligations or advice to the PEP
  • Debugging information for developers and auditors

Performance and Scalability

Section titled “Performance and Scalability”

Request/response patterns designed for real-time, high-volume, service-to-service authorization checks.

3. Core Concepts

Section titled “3. Core Concepts”

AuthZEN formalizes several foundational constructs:

Subject

Section titled “Subject”

The principal requesting the operation.
Represented with attributes such as id, type, and organizational attributes.

Action

Section titled “Action”

The requested operation, such as "read", "write", "approve", or an application-specific action.

Resource

Section titled “Resource”

The entity the action is performed on.
AuthZEN supports hierarchical and typed resource identifiers.

Context

Section titled “Context”

Optional environmental and contextual attributes:

  • IP address
  • Device characteristics
  • Time of request
  • Session metadata
  • Risk signal inputs

Decision

Section titled “Decision”

The structured response from the PDP, including:

  • Effect: Permit / Deny
  • Obligations: instructions the PEP must enforce (masking, redaction, MFA requirement, etc.)
  • Reasons: explanations suitable for logging, auditing, or debugging
  • Evaluation trace: optional detailed rule evaluation report

4. Authorization Flow

Section titled “4. Authorization Flow”

AuthZEN defines a standard authorization request and authorization response.

Example Request (simplified)

Section titled “Example Request (simplified)”
{
  "subject": {
    "id": "user-123",
    "type": "User",
    "attributes": {
      "team": "Engineering"
    }
  },
  "action": "read",
  "resource": {
    "type": "Document",
    "id": "doc-456",
    "attributes": {
      "owner": "user-789",
      "classification": "internal"
    }
  },
  "context": {
    "ip": "203.0.113.4"
  }
}

Example Response (simplified)

Section titled “Example Response (simplified)”
{
  "decision": "Permit",
  "obligations": [
    { "type": "masking", "fields": ["ssn"] }
  ],
  "reasons": [
    "User and document belong to the same department"
  ],
  "metadata": {
    "evaluation_time_ms": 3
  }
}
Section titled “5. Comparison with Related Standards”

XACML

  • XACML also defines a PDP/PEP model but is considered heavy and complex.
  • AuthZEN focuses on a lightweight, JSON-friendly, developer-friendly specification.

OAuth 2.0 / OpenID Connect

  • These protocols focus on authentication and delegated authorization for API access, not fine-grained business authorization.
  • AuthZEN complements them by providing the model for resource-level decisions within applications.

Cedar, Rego, and proprietary policy languages

  • These languages define how policies are written internally.
  • AuthZEN defines how decisions are requested and returned externally.
  • Any policy language can power an AuthZEN-compliant PDP.

6. Use Cases

Section titled “6. Use Cases”

AuthZEN is designed for modern distributed systems including:

  • Microservices and service meshes requiring consistent authorization
  • API gateways enforcing centralized policy decisions
  • Enterprise applications integrating multiple authorization providers
  • CIAM and workforce IAM platforms offering standardized PDP access

AuthZEN is particularly relevant in environments where multiple PDP technologies (OPA, AVP, custom engines) coexist.