Closed as not planned
Description
In section 7.1.2.1.1 https://openid.github.io/authzen/#name-example-evaluate-read-actio, if one wants to use `deny_on_first_deny` or `permit_on_first_permit`, it means that there are some relations between the requests: here the subject is the same.

Therefore, one would expect only a global decision (`true` or `false`) coming from one of the following use cases:

- Request is `deny_on_first_deny` and one evaluation leads to `"decision": false`, then the global decision should be `false`
- Request is `permit_on_first_permit` and no evaluation leads to `"decision": true`, then the global decision should be `false`
- Request is `permit_on_first_permit` and one evaluation leads to `"decision": true`, then the global decision should be `true`

Therefore, I propose that the PEP would be better served with the following proposal, which aligns more with the single Access Evaluation part of the specification:

- In the case where a request is `deny_on_first_deny` and one evaluation leads to `"decision": false`:

  ```json
  {
    "decision": false,
    "context": {
      "evaluations": [
        {
          "decision": true
        },
        {
          "decision": false,
          "reason": "deny_on_first_deny"
        }
      ]
    }
  }
  ```

- In the case where a request is `permit_on_first_permit` and no evaluation leads to `"decision": true`:

  ```json
  {
    "decision": false,
    "context": {
      "evaluations": [
        {
          "decision": false
        },
        {
          "decision": false
        },
        {
          "decision": false
        }
      ]
    }
  }
  ```

- In the case where a request is `permit_on_first_permit` and one evaluation leads to `"decision": true`:

  ```json
  {
    "decision": true,
    "context": {
      "evaluations": [
        {
          "decision": false
        },
        {
          "decision": true,
          "reason": "permit_on_first_permit"
        }
      ]
    }
  }
  ```
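
The aggregation rule proposed in this issue, sketched as an added example that is not part of the original issue or of the AuthZEN specification. `combine` and the constant names are hypothetical; treating a missing or non-boolean `decision` as a deny, and an empty evaluation list as a deny, are fail-closed assumptions made here.

```python
# Added example: derive the single global decision proposed in the issue
# from per-request evaluation results. All names here are hypothetical.

DENY_ON_FIRST_DENY = "deny_on_first_deny"
PERMIT_ON_FIRST_PERMIT = "permit_on_first_permit"


def _is_permit(evaluation):
    # Fail closed: only a JSON boolean true counts as a permit.
    # Strings such as "true", nulls and missing keys are treated as deny.
    return isinstance(evaluation, dict) and evaluation.get("decision") is True


def combine(semantic, evaluations):
    """Return {"decision": bool, "context": {"evaluations": [...]}}."""
    if semantic not in (DENY_ON_FIRST_DENY, PERMIT_ON_FIRST_PERMIT):
        raise ValueError(f"unsupported evaluations semantic: {semantic!r}")

    # The decision value that ends evaluation early for this semantic.
    stop_on = semantic == PERMIT_ON_FIRST_PERMIT
    seen = []
    for evaluation in evaluations:
        permit = _is_permit(evaluation)
        entry = {"decision": permit}
        if permit == stop_on:
            # Short-circuit: record why evaluation stopped, as in the proposal.
            entry["reason"] = semantic
            seen.append(entry)
            return {"decision": stop_on, "context": {"evaluations": seen}}
        seen.append(entry)

    # No short-circuit happened:
    #  - permit_on_first_permit with no permit -> false
    #  - deny_on_first_deny with no deny -> true, unless nothing was evaluated
    decision = (not stop_on) and bool(seen)
    return {"decision": decision, "context": {"evaluations": seen}}
```
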