deny_on_first_deny and permit_on_first_permit examples are cumbersome #250

@identitymonk

Description

In section 7.1.2.1.1 https://openid.github.io/authzen/#name-example-evaluate-read-actio, if one wants to use deny_on_first_deny or permit_on_first_permit, it means that there are some relations in between the requests: here the subject is the same.

Therefore, one would expect only a global decision (true or false) coming from one of the following use cases:

  • Request is deny_on_first_deny and one evaluation leads to "decision": false then a global decision should be false
  • Request is permit_on_first_permit and no evaluation leads to "decision": true then a global decision should be false
  • Request is permit_on_first_permit and one evaluation leads to "decision": true then a global decision should be true

Therefore, I propose that the PEP would be better served with the following proposal, which aligns more with the single Access Evaluation part of the specification:

  • In the case where a request is deny_on_first_deny and one evaluation leads to "decision": false:

```json
{
    "decision": false,
    "context": {
      "evaluations": [
        {
          "decision": true
        },
        {
          "decision": false,
          "reason": "deny_on_first_deny"
        }
      ]
    }
}
```

  • In the case where a request is permit_on_first_permit and no evaluation leads to "decision": true:

```json
{
    "decision": false,
    "context": {
      "evaluations": [
        {
          "decision": false
        },
        {
          "decision": false
        },
        {
          "decision": false
        }
      ]
    }
}
```

  • In the case where a request is permit_on_first_permit and one evaluation leads to "decision": true:

```json
{
    "decision": true,
    "context": {
      "evaluations": [
        {
          "decision": false
        },
        {
          "decision": true,
          "reason": "permit_on_first_permit"
        }
      ]
    }
}
```
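As an added example (not part of this issue or of the AuthZEN specification), the folding rule the three cases above describe, written out in Python, together with the fail-closed check a PEP would apply to the resulting body. The function names, the choice to stop evaluating once the short-circuit triggers, and the sample inputs are assumptions.

```python
import json

DENY_ON_FIRST_DENY = "deny_on_first_deny"
PERMIT_ON_FIRST_PERMIT = "permit_on_first_permit"


def combine_evaluations(decisions, option):
    """Fold per-request decisions into one global decision.

    `decisions` is the ordered list of booleans the PDP produced for each
    request in the batch; `option` selects the short-circuit rule. Returns
    the response body proposed in the issue: a global "decision" plus the
    per-request "evaluations", where the one that triggered the short-circuit
    carries a "reason" naming the option. Assumption: evaluation stops at that
    point, so requests after it do not appear in the list.
    """
    if option not in (DENY_ON_FIRST_DENY, PERMIT_ON_FIRST_PERMIT):
        raise ValueError(f"unknown evaluation option: {option!r}")
    stop_on = option == PERMIT_ON_FIRST_PERMIT  # the value that short-circuits
    evaluations = []
    for decision in decisions:
        entry = {"decision": decision}
        if decision == stop_on:
            entry["reason"] = option
            evaluations.append(entry)
            return {"decision": stop_on, "context": {"evaluations": evaluations}}
        evaluations.append(entry)
    # Nothing triggered the short-circuit: deny_on_first_deny ends in permit,
    # permit_on_first_permit ends in deny.
    return {"decision": not stop_on, "context": {"evaluations": evaluations}}


def pep_decision(response_body):
    """PEP-side consumption: act only on the top-level boolean "decision".

    Anything that is not literally `true` (missing field, a string "true",
    malformed or non-object JSON) is treated as deny, so a truncated or
    confused response can never grant access on its own.
    """
    try:
        body = json.loads(response_body)
    except ValueError:
        return False
    return isinstance(body, dict) and body.get("decision") is True
```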
