Supporting browser redirections in authzen #340
Replies: 4 comments
Hi,
AuthZEN is "just" a Request/Response protocol between PEP and PDP. Any
redirects would likely involve other protocols (e.g., HTTP, OAuth / OpenID
/ SAML /...? ), which are out of scope here.
If the PDP requires additional information, it MAY respond with additional
details. It is then up to the PEP or Client to decide on next steps or
trigger different flows.
Note: I'm currently refactoring the AuthZEN evaluation Response context
payload, it should enable more expressive PDP responses...
Regards,
./\.
On Thu, Jun 26, 2025 at 8:22 AM amonika230995 wrote:
> Would this authorization API also work as a browser redirect? In case the
> PDP/PEP endpoints require some interactions before making a decision.
--
Alex Babeanu
Lead Product Manager, AI Control Suite
t. +1 604 728 8130
w. www.indykite.com
Hi, I understand. But I currently have a similar use case where we want to implement privilege controls when a user launches an application from an IdP. Currently we are using the OIDC PKCE flow for this. Conditional access is configured for application launch on the IdP end, and this conditional access has logic to trigger the authorization request to our service, where we check certain privilege controls based on user interaction and either block the app launch or allow the user to continue. This is similar to the PDP -> PEP communication, where the PEP is the IdP and the PDP is any service that enforces policies on app launch. The problem with using the OIDC flow here is passing info to and fro. In this communication the IdP must send user info, role info and app info, and passing this information dynamically for different apps from the IdP is a challenge via OIDC. Sending this entire data as part of the authorization request is neither standardized nor safe (unless the data is encrypted E2E). So I was looking at this spec, and AuthZEN definitely helps here. But in my use case the PDP enforces policies based on the user's inputs. Hence I was checking if this can also be a browser redirect.
Hi @baboulebou, any thoughts about the above use case? To simplify the use case: a PDP can only take a decision after a step-up auth, user consent or some other sort of user interaction. So in this case the response from the PDP could also be a redirection page to take user consent or do a step-up auth, and later convey the decision to the PEP.
Hi Monika,
I recently created a PR with some changes to the AuthZEN Response context
object, which includes an optional but normative "Obligations" response
context field. In that Obligations field, a PDP could indicate that the
user MUST undergo step-up authentication; in that case the PEP MUST
enforce this flow with the AS. This is basically how obligations have been
working for some time... In other words, the flow is: 1) the PDP demands a
step-up in the AuthZEN response, 2) the PEP complies. Note: we also
implemented this flow at Indykite, as it's a use case we have with a
customer, so it's nothing new or exotic. The wording, I think, is flexible
enough for the response to contain any additional information, such as a
page to redirect to.
Please have a look at the PR and see if the wording suits your needs...
Thanks,
./\.
On Wed, Jul 2, 2025 at 12:02 PM amonika230995 wrote:
> Hi @baboulebou,
> Any thoughts about the above use case?
> To simplify the use case: a PDP can only take a decision after a step-up
> auth, user consent or some other sort of user interaction. So in this case the
> response from the PDP could also be a redirection page to take user consent or
> do a step-up auth, and later convey the decision to the PEP.
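The exchange the thread converges on, shown as an added example that is not code from the AuthZEN spec, the PR, or Indykite: the PEP (here, the IdP's conditional-access hook) sends an AuthZEN evaluation request; the PDP answers with a boolean decision and, when a step-up is needed, an obligation in the response context; the PEP then drives the step-up itself by redirecting the browser to its own authorization server, and re-evaluates once the stronger authentication has happened. The `obligations` key and its `step_up`/`acr_values` shape, the `roles`/`acr` property names, the policy table, the AS URL and client id are all assumptions chosen for the example; the `subject`/`resource`/`action`/`context` request fields and the `decision`/`context` response fields follow the AuthZEN evaluation API.

```python
"""AuthZEN evaluation round trip with a step-up obligation (illustrative, not project code)."""
from urllib.parse import urlencode

# Constructed policy: which roles may launch which app, and which apps need MFA first.
ALLOWED_ROLES = {"payroll": {"finance", "hr"}, "wiki": {"finance", "hr", "sales"}}
STEP_UP_REQUIRED = {"payroll"}


def build_evaluation_request(subject_id, roles, app_id, acr):
    """PEP side: the body of POST /access/v1/evaluation for an app-launch check.
    'roles' and 'acr' under subject.properties are names assumed for this example."""
    return {
        "subject": {"type": "user", "id": subject_id,
                    "properties": {"roles": list(roles), "acr": acr}},
        "resource": {"type": "application", "id": app_id},
        "action": {"name": "launch"},
        "context": {},
    }


def pdp_evaluate(request):
    """Toy PDP. Returns {"decision": bool, "context": {...}}.
    The PDP never redirects anything: when it needs a stronger authentication it
    says so in an obligation (assumed shape) and leaves the flow to the PEP."""
    app = request["resource"]["id"]
    props = request["subject"].get("properties", {})
    roles = set(props.get("roles", []))
    acr = props.get("acr", "pwd")
    if not roles & ALLOWED_ROLES.get(app, set()):
        return {"decision": False, "context": {"reason": "role not permitted for app"}}
    if app in STEP_UP_REQUIRED and acr != "mfa":
        return {"decision": False,
                "context": {"obligations": [{"type": "step_up", "acr_values": "mfa"}]}}
    return {"decision": True, "context": {}}


def pep_handle(response, as_authorize_url, client_id, redirect_uri, state):
    """PEP side. decision true -> allow; false with a step_up obligation -> redirect
    the browser to the PEP's *own* configured AS asking for the required acr;
    false otherwise -> block. Only the acr value is taken from the PDP; the
    redirect target comes from PEP configuration, never from the response."""
    if response.get("decision") is True:
        return ("allow", None)
    for ob in response.get("context", {}).get("obligations", []):
        if ob.get("type") == "step_up":
            params = {"response_type": "code", "client_id": client_id,
                      "redirect_uri": redirect_uri, "state": state,
                      "scope": "openid", "acr_values": ob["acr_values"],
                      "prompt": "login"}
            return ("redirect", as_authorize_url + "?" + urlencode(params))
    return ("deny", None)


def app_launch(subject_id, roles, app_id, acr, as_url="https://idp.example/authorize",
               client_id="app-launcher", redirect_uri="https://pep.example/cb", state="s1"):
    """One PEP decision point: evaluate, then act on the answer."""
    resp = pdp_evaluate(build_evaluation_request(subject_id, roles, app_id, acr))
    return pep_handle(resp, as_url, client_id, redirect_uri, state)


if __name__ == "__main__":
    # Constructed walk-through: alice launches payroll with password-only auth,
    # gets sent to step up, then launches again with acr=mfa and is allowed.
    print(app_launch("alice", ["finance"], "payroll", "pwd"))
    print(app_launch("alice", ["finance"], "payroll", "mfa"))
    print(app_launch("bob", ["sales"], "payroll", "mfa"))
```

Two points worth keeping when implementing this for real: the PEP must re-run the evaluation after the user returns from the step-up (with the new `acr` from the fresh ID token) rather than caching the earlier denial, and it must not treat an arbitrary URL in the PDP response as a redirect target, or the PDP becomes an open-redirect source; derive the target from PEP configuration and bind the `state` value to the pending launch so the callback can be matched to it.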
Would this authorization API also work as a browser redirect? In case the PDP/PEP endpoints require some interactions before making a decision.