Introduction
The OpenID AuthZEN working group has defined a set of interop scenarios. These all are layered around a Todo application as a Policy Enforcement Point.
For the fourth AuthZEN interop event at Gartner IAM Summit in London (March 25 2025), we have added various API Gateways as Policy Enforcement Points.
What you'll find here
- Interop scenarios for various drafts of the AuthZEN 1.0 authorization API
- Specifications for the payloads and expected responses
- Interoperability results for the vendors that have participated in the interop testing
Interop video
The following video demonstrates the Todo interop scenario and the structure of the demo application.
Architecture
The latest scenario defines a defense-in-depth architecture, consisting of API gateways as an initial policy enforcement point performing functional / medium-grained authorization at the HTTP route level, and the relying party (Todo app) as another enforcement point, performing fine-grained authorization at the Todo level.
Results summary
Policy Decision Points
| Implementation | Todo PEP 00 | Todo PEP 01 | Todo PEP 02 | Gateway PEP 02 |
|---|---|---|---|---|
| Aserto | ✅ Results | ✅ Results | ✅ Results | ✅ Results |
| Axiomatics | ✅ Results | ✅ Results | ✅ Results | ✅ Results |
| Amazon VP | Did not participate | Did not participate | ✅ Results | ✅ Results |
| Cerbos | ✅ Results | ✅ Results | ✅ Results | ✅ Results |
| EmpowerID | Did not participate | ✅ Results | ✅ Results | |
| Hexa | ✅ Results | ✅ Results | ✅ Results | ✅ Results |
| Indykite | Did not participate | ✅ Results | ✅ Results | |
| Kogito | ✅ Results | ✅ Results | ✅ Results | |
| Open Policy Agent | ✅ Results | ✅ Results | ✅ Results | |
| OpenFGA | Did not participate | Did not participate | ✅ Results | ✅ Results |
| Permit | ✅ Results | ✅ Results | ✅ Results | |
| Ping Authorize | Did not participate | ✅ Results | ✅ Results | ✅ Results |
| PlainID | ✅ Results | ✅ Results | ✅ Results | ✅ Results |
| Real Solid Knowledge | ✅ Results | ✅ Results | ✅ Results | ✅ Results |
| SGNL | ✅ Results | ✅ Results | ✅ Results | ✅ Results |
| Thales | ✅ Results | Did not participate | Did not participate | |
| Topaz | ✅ Results | ✅ Results | ✅ Results | ✅ Results |
| WSO2 | Did not participate | Did not participate | ✅ Results | ✅ Results |
| 3Edges | ✅ Results | Replaced by Indykite | Replaced by Indykite |
API Gateways
API Gateways that support the Gateway scenario.