AuthZEN Working Group - Overview

AuthZEN will focus on specific areas of interoperability by documenting common authorization patterns, define standard mechanisms, protocols and formats for communication between authorization components, and recommend best practices for developing secure applications.

AuthZEN Working Group

AuthZEN Working Group

AuthZEN Working Group

AuthZEN Working Group

What is theAuthZEN Working Group?

The purpose of the AuthZEN WG is to provide standard mechanisms, protocols and formats to communicate authorization related information between components within one organization or across organizations, which may have been developed or sourced from different entities.

Centralized authentication services have revolutionized identity management and security best practices by removing the burden of repeatedly implementing identity lifecycle management within individual applications and by giving users a more seamless and consistent authentication experience. Protocols such as SAML and OIDC facilitate this approach to single sign-on and federated environments.

Authorization capabilities are in need of a similar paradigm shift to enable applications to better support more fine-grained, dynamic authorization than what is afforded by today’s commonly used pattern of embedding entitlements into OAuth2 bearer tokens after user authentication. This is not a new idea and we already have various approaches to implementing externalized authorization – commonly called “P*P” architectures (PIP, PDP, PEP, etc.). Examples include architectures based on IDQL, OPA/Rego, XACML and Zanzibar. Deploying any of these authorization architectures can be challenging from implementation complexity, granularity, and scalability perspectives; interoperability between different architectures and between different implementations are particularly challenging.

 The purpose of this WG is to explore how to improve the deployability, scalability and interoperability of dynamic, fine-grained authorization schemes to better meet the needs of modern information security best practices. In particular, we need to make authorization easy for an organization to deploy and operate authorization capabilities across their entire application estate, including both SaaS services and internally developed applications (whether they be on-prem or in the Cloud).

Note that this is not necessarily an effort to define yet another authorization architecture or runtime policy language. Instead, the WG will develop OpenID Foundation Final Specifications which leverage existing architectures and protocols as much as possible. Where appropriate, the WG intends to collaborate with international standards development organizations, such as ISO/IEC JTC 1, ITU-T, and IETF, for recognition of these OpenID Foundation specifications.

Working Group Chairs

  • David Brossard (Axiomatics)
  • Allan Foster
  • Omri Gazitt (Aserto)
  • Gerry Gebel (Strata Identity)
  • Sean O’Dell (Disney)


The chairs can be reached at


To monitor progress and connect with working group members, join the mailing list.

To participate in or contribute to a specification within the working group requires the submission of an Intellectual Property Rights (IPR) contribution agreement.  You can complete this electronically or by paper at
Be sure to specify, in the working groups box, the exact name:

Meeting Schedule

Regular Meetings