XX Years of Catalyzing Community @ IIW! [#57]
Conferences are hard, community organizing is even harder… Huzzah!
There’s magic going on right now at the Internet Identity Workshop, “the world’s leading forum for User-Centric ID.” It’s sleight-of-hand in plain view here at the Opening Circle, where they introduce the “Open Space Technology” that enables participants to create a world-class conference on-the-fly, and on-their-own. It’s where our own nascent efforts to organize a conference and newsletter emerged in late 2023.

Welcome to the latest issue of the AuthZ newsletter which, more than ever, depends on your input so please provide us with your suggestions (blog posts, videos, podcasts, events, etc) and fill out the subscriber survey!
🇺🇸 IIW XL in Mountain View [April 8-10]
In such an ephemeral and accelerating industry, it’s impressive that IIW has kept chugging along twice a year for two decades now. And not for the sake of meeting alone… nor as some fancy junket on the conference circuit… IIW has made a real impact performing its Open Space magic trick again and again, which has been key to convening this ever-changing, consistently influential coven of technologists who conceived of OpenID, UMA, SSI, and DID, among many other innovations…
Indeed, without IIW we might not have “solved” AuthN over the years, to the point that we can even ask that question — congrats to everyone who made this milestone!
(And if you can come, subscribers can still save 25% off of passes this week!)
🇮🇸 OSW in Reykjavík [Feb 26-28]
A little over a month ago, the masterminds behind OAuth and its flurry of profiles descended upon the Icelandic capital to share the latest in IAM. For those of you unfamiliar with OAuth Security Workshop, here’s Dean Saxe’s definition:
OSW is an intimate conference (~120 participants) with a distinct format: mornings are dedicated to pre-planned presentations (much like Identiverse or the European Identity & Cloud Conference but with a sharper focus on OAuth and related standards), while afternoons are structured as an “unconference,” similar to the Internet Identity Workshop.
One of the key presentations that stood out was Mike Jones’ Cambrian Explosion of OAuth and OpenID Specifications, republished on his own website. His message boiled down to “we’re creating too many specs,” so how can we navigate the increasingly complex identity landscape?
Another presentation close to my heart and directly relevant to authorization was the one where Jeff Lombardo of AWS and Alex Babeanu of Indykite propose tying the OAuth model to the OpenID AuthZEN model as follows:
OAuth Authorization Servers (AS) should make direct AuthZEN calls to compliant PDPs as part of their usual token-minting ceremonies.
This will supply the PDPs with the additional client claims described above to help in decision-making. (We are thinking in particular about RAR requests, which can be complex authorization requests.)
The authors also proposed a new Step-Up Authorization Protocol as an extension to RFC 9470, Step-Up Authentication Protocol.
In this new flow, a Resource Server can request an Authorization Step-Up and require a new set of client claims from the client. The client is then responsible for obtaining these claims by, for example, authenticating using a stronger method (such as mTLS or signed assertions) and ensuring certain extensions (such as DPoP) are presented.
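To make the first half of the proposal concrete, here is an added example (my own sketch, not code from the presenters or from any AuthZEN implementation) of an Authorization Server gating token minting on AuthZEN decisions: each RFC 9396 `authorization_details` entry is mapped to one AuthZEN evaluation request per action, with the client claims the AS already holds passed in `context`. It assumes the AuthZEN 1.0 request shape (subject/resource/action/context, response `{"decision": bool}`); the PDP is an in-process stand-in with a deny-by-default table, and the RAR payload is constructed sample data.

```python
# Added example: an OAuth AS consulting an AuthZEN PDP during token minting.
# Assumptions: AuthZEN 1.0 evaluation request/response shape; StubPDP stands
# in for a real PDP endpoint; SAMPLE_RAR is constructed sample data.

def rar_to_authzen_requests(client_id, subject_id, authorization_details):
    """Map each RFC 9396 authorization_details entry to one AuthZEN evaluation
    request per (action, location). Client claims the AS already verified
    (here just client_id) travel in `context` so the PDP can use them."""
    requests = []
    for detail in authorization_details:
        for action in detail.get("actions", []):
            for location in detail.get("locations", ["*"]):
                requests.append({
                    "subject": {"type": "user", "id": subject_id},
                    "resource": {"type": detail["type"], "id": location},
                    "action": {"name": action},
                    "context": {"client_id": client_id,
                                "datatypes": detail.get("datatypes", [])},
                })
    return requests


class StubPDP:
    """Stand-in PDP: deny by default, allow only listed
    (subject_id, resource_type, action) tuples, and only for a trusted client."""
    def __init__(self, allow, trusted_clients):
        self.allow = allow
        self.trusted_clients = trusted_clients

    def evaluate(self, req):
        key = (req["subject"]["id"], req["resource"]["type"], req["action"]["name"])
        trusted = req["context"].get("client_id") in self.trusted_clients
        return {"decision": trusted and key in self.allow}


def mint_token(pdp, client_id, subject_id, authorization_details):
    """Issue a token only if every AuthZEN evaluation allows; otherwise None.
    An empty RAR list is refused too, so there is no silent fallback."""
    reqs = rar_to_authzen_requests(client_id, subject_id, authorization_details)
    if not reqs or not all(pdp.evaluate(r)["decision"] for r in reqs):
        return None
    return {"access_token": "constructed-opaque-token", "token_type": "Bearer",
            "authorization_details": authorization_details}


# Constructed sample RAR entry (RFC 9396 style), not taken from any real system.
SAMPLE_RAR = [{"type": "payment_initiation", "actions": ["initiate"],
               "locations": ["https://bank.example/payments"]}]
```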
For a deeper dive into OSW, check out Alex’s recap on IDPro’s blog. Do you want to speak at or attend an OSW? Check out their upcoming events.
🇬🇧 Gartner IAM in London [March 24-25]
A mere 2,000km away as the 🐦⬛ flies, and some 30 days later, my fellow identerati and I congregated in London (insofar as the O2 is in London) for Gartner IAM EMEA 2025. With over a thousand attendees, this year proved to be another success for Gartner and a key indicator that companies are taking IAM more seriously than ever before.
OpenID Standards at the forefront - Keynote
Ant Allan, Rebecca Archambault, and Felix Gaehtgens delivered a strong keynote focusing on three key trends:
Machine IAM
Artificial Intelligence (AI anyone?)
IAM standards
I was particularly pleased to see these IAM standards mentioned in the keynote:
CAEP: a part of the OpenID Shared Signals Framework, CAEP is a mechanism by which security information can be conveyed just-in-time to subscribers. It opens up a world of possibilities in terms of ZSP and authorization.
AuthZEN: also a part of the OpenID family of standards, AuthZEN standardizes APIs and flows for fine-grained authorization (beyond what one can achieve with identity-centric approaches e.g. OAuth)
SPIFFE and WIMSE: these tie back to non-human identities and machine identities
Verifiable credentials: as someone who’s moved around and has had to prove one claim or another (university degree, credit worthiness), I’m a huge fan of VCs. I cannot wait for mass adoption.
OpenID Shines at Standard Interop Sessions
We were fortunate that Gartner gave OpenID two executive sessions and a dedicated room to spread the word about upcoming standards. The spotlight was on the OpenID Shared Signals Framework (SSF) and OpenID AuthZEN. Atul Tulshibagwale of SGNL delivered a presentation on the benefits of SSF, while Omri Gazitt of Aserto, Homan Farahmand of Gartner and I spoke to the standardization efforts in the world of fine-grained authorization (aka the P*P architecture). You can browse the slides here.
Both AuthZEN and Shared Signals were able to showcase their work during six sessions throughout Monday and Tuesday:
Acronyms from the future: TBAC
In what may become a standing section, we’ll close with a teaser of things to come.