Hi,

I came across the recently published draft-liu-oauth-rego-policy-00 [0].

First, apologies to the authors for commenting before they have had a chance to present the draft on this list.

For many years, the OAuth community kept authorization policy languages out of scope. I agree with the authors that it may be time to revisit that position, particularly given the increased focus on workload authorization and AI agents operating as workloads.

However, once we go there, we should also discuss what properties we need from such languages. As input to that discussion, I would point to a recent AWS blog post [1] explaining why Amazon chose Cedar for agentic workload authorization. Granted that AWS is not a neutral party, but the post highlights an important consideration: the ability to perform automated analysis of policies.

Rego is more expressive and more widely deployed than Cedar. On the other hand, Cedar was designed to support reasoning about questions such as:

  • Whether policies are unintentionally over-permissive or over-restrictive.

  • Whether policies overlap or conflict.

  • The impact of a policy change on authorization outcomes.

It is far too early to discuss any specific language choice, but it would be useful to discuss the requirements, including the tradeoff between expressiveness and analyzability.

Thanks,

Yaron

[0] https://www.ietf.org/archive/id/draft-liu-oauth-rego-policy-00.html

[1] https://aws.amazon.com/blogs/security/why-policy-in-amazon-bedrock-agentcore-chose-cedar-for-securing-agentic-workflows/ (discussion on analyzability is in the second half of the post)


_______________________________________________
OAuth mailing list -- [email protected]
To unsubscribe send an email to [email protected]