Hi Yaron,
we had various discussions about policy languages over the years and
also drafts in the past, see for example
https://www.ietf.org/archive/id/draft-cecchetti-oauth-rar-cedar-02.html
Unfortunately, there was not enough interest in any of that work.
Would be interesting to hear from the group whether the interest has
increased now due to the AI-related work.
Ciao
Hannes
Am 14.06.2026 um 13:30 schrieb Yaron Sheffer:
Hi,
I came across the recently published draft-liu-oauth-rego-policy-00 [0].
First, apologies to the authors for commenting before they have had a
chance to present the draft on this list.
For many years, the OAuth community kept authorization policy
languages out of scope. I agree with the authors that it may be time
to revisit that position, particularly given the increased focus on
workload authorization and AI agents operating as workloads.
However, once we go there, we should also discuss what properties we
need from such languages. As input to that discussion, I would point
to a recent AWS blog post [1] explaining why Amazon chose Cedar for
agentic workload authorization. Granted that AWS is not a neutral
party, but the post highlights an important consideration: the ability
to perform automated analysis of policies.
Rego is more expressive and more widely deployed than Cedar. On the
other hand, Cedar was designed to support reasoning about questions
such as:
*
Whether policies are unintentionally over-permissive or
over-restrictive.
*
Whether policies overlap or conflict.
*
The impact of a policy change on authorization outcomes.
It is far too early to discuss any specific language choice, but it
would be useful to discuss the requirements, including the tradeoff
between expressiveness and analyzability.
Thanks,
Yaron
[0] https://www.ietf.org/archive/id/draft-liu-oauth-rego-policy-00.html
[1]
https://aws.amazon.com/blogs/security/why-policy-in-amazon-bedrock-agentcore-chose-cedar-for-securing-agentic-workflows/ (discussion
on Analyzability is in the second half of the post)
_______________________________________________
OAuth mailing list [email protected]
To unsubscribe send an email [email protected]
_______________________________________________
OAuth mailing list -- [email protected]
To unsubscribe send an email to [email protected]