
Introduction

The OpenID AuthZEN working group has defined a set of interop scenarios. These are all built around a Todo application acting as a Policy Enforcement Point.

New in December 2025!

For the seventh AuthZEN interop event at Gartner IAM Summit in Grapevine (Dec 8 2025), we have added various Identity Providers as Policy Enforcement Points.

What you'll find here

  • Interop scenarios for various drafts of the AuthZEN 1.0 authorization API
  • Specifications for the payloads and expected responses
  • Interoperability results for the vendors that have participated in the interop testing

Interop video

The following video demonstrates the Todo interop scenario and the structure of the demo application.

Architecture

AuthZEN is built around a defense-in-depth approach to IAM:

  • coarse-grained authorization can be performed during authentication, with the IdP functioning as a policy enforcement point
  • medium-grained authorization can be enforced by API gateways, performing functional authorization at the HTTP route level
  • the relying party (in our case, a Todo app) is the final enforcement point, performing fine-grained authorization at the Todo level

[Figure: enforcement points]

Interoperability events

The AuthZEN working group has sponsored seven formal interoperability events since June 2024, focusing on various scenarios:

| Scenario | Event | Draft | Endpoints |
|---|---|---|---|
| App Code | Identiverse 2024 | 00 | /evaluation |
| App Code | EIC 2024 | 01 | /evaluation |
| App Code | Authenticate 2024 | 02 | + /evaluations |
| App Code | Gartner IAM US 2024 | 02 | + /evaluations |
| API Gateway | Gartner IAM London 2025 | 02 | + /evaluations |
| Search | Identiverse 2025 | 03 | /search, /.well-known |
| Identity Provider | Gartner IAM US 2025 | 04 | /search |

Results summary

Policy Decision Points

Todo (App Code & API Gateway evaluation / evaluations API) scenarios

Policy Decision Points that participated in the various App Code and API Gateway scenarios.

| Implementation | Todo PEP 00 | Todo PEP 01 | Todo PEP 02 | Gateway PEP 02 |
|---|---|---|---|---|
| Aserto | Results | Results | Results | Results |
| Axiomatics | Results | Results | Results | Results |
| Amazon VP | Did not participate | Did not participate | Results | Results |
| Cerbos | Results | Results | Results | Results |
| EmpowerID | Did not participate | Results | Results | Did not participate |
| Hexa | Results | Results | Results | Results |
| Indykite | Did not participate | Results | Results | Did not participate |
| Kogito | Results | Results | Results | Did not participate |
| Open Policy Agent | Results | Results | Results | Did not participate |
| OpenFGA | Did not participate | Did not participate | Results | Results |
| Permit | Results | Results | Results | Did not participate |
| Ping Authorize | Did not participate | Results | Results | Results |
| PlainID | Results | Results | Results | Results |
| Real Solid Knowledge | Results | Results | Results | Results |
| SGNL | Results | Results | Results | Results |
| Thales | Results | Did not participate | Did not participate | Did not participate |
| Topaz | Results | Results | Results | Results |
| WSO2 | Did not participate | Did not participate | Results | Results |
| 3Edges | Results | Replaced by Indykite | Replaced by Indykite | Did not participate |

Search API scenario

Policy Decision Points that participated in the Search scenario.

| Implementation | Search PEP 03 |
|---|---|
| Apache KIE | Results |
| Axiomatics | Results |
| Cerbos | Results |
| EmpowerID | Results |
| Indykite | Results |
| PingAuthorize (ID Partners) | Results |
| PlainID | Results |
| Topaz | Results |
| WSO2 | Results |

Identity Provider interop scenario (search API)

Policy Decision Points that participated in the IdP scenario.

| Implementation | IdP PEP 04 |
|---|---|
| Apache KIE | Results |
| Axiomatics | Results |
| Cerbos | Results |
| EmpowerID | Results |
| Indykite | Results |
| Permit | Results |
| PingAuthorize (ID Partners) | Results |
| PlainID | Results |
| SGNL | Results |
| Topaz | Results |
| WSO2 | Results |

API Gateways

API Gateways that participated in the Gateway scenario.

| Implementation | Hosted at |
|---|---|
| AWS API Gateway | https://aws-gateway.authzen-interop.net |
| Envoy | https://authzen-envoy-proxy-demo.cerbos.dev |
| Kong | https://plainid-kong-gw.se-plainid.com |
| Tyk | https://tyk-authzen-interop.do.poc.tyk.technology |
| Layer7 | https://authzen-interop-gw.layer7.broadcom.com |
| WSO2 | https://authzen-interop-demo.wso2.com/api/identity |
| Zuplo | https://authzen-todo-main-4df5ceb.d2.zuplo.dev |

Identity Providers

Identity Providers that support the IdP scenario.

| Implementation | Hosted at |
|---|---|
| Auth0 | https://authzen-idp-demo.eu.auth0.com |
| Curity | https://login-demo.curity.io/ |
| Duende | https://demo-authzen-idsrv.duendesoftware.com |
| EmpowerID | https://idp.authzen-demo.eidlabs.net |
| Gluu / Janssen | https://test-jans5.gluu.info/ |
| Keycloak | https://kc-interop-authzen.happyisland-d2af5d5e.westus2.azurecontainerapps.io/ |
| Ping Federate (ID Partners) | https://pingfed.idpartners.au/ |
| PingOne (ID Partners) | https://apps.pingone.asia/709b8f55-bc83-48ae-b965-89f616b7d124 |
| Thales | https://productpod-bfsi-deployment.in.tryciam.onewelcome.net/ |