opa-authzen-plugin.
Current Status (as of April 5, 2026)
Based on the opa-authzen-interop README:
- authorization-api-1_0-01 (single evaluation): 40/40 PASS
- POST /access/v1/evaluations (batch): not implemented yet, returns 404
So there is still a clear gap.
At the same time, the official OPA interop results page for Todo 1.1 already shows authorization-api-1_0-02 runs.
That makes the next goal straightforward: stabilize 1_0-02 support in my own repo as well.
Next Action
The next three steps are clear:
- Implement POST /access/v1/evaluations in opa-authzen-plugin
- Make opa-authzen-interop green for authorization-api-1_0-02
- Add interop tests to CI so regressions are caught at PR time
Longer-term, as interop scenarios evolve, Search/IdP paths (/access/v1/search/*) should also become tracking targets.
Authorization Model In The Todo Scenario
The Todo scenario is "5 users × 5 actions".
| Action | admin (Rick) | editor (Morty, Summer) | viewer (Beth, Jerry) |
|---|---|---|---|
| can_read_user | allow | allow | allow |
| can_read_todos | allow | allow | allow |
| can_create_todo | allow | allow | deny |
| can_update_todo | allow (any) | allow (own only) | deny |
| can_delete_todo | allow (any) | allow (own only) | deny |
In Rego, input.subject.id is mapped through data.users, roles are evaluated, and ownership-scoped actions check ownerID.
```rego
# can_create_todo: allow for admin or editor roles
allow if {
    input.action.name == "can_create_todo"
    some role in user.roles
    role in {"admin", "editor"}
}

# can_update_todo: editor can update only their own todos
allow if {
    input.action.name == "can_update_todo"
    "editor" in user.roles
    input.resource.properties.ownerID == user.email
}
```
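The decision table above as a default-deny reference model, together with the fan-out a batch POST /access/v1/evaluations request needs. This is an added Python example, not code from opa-authzen-plugin or the official harness. The user ids and emails are constructed, and the per-key shallow merge of top-level defaults into each item of a non-empty evaluations array is an assumption of the example.

```python
# Added example. User ids and emails below are constructed, not the harness's real values.
USERS = {
    "rick": {"email": "rick@example.test", "roles": ["admin"]},
    "morty": {"email": "morty@example.test", "roles": ["editor"]},
    "summer": {"email": "summer@example.test", "roles": ["editor"]},
    "beth": {"email": "beth@example.test", "roles": ["viewer"]},
    "jerry": {"email": "jerry@example.test", "roles": ["viewer"]},
}
READ_ACTIONS = {"can_read_user", "can_read_todos"}
OWNER_SCOPED = {"can_update_todo", "can_delete_todo"}

def decide(request):
    """Single evaluation: default deny, then the rows of the table."""
    user = USERS.get(request.get("subject", {}).get("id"))
    if user is None:
        return False  # unknown subject
    roles = set(user["roles"])
    action = request.get("action", {}).get("name")
    if action in READ_ACTIONS:
        return bool(roles & {"admin", "editor", "viewer"})
    if action == "can_create_todo":
        return bool(roles & {"admin", "editor"})
    if action in OWNER_SCOPED:
        if "admin" in roles:
            return True  # admin: any todo
        owner = request.get("resource", {}).get("properties", {}).get("ownerID")
        # editor: own todos only; a missing ownerID must not match
        return "editor" in roles and owner is not None and owner == user["email"]
    return False  # unknown action

def evaluate_batch(body):
    """Batch: top-level subject/action/resource/context are defaults; each item
    overrides them per key (shallow merge, an assumption of this example)."""
    defaults = {k: body[k] for k in ("subject", "action", "resource", "context") if k in body}
    return {"evaluations": [{"decision": decide({**defaults, **item})}
                            for item in body["evaluations"]]}

# Constructed batch: Morty is the default subject, his own todo the default resource.
SAMPLE_BATCH = {
    "subject": {"type": "user", "id": "morty"},
    "resource": {"type": "todo", "id": "1", "properties": {"ownerID": "morty@example.test"}},
    "evaluations": [
        {"action": {"name": "can_update_todo"}},
        {"action": {"name": "can_delete_todo"},
         "resource": {"type": "todo", "id": "2", "properties": {"ownerID": "rick@example.test"}}},
        {"subject": {"type": "user", "id": "beth"}, "action": {"name": "can_create_todo"}},
        {"subject": {"type": "user", "id": "nobody"}, "action": {"name": "can_read_todos"}},
    ],
}
```

Each batch item reduces to one single-evaluation request, so the existing single-evaluation policy can answer every item; the response keeps the decisions in request order.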
How To Run
Shortest path:
```sh
make test
```
If you want to run the official harness directly:
```sh
make up
git clone https://github.com/openid/authzen.git
cd authzen/interop/authzen-todo-backend
yarn install && yarn build
yarn test http://localhost:8181 authorization-api-1_0-01 console
```
make test flow:
make test
Final Note (Issue / PR)
There are still many parts I need to improve. If you spot anything, feedback would really help.
- Bug reports: Issue with reproducible steps
- Spec mismatches: Issue with the relevant scenario URL
- Improvements / implementation changes: Pull Request
evaluations support is still in progress, so suggestions and fixes are both very welcome.