Skip to main content

AuthZEN & PDP Integration

Overview

A Professional course on interoperable authorization. It teaches the OpenID AuthZEN Authorization API 1.0, the vendor-neutral request and response contract between a Policy Enforcement Point (PEP) and a Policy Decision Point (PDP), and how to serve that contract from OPA using opa-authzen-plugin. You will learn the AuthZEN request shape (subject, action, resource, context), the single and batch evaluation endpoints (POST /access/v1/evaluation and POST /access/v1/evaluations), the discovery endpoint (GET /.well-known/authzen-configuration), and how to wire a PEP to the PDP in two topologies: a co-located sidecar and a centralized shared PDP. A runnable OPA lab answers an AuthZEN-style evaluation and proves it with tests.

Who this is for

Engineers and architects who already understand the PEP/PDP/PIP split and want a standard, portable interface between them. Both EnforceAuth customers and open-source OPA users. The lab has you author Rego, so you should be comfortable writing and testing it: The AI Security Fabric & the Authorization Gap and OPA & Enterprise OPA Fundamentals are the prerequisites, and the latter is where you learn the Rego you will write here.

Outcomes

By the end of this course you will be able to:

  • Describe the AuthZEN 1.0 evaluation contract: the four request objects (subject, action, resource, context) and the boolean decision response.
  • Call the single evaluation endpoint and the batch evaluations endpoint, and explain when each fits a PEP.
  • Explain what GET /.well-known/authzen-configuration advertises and why a PEP reads it.
  • Serve AuthZEN from OPA with opa-authzen-plugin by mapping the request body onto input and pointing the plugin at a Rego decision.
  • Choose between a sidecar PDP and a centralized PDP, and state the latency, blast-radius, and consistency trade-offs.
  • Author a default-deny AuthZEN policy and predict its allow and deny decisions.

Lessons

  1. The AuthZEN Authorization API 1.0
  2. Serving AuthZEN from OPA with opa-authzen-plugin
  3. PEP wiring: sidecar versus centralized PDP

Hands-on lab

This course includes a graded lab in lab/ that answers an AuthZEN-style evaluation. lab/policy.rego ships as a default-deny starter: you author the decision so a policy that takes an AuthZEN request (subject, action, resource, context) as input returns the right boolean decision. Implement it, then clone the public labs repo and run:

git clone https://github.com/EnforceAuth/university-labs.git
cd university-labs
opa test courses/authzen-pdp-integration -v

The untouched starter reports PASS: 5/9; complete the TODO(learner) until you reach PASS: 9/9.

Certification

Counts toward the Professional track. Certification is a machine-graded practical: you author a policy that the assessment engine runs against a HIDDEN opa test suite you do not see. This lab is practice for that exam.