AuthZEN & PDP Integration
Overview
A Professional course on interoperable authorization. It teaches the OpenID AuthZEN Authorization API 1.0, the vendor-neutral request and response contract between a Policy Enforcement Point (PEP) and a Policy Decision Point (PDP), and how to serve that contract from OPA using opa-authzen-plugin. You will learn the AuthZEN request shape (subject, action, resource, context), the single and batch evaluation endpoints (POST /access/v1/evaluation and POST /access/v1/evaluations), the discovery endpoint (GET /.well-known/authzen-configuration), and how to wire a PEP to the PDP in two topologies: a co-located sidecar and a centralized shared PDP. A runnable OPA lab answers an AuthZEN-style evaluation and proves it with tests.
Who this is for
Engineers and architects who already understand the PEP/PDP/PIP split and want a standard, portable interface between them. Both EnforceAuth customers and open-source OPA users. The lab has you author Rego, so you should be comfortable writing and testing it: The AI Security Fabric & the Authorization Gap and OPA & Enterprise OPA Fundamentals are the prerequisites, and the latter is where you learn the Rego you will write here.
Outcomes
By the end of this course you will be able to:
- Describe the AuthZEN 1.0 evaluation contract: the four request objects (
subject,action,resource,context) and the booleandecisionresponse. - Call the single evaluation endpoint and the batch evaluations endpoint, and explain when each fits a PEP.
- Explain what
GET /.well-known/authzen-configurationadvertises and why a PEP reads it. - Serve AuthZEN from OPA with
opa-authzen-pluginby mapping the request body ontoinputand pointing the plugin at a Rego decision. - Choose between a sidecar PDP and a centralized PDP, and state the latency, blast-radius, and consistency trade-offs.
- Author a default-deny AuthZEN policy and predict its allow and deny decisions.
Lessons
- The AuthZEN Authorization API 1.0
- Serving AuthZEN from OPA with opa-authzen-plugin
- PEP wiring: sidecar versus centralized PDP
Hands-on lab
This course includes a graded lab in lab/ that answers an AuthZEN-style evaluation. lab/policy.rego ships as a default-deny starter: you author the decision so a policy that takes an AuthZEN request (subject, action, resource, context) as input returns the right boolean decision. Implement it, then clone the public labs repo and run:
git clone https://github.com/EnforceAuth/university-labs.git
cd university-labs
opa test courses/authzen-pdp-integration -v
The untouched starter reports PASS: 5/9; complete the TODO(learner) until you reach PASS: 9/9.
Certification
Counts toward the Professional track. Certification is a machine-graded practical: you author a policy that the assessment engine runs against a HIDDEN opa test suite you do not see. This lab is practice for that exam.