Contents of a Principal ("Subject")

[baboulebou]

An ID should likely suffice in most cases. Now it's probably a good idea to also optionally add some Subject claims here that the PDP can use (thinking JWT claims coming into the PEP, or environmental values for example). But in that case it should not be just "IP" and "DeviceID", but rather an array of "key"="Value" claim pairs, or map or similar structure, which may be completely custom and use-case-specific.

Additionally, It would be good to also have a Subject Type - make it optional if not needed (but we would need it for example).

[ogazitt]

Agree that a Subject identifier should include at the minimum two things:

• type (string) - required
• identity (string) - required
• properties (JSON object) - optional

type: a caller may want to pass in a JWT (or other token) which encodes a subject plus a set of claims. Or they may want to pass in the subject directly (for example, a PID or an email that functions as an identity, which can be looked up).

It may be helpful to define at least those two as common types ("type": "JWT" and "type": "subject"), but also make the set of type values open-ended.

Adding an optional, generic properties bag is very helpful for ABAC systems that may need to pass in additional claims/attributes. This would cover your use-case of deviceId and ipAddress but make the mechanism more generic.

[tulshi]

Converted to issue #33

[tr33]

General question:
What distinguishes a subject from an object, other than the fact that it is in a different position in the equation "Subject-permission-resource"?
Both, subject and resource, are arbitrary objects which become a "subject" or "resource" in the context of a policy decision.

long story short:
why should attributes like "deviceId" or "ipAddress" only be specified for the subject role of an object - which already bounds the PDPs request message into a certain context by its pure wording?

I'd suggest to declare the same representation format for both, subject and resource, and don't stick to special attributes for one or the other: An object becomes a "subject" (resp. "resource") when its in the "subject" part (resp. "resource" part) of the request.
apart from that, both follow the TBD representation rules of an "object".