A simple demonstration of the OpenID AuthZEN Authorization API 1.0 specification.
This project contains two services:
- PDP (Policy Decision Point) - Makes authorization decisions
- PEP (Policy Enforcement Point) - Web application that enforces decisions
```
┌────────────┐       ┌────────────────────┐       ┌────────────────────┐
│            │       │                    │       │                    │
│    User    │──────▶│    PEP (:3000)     │──────▶│    PDP (:8080)     │
│            │       │  Document Manager  │       │   Authorization    │
│            │◀──────│                    │◀──────│        API         │
│            │       │                    │       │                    │
└────────────┘       └────────────────────┘       └────────────────────┘
```
- User opens the Document Manager web app
- PEP asks PDP: "Which documents can this user view?"
- PDP returns access decisions for each document
- PEP shows only the documents the user can access
Databases:
- PEP uses documents.db (stores document content)
- PDP uses authz.db (stores users, roles, permissions)
```
authzen-python-sample/
├── pdp/                # PDP - Authorization API
│   ├── main.py
│   ├── config.py
│   ├── database.py
│   ├── models/
│   ├── routers/
│   └── pdp_core/
│
└── pep/                # PEP - Document Manager Web Application
    ├── main.py
    ├── database.py
    ├── pep.py
    └── templates/
        ├── base.html
        ├── index.html
        ├── document.html
        └── access.html
```
⚠️ This project is intended for demonstration purposes only and is not meant for production use. ⚠️
- Python 3.10 or higher
- pip
Step 1: Install dependencies

```
pip install -r requirements.txt
```

Terminal 1 - Start the PDP:

```
cd pdp
python main.py
```

Runs at http://localhost:8080

Terminal 2 - Start the PEP:

```
cd pep
python main.py
```

Runs at http://localhost:3000
- Open http://localhost:3000 in your browser
- Use the dropdown in the navbar to switch users
- The document list shows only documents you can access
- Click "View" to see document content
- Click "Access Info" to see who can access a document
Available Users:
- Alice - Engineer in engineering department
- Bob - Manager in engineering department
- Carol - HR Admin in hr department
- Guest - Visitor with no department

Available Documents:
- doc-public - Public document (everyone can access)
- doc-internal - Internal document (employees only)
- doc-confidential - Confidential document (HR only)
Document List (Home Page):
- Shows only documents the current user can access
- Uses batch evaluation endpoint for efficiency
Document View:
- Shows document content if access is granted
- Shows access denied message if not authorized
- Displays the reason for the decision
Access Info:
- Shows which users can access a document
- Uses the search endpoint to find all authorized users
- Shows your own access status
PDP (http://localhost:8080):
- `POST /access/v1/evaluation` - Check authorization
- `POST /access/v1/evaluations` - Batch check
- `POST /access/v1/search` - Find who has access
- `GET /health` - Health check

PEP (http://localhost:3000):
- `GET /documents` - Document list (filtered by access)
- `GET /documents/{id}` - View a document
- `GET /documents/{id}/access` - See who can access
- `GET /health` - Health check
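As an added example (not the project's own code), the following shows how the home page's "which documents can this user view?" question becomes a single AuthZEN 1.0 batch request to `/access/v1/evaluations`, and how the PEP keeps only the documents whose decision is `true`. The PDP is replaced by an in-memory stub that encodes the three document rules listed above; the user ids, attribute names and the `can_read` action name are assumptions.

```python
# Added example (not the project's code): PEP-side list filtering using the
# AuthZEN 1.0 batch evaluations request. The PDP is simulated in-memory so this
# runs offline; user ids, attribute names and the action name are assumptions.
from typing import Any, Callable

# Constructed sample data mirroring the users and documents described above.
USERS = {
    "alice": {"role": "engineer", "department": "engineering"},
    "bob": {"role": "manager", "department": "engineering"},
    "carol": {"role": "hr_admin", "department": "hr"},
    "guest": {"role": "visitor", "department": None},
}
DOCUMENTS = {"doc-public": "public", "doc-internal": "internal",
             "doc-confidential": "confidential"}

def build_evaluations_request(user_id: str, doc_ids: list[str]) -> dict[str, Any]:
    """Build one /access/v1/evaluations body: top-level subject and action are
    defaults inherited by every item, so each item only names its resource."""
    return {
        "subject": {"type": "user", "id": user_id},
        "action": {"name": "can_read"},
        "evaluations": [{"resource": {"type": "document", "id": d}} for d in doc_ids],
    }

def stub_pdp_evaluations(request: dict[str, Any]) -> dict[str, Any]:
    """Stand-in for the PDP: public -> everyone, internal -> anyone with a
    department, confidential -> hr only. Unknown users/docs are denied."""
    user = USERS.get(request["subject"]["id"])
    results = []
    for item in request["evaluations"]:
        level = DOCUMENTS.get(item["resource"]["id"])
        if user is None or level is None:
            results.append({"decision": False})
            continue
        dept = user["department"]
        allowed = (level == "public"
                   or (level == "internal" and dept is not None)
                   or (level == "confidential" and dept == "hr"))
        results.append({"decision": allowed})
    return {"evaluations": results}

def visible_documents(user_id: str, doc_ids: list[str],
                      pdp: Callable[[dict], dict] = stub_pdp_evaluations) -> list[str]:
    """Keep only documents the PDP allowed. Decisions are matched to requests by
    position; a short or malformed response counts as a denial (fail closed)."""
    decisions = pdp(build_evaluations_request(user_id, doc_ids)).get("evaluations", [])
    return [doc_id for i, doc_id in enumerate(doc_ids)
            if i < len(decisions) and decisions[i].get("decision") is True]
```

Swapping `pdp` for a function that POSTs the request body to `http://localhost:8080/access/v1/evaluations` turns the stub into a call to the real PDP without changing the filtering logic.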
- PDP Swagger UI: http://localhost:8080/docs
- PEP Swagger UI: http://localhost:3000/docs
- OpenID AuthZEN Authorization API 1.0: https://openid.net/specs/authorization-api-1_0.html
Copyright 2026 Okta, Inc.
This project is licensed under the Apache License 2.0. See the LICENSE file for more info.