The current specification (1.1-01) defines resources but does not define the applications that may be providing the actions against the resources.
Should "application" be a separate thing? For example, you could have a todo app and a projectMgmt app that work against the same resources (todos). Having an application parameter allows for different permissions in the context of different applications against the same resource.
As an example, in Hexa Policy, the resource is mapped to the condition while the application is the target of the policy.
```json
{
  "meta": {
    "version": "0.7",
    "description": "Delete a todo if admin or owner of todo",
    "policyId": "DeleteTodo"
  },
  "subjects": [
    "role:admin",
    "role:editor"
  ],
  "actions": [
    "can_delete_todo"
  ],
  "condition": {
    "rule": "subject.roles co admin or (subject.roles co editor and resource.properties.ownerID eq subject.claims.email)",
    "action": "allow"
  },
  "object": "todo"
}
```
In the current Authzen implementation, we have to associate the requesting PEP client with the application "todo" in the event of a PDP supporting multiple applications.
--> Having the application in the Authzen request would be useful.
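Added example (not part of the original issue, the AuthZEN specification or Hexa): a minimal PDP sketch showing why the application scope changes the decision for the same todo resource, and how an explicit application value can be checked against the authenticated PEP client. The `context.application` parameter, the client ids, the subject property names and the projectMgmt policy are assumptions made for illustration.

```python
# Added illustration: not AuthZEN spec text and not Hexa code.
def todo_rule(s, r):
    # The issue's DeleteTodo condition, translated by hand from the rule string.
    return "admin" in s["roles"] or (
        "editor" in s["roles"] and r["ownerID"] == s["email"])

def pm_rule(s, r):
    # Hypothetical stricter policy for the projectMgmt application.
    return "admin" in s["roles"]

# Same action and resource type, different policy per application.
POLICIES = {
    ("todo", "can_delete_todo"): todo_rule,
    ("projectMgmt", "can_delete_todo"): pm_rule,
}

# Constructed PEP client ids mapped to the applications each may ask about.
CLIENT_APPS = {"pep-todo": {"todo"}, "pep-gateway": {"todo", "projectMgmt"}}

def resolve_application(request, client_id):
    """Return the application scope, or None so the caller fails closed."""
    allowed = CLIENT_APPS.get(client_id, set())
    claimed = request.get("context", {}).get("application")  # assumed parameter
    if claimed is None:
        # Implicit binding only works when the client maps to exactly one app.
        return next(iter(allowed)) if len(allowed) == 1 else None
    return claimed if claimed in allowed else None

def evaluate(request, client_id):
    app = resolve_application(request, client_id)
    rule = POLICIES.get((app, request["action"]["name"]))
    if rule is None or request["resource"]["type"] != "todo":
        return {"decision": False}
    subject = request["subject"]["properties"]
    return {"decision": bool(rule(subject, request["resource"]["properties"]))}

def sample_request(application=None):
    """Constructed request: alice is an editor and owns todo 1."""
    req = {
        "subject": {"type": "user", "id": "alice", "properties": {
            "roles": ["editor"], "email": "alice@example.com"}},
        "resource": {"type": "todo", "id": "1", "properties": {
            "ownerID": "alice@example.com"}},
        "action": {"name": "can_delete_todo"},
        "context": {},
    }
    if application is not None:
        req["context"]["application"] = application
    return req
```

A client bound to a single application can omit the value, while a client bound to several gets a deny unless it names one it is allowed to use.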