Currently the OAuth2 scopes and resource owner are not verified at the time of access token validation. We simply look at the validity of the access token by checking the expiry time. The validation response, however, contains the approved scopes and authorized user (resource owner), and its verification is assumed to be handled by the caller (e.g. gateway).
This approach does not allow us to centrally manage the authorization. E.g. after receiving the approved scopes and authorized user, the caller should make another call to an authorization server (e.g. XACML PDP) to do the authorization based on the received response from the OAuth2 server and the resource the client is trying to access. This adds the overhead of another call from the gateway to an entity in the internal network as well.

A much better approach would be to send the required parameters that are needed to make the authorization decision in the request for access token validation itself. The OAuth server, in addition to what it does now, i.e. checking access token validity, can do the authorization (scope validation and resource owner validation). E.g. if we have the WSO2 XACML engine installed in the same box and exposed as an OSGi service, it's going to make lives much better in terms of performance.

For this the current OAuth2TokenValidationService API needs to be changed. Currently, besides other inputs to identify the token, the only input it receives from the caller which identifies the resource being accessed is the context (String) parameter. However, I don't think a single String input is good enough. The authorization for the resource could require other parameters, such as parameters which are part of the HTTP body. Therefore we need to change the API to accept a key-value pair data structure. For the clients that we have in our platform which call this service, we should allow the users to implement what needs to be sent over by providing a hook, rather than sending the context alone.

Suggestions are welcome.

--
Thanks & Regards,
Johann Dilantha Nallathamby
Senior Software Engineer
Integration Technologies Team
WSO2, Inc.
lean.enterprise.middleware
Mobile - +94777776950
Blog - http://nallaa.wordpress.com
_______________________________________________ Architecture mailing list [email protected] https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
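The API shape proposed in the message above, sketched as an added example (this is not WSO2 code and not the real OAuth2TokenValidationService API; all class, method and parameter names such as ValidationParamsProvider, http.method, resource.path and resource.owner are hypothetical). The validation request carries a key-value map built by a gateway-side hook, and the server checks expiry first, then the scope required for the resource, then whether the token's resource owner owns the resource being accessed:

```java
import java.time.Instant;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

// Illustrative example, not WSO2's OAuth2TokenValidationService. All names are hypothetical.
public class ScopeAwareTokenValidation {

    // Hook a gateway implements to decide which request parameters are sent for validation,
    // instead of a single context String.
    public interface ValidationParamsProvider {
        Map<String, String> build(String httpMethod, String resourcePath, Map<String, String> bodyParams);
    }

    // What the OAuth2 server holds for an issued access token.
    static final class AccessToken {
        final String resourceOwner; final Set<String> scopes; final Instant expiresAt;
        AccessToken(String resourceOwner, Set<String> scopes, Instant expiresAt) {
            this.resourceOwner = resourceOwner; this.scopes = scopes; this.expiresAt = expiresAt;
        }
    }

    // Validation outcome; reason is empty when valid.
    static final class ValidationResponse {
        final boolean valid; final String reason;
        ValidationResponse(boolean valid, String reason) { this.valid = valid; this.reason = reason; }
        @Override public String toString() { return valid ? "VALID" : "INVALID (" + reason + ")"; }
    }

    private final Map<String, AccessToken> issued = new HashMap<>();
    // Required scope per "METHOD /path/prefix"; the longest matching prefix wins.
    private final Map<String, String> requiredScopeByResource = new LinkedHashMap<>();

    void issue(String token, String owner, Set<String> scopes, Instant expiresAt) {
        issued.put(token, new AccessToken(owner, scopes, expiresAt));
    }

    void requireScope(String method, String pathPrefix, String scope) {
        requiredScopeByResource.put(method + " " + pathPrefix, scope);
    }

    // Expiry check first (what the current service already does), then scope, then resource owner.
    ValidationResponse validate(String token, Map<String, String> params, Instant now) {
        AccessToken t = issued.get(token);
        if (t == null) return new ValidationResponse(false, "unknown token");
        if (!now.isBefore(t.expiresAt)) return new ValidationResponse(false, "token expired");

        String method = params.get("http.method");
        String path = params.get("resource.path");
        if (method == null || path == null) return new ValidationResponse(false, "missing resource parameters");

        String required = null;
        int bestLen = -1;
        for (Map.Entry<String, String> e : requiredScopeByResource.entrySet()) {
            String[] key = e.getKey().split(" ", 2);
            if (key[0].equals(method) && path.startsWith(key[1]) && key[1].length() > bestLen) {
                required = e.getValue();
                bestLen = key[1].length();
            }
        }
        // No policy for the resource means deny, so an unlisted path never passes by accident.
        if (required == null) return new ValidationResponse(false, "no policy for resource");
        if (!t.scopes.contains(required)) return new ValidationResponse(false, "scope '" + required + "' not approved");

        // Resource owner check: the gateway tells us whose resource is being touched.
        String targetOwner = params.get("resource.owner");
        if (targetOwner == null || !targetOwner.equals(t.resourceOwner)) {
            return new ValidationResponse(false, "token owner '" + t.resourceOwner + "' does not own resource");
        }
        return new ValidationResponse(true, "");
    }

    public static void main(String[] args) {
        ScopeAwareTokenValidation server = new ScopeAwareTokenValidation();
        Instant now = Instant.parse("2013-01-01T00:00:00Z"); // constructed sample clock
        server.issue("tok-alice", "alice", Set.of("photos.read"), now.plusSeconds(3600));
        server.requireScope("GET", "/photos/", "photos.read");
        server.requireScope("DELETE", "/photos/", "photos.write");

        // Gateway-side hook: derive the owner from the path (/photos/{owner}/...) and forward body fields.
        ValidationParamsProvider hook = (method, path, body) -> {
            Map<String, String> p = new HashMap<>(body);
            p.put("http.method", method);
            p.put("resource.path", path);
            p.put("resource.owner", path.split("/")[2]);
            return p;
        };

        // Exercised in turn: alice's own resource with an approved scope, bob's resource (owner mismatch),
        // a DELETE the token has no scope for, and the same request after the token has expired.
        System.out.println(server.validate("tok-alice", hook.build("GET", "/photos/alice/1", Map.of()), now));
        System.out.println(server.validate("tok-alice", hook.build("GET", "/photos/bob/7", Map.of()), now));
        System.out.println(server.validate("tok-alice", hook.build("DELETE", "/photos/alice/1", Map.of()), now));
        System.out.println(server.validate("tok-alice", hook.build("GET", "/photos/alice/1", Map.of()), now.plusSeconds(7200)));
    }
}
```

The point of the map is that the gateway decides which request attributes matter (here the HTTP method, the path and an owner extracted from the path; body fields would be forwarded the same way), while the server applies the scope and owner policy in the same call that checks expiry. Note that a resource without a policy entry is denied rather than allowed, and that the owner check relies on the gateway supplying a trustworthy resource.owner value, so the hook must derive it from the request itself rather than from anything the client can set freely.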
