+1. Currently IS and API-M use two different services for token validation. So let's get rid of this code duplication first and then work on the improvements...

Thanks & regards,
-Prabath

On Wed, Oct 2, 2013 at 11:05 AM, Johann Nallathamby <[email protected]> wrote:

> Currently the OAuth2 scopes and resource owner are not verified during the time of access token validation. We simply look at the validity of the access token by checking the expiry time. The validation response however contains the approved scopes and authorized user (resource owner), and its verification is assumed to be handled by the caller (e.g. gateway).
>
> This approach does not allow us to centrally manage the authorization. E.g. after receiving the approved scopes and authorized user the caller should make another call to an authorization server (e.g. XACML PDP) to do the authorization based on the received response from the OAuth2 server and the resource the client is trying to access. This adds the overhead of another call from the gateway to an entity in the internal network as well.
>
> A much better approach would be to send the required parameters that are needed to make the authorization decision in the request for access token validation itself. The OAuth server, in addition to what it does now, i.e. checking access token validity, can do the authorization (scope validation and resource owner validation). E.g. if we have the WSO2 XACML engine installed in the same box and exposed as an OSGi service it's going to make lives much better in terms of performance.
>
> For this the current OAuth2TokenValidationService API needs to be changed. Currently, besides other inputs to identify the token, the only input it receives from the caller which identifies the resource trying to be accessed is the context (String) parameter. However I don't think a single String input is good enough. The authorization for the resource could require other parameters, like parameters which are part of the HTTP body. So therefore we need to change the API to accept a key-value pair data structure.
>
> For the clients that we have in our platform which call this service, we should allow the users to implement what needs to be sent over by providing a hook, rather than sending the context alone.
>
> Suggestions are welcome.
>
> --
> Thanks & Regards,
>
> *Johann Dilantha Nallathamby*
> Senior Software Engineer
> Integration Technologies Team
> WSO2, Inc.
> lean.enterprise.middleware
>
> Mobile - *+94777776950*
> Blog - *http://nallaa.wordpress.com*

--
Thanks & Regards,
Prabath

Mobile : +94 71 809 6732
http://blog.facilelogin.com
http://RampartFAQ.com
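As an added illustration of the change proposed in the quoted message, here is a small, language-agnostic sketch of a token validation call that takes a key-value resource context instead of a single context String and performs the scope and resource-owner checks centrally, in the same call as the expiry check. This is example code written for this page, not code from WSO2 Identity Server, API Manager, or either poster. The token store, the policy table (standing in for the XACML PDP), the `validate_token` function and the `ValidationResponse` shape are all constructed for the example.

```python
import time
from dataclasses import dataclass
from typing import Optional

# Constructed token store standing in for the OAuth2 server's token persistence.
# Keys are access tokens; values hold the authorized user (resource owner),
# the scopes approved at grant time, and an absolute expiry (Unix seconds).
TOKEN_STORE = {
    "tok-alice-read":  {"user": "alice", "scopes": {"orders:read"},                 "expires": 2_000_000_000},
    "tok-alice-write": {"user": "alice", "scopes": {"orders:read", "orders:write"}, "expires": 2_000_000_000},
    "tok-expired":     {"user": "bob",   "scopes": {"orders:read"},                 "expires": 1_000_000_000},
}

# Constructed authorization policy, standing in for the XACML PDP from the post:
# each rule names the scope required for an HTTP method on a path prefix and
# whether the resource owner named in the request must match the token's user.
POLICY = [
    {"method": "GET",  "path_prefix": "/orders/", "scope": "orders:read",  "owner_bound": True},
    {"method": "POST", "path_prefix": "/orders/", "scope": "orders:write", "owner_bound": True},
    {"method": "GET",  "path_prefix": "/catalog", "scope": "catalog:read", "owner_bound": False},
]


@dataclass(frozen=True)
class ValidationResponse:
    valid: bool                     # token exists and is not expired (what the current service checks)
    authorized: bool                # scope and resource-owner checks passed (the proposed addition)
    scopes: frozenset               # approved scopes, still returned for callers that want them
    authorized_user: Optional[str]  # resource owner, likewise
    reason: str


def _match_rule(context):
    """Find the first policy rule covering the method and path in the resource context."""
    method = context.get("method", "").upper()
    path = context.get("path", "")
    for rule in POLICY:
        if rule["method"] == method and path.startswith(rule["path_prefix"]):
            return rule
    return None


def validate_token(token, context, now=None):
    """Validate `token` and authorize it against `context`, a key-value map describing
    the resource being accessed (method, path, resource owner, ...). The map can carry
    any further attributes a policy needs, which a single String parameter cannot."""
    now = time.time() if now is None else now
    entry = TOKEN_STORE.get(token)
    if entry is None:
        return ValidationResponse(False, False, frozenset(), None, "unknown token")
    if now >= entry["expires"]:
        return ValidationResponse(False, False, frozenset(), None, "token expired")

    scopes = frozenset(entry["scopes"])
    user = entry["user"]
    rule = _match_rule(context)
    if rule is None:
        # Fail closed: a resource with no matching policy is denied rather than passed through.
        return ValidationResponse(True, False, scopes, user, "no policy for resource")
    if rule["scope"] not in scopes:
        return ValidationResponse(True, False, scopes, user, f"missing scope {rule['scope']}")
    if rule["owner_bound"] and context.get("resource_owner") != user:
        return ValidationResponse(True, False, scopes, user, "resource owner mismatch")
    return ValidationResponse(True, True, scopes, user, "ok")


if __name__ == "__main__":
    ctx = {"method": "GET", "path": "/orders/42", "resource_owner": "alice"}
    print(validate_token("tok-alice-read", ctx, now=1_500_000_000))
```

The response keeps the two questions separate: `valid` answers what the current service answers (is the token live), while `authorized` carries the decision the gateway would otherwise have to fetch with a second call to the PDP. Unknown resources fail closed, so a missing policy rule cannot silently turn into an allow.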
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
