Hi Indunil, Please find my concerns on scope registration and binding below (inline).
> - Scope can be bound with roles or permissions - uses scope to role binding in APIM and uses scope to permission binding in IoT.
>
> - Both of the above bindings are stored in the "IDN_OAUTH2_SCOPE" table, where roles and permissions are both stored as a comma separated string in the same column named "ROLES". AFAIU, there is no indication with a prefix in scope registration of where to separate the two bindings. *There can be other bindings which will be added in future; isn't it better to rename the field as "BINDINGS"? Can there be a situation where both a set of roles and a set of permissions are bound to a scope?*

+1 for renaming this since it makes sense to store them (permission/role) in a generic field.

> - In scope validation, currently there are validators for role based and permission based. The corresponding validator will be selected based on the prefix (ex: the permission based scope validator only validates scopes which have "perm" as the prefix), and if the scope prefix is not defined, those will directly go to the default role based scope validator. *How does this prefix have to be considered and validated in scope registration with the bindings?*

At the time the IoT team developed this, we implemented a scope validating handler [1] which picks the relevant scope validator based on the scope prefix (ex: if the prefix is 'perm', it picks PermissionBasedScopeValidator [2]). This handler is pointed to in the identity.xml under the ScopeValidator element. The handler maintains a Map<prefix, OAuth2ScopeValidator> in the data holder, where the scope validator will be stored against its prefix at service registration time. However, currently the prefixes of the scope validators are set manually as in [3], and it would be ideal if we could add a prefix attribute to the OAuth2ScopeValidator abstract class [4] so that the prefix can be defined when implementing the validator. So by the time it gets registered, we can easily call a getPrefix() method and have it registered. A similar approach is also used in APIM for registering multiple scope issuers [5].

> - In scope registration, AFAIU, scope key and name are the essential details to be included. *What is the difference between these and where will these values be used? Is the scope key the unique value which needs to be considered in scope binding?*

AFAIK, the scope name is a human understandable name compared to the key, and it is used in the publisher at the time of assigning a scope to a particular resource.

[1] https://github.com/wso2/carbon-device-mgt/blob/master/components/identity-extensions/org.wso2.carbon.device.mgt.oauth.extensions/src/main/java/org/wso2/carbon/device/mgt/oauth/extensions/handlers/ScopeValidationHandler.java
[2] https://github.com/wso2/carbon-device-mgt/blob/master/components/identity-extensions/org.wso2.carbon.device.mgt.oauth.extensions/src/main/java/org/wso2/carbon/device/mgt/oauth/extensions/validators/PermissionBasedScopeValidator.java
[3] https://github.com/wso2/carbon-device-mgt/blob/master/components/identity-extensions/org.wso2.carbon.device.mgt.oauth.extensions/src/main/java/org/wso2/carbon/device/mgt/oauth/extensions/internal/OAuthExtensionServiceComponent.java#L70-L73
[4] https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/validators/OAuth2ScopeValidator.java
[5] https://github.com/wso2/carbon-apimgt/blob/6.1.x/components/apimgt/org.wso2.carbon.apimgt.keymgt/src/main/java/org/wso2/carbon/apimgt/keymgt/internal/APIKeyMgtServiceComponent.java#L232

Regards,
--
*Milan Perera* | Senior Software Engineer
WSO2, Inc | lean. enterprise. middleware.
#20, Palm Grove, Colombo 03, Sri Lanka
Mobile: +94 77 309 7088 | Work: +94 11 214 5345
Email: [email protected] | Web: www.wso2.com
<http://lk.linkedin.com/in/milanharinduperera> <https://wso2.com/signature>
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
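The prefix-dispatching handler Milan describes above, written out as an added example (this is not code from carbon-device-mgt or identity-inbound-auth-oauth): each validator declares its own prefix through a getPrefix() method, as the mail proposes, and the handler routes a scope to the registered validator for its prefix or to the default role based one. The simplified class shapes, the ':' separator between prefix and scope, and the sample roles and permissions are assumptions.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

// Simplified stand-in for the abstract class in [4], carrying the prefix
// attribute the mail proposes (assumption: it is exposed as getPrefix()).
abstract class OAuth2ScopeValidator {
    abstract String getPrefix();
    abstract boolean validateScope(String scope, Set<String> roles, Set<String> permissions);
}
// Handles "perm:<permission>" scopes by checking the permission binding.
class PermissionBasedScopeValidator extends OAuth2ScopeValidator {
    String getPrefix() { return "perm"; }
    boolean validateScope(String scope, Set<String> roles, Set<String> permissions) {
        return permissions.contains(scope.substring(getPrefix().length() + 1));
    }
}
// Default validator: a scope without a prefix is checked against the role binding.
class RoleBasedScopeValidator extends OAuth2ScopeValidator {
    String getPrefix() { return ""; }
    boolean validateScope(String scope, Set<String> roles, Set<String> permissions) {
        return roles.contains(scope);
    }
}
public class ScopeValidationHandler {
    private final Map<String, OAuth2ScopeValidator> validators = new HashMap<>();
    private final OAuth2ScopeValidator defaultValidator = new RoleBasedScopeValidator();
    // Service registration: the validator supplies its prefix, so nothing is wired by hand.
    public void register(OAuth2ScopeValidator validator) {
        validators.put(validator.getPrefix(), validator);
    }
    public boolean validateScope(String scope, Set<String> roles, Set<String> permissions) {
        int sep = scope.indexOf(':');
        String prefix = sep > 0 ? scope.substring(0, sep) : "";
        // Registered prefix -> its validator; no prefix (or an unregistered one) -> default,
        // where an unregistered prefix simply fails unless a role of that exact name exists.
        OAuth2ScopeValidator validator = validators.getOrDefault(prefix, defaultValidator);
        return validator.validateScope(scope, roles, permissions);
    }
    public static void main(String[] args) {
        ScopeValidationHandler handler = new ScopeValidationHandler();
        handler.register(new PermissionBasedScopeValidator());
        Set<String> roles = Set.of("device-admin");              // constructed sample
        Set<String> perms = Set.of("/permission/device/enroll"); // constructed sample
        System.out.println(handler.validateScope("perm:/permission/device/enroll", roles, perms));
        System.out.println(handler.validateScope("device-admin", roles, perms));
    }
}
```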
