Hi Senthalan,

Did you check [1]? In this feature *@Isuranga* implemented an XACML policy to evaluate the permission tree. For this he had to come up with a policy that defined a custom function.

In the above feature, if you replace permission with OAuth2 scopes (which are also a representation of permissions in the OAuth2 world, and can be assigned to roles from IS 5.4.0 onwards IINM) you will get what you need. Am I right? Do you see any gaps? If my wit is good, this will be the best way to implement this feature.

[1] [IAM] Restful API to Evaluate Permission Tree in IS

Regards,
Johann.

On Fri, Jan 12, 2018 at 2:10 PM, Senthalan Kanagalingam <[email protected]> wrote:

> Hi all,
>
> As the aim of this project is to validate the scope of the token against XACML policies, I was wrong about the extension point. There is no need to implement it from the token validation point. There is an extension point to extend scope validation ("OAuth2ScopeValidator"), and IS allows multiple scope validators. So I am going to start from here.
>
> Thanks and Regards,
> Senthalan
>
> On Thu, Jan 11, 2018 at 5:35 PM, Senthalan Kanagalingam <[email protected]> wrote:
>
>> Hi all,
>>
>> I am currently working on implementing an XACML based scope validator for when the resource server tries to validate the OAuth2 token. Users can publish their token validation XACML policies to the policy store. Here [1] is a sample policy template.
>>
>> The spec implementation of the OAuth2 token validation is already in WSO2 IS. Only if spec validation passes will this validator be called. An XACML request will be created using the retrieved information of the user. Then that XACML request will be validated using the entitlement engine.
>>
>> There will be a global configuration to enable or disable this validation. But in future, it will be implemented as a configurable option for each service provider.
>>
>> WSO2 IS has an extension point to implement a TokenValidator [2]. I am planning to implement a custom validator ("XACMLbasedOAuth2TokenValidator") at that point for validation.
>>
>> I am looking forward to suggestions/comments.
>>
>> [1] - https://docs.google.com/document/d/1unh9QsDXMXxwbr3SPYLgRG1mKvxphX9VjhRAthHIlQU/edit?usp=sharing
>> [2] - https://docs.wso2.com/display/IS540/Extension+Points+for+OAuth#ExtensionPointsforOAuth-OAuth2TokenValidator
>>
>> Thanks and Regards,
>> Senthalan
>>
>> --
>> *Senthalan Kanagalingam*
>> *Software Engineer - WSO2 Inc.*
>> *Mobile : +94 (0) 77 18 77 466*
>> <http://wso2.com/signature>
>
> --
> *Senthalan Kanagalingam*
> *Software Engineer - WSO2 Inc.*
> *Mobile : +94 (0) 77 18 77 466*
> <http://wso2.com/signature>

--
*Johann Dilantha Nallathamby*
Senior Lead Solutions Engineer
WSO2, Inc.
lean.enterprise.middleware
Mobile: *+94 77 7776950*
LinkedIn: *http://www.linkedin.com/in/johann-nallathamby*
Medium: *https://medium.com/@johann_nallathamby*
Twitter: *@dj_nallaa*
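As an added illustration of the flow Senthalan describes (this is not code from the thread or from WSO2 IS), the Python below maps the information retrieved for a token into a XACML 3.0 request and evaluates it against a small constructed policy that stands in for the entitlement engine; the role attribute id, the action id, the scope-to-role table and the name of the on/off switch are assumptions.

```python
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
SUBJECT_CAT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACTION_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
ROLE_ATTR = "http://wso2.org/claims/role"  # assumed attribute id carrying the user's roles
STRING = "http://www.w3.org/2001/XMLSchema#string"
# Constructed stand-in policy: roles allowed per scope (deny-unless-permit: unknown scope -> Deny)
POLICY = {"read_profile": {"Internal/everyone"}, "admin": {"admin"}}
VALIDATION_ENABLED = True  # the thread's global on/off switch (assumed name)

def build_xacml_request(username, roles, scopes, action="validate-scope"):
    """Map token/user info to a XACML 3.0 Request: subject = user + roles, resource = scopes."""
    req = ET.Element("Request", {"xmlns": XACML_NS, "CombinedDecision": "false",
                                 "ReturnPolicyIdList": "false"})
    def add(category, pairs):
        attrs = ET.SubElement(req, "Attributes", {"Category": category})
        for attr_id, value in pairs:
            attr = ET.SubElement(attrs, "Attribute",
                                 {"AttributeId": attr_id, "IncludeInResult": "false"})
            ET.SubElement(attr, "AttributeValue", {"DataType": STRING}).text = value
    add(SUBJECT_CAT, [(SUBJECT_ID, username)] + [(ROLE_ATTR, r) for r in roles])
    add(RESOURCE_CAT, [(RESOURCE_ID, s) for s in scopes])
    add(ACTION_CAT, [(ACTION_ID, action)])
    return ET.tostring(req, encoding="unicode")

def evaluate(request_xml):
    """Toy PDP: Permit only if every requested scope is allowed for one of the subject's roles."""
    root = ET.fromstring(request_xml)
    ns = {"x": XACML_NS}
    def values(category, attr_id):
        return [v.text
                for a in root.findall(f"x:Attributes[@Category='{category}']", ns)
                for attr in a.findall(f"x:Attribute[@AttributeId='{attr_id}']", ns)
                for v in attr.findall("x:AttributeValue", ns)]
    roles = set(values(SUBJECT_CAT, ROLE_ATTR))
    scopes = values(RESOURCE_CAT, RESOURCE_ID)
    if not scopes:  # nothing requested: the policy does not apply
        return "NotApplicable"
    return "Permit" if all(POLICY.get(s, set()) & roles for s in scopes) else "Deny"

def validate_scope(username, roles, scopes):
    """Scope-validator hook, called only after spec validation; disabled switch = pass-through."""
    if not VALIDATION_ENABLED:
        return True
    return evaluate(build_xacml_request(username, roles, scopes)) == "Permit"
```

The real entitlement engine would receive the serialized request and evaluate the published policy; the point here is that the token's scopes travel as resource attributes and the user's roles as subject attributes, so a policy can refuse a scope the token carries but the user's roles do not justify.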
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
