*[-IAM, RRT]* On Mon, Jan 15, 2018 at 8:13 PM, Johann Nallathamby <[email protected]> wrote:
> Hi Senthalan,
>
> Did you check [1]? In this feature *@Isuranga* implemented a XACML policy to
> evaluate the permission tree. For this he had to come up with a policy
> that defined a custom function.
>
> In the above feature, if you replace permission with OAuth2 scopes (which
> is also a representation of permissions in the OAuth2 world, and can be
> assigned to roles from IS 5.4.0 onwards IINM) you will get what you need.
> Am I right? Do you see any gaps?
>
> If my wit is good, this will be the best way to implement this feature.
>
> [1] [IAM] Restful API to Evaluate Permission Tree in IS
>
> Regards,
> Johann.
>
> On Fri, Jan 12, 2018 at 2:10 PM, Senthalan Kanagalingam <[email protected]> wrote:
>
>> Hi all,
>>
>> As the aim of this project is to validate the scope of the token against
>> XACML policies, I was wrong about the extension point. There is no need to
>> implement it from the token validation point. There is an extension point to
>> extend scope validation ("OAuth2ScopeValidator"), and IS allows
>> multiple scope validators. So I am going to start from here.
>>
>> Thanks and Regards,
>> Senthalan
>>
>> On Thu, Jan 11, 2018 at 5:35 PM, Senthalan Kanagalingam <[email protected]> wrote:
>>
>>> Hi all,
>>>
>>> I am currently working on implementing a XACML based scope validator for when
>>> the resource server tries to validate the OAuth2 token. Users can
>>> publish their token validation XACML policies to the policy store. Here [1]
>>> is a sample policy template.
>>>
>>> The spec implementation of the OAuth2 token validation is already in
>>> WSO2 IS. This validator will be called only if spec validation passes. A
>>> XACML request will be created using the retrieved information of the
>>> user. Then that XACML request will be validated using the entitlement
>>> engine.
>>>
>>> There will be a global configuration to enable or disable this
>>> validation. But in future, it will be implemented as a configurable
>>> option for each service provider.
>>>
>>> WSO2 IS has an extension point to implement a TokenValidator [2].
>>> I am planning to implement a custom validator
>>> ("XACMLbasedOAuth2TokenValidator") at that point for validation.
>>>
>>> I am looking forward to suggestions/comments.
>>>
>>> [1] - https://docs.google.com/document/d/1unh9QsDXMXxwbr3SPYLgRG1mKvxphX9VjhRAthHIlQU/edit?usp=sharing
>>> [2] - https://docs.wso2.com/display/IS540/Extension+Points+for+OAuth#ExtensionPointsforOAuth-OAuth2TokenValidator
>>>
>>> Thanks and Regards,
>>> Senthalan
>>> --
>>> *Senthalan Kanagalingam*
>>> *Software Engineer - WSO2 Inc.*
>>> *Mobile : +94 (0) 77 18 77 466*
>>> <http://wso2.com/signature>
>>
>> --
>> *Senthalan Kanagalingam*
>> *Software Engineer - WSO2 Inc.*
>> *Mobile : +94 (0) 77 18 77 466*
>> <http://wso2.com/signature>
>
> --
> *Johann Dilantha Nallathamby*
> Senior Lead Solutions Engineer
> WSO2, Inc.
> lean.enterprise.middleware
>
> Mobile: *+94 77 7776950*
> LinkedIn: *http://www.linkedin.com/in/johann-nallathamby*
> Medium: *https://medium.com/@johann_nallathamby*
> Twitter: *@dj_nallaa*

--
*Johann Dilantha Nallathamby*
Senior Lead Solutions Engineer
WSO2, Inc.
lean.enterprise.middleware

Mobile: *+94 77 7776950*
LinkedIn: *http://www.linkedin.com/in/johann-nallathamby*
Medium: *https://medium.com/@johann_nallathamby*
Twitter: *@dj_nallaa*
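The flow Senthalan describes (build a XACML request from the user information retrieved for the token, hand it to a decision point, and accept the token's scopes only on Permit), as an added example that is not WSO2 code and not from anyone in the thread. Everything in it is constructed for illustration: the sample policy, the token dictionary, the attribute ids `role` and `scope`, and a toy string-equal PDP that stands in for the IS entitlement engine. It evaluates one request per scope so that a single over-broad scope is rejected on its own, and treats Deny, NotApplicable and Indeterminate alike as a failed validation.

```python
"""Added example (not WSO2 code): validate an OAuth2 token's scopes by
building one XACML 3.0 <Request> per scope from the user's information and
evaluating it against a policy.  The policy, the token data, the attribute
ids "role" and "scope", and the tiny PDP are all constructed here; a real
validator would send the request to the IS entitlement engine instead."""
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
STRING = "http://www.w3.org/2001/XMLSchema#string"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
DENY_UNLESS_PERMIT = "urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit"

# Constructed policy template: "admin" may use any scope, "user" only "read".
# deny-unless-permit means an unknown role or scope yields Deny (fail closed).
MATCH = ('<Match MatchId="{f}"><AttributeValue DataType="{s}">{v}</AttributeValue>'
         '<AttributeDesignator Category="{c}" AttributeId="{a}" DataType="{s}" '
         'MustBePresent="false"/></Match>')
SAMPLE_POLICY = "".join([
    f'<Policy xmlns="{NS}" PolicyId="scope-policy" RuleCombiningAlgId="{DENY_UNLESS_PERMIT}"><Target/>',
    '<Rule RuleId="admin-any-scope" Effect="Permit"><Target><AnyOf><AllOf>',
    MATCH.format(f=STRING_EQUAL, s=STRING, v="admin", c=SUBJECT, a="role"),
    '</AllOf></AnyOf></Target></Rule><Rule RuleId="user-read-only" Effect="Permit"><Target><AnyOf><AllOf>',
    MATCH.format(f=STRING_EQUAL, s=STRING, v="user", c=SUBJECT, a="role"),
    MATCH.format(f=STRING_EQUAL, s=STRING, v="read", c=RESOURCE, a="scope"),
    '</AllOf></AnyOf></Target></Rule></Policy>'])


def tag(name):
    return f"{{{NS}}}{name}"


def build_request(user, roles, scope, resource):
    """One XACML request per scope, so a Deny on a single scope is visible."""
    req = ET.Element(tag("Request"), CombinedDecision="false", ReturnPolicyIdList="false")

    def add(category, attributes):
        holder = ET.SubElement(req, tag("Attributes"), Category=category)
        for attr_id, values in attributes:
            attr = ET.SubElement(holder, tag("Attribute"), AttributeId=attr_id, IncludeInResult="false")
            for value in values:
                ET.SubElement(attr, tag("AttributeValue"), DataType=STRING).text = value

    add(SUBJECT, [("urn:oasis:names:tc:xacml:1.0:subject:subject-id", [user]), ("role", roles)])
    add(RESOURCE, [("urn:oasis:names:tc:xacml:1.0:resource:resource-id", [resource]), ("scope", [scope])])
    add(ACTION, [("urn:oasis:names:tc:xacml:1.0:action:action-id", ["validate-token"])])
    return ET.tostring(req)  # serialised XML, as it would be sent to the PDP


def _values(req, category, attr_id):
    """Collect the request's values for one attribute in one category."""
    return [v.text for holder in req.iter(tag("Attributes")) if holder.get("Category") == category
            for attr in holder.iter(tag("Attribute")) if attr.get("AttributeId") == attr_id
            for v in attr.iter(tag("AttributeValue"))]


def _match(match, req):
    if match.get("MatchId") != STRING_EQUAL:
        raise ValueError("toy PDP supports string-equal only")
    designator = match.find(tag("AttributeDesignator"))
    wanted = match.find(tag("AttributeValue")).text
    return wanted in _values(req, designator.get("Category"), designator.get("AttributeId"))


def _target_matches(target, req):
    """XACML target semantics: every AnyOf needs one AllOf whose Matches all hold."""
    if target is None or len(target) == 0:
        return True  # an empty target applies to every request
    for any_of in target.findall(tag("AnyOf")):
        if not any(all(_match(m, req) for m in all_of.findall(tag("Match")))
                   for all_of in any_of.findall(tag("AllOf"))):
            return False
    return True


def evaluate(policy_xml, request_xml):
    """Toy PDP with deny-unless-permit; any evaluation error becomes Indeterminate."""
    try:
        policy, req = ET.fromstring(policy_xml), ET.fromstring(request_xml)
        if policy.get("RuleCombiningAlgId") != DENY_UNLESS_PERMIT:
            raise ValueError("unsupported combining algorithm")
        if not _target_matches(policy.find(tag("Target")), req):
            return "NotApplicable"
        for rule in policy.findall(tag("Rule")):
            if rule.get("Effect") == "Permit" and _target_matches(rule.find(tag("Target")), req):
                return "Permit"
        return "Deny"
    except (ET.ParseError, ValueError, AttributeError):
        return "Indeterminate"


def validate_token_scopes(token, policy_xml=SAMPLE_POLICY):
    """Accept the token only if every scope it carries is explicitly permitted;
    Deny, NotApplicable and Indeterminate all reject it (fail closed)."""
    decisions = {scope: evaluate(policy_xml, build_request(token["user"], token["roles"], scope, token["resource"]))
                 for scope in token["scopes"]}
    return all(d == "Permit" for d in decisions.values()), decisions


if __name__ == "__main__":
    # Constructed token data, as a validator would read it from the access token.
    sample = {"user": "bob", "roles": ["user"], "resource": "/api/orders", "scopes": ["read", "write"]}
    print(validate_token_scopes(sample))  # (False, {'read': 'Permit', 'write': 'Deny'})
```

The per-scope request is the design choice worth keeping when wiring this to a real engine: a single request carrying all scopes would let one policy rule that matches on the role alone permit the whole set, whereas asking about each scope separately makes the policy say yes to every scope the token claims. Treating Indeterminate as a rejection matters for the same reason; a policy store that is unreachable or a policy that fails to parse must not silently widen what a token can do.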
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
