Hi Johann,

Thanks for the feedback. Currently, I am checking that feature.

According to my understanding, this feature will be useful to validate the
token scopes against resource scopes. As this validation is done by
JDBCScopeValidator and my implementation will be parallel to it (IS allows
multiple scope validators), do I have to implement validation of the token
scopes against the resource scopes as well?

Because I have checked with identity-application-authz-xacml [1] and planned
to implement validating scopes against the role-based and time-based
policies only.

[1] - https://github.com/wso2-extensions/identity-application-authz-xacml

Regards,
Senthalan

On Mon, Jan 15, 2018 at 8:13 PM, Johann Nallathamby <joh...@wso2.com> wrote:

> *[-IAM, RRT]*
>
> On Mon, Jan 15, 2018 at 8:13 PM, Johann Nallathamby <joh...@wso2.com>
> wrote:
>
>> Hi Senthalan,
>>
>> Did you check [1]? In this feature *@Isuranga* implemented a XACML policy
>> to evaluate the permission tree. For this he had to come up with a policy
>> that defined a custom function.
>>
>> In the above feature if you replace permission with OAuth2 scopes (which
>> is also a representation of permissions in OAuth2 world, and can be
>> assigned to roles from IS 5.4.0 onwards IINM) you will get what you need.
>> Am I right? Do you see any gaps?
>>
>> If my wit is good, this will be the best way to implement this feature.
>>
>> [1] [IAM] Restful API to Evaluate Permission Tree in IS
>>
>> Regards,
>> Johann.
>>
>> On Fri, Jan 12, 2018 at 2:10 PM, Senthalan Kanagalingam <
>> sentha...@wso2.com> wrote:
>>
>>> Hi all,
>>>
>>> As the aim of this project is to validate the scope of the token against
>>> XACML policies, I was wrong about the extension point. There is no need to
>>> implement it from the token validation point. There is an extension point
>>> to extend scope validation ("OAuth2ScopeValidator"), and IS allows
>>> multiple scope validators. So I am going to start from here.
>>>
>>> Thanks and Regards,
>>> Senthalan
>>>
>>> On Thu, Jan 11, 2018 at 5:35 PM, Senthalan Kanagalingam <
>>> sentha...@wso2.com> wrote:
>>>
>>>> Hi all,
>>>>
>>>> I am currently working on implementing an XACML based scope validator
>>>> that runs when the resource server tries to validate the OAuth2 token.
>>>> Users can publish their token validation XACML policies to the policy
>>>> store. Here [1] is a sample policy template.
>>>>
>>>> The spec implementation of the OAuth2 token validation is already in
>>>> WSO2 IS. This validator will be called only if the spec validation
>>>> passes. A XACML request will be created using the retrieved information
>>>> of the user. Then that XACML request will be evaluated by the
>>>> entitlement engine.
>>>>
>>>> There will be a global configuration to enable or disable this
>>>> validation. But in future, it will be implemented as a configurable
>>>> option for each service provider.
>>>>
>>>> WSO2 IS has an extension point to implement a TokenValidator [2]. I am
>>>> planning to implement a custom validator
>>>> ("XACMLbasedOAuth2TokenValidator") at that point for validation.
>>>>
>>>> I am looking forward to suggestions/comments.
>>>>
>>>> [1] - https://docs.google.com/document/d/1unh9QsDXMXxwbr3SPYLgRG1mKvxphX9VjhRAthHIlQU/edit?usp=sharing
>>>> [2] - https://docs.wso2.com/display/IS540/Extension+Points+for+OAuth#ExtensionPointsforOAuth-OAuth2TokenValidator
>>>>
>>>> Thanks and Regards,
>>>> Senthalan
>>>> --
>>>>
>>>> *Senthalan Kanagalingam*
>>>> *Software Engineer - WSO2 Inc.*
>>>> *Mobile : +94 (0) 77 18 77 466*
>>>> <http://wso2.com/signature>
>>>>
>>>
>>
>>
>>
>> --
>>
>> *Johann Dilantha Nallathamby*
>> Senior Lead Solutions Engineer
>> WSO2, Inc.
>> lean.enterprise.middleware
>>
>> Mobile: *+94 77 7776950*
>> LinkedIn: *http://www.linkedin.com/in/johann-nallathamby
>> <http://www.linkedin.com/in/johann-nallathamby>*
>> Medium: *https://medium.com/@johann_nallathamby
>> <https://medium.com/@johann_nallathamby>*
>> Twitter: *@dj_nallaa*
>>
>



-- 

*Senthalan Kanagalingam*
*Software Engineer - WSO2 Inc.*
*Mobile : +94 (0) 77 18 77 466*
<http://wso2.com/signature>
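The two halves of what this thread describes, as an added example (not code from WSO2 IS or from either participant): a validator in the shape Senthalan's second mail proposes (an OAuth2ScopeValidator-style extension) that first checks the token's scopes against the scopes the resource requires, the check the first mail asks about, then builds a XACML 3.0 request from the user's retrieved attributes and hands it to a policy decision point, as the first mail in the thread describes. The PDP here is a constructed stand-in for the entitlement engine that understands only role-based and time-based rules; the category and attribute URIs are the standard XACML 3.0 / RBAC-profile ones, while the resource URL, scope names, users, roles and policies are all constructed sample data, and nothing uses WSO2's own APIs.

```python
"""Added example: scope validation against role-based and time-based policies.

PEP side: build a XACML 3.0 request from token/user attributes.
PDP side: a constructed stand-in for an entitlement engine (not WSO2's).
All sample users, roles, scopes, resources and policies are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, time, timezone
from typing import Optional
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
XS_TIME = "http://www.w3.org/2001/XMLSchema#time"
CAT_SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
CAT_RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
CAT_ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
CAT_ENV = "urn:oasis:names:tc:xacml:3.0:attribute-category:environment"
ATTR_SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
ATTR_ROLE = "urn:oasis:names:tc:xacml:2.0:subject:role"       # RBAC profile
ATTR_RESOURCE = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ATTR_ACTION = "urn:oasis:names:tc:xacml:1.0:action:action-id"
ATTR_TIME = "urn:oasis:names:tc:xacml:1.0:environment:current-time"
ET.register_namespace("", XACML_NS)


@dataclass(frozen=True)
class TokenInfo:
    """Constructed stand-in for the token/user data a validator would retrieve."""
    user: str
    roles: frozenset
    scopes: frozenset


@dataclass(frozen=True)
class ScopePolicy:
    """Constructed policy: which roles may exercise a scope on a resource, and when."""
    resource: str
    scope: str
    allowed_roles: frozenset
    window: Optional[tuple] = None  # (start, end) UTC time-of-day; None = any time


def build_xacml_request(token, resource, scope, now):
    """PEP side: serialise subject, resource, action (the scope) and environment."""
    req = ET.Element(f"{{{XACML_NS}}}Request",
                     {"ReturnPolicyIdList": "false", "CombinedDecision": "false"})

    def add(category, attrs):
        holder = ET.SubElement(req, f"{{{XACML_NS}}}Attributes", {"Category": category})
        for attr_id, datatype, value in attrs:
            a = ET.SubElement(holder, f"{{{XACML_NS}}}Attribute",
                              {"AttributeId": attr_id, "IncludeInResult": "false"})
            ET.SubElement(a, f"{{{XACML_NS}}}AttributeValue", {"DataType": datatype}).text = value

    add(CAT_SUBJECT, [(ATTR_SUBJECT, XS_STRING, token.user)]
        + [(ATTR_ROLE, XS_STRING, r) for r in sorted(token.roles)])
    add(CAT_RESOURCE, [(ATTR_RESOURCE, XS_STRING, resource)])
    add(CAT_ACTION, [(ATTR_ACTION, XS_STRING, scope)])
    utc_time = now.astimezone(timezone.utc).time().isoformat(timespec="seconds")
    add(CAT_ENV, [(ATTR_TIME, XS_TIME, utc_time)])
    return ET.tostring(req, encoding="unicode")


def _values(root, category, attr_id):
    out = []
    for holder in root.findall(f"{{{XACML_NS}}}Attributes"):
        if holder.get("Category") != category:
            continue
        for a in holder.findall(f"{{{XACML_NS}}}Attribute"):
            if a.get("AttributeId") == attr_id:
                out.extend(v.text for v in a.findall(f"{{{XACML_NS}}}AttributeValue"))
    return out


def evaluate_request(xml_request, policies):
    """Constructed PDP: Permit if a policy for (resource, scope) matches a held
    role inside its time window; NotApplicable if no policy covers the pair;
    Deny otherwise. A real entitlement engine evaluates published XACML policies."""
    root = ET.fromstring(xml_request)
    resource = _values(root, CAT_RESOURCE, ATTR_RESOURCE)[0]
    scope = _values(root, CAT_ACTION, ATTR_ACTION)[0]
    roles = set(_values(root, CAT_SUBJECT, ATTR_ROLE))
    now = time.fromisoformat(_values(root, CAT_ENV, ATTR_TIME)[0])
    matching = [p for p in policies if p.resource == resource and p.scope == scope]
    if not matching:
        return "NotApplicable"
    for p in matching:
        if not roles & p.allowed_roles:
            continue
        if p.window and not (p.window[0] <= now <= p.window[1]):
            continue
        return "Permit"
    return "Deny"


def validate_scopes(token, resource, required_scopes, policies, now):
    """Validator entry point. Step 1: the token must carry every scope the resource
    requires (the plain token-scope vs resource-scope check). Step 2: one XACML
    request per required scope; anything other than a unanimous Permit fails."""
    if not set(required_scopes) <= token.scopes:
        return False
    return all(evaluate_request(build_xacml_request(token, resource, s, now), policies) == "Permit"
               for s in required_scopes)


# Constructed sample data.
ORDERS = "https://api.example/orders"
POLICIES = (
    ScopePolicy(ORDERS, "orders:read", frozenset({"employee", "manager"})),
    ScopePolicy(ORDERS, "orders:approve", frozenset({"manager"}), window=(time(9, 0), time(17, 0))),
)
ALICE = TokenInfo("alice", frozenset({"employee"}), frozenset({"orders:read", "orders:approve"}))
BOB = TokenInfo("bob", frozenset({"manager"}), frozenset({"orders:read", "orders:approve"}))
OFFICE_HOURS = datetime(2018, 1, 15, 10, 0, tzinfo=timezone.utc)
NIGHT = datetime(2018, 1, 15, 22, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for who, when in ((ALICE, OFFICE_HOURS), (BOB, OFFICE_HOURS), (BOB, NIGHT)):
        ok = validate_scopes(who, ORDERS, ["orders:read", "orders:approve"], POLICIES, when)
        print(who.user, when.time(), "permit" if ok else "reject")
```

The split matters for the question raised in the first mail: a policy-based validator that skips step 1 will happily permit a scope the token never carried, as long as the user's role allows it, so the plain scope check stays in place even when policy evaluation is added alongside it. Treating NotApplicable as a rejection is a deliberate fail-closed choice here; with a real entitlement engine the equivalent is making sure every scope the resource exposes has a policy covering it.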
_______________________________________________
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
