On Tue, Jan 16, 2018 at 12:05 PM, Senthalan Kanagalingam <[email protected] > wrote:
> Hi Johann,
>
> Thanks for the feedback. Currently, I am checking that feature.

You can find the sample implementation of an XACML-based scope validator here [1]. It would help.

[1] http://xacmlinfo.org/2014/10/24/authorization-for-apis-with-xacml-and-oauth-2-0/

Thanks,
Asela.

> According to my understanding, this feature will be useful to validate the
> token scopes against resource scopes. As this validation is done by
> JDBCScopeValidator and my implementation will be parallel to it (IS allows
> multiple scope validators), do I have to implement validation of the token
> scopes against the resource scopes as well?
>
> Because I have checked with identity-application-authz-xacml [1]
> and planned to implement validating scopes against the role-based and
> time-based policies only.
>
> [1] - https://github.com/wso2-extensions/identity-application-authz-xacml
>
> Regards,
> Senthalan
>
> On Mon, Jan 15, 2018 at 8:13 PM, Johann Nallathamby <[email protected]> wrote:
>
>> *[-IAM, RRT]*
>>
>> On Mon, Jan 15, 2018 at 8:13 PM, Johann Nallathamby <[email protected]> wrote:
>>
>>> Hi Senthalan,
>>>
>>> Did you check [1]? In this feature *@Isuranga* implemented an XACML policy
>>> to evaluate the permission tree. For this he had to come up with a policy
>>> that defined a custom function.
>>>
>>> In the above feature, if you replace permission with OAuth2 scopes (which
>>> is also a representation of permissions in the OAuth2 world, and can be
>>> assigned to roles from IS 5.4.0 onwards IINM) you will get what you need.
>>> Am I right? Do you see any gaps?
>>>
>>> If my wit is good, this will be the best way to implement this feature.
>>>
>>> [1] [IAM] Restful API to Evaluate Permission Tree in IS
>>>
>>> Regards,
>>> Johann.
>>>
>>> On Fri, Jan 12, 2018 at 2:10 PM, Senthalan Kanagalingam <[email protected]> wrote:
>>>
>>>> Hi all,
>>>>
>>>> As the aim of this project is to validate the scope of the token
>>>> against XACML policies, I was wrong about the extension point. There is no
>>>> need to implement it from the token validation point. There is an extension
>>>> point to extend scope validation ("OAuth2ScopeValidator"), and IS
>>>> allows multiple scope validators. So I am going to start from here.
>>>>
>>>> Thanks and Regards,
>>>> Senthalan
>>>>
>>>> On Thu, Jan 11, 2018 at 5:35 PM, Senthalan Kanagalingam <[email protected]> wrote:
>>>>
>>>>> Hi all,
>>>>>
>>>>> I am currently working on implementing an XACML-based scope validator
>>>>> for when the resource server tries to validate the OAuth2 token. Users
>>>>> can publish their token validation XACML policies to the policy store.
>>>>> Here [1] is a sample policy template.
>>>>>
>>>>> The spec implementation of the OAuth2 token validation is already in
>>>>> WSO2 IS. This validator will be called only if spec validation passes.
>>>>> An XACML request will be created using the retrieved information of the
>>>>> user. Then that XACML request will be validated using the entitlement
>>>>> engine.
>>>>>
>>>>> There will be a global configuration to enable or disable this
>>>>> validation. But in future, it will be implemented as a configurable
>>>>> option for each service provider.
>>>>>
>>>>> WSO2 IS has an extension point to implement a TokenValidator [2].
>>>>> I am planning to implement a custom validator
>>>>> ("XACMLbasedOAuth2TokenValidator") at that point for validation.
>>>>>
>>>>> I am looking forward to suggestions/comments.
>>>>>
>>>>> [1] - https://docs.google.com/document/d/1unh9QsDXMXxwbr3SPYLgRG1mKvxphX9VjhRAthHIlQU/edit?usp=sharing
>>>>> [2] - https://docs.wso2.com/display/IS540/Extension+Points+for+OAuth#ExtensionPointsforOAuth-OAuth2TokenValidator
>>>>>
>>>>> Thanks and Regards,
>>>>> Senthalan
>>>>> --
>>>>>
>>>>> *Senthalan Kanagalingam*
>>>>> *Software Engineer - WSO2 Inc.*
>>>>> *Mobile : +94 (0) 77 18 77 466*
>>>>> <http://wso2.com/signature>
>>>
>>> --
>>>
>>> *Johann Dilantha Nallathamby*
>>> Senior Lead Solutions Engineer
>>> WSO2, Inc.
>>> lean.enterprise.middleware
>>>
>>> Mobile: *+94 77 7776950*
>>> LinkedIn: *http://www.linkedin.com/in/johann-nallathamby*
>>> Medium: *https://medium.com/@johann_nallathamby*
>>> Twitter: *@dj_nallaa*

--
Thanks & Regards,
Asela

ATL Mobile : +94 777 625 933
+358 449 228 979
http://soasecurity.org/
http://xacmlinfo.org/
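As an added illustration (not code from WSO2 IS, the xacmlinfo sample, or anyone in this thread): the scope-validation flow the thread describes, building an XACML 3.0 request from the token's user, roles and requested scope, evaluating it against role-based and time-based rules, and granting a scope only on an explicit Permit. The rule table, short attribute ids, token and resource values are constructed for the example, and the entitlement engine is stood in for by a small in-memory evaluator.

```python
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
CAT = {"subject": "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
       "resource": "urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
       "action": "urn:oasis:names:tc:xacml:3.0:attribute-category:action",
       "environment": "urn:oasis:names:tc:xacml:3.0:attribute-category:environment"}
STRING = "http://www.w3.org/2001/XMLSchema#string"  # short attribute ids below are constructed

def build_request(user, roles, resource, scope, now_hhmm):
    """Serialise the XACML 3.0 request the validator sends: user + roles, resource, scope as action, time."""
    req = ET.Element("Request", xmlns=NS, CombinedDecision="false", ReturnPolicyIdList="false")
    fields = {"subject": {"subject-id": [user], "role": roles},
              "resource": {"resource-id": [resource]},
              "action": {"action-id": [scope]},
              "environment": {"current-time": [now_hhmm]}}
    for cat, attrs in fields.items():
        holder = ET.SubElement(req, "Attributes", Category=CAT[cat])
        for attr_id, values in attrs.items():
            attr = ET.SubElement(holder, "Attribute", AttributeId=attr_id, IncludeInResult="false")
            for value in values:
                ET.SubElement(attr, "AttributeValue", DataType=STRING).text = value
    return ET.tostring(req, encoding="unicode")

# Constructed stand-in for the entitlement engine: a rule permits one scope for one role inside an HH:MM window.
RULES = [("read_profile", "everyone", "00:00", "23:59"), ("admin_users", "admin", "09:00", "17:00")]

def evaluate(xacml_request):
    """Return the decision for one request; a request matched by no rule is Deny, never a silent Permit."""
    got = {}
    for attr in ET.fromstring(xacml_request).iter(f"{{{NS}}}Attribute"):
        got[attr.get("AttributeId")] = [v.text for v in attr.iter(f"{{{NS}}}AttributeValue")]
    scope, now = got["action-id"][0], got["current-time"][0]
    for rule_scope, role, start, end in RULES:
        if rule_scope == scope and role in got.get("role", []) and start <= now <= end:
            return "Permit"
    return "Deny"

def validate_scopes(token, resource, now_hhmm):
    """Scope-validator step (runs after the spec checks): every token scope needs its own explicit Permit."""
    for scope in token["scopes"]:
        try:
            decision = evaluate(build_request(token["user"], token["roles"], resource, scope, now_hhmm))
        except Exception:  # a malformed request or engine error must fail closed, not grant the scope
            decision = "Indeterminate"
        if decision != "Permit":
            return False
    return True
```

In a real validator `now_hhmm` would come from the clock and `evaluate` would be the entitlement engine call; the shape of the check, one request per scope and deny on anything but Permit, is the point.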
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
