On Mon, Jan 29, 2018 at 11:38 AM, Ruwan Abeykoon <[email protected]> wrote:

> Hi All,
> -1 on adding anything to SP Configuration. This needs to be separated from
> SP object, or table itself.
> Reason:
> 1. We need to minimize DB changes adding features.
> 2. Adding a column per validator (XACML here) is not scalable. (What if
> another validator is added in future, do we add another column?)
>
>
> a) The DAO layer should do the necessary mapping.
> b) Can use Database Referential integrity and proper JOIN queries.
>


The configuration is not for the extension. The configuration will answer
the following concept.

"Do we need to perform authorizations when issuing access tokens?"

There is nowhere in the IS object model that answers the above concept.

The way you perform authorizations can be anything - it can be a JDBC
validator or a JavaScript validator (in the future). The configuration
introduced is for the *concept*.

thanks,
Dimuthu




> c) Need to add proper extension points in the code so that the data-tables
> and UI elements can be plugged.
>
> Cheers,
> Ruwan
>
>
> On Sun, Jan 28, 2018 at 8:28 PM, Dimuthu Leelarathne <[email protected]>
> wrote:
>
>>
>>
>> On Wed, Jan 24, 2018 at 12:41 PM, Johann Nallathamby <[email protected]>
>> wrote:
>>
>>>
>>>
>>> On Tue, Jan 23, 2018 at 9:49 AM, Senthalan Kanagalingam <
>>> [email protected]> wrote:
>>>
>>>> Hi all,
>>>>
>>>> I have completed the scope validation implementation. But in this
>>>> implementation, the entitlement engine has to run for every token
>>>> validation request even if there is no policy defined by the user for a
>>>> particular service provider. The PDP has to go through all existing
>>>> policies to select the applicable policies. This is an overhead in token
>>>> validation time.
>>>>
>>>> To avoid this we can introduce "Enable XACML based scope validator"
>>>> checkbox under Local & Outbound Authentication Configuration.
>>>>
>>>
>>> This should be under OAuth2 section because it's OAuth2 specific. We
>>> can't have "scope" under "Local & Outbound Authentication Configuration".
>>>
>>
>>
>> +1. It should be under OAuth2 section. And also it should be stored in
>> the same place as the OAuth2 configuration per service provider is stored.
>> Where do we store the SP configurations for OAuth2.0?
>>
>> thanks,
>> Dimuthu
>>
>>
>>> Regards,
>>> Johann.
>>>
>>>
>>>> Then users can enable or disable scope validation for that particular
>>>> service provider. This will be a simple select query and we can use
>>>> caching. We can check whether the user has enabled the scope validation or
>>>> not and continue.
>>>>
>>>> Any suggestions or improvements are highly appreciated.
>>>>
>>>> Thanks and Regards,
>>>> Senthalan
>>>>
>>>> On Fri, Jan 19, 2018 at 6:42 PM, Senthalan Kanagalingam <
>>>> [email protected]> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> Here is the architecture of the XACML based scope validator.
>>>>>
>>>>>
>>>>> After checking whether the access token has expired, the scope of the
>>>>> token will be validated using JDBCScopeValidator and XACMLScopeValidator.
>>>>> The JDBCScopeValidator was already implemented. The XACMLScopeValidator
>>>>> will create an XACML request from the access token and validate it using
>>>>> EntitlementService.
>>>>>
>>>>>
>>>>> Thanks and Regards,
>>>>> Senthalan
>>>>>
>>>>> On Tue, Jan 16, 2018 at 8:59 PM, Dimuthu Leelarathne <
>>>>> [email protected]> wrote:
>>>>>
>>>>>> Hi Johann,
>>>>>>
>>>>>> On Tue, Jan 16, 2018 at 8:49 PM, Johann Nallathamby <[email protected]>
>>>>>> wrote:
>>>>>>
>>>>>>> Hi Senthalan,
>>>>>>>
>>>>>>> On Tue, Jan 16, 2018 at 12:05 PM, Senthalan Kanagalingam <
>>>>>>> [email protected]> wrote:
>>>>>>>
>>>>>>>> Hi Johann,
>>>>>>>>
>>>>>>>> Thanks for the feedback. Currently, I am checking that feature.
>>>>>>>>
>>>>>>>> According to my understanding, this feature will be useful to
>>>>>>>> validate the token scopes against resource scopes. As this validation
>>>>>>>> is done by JDBCScopeValidator and my implementation will be parallel
>>>>>>>> to it (IS allows multiple scope validators), do I have to implement
>>>>>>>> validation of the token scopes against the resource scopes as well?
>>>>>>>>
>>>>>>>
>>>>>>> -1 to having two implementations. There should be only one
>>>>>>> implementation, which is based on XACML. Otherwise it will create
>>>>>>> overhead in configuring and doesn't work well with the tenant model.
>>>>>>>
>>>>>>
>>>>>>> The current scope-role based validation we introduced in IS 5.4.0
>>>>>>> will need to be implemented using XACML and be the default policy. The
>>>>>>> other policies you were planning could be additional template policies
>>>>>>> we ship with the product. In addition users can have any new policies
>>>>>>> they want (per tenant).
>>>>>>>
>>>>>>>
>>>>>>>>
>>>>>>>> Because I have checked with identity-application-authz-xacml[1
>>>>>>>> <https://github.com/wso2-extensions/identity-application-authz-xacml>]
>>>>>>>> and planned to implement validating scopes against the role-based and
>>>>>>>> time-based policies only.
>>>>>>>>
>>>>>>>
>>>>>>> Yes, you can use this code and implement a XACML PEP to send a XACML
>>>>>>> request. But the validation has to happen on the XACML PDP side.
>>>>>>>
>>>>>>> What is the difference between the role based policy you are talking
>>>>>>> and the role based scope validation we implemented in IS 5.4.0?
>>>>>>>
>>>>>>
>>>>>> XACML based scope validation would give fine-grained control and
>>>>>> flexibility. I don't have experience with the JDBC scope validator, but
>>>>>> from what I know, it is hard to have a generic implementation out of it.
>>>>>>
>>>>>> The added advantage is flexibility. You can write your custom XACML
>>>>>> policies and control how authorization happens.
>>>>>>
>>>>>> Let it be XACML or Javascript, we need detailed control to cater for
>>>>>> different requirements.
>>>>>>
>>>>>> thanks,
>>>>>> Dimuthu
>>>>>>
>>>>>>
>>>>>>> Time based policies can be one of the additional policy templates we
>>>>>>> ship.
>>>>>>>
>>>>>>> Regards,
>>>>>>> Johann.
>>>>>>>
>>>>>>>
>>>>>>>>
>>>>>>>> [1] - https://github.com/wso2-extensions/identity-application-authz-xacml
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>> Senthalan
>>>>>>>>
>>>>>>>> On Mon, Jan 15, 2018 at 8:13 PM, Johann Nallathamby <
>>>>>>>> [email protected]> wrote:
>>>>>>>>
>>>>>>>>> *[-IAM, RRT]*
>>>>>>>>>
>>>>>>>>> On Mon, Jan 15, 2018 at 8:13 PM, Johann Nallathamby <
>>>>>>>>> [email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> Hi Senthalan,
>>>>>>>>>>
>>>>>>>>>> Did you check [1]? In this feature *@Isuranga* implemented an XACML
>>>>>>>>>> policy to evaluate the permission tree. For this he had to come up
>>>>>>>>>> with a policy that defined a custom function.
>>>>>>>>>>
>>>>>>>>>> In the above feature, if you replace permission with OAuth2 scopes
>>>>>>>>>> (which is also a representation of permissions in the OAuth2 world,
>>>>>>>>>> and can be assigned to roles from IS 5.4.0 onwards IINM) you will get
>>>>>>>>>> what you need. Am I right? Do you see any gaps?
>>>>>>>>>>
>>>>>>>>>> If my wit is good, this will be the best way to implement this
>>>>>>>>>> feature.
>>>>>>>>>>
>>>>>>>>>> [1] [IAM] Restful API to Evaluate Permission Tree in IS
>>>>>>>>>>
>>>>>>>>>> Regards,
>>>>>>>>>> Johann.
>>>>>>>>>>
>>>>>>>>>> On Fri, Jan 12, 2018 at 2:10 PM, Senthalan Kanagalingam <
>>>>>>>>>> [email protected]> wrote:
>>>>>>>>>>
>>>>>>>>>>> Hi all,
>>>>>>>>>>>
>>>>>>>>>>> As the aim of this project is to validate the scope of the token
>>>>>>>>>>> against XACML policies, I was wrong about the extension point. There
>>>>>>>>>>> is no need to implement it from the token validation point. There is
>>>>>>>>>>> an extension point to extend scope validation ("OAuth2ScopeValidator"),
>>>>>>>>>>> and IS allows multiple scope validators. So I am going to start from
>>>>>>>>>>> here.
>>>>>>>>>>>
>>>>>>>>>>> Thanks and Regards,
>>>>>>>>>>> Senthalan
>>>>>>>>>>>
>>>>>>>>>>> On Thu, Jan 11, 2018 at 5:35 PM, Senthalan Kanagalingam <
>>>>>>>>>>> [email protected]> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Hi all,
>>>>>>>>>>>>
>>>>>>>>>>>> I am currently working on implementing an XACML based scope
>>>>>>>>>>>> validator for when the resource server tries to validate the OAuth2
>>>>>>>>>>>> token. Users can publish their token validation XACML policies
>>>>>>>>>>>> to the policy store. Here[1
>>>>>>>>>>>> <https://docs.google.com/document/d/1unh9QsDXMXxwbr3SPYLgRG1mKvxphX9VjhRAthHIlQU/edit?usp=sharing>]
>>>>>>>>>>>> is a sample policy template.
>>>>>>>>>>>>
>>>>>>>>>>>> The spec implementation of the OAuth2 token validation is
>>>>>>>>>>>> already in WSO2 IS. This validator will be called only if the spec
>>>>>>>>>>>> validation has passed. An XACML request will be created using the
>>>>>>>>>>>> retrieved information of the user. Then that XACML request will be
>>>>>>>>>>>> validated using the entitlement engine.
>>>>>>>>>>>>
>>>>>>>>>>>> There will be a global configuration to enable or disable this
>>>>>>>>>>>> validation. But in future, it will be implemented as a configurable
>>>>>>>>>>>> option for each service provider.
>>>>>>>>>>>>
>>>>>>>>>>>> WSO2 IS has an extension point to implement TokenValidator[2
>>>>>>>>>>>> <https://docs.wso2.com/display/IS540/Extension+Points+for+OAuth#ExtensionPointsforOAuth-OAuth2TokenValidator>].
>>>>>>>>>>>> I am planning to implement a custom validator
>>>>>>>>>>>> ("XACMLbasedOAuth2TokenValidator") at that point for validation.
>>>>>>>>>>>>
>>>>>>>>>>>> I am looking forward to suggestions/comments.
>>>>>>>>>>>>
>>>>>>>>>>>> [1] - https://docs.google.com/document/d/1unh9QsDXMXxwbr3SPYLgRG1mKvxphX9VjhRAthHIlQU/edit?usp=sharing
>>>>>>>>>>>> [2] - https://docs.wso2.com/display/IS540/Extension+Points+for+OAuth#ExtensionPointsforOAuth-OAuth2TokenValidator
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks and Regards,
>>>>>>>>>>>> Senthalan
>>>>>>>>>>>> --
>>>>>>>>>>>>
>>>>>>>>>>>> *Senthalan Kanagalingam*
>>>>>>>>>>>> *Software Engineer - WSO2 Inc.*
>>>>>>>>>>>> *Mobile : +94 (0) 77 18 77 466*
>>>>>>>>>>>> <http://wso2.com/signature>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>>
>>>>>>>>>> *Johann Dilantha Nallathamby*
>>>>>>>>>> Senior Lead Solutions Engineer
>>>>>>>>>> WSO2, Inc.
>>>>>>>>>> lean.enterprise.middleware
>>>>>>>>>>
>>>>>>>>>> Mobile: *+94 77 7776950*
>>>>>>>>>> LinkedIn: *http://www.linkedin.com/in/johann-nallathamby
>>>>>>>>>> <http://www.linkedin.com/in/johann-nallathamby>*
>>>>>>>>>> Medium: *https://medium.com/@johann_nallathamby
>>>>>>>>>> <https://medium.com/@johann_nallathamby>*
>>>>>>>>>> Twitter: *@dj_nallaa*
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>
>


-- 
Dimuthu Leelarathne
Director, Solutions Architecture

WSO2, Inc. (http://wso2.com)
email: [email protected]
Mobile: +94773661935
Blog: http://muthulee.blogspot.com

Lean . Enterprise . Middleware
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
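The design the thread converges on, as an added example that is not part of the original thread and not WSO2 IS code: a per-service-provider switch that decides whether scope authorization runs at all (Dimuthu's single "concept" flag), kept in its own table joined to the SP table by a foreign key rather than as a column per validator (Ruwan's points a and b), read once and cached so that an SP with nothing to authorize never hits the validators or the PDP (Senthalan's overhead concern), followed by a chain of scope validators. The role-based validator stands in for the JDBC scope validator and a small rule evaluator stands in for the XACML PDP, with the PEP building the request from the token. Table, column, class and function names, the office-hours policy, and the rule that a scope bound to no role passes are all assumptions made for this example.

```python
"""Per-SP gate in front of a chain of OAuth2 scope validators (constructed
example). The "perform authorization for this SP?" flag lives in its own table
keyed by a foreign key to the SP table, not in a column per validator on the
SP table. It is read with a JOIN, cached, and checked before any validator runs.
Table, column and class names are assumptions, not WSO2 IS identifiers."""
import sqlite3
from dataclasses import dataclass
from typing import Callable

SCHEMA = """
CREATE TABLE SP (sp_id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE SP_SCOPE_AUTHZ (            -- one row per SP that opted in
    sp_id   INTEGER PRIMARY KEY REFERENCES SP(sp_id) ON DELETE CASCADE,
    enabled INTEGER NOT NULL CHECK (enabled IN (0, 1))
);
CREATE TABLE SCOPE_ROLE (scope TEXT NOT NULL, role TEXT NOT NULL);  -- scope->role bindings
"""


@dataclass(frozen=True)
class AccessToken:
    sp_id: int
    user: str
    roles: frozenset
    scopes: tuple


@dataclass(frozen=True)
class Policy:                        # stand-in for an XACML policy
    target_scope: str
    rule: Callable[[dict], bool]     # True = Permit, False = Deny


def role_scope_validator(conn, token, now):
    """Role-based check: a scope bound to roles needs one of those roles on the
    user. Scopes with no binding pass (an assumption made for this example)."""
    for scope in token.scopes:
        bound = {r for (r,) in conn.execute(
            "SELECT role FROM SCOPE_ROLE WHERE scope = ?", (scope,))}
        if bound and not (bound & token.roles):
            return False
    return True


def make_policy_validator(policies):
    """PEP side: build a request from the token, evaluate every applicable
    policy, deny-overrides. In IS the PDP would be the entitlement engine."""
    def validate(conn, token, now):
        request = {"subject": token.user, "roles": token.roles, "hour": now.hour}
        for scope in token.scopes:
            for p in (p for p in policies if p.target_scope == scope):
                if not p.rule(dict(request, scope=scope)):
                    return False
        return True
    return validate


class ScopeValidationGate:
    def __init__(self, conn, validators):
        self.conn, self.validators, self._cache = conn, validators, {}

    def authz_enabled(self, sp_id):
        """LEFT JOIN so an SP without a config row reads as disabled."""
        if sp_id not in self._cache:
            row = self.conn.execute(
                "SELECT COALESCE(a.enabled, 0) FROM SP s LEFT JOIN SP_SCOPE_AUTHZ a "
                "ON a.sp_id = s.sp_id WHERE s.sp_id = ?", (sp_id,)).fetchone()
            if row is None:
                raise KeyError(f"unknown service provider {sp_id}")
            self._cache[sp_id] = bool(row[0])
        return self._cache[sp_id]

    def set_enabled(self, sp_id, enabled):
        try:
            self.conn.execute("INSERT OR REPLACE INTO SP_SCOPE_AUTHZ VALUES (?, ?)",
                              (sp_id, int(enabled)))
        except sqlite3.IntegrityError:
            return False                 # FK rejects a config row for an unknown SP
        self.conn.commit()
        self._cache.pop(sp_id, None)     # invalidate; never serve a stale flag
        return True

    def validate(self, token, now):
        if not self.authz_enabled(token.sp_id):
            return True                  # SP opted out: no validator runs at all
        return all(v(self.conn, token, now) for v in self.validators)


def build_gate():
    """Two SPs: billing-app opts in to authorization, legacy-app does not."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")          # per-connection in SQLite
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO SP VALUES (?, ?)", [(1, "billing-app"), (2, "legacy-app")])
    conn.executemany("INSERT INTO SCOPE_ROLE VALUES (?, ?)",
                     [("invoice:read", "accountant"), ("invoice:write", "finance-admin")])
    office_hours = Policy("invoice:write", lambda req: 9 <= req["hour"] < 17)
    gate = ScopeValidationGate(conn, [role_scope_validator,
                                      make_policy_validator([office_hours])])
    gate.set_enabled(1, True)
    return gate
```

Two things to check before adopting this shape. The missing-row case is fail-open: `authz_enabled` treats an SP with no row as disabled, which matches an opt-in checkbox but means a freshly registered SP skips every validator until someone ticks it; if tokens issued to new SPs must be authorized by default, change the COALESCE default to 1 or insert the row when the SP is created. The cache is only correct because `set_enabled` invalidates it on the same node; in a cluster that invalidation has to reach every node, or the flag keeps being served stale after an admin flips it.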
