Hi all,

We had a discussion regarding the state of this project. Please find the meeting notes below:
Participants: Dimuthu, Ruwan, Darshana, Nadun, Pamoda, Biruntha

- Have multiple checkboxes in the OAuth UI for all scope validators. Then users can pick as they wish.
- When calling the scope validation, call the picked validators.
- Store the picked scope validators for each OAuth app against its "app id" in a new table.
- JDBCScopeValidator has to be picked as default, as we have it in the current implementation.
- So write one migration script to populate the new table with JDBCScopeValidator as the picked validator for available OAuth apps.

Thanks,
Senthalan

On Mon, Jan 29, 2018 at 11:43 AM, Dimuthu Leelarathne <[email protected]> wrote:

>
> On Mon, Jan 29, 2018 at 11:38 AM, Ruwan Abeykoon <[email protected]> wrote:
>
>> Hi All,
>> -1 on adding anything to SP Configuration. This needs to be separated from the SP object, or table itself.
>> Reason:
>> 1. We need to minimize DB changes when adding features.
>> 2. Adding a column per validator (XACML here) is not scalable. (What if another validator is added in future, do we add another column?)
>>
>> a) The DAO layer should do the necessary mapping.
>> b) Can use database referential integrity and proper JOIN queries.
>>
>
> The configuration is not for the extension. The configuration will answer the following concept.
>
> "Do we need to perform authorizations when issuing access tokens?"
>
> There is nowhere in the IS object model that answers the above concept.
>
> The way you perform authorizations can be anything - it can be a JDBC validator, a JavaScript validator (in the future). The configuration introduced is for the *concept*.
>
> thanks,
> Dimuthu
>
>> c) Need to add proper extension points in the code so that the data-tables and UI elements can be plugged.
>>
>> Cheers,
>> Ruwan
>>
>> On Sun, Jan 28, 2018 at 8:28 PM, Dimuthu Leelarathne <[email protected]> wrote:
>>
>>> On Wed, Jan 24, 2018 at 12:41 PM, Johann Nallathamby <[email protected]> wrote:
>>>
>>>> On Tue, Jan 23, 2018 at 9:49 AM, Senthalan Kanagalingam <[email protected]> wrote:
>>>>
>>>>> Hi all,
>>>>>
>>>>> I have completed the scope validation implementation. But in this implementation, the entitlement engine has to run for every token validation request even if there is no policy defined by the user for a particular service provider. The PDP has to go through all existing policies to select the applicable policies. It's an overhead in token validation time.
>>>>>
>>>>> To avoid this we can introduce an "Enable XACML based scope validator" checkbox under Local & Outbound Authentication Configuration.
>>>>
>>>> This should be under the OAuth2 section because it's OAuth2 specific. We can't have "scope" under "Local & Outbound Authentication Configuration".
>>>
>>> +1. It should be under the OAuth2 section. And also it should be stored in the same place as the OAuth2 configuration per service provider is stored. Where do we store the SP configurations for OAuth2.0?
>>>
>>> thanks,
>>> Dimuthu
>>>
>>>> Regards,
>>>> Johann.
>>>>
>>>>> Then users can enable or disable scope validation for that particular service provider. This will be a simple select query and we can use caching. We can check whether the user has enabled the scope validation or not and continue.
>>>>>
>>>>> Any suggestions or improvements are highly appreciated.
>>>>>
>>>>> Thanks and Regards,
>>>>> Senthalan
>>>>>
>>>>> On Fri, Jan 19, 2018 at 6:42 PM, Senthalan Kanagalingam <[email protected]> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> Here is the architecture of the XACML based scope validator.
>>>>>>
>>>>>> After checking whether the access token has expired, the scope of the token will be validated using JDBCScopeValidator and XACMLScopeValidator. The JDBCScopeValidator was already implemented. The XACMLScopeValidator will create a XACML request from the access token and validate it using EntitlementService.
>>>>>>
>>>>>> Thanks and Regards,
>>>>>> Senthalan
>>>>>>
>>>>>> On Tue, Jan 16, 2018 at 8:59 PM, Dimuthu Leelarathne <[email protected]> wrote:
>>>>>>
>>>>>>> Hi Johann,
>>>>>>>
>>>>>>> On Tue, Jan 16, 2018 at 8:49 PM, Johann Nallathamby <[email protected]> wrote:
>>>>>>>
>>>>>>>> Hi Senthalan,
>>>>>>>>
>>>>>>>> On Tue, Jan 16, 2018 at 12:05 PM, Senthalan Kanagalingam <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> Hi Johann,
>>>>>>>>>
>>>>>>>>> Thanks for the feedback. Currently, I am checking that feature.
>>>>>>>>>
>>>>>>>>> According to my understanding, this feature will be useful to validate the token scopes against resource scopes. As this validation is done by JDBCScopeValidator and my implementation will be parallel to it (IS allows multiple scope validators), do I have to implement validation of the token scopes against the resource scopes as well?
>>>>>>>>
>>>>>>>> -1 to having two implementations. There should be only one implementation, which is based on XACML. Otherwise it will create overhead in configuring and doesn't work well with the tenant model.
>>>>>>>>
>>>>>>>> The current scope-role based validation we introduced in IS 5.4.0 will need to be implemented using XACML and be the default policy. The other policies you were planning could be additional template policies we ship with the product. In addition users can have any new policies they want (per tenant).
>>>>>>>>
>>>>>>>>> Because I have checked with identity-application-authz-xacml [1] and planned to implement validating scopes against the role based and time based policies only.
>>>>>>>>
>>>>>>>> Yes, you can use this code and implement a XACML PEP to send a XACML request. But the validation has to happen on the XACML PDP side.
>>>>>>>>
>>>>>>>> What is the difference between the role based policy you are talking about and the role based scope validation we implemented in IS 5.4.0?
>>>>>>>
>>>>>>> XACML based scope validation would give fine-grained control and flexibility. I don't have experience with the JDBC scope validator but from what I know, it is hard to have a generic implementation out of it.
>>>>>>>
>>>>>>> The added advantage is flexibility. You can write your custom XACML policies and control how authorization happens.
>>>>>>>
>>>>>>> Let it be XACML or JavaScript, we need detailed control to cater for different requirements.
>>>>>>>
>>>>>>> thanks,
>>>>>>> Dimuthu
>>>>>>>
>>>>>>>> Time based policies can be one of the additional policy templates we ship.
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>> Johann.
>>>>>>>>
>>>>>>>>> [1] - https://github.com/wso2-extensions/identity-application-authz-xacml
>>>>>>>>>
>>>>>>>>> Regards,
>>>>>>>>> Senthalan
>>>>>>>>>
>>>>>>>>> On Mon, Jan 15, 2018 at 8:13 PM, Johann Nallathamby <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> *[-IAM, RRT]*
>>>>>>>>>>
>>>>>>>>>> On Mon, Jan 15, 2018 at 8:13 PM, Johann Nallathamby <[email protected]> wrote:
>>>>>>>>>>
>>>>>>>>>>> Hi Senthalan,
>>>>>>>>>>>
>>>>>>>>>>> Did you check [1]? In this feature *@Isuranga* implemented a XACML policy to evaluate the permission tree.
>>>>>>>>>>> For this he had to come up with a policy that defined a custom function.
>>>>>>>>>>>
>>>>>>>>>>> In the above feature, if you replace permission with OAuth2 scopes (which is also a representation of permissions in the OAuth2 world, and can be assigned to roles from IS 5.4.0 onwards IINM) you will get what you need. Am I right? Do you see any gaps?
>>>>>>>>>>>
>>>>>>>>>>> If my wit is good, this will be the best way to implement this feature.
>>>>>>>>>>>
>>>>>>>>>>> [1] [IAM] Restful API to Evaluate Permission Tree in IS
>>>>>>>>>>>
>>>>>>>>>>> Regards,
>>>>>>>>>>> Johann.
>>>>>>>>>>>
>>>>>>>>>>> On Fri, Jan 12, 2018 at 2:10 PM, Senthalan Kanagalingam <[email protected]> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Hi all,
>>>>>>>>>>>>
>>>>>>>>>>>> As the aim of this project is to validate the scope of the token against XACML policies, I was wrong about the extension point. There is no need to implement it from the token validation point. There is an extension point to extend scope validation ("OAuth2ScopeValidator"). And IS allows multiple scope validators. So I am going to start from here.
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks and Regards,
>>>>>>>>>>>> Senthalan
>>>>>>>>>>>>
>>>>>>>>>>>> On Thu, Jan 11, 2018 at 5:35 PM, Senthalan Kanagalingam <[email protected]> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Hi all,
>>>>>>>>>>>>>
>>>>>>>>>>>>> I am currently working on implementing a XACML based scope validator for when the resource server tries to validate the OAuth2 token. Users can publish their token validation XACML policies to the policy store. Here [1] is a sample policy template.
>>>>>>>>>>>>>
>>>>>>>>>>>>> The spec implementation of the OAuth2 token validation is already in WSO2 IS. Only if spec validation passes will this validator be called. A XACML request will be created using the retrieved information of the user. Then that XACML request will be validated using the entitlement engine.
>>>>>>>>>>>>>
>>>>>>>>>>>>> There will be a global configuration to enable or disable this validation. But in future, it will be implemented as a configurable option for each service provider.
>>>>>>>>>>>>>
>>>>>>>>>>>>> WSO2 IS has an extension point to implement TokenValidator [2]. I am planning to implement a custom validator ("XACMLbasedOAuth2TokenValidator") at that point for validation.
>>>>>>>>>>>>>
>>>>>>>>>>>>> I am looking forward to suggestions/comments.
>>>>>>>>>>>>>
>>>>>>>>>>>>> [1] - https://docs.google.com/document/d/1unh9QsDXMXxwbr3SPYLgRG1mKvxphX9VjhRAthHIlQU/edit?usp=sharing
>>>>>>>>>>>>> [2] - https://docs.wso2.com/display/IS540/Extension+Points+for+OAuth#ExtensionPointsforOAuth-OAuth2TokenValidator
>>>>>>>>>>>>>
>>>>>>>>>>>>> Thanks and Regards,
>>>>>>>>>>>>> Senthalan
>>>>>>>>>>>>> --
>>>>>>>>>>>>>
>>>>>>>>>>>>> *Senthalan Kanagalingam*
>>>>>>>>>>>>> *Software Engineer - WSO2 Inc.*
>>>>>>>>>>>>> *Mobile : +94 (0) 77 18 77 466*
>>>>>>>>>>>>> <http://wso2.com/signature>
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>>
>>>>>>>>>>> *Johann Dilantha Nallathamby*
>>>>>>>>>>> Senior Lead Solutions Engineer
>>>>>>>>>>> WSO2, Inc.
>>>>>>>>>>> lean.enterprise.middleware
>>>>>>>>>>>
>>>>>>>>>>> Mobile: *+94 77 7776950*
>>>>>>>>>>> LinkedIn: *http://www.linkedin.com/in/johann-nallathamby*
>>>>>>>>>>> Medium: *https://medium.com/@johann_nallathamby*
>>>>>>>>>>> Twitter: *@dj_nallaa*
>>>>>>>
>>>>>>> --
>>>>>>> Dimuthu Leelarathne
>>>>>>> Director, Solutions Architecture
>>>>>>>
>>>>>>> WSO2, Inc. (http://wso2.com)
>>>>>>> email: [email protected]
>>>>>>> Mobile: +94773661935
>>>>>>> Blog: http://muthulee.blogspot.com
>>>>>>>
>>>>>>> Lean . Enterprise . Middleware

--

*Senthalan Kanagalingam*
*Software Engineer - WSO2 Inc.*
*Mobile : +94 (0) 77 18 77 466*
<http://wso2.com/signature>
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
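Worked example of the design in the meeting notes, added here as an illustration and not code from the thread or from WSO2 Identity Server: one table row per (app, validator) rather than a column per validator, as argued in the thread; the migration that keeps JDBCScopeValidator for every existing app; and a dispatcher that runs the validators picked for the app that issued the token. The table and column names, the scope attribute id placed in the XACML request, the role bindings and the resource-scope policy are all assumptions made for the demo. The JDBC validator and the PDP are small stand-ins for JDBCScopeValidator and EntitlementService, not their real logic. Two choices are the example's own rather than decisions recorded in the thread: every picked validator must pass, and a picked name with no registered implementation fails closed.

```python
# Added example: per-app scope validator selection. Not WSO2 code; table,
# column and attribute names are assumptions, sample data is constructed.
import sqlite3
import xml.etree.ElementTree as ET
from typing import Callable, Dict, List

Token = Dict[str, object]            # {"consumer_key", "user", "roles", "scopes"}
Validator = Callable[[Token, str], bool]
XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
SCOPE_ATTR = "http://wso2.org/identity/oauth-scope"   # hypothetical attribute id

# One row per (app, validator): a new validator later is a new row, not a new
# column, which is the scalability point raised in the thread.
SCHEMA = """
CREATE TABLE IDN_OAUTH_CONSUMER_APPS (
    ID INTEGER PRIMARY KEY, CONSUMER_KEY TEXT NOT NULL UNIQUE);
CREATE TABLE IDN_OAUTH2_SCOPE_VALIDATORS (
    APP_ID INTEGER NOT NULL REFERENCES IDN_OAUTH_CONSUMER_APPS(ID) ON DELETE CASCADE,
    SCOPE_VALIDATOR TEXT NOT NULL,
    PRIMARY KEY (APP_ID, SCOPE_VALIDATOR));
"""
# Migration from the notes: every existing app keeps JDBCScopeValidator.
# The NOT IN guard makes it idempotent, so re-running cannot duplicate rows.
MIGRATION = """
INSERT INTO IDN_OAUTH2_SCOPE_VALIDATORS (APP_ID, SCOPE_VALIDATOR)
SELECT ID, 'JDBCScopeValidator' FROM IDN_OAUTH_CONSUMER_APPS
WHERE ID NOT IN (SELECT APP_ID FROM IDN_OAUTH2_SCOPE_VALIDATORS);
"""

# Constructed sample data: scope-to-role bindings (the IS 5.4.0 style check)
# and, for the stand-in PDP, the scopes each resource accepts.
SCOPE_ROLE_BINDINGS = {"read": {"viewer", "admin"}, "write": {"admin"}}
RESOURCE_SCOPES = {"/api/orders": {"read", "write"}, "/api/reports": {"read"}}


def jdbc_scope_validator(token: Token, resource: str) -> bool:
    """Stand-in for JDBCScopeValidator: each token scope must be bound to a role the user holds."""
    roles = set(token["roles"])
    return all(roles & SCOPE_ROLE_BINDINGS.get(s, set()) for s in token["scopes"])


def build_xacml_request(token: Token, resource: str) -> bytes:
    """Assemble a XACML 3.0 <Request> from the token, as the proposed XACMLScopeValidator (PEP) would."""
    req = ET.Element(f"{{{XACML_NS}}}Request", CombinedDecision="false", ReturnPolicyIdList="false")

    def add(category: str, values: List[tuple]) -> None:
        block = ET.SubElement(req, f"{{{XACML_NS}}}Attributes", Category=category)
        for attr_id, value in values:
            attr = ET.SubElement(block, f"{{{XACML_NS}}}Attribute", AttributeId=attr_id, IncludeInResult="false")
            ET.SubElement(attr, f"{{{XACML_NS}}}AttributeValue",
                          DataType="http://www.w3.org/2001/XMLSchema#string").text = value

    add("urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
        [("urn:oasis:names:tc:xacml:1.0:subject:subject-id", token["user"])])
    add("urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
        [("urn:oasis:names:tc:xacml:1.0:resource:resource-id", resource)]
        + [(SCOPE_ATTR, s) for s in token["scopes"]])
    return ET.tostring(req)


def stand_in_pdp(request_xml: bytes) -> str:
    """Stand-in for EntitlementService: Permit only if every requested scope is allowed on the resource."""
    values: Dict[str, List[str]] = {}
    for attr in ET.fromstring(request_xml).iter(f"{{{XACML_NS}}}Attribute"):
        values.setdefault(attr.get("AttributeId"), []).append(attr.find(f"{{{XACML_NS}}}AttributeValue").text)
    allowed = RESOURCE_SCOPES.get(values["urn:oasis:names:tc:xacml:1.0:resource:resource-id"][0])
    requested = set(values.get(SCOPE_ATTR, []))
    return "Permit" if allowed is not None and requested <= allowed else "Deny"


def xacml_scope_validator(token: Token, resource: str) -> bool:
    return stand_in_pdp(build_xacml_request(token, resource)) == "Permit"


REGISTRY: Dict[str, Validator] = {
    "JDBCScopeValidator": jdbc_scope_validator,
    "XACMLScopeValidator": xacml_scope_validator,
}


def picked_validators(conn: sqlite3.Connection, consumer_key: str) -> List[str]:
    """The DAO-layer JOIN the thread asks for: the validators picked for one app."""
    rows = conn.execute(
        "SELECT v.SCOPE_VALIDATOR FROM IDN_OAUTH2_SCOPE_VALIDATORS v "
        "JOIN IDN_OAUTH_CONSUMER_APPS a ON a.ID = v.APP_ID WHERE a.CONSUMER_KEY = ?",
        (consumer_key,)).fetchall()
    return [r[0] for r in rows]


def validate_scope(conn: sqlite3.Connection, token: Token, resource: str) -> bool:
    """Run every validator picked for the token's app. All must pass; a picked name
    with no registered implementation fails closed instead of being skipped."""
    for name in picked_validators(conn, token["consumer_key"]):
        validator = REGISTRY.get(name)
        if validator is None or not validator(token, resource):
            return False
    return True


def demo_db() -> sqlite3.Connection:
    """Two constructed apps: one migrated as-is, one with XACML picked as well."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO IDN_OAUTH_CONSUMER_APPS (ID, CONSUMER_KEY) VALUES (?, ?)",
                     [(1, "legacy-app"), (2, "xacml-app")])
    conn.executescript(MIGRATION)
    conn.execute("INSERT INTO IDN_OAUTH2_SCOPE_VALIDATORS VALUES (2, 'XACMLScopeValidator')")
    return conn
```

Because the picked validators are AND-ed, ticking XACML for an app can only narrow what the JDBC role check already permits, never widen it, so the migration that picks JDBCScopeValidator alone leaves every existing app with exactly its pre-upgrade behaviour. The NOT IN guard is what makes the script safe to ship as a repeatable migration step.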
