Hi Senthalan,

On Tue, Jan 30, 2018 at 9:33 AM, Senthalan Kanagalingam <[email protected]> wrote:

> Hi all,
>
> We had a discussion regarding the state of this project. Please find the meeting notes below,
>
> Participants: Dimuthu, Ruwan, Darshana, Nadun, Pamoda, Biruntha
>
> - Have multiple checkboxes in OAuth UI for all scope validators. Then users can pick on their wish.
> - When calling the scope validation, call the picked validators.
> - Store the picked scope validators for each OAuth app against its "app id" in a new table.
> - JDBCScopeValidator has to be picked as default, as we have it in the current implementation.
> - So write one migration script to populate the new table with JDBCScopeValidator as picked validator for available OAuth apps.
>

Will UI be rendered upon the scope validators available in the runtime? This will be a connector to the product. Therefore, the UI should not directly couple with the existing UI.

> Thanks,
> Senthalan
>
> On Mon, Jan 29, 2018 at 11:43 AM, Dimuthu Leelarathne <[email protected]> wrote:
>
>> On Mon, Jan 29, 2018 at 11:38 AM, Ruwan Abeykoon <[email protected]> wrote:
>>
>>> Hi All,
>>> -1 on adding anything to SP Configuration. This needs to be separated from SP object, or table itself.
>>> Reason:
>>> 1. We need to minimize DB changes adding features.
>>> 2. Adding a column per validator (XACML here) is not scalable. (What if another validator is added in future, do we add another column?)
>>>
>>> a) The DAO layer should do the necessary mapping.
>>> b) Can use Database Referential integrity and proper JOIN queries.
>>
>> The configuration is not for the extension. The configuration will answer the following concept.
>>
>> "Do we need to perform authorizations when issuing access tokens?"
>>
>> There is nowhere in the IS object model that answers the above concept.
>>
>> The way you perform authorizations can be anything - It can be JDBC validator, JavaScript validator (in the future). The configuration introduced is for the *concept*.
>>
>> thanks,
>> Dimuthu
>>
>>> c) Need to add proper extension points in the code so that the data-tables and UI elements can be plugged.
>>>
>>> Cheers,
>>> Ruwan
>>>
>>> On Sun, Jan 28, 2018 at 8:28 PM, Dimuthu Leelarathne <[email protected]> wrote:
>>>
>>>> On Wed, Jan 24, 2018 at 12:41 PM, Johann Nallathamby <[email protected]> wrote:
>>>>
>>>>> On Tue, Jan 23, 2018 at 9:49 AM, Senthalan Kanagalingam <[email protected]> wrote:
>>>>>
>>>>>> Hi all,
>>>>>>
>>>>>> I have completed the scope validation implementation. But in this implementation, the entitlement engine has to run for every token validation request even if there is no policy defined by the user for a particular service provider. PDP has to go through all existing policies to select the applicable policies. It's an overhead in token validation time.
>>>>>>
>>>>>> To avoid this we can introduce "Enable XACML based scope validator" checkbox under Local & Outbound Authentication Configuration.
>>>>>
>>>>> This should be under OAuth2 section because it's OAuth2 specific. We can't have "scope" under "Local & Outbound Authentication Configuration".
>>>>
>>>> +1. It should be under OAuth2 section. And also it should be stored in the same place as the OAuth2 configuration per service provider is stored. Where do we store the SP configurations for OAuth2.0?
>>>>
>>>> thanks,
>>>> Dimuthu
>>>>
>>>>> Regards,
>>>>> Johann.
>>>>>
>>>>>> Then users can enable or disable scope validation for that particular service provider. This will be a simple select query and we can use caching. We can check whether the user has enabled the scope validation or not and continue.
>>>>>>
>>>>>> Any suggestions or improvements are highly appreciated.
>>>>>>
>>>>>> Thanks and Regards,
>>>>>> Senthalan
>>>>>>
>>>>>> On Fri, Jan 19, 2018 at 6:42 PM, Senthalan Kanagalingam <[email protected]> wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> Here is the architecture of the XACML based scope validator.
>>>>>>>
>>>>>>> After checking whether the access token has expired, the scope of the token will be validated using JDBCScopeValidator and XACMLScopeValidator. The JDBCScopeValidator was already implemented. The XACMLScopeValidator will create an XACML request from access token and validate using EntitlementService.
>>>>>>>
>>>>>>> Thanks and Regards,
>>>>>>> Senthalan
>>>>>>>
>>>>>>> On Tue, Jan 16, 2018 at 8:59 PM, Dimuthu Leelarathne <[email protected]> wrote:
>>>>>>>
>>>>>>>> Hi Johann,
>>>>>>>>
>>>>>>>> On Tue, Jan 16, 2018 at 8:49 PM, Johann Nallathamby <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> Hi Senthalan,
>>>>>>>>>
>>>>>>>>> On Tue, Jan 16, 2018 at 12:05 PM, Senthalan Kanagalingam <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> Hi Johann,
>>>>>>>>>>
>>>>>>>>>> Thanks for the feedback. Currently, I am checking that feature.
>>>>>>>>>>
>>>>>>>>>> According to my understanding, this feature will be useful to validate the token scopes against resource scopes. As this validation is done by JDBCScopeValidator and my implementation will be parallel to it (IS allows multiple scope validators), do I have to implement validation of the token scopes against the resource scopes as well?
>>>>>>>>>
>>>>>>>>> -1 to have two implementations. There should be only one implementation which is based on XACML. Otherwise it will create overhead in configuring and doesn't work well with tenant model.
>>>>>>>>>
>>>>>>>>> The current scope-role based validation we introduced in IS 5.4.0 will need to be implemented using XACML and be the default policy. The other policies you were planning could be additional template policies we ship with the product. In addition users can have any new policies they want (per tenant).
>>>>>>>>>
>>>>>>>>>> Because I have checked with identity-application-authz-xacml[1 <https://github.com/wso2-extensions/identity-application-authz-xacml>] and planned to implement validating scopes against the role base and time base policies only.
>>>>>>>>>
>>>>>>>>> Yes, you can use this code and implement a XACML PEP to send a XACML request. But the validation has to happen on the XACML PDP side.
>>>>>>>>>
>>>>>>>>> What is the difference between the role based policy you are talking and the role based scope validation we implemented in IS 5.4.0?
>>>>>>>>
>>>>>>>> XACML based scope validation would give fine-grained control and flexibility. I don't have experience with JDBC scope validator but from what I know, it is hard to have a generic implementation out of it.
>>>>>>>>
>>>>>>>> The added advantage is flexibility. You can write your custom XACML policies and control how authorization happens.
>>>>>>>>
>>>>>>>> Let it be XACML or Javascript, we need detailed control to cater for different requirements.
>>>>>>>>
>>>>>>>> thanks,
>>>>>>>> Dimuthu
>>>>>>>>
>>>>>>>>> Time based policies can be one of the additional policy templates we ship.
>>>>>>>>>
>>>>>>>>> Regards,
>>>>>>>>> Johann.
>>>>>>>>>
>>>>>>>>>> [1] - https://github.com/wso2-extensions/identity-application-authz-xacml
>>>>>>>>>>
>>>>>>>>>> Regards,
>>>>>>>>>> Senthalan
>>>>>>>>>>
>>>>>>>>>> On Mon, Jan 15, 2018 at 8:13 PM, Johann Nallathamby <[email protected]> wrote:
>>>>>>>>>>
>>>>>>>>>>> *[-IAM, RRT]*
>>>>>>>>>>>
>>>>>>>>>>> On Mon, Jan 15, 2018 at 8:13 PM, Johann Nallathamby <[email protected]> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Hi Senthalan,
>>>>>>>>>>>>
>>>>>>>>>>>> Did you check [1]? In this feature *@Isuranga* implemented XACML policy to evaluate the permission tree. For this he had to come up with a policy that defined a custom function.
>>>>>>>>>>>>
>>>>>>>>>>>> In the above feature if you replace permission with OAuth2 scopes (which is also a representation of permissions in OAuth2 world, and can be assigned to roles from IS 5.4.0 onwards IINM) you will get what you need. Am I right? Do you see any gaps?
>>>>>>>>>>>>
>>>>>>>>>>>> If my wit is good, this will be the best way to implement this feature.
>>>>>>>>>>>>
>>>>>>>>>>>> [1] [IAM] Restful API to Evaluate Permission Tree in IS
>>>>>>>>>>>>
>>>>>>>>>>>> Regards,
>>>>>>>>>>>> Johann.
>>>>>>>>>>>>
>>>>>>>>>>>> On Fri, Jan 12, 2018 at 2:10 PM, Senthalan Kanagalingam <[email protected]> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Hi all,
>>>>>>>>>>>>>
>>>>>>>>>>>>> As the aim of this project is to validate the scope of the token against XACML policies, I was wrong about the extension point. There is no need to implement it from token validation point. There is an extension point to extend scope validation ("OAuth2ScopeValidator"). And IS allows multi-scope validators. So I am going to start from here.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Thanks and Regards,
>>>>>>>>>>>>> Senthalan
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Thu, Jan 11, 2018 at 5:35 PM, Senthalan Kanagalingam <[email protected]> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Hi all,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I am currently working on implementing XACML based scope validator when the resource server tries to validate the OAuth2 token. Users can publish their token validation XACML policies to the policy store. Here[1 <https://docs.google.com/document/d/1unh9QsDXMXxwbr3SPYLgRG1mKvxphX9VjhRAthHIlQU/edit?usp=sharing>] is a sample policy template.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> The spec implementation of the OAuth2 token validation is already in WSO2 IS. If spec validation passed, only then this validator will be called. XACML request will be created using the retrieved information of the user. Then that XACML request will be validated using the entitlement engine.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> There will be a global configuration to enable or disable this validation. But in future, it will be implemented as a configurable option for each service provider.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> WSO2 IS has an extension point to implement TokenValidator[2 <https://docs.wso2.com/display/IS540/Extension+Points+for+OAuth#ExtensionPointsforOAuth-OAuth2TokenValidator>]. I am planning to implement custom validator ("XACMLbasedOAuth2TokenValidator") at the point for validation.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I am looking forward to suggestions/comments.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> [1] - https://docs.google.com/document/d/1unh9QsDXMXxwbr3SPYLgRG1mKvxphX9VjhRAthHIlQU/edit?usp=sharing
>>>>>>>>>>>>>> [2] - https://docs.wso2.com/display/IS540/Extension+Points+for+OAuth#ExtensionPointsforOAuth-OAuth2TokenValidator
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Thanks and Regards,
>>>>>>>>>>>>>> Senthalan
>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> *Senthalan Kanagalingam*
>>>>>>>>>>>>>> *Software Engineer - WSO2 Inc.*
>>>>>>>>>>>>>> *Mobile : +94 (0) 77 18 77 466*
>>>>>>>>>>>>>> <http://wso2.com/signature>
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> --
>>>>>>>>>>>>
>>>>>>>>>>>> *Johann Dilantha Nallathamby*
>>>>>>>>>>>> Senior Lead Solutions Engineer
>>>>>>>>>>>> WSO2, Inc.
>>>>>>>>>>>> lean.enterprise.middleware
>>>>>>>>>>>>
>>>>>>>>>>>> Mobile: *+94 77 7776950*
>>>>>>>>>>>> LinkedIn: *http://www.linkedin.com/in/johann-nallathamby*
>>>>>>>>>>>> Medium: *https://medium.com/@johann_nallathamby*
>>>>>>>>>>>> Twitter: *@dj_nallaa*
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> Dimuthu Leelarathne
>>>>>>>> Director, Solutions Architecture
>>>>>>>>
>>>>>>>> WSO2, Inc. (http://wso2.com)
>>>>>>>> email: [email protected]
>>>>>>>> Mobile: +94773661935
>>>>>>>> Blog: http://muthulee.blogspot.com
>>>>>>>>
>>>>>>>> Lean . Enterprise . Middleware
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
> _______________________________________________
> Architecture mailing list
> [email protected]
> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>

--
*Malithi Edirisinghe*
Associate Technical Lead
WSO2 Inc.
Mobile : +94 (0) 718176807
[email protected]
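The design the thread converges on, as an added illustration that is not WSO2 code: picked validators stored per OAuth app id (defaulting to JDBCScopeValidator through a migration step), only the picked validators run, and the XACML validator acts as a PEP that builds a request from the token and hands it to a PDP carrying a role-based default policy and a time-window template policy. The `validate(token, resource)` shape, the `APP_VALIDATORS` table, `migrate`, `ToyPDP` and `business_hours_policy` are assumptions; the class names come from the thread.

```python
# Added illustration (not WSO2 code) of per-app scope validator selection.
from datetime import datetime, timezone

# Constructed stand-in for the new table: app id -> list of picked validator names.
APP_VALIDATORS = {}

def migrate(existing_app_ids):
    """Migration step: every existing OAuth app gets JDBCScopeValidator picked."""
    for app_id in existing_app_ids:
        APP_VALIDATORS.setdefault(app_id, ["JDBCScopeValidator"])

class JDBCScopeValidator:
    """Role-based check: token scopes must be covered by the user's role scopes."""
    # Constructed role -> scope binding standing in for the IS 5.4.0 scope-role table.
    ROLE_SCOPES = {"admin": {"read", "write"}, "user": {"read"}}

    def validate(self, token, resource):
        allowed = set().union(*(self.ROLE_SCOPES.get(r, set()) for r in token["roles"]))
        return set(token["scopes"]) <= allowed

class XACMLScopeValidator:
    """PEP side: build a request from the access token and ask the PDP."""
    def __init__(self, pdp):
        self.pdp = pdp

    def validate(self, token, resource):
        request = {"subject": token["user"], "roles": set(token["roles"]),
                   "scopes": set(token["scopes"]), "resource": resource,
                   "hour": token.get("hour", datetime.now(timezone.utc).hour)}
        return self.pdp.evaluate(request)

class ToyPDP:
    """Hypothetical PDP: policies are callables returning Permit (True) or Deny
    (False); every policy must permit. `calls` shows how often the PDP was hit."""
    def __init__(self, policies):
        self.policies, self.calls = policies, 0

    def evaluate(self, request):
        self.calls += 1
        return all(policy(request) for policy in self.policies)

def business_hours_policy(request):
    """Time-based template policy: permit only between 08:00 and 18:00 UTC."""
    return 8 <= request["hour"] < 18

def validate_scopes(app_id, token, resource, registry):
    """Run only the validators picked for this app; an unpicked XACML validator
    never reaches the PDP, which is the overhead the thread wants to avoid."""
    picked = APP_VALIDATORS.get(app_id, [])
    return all(registry[name].validate(token, resource) for name in picked)
```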
