Hi,

Scope validation for OAuth tokens will be applied at token validation time. The XACML policies with the action-name "token_validation" will be applied at token validation time. In "scope_based_token_validation_policy_template", you need to update the "sp-name" and "scope-name" according to your need.

- If you registered the SP name "playground2", then change sp-name to "playground2".
- If you are going to validate the scope "openId", change scope-name to "openId".
- Publish the policy to the PDP.
- You have to request with the scope name in the 2nd step:

  curl -u <client>:<passwd> -k -d "grant_type=password&username=user&password=user1&scope=openId" -H "Content-Type:application/x-www-form-urlencoded" https://localhost:9443/oauth2/token

- Then try to validate the access token:

  curl -k -u <USERNAME>:<PASSWORD> -H 'Content-Type: application/x-www-form-urlencoded' -X POST --data 'token=<ACCESS_TOKEN>' https://localhost:9443/oauth2/introspect

Now only the published policy will be applied.

Thanks,
Senthalan.

On Sat, May 5, 2018 at 10:39 AM Farasath Ahamed <[email protected]> wrote:
>
> On Friday, May 4, 2018, Vadim Kimlaychuk <[email protected]> wrote:
>
>> Dear architects,
>>
>> I am trying to implement validation for OAuth tokens described here:
>> https://docs.wso2.com/display/IS560/Validating+the+Scope+of+OAuth+Access+Tokens+using+XACML+Policies
>> Since this example failed for me I have tried to do something similar with the role
>> validation described here:
>> https://docs.wso2.com/display/IS560/Configuring+Access+Control+Policy+for+a+Service+Provider
>> When none of them worked I started to investigate the logs of the server and
>> saw that no validation seems to happen. Should I write some
>> module/class and register it to make it work, or should configuration through the UI
>> be enough?
>>
>> My test scenario with IS 5.5.0 and curl is the following:
>>
>> 1. Registered SP Playground2 with OAuth2/OpenID Connect configuration.
>>    "Authorization", "SaaS", "Role based scope validator" and "XACML Scope Validator" options are enabled.
>> 2. curl -u <client>:<passwd> -k -d "grant_type=password&username=user&password=user1" -H "Content-Type:application/x-www-form-urlencoded" https://localhost:9443/oauth2/token works and I got an access token.
>> 3. Created PAP from auth_role_based_policy where user "user" is "denied" because he is not in a role. Checked it with "Try" -- works.
>> 4. Published to PDP.
>> 5. Tried curl to issue a new token -- token issued as before. No restriction for the user.
>>
>> Maybe I am using it in the wrong way?
>>
>> Thanks in advance,
>>
>> Vadim
>>
>
> --
> Farasath Ahamed
> Senior Software Engineer, WSO2 Inc.; http://wso2.com
> Mobile: +94777603866
> Blog: blog.farazath.com
> Twitter: @farazath619 <https://twitter.com/farazath619>

--
Senthalan Kanagalingam
Software Engineer - WSO2 Inc.
Mobile : +94 (0) 77 18 77 466
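An added check script, not from the thread or from WSO2, that chains the two steps Senthalan describes (token request with the scope, then introspection) and reports whether the introspected token is active and still carries the requested scope, which is the observable effect of the published "token_validation" policy. The host, the password-grant user and the admin credentials for the introspection endpoint are assumptions with placeholder defaults; -k trusts the self-signed certificate as in the thread's curl commands.

```shell
#!/bin/sh
# Added example (not from the thread): request a token with a scope, introspect it,
# and report whether the token_validation policy permitted it.
# Assumed environment (placeholders): IS_HOST, IS_USER/IS_PASS for the password
# grant, ADMIN_USER/ADMIN_PASS for the introspection endpoint.
IS_HOST="${IS_HOST:-https://localhost:9443}"
IS_USER="${IS_USER:-user}"
IS_PASS="${IS_PASS:-<user-password>}"
ADMIN_USER="${ADMIN_USER:-<USERNAME>}"
ADMIN_PASS="${ADMIN_PASS:-<PASSWORD>}"

# Extract a JSON string field from a flat response on stdin (no jq needed).
json_str() {
  sed -n 's/.*"'"$1"'" *: *"\([^"]*\)".*/\1/p'
}

# True when the RFC 7662 introspection response on stdin reports an active token.
introspection_active() {
  grep -q '"active" *: *true'
}

# True when the space-separated "scope" claim on stdin contains scope $1.
scope_granted() {
  json_str scope | tr ' ' '\n' | grep -qxF -- "$1"
}

# $1 = client id, $2 = client secret, $3 = scope to request and then check.
check_scope_policy() {
  token_json=$(curl -sk -u "$1:$2" -d grant_type=password \
    --data-urlencode "username=$IS_USER" --data-urlencode "password=$IS_PASS" \
    --data-urlencode "scope=$3" "$IS_HOST/oauth2/token")
  token=$(printf '%s' "$token_json" | json_str access_token)
  if [ -z "$token" ]; then
    echo "no access token issued: $token_json" >&2; return 1
  fi
  intro_json=$(curl -sk -u "$ADMIN_USER:$ADMIN_PASS" -X POST \
    --data-urlencode "token=$token" "$IS_HOST/oauth2/introspect")
  if printf '%s' "$intro_json" | introspection_active &&
     printf '%s' "$intro_json" | scope_granted "$3"; then
    echo "token active with scope '$3': the token_validation policy permitted it"
  else
    echo "token rejected at introspection (policy denied or scope dropped): $intro_json" >&2
    return 1
  fi
}

# Usage: sh check_scope.sh <client-id> <client-secret> openId
if [ "$#" -eq 3 ]; then check_scope_policy "$@"; fi
```

Run it once with the policy published and once after unpublishing it; only the first run should report the token as rejected when the policy denies, which is the difference Vadim was unable to observe from the logs.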
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
