On Fri, Aug 19, 2016 at 2:17 PM, Harsha Thirimanna <hars...@wso2.com> wrote:

>
> On Fri, Aug 19, 2016 at 2:11 PM, Rushmin Fernando <rush...@wso2.com>
> wrote:
>
>>
>> Thank you for the info Harsha :-)
>>
>> We have implemented an interceptor for OAuth for AppM ReST API. We can
>> adopt the generic component you are implementing, in a future release.
>>
>> *The issue we currently have is* to exchange an OAuth token for an HTTP
>> cookie. The plan is to use this cookie to invoke admin service.
>>
>> There is a class (an authenticator) which we can use to get a cookie from
>> a SAML assertion.
>>
>
> Which one are you talking about?
>
>


[1] is the one we are using. We call this admin service method ( login() )
with the user's SAML response and get 'set-cookie' header value of the
service call response.



>
>> I'm looking for something similar for OAuth token --> cookie scenario.
>>
>> Is there a code being implemented for this ?
>>
> As I explained above, authenticators are handlers in our case and you can
> implement it within our generic approach.
>
>

Can you please share the code ?


[1] -
https://github.com/wso2/carbon-identity/blob/8cd996c1dc6d9e7c0df491322af6e9ddf1cf3709/components/carbon-authenticators/saml2-sso-authenticator/org.wso2.carbon.identity.authenticator.saml2.sso/src/main/java/org/wso2/carbon/identity/authenticator/saml2/sso/SAML2SSOAuthenticator.java#L84





>
>> On Tue, Aug 9, 2016 at 8:13 AM, Harsha Thirimanna <hars...@wso2.com>
>> wrote:
>>
>>> Hi All,
>>> Yes, we were trying to solve this problem in generic manner that can be
>>> used across the platform. For that, we have written a component to register
>>> authentication handler and the interceptors to intercept rest call. For now
>>> we have written Basic and OAuth token base handlers. But anyone can write
>>> custom handlers and register as a OSGi to use by the interceptors. As
>>> Interceptors , we wrote common tomcat valve and hope to write servlet
>>> filter and cxf filter.
>>>
>>> You also can intercept the request in your own place and authenticate
>>> the request using our generic component. It has a manager class to do the
>>> authentication. Handler will pick based on can handle method by handler
>>> manager.
>>>
>>> In addition, we have developed another interceptor point to do the
>>> authorization and it is also like same authentication component. You can
>>> write your own handlers, and intercept by any place. We have written an
>>> another valve as interceptor and authorization handler check the permission
>>> as configure in identity.xml as follows.
>>>
>>> <ResourceAccessControl>
>>>     <Resource context="/api/identity/*" secured="true" http-method="all">
>>>         <Permissions>/permission/admin/login</Permissions>
>>>     </Resource>
>>>     <Resource context="/api/test" secured="true" http-method="put,post">
>>>         <Permissions>/permission/admin/test</Permissions>
>>>     </Resource>
>>> </ResourceAccessControl>
>>>
>>> We are going to release 1.0.0 M1 with next upcoming milestone in 5.3.0.
>>> Your ideas welcome to improve this component in more generic manner.
>>> Please let us know anything related to this.
>>>
>>>
>>>
>>>
>>>
>>> *Harsha Thirimanna*
>>> Associate Tech Lead | WSO2
>>>
>>> Email: hars...@wso2.com
>>> Mob: +94715186770
>>> Blog: http://harshathirimanna.blogspot.com/
>>> Twitter: http://twitter.com/harshathirimann
>>> Linked-In: http://www.linkedin.com/pub/harsha-thirimanna/10/ab8/122
>>> <http://wso2.com/signature>
>>>
>>> On Tue, Aug 9, 2016 at 4:00 AM, Farasath Ahamed <farasa...@wso2.com>
>>> wrote:
>>>
>>>> Hi Rushmin,
>>>>
>>>> On Mon, Aug 8, 2016 at 4:14 PM, Rushmin Fernando <rush...@wso2.com>
>>>> wrote:
>>>>
>>>>> Thanks Ishara !
>>>>>
>>>>> Since our products are adopting OAuth protected ReST APIs, is there an
>>>>> OAuth authenticator being developed and planned to be developed ?
>>>>>
>>>>
>>>> Harsha has worked on developing a generic component that can be used by
>>>> OAuth protected REST APIs[1]. Adding Harsha as he can provide more details
>>>> on this.
>>>>
>>>> [1] https://github.com/wso2-extensions/identity-carbon-auth-rest
>>>>
>>>>
>>>>
>>>>> Regards,
>>>>> Rushmin
>>>>>
>>>>>
>>>>>
>>>>> On Mon, Aug 8, 2016 at 4:04 PM, Ishara Karunarathna <isha...@wso2.com>
>>>>> wrote:
>>>>>
>>>>>> Hi Dinusha,
>>>>>>
>>>>>> In this case I think publisher user should be able to create those
>>>>>> SP, XACML policies etc.
>>>>>> Since publisher user is within the publisher role you can assign
>>>>>> necessary permission to that role.
>>>>>> Once user login (SSO) to publisher with his credential  he can get a
>>>>>> cookie for that
>>>>>> and he can use that  cookie to authenticate to the admin services.
>>>>>>
>>>>>> @Rushmin,
>>>>>> We don't have an authenticator for OAuth token. Better to get a ID
>>>>>> token using OIDC or after validating OAuth token
>>>>>> and create a carbon authenticator like saml carbon authenticator.
>>>>>>
>>>>>> Thanks,
>>>>>> Ishara
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Mon, Aug 8, 2016 at 3:47 PM, Rushmin Fernando <rush...@wso2.com>
>>>>>> wrote:
>>>>>>
>>>>>>> In addition to creating these entries from the UI, we need to create
>>>>>>> the same using our ReST API as well. And the API is OAuth protected.
>>>>>>>
>>>>>>> Is there an authenticator which gives back a cookie for an OAuth
>>>>>>> token as well ?
>>>>>>>
>>>>>>> On Mon, Aug 8, 2016 at 3:29 PM, Ishara Karunarathna <
>>>>>>> isha...@wso2.com> wrote:
>>>>>>>
>>>>>>>> Hi Lahiru.
>>>>>>>>
>>>>>>>>
>>>>>>>> It's not the admin user. User trying to do this operation should have
>>>>>>>> enough permission to do this.
>>>>>>>>
>>>>>>>> Use
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> *entitlement/policy/view*
>>>>>>>>
>>>>>>>> Add this permission to the user who is trying to view those policies.
>>>>>>>>
>>>>>>>>
>>>>>>>> BR,
>>>>>>>>
>>>>>>>> Ishara
>>>>>>>>
>>>>>>>>
>>>>>>>> On Mon, Aug 8, 2016 at 3:20 PM, Lahiru Cooray <lahi...@wso2.com>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>> + [DEV]
>>>>>>>>>
>>>>>>>>> On Mon, Aug 8, 2016 at 3:19 PM, Lahiru Cooray <lahi...@wso2.com>
>>>>>>>>> wrote:
>>>>>>>>>
>>>>>>>>>> Hi all,
>>>>>>>>>>
>>>>>>>>>> *Current behaviour:*
>>>>>>>>>> Currently in AppM, when we are creating XACML policies/Service
>>>>>>>>>> Providers via IS admin services, we are providing the super tenant
>>>>>>>>>> admin credentials (where the credentials are stored in a config) to
>>>>>>>>>> get authenticated. Further, XACML policies/Service providers are only
>>>>>>>>>> created in super tenant and marked as a SAAS app to be used in tenants.
>>>>>>>>>>
>>>>>>>>>> *Problem:*
>>>>>>>>>> As we are moving for AppM - Cloud integration, we are trying to
>>>>>>>>>> deploy these in relevant tenant spaces. So as a solution we have
>>>>>>>>>> tried to use *SAML2SSOAuthenticator*[1] (retrieving a cookie passing
>>>>>>>>>> the SAML response and use the same in subsequent service calls) but
>>>>>>>>>> figured that this is not applicable for non admin users.
>>>>>>>>>> (*eg:* In AppM user story, non admin users should be allowed to
>>>>>>>>>> create apps with XACML policies)
>>>>>>>>>>
>>>>>>>>>> Any suggestions for this would be highly appreciated!
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> [1] https://github.com/wso2/carbon-identity/blob/8cd996c1dc6d9e7c0df491322af6e9ddf1cf3709/components/carbon-authenticators/saml2-sso-authenticator/org.wso2.carbon.identity.authenticator.saml2.sso/src/main/java/org/wso2/carbon/identity/authenticator/saml2/sso/SAML2SSOAuthenticator.java
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> *Lahiru Cooray*
>>>>>>>>>> Software Engineer
>>>>>>>>>> WSO2, Inc.;http://wso2.com/
>>>>>>>>>> lean.enterprise.middleware
>>>>>>>>>>
>>>>>>>>>> Mobile: +94 715 654154
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> *Lahiru Cooray*
>>>>>>>>> Software Engineer
>>>>>>>>> WSO2, Inc.;http://wso2.com/
>>>>>>>>> lean.enterprise.middleware
>>>>>>>>>
>>>>>>>>> Mobile: +94 715 654154
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> Ishara Karunarathna
>>>>>>>> Associate Technical Lead
>>>>>>>> WSO2 Inc. - lean . enterprise . middleware |  wso2.com
>>>>>>>>
>>>>>>>> email: isha...@wso2.com,   blog: isharaaruna.blogspot.com,
>>>>>>>> mobile: +94717996791
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> *Best Regards*
>>>>>>>
>>>>>>> *Rushmin Fernando*
>>>>>>> *Technical Lead*
>>>>>>>
>>>>>>> WSO2 Inc. <http://wso2.com/> - Lean . Enterprise . Middleware
>>>>>>>
>>>>>>> mobile : +94772891266
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Ishara Karunarathna
>>>>>> Associate Technical Lead
>>>>>> WSO2 Inc. - lean . enterprise . middleware |  wso2.com
>>>>>>
>>>>>> email: isha...@wso2.com,   blog: isharaaruna.blogspot.com,   mobile:
>>>>>> +94717996791
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> *Best Regards*
>>>>>
>>>>> *Rushmin Fernando*
>>>>> *Technical Lead*
>>>>>
>>>>> WSO2 Inc. <http://wso2.com/> - Lean . Enterprise . Middleware
>>>>>
>>>>> mobile : +94772891266
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Dev mailing list
>>>>> Dev@wso2.org
>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>>
>>>>>
>>>>
>>>
>>
>>
>> --
>> *Best Regards*
>>
>> *Rushmin Fernando*
>> *Technical Lead*
>>
>> WSO2 Inc. <http://wso2.com/> - Lean . Enterprise . Middleware
>>
>> mobile : +94772891266
>>
>>
>>
>


-- 
*Best Regards*

*Rushmin Fernando*
*Technical Lead*

WSO2 Inc. <http://wso2.com/> - Lean . Enterprise . Middleware

mobile : +94772891266
_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
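
The `ResourceAccessControl` fragment quoted earlier in the thread can be audited offline to see which permission each request would need and which requests no rule covers. This is an added example, not code from the thread or from the WSO2 component; the matching semantics (glob match on `context`, `all` meaning any method, first match wins) and the function names are assumptions.

```python
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase

# Fragment quoted in the thread (identity.xml), with the wrapped lines rejoined.
CONFIG = """
<ResourceAccessControl>
    <Resource context="/api/identity/*" secured="true" http-method="all">
        <Permissions>/permission/admin/login</Permissions>
    </Resource>
    <Resource context="/api/test" secured="true" http-method="put,post">
        <Permissions>/permission/admin/test</Permissions>
    </Resource>
</ResourceAccessControl>
"""

def load_rules(xml_text):
    """Parse <Resource> entries into plain dicts (hypothetical helper)."""
    rules = []
    for res in ET.fromstring(xml_text).findall("Resource"):
        methods = {m.strip().upper() for m in res.get("http-method", "all").split(",")}
        rules.append({
            "context": res.get("context"),
            "secured": res.get("secured", "true").lower() == "true",
            "methods": methods,
            "permissions": [p.text.strip() for p in res.findall("Permissions") if p.text],
        })
    return rules

def required_permissions(rules, method, path):
    """Return the permission list of the first matching rule.

    Assumed semantics: glob match on context, "all" matches any method,
    first match wins. Returns [] for an unsecured match and None when no
    rule matches, so the caller can choose to deny by default.
    """
    for rule in rules:
        if not fnmatchcase(path, rule["context"]):
            continue
        if "ALL" not in rule["methods"] and method.upper() not in rule["methods"]:
            continue
        return rule["permissions"] if rule["secured"] else []
    return None

def audit(rules, requests):
    """List the (method, path) pairs that no rule covers."""
    return [(m, p) for m, p in requests if required_permissions(rules, m, p) is None]
```

Under these assumed semantics, `GET /api/test` and a request to `/api/identity` without a trailing path segment match no rule, which is the kind of gap worth checking against the component's real behaviour.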
