Hi all, As the continuation of my project I have completed the first step of introducing a generalized OPA function called "invokeOPA" as I have mentioned above and I've already sent its PR.Now I am working on writing a unit test for the invokeOpa function. As my next step, I'm going to define the authentication policies in OPA which we can pass the set of authenticators of an authentication step to OPA, and based on the OPA policy result, construct the authentication step dynamically.I'll update it's state soon.
Thank you Kind regards NImasha. On Fri, Mar 13, 2020 at 9:40 AM Nimasha Fernando <[email protected]> wrote: > [email protected] [email protected] > > > > > On Thu, Mar 12, 2020 at 5:20 PM Nimasha Fernando <[email protected]> wrote: > >> Hi all, >> >> Open Policy Agent (OPA) is a policy engine that can be used to implement >> fine-grained access control for your application and It provides greater >> flexibility and expressiveness than hard-coded service logic or ad-hoc >> domain-specific languages and comes with powerful tooling to help anyone >> get started and also expresses policies in a high-level, declarative >> language called Rego which promotes safe and fine-grained controls. In >> Identity Server, currently we are using XACML to write authorization >> policies. We are planning to integrate OPA as well, because it is a highly >> practical solution for the critical security and policy challenges of the >> cloud-native ecosystems. >> >> Based on our findings we have two ways of integrating OPA with IS, >> >> 1. Using Script Based Adaptive Authentication >> 2. Using an Authorization Handler >> >> >> Mainly we can use OPA with WSO2 IS to achieve following use-cases. >> >> 1. To define authorization policies (e.g role based authorization, >> user-attribute based authorization). >> 2. To define authentication policies in OPA. I.e pass the set of >> authenticators of an authentication step to OPA, and based on the OPA >> policy result, construct the authentication step dynamically. >> 3. To completely delegate authentication sequence generation to OPA. >> E.g. pass cookies, ip-address to OPA and OPA can evaluate the policies >> based on the data that we send and send us back the authentication >> sequence. >> >> >> As the first step to implement above use-cases, I have introduced a >> generalized OPA function called "invokeOPA" in adaptive scripts to be able >> to pass any JSON object as the payload, and from OPA it is possible to >> process the data object and extract the required information. Then OPA >> engine will execute the defined policies and will send back a JSON response >> to WSO2 IS. Then the final authentication or authorization decision will be >> made by OPA according to the policies that have defined. Following diagram >> illustrates the information flow. >> >> [image: Untitled Document(1).png] >> >> *Following is a sample OPA policy for role based authorization.* >> >> package play.policy >> >> import input >> >> default permit = false >> permit{ >> role = ["manager" , "admin"] >> user := input.userDetails.roles[_] >> user == role[_] >> } >> >> *Sample adaptive authentication script to execute the above policy using >> WSO2 IS.* >> >> var onLoginRequest = function(context) { >> executeStep(1, { >> onSuccess: function (context) { >> >> invokeOPA('http://localhost:8181/v1/data/play/policy', >> {"context" :context,"ip_address": "111.222.333.333"},{"sendClaims" : >> "false", "sendRoles": "true"}, { >> onSuccess : function(context, data) { >> >> >> var permit = data.result.permit; >> Log.info('permit '+ permit); >> >> Log.info("Successfully posted data."); >> >> if (permit) { >> executeStep(2); >> } >> }, onFail : function(context) { >> Log.info("Failed to post data"); >> } >> }); >> } >> }); >> }; >> >> As the next steps, I am going to >> >> - Introduce a new function to construct the authentication sequence >> based on the response from OPA >> - Evaluate the possibility to construct the authentication sequence >> by directly invoking OPA without utilizing Nashorn >> - Introduce a cache for OPA response. >> >> Appreciate your suggestions/concerns on this. >> >> [1]https://www.openpolicyagent.org/docs/latest/ >> [2] >> https://is.docs.wso2.com/en/next/learn/configuring-a-service-provider-for-adaptive-authentication/ >> [3] >> https://is.docs.wso2.com/en/next/learn/configuring-role-based-adaptive-authentication/ >> > > > -- > *W.Nimasha Fernando*| Intern Engineering | WSO2 Inc. <http://wso2.com/> > (M)+94 711886714 | (E) [email protected][image: https://wso2.com/signature] > <https://wso2.com/signature> > -- *W.Nimasha Fernando*| Intern Engineering | WSO2 Inc. <http://wso2.com/> (M)+94 711886714 | (E) [email protected][image: https://wso2.com/signature] <https://wso2.com/signature>
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
