Re: [Architecture] Trusted Delegation using OAuth2 Tokens
Hi Sumedha, This needs to be better modeled after A Method of Bearer Token Redelegation and Chaining for OAuth 2 http://tools.ietf.org/id/draft-richer-oauth-chain-00.txt The grant type needs to be urn:ietf:params:oauth:grant_type:redelegate And also - we should not provide a refresh token in the response. Thanks regards, -Prabath On Mon, Sep 9, 2013 at 9:36 PM, Sumedha Rubasinghe sume...@wso2.com wrote: *Pattern* There are multiple backend systems having its own authentication and authorization mechanisms. These sub systems do not trust each other. In order to fulfill an API invocation from an end user, several of these back ends need to be accessed. The number of internal systems that need to be accessed is transparent to application developer and only known to API publisher and implementor. However for statistical reason access need to happen as if its coming from the end user + internal backend system. Thus comes the need for delegating access on behalf of end user. *Implementation* Initial API access will happen through an OAuth2 token (obtained on behalf of end user through standard grant types). This API call will reach first backend system. When this backend system needs to access some other system, it will obtain an OAuth2 token on behalf of the end user. However, at this point only original OAuth2 token is available to represent end user. Thus token to second system is obtained by passing, *consumer key + consumer secret + OAuth2 token passed into access first system* This combination is not supported by any of standard grant types defined in OAuth2. Thus we would support the above pattern using a extended grant type called trusted_delegation. The syntax for invoking this grant type is as follows: *HTTP Header:* Authorization : Basic 'Base64.encode(consumer key . Consumer secret)' *Request parameters:* grant_type=trusted_delegationenduser_token=wsdr23djdedv Response would be as follows: { token_type:bearer ,expires_in:3600 ,refresh_token:f592b7403f3225d22f4b8e8510928e47 ,access_token:5abbabd324fdcd697591b83c7b6eef3 } Thanks to Prabath for help on solidifying solution criteria and grant type name. I have implemented the first draft and will schedule a code review session. *Pending:* 1. Revoke - when end user decides to revoke his token, all tokens issued on behalf of him (and stored on intermediate sub-systems) should be revoked. -- /sumedha b : bit.ly/sumedha -- Thanks Regards, Prabath Mobile : +94 71 809 6732 http://blog.facilelogin.com http://RampartFAQ.com ___ Architecture mailing list Architecture@wso2.org https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
Re: [Architecture] Trusted Delegation using OAuth2 Tokens
Thanks Prabath. Will read the spec come up with necessary changes. On Wed, Sep 11, 2013 at 4:08 PM, Prabath Siriwardena prab...@wso2.comwrote: Hi Sumedha, This needs to be better modeled after A Method of Bearer Token Redelegation and Chaining for OAuth 2 http://tools.ietf.org/id/draft-richer-oauth-chain-00.txt The grant type needs to be urn:ietf:params:oauth:grant_type:redelegate And also - we should not provide a refresh token in the response. Thanks regards, -Prabath On Mon, Sep 9, 2013 at 9:36 PM, Sumedha Rubasinghe sume...@wso2.comwrote: *Pattern* There are multiple backend systems having its own authentication and authorization mechanisms. These sub systems do not trust each other. In order to fulfill an API invocation from an end user, several of these back ends need to be accessed. The number of internal systems that need to be accessed is transparent to application developer and only known to API publisher and implementor. However for statistical reason access need to happen as if its coming from the end user + internal backend system. Thus comes the need for delegating access on behalf of end user. *Implementation* Initial API access will happen through an OAuth2 token (obtained on behalf of end user through standard grant types). This API call will reach first backend system. When this backend system needs to access some other system, it will obtain an OAuth2 token on behalf of the end user. However, at this point only original OAuth2 token is available to represent end user. Thus token to second system is obtained by passing, *consumer key + consumer secret + OAuth2 token passed into access first system* This combination is not supported by any of standard grant types defined in OAuth2. Thus we would support the above pattern using a extended grant type called trusted_delegation. The syntax for invoking this grant type is as follows: *HTTP Header:* Authorization : Basic 'Base64.encode(consumer key . Consumer secret)' *Request parameters:* grant_type=trusted_delegationenduser_token=wsdr23djdedv Response would be as follows: { token_type:bearer ,expires_in:3600 ,refresh_token:f592b7403f3225d22f4b8e8510928e47 ,access_token:5abbabd324fdcd697591b83c7b6eef3 } Thanks to Prabath for help on solidifying solution criteria and grant type name. I have implemented the first draft and will schedule a code review session. *Pending:* 1. Revoke - when end user decides to revoke his token, all tokens issued on behalf of him (and stored on intermediate sub-systems) should be revoked. -- /sumedha b : bit.ly/sumedha -- Thanks Regards, Prabath Mobile : +94 71 809 6732 http://blog.facilelogin.com http://RampartFAQ.com -- /sumedha b : bit.ly/sumedha ___ Architecture mailing list Architecture@wso2.org https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
[Architecture] [Appfactory] Managing permissions in Appfactory at different levels
Hi all, Can someone explain how we are going to manage AF level permissions bound by roles like Developer, QA, DevOps and application level permissions required to build the application? For example, as the application developer, I need to manage set of roles(GeneralUser, AdvancedUser) to control the access to my application. And are we using a single LDAP to manage development and production users, applications? thank you. -- Manjula Rathnayaka Software Engineer WSO2, Inc. Mobile:+94 77 743 1987 ___ Architecture mailing list Architecture@wso2.org https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
[Architecture] Building a Multi-Tenant, Tenant-Aware SaaS App with the WSO2 Carbon Framework
Hi WSO2 Community, I have posted code on GitHub [1] illustrating how to create a multi-tenant, tenant-aware SaaS application with the WSO2 Carbon Framework. Your comments, recommendations, and pull requests are welcome. An introductory Blog Post [2] and Step One of the getting started instructions [3] are posted. --- Introduction summary: Multi-tenant SaaS applications deliver a personalized client experience while maximizing performance and efficiency. Many teams are challenged by the specialized knowledge required to create a SaaS application on a legacy Java platform. Creating SaaS applications requires detailed knowledge of multi-tenancy, contextual personalization, declarative programming, and infrastructure scaling. The WSO2 Carbon platform contains unique Cloud-Native frameworks that decrease development challenges when building multi-tenant SaaS applications. Step 1 Overview Getting Started #1 – Defining a Tenancy Dimension Model Task 0: Deploy the WSO2 Application Server and start server Task 1: Log into the Carbon administration console as the super-administrator Getting Started #2 – Provisioning SaaS Applications Task 0: Compile the SaaSTest Application Task 1: Provision a Global Tenant Scope SaaS Application Getting Started #3 - Acquire Tenant Context More blog tutorial instructions will be posted soon... -- [1] https://github.com/karux/CarbonSaaSTest [2] http://blog.cobia.net/cobiacomm/2013/08/28/building-multi-tenant-saas-applications/ [3] http://blog.cobia.net/cobiacomm/2013/09/10/creating-a-saas-app-with-the-multi-tenant-carbon-framework-step-1/ -- mailto:ch...@wso2.com twitter @cobiacomm http://blog.cobia.net/cobiacomm (blog) ___ Architecture mailing list Architecture@wso2.org https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
Re: [Architecture] [Appfactory] Managing permissions in Appfactory at different levels
Hi, Now we don't have Application level roles.We have tenant level roles (for the WSO2 Con). So once a user is added as a developer of the tenant .He belongs to every application inside the tenant. So basically it's like this. Users can be imported to tenant using bulk import and at the moment they are added, only default user role is assigned. Developer,QA,Dev ops becomes tenant level roles.Tenant admin can invite users (from the added users to the tenant) for these roles. And the same permissions as previous will be allowed at the tenant level. On Wed, Sep 11, 2013 at 9:59 PM, Manjula Rathnayake manju...@wso2.comwrote: Hi all, Can someone explain how we are going to manage AF level permissions bound by roles like Developer, QA, DevOps and application level permissions required to build the application? For example, as the application developer, I need to manage set of roles(GeneralUser, AdvancedUser) to control the access to my application. And are we using a single LDAP to manage development and production users, applications? thank you. -- Manjula Rathnayaka Software Engineer WSO2, Inc. Mobile:+94 77 743 1987 ___ Architecture mailing list Architecture@wso2.org https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture -- *Asanka Dissanayake Software Engineer* *WSO2 Inc. - lean . enterprise . middleware | wso2.com* * email: asan...@wso2.com ruch...@wso2.com, blog: cyberwaadiya.blogspot.com, asankastechtalks.wordpress.com mobile: +94 71 8373821* ___ Architecture mailing list Architecture@wso2.org https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture