Re: [Architecture] Trusted Delegation using OAuth2 Tokens
Hi Sumedha,
This needs to be better modeled after A Method of Bearer Token
Redelegation and Chaining for OAuth 2
http://tools.ietf.org/id/draft-richer-oauth-chain-00.txt
The grant type needs to be urn:ietf:params:oauth:grant_type:redelegate
And also - we should not provide a refresh token in the response.
Thanks regards,
-Prabath
On Mon, Sep 9, 2013 at 9:36 PM, Sumedha Rubasinghe sume...@wso2.com wrote:
*Pattern*
There are multiple backend systems having its own authentication and
authorization mechanisms. These sub systems do not trust each other.
In order to fulfill an API invocation from an end user, several of these
back ends need to be accessed. The number of internal systems that need to
be accessed is transparent to application developer and only known to API
publisher and implementor. However for statistical reason access need to
happen as if its coming from the end user + internal backend system.
Thus comes the need for delegating access on behalf of end user.
*Implementation*
Initial API access will happen through an OAuth2 token (obtained on
behalf of end user through standard grant types).
This API call will reach first backend system. When this backend system
needs to access some other system, it will obtain an OAuth2 token on behalf
of the end user. However, at this point only original OAuth2 token is
available to represent end user.
Thus token to second system is obtained by passing,
*consumer key + consumer secret + OAuth2 token passed into access first
system*
This combination is not supported by any of standard grant types defined
in OAuth2. Thus we would support the above pattern using a extended grant
type called trusted_delegation.
The syntax for invoking this grant type is as follows:
*HTTP Header:*
Authorization : Basic 'Base64.encode(consumer key . Consumer secret)'
*Request parameters:*
grant_type=trusted_delegationenduser_token=wsdr23djdedv
Response would be as follows:
{
token_type:bearer
,expires_in:3600
,refresh_token:f592b7403f3225d22f4b8e8510928e47
,access_token:5abbabd324fdcd697591b83c7b6eef3
}
Thanks to Prabath for help on solidifying solution criteria and grant type
name.
I have implemented the first draft and will schedule a code review session.
*Pending:*
1. Revoke - when end user decides to revoke his token, all tokens issued
on behalf of him (and stored on intermediate sub-systems) should be revoked.
--
/sumedha
b : bit.ly/sumedha
--
Thanks Regards,
Prabath
Mobile : +94 71 809 6732
http://blog.facilelogin.com
http://RampartFAQ.com
___
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
Re: [Architecture] Trusted Delegation using OAuth2 Tokens
Thanks Prabath. Will read the spec come up with necessary changes.
On Wed, Sep 11, 2013 at 4:08 PM, Prabath Siriwardena prab...@wso2.comwrote:
Hi Sumedha,
This needs to be better modeled after A Method of Bearer Token
Redelegation and Chaining for OAuth 2
http://tools.ietf.org/id/draft-richer-oauth-chain-00.txt
The grant type needs to be urn:ietf:params:oauth:grant_type:redelegate
And also - we should not provide a refresh token in the response.
Thanks regards,
-Prabath
On Mon, Sep 9, 2013 at 9:36 PM, Sumedha Rubasinghe sume...@wso2.comwrote:
*Pattern*
There are multiple backend systems having its own authentication and
authorization mechanisms. These sub systems do not trust each other.
In order to fulfill an API invocation from an end user, several of these
back ends need to be accessed. The number of internal systems that need to
be accessed is transparent to application developer and only known to API
publisher and implementor. However for statistical reason access need to
happen as if its coming from the end user + internal backend system.
Thus comes the need for delegating access on behalf of end user.
*Implementation*
Initial API access will happen through an OAuth2 token (obtained on
behalf of end user through standard grant types).
This API call will reach first backend system. When this backend system
needs to access some other system, it will obtain an OAuth2 token on behalf
of the end user. However, at this point only original OAuth2 token is
available to represent end user.
Thus token to second system is obtained by passing,
*consumer key + consumer secret + OAuth2 token passed into access first
system*
This combination is not supported by any of standard grant types defined
in OAuth2. Thus we would support the above pattern using a extended grant
type called trusted_delegation.
The syntax for invoking this grant type is as follows:
*HTTP Header:*
Authorization : Basic 'Base64.encode(consumer key . Consumer secret)'
*Request parameters:*
grant_type=trusted_delegationenduser_token=wsdr23djdedv
Response would be as follows:
{
token_type:bearer
,expires_in:3600
,refresh_token:f592b7403f3225d22f4b8e8510928e47
,access_token:5abbabd324fdcd697591b83c7b6eef3
}
Thanks to Prabath for help on solidifying solution criteria and grant
type name.
I have implemented the first draft and will schedule a code review
session.
*Pending:*
1. Revoke - when end user decides to revoke his token, all tokens issued
on behalf of him (and stored on intermediate sub-systems) should be revoked.
--
/sumedha
b : bit.ly/sumedha
--
Thanks Regards,
Prabath
Mobile : +94 71 809 6732
http://blog.facilelogin.com
http://RampartFAQ.com
--
/sumedha
b : bit.ly/sumedha
___
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
[Architecture] [Appfactory] Managing permissions in Appfactory at different levels
Hi all, Can someone explain how we are going to manage AF level permissions bound by roles like Developer, QA, DevOps and application level permissions required to build the application? For example, as the application developer, I need to manage set of roles(GeneralUser, AdvancedUser) to control the access to my application. And are we using a single LDAP to manage development and production users, applications? thank you. -- Manjula Rathnayaka Software Engineer WSO2, Inc. Mobile:+94 77 743 1987 ___ Architecture mailing list Architecture@wso2.org https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
[Architecture] Building a Multi-Tenant, Tenant-Aware SaaS App with the WSO2 Carbon Framework
Hi WSO2 Community, I have posted code on GitHub [1] illustrating how to create a multi-tenant, tenant-aware SaaS application with the WSO2 Carbon Framework. Your comments, recommendations, and pull requests are welcome. An introductory Blog Post [2] and Step One of the getting started instructions [3] are posted. --- Introduction summary: Multi-tenant SaaS applications deliver a personalized client experience while maximizing performance and efficiency. Many teams are challenged by the specialized knowledge required to create a SaaS application on a legacy Java platform. Creating SaaS applications requires detailed knowledge of multi-tenancy, contextual personalization, declarative programming, and infrastructure scaling. The WSO2 Carbon platform contains unique Cloud-Native frameworks that decrease development challenges when building multi-tenant SaaS applications. Step 1 Overview Getting Started #1 – Defining a Tenancy Dimension Model Task 0: Deploy the WSO2 Application Server and start server Task 1: Log into the Carbon administration console as the super-administrator Getting Started #2 – Provisioning SaaS Applications Task 0: Compile the SaaSTest Application Task 1: Provision a Global Tenant Scope SaaS Application Getting Started #3 - Acquire Tenant Context More blog tutorial instructions will be posted soon... -- [1] https://github.com/karux/CarbonSaaSTest [2] http://blog.cobia.net/cobiacomm/2013/08/28/building-multi-tenant-saas-applications/ [3] http://blog.cobia.net/cobiacomm/2013/09/10/creating-a-saas-app-with-the-multi-tenant-carbon-framework-step-1/ -- mailto:ch...@wso2.com twitter @cobiacomm http://blog.cobia.net/cobiacomm (blog) ___ Architecture mailing list Architecture@wso2.org https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
Re: [Architecture] [Appfactory] Managing permissions in Appfactory at different levels
Hi, Now we don't have Application level roles.We have tenant level roles (for the WSO2 Con). So once a user is added as a developer of the tenant .He belongs to every application inside the tenant. So basically it's like this. Users can be imported to tenant using bulk import and at the moment they are added, only default user role is assigned. Developer,QA,Dev ops becomes tenant level roles.Tenant admin can invite users (from the added users to the tenant) for these roles. And the same permissions as previous will be allowed at the tenant level. On Wed, Sep 11, 2013 at 9:59 PM, Manjula Rathnayake manju...@wso2.comwrote: Hi all, Can someone explain how we are going to manage AF level permissions bound by roles like Developer, QA, DevOps and application level permissions required to build the application? For example, as the application developer, I need to manage set of roles(GeneralUser, AdvancedUser) to control the access to my application. And are we using a single LDAP to manage development and production users, applications? thank you. -- Manjula Rathnayaka Software Engineer WSO2, Inc. Mobile:+94 77 743 1987 ___ Architecture mailing list Architecture@wso2.org https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture -- *Asanka Dissanayake Software Engineer* *WSO2 Inc. - lean . enterprise . middleware | wso2.com* * email: asan...@wso2.com ruch...@wso2.com, blog: cyberwaadiya.blogspot.com, asankastechtalks.wordpress.com mobile: +94 71 8373821* ___ Architecture mailing list Architecture@wso2.org https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
