I think we need not worry about it as we have PDP decision caching - we can just talk to the PDP each time...
Thanks & regards,
-Prabath

On Wed, Oct 19, 2016 at 12:15 AM, Harsha Thirimanna <hars...@wso2.com> wrote:

> So, can't we keep the status 'authorized' with the SP name as well?
>
> *Harsha Thirimanna*
> Associate Tech Lead | WSO2
>
> Email: hars...@wso2.com
> Mob: +94715186770
> Blog: http://harshathirimanna.blogspot.com/
> Twitter: http://twitter.com/harshathirimann
> Linked-In: http://www.linkedin.com/pub/harsha-thirimanna/10/ab8/122
> <http://wso2.com/signature>
>
> On Wed, Oct 19, 2016 at 9:40 AM, Prabath Siriwardana <prab...@wso2.com> wrote:
>
>> It can change - you can authenticate a user with foo SP and then you will
>> be authenticated automatically for bar SP - but they may have different
>> authorization policies...
>>
>> Thanks & regards,
>> -Prabath
>>
>> On Wed, Oct 19, 2016 at 12:01 AM, Harsha Thirimanna <hars...@wso2.com> wrote:
>>
>>> I think it doesn't matter to hit the authorization handler each time,
>>> if we can keep the status as user 'authorized' the same as we keep the
>>> user 'authenticated' in each step.
>>>
>>> On Wed, Oct 19, 2016 at 9:26 AM, Prabath Siriwardana <prab...@wso2.com> wrote:
>>>
>>>> Do we execute the authorization handler for each request...? Even if the
>>>> user is authenticated...?
>>>>
>>>> Thanks & regards,
>>>> -Prabath
>>>>
>>>> On Tue, Oct 18, 2016 at 3:50 PM, Pulasthi Mahawithana <pulast...@wso2.com> wrote:
>>>>
>>>>> Hi All,
>>>>>
>>>>> As per the current implementation of the Identity Server's
>>>>> authentication framework, it does not provide any OOTB authorization
>>>>> mechanism for the service providers. We are going to provide this
>>>>> capability to Identity Server so that users can be authorized to
>>>>> service providers using rules based on user attributes, userstore,
>>>>> time of the day, etc.
>>>>>
>>>>> Following is the proposed sequence for the implementation.
>>>>>
>>>>> [image: Inline image 1]
>>>>>
>>>>> The existing authentication flow is kept as is until the
>>>>> authentication steps are completed and the authentication result is
>>>>> decided. At the AuthenticationRequestHandler (after authentication),
>>>>> if the authentication is successful, we will be calling an
>>>>> AuthorizationHandler with the authentication context.
>>>>> AuthenticationHandler is responsible for evaluating the configured
>>>>> policies and responding back whether the user is authorized or not. If
>>>>> the authorization is not required or is handled by the SP itself, we'll
>>>>> be providing the capability of bypassing the authorization step per
>>>>> service provider.
>>>>>
>>>>> The default implementation of the AuthorizationHandler will be using
>>>>> the IS's XACML engine for authorization. It will send a XACML request
>>>>> to the PDP and the request will be evaluated against the policies
>>>>> published to the PDP. Admins can write XACML policies and publish them
>>>>> to allow/deny the users logging into SPs based on those policies.
>>>>>
>>>>> Also, to retrieve the basic authentication context values (such as SP
>>>>> name, authenticated user's username/userstore/tenant) we will provide a
>>>>> default PIP. In case any complex or derived attributes are needed, we
>>>>> can retrieve them by writing a custom PIP and use them in the policies.
>>>>>
>>>>> Please share your thoughts and suggestions.
>>>>>
>>>>> --
>>>>> *Pulasthi Mahawithana*
>>>>> Senior Software Engineer
>>>>> WSO2 Inc., http://wso2.com/
>>>>> Mobile: +94-71-5179022
>>>>> Blog: http://blog.pulasthi.org
>>>>>
>>>>> <https://wso2.com/signature>

--
Thanks & Regards,
Prabath

Twitter : @prabath
LinkedIn : http://www.linkedin.com/in/prabathsiriwardena

Mobile : +1 650 625 7950

http://facilelogin.com
_______________________________________________ Architecture mailing list Architecture@wso2.org https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
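Added illustration, not code from this thread or from WSO2 Identity Server: a small Python model of the proposed step, with the authentication context serialised as a XACML 3.0 request, a stand-in PDP, and a decision cache whose key is the whole request. It shows the foo/bar point raised above: keyed per SP, the cached Permit for foo is not reused for bar, whereas a plain per-user 'authorized' flag is. The category and subject/resource/action attribute ids are the standard XACML 3.0 identifiers; the userstore/tenant/hour-of-day ids, the two policies and the sample users are hypothetical.

```python
"""Model of the proposed authorization step (added illustration, not WSO2 IS code):
authentication context -> XACML 3.0 Request -> PDP decision, with a decision cache
keyed by the whole request so a Permit for one SP is never reused for another."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
ET.register_namespace("", XACML)
STRING = "http://www.w3.org/2001/XMLSchema#string"
# Standard XACML 3.0 categories and attribute ids.
CAT_SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
CAT_RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
CAT_ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
CAT_ENV = "urn:oasis:names:tc:xacml:3.0:attribute-category:environment"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
# Hypothetical ids for the extra context values a default PIP would supply.
USERSTORE_ID = "http://example.org/identity/userstore-domain"
TENANT_ID = "http://example.org/identity/tenant-domain"
HOUR_ID = "http://example.org/identity/hour-of-day"  # simplified stand-in for time of day


@dataclass(frozen=True)
class AuthContext:
    """Slice of the authentication context the authorization step needs."""
    username: str
    userstore: str
    tenant: str
    sp_name: str
    hour_of_day: int


def build_xacml_request(ctx: AuthContext) -> str:
    """Serialise the context as a XACML Request: user as subject, SP as resource, 'login' as action."""
    req = ET.Element(f"{{{XACML}}}Request", ReturnPolicyIdList="false", CombinedDecision="false")
    blocks = {
        CAT_SUBJECT: [(SUBJECT_ID, ctx.username), (USERSTORE_ID, ctx.userstore), (TENANT_ID, ctx.tenant)],
        CAT_RESOURCE: [(RESOURCE_ID, ctx.sp_name)],
        CAT_ACTION: [(ACTION_ID, "login")],
        CAT_ENV: [(HOUR_ID, str(ctx.hour_of_day))],
    }
    for category, attrs in blocks.items():
        holder = ET.SubElement(req, f"{{{XACML}}}Attributes", Category=category)
        for attr_id, value in attrs:
            attr = ET.SubElement(holder, f"{{{XACML}}}Attribute", AttributeId=attr_id, IncludeInResult="false")
            ET.SubElement(attr, f"{{{XACML}}}AttributeValue", DataType=STRING).text = value
    return ET.tostring(req, encoding="unicode")


def request_attributes(request_xml: str) -> dict:
    """Flatten a Request into {(category, attribute_id): value}."""
    out = {}
    for holder in ET.fromstring(request_xml).iter(f"{{{XACML}}}Attributes"):
        for attr in holder.iter(f"{{{XACML}}}Attribute"):
            out[(holder.get("Category"), attr.get("AttributeId"))] = attr.find(f"{{{XACML}}}AttributeValue").text
    return out


def mock_pdp(request_xml: str) -> str:
    """Stand-in PDP with two constructed per-SP policies; a real PDP evaluates published XACML."""
    a = request_attributes(request_xml)
    sp = a[(CAT_RESOURCE, RESOURCE_ID)]
    if sp == "foo":  # foo: only users from the PRIMARY userstore may log in
        return "Permit" if a[(CAT_SUBJECT, USERSTORE_ID)] == "PRIMARY" else "Deny"
    if sp == "bar":  # bar: business hours only
        return "Permit" if 8 <= int(a[(CAT_ENV, HOUR_ID)]) < 18 else "Deny"
    return "NotApplicable"


class AuthorizationHandler:
    """Per-request authorization with a decision cache keyed by the full XACML request."""
    def __init__(self, pdp):
        self._pdp, self._cache, self.pdp_calls = pdp, {}, 0

    def authorize(self, ctx: AuthContext) -> str:
        request = build_xacml_request(ctx)  # SP, subject and environment are all in the key
        if request not in self._cache:
            self.pdp_calls += 1
            self._cache[request] = self._pdp(request)
        return self._cache[request]


def naive_authorized_flag(handler: AuthorizationHandler, ctxs) -> list:
    """The alternative discussed: remember only that the user is 'authorized'.
    After the first SP permits the user, later SPs in the session are never checked."""
    results, authorized_users = [], set()
    for ctx in ctxs:
        if ctx.username in authorized_users:
            results.append("Permit")  # reused without consulting the policy for this SP
            continue
        decision = handler.authorize(ctx)
        if decision == "Permit":
            authorized_users.add(ctx.username)
        results.append(decision)
    return results


def demo():
    """Same user, two SPs: foo permits her, bar (after hours) denies her."""
    alice_foo = AuthContext("alice", "PRIMARY", "carbon.super", "foo", 10)
    alice_bar = AuthContext("alice", "PRIMARY", "carbon.super", "bar", 22)
    handler = AuthorizationHandler(mock_pdp)
    per_sp = [handler.authorize(alice_foo), handler.authorize(alice_foo), handler.authorize(alice_bar)]
    flag_only = naive_authorized_flag(AuthorizationHandler(mock_pdp), [alice_foo, alice_bar])
    return per_sp, handler.pdp_calls, flag_only
```

With the cache keyed on the full request, the second foo login is served from the cache and bar still reaches the PDP (two PDP calls for three authorizations), while the per-user flag grants bar without ever evaluating its policy. The model also makes a caching caveat visible: a policy that depends on time of day puts the environment into the key, so such decisions cache poorly, and any cache that drops environment attributes from the key needs a short TTL to bound how long a stale Permit survives.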