On Fri, Aug 19, 2016 at 2:28 PM, Rushmin Fernando <rush...@wso2.com> wrote:

>
>
> On Fri, Aug 19, 2016 at 2:17 PM, Harsha Thirimanna <hars...@wso2.com>
> wrote:
>
>>
>> On Fri, Aug 19, 2016 at 2:11 PM, Rushmin Fernando <rush...@wso2.com>
>> wrote:
>>
>>>
>>> Thank you for the info Harsha :-)
>>>
>>> We have implemented an interceptor for OAuth for AppM ReST API. We can
>>> adopt the generic component you are implementing, in a future release.
>>>
>>> *The issue we currently have is* to exchange an OAuth token for an HTTP
>>> cookie. The plan is to use this cookie to invoke admin service.
>>>
>>> There is a class (an authenticator) which we can use to get a cookie
>>> from a SAML assertion.
>>>
>>
>> Which one are you talking about?
>>
>>
>
>
> [1] is the one we are using. We call this admin service method ( login() )
> with the user's SAML response and get the 'set-cookie' header value of the
> service call response.
>
>
>
>>
>>> I'm looking for something similar for OAuth token --> cookie scenario.
>>>
>>> Is there a code being implemented for this ?
>>>
>> As I explained above, authenticators are handlers in our case and you can
>> implement it within our generic approach.
>>
>>
>
> Can you please share the code ?
>

https://github.com/wso2-extensions/identity-inbound-auth-oauth


>
>
> [1] - https://github.com/wso2/carbon-identity/blob/8cd996c1dc6d9e7c0df491322af6e9ddf1cf3709/components/carbon-authenticators/saml2-sso-authenticator/org.wso2.carbon.identity.authenticator.saml2.sso/src/main/java/org/wso2/carbon/identity/authenticator/saml2/sso/SAML2SSOAuthenticator.java#L84
>
>
>
>
>>
>>> On Tue, Aug 9, 2016 at 8:13 AM, Harsha Thirimanna <hars...@wso2.com>
>>> wrote:
>>>
>>>> Hi All,
>>>> Yes, we were trying to solve this problem in a generic manner that can be
>>>> used across the platform. For that, we have written a component to register
>>>> authentication handlers and the interceptors to intercept REST calls. For now
>>>> we have written Basic and OAuth token based handlers. But anyone can write
>>>> custom handlers and register them as OSGi services to be used by the
>>>> interceptors. As interceptors, we wrote a common Tomcat valve and hope to
>>>> write a servlet filter and a CXF filter.
>>>>
>>>> You can also intercept the request in your own place and authenticate
>>>> the request using our generic component. It has a manager class to do the
>>>> authentication. The handler manager will pick a handler based on the
>>>> handler's "can handle" method.
>>>>
>>>> In addition, we have developed another interceptor point to do the
>>>> authorization and it is also like the authentication component. You can
>>>> write your own handlers, and intercept at any place. We have written
>>>> another valve as interceptor, and the authorization handler checks the
>>>> permission as configured in identity.xml as follows.
>>>>
>>>> <ResourceAccessControl>
>>>>     <Resource context="/api/identity/*" secured="true" http-method="all">
>>>>         <Permissions>/permission/admin/login</Permissions>
>>>>     </Resource>
>>>>     <Resource context="/api/test" secured="true" http-method="put,post">
>>>>         <Permissions>/permission/admin/test</Permissions>
>>>>     </Resource>
>>>> </ResourceAccessControl>
>>>>
>>>> We are going to release 1.0.0 M1 with the next upcoming milestone in 5.3.0.
>>>> Your ideas are welcome to improve this component in a more generic manner.
>>>> Please let us know anything related to this.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> *Harsha Thirimanna*
>>>> Associate Tech Lead | WSO2
>>>>
>>>> Email: hars...@wso2.com
>>>> Mob: +94715186770
>>>> Blog: http://harshathirimanna.blogspot.com/
>>>> Twitter: http://twitter.com/harshathirimann
>>>> Linked-In: http://www.linkedin.com/pub/harsha-thirimanna/10/ab8/122
>>>> <http://wso2.com/signature>
>>>>
>>>> On Tue, Aug 9, 2016 at 4:00 AM, Farasath Ahamed <farasa...@wso2.com>
>>>> wrote:
>>>>
>>>>> Hi Rushmin,
>>>>>
>>>>> On Mon, Aug 8, 2016 at 4:14 PM, Rushmin Fernando <rush...@wso2.com>
>>>>> wrote:
>>>>>
>>>>>> Thanks Ishara !
>>>>>>
>>>>>> Since our products are adopting OAuth protected ReST APIs, is there
>>>>>> an OAuth authenticator being developed or planned to be developed?
>>>>>>
>>>>>
>>>>> Harsha has worked on developing a generic component that can be used
>>>>> by OAuth protected REST APIs[1]. Adding Harsha as he can provide more
>>>>> details on this.
>>>>>
>>>>> [1] https://github.com/wso2-extensions/identity-carbon-auth-rest
>>>>>
>>>>>
>>>>>
>>>>>> Regards,
>>>>>> Rushmin
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Mon, Aug 8, 2016 at 4:04 PM, Ishara Karunarathna <isha...@wso2.com
>>>>>> > wrote:
>>>>>>
>>>>>>> Hi Dinusha,
>>>>>>>
>>>>>>> In this case I think the publisher user should be able to create those
>>>>>>> SPs, XACML policies etc.
>>>>>>> Since the publisher user is within the publisher role you can assign the
>>>>>>> necessary permissions to that role.
>>>>>>> Once the user logs in (SSO) to the publisher with his credentials he can
>>>>>>> get a cookie for that and he can use that cookie to authenticate to the
>>>>>>> admin services.
>>>>>>>
>>>>>>> @Rushmin,
>>>>>>> We don't have an authenticator for OAuth tokens. Better to get an ID
>>>>>>> token using OIDC, or after validating the OAuth token,
>>>>>>> create a carbon authenticator like the SAML carbon authenticator.
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Ishara
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Mon, Aug 8, 2016 at 3:47 PM, Rushmin Fernando <rush...@wso2.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> In addition to creating these entries from the UI, we need to
>>>>>>>> create the same using our ReST API as well. And the API is OAuth 
>>>>>>>> protected.
>>>>>>>>
>>>>>>>> Is there an authenticator which gives back a cookie for an OAuth
>>>>>>>> token as well ?
>>>>>>>>
>>>>>>>> On Mon, Aug 8, 2016 at 3:29 PM, Ishara Karunarathna <
>>>>>>>> isha...@wso2.com> wrote:
>>>>>>>>
>>>>>>>>> Hi Lahiru.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> It's not the admin user. The user trying to do this operation should
>>>>>>>>> have enough permission to do this.
>>>>>>>>>
>>>>>>>>> Use
>>>>>>>>>
>>>>>>>>> *entitlement/policy/view*
>>>>>>>>>
>>>>>>>>> Add this permission to the user who is trying to view those policies.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> BR,
>>>>>>>>>
>>>>>>>>> Ishara
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Mon, Aug 8, 2016 at 3:20 PM, Lahiru Cooray <lahi...@wso2.com>
>>>>>>>>> wrote:
>>>>>>>>>
>>>>>>>>>> + [DEV]
>>>>>>>>>>
>>>>>>>>>> On Mon, Aug 8, 2016 at 3:19 PM, Lahiru Cooray <lahi...@wso2.com>
>>>>>>>>>> wrote:
>>>>>>>>>>
>>>>>>>>>>> Hi all,
>>>>>>>>>>>
>>>>>>>>>>> *Current behaviour:*
>>>>>>>>>>> Currently in AppM, when we are creating XACML policies/Service
>>>>>>>>>>> Providers via IS admin services, we are providing the super tenant
>>>>>>>>>>> admin credentials (where the credentials are stored in a config) to
>>>>>>>>>>> get authenticated. Further, XACML policies/Service providers are only
>>>>>>>>>>> created in the super tenant and marked as a SaaS app to be used in
>>>>>>>>>>> tenants.
>>>>>>>>>>>
>>>>>>>>>>> *Problem:*
>>>>>>>>>>> As we are moving towards AppM - Cloud integration, we are trying to
>>>>>>>>>>> deploy these in the relevant tenant spaces. So as a solution we have
>>>>>>>>>>> tried to use *SAML2SSOAuthenticator*[1] (retrieving a cookie by
>>>>>>>>>>> passing the SAML response and using the same in subsequent service
>>>>>>>>>>> calls) but figured that this is not applicable for non-admin users.
>>>>>>>>>>> (*eg:* In the AppM user story, non-admin users should be allowed to
>>>>>>>>>>> create apps with XACML policies)
>>>>>>>>>>>
>>>>>>>>>>> Any suggestions for this would be highly appreciated!
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> [1] https://github.com/wso2/carbon-identity/blob/8cd996c1dc6d9e7c0df491322af6e9ddf1cf3709/components/carbon-authenticators/saml2-sso-authenticator/org.wso2.carbon.identity.authenticator.saml2.sso/src/main/java/org/wso2/carbon/identity/authenticator/saml2/sso/SAML2SSOAuthenticator.java
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> *Lahiru Cooray*
>>>>>>>>>>> Software Engineer
>>>>>>>>>>> WSO2, Inc.; http://wso2.com/
>>>>>>>>>>> lean.enterprise.middleware
>>>>>>>>>>>
>>>>>>>>>>> Mobile: +94 715 654154
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> *Lahiru Cooray*
>>>>>>>>>> Software Engineer
>>>>>>>>>> WSO2, Inc.; http://wso2.com/
>>>>>>>>>> lean.enterprise.middleware
>>>>>>>>>>
>>>>>>>>>> Mobile: +94 715 654154
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Ishara Karunarathna
>>>>>>>>> Associate Technical Lead
>>>>>>>>> WSO2 Inc. - lean . enterprise . middleware |  wso2.com
>>>>>>>>>
>>>>>>>>> email: isha...@wso2.com,   blog: isharaaruna.blogspot.com,
>>>>>>>>> mobile: +94717996791
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> *Best Regards*
>>>>>>>>
>>>>>>>> *Rushmin Fernando*
>>>>>>>> *Technical Lead*
>>>>>>>>
>>>>>>>> WSO2 Inc. <http://wso2.com/> - Lean . Enterprise . Middleware
>>>>>>>>
>>>>>>>> mobile : +94772891266
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Ishara Karunarathna
>>>>>>> Associate Technical Lead
>>>>>>> WSO2 Inc. - lean . enterprise . middleware |  wso2.com
>>>>>>>
>>>>>>> email: isha...@wso2.com,   blog: isharaaruna.blogspot.com,
>>>>>>> mobile: +94717996791
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> *Best Regards*
>>>>>>
>>>>>> *Rushmin Fernando*
>>>>>> *Technical Lead*
>>>>>>
>>>>>> WSO2 Inc. <http://wso2.com/> - Lean . Enterprise . Middleware
>>>>>>
>>>>>> mobile : +94772891266
>>>>>>
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> Dev mailing list
>>>>>> Dev@wso2.org
>>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>>
>>> --
>>> *Best Regards*
>>>
>>> *Rushmin Fernando*
>>> *Technical Lead*
>>>
>>> WSO2 Inc. <http://wso2.com/> - Lean . Enterprise . Middleware
>>>
>>> mobile : +94772891266
>>>
>>>
>>>
>>
>
>
> --
> *Best Regards*
>
> *Rushmin Fernando*
> *Technical Lead*
>
> WSO2 Inc. <http://wso2.com/> - Lean . Enterprise . Middleware
>
> mobile : +94772891266
>
>
>
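Added example (not WSO2 code and not written by anyone in this thread): a small model of the two mechanisms Harsha describes, an authentication manager that picks the first handler whose "can handle" method accepts the request (a Basic handler and an OAuth bearer handler), followed by an authorization step driven by the <ResourceAccessControl> fragment quoted above. The handler class names, the user/token tables and the request shape are constructed for illustration; the real identity-carbon-auth-rest classes differ. Unlisted resources are denied unless the caller opts in, which is a choice made here, not a claim about the product's default.

```python
import base64
import fnmatch
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# The <ResourceAccessControl> fragment exactly as quoted in the thread.
RESOURCE_ACCESS_CONTROL = """
<ResourceAccessControl>
    <Resource context="/api/identity/*" secured="true" http-method="all">
        <Permissions>/permission/admin/login</Permissions>
    </Resource>
    <Resource context="/api/test" secured="true" http-method="put,post">
        <Permissions>/permission/admin/test</Permissions>
    </Resource>
</ResourceAccessControl>
"""


@dataclass
class Request:
    path: str
    method: str
    headers: Dict[str, str]


# --- Authentication: the manager asks each handler "can you handle this?" ---
# Handler names and credential/token tables are constructed for this example.

class BasicAuthHandler:
    name = "basic"
    USERS = {"publisher1": "s3cret"}  # constructed stand-in for a user store

    def can_handle(self, req: Request) -> bool:
        return req.headers.get("Authorization", "").startswith("Basic ")

    def authenticate(self, req: Request) -> Optional[str]:
        try:  # reject malformed base64 instead of raising into the interceptor
            raw = base64.b64decode(req.headers["Authorization"][6:], validate=True).decode()
        except (ValueError, UnicodeDecodeError):
            return None
        user, sep, password = raw.partition(":")
        return user if sep and self.USERS.get(user) == password else None


class OAuthBearerHandler:
    name = "oauth2"
    TOKENS = {"tok-abc123": "publisher1"}  # constructed stand-in for token validation

    def can_handle(self, req: Request) -> bool:
        return req.headers.get("Authorization", "").startswith("Bearer ")

    def authenticate(self, req: Request) -> Optional[str]:
        return self.TOKENS.get(req.headers["Authorization"][7:].strip())


class AuthenticationManager:
    """First handler whose can_handle() accepts the request authenticates it."""

    def __init__(self, handlers) -> None:
        self.handlers = list(handlers)

    def authenticate(self, req: Request):
        for handler in self.handlers:
            if handler.can_handle(req):
                return handler.authenticate(req), handler.name
        return None, None  # no handler registered for this credential type


def basic_header(user: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


# --- Authorization: evaluate the ResourceAccessControl rules -----------------

@dataclass
class ResourceRule:
    context: str
    secured: bool
    methods: Set[str]
    permissions: List[str]


def load_rules(xml_text: str) -> List[ResourceRule]:
    rules = []
    for res in ET.fromstring(xml_text).findall("Resource"):
        methods = {m.strip().lower() for m in res.get("http-method", "all").split(",")}
        perms = [p.text.strip() for p in res.findall("Permissions") if p.text]
        rules.append(ResourceRule(res.get("context", ""), res.get("secured") == "true",
                                  methods, perms))
    return rules


def match_rule(rules: List[ResourceRule], req: Request) -> Optional[ResourceRule]:
    # First matching <Resource> wins; '*' in the context matches any suffix.
    for rule in rules:
        if fnmatch.fnmatchcase(req.path, rule.context) and \
                ("all" in rule.methods or req.method.lower() in rule.methods):
            return rule
    return None


def authorize(rules, req: Request, user_permissions: Set[str], default_allow=False) -> bool:
    rule = match_rule(rules, req)
    if rule is None:
        return default_allow  # resource not listed: deny unless the deployment opts in
    if not rule.secured:
        return True
    return all(p in user_permissions for p in rule.permissions)


def handle(manager, rules, req: Request, permissions_of: Dict[str, Set[str]]) -> dict:
    """Authenticate, then authorize; mirrors the two interceptor points."""
    user, handler = manager.authenticate(req)
    if user is None:
        return {"status": 401, "user": None, "handler": handler}
    allowed = authorize(rules, req, permissions_of.get(user, set()))
    return {"status": 200 if allowed else 403, "user": user, "handler": handler}
```

With the quoted rules, a bearer-authenticated publisher1 holding only /permission/admin/login gets 200 on GET /api/identity/user/me but 403 on POST /api/test, and a GET on /api/test matches no rule at all because that resource only lists put,post, which is exactly the kind of gap worth checking before trusting such a config.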