On Fri, Aug 19, 2016 at 2:28 PM, Rushmin Fernando <rush...@wso2.com> wrote:
> > > On Fri, Aug 19, 2016 at 2:17 PM, Harsha Thirimanna <hars...@wso2.com> > wrote: > >> >> On Fri, Aug 19, 2016 at 2:11 PM, Rushmin Fernando <rush...@wso2.com> >> wrote: >> >>> >>> Thank you for the info Harsha :-) >>> >>> We have implemented an interceptor for OAuth for AppM ReST API. We can >>> adopt the generic component you are implementing, in a future release. >>> >>> *The issue we currently have is* to exchange an OAuth token for an HTTP >>> cookie. The plan is to use this cookie to invoke admin service. >>> >>> There is a class (an authenticator) which we can use to get a cookie >>> from a SAML assertion. >>> >> >> Which one you are talking about ? >> >> > > > [1] is the one we are using. We call this admis service method ( login() ) > with the user's SAML response and get 'set-cookie' header value of the > service call response. > > > >> >>> I'm looking for something similar for OAuth token --> cookie scenario. >>> >>> Is there a code being implemented for this ? >>> >> As I explained above, autheticators are handlers in our case and you can >> implement it within our generic approach. >> >> > > Can you please share the code ? > https://github.com/wso2-extensions/identity-inbound-auth-oauth > > > [1] - https://github.com/wso2/carbon-identity/blob/ > 8cd996c1dc6d9e7c0df491322af6e9ddf1cf3709/components/carbon- > authenticators/saml2-sso-authenticator/org.wso2.carbon. > identity.authenticator.saml2.sso/src/main/java/org/wso2/ > carbon/identity/authenticator/saml2/sso/SAML2SSOAuthenticator.java#L84 > > > > >> >>> On Tue, Aug 9, 2016 at 8:13 AM, Harsha Thirimanna <hars...@wso2.com> >>> wrote: >>> >>>> Hi All, >>>> Yes, We were tying to solve this problem in generic manner that can be >>>> used across the platform. For that, we have written a component to register >>>> authentication handler and the interceptors to intercept rest call. For now >>>> we have written Basic and OAuth token base handlers. But anyone can write >>>> custom handlers and register as a OSGi to use by the interceptors. As >>>> Interceptors , we wrote common tomcat valve and hope to write servlet >>>> filter and cxf filter. >>>> >>>> You also can intercept the request in your own place and authenticate >>>> the request using our generic component. It has a manager class to do the >>>> authentication. Handler will pick based on can handle method by handler >>>> manager. >>>> >>>> In addition, we have develop another interceptor point to do the >>>> authorization and it is also like same authentication component. You can >>>> write your own handlers, and intercept by any place. We have written an >>>> another valve as interceptor and authorization handler check the permission >>>> as configure in identity.xml as follows. >>>> >>>> <ResourceAccessControl> >>>> <Resource context="/api/identity/*" secured="true" >>>> http-method="all"> >>>> <Permissions>/permission/admin/login</Permissions> >>>> </Resource> >>>> <Resource context="/api/test" secured="true" >>>> http-method="put,post"> >>>> <Permissions>/permission/admin/test</Permissions> >>>> </Resource> >>>> </ResourceAccessControl> >>>> >>>> We are going to release 1.0.0 M1 with next upcoming milestone in 5.3.0. >>>> Your ideas welcome to improve this component in more generic manner. >>>> Please let us know anything related to this. >>>> >>>> >>>> >>>> >>>> >>>> *Harsha Thirimanna* >>>> Associate Tech Lead | WSO2 >>>> >>>> Email: hars...@wso2.com >>>> Mob: +94715186770 >>>> Blog: http://harshathirimanna.blogspot.com/ >>>> Twitter: http://twitter.com/harshathirimann >>>> Linked-In: linked-in: http://www.linkedin.com/pub/ha >>>> rsha-thirimanna/10/ab8/122 >>>> <http://wso2.com/signature> >>>> >>>> On Tue, Aug 9, 2016 at 4:00 AM, Farasath Ahamed <farasa...@wso2.com> >>>> wrote: >>>> >>>>> Hi Rushmin, >>>>> >>>>> On Mon, Aug 8, 2016 at 4:14 PM, Rushmin Fernando <rush...@wso2.com> >>>>> wrote: >>>>> >>>>>> Thanks Ishara ! >>>>>> >>>>>> Since our products are adopting OAuth protected ReST APIs, is there >>>>>> an OAuth authencator being developed and planed to be developed ? >>>>>> >>>>> >>>>> Harsha has worked on developing a generic component that can be used >>>>> by OAuth protected REST APIs[1]. Adding Harsha as he can provide more >>>>> details on this. >>>>> >>>>> [1] https://github.com/wso2-extensions/identity-carbon-auth-rest >>>>> >>>>> >>>>> >>>>>> Regards, >>>>>> Rushmin >>>>>> >>>>>> >>>>>> >>>>>> On Mon, Aug 8, 2016 at 4:04 PM, Ishara Karunarathna <isha...@wso2.com >>>>>> > wrote: >>>>>> >>>>>>> Hi Dinusha, >>>>>>> >>>>>>> In this case I think publisher user should be able to create those >>>>>>> SP, XACML policies etc. >>>>>>> Since publisher use is within the publisher role you can assign >>>>>>> necessary permission to that role. >>>>>>> Once user login (SSO) to publisher with his credential he can get a >>>>>>> cookie for that >>>>>>> and he can use that cookie to authenticate to the admin services. >>>>>>> >>>>>>> @Rushmin, >>>>>>> We don't have a authenticator for OAuth token. Better to get a ID >>>>>>> token using OIDC or after validating OAuth token >>>>>>> and create a carbon authenticator like saml carbon authenticator. >>>>>>> >>>>>>> Thanks, >>>>>>> Ishara >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> On Mon, Aug 8, 2016 at 3:47 PM, Rushmin Fernando <rush...@wso2.com> >>>>>>> wrote: >>>>>>> >>>>>>>> In addition to creating these entries from the UI, we need to >>>>>>>> create the same using our ReST API as well. And the API is OAuth >>>>>>>> protected. >>>>>>>> >>>>>>>> Is there an authenticator which gives back a cookie for an OAuth >>>>>>>> token as well ? >>>>>>>> >>>>>>>> On Mon, Aug 8, 2016 at 3:29 PM, Ishara Karunarathna < >>>>>>>> isha...@wso2.com> wrote: >>>>>>>> >>>>>>>>> Hi Lahiru. >>>>>>>>> >>>>>>>>> >>>>>>>>> Its not the admin user.User trying to do this operation should >>>>>>>>> have enough permission to do this. >>>>>>>>> >>>>>>>>> Use >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> *entitlement/policy/view* >>>>>>>>> >>>>>>>>> Add this permission to the user who is trying to view those policies. >>>>>>>>> >>>>>>>>> >>>>>>>>> BR, >>>>>>>>> >>>>>>>>> Ishara >>>>>>>>> >>>>>>>>> >>>>>>>>> On Mon, Aug 8, 2016 at 3:20 PM, Lahiru Cooray <lahi...@wso2.com> >>>>>>>>> wrote: >>>>>>>>> >>>>>>>>>> + [DEV] >>>>>>>>>> >>>>>>>>>> On Mon, Aug 8, 2016 at 3:19 PM, Lahiru Cooray <lahi...@wso2.com> >>>>>>>>>> wrote: >>>>>>>>>> >>>>>>>>>>> Hi all, >>>>>>>>>>> >>>>>>>>>>> *Current behaviour:* >>>>>>>>>>> Currently in AppM, when we are creating XACML policies/Service >>>>>>>>>>> Providers via IS admin services, we are providing the super tenant >>>>>>>>>>> admin >>>>>>>>>>> credentials (where the credentials are stored in a config) to get >>>>>>>>>>> authenticated. Further, XACML policies/Service providers are only >>>>>>>>>>> created >>>>>>>>>>> in super tenant and marked as a SAAS app to be used in tenants. >>>>>>>>>>> >>>>>>>>>>> *Problem:* >>>>>>>>>>> As we are moving for AppM - Cloud integration, we are trying to >>>>>>>>>>> deploy these in relevant tenant spaces. So as a solution we have >>>>>>>>>>> tried to >>>>>>>>>>> use *SAML2SSOAuthenticator*[1] (retrieving a cookie passing >>>>>>>>>>> the SAML response and use the same in subsequent service calls) but >>>>>>>>>>> figured >>>>>>>>>>> that this is not applicable for non admin users. >>>>>>>>>>> (*eg:* In AppM user story, non admin users should be allowed to >>>>>>>>>>> create apps with XAML policies) >>>>>>>>>>> >>>>>>>>>>> Any suggestions for this would be highly appreciated! >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> [1] https://github.com/wso2/carbon-identity/blob/8cd996c1dc6 >>>>>>>>>>> d9e7c0df491322af6e9ddf1cf3709/components/carbon-authenticato >>>>>>>>>>> rs/saml2-sso-authenticator/org.wso2.carbon.identity.authenti >>>>>>>>>>> cator.saml2.sso/src/main/java/org/wso2/carbon/identity/authe >>>>>>>>>>> nticator/saml2/sso/SAML2SSOAuthenticator.java >>>>>>>>>>> >>>>>>>>>>> -- >>>>>>>>>>> *Lahiru Cooray* >>>>>>>>>>> Software Engineer >>>>>>>>>>> WSO2, Inc.;http://wso2.com/ >>>>>>>>>>> lean.enterprise.middleware >>>>>>>>>>> >>>>>>>>>>> Mobile: +94 715 654154 >>>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> -- >>>>>>>>>> *Lahiru Cooray* >>>>>>>>>> Software Engineer >>>>>>>>>> WSO2, Inc.;http://wso2.com/ >>>>>>>>>> lean.enterprise.middleware >>>>>>>>>> >>>>>>>>>> Mobile: +94 715 654154 >>>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> -- >>>>>>>>> Ishara Karunarathna >>>>>>>>> Associate Technical Lead >>>>>>>>> WSO2 Inc. - lean . enterprise . middleware | wso2.com >>>>>>>>> >>>>>>>>> email: isha...@wso2.com, blog: isharaaruna.blogspot.com, >>>>>>>>> mobile: +94717996791 >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> -- >>>>>>>> *Best Regards* >>>>>>>> >>>>>>>> *Rushmin Fernando* >>>>>>>> *Technical Lead* >>>>>>>> >>>>>>>> WSO2 Inc. <http://wso2.com/> - Lean . Enterprise . Middleware >>>>>>>> >>>>>>>> mobile : +94772891266 >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>> >>>>>>> >>>>>>> -- >>>>>>> Ishara Karunarathna >>>>>>> Associate Technical Lead >>>>>>> WSO2 Inc. - lean . enterprise . middleware | wso2.com >>>>>>> >>>>>>> email: isha...@wso2.com, blog: isharaaruna.blogspot.com, >>>>>>> mobile: +94717996791 >>>>>>> >>>>>>> >>>>>>> >>>>>> >>>>>> >>>>>> -- >>>>>> *Best Regards* >>>>>> >>>>>> *Rushmin Fernando* >>>>>> *Technical Lead* >>>>>> >>>>>> WSO2 Inc. <http://wso2.com/> - Lean . Enterprise . Middleware >>>>>> >>>>>> mobile : +94772891266 >>>>>> >>>>>> >>>>>> >>>>>> _______________________________________________ >>>>>> Dev mailing list >>>>>> Dev@wso2.org >>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev >>>>>> >>>>>> >>>>> >>>> >>> >>> >>> -- >>> *Best Regards* >>> >>> *Rushmin Fernando* >>> *Technical Lead* >>> >>> WSO2 Inc. <http://wso2.com/> - Lean . Enterprise . Middleware >>> >>> mobile : +94772891266 >>> >>> >>> >> > > > -- > *Best Regards* > > *Rushmin Fernando* > *Technical Lead* > > WSO2 Inc. <http://wso2.com/> - Lean . Enterprise . Middleware > > mobile : +94772891266 > > >
_______________________________________________ Dev mailing list Dev@wso2.org http://wso2.org/cgi-bin/mailman/listinfo/dev