Re: [Architecture] IS550: Oauth Role or XACML scope validation

2018-05-08 Thread Senthalan Kanagalingam
Hi,

Scope validation for OAuth tokens will be applied during the token
validation time. The XACML policies with the action-name "token_validation"
will be applied at token validation time.  In
"scope_based_token_validation_policy_template", you need to update the
"sp-name" and "scope-name" according to your need.

   - If you registered the SP name "playground2", then change sp-name to
   "playground2".
   - If you are going to validate the scope "openId", change the scope-name
   to "openId".
   - Publish the policy to PDP.
   - You have to request with scope name in the 2nd step.

 # <client_id>:<client_secret> and <password> are placeholders for values elided in the archive
 curl -u <client_id>:<client_secret> -k \
   -d "grant_type=password&username=user1&password=<password>&scope=openId" \
   -H "Content-Type: application/x-www-form-urlencoded" \
   https://localhost:9443/oauth2/token

   - Then try to validate the access token,

# <username>:<password> and <access_token> are placeholders for values elided in the archive
curl -k -u <username>:<password> \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -X POST --data 'token=<access_token>' \
  https://localhost:9443/oauth2/introspect

Now only the published policy will be applied.

Thanks,
Senthalan.

On Sat, May 5, 2018 at 10:39 AM Farasath Ahamed  wrote:

>
>
> On Friday, May 4, 2018, Vadim Kimlaychuk 
> wrote:
>
>> Dear architects,
>>
>>   I am trying to implement validation for OAuth tokens described here:
>> https://docs.wso2.com/display/IS560/Validating+the+Scope+of+OAuth+Access+Tokens+using+XACML+Policies.
>> Since this example failed for me I have tried to do something similar with role
>> validation described here:
>> https://docs.wso2.com/display/IS560/Configuring+Access+Control+Policy+for+a+Service+Provider.
>> When neither of them worked I started to investigate the logs of the server and
>> saw that no validation seems to happen. Should I write some
>> module/class and register it to make it work, or should configuration through the UI
>> be enough?
>>
>>   My test scenario with IS 5.5.0 and curl is the following:
>>
>>1. Registered SP Playground2 with OAuth2/OpenID Connect
>>configuration. "Authorization", "SaaS", "Role based scope validator" and
>>"XACML Scope Validator" options are enabled
>>2. curl -u <client_id>:<client_secret> -k -d
>>"grant_type=password&username=user1&password=<password>" -H
>>"Content-Type: application/x-www-form-urlencoded"
>>https://localhost:9443/oauth2/token works and I got an access token
>>3. Created PAP from auth_role_based_policy where user "user" is
>>"denied" because he is not in a role. Checked it with "Try" -- works
>>4. Published to PDP
>>5. Tried curl to issue a new token -- token issued as before. No
>>restriction for the user
>>
>>   Maybe I am using it in a wrong way?
>>
>> Thanks in advance,
>>
>> Vadim
>>
>
>
> --
> Farasath Ahamed
> Senior Software Engineer, WSO2 Inc.; http://wso2.com
> Mobile: +94777603866
> Blog: blog.farazath.com
> Twitter: @farazath619 
> 
>
>
>
>
>

-- 

Senthalan Kanagalingam
Software Engineer - WSO2 Inc.
Mobile : +94 (0) 77 18 77 466

___
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
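An added example, not code from the thread or from WSO2: a small Python script that runs the two steps Senthalan lists (password grant carrying the scope, then introspection of the issued token) and interprets the result. The host and endpoints are the ones in the thread; the client id/secret, the user's password and the introspection credentials are placeholders, and the script assumes, as the reply implies, that a policy deny at token validation shows up as an inactive token in the introspection response.

```python
import base64
import json
import ssl
import urllib.parse
import urllib.request

BASE_URL = "https://localhost:9443"  # host used in the thread
TOKEN_ENDPOINT = BASE_URL + "/oauth2/token"
INTROSPECT_ENDPOINT = BASE_URL + "/oauth2/introspect"


def form_body(fields):
    """Encode fields as application/x-www-form-urlencoded (the '&' separators
    are exactly what the list archive stripped from the quoted curl lines)."""
    return urllib.parse.urlencode(fields).encode()


def basic_auth(user, secret):
    """Header equivalent of curl -u user:secret."""
    token = base64.b64encode(f"{user}:{secret}".encode()).decode()
    return {"Authorization": "Basic " + token}


def password_grant_fields(username, password, scope):
    """Step 2 of the reply: the token request must carry the scope name."""
    return {"grant_type": "password", "username": username,
            "password": password, "scope": scope}


def policy_verdict(introspection):
    """Interpret an RFC 7662 introspection response: an inactive token means
    the validator (here the published XACML policy) rejected it (assumption)."""
    if not introspection.get("active"):
        return "denied"
    return "allowed:" + " ".join(sorted(introspection.get("scope", "").split()))


def post_form(url, fields, auth):
    """POST a form with HTTP Basic auth; trusts the self-signed dev cert like curl -k."""
    ctx = ssl.create_default_context()
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE  # lab instance only
    req = urllib.request.Request(url, data=form_body(fields), method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded", **auth})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.loads(resp.read().decode())


if __name__ == "__main__":
    # Placeholders: replace with the SP's client credentials, a test user and an introspection user.
    tok = post_form(TOKEN_ENDPOINT, password_grant_fields("user1", "<password>", "openId"),
                    basic_auth("<client_id>", "<client_secret>"))
    info = post_form(INTROSPECT_ENDPOINT, {"token": tok["access_token"]},
                     basic_auth("<admin_user>", "<admin_password>"))
    print(policy_verdict(info))
```

Run it once before publishing the policy and once after; the verdict changing from "allowed:openId" to "denied" confirms the policy is being evaluated at validation time.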


Re: [Architecture] IS550: Oauth Role or XACML scope validation

2018-05-04 Thread Farasath Ahamed
On Friday, May 4, 2018, Vadim Kimlaychuk 
wrote:

> Dear architects,
>
>   I am trying to implement validation for OAuth tokens described here:
> https://docs.wso2.com/display/IS560/Validating+the+Scope+of+OAuth+Access+Tokens+using+XACML+Policies.
> Since this example failed for me I have tried to do something similar with role
> validation described here:
> https://docs.wso2.com/display/IS560/Configuring+Access+Control+Policy+for+a+Service+Provider.
> When neither of them worked I started to investigate the logs of the server and
> saw that no validation seems to happen. Should I write some module/class and
> register it to make it work, or should configuration through the UI be enough?
>
>   My test scenario with IS 5.5.0 and curl is the following:
>
>1. Registered SP Playground2 with OAuth2/OpenID Connect configuration.
>"Authorization", "SaaS", "Role based scope validator" and "XACML Scope
>Validator" options are enabled
>2. curl -u <client_id>:<client_secret> -k -d
>"grant_type=password&username=user1&password=<password>"
>-H "Content-Type: application/x-www-form-urlencoded"
>https://localhost:9443/oauth2/token
>works and I got an access token
>3. Created PAP from auth_role_based_policy where user "user" is
>"denied" because he is not in a role. Checked it with "Try" -- works
>4. Published to PDP
>5. Tried curl to issue a new token -- token issued as before. No
>restriction for the user
>
>   Maybe I am using it in a wrong way?
>
> Thanks in advance,
>
> Vadim
>


-- 
Farasath Ahamed
Senior Software Engineer, WSO2 Inc.; http://wso2.com
Mobile: +94777603866
Blog: blog.farazath.com
Twitter: @farazath619 



[Architecture] IS550: Oauth Role or XACML scope validation

2018-05-04 Thread Vadim Kimlaychuk

Dear architects,

  I am trying to implement validation for OAuth tokens described here:
https://docs.wso2.com/display/IS560/Validating+the+Scope+of+OAuth+Access+Tokens+using+XACML+Policies.
Since this example failed for me I have tried to do something similar with role
validation described here:
https://docs.wso2.com/display/IS560/Configuring+Access+Control+Policy+for+a+Service+Provider.
When neither of them worked I started to investigate the logs of the server and
saw that no validation seems to happen. Should I write some
module/class and register it to make it work, or should configuration through the UI
be enough?


  My test scenario with IS 5.5.0 and curl is the following:

1. Registered SP Playground2 with OAuth2/OpenID Connect configuration.
   "Authorization", "SaaS", "Role based scope validator" and "XACML
   Scope Validator" options are enabled
2. curl -u <client_id>:<client_secret> -k -d
   "grant_type=password&username=user1&password=<password>" -H
   "Content-Type: application/x-www-form-urlencoded"
   https://localhost:9443/oauth2/token works and I got an access token
3. Created PAP from auth_role_based_policy where user "user" is
   "denied" because he is not in a role. Checked it with "Try" -- works
4. Published to PDP
5. Tried curl to issue a new token -- token issued as before. No
   restriction for the user

  Maybe I am using it in a wrong way?

Thanks in advance,

Vadim
