OASIS Mailing List Archives


xacml message



Subject: openaz: xacml oauth demo policy model - as discussed @ 5/11 tc mtg


As mentioned in yesterday's minutes:
https://lists.oasis-open.org/archives/xacml/201705/msg00002.html
  Rich:
   The OpenAZ demo on the TC site does a good job of demonstrating how
    OAuth can be implemented in conjunction with XACML.
  Bill:
   I think it would be worthwhile to see if we can find a way to bump this up.
   I think we were ahead of the curve here.
The OpenAz project demonstrated how to implement a baseline OAuth Authorization Server
using XACML policies.

Basically, there were 3 endpoints, each of which would trigger activation of a distinct PolicySet
for requests that went to:
/authorize
/token
/validate (now called /introspect)
The policies were written in a pre-ALFA pseudo-policy language, which would then be parsed
and translated into standard XACML.

The pseudo language (called "xacml shorthand") is easier to follow than the pure XACML, but links to both follow
for reference:
pseudo-language for basic OAuth AzSvr:
https://sourceforge.net/p/openaz/code/HEAD/tree/branches/RB-1.2/openaz/test/policy/TestAzApi-OAuth-Only-Pseudo-Policy.txt
generated xacml from above for basic OAuth AzSvr:
https://sourceforge.net/p/openaz/code/HEAD/tree/branches/RB-1.2/openaz/test/policy/TestAzApi-OAuth-Only-Generated-Policy.xml
So, basically, a quick reading of the .txt file above shows comments on the 3 main policysets:
/authorize endpoint: comment lines 53->56 for PS 10-2
// This PolicySet is for the AUTHORIZATION ENDPOINT (az-endpt-uri), where the client
// redirects the request so the res-owner/user can authorize it.
// The first policy is to authorize the client-id;
//  the second is to authenticate and authorize the user
//    and to approve the generation of the "authorization code"


/token endpoint: comment lines: 116->117 for PS 10-3
// This PolicySet is for the TOKEN ENDPOINT (tk-endpt-uri) for the issuance of access tokens
// based on valid client creds and authorization code

/validate endpoint: comment lines: 10->12 for PS 10-1
// This PolicySet is for the VALIDATION ENDPOINT (vl-endpt-uri) where the
// resource-server will be looking for either a token validation (/introspect)
// or a redirect uri (basically /discovery).
// The resource being used is the validation service at vl-endpt-uri

Feel free to ask any questions. The main web-site contains all the directions for
downloading, building, running, etc. (RB 1.2 was the last version before it was
moved to the Apache Incubator.)
https://sourceforge.net/p/openaz/code/HEAD/tree/branches/RB-1.2/

  Thanks,
  Rich
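The structure Rich describes, one PolicySet per OAuth endpoint selected by the endpoint URI the request is aimed at, can be sketched as a toy PDP. The block below is an added example, not OpenAZ code and not a translation of the linked policies: the endpoint URIs (`AZ_ENDPT_URI`, `TK_ENDPT_URI`, `VL_ENDPT_URI`), the attribute names (`resource-id`, `client-id`, `user`, `code`, `token`, `resource-server`), the client, user, code and token values, and the deny-overrides combining are all assumptions made for illustration. Each function plays the role of one Policy from the comments quoted above; `decide` is the root PolicySet whose Target dispatch on `resource-id` picks PS 10-1, 10-2 or 10-3.

```python
"""Toy XACML-style PDP for a three-endpoint OAuth Authorization Server.

Added example, not OpenAZ code: the endpoint URIs, client/user/code/token
values and the attribute names are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

# Constructed back-end state (stands in for what a PIP would supply).
REGISTERED_CLIENTS: Dict[str, str] = {"client-abc": "s3cr3t", "client-xyz": "0th3r"}
AUTHENTICATED_USERS = {"alice"}
AUTH_CODES = {"code-123": "client-abc"}      # code -> client it was issued to
ACCESS_TOKENS = {"tok-999": "client-abc"}    # token -> client it was issued to
RESOURCE_SERVERS = {"rs-1"}

# Each PolicySet's Target matches on the endpoint URI carried as resource-id
# (hypothetical URIs).
AZ_ENDPT_URI = "https://as.example/authorize"
TK_ENDPT_URI = "https://as.example/token"
VL_ENDPT_URI = "https://as.example/introspect"

Request = Dict[str, str]
Policy = Callable[[Request], str]


@dataclass
class PolicySet:
    name: str
    target_resource: str     # Target: applies only to this resource-id
    policies: List[Policy]   # combined with deny-overrides


# PS 10-2 (/authorize): the first policy authorizes the client-id ...
def authorize_client(req: Request) -> str:
    return PERMIT if req.get("client-id") in REGISTERED_CLIENTS else DENY


# ... the second authenticates the user and approves issuing the authorization code.
def authorize_user(req: Request) -> str:
    if req.get("user") in AUTHENTICATED_USERS and req.get("action") == "issue-code":
        return PERMIT
    return DENY


# PS 10-3 (/token): an access token only for valid client creds plus a code
# that was issued to that same client (a code presented by another client is denied).
def token_issuance(req: Request) -> str:
    client = req.get("client-id")
    if client not in REGISTERED_CLIENTS or REGISTERED_CLIENTS[client] != req.get("client-secret"):
        return DENY
    return PERMIT if AUTH_CODES.get(req.get("code", "")) == client else DENY


# PS 10-1 (/introspect): only a known resource server may introspect a token
# or fetch discovery information.
def validation(req: Request) -> str:
    if req.get("resource-server") not in RESOURCE_SERVERS:
        return DENY
    if req.get("action") == "introspect":
        return PERMIT if req.get("token") in ACCESS_TOKENS else DENY
    if req.get("action") == "discovery":
        return PERMIT
    return DENY


POLICY_SETS = [
    PolicySet("PS 10-1 validation", VL_ENDPT_URI, [validation]),
    PolicySet("PS 10-2 authorization", AZ_ENDPT_URI, [authorize_client, authorize_user]),
    PolicySet("PS 10-3 token", TK_ENDPT_URI, [token_issuance]),
]


def deny_overrides(results: List[str]) -> str:
    """Any Deny wins; otherwise any Permit; otherwise NotApplicable."""
    if DENY in results:
        return DENY
    if PERMIT in results:
        return PERMIT
    return NOT_APPLICABLE


def decide(req: Request) -> str:
    """Root PolicySet: dispatch on resource-id, then combine the matching set's policies."""
    applicable = [ps for ps in POLICY_SETS if ps.target_resource == req.get("resource-id")]
    if not applicable:
        return NOT_APPLICABLE   # no Target matched: not one of the three endpoints
    return deny_overrides(
        [deny_overrides([p(req) for p in ps.policies]) for ps in applicable]
    )


if __name__ == "__main__":
    # Constructed request: the user approving a code for a registered client.
    print(decide({"resource-id": AZ_ENDPT_URI, "client-id": "client-abc",
                  "user": "alice", "action": "issue-code"}))
```

The point of keying the Target on the endpoint URI is that a request aimed at an unknown endpoint falls through to NotApplicable rather than being evaluated against the wrong PolicySet, and a client presenting an authorization code issued to a different client is denied at /token even though its own credentials are valid.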




