OPA for HTTP Authorization

Open Policy Agent [1] is a promising, lightweight and very generic policy engine for governing authorization in any type of domain. I found this comparison [2] very useful when evaluating OPA for a project I am currently working on; it demonstrates how OPA can provide the same functionality defined in RBAC, RBAC with Separation of Duty, ABAC and XACML.
Here are the steps of a brief demonstration of OPA used for HTTP API authorization, based on the sample [3] and taking it one level further.

Running OPA Server

First we need to download OPA from [4], choosing the build for the operating system we are running on. For Linux:

curl -L -o opa https://github.com/open-policy-agent/opa/releases/download/v0.10.3/opa_linux_amd64

Make it executable:

chmod 755 ./opa

Once done, we can start the OPA policy engine as a server:

./opa run --server

Define Data and Rules

Next we need to load data and authorization rules into the server, so it can make decisions. OPA defines these in files in the .rego format. Below is a sample …

WSO2 Identity Server 4.5.0 - User Store Management

In this post we will go through a high-level view of user management in WSO2 Carbon products from Kernel 4.2.0 onwards, specifically in WSO2 IS 4.5.0, which is based on this Kernel. These versions add the capability to configure user stores at run time.

org.wso2.carbon.user.core is the OSGi component responsible for handling users in Carbon products. There we have the concept of a 'User Realm', which is a collection of users with attributes. It consists of the following four aspects:
  • User store management
  • Authorization management
  • Claim management
  • Profile configuration management
You can get a clear picture of these four aspects from this blog: http://xacmlinfo.org/2012/06/21/user-core-concepts-in-wso2-identity-server/ . Here we will look into the improvements made to the User Store Management aspect in the newly released version. It provides the capability to configure user stores at run time, even in clustered mode as described in this previous post of mine, using a convenient UI. The following diagram shows how this happens.

In the implementation, once we enter the user name and password, those are sent to the User Store Manager (taken from the User Realm of the tenant, according to the user name) to authenticate.
  • If the user is given as 'user1', the user realm of the super tenant is used. If the user is given as 'user1@wso2.com', the user realm of tenant 'wso2.com' is used. In either case the flow is the same: first, the primary user store manager checks for a matching user with the same credentials.
  • If the user name is correct but the password is wrong, it still does not issue an authentication decision, but continues to check. If there is a matching user it returns and goes to the next step in the flow, which is authorization.
  • If a matching user is not found in the primary user store, the secondary user store manager is used and it looks in the secondary user store for a matching user. Likewise this continues to the end of the user store manager chain. At that point the user is not authenticated, and the information that authentication failed for the provided credentials is returned.
This procedure is not new in the latest version. Plugging in user store managers at run time is what is new. For this we have a UI which can be used to create the configuration file. Once this user store management configuration file is dropped into the relevant folder, the 'Deployment Manager' is triggered and it updates the chain accordingly.
For the super tenant, files go to:
For a general tenant, files go to:
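To make the chain walk concrete, here is an added Python model of the flow just described. It is not WSO2 code: the UserStoreManager and UserRealm classes, the store names PRIMARY and LDAP1, the super tenant domain name 'carbon.super', and the sample users and passwords are all constructed for this illustration. The model keeps the two properties the post calls out: the tenant is resolved from the login name before any store is consulted, and a wrong password in one store does not end the walk, the next store in the chain is still asked.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SUPER_TENANT = "carbon.super"  # assumed name for the super tenant domain


def _digest(password: str) -> str:
    # Constructed stand-in for the store's own password hashing.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


@dataclass
class UserStoreManager:
    """One link in the chain: PRIMARY first, then each secondary store in order."""
    domain: str
    credentials: Dict[str, str]  # user name -> password digest

    def authenticate(self, user: str, password: str) -> bool:
        stored = self.credentials.get(user)
        if stored is None:
            return False
        # Constant-time comparison so a mismatch does not leak via timing.
        return hmac.compare_digest(stored, _digest(password))


@dataclass
class UserRealm:
    """The realm of one tenant: an ordered chain of user store managers."""
    tenant_domain: str
    chain: List[UserStoreManager]

    def authenticate(self, user: str, password: str) -> Tuple[Optional[str], List[str]]:
        """Walk the chain. A wrong password in one store does not stop the walk.
        Returns (domain of the store that matched or None, stores consulted)."""
        consulted: List[str] = []
        for manager in self.chain:
            consulted.append(manager.domain)
            if manager.authenticate(user, password):
                return manager.domain, consulted
        return None, consulted


def split_tenant(login_name: str) -> Tuple[str, str]:
    """'user1' -> ('user1', SUPER_TENANT); 'user1@wso2.com' -> ('user1', 'wso2.com')."""
    if "@" in login_name:
        user, _, tenant = login_name.rpartition("@")
        return user, tenant
    return login_name, SUPER_TENANT


# Constructed sample realms: user1 exists in both super-tenant stores with
# different passwords, so the secondary store can only be reached by
# continuing past a failed primary check.
REALMS: Dict[str, UserRealm] = {
    SUPER_TENANT: UserRealm(SUPER_TENANT, [
        UserStoreManager("PRIMARY", {"user1": _digest("secret1")}),
        UserStoreManager("LDAP1", {"user1": _digest("ldap-pass"),
                                   "user2": _digest("secret2")}),
    ]),
    "wso2.com": UserRealm("wso2.com", [
        UserStoreManager("PRIMARY", {"user1": _digest("tenant-pass")}),
    ]),
}


def login(login_name: str, password: str, realms: Dict[str, UserRealm] = REALMS) -> dict:
    """Resolve the tenant from the login name, then authenticate against its chain."""
    user, tenant = split_tenant(login_name)
    realm = realms.get(tenant)
    if realm is None:
        # No realm for this tenant: nothing is consulted, no decision beyond failure.
        return {"authenticated": False, "tenant": tenant, "store": None, "consulted": []}
    store, consulted = realm.authenticate(user, password)
    return {"authenticated": store is not None, "tenant": tenant,
            "store": store, "consulted": consulted}


if __name__ == "__main__":
    for name, pw in [("user1", "secret1"), ("user1", "ldap-pass"),
                     ("user1", "wrong"), ("user1@wso2.com", "tenant-pass")]:
        print(name, "->", login(name, pw))
```

The `consulted` list in the result is what a defender would log: it shows which stores were asked for a given attempt, and makes it visible that a failed primary lookup still costs a round trip to every secondary store behind it.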

How Configurations are Populated in Cluster

The user store configurations are populated across a cluster using the 'SVN based deployment synchronizer' component of WSO2 Carbon. Once this is correctly enabled in the cluster, the modifications we make on the primary node are committed to the SVN repository. Once the commit is done, this node sends a cluster message so that the other nodes check the changes out from the SVN repository. The modifications are then checked out into the relevant folders. With this, the 'Deployment Manager' of each node is triggered and the single-node flow described above starts.

You can try this out by following this post.



  1. Hi, Pushpalanka

    Thank you very much for these blogs. I have a question on the basics of using wso2is. When authenticating a user, we could use AuthenticationAdminStub.login(). It seems the store management service offers another way of authenticating a user via UserStoreManager.authenticate(). I am a little confused here. Which one should be used to log in a user? What is the difference between these two service calls?


    1. Hi,

      The authenticate method inside the UserStoreManagers just does the authentication step of letting a user log in. This means it just checks whether the user-submitted user name and password match what is in the user store.

      Authentication is actually just one step of the login process. In addition, we set the environment parameters for the user and do authorization during the login procedure.
      Hope this helps.


    2. Thanks, Pushpalanka. This definitely helps.


  3. Is there a way that we can integrate Identity Server with Facebook login? What I'm interested in is, when the user logs in to Facebook or Twitter through WSO2 IS, the user will have a valid IS SSO session for multiple web applications. I wonder whether that is possible through OAuth? I'm currently evaluating an identity server and it would be nice if you could provide an answer. This is already possible in JASIG CAS.

  4. Yes, this is possible through OAuth and WSO2 IS supports this. You can read about WSO2 OAuth support at http://nallaa.wordpress.com/2013/07/25/oauth-2-0-with-wso2-identity-server/. This Facebook sample in the WSO2 SVN will help you as well: http://svn.wso2.org/repos/wso2/carbon/platform/branches/turing/samples/ .

  5. Hi Pushpalanka,

    Nice to know that this is possible in WSO2 IS. The Facebook example you provided does not seem to have any direct relationship with the WSO2 IS SSO scenario that I'm talking about. Would you be able to provide a more dependable example where I can integrate Facebook login and IS SSO?

