Posts

Showing posts from June, 2017

OPA for HTTP Authorization

Open Policy Agent[1] is a promising, lightweight and very generic policy engine for governing authorization in any type of domain. I found this comparison[2] very attractive when evaluating OPA for a project I am currently working on: it demonstrates how OPA can cater for the same functionality defined in RBAC, RBAC with Separation of Duty, ABAC and XACML.
Here are the steps of a brief demonstration of OPA used for HTTP API authorization, based on the sample [3] and taking it a level further.
Running OPA Server

First we need to download OPA from [4], choosing the binary for the operating system we are running on. For Linux:

curl -L -o opa https://github.com/open-policy-agent/opa/releases/download/v0.10.3/opa_linux_amd64

Make it executable:

chmod 755 ./opa

Once done, we can start the OPA policy engine as a server:

./opa run --server

Define Data and Rules

Next we need to load data and authorization rules into the server, so it can make decisions. OPA defines these in files in the .rego format. Below is a sample …

WSO2 Identity Server - Extension Points - Part 2 - OAuth

OAuth2 is widely used in the enterprise today for the authorization aspects of APIs. This is the second post on the extension points available in WSO2 Identity Server, following WSO2 Identity Server - Extension Points - Part 1 - SAML.

All implementations of the following extension points need to be configured in the <IS_HOME>/repository/conf/identity/identity.xml file, under the OAuth element.
1. Custom OAuth Grant Handler
Usage: When we need to support an OAuth flow that differs from the standard grant types. Validates the grant, the scopes, and the access delegation.
Sample: https://docs.wso2.com/display/IS510/Writing+a+Custom+OAuth+2.0+Grant+Type
Interface: org.wso2.carbon.identity.oauth2.token.handlers.grant.AuthorizationGrantHandler
2. Client Auth Handler
Usage: When the client credential authentication needs to be customized. By default we validate the client ID and secret.
Interface: org.wso2.carbon.identity.oauth2.token.handlers.clientauth.ClientAuthenticationHandler
3. OAuthCallbackHandler
An ex…