Implementation using custom authorization with the couple AM/IS to allow X to access only to its own "objects"

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

Implementation using custom authorization with the couple AM/IS to allow X to access only to its own "objects"

Thomas LEGRAND
Hello,

I have a data model where there is an entity X which is bound to n entities Y in my application. This entity X can be identified by a OAuth token generated by the API manager and its account exists on the identity server:


Images intégrées 1
The path to access to this entity Y would be something like /entityY/{entityYId}. This means that a X' identified entity could access to the entities bound to X.

To ensure that an entity X access to only its own entities Y, we would like to implement a layer of authorization on the API Manager where the OAuth token could be use to identify the entity X

I think of two solutions :

- The first one consists of creating an API (via the Publisher) gathering every permutation of /entityY/{entityYId} for each entity X. And then, by creating an application (via the Store) for each entity X to ensure that they have different OAuth token secrets:

Images intégrées 2
That way, we ensure that each of the "identitied" client has its own OAuth key. The main problem is the heavy configuration because each time we have to add a Y or X entity, we have to configure the API Manager.


- The second one is to find a way to retrieve the information concerning the entity X thanks to its OAuth token via the information stored in the user store of the Identity Server. Or even just deduce the X entity to do a custom DB lookup. The main problem is I don't know how to do because I know we can use Mediation Extensions in the API Manager but I don't know how to retrieve information from the IS from the implemented sequence.

- The third one could be to use XACML but, if I understood correctly, that will impose to the client to send some weird XML/JSON body content (like the SAML2 authentication request) each time it will have to access to a resource.

Can you point me in the right direction, please?

Regards,

Thomas

_______________________________________________
Dev mailing list
[hidden email]
http://wso2.org/cgi-bin/mailman/listinfo/dev