
OpenAz – OAuth 2.0


paiva




Presentation Transcript


  1. OpenAz – OAuth 2.0 Simulation of OAuth Message Sequence and Authorization Decisions

  2. What’s real and what’s simulated
  • What’s simulated:
    • There is no HTTP; everything is in one JVM.
    • HTTP messages are replaced by method calls between Java objects.
    • There is one Java object for each of the following OAuth entities:
      • Authorization Server
      • Resource Owner Browser
      • Client Application
      • Resource Server

  3. What’s real and what’s simulated (cont)
  • What’s real:
    • The data elements in the method calls contain the same information that would be in the corresponding HTTP messages.
    • The method calls in the authorization server generate PepApi decide() calls which, using a PepApi Mapper, convert the data elements to XACML Attributes in a RequestContext.
    • The RequestContext is submitted to the SunXacml PDP.
    • The SunXacml PDP evaluates the RequestContext against XACML PolicySets.
    • Therefore, in theory, if an HTTP Servlet binding were attached to this “Authorization Server”, it could serve as a real prototype for an Authorization Service in a real OAuth environment.

  4. What is the purpose?
  • First, to show how XACML Policy can be used to implement the Authorization Service decision logic.
  • Second, to show how the OpenAz PepApi can be used with the information in the HTTP requests to make authorization calls to a XACML PDP.
  • Third, to show how the existing OpenAz PepApi/AzApi/SunXacml reference implementation can be used as a starting point to build a real OAuth Authorization Service.

  5. How to download, build, and run the simulation
  • To download:
    • First go to the OpenAzTutorial javadoc URL: http://openaz.svn.sourceforge.net/viewvc/openaz/test/doc/index.html?tutorial/OpenAzTutorial.html which is the OpenAz project javadoc; it has a link to the project page, where you can download the project. Click on that link.
    • To download the project, click on “Download GNU Tarball File” and save the file into a directory of your choice, referred to as “<TopOfProject>”, where you should now have a file called: openaz.tar.gz
    • Finally: unzip the downloaded file in place so that all files go in <TopOfProject>\openaz\…

  6. How to download, build, and run the simulation (cont)
  • To build:
    • Start a command prompt and execute the following instructions:
      cd <TopOfProject>
      cd openaz\test\build
      ant clean
      ant
    • That’s it. It should have built. If not, call technical support

  7. How to download, build, and run the simulation (cont)
  • To run:
    • First, as a sanity check, run the tutorial by executing the following commands from the command prompt of the previous slide:
      cd \Notes\Downloads\OpenAz\V116\openaz\test\bin
      set baseline=\Notes\Downloads\OpenAz\V116\openaz
      java -cp .;%baseline%\pep\bin;%baseline%\pdp\bin;%baseline%\azapi\bin;%baseline%\lib\jakarta-commons\commons-logging.jar;%baseline%\pdp\lib\sunxacml.jar tutorial.OpenAzTutorial %baseline%\test\policy\OpenAz-Pseudo-Test-Policy.txt
    • To run the OAuth simulation, all you need to do is execute the following command:
      java -cp .;%baseline%\pep\bin;%baseline%\pdp\bin;%baseline%\azapi\bin;%baseline%\lib\jakarta-commons\commons-logging.jar;%baseline%\pdp\lib\sunxacml.jar test.OAuthSimulator ..\request\sensitive.xml ..\policy\Test*.xml

  8. Diagram of Simulation
  [Figure: block diagram of the simulation. Components shown: OAuth-Simulator, OaResource-Owner, OaClient, OaAzServer, OaResource-Server, Shorthand Xacml PolicySet, PepApi, AzService, OpenAz PolicyReader, SunXacml PDP, XacmlPolicyBuilder, SunXacml Api, Xacml PolicySet.]

  9. Comments on Diagram
  • The four boxes in the upper right represent the OAuth message sequence, explained more here: http://openaz.svn.sourceforge.net/viewvc/openaz/test/doc/index.html?test/OAuthSimulator.html
  • The XACML shorthand policies are manually typed using any editor (e.g. notepad) and are explained more in the following slides.
  • The OpenAzPolicyReader may be run from the command prompt; it reads the XACML shorthand policies, uses the SunXacml Api to build SunXacml Policy objects, and then serializes those objects to XACML XML, which are official XACML Policies that can be used by the SunXacml PDP.

  10. Xacml Shorthand Policies
  • The XACML shorthand policies used by the OAuth simulation will be briefly described.
  • The full PolicySet is part of the OpenAz install and may be found in: <TopOfProject>\openaz\test\policy\TestAzApi-OpenAz-OAuth-Pseudo-Policy.txt
  • The OAuth part of this full PolicySet is in the 2nd half of the above file and is contained in “PolicySet (PS10,in:PS1)”.

  11. Xacml Shorthand (cont)
  • The main OAuth PolicySet contains 3 sub-PolicySets, one for each OAuth endpoint:
    PolicySet (PS10,in:PS1) ( cb:opo id:OAuth2-TopLevel-PolicySet mlev:1 desc:PS10,in=PS1 )
      Target(PolicySet)
      PolicySet (PS10-1,in:PS10) ( cb:do id:OAuth2-Val-URI-PolicySet mlev:2 desc:PS10-1,in=PS10 )
        Target(PolicySet)
          TR (vl-endpt-uri,"http://az-svr/vl-endpt/" dt:string mtId:str-eq fnId:! issuer:! mbp:f )
      PolicySet (PS10-2,in:PS10) ( cb:do id:OAuth2-Az-URI-PolicySet mlev:2 desc:PS10-2,in=PS10 )
        Target(PolicySet)
          TR (az-endpt-uri,"http://az-svr/az-endpt/" dt:string mtId:str-eq fnId:! issuer:! mbp:f )
      PolicySet (PS10-3,in:PS10) ( cb:do id:OAuth2-Tk-URI-PolicySet mlev:2 desc:PS10-3,in=PS10 )
        Target(PolicySet)
          TR (tk-endpt-uri,"http://az-svr/tk-endpt/" dt:string mtId:str-eq fnId:! issuer:! mbp:f )
  • Syntax of params is: ( [<name>:<value>] * )
  • mlev:n is the nesting level of PolicySets

  12. Xacml Shorthand (cont)
  • A typical Policy filters out NotApplicables using attribute comparisons in its Target (described on the next slide):
    Policy (P10-1-2,in:PS10-1) ( cb:ord-po id:OAuth2-Val-URI-Token-Policy desc:P10-1-2,in=PS10-1 )
      Target(Policy)
        TS (res-svr,"http://res-svr/" dt:string mtId:str-eq fnId:! issuer:! mbp:f )
        + (token-present,"true" dt:boolean mtId:boo-eq fnId:! issuer:! mbp:f )
        // Note: could have a rule for token not valid and what to return
        + (token-valid,"true" dt:boolean mtId:boo-eq fnId:! issuer:! mbp:f )
        TR (res-id,"oauth-access-token-confirmation" dt:string mtId:str-eq fnId:! issuer:! mbp:f )
        TA (act-id,"return-token-confirmation" dt:string mtId:str-eq fnId:! issuer:! mbp:f )
      Rules(Policy)
        Rule ( ef:Permit id:FinalRule )
          Target(Rule)
      Obligations(Policy)
        Obligation ( fulfillOn:Permit id:ReturnAccessTokenValid )
          OA (return-confirmation,"true" dt:boolean mtId:! fnId:! issuer:! mbp:f )

  13. Xacml Shorthand (cont)
  • The following describes the Policy in the previous slide:
    • There are 3 subject attributes, each of which must meet its specified criteria:
      • The attribute named “res-svr” must have value: “http://res-svr/”
      • The attribute named “token-present” must be boolean with value “true”
      • The attribute named “token-valid” must be boolean with value “true”
    • There is 1 resource attribute:
      • The attribute named “res-id” must have value: “oauth-access-token-confirmation”
    • There is 1 action attribute:
      • The attribute named “act-id” must have value: “return-token-confirmation”
    • There is 1 obligation that is returned on a “Permit” with:
      • An attribute named “return-confirmation” with value: “true”
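The following is an added example, not code from the OpenAz project or from these slides. It puts slides 3 and 11–13 together in one small runnable piece: a parser for the TS/TR/TA/OA attribute-match lines of the shorthand syntax shown above, a "mapper" step that turns the data elements of the (simulated) token-validation message into typed attributes grouped by XACML category, and an evaluator that applies the Target of Policy P10-1-2 and returns the Permit obligation. The function names, the message field names and the token store are assumptions made for this example; the real OpenAz PepApi Mapper and the SunXacml PDP are not used. Note the mbp:f (MustBePresent=false) semantics: a missing attribute makes the match fail and the decision NotApplicable rather than Indeterminate.

```python
import re
from dataclasses import dataclass

# Target and Obligation lines of Policy P10-1-2 (slide 12), embedded as a
# constructed string so the example runs offline. The "//" comment line and
# the structural lines (Policy/Target/Rules/...) are not attribute matches
# and are skipped by the parser.
POLICY_SHORTHAND = """\
TS (res-svr,"http://res-svr/" dt:string mtId:str-eq fnId:! issuer:! mbp:f )
+ (token-present,"true" dt:boolean mtId:boo-eq fnId:! issuer:! mbp:f )
// Note: could have a rule for token not valid and what to return
+ (token-valid,"true" dt:boolean mtId:boo-eq fnId:! issuer:! mbp:f )
TR (res-id,"oauth-access-token-confirmation" dt:string mtId:str-eq fnId:! issuer:! mbp:f )
TA (act-id,"return-token-confirmation" dt:string mtId:str-eq fnId:! issuer:! mbp:f )
OA (return-confirmation,"true" dt:boolean mtId:! fnId:! issuer:! mbp:f )
"""

# Shorthand prefix -> XACML attribute category; "+" continues the previous prefix.
CATEGORY = {"TS": "subject", "TR": "resource", "TA": "action", "OA": "obligation"}
# Python type an attribute must have for the given mtId match function.
EXPECTED_TYPE = {"str-eq": str, "boo-eq": bool}
LINE_RE = re.compile(r'^(TS|TR|TA|OA|\+)\s*\(\s*([^,]+),"([^"]*)"([^)]*)\)')


@dataclass
class Match:
    category: str   # subject / resource / action / obligation
    name: str       # attribute id, e.g. "token-valid"
    value: object   # literal already coerced to its dt: data type
    match_id: str   # mtId: str-eq, boo-eq, or "!" (none, obligation attrs)


def coerce(dt, raw):
    """Apply the shorthand dt: data type to a quoted literal."""
    if dt == "boolean":
        return raw.lower() == "true"
    return raw


def parse_shorthand(text):
    """Parse TS/TR/TA/OA (and '+' continuation) lines into Match objects."""
    matches, prev_category = [], None
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        prefix, name, raw, param_text = m.groups()
        # params follow the "( [<name>:<value>] * )" syntax of slide 11
        params = dict(p.split(":", 1) for p in param_text.split())
        category = prev_category if prefix == "+" else CATEGORY[prefix]
        matches.append(Match(category, name.strip(),
                             coerce(params["dt"], raw), params["mtId"]))
        prev_category = category
    return matches


def build_request_context(msg, valid_tokens):
    """Hypothetical mapper step: data elements of the token-validation message
    become typed attributes in a RequestContext, grouped by category."""
    token = msg.get("token")
    return {
        "subject": {"res-svr": msg.get("res-svr"),
                    "token-present": token is not None,
                    "token-valid": token is not None and token in valid_tokens},
        "resource": {"res-id": msg.get("res-id")},
        "action": {"act-id": msg.get("act-id")},
    }


def decide(matches, ctx):
    """Evaluate the Target: every TS/TR/TA match must hold. A missing or
    mistyped attribute (mbp:f) fails the match, giving NotApplicable."""
    for m in matches:
        if m.category == "obligation":
            continue
        actual = ctx.get(m.category, {}).get(m.name)
        if not isinstance(actual, EXPECTED_TYPE[m.match_id]) or actual != m.value:
            return "NotApplicable", {}
    # Target matched: the single Rule (ef:Permit, empty Target) yields Permit,
    # and the Obligation with fulfillOn:Permit is returned alongside it.
    obligations = {m.name: m.value for m in matches if m.category == "obligation"}
    return "Permit", obligations


POLICY = parse_shorthand(POLICY_SHORTHAND)
VALID_TOKENS = {"tok-constructed-1"}   # constructed token store for the example


def validate_token_request(msg):
    """Simulated validation endpoint of the authorization server object:
    message -> RequestContext -> decision (replaces an HTTP round trip)."""
    return decide(POLICY, build_request_context(msg, VALID_TOKENS))


if __name__ == "__main__":
    good = {"res-svr": "http://res-svr/", "token": "tok-constructed-1",
            "res-id": "oauth-access-token-confirmation",
            "act-id": "return-token-confirmation"}
    print(validate_token_request(good))                        # Permit + obligation
    print(validate_token_request({**good, "token": "bogus"}))  # NotApplicable
```

Only the attribute-match lines are parsed here; the PolicySet nesting, combining algorithms (cb:) and the Rule/Obligation structure of the shorthand are hard-wired as the single Permit rule that slide 12 shows, which is enough to see why a bad or absent token yields NotApplicable from this Policy rather than Deny.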
