FI-WARE Access Control GE (Part 4) - Access Control GE API & IdM GE Integration
1. Follow @FIWARE #FIWARE-AZ on Twitter!
The FI-WARE Project – Base Platform for Future Service Infrastructures
FI-WARE API Access Control GE
Part 4 – AC GE API & IdM GE Integration Cyril DANGERVILLE, Thales
FI-WARE / WP8 / T8.2
fiware-api-cross@lists.fi-ware.eu
2. AC GE Setup after IdM GE OAuth Setup
1. Access Control GE steps (contact: Thales (C. Dangerville))
1. Request new policy admin domain (≈ tenant) for your Use Case
2. Set the access control policy (XACML <PolicySet>)
3. Option 1 & 2: set PDP attribute finders to get attributes from the OAuth Access Token and from the REST API of the IdM GE
2. Implement/Configure your PEP depending on your option (1, 2 or 3)
3. Access Control GE – Policy Admin API (XACML PAP)
WADL (REST)
Update access control <PolicySet> (XACML)
PUT https://_HOST_/authz/domains/{domainId}/pap/policySet
Body: XACML <PolicySet>
Example of simple RBAC policyset
Example of <PolicySet> with <Obligations> providing attributes in the PDP response to the PEP (Option 1 & 2)
4. Access Control Policy Admin API – Attribute Finders (Option 1 & 2)
PUT https://_HOST_/authz/domains/{domainId}/pap/attributeFinders
JWT Attribute Finder (Option 1 only)
Signature/Timestamp/Audience Validation
JSON Parsing into XACML attributes
JWS (JSON Web Signature):
eyJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJnY3AiLCJhdWQiOiJodHRwczovL2FjbWUuY29tL215dGFyZ2V0c2VydmljZSIsImlhdCI6MTM3MDQ1MDY1MCwibmJmIjoxMzcwNDUwNTkwLCJleHAiOjEzNzA0Nzk0NTAsImp0aSI6IjQwYmMwZGU0LTUyMWMtNDNjMC1iNzIyLWFmZjUyYTA2ZGY5ZiIsImh0dHA6Ly9nY3AudGVsZWtvbS5kZS9heHNjaGVtYS9maXJzdG5hbWUiOiJDeXJpbCIsImh0dHA6Ly9nY3AudGVsZWtvbS5kZS9heHNjaGVtYS9lbWFpbCI6ImN5cmlsLmRhbmdlcnZpbGxlKzdAZ21haWwuY29tIiwiaHR0cDovL2djcC50ZWxla29tLmRlL2F4c2NoZW1hL2xhc3RuYW1lIjoiRGFuZ2VydmlsbGU3IiwiaHR0cDovL2djcC50ZWxla29tLmRlL2F4c2NoZW1hL3RlbmFudCI6eyJodHRwOi8vZ2NwLnRlbGVrb20uZGUvYXhzY2hlbWEvdGVuYW50SWQiOiIxMDAwMDA5NSJ9LCJodHRwOi8vZ2NwLnRlbGVrb20uZGUvYXhzY2hlbWEvZ2NwaWQiOiIyMDEwMTAwMDAwOTUwNjAyNDQxMDUwNDMwNzYyIn0.tR42ucSzliZkX9V1KCztN7RonNA1f1-mXtEHu82s5hw
eyJhbGciOiJIUzI1NiJ9 -> {"alg":"HS256"} -> HMAC SHA-256
JWT (JWS payload) + signature
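As an added example, not part of the deck or of the Access Control GE code, the following Python sketches the three validation steps the JWT Attribute Finder is described as performing (signature, timestamps, audience) and the last one (JSON claims parsed into XACML attributes). The shared HMAC key, the expected issuer/audience and the sample claims are constructed for this example; the claim shape (URI-named claims, a nested tenant object) only mirrors the token shown on the slide. The finder side pins the algorithm to HS256 and uses a constant-time comparison, so a token that names another algorithm or carries a forged signature is refused before any claim is trusted.

```python
import base64, hashlib, hmac, json, time

# Constructed for this example: the HMAC key shared by the token issuer (IdM GE)
# and the PDP attribute finder, plus the issuer/audience the finder is configured for.
SHARED_SECRET = b"constructed-example-key-not-for-production"
EXPECTED_ISSUER = "gcp"
EXPECTED_AUDIENCE = "https://acme.com/mytargetservice"

XACML_ACCESS_SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
XSD = "http://www.w3.org/2001/XMLSchema#"

# Constructed claims shaped like the token on the slide: URI-named attribute claims
# and a nested tenant object whose inner key is itself a URI.
SAMPLE_CLAIMS = {
    "iss": "gcp", "aud": "https://acme.com/mytargetservice",
    "iat": 1370450650, "nbf": 1370450590, "exp": 1370479450,
    "http://gcp.telekom.de/axschema/firstname": "Cyril",
    "http://gcp.telekom.de/axschema/tenant": {"http://gcp.telekom.de/axschema/tenantId": "10000095"},
}


class TokenInvalid(Exception):
    """Raised when the JWS fails any validation step."""


def b64url_decode(text):
    text += "=" * (-len(text) % 4)  # restore the padding that JWS strips
    return base64.urlsafe_b64decode(text)


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def mint_token(claims, secret=SHARED_SECRET):
    """Issuer side: compact JWS header.payload.signature with HS256."""
    header = b64url_encode(json.dumps({"alg": "HS256"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(signature)}"


def verify_token(token, secret=SHARED_SECRET, audience=EXPECTED_AUDIENCE,
                 issuer=EXPECTED_ISSUER, now=None, leeway=0):
    """Finder side: signature, then timestamps, then audience/issuer. Returns the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenInvalid("not a three-part compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        signature = b64url_decode(sig_b64)
    except ValueError as exc:  # covers both bad Base64url and bad JSON
        raise TokenInvalid(f"malformed token: {exc}")
    # Pin the algorithm to the one the finder is configured for; the token does not get
    # to choose, so "none" or any other alg is refused before the key is even used.
    if header.get("alg") != "HS256":
        raise TokenInvalid(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenInvalid("signature mismatch")
    now = time.time() if now is None else now
    if "exp" not in claims or now >= claims["exp"] + leeway:
        raise TokenInvalid("token expired or carries no exp")
    if "nbf" in claims and now < claims["nbf"] - leeway:
        raise TokenInvalid("token not yet valid")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenInvalid("audience mismatch")
    if claims.get("iss") != issuer:
        raise TokenInvalid("issuer mismatch")
    return claims


def is_valid(token, **kwargs):
    """True if verify_token accepts the token with the given parameters."""
    try:
        verify_token(token, **kwargs)
        return True
    except TokenInvalid:
        return False


def claims_to_xacml_attributes(claims):
    """Flatten verified claims into access-subject attributes for the XACML request.
    Nested objects are flattened so their inner URI keys become AttributeIds (the tenant
    object yields a tenantId attribute); lists become multi-valued attributes."""
    attributes = []

    def walk(attribute_id, value):
        if isinstance(value, dict):
            for inner_id, inner in value.items():
                walk(inner_id, inner)
        elif isinstance(value, list):
            for item in value:
                walk(attribute_id, item)
        else:
            if isinstance(value, bool):
                datatype, text = XSD + "boolean", str(value).lower()
            elif isinstance(value, int):
                datatype, text = XSD + "integer", str(value)
            else:
                datatype, text = XSD + "string", str(value)
            attributes.append({"Category": XACML_ACCESS_SUBJECT, "AttributeId": attribute_id,
                               "DataType": datatype, "Value": text})

    for attribute_id, value in claims.items():
        walk(attribute_id, value)
    return attributes


def demo(now=1370450700):
    """Mint a token, validate it at a fixed clock, and map its claims to XACML attributes."""
    return claims_to_xacml_attributes(verify_token(mint_token(SAMPLE_CLAIMS), now=now))
```

The `now` parameter exists so the example validates against a fixed clock that falls inside the sample token's `nbf`/`exp` window; a real finder would use the current time with a small `leeway` for clock skew between the IdM GE and the PDP. The flattened attribute list is what a PDP would place in the access-subject category of the XACML request context before evaluating the `<PolicySet>`.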
REST-API-Managed Attribute Finder (Option 1 & 2)
Retrieves user attributes from IdM GE API
Only tested with GCP, but generic
For attributes not in token or changing during token lifetime
6. Thanks!
http://fi-ppp.eu
http://fi-ware.eu