1
votes

I understand the OAuth 2.0 spec allows third-party applications to be granted limited access to the application, either on behalf of a resource owner or by allowing the third-party application to obtain access on its own behalf.

I have a scenario, where I have an application and I need the user to get authenticated with some IAM provider. The roles and privileges are configured in the authorization server for each user. I can query the introspection point of the authorization server and based on the scope details, my application can decide the access to any resource for the user.

In this case, the user is not the resource owner. The types of resources the user can access are decided by my application, instead of the user allowing/denying the application to access resources.

Since the user is not the resource owner, can OAuth/OpenID Connect be used in this scenario? Is it possible with WSO2 IAM?

I tried the playground sample which is available in WSO2. Once the user logs in, there is a window which asks "playground requests access to your profile information" and requests the user to allow/deny. Can this be avoided, since in my case the user is not allowed to make any decisions?

If not, what are the other options to authorize/limit access to resources, where the decision is made by the authorization server/resource server instead of the user granting access?

Thanks, Albie Morken

1
Do you use ID tokens? - Kavindu Dodanduwa
Yes, I can use ID tokens and access tokens - user8369244
You could use OpenID Connect (ID token) for just authentication and then check access rights in your application. The ID token could contain all you need (username, name, email, roles). - Ján Halaša

1 Answer

0
votes

In this case, the user is not the resource owner. The types of resources the user can access are decided by my application, instead of the user allowing/denying the application to access resources.

In your scenario, you are relying on tokens issued by the authorisation server to access a protected resource. The protected resource is your application. And this application must have internal mechanisms to verify the tokens it receives before granting access.

The short answer to your question is: YES.

You can use OpenID Connect for this scenario, and you have two options to adopt:

1. Use access tokens with the introspection endpoint

You can use access tokens to grant access to your application. The client should send the access token as a bearer token as described in RFC 6750. When the application endpoint receives a request, this access token can be validated against the introspection endpoint (RFC 7662).

2. Use the ID token

ID tokens too can be used as bearer tokens. An ID token is a JWT (RFC 7519) and is self-contained. It carries the validation mechanisms described by the OpenID Connect spec, which are self-sufficient to allow a grant. And you can also check the claims it contains to authorise the end user. More can be found from this link.

I tried the playground sample which is available in WSO2. Once the user logs in, there is a window which asks "playground requests access to your profile information" and requests the user to allow/deny. Can this be avoided, since in my case the user is not allowed to make any decisions?

The consent page can be disabled. According to the spec, it can be done by configuring identity.xml as follows:

<SkipUserConsent>true</SkipUserConsent>

It is described in their documentation too.

Hope this helped.

P.S. - WSO2 IS contains an inbuilt XACML engine. XACML is the standard for access control. You can find more information from this link.
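As an added illustration of option 1 (not code from the answer or from WSO2): a resource server that parses the RFC 6750 bearer header, introspects the token (here against a constructed in-memory stand-in for the RFC 7662 endpoint), and then applies its own scope-to-resource policy, so the end user never grants anything. The audience value, resource names, scopes and tokens are assumptions for the example.

```python
import time

# Constructed sample introspection responses, shaped like RFC 7662 JSON.
# In a real deployment the app POSTs the token to the authorization server's
# introspection endpoint over TLS, authenticating with its own credentials.
SAMPLE_INTROSPECTION = {
    "tok-alice": {"active": True, "sub": "alice", "aud": "reports-api",
                  "scope": "openid reports:read", "exp": int(time.time()) + 600},
    "tok-bob":   {"active": True, "sub": "bob", "aud": "reports-api",
                  "scope": "openid", "exp": int(time.time()) + 600},
    "tok-other": {"active": True, "sub": "carol", "aud": "other-api",
                  "scope": "openid reports:read", "exp": int(time.time()) + 600},
    "tok-dead":  {"active": False},
}

# Application-side policy (hypothetical): which scope each resource needs.
# The user never chooses this; the authorization server issued the scopes.
RESOURCE_POLICY = {"GET /reports": "reports:read", "GET /me": "openid"}
MY_AUDIENCE = "reports-api"  # assumed identifier of this resource server


def parse_bearer(authorization):
    """Extract the token from an 'Authorization: Bearer <token>' header."""
    if not authorization:
        return None
    parts = authorization.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "bearer" or not parts[1].strip():
        return None
    return parts[1].strip()


def introspect(token):
    """Stand-in for the RFC 7662 call; unknown tokens are reported inactive."""
    return SAMPLE_INTROSPECTION.get(token, {"active": False})


def authorize(authorization, resource):
    """Return (status, detail): 200 with the subject, or 401/403 with the
    RFC 6750 error code the app should put in its WWW-Authenticate header."""
    token = parse_bearer(authorization)
    if token is None:
        return 401, "invalid_request"
    info = introspect(token)
    # 'active' is the only required field; also reject expired tokens and
    # tokens minted for a different resource server (audience mismatch).
    if not info.get("active") or info.get("exp", 0) <= time.time():
        return 401, "invalid_token"
    aud = info.get("aud")
    if MY_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        return 401, "invalid_token"
    needed = RESOURCE_POLICY.get(resource)  # unknown resource: deny by default
    if needed is None or needed not in info.get("scope", "").split():
        return 403, "insufficient_scope"
    return 200, info["sub"]
```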