FI-WARE Access Control GE (Part 4) - Access Control GE API & IdM GE Integration


Upload: cdanger

Post on 16-Jul-2015


Page 1: FI-WARE Access Control GE (Part 4) - Access Control GE API & IdM GE Integration

The FI-WARE Project – Base Platform for Future Service Infrastructures

Follow @FIWARE #FIWARE-AZ on Twitter !

FI-WARE API Access Control GE

Part 4 – AC GE API & IdM GE Integration

Cyril DANGERVILLE, Thales

FI-WARE / WP8 / T8.2

[email protected]

Page 2

AC GE Setup after IdM GE OAuth Setup

1. Access Control GE steps (contact: Thales (C. Dangerville))

   1. Request new policy admin domain (≈ tenant) for your Use Case

   2. Set the access control policy (XACML <PolicySet>)

   3. Option 1 & 2: set PDP attribute finders to get attributes from OAuth Access Token, and from REST API of IdM GE

2. Implement/Configure your PEP depending on your option (1, 2 or 3)

Page 3

Access Control GE – Policy Admin API (XACML PAP) WADL (REST)

Update access control <PolicySet> (XACML)

PUT https://_HOST_/authz/domains/domainId/pap/policySet

Body: XACML <PolicySet>

Example of simple RBAC policyset

Example of <PolicySet> with <Obligations> providing attributes in PDP response to PEP (Option 1 & 2)

Page 4

Access Control Policy Admin API – Attribute Finders (Option 1 & 2)

PUT https://_HOST_/authz/domains/domainId/pap/attributeFinders

JWT Attribute Finder (Option 1 only)

Signature/Timestamp/Audience Validation

JSON Parsing into XACML attributes

JWS (JSON Web Signature): eyJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJnY3AiLCJhdWQiOiJodHRwczovL2FjbWUuY29tL215dGFyZ2V0c2VydmljZSIsImlhdCI6MTM3MDQ1MDY1MCwibmJmIjoxMzcwNDUwNTkwLCJleHAiOjEzNzA0Nzk0NTAsImp0aSI6IjQwYmMwZGU0LTUyMWMtNDNjMC1iNzIyLWFmZjUyYTA2ZGY5ZiIsImh0dHA6Ly9nY3AudGVsZWtvbS5kZS9heHNjaGVtYS9maXJzdG5hbWUiOiJDeXJpbCIsImh0dHA6Ly9nY3AudGVsZWtvbS5kZS9heHNjaGVtYS9lbWFpbCI6ImN5cmlsLmRhbmdlcnZpbGxlKzdAZ21haWwuY29tIiwiaHR0cDovL2djcC50ZWxla29tLmRlL2F4c2NoZW1hL2xhc3RuYW1lIjoiRGFuZ2VydmlsbGU3IiwiaHR0cDovL2djcC50ZWxla29tLmRlL2F4c2NoZW1hL3RlbmFudCI6eyJodHRwOi8vZ2NwLnRlbGVrb20uZGUvYXhzY2hlbWEvdGVuYW50SWQiOiIxMDAwMDA5NSJ9LCJodHRwOi8vZ2NwLnRlbGVrb20uZGUvYXhzY2hlbWEvZ2NwaWQiOiIyMDEwMTAwMDAwOTUwNjAyNDQxMDUwNDMwNzYyIn0.tR42ucSzliZkX9V1KCztN7RonNA1f1-mXtEHu82s5hw

eyJhbGciOiJIUzI1NiJ9 (JOSE header) -> {"alg":"HS256"} -> HMAC SHA-256

JWT (JWS payload) + signature
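As an added example (not code from the deck or from the Access Control GE itself), the three checks the JWT attribute finder performs before exposing claims to the PDP: HS256 signature, nbf/exp timestamps and audience, followed by the mapping of URI-named claims into XACML access-subject attributes. The key, audience, issuer and claim URIs are constructed values; the sample token is signed locally for the demonstration rather than taken from the slide.

```python
import base64, hashlib, hmac, json

SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
STD_CLAIMS = {"iss", "sub", "aud", "iat", "nbf", "exp", "jti"}  # registered claims, not exported
def _b64url_dec(seg):
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))
def _b64url_enc(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_hs256_jws(claims, key):
    """HMAC-SHA256 compact JWS; only used to build the sample below (in FI-WARE the IdM GE issues tokens)."""
    head = _b64url_enc(b'{"alg":"HS256"}')  # encodes to eyJhbGciOiJIUzI1NiJ9, as on the slide
    body = _b64url_enc(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url_enc(sig)}"

def validate_hs256_jws(token, key, expected_aud, now, leeway=30):
    """The slide's three checks (signature, timestamps, audience): returns the claims
    or raises ValueError, in which case the attribute finder supplies no attributes."""
    head, body, sig = token.split(".")  # ValueError if not exactly three segments
    # The finder is configured for HS256; the token's own 'alg' header is never trusted
    if json.loads(_b64url_dec(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_dec(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_dec(body))
    if claims.get("aud") != expected_aud:
        raise ValueError("audience mismatch")
    if now + leeway < claims.get("nbf", 0) or now - leeway >= claims.get("exp", 0):
        raise ValueError("token not valid at this time (nbf/exp)")
    return claims

def claims_to_xacml_attributes(claims):
    """URI-named claims (one nesting level flattened, e.g. a tenant object) -> access-subject attributes; iss becomes the XACML Issuer."""
    attrs = []
    for name, value in claims.items():
        if name in STD_CLAIMS:
            continue
        for attr_id, v in (value.items() if isinstance(value, dict) else [(name, value)]):
            attrs.append({"Category": SUBJECT, "AttributeId": attr_id,
                          "Issuer": claims.get("iss"), "Value": str(v)})
    return attrs

# Constructed sample (not the slide's token): key, audience, issuer and claim URIs are made up.
SAMPLE_KEY, SAMPLE_AUD = b"constructed-shared-secret", "https://example.org/mytargetservice"
SAMPLE_CLAIMS = {"iss": "idm-example", "aud": SAMPLE_AUD, "iat": 1700000000, "nbf": 1699999940,
                 "exp": 1700028800, "jti": "constructed-jti-0001", "http://idm.example.org/axschema/email":
                 "alice@example.org", "http://idm.example.org/axschema/tenant": {"tenantId": "t-0001"}}
SAMPLE_TOKEN = make_hs256_jws(SAMPLE_CLAIMS, SAMPLE_KEY)
```

Pinning the algorithm to the configured HS256 also rejects tokens whose header announces a different or "none" algorithm, independently of the signature check.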

REST-API-Managed Attribute Finder (Option 1 & 2)

Retrieves user attributes from IdM GE API

Only tested with GCP, but generic

For attributes that are not in the token, or that may change during the token lifetime

Page 5

Accounting

Page 6

http://fi-ppp.eu

http://fi-ware.eu

Follow @FIWARE #FIWARE-AZ on Twitter !

Thanks !
