ISAM Authorization Rule for OAuth Scope

The vast majority of this Authorization Rule was developed by my colleague Shane Weeden. Thanks for sharing, Shane! Find more of his work here:
https://www-304.ibm.com/connections/blogs/sweeden/?lang=en_us

This authorization rule extracts the OAuth values of scope from the ISAM credential and applies a TRUE or FALSE authorization result subject to it containing the appropriate Scope value.

This article is part of a series of articles on OAuth Authorization use cases. For the full list, and an overview of the problem – see here: OAuth Authorization

Note: This mechanism is dependent on the use of the OAuth-Auth mechanism (as defined here: OAuth Authentication and Sessions)

Authorization Rules are documented here in the Knowledge center:

http://www-01.ibm.com/support/knowledgecenter/SSPREK_8.0.1.r2/com.ibm.isamw.doc_8.0.1.2/base_admin/concept/con_mgauthorule.html?lang=en

Authorization Rules can be applied using pdadmin or the Web-based Policy Administration portal.

Here is Shane's example, which looks for the scope value “full_profile” in the credential in order to permit access.

<xsl:template match="/XMLADI">
  <!--
    This variable will be populated with the string MATCH or NOMATCH
    depending on whether or not the comma-separated scope value from the
    ADI (i.e. cred attribute) contains the literal string defined in the 
    lookingfor parameter.
  -->
  <xsl:variable name="matchingscope"> 
    <xsl:call-template name="unpackCSV">
      <xsl:with-param name="csv" select="/XMLADI/scope" /> 
      <xsl:with-param name="lookingfor" select="'full_profile'" /> 
    </xsl:call-template>
  </xsl:variable> 

  <!--
    This is the real logic of the rule - if the cred contained a
    matching authorized scope, return !TRUE! otherwise return !FALSE!
  -->
  <xsl:choose> 
    <xsl:when test="$matchingscope = 'MATCH'">!TRUE!</xsl:when> 
    <xsl:otherwise>!FALSE!</xsl:otherwise> 
  </xsl:choose>
</xsl:template>

<xsl:template match="nothing" name="unpackCSV"> 
  <xsl:param name="csv" /> 
  <xsl:param name="lookingfor" />
  <!--
  This is a secondary "callable" template which is actually a 
  recursive utility function that looks through a comma-separated 
  list looking for a matching string parameter, returning MATCH if
  it is found in the CSV list of strings, or NOMATCH if it is not.
  -->
  <xsl:choose> 
    <xsl:when test="contains($csv, ',')"> 
      <xsl:variable name="nextbit" select="substring-before($csv,',')" />
      <xsl:choose>
        <xsl:when test="$nextbit = $lookingfor">MATCH</xsl:when>
        <xsl:otherwise>
          <xsl:call-template name="unpackCSV">
            <xsl:with-param name="csv" select="substring-after($csv,',')" /> 
            <xsl:with-param name="lookingfor" select="$lookingfor" /> 
          </xsl:call-template>
        </xsl:otherwise>
      </xsl:choose>
    </xsl:when>
    <xsl:otherwise> 
      <xsl:choose>
        <xsl:when test="$csv = $lookingfor">MATCH</xsl:when>
        <xsl:otherwise>NOMATCH</xsl:otherwise>
      </xsl:choose>
    </xsl:otherwise> 
  </xsl:choose> 
</xsl:template>
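The rule's matching semantics are easy to get wrong when writing scope values into a client registration or a token, so it helps to see them executed. The following is an added Python model of Shane's rule (it is not ISAM code and does not run the XSLT itself): unpack_csv is a line-for-line port of the recursive unpackCSV template, and evaluate_rule applies it to a constructed XMLADI document the way the rule reads /XMLADI/scope. The sample documents and scope strings are constructed for illustration; the behaviour they exercise follows directly from the XSLT above.

```python
import xml.etree.ElementTree as ET

# Scope the rule is looking for, same literal as the lookingfor parameter in the XSLT.
REQUIRED_SCOPE = "full_profile"


def unpack_csv(csv: str, looking_for: str) -> str:
    """Port of the recursive unpackCSV template.

    Mirrors the XSLT exactly: substring-before / substring-after on the first
    comma, an exact (case-sensitive, untrimmed) string comparison of each
    element, and MATCH / NOMATCH as the result.
    """
    if "," in csv:
        next_bit, rest = csv.split(",", 1)  # substring-before(csv, ',') / substring-after(csv, ',')
        if next_bit == looking_for:
            return "MATCH"
        return unpack_csv(rest, looking_for)
    # Last (or only) element: no comma left to split on.
    return "MATCH" if csv == looking_for else "NOMATCH"


def evaluate_rule(xmladi: str, looking_for: str = REQUIRED_SCOPE) -> str:
    """Model of the /XMLADI template: returns the string !TRUE! or !FALSE!.

    In XSLT, select="/XMLADI/scope" on a credential that carries no scope
    attribute evaluates to the empty string, so the rule fails closed.
    """
    root = ET.fromstring(xmladi)
    scope_el = root.find("scope") if root.tag == "XMLADI" else None
    scope = (scope_el.text or "") if scope_el is not None else ""
    return "!TRUE!" if unpack_csv(scope, looking_for) == "MATCH" else "!FALSE!"


# Constructed XMLADI documents (hypothetical credential contents, not captured ISAM output).
SAMPLE_ADI = {
    "exact":   "<XMLADI><scope>email,full_profile,openid</scope></XMLADI>",
    "spaced":  "<XMLADI><scope>email, full_profile</scope></XMLADI>",  # ' full_profile' != 'full_profile'
    "prefix":  "<XMLADI><scope>full_profile_admin</scope></XMLADI>",   # no substring matching
    "missing": "<XMLADI><other>x</other></XMLADI>",                    # credential has no scope at all
}


def run_samples() -> dict:
    """Evaluate the rule against every constructed credential."""
    return {name: evaluate_rule(doc) for name, doc in SAMPLE_ADI.items()}


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name:8s} -> {result}")
```

Two points worth noting from the output: a space after the comma in the scope string makes the element " full_profile" and the rule denies access, so the scope attribute must be written without padding; and because each element is compared with "=" rather than contains(), a scope such as "full_profile_admin" does not accidentally satisfy a rule looking for "full_profile". A credential with no scope attribute at all evaluates to !FALSE!, which is the fail-closed behaviour you want from an authorization rule.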
