OAuth Authorization

When using ISAM in OAuth patterns, there are a number of ways you can do authorization based on OAuth scopes. In general, at last check, there are three main ways of Authorizing OAuth requests based on their scope. (or other attributes associated with the tokens).

The mechanisms available are dependent on which OAuth validation mechanism you use with ISAM, I talk about them each in more detail here: OAuth Authentication and Sessions

  1. Using OAuth Mapping rules.
    Suitable when using the OAuth EAS without caching and OAuth Auth without sessions.
    This is dependant on validating the token with ISAM’s OAuth Server on every request.
    This means it will not work for session based OAuth flows, but should work fine when using the EAS approach and OAuth-Auth on its own.I’ve already described this approach in an earlier blog, here:
    OAuth Authorization in Mapping Rules
    This means you can use any atttribute supplied in the request, user information stored with the OAuth tokens, state information about the token, and also things like the scope. And you can write the authorization code in the flexible language of JavaScript.
  2. Using Context Based Access Policy, the ISAM Advanced Access Control engine.
    Suitable when using the OAuth Auth both with and without sessions.
    The context based access (CBA) policy allows us to do fine grained authorization based as a form of attribute based access control (ABAC). Included in this, is the ability to write policy based on information supplied in the ISAM credential. Since the OAuth Scope is available in the credential, its possible to write a fairly simple If then else statement based on such attributes.There is one caveat here – the scope attribute is a concatenated comma separated set of values, the easiest fix here, is to make a JavaScript PIP that will parse them into separate values.My Colleague Scott Andrews has kindly developed one that I have published here ISAM Context Based Access PIP for OAuth.
  3. Using WebSEAL Authorization Rules.
    Suitable when using the OAuth Auth both with and without sessions.
    Since all of the OAuth attributes can be populated into the ISAM credential when using OAuth Authentication, its possible to write Authorization rules that can perform performant authorization policy on the WebSEAL instance.
    My Colleague Shane Weeden has kindly developed one that I have published here ISAM Authorization Rule for OAuth Scope. It can also similarly be used for Authorization of Client IDs etc too in a similar fashion.
  4. Using WebSEAL ACLs
    Suitable when using the OAuth Auth both with and without sessions. This is more user based authorization, as opposed to scopes, but I want to put this here for completeness.
    Anytime you’re using the OAuth Authentication its also possible to use standard ACLs and POPs too since we are in a fully authenticated state when passing through the ISAM WebSEAL Policy Engine. If you are using an external user with OAuth, you can even assert the group in the OAuth Mapping rule response.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.


Up ↑

%d bloggers like this: