-
Notifications
You must be signed in to change notification settings - Fork 8
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
IS 7.0 Authorization Server Support #2937
Comments
Hi all, Earlier, I tested with the old scope model - as depicted in the diagram in this issue's description [1]. The following properties were enabled in IS 7.0's
Since we'll have to use the new permission model of IS 7.0 to do the same thing, I tested by manually creating the artifacts that go on par with IS 7.0's new permission model. (I removed the above two properties as well) Based on the above diagram, when the user I tested the above, and it's working as expected. Next step is to check the APIs and see a way to automate these artifact creations. [1] #2937 (comment) |
Hi all, One possible approach we discussed with @tharindu1st to maintain a list of scopes was, to have a common API Resource for all the scopes that are created by the IS7 Connector (eg: I tried adding only the API Resource under We won't be able to add "all scopes of an API resource" everytime we create an application, because once a new scope is created, we will have to revisit every application that we created, and add that new scope to the list of 'authorized scopes' (Since we will be creating applications in IS7 continuously, and scopes continuously as well). We will have to check whether we can avoid listing down each scope of the API resource under the application, so that, once we create an application, we just allow the API resource, not each scope individually. |
Hi all, Currently I'm proceeding with the approach of using an API Resource which will contain all the scopes we create from the APIM IS7 Connector. According to IS7 migration model [1], we could use the API Resource name We had a discussion with the IS team regarding the need of explicitly authorizing scopes under API Resource. We requested them for a way, where we should be able to allow IS7 OAuth2 applications to request scopes without being authorized with any API Resource. For now, the above shortcoming is not a blocker for the implementation. I'm manually authorizing the application to allow access to all those scopes of that API Resource when testing a subscription. Even though it's not a blocker for implementation, as we discussed, we can't release an update to the connector (with the improvement) without the above concern being addressed. |
Hi all, [1] #2937 (comment) |
Hi all, The IS team has provided us a preQA with their changes. I'm resuming this task, and starting to test it & improve the code. Will keep this thread updated as I progress. |
Hi all, So far, I have tested the following:
When testing the I'll keep this thread updated as I perform more tests & progress. |
Hi all, I have tested the following flows:
The system-wide property that was introduced from IS side - to make OAuth2 applications in IS7 not to be authorized with API Resources & Scopes before requesting scopes - is working as expected. Upon our testing, we noticed the following shortcomings, and we will need the following fixes from the IS team.
We have requested the above from the IS team, and they agreed to deliver us the fixes by this week. We'll have to modify our code according to these, so it's an implementation blocker for us. For the moment, I'll be improving the code, and will be testing other applicable flows while waiting for the fix from the IS team. |
Hi all, I have sent the PR for this feature at [1]. The IS team has provided the fixes requested at [2], and they work as expected. I will get the PR reviewed, and provide an update here. |
Hi all, The PRs for this feature [1][2] have been merged. APIM IS7 KM connector 2.0.3 [3] has been released with RBAC support for IS7. [1] wso2-extensions/apim-km-wso2is#147 Thanks, |
Problem
Currently when using IS7 as a Key Manager with APIM 4.3.0, we don't support scopes. We don't create Scope-to-Role mapping in IS7. We will only create Resource-to-Scope mapping from APIM side. The relevant Scope-to-Role mapping should have been created in IS7, similar to the example shown in the following diagram:
Diagram1
This limitation is due to the new Scopes & Roles model introduced in IS 7.
As shown in Diagram 1 above, we needed to create the necessary role via the IS 7 Console UI, and the scope binding (via Scopes REST API)
Solution
We will have to use the REST APIs provided by IS7 [1] to create the necessary role & scope mappings when creating a Resource-to-Scope mapping from APIM side.
[1] https://is.docs.wso2.com/en/latest/apis/roles-v2-rest-api/
Affected Component
APIM
Version
4.3.0
Implementation
No response
Related Issues
No response
Suggested Labels
No response
The text was updated successfully, but these errors were encountered: