OAuth is the de facto standard for API security and it's all about access delegation.
The resource owner delegates a limited set of access rights to a third party. In OAuth terminology, this is the “scope”. A given access token has a scope associated with it and it governs the access token’s capabilities.
XACML (eXtensible Access Control Markup Language) is the de facto standard for fine-grained access control. OAuth scope can be represented in XACML policies.
Say, for example, a user delegates access to his Facebook profile to a third party under the scope “user_activities”. This scope grants access to the user's list of activities (the activities connection). To achieve fine-grained access control, this can be represented in a XACML policy.
<!-- PolicyId, Version and RuleCombiningAlgId are required by XACML 3.0; the values here are illustrative.
     first-applicable makes permit_rule win when this policy's Target matches. -->
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
        PolicyId="user-activities-scope-policy" Version="1.0"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Target>
    <AnyOf>
      <AllOf>
        <!-- string-equal: the literal value must equal a value in the request's scope bag -->
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">user_activities</AttributeValue>
          <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:scope:scope-id"
                               Category="urn:oasis:names:tc:xacml:3.0:attribute-category:scope"
                               DataType="http://www.w3.org/2001/XMLSchema#string"
                               MustBePresent="false"/>
        </Match>
      </AllOf>
    </AnyOf>
  </Target>
  <!-- each Rule may carry its own Target and Condition to narrow when it applies -->
  <Rule Effect="Permit" RuleId="permit_rule">
  </Rule>
  <Rule Effect="Deny" RuleId="deny_rule">
  </Rule>
</Policy>
The above policy will be picked when the scope associated with the access token is equal to user_activities. The Authorization Server first needs to find all the scopes associated with the given access token and build the XACML request accordingly.
The Authorization Server first gets the following introspection request.
token=gfgew789hkhjkew87
resource_id=GET https://graph.facebook.com/prabathsiriwardena/activities
Authorization Server now needs to find the scope and the client id associated with the given token and build the XACML request.
<!-- ReturnPolicyIdList and CombinedDecision are required attributes in XACML 3.0 -->
<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
         ReturnPolicyIdList="false" CombinedDecision="false">
  <!-- client id looked up for the token -->
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:oauth-client">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:client:client-id" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">32324343434</AttributeValue>
    </Attribute>
  </Attributes>
  <!-- HTTP method from resource_id -->
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">GET</AttributeValue>
    </Attribute>
  </Attributes>
  <!-- scope(s) looked up for the token; several scopes become several AttributeValues here -->
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:scope">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:scope:scope-id" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">user_activities</AttributeValue>
    </Attribute>
  </Attributes>
  <!-- URL from resource_id; kept on one line so string-equal sees no stray whitespace -->
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">https://graph.facebook.com/prabathsiriwardena/activities</AttributeValue>
    </Attribute>
  </Attributes>
</Request>
The above request will be matched against the policy defined above, and its rules are then evaluated. Each rule can define the criteria for whether to permit or deny.
Putting it all together, the end-to-end flow is:
- User / System accesses the API passing an access token.
- API Gateway intercepts the request, finds the access token and calls the OAuth Authorization Server (Introspection endpoint) to validate it.
- Authorization Server finds the scopes and the client id associated with the access token, builds a XACML request and calls the XACML PDP.
- XACML PDP evaluates the XACML request against its policy set and returns a XACML response.
- OAuth Authorization Server sends back an Introspection Response which indicates the validity of the token.
- API Gateway validates the Introspection Response and then invokes the backend business API.
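As an added example (not code from the original post), the following Python performs the Authorization Server's step in that flow: it builds the XACML request above from what introspection knows about a token and runs a minimal target match against the scope policy, returning Permit, NotApplicable, or Indeterminate for an unknown token. The token store, the policy id and the first-applicable combining algorithm are assumptions, and the policy is trimmed to its Target and Permit rule.

```python
import xml.etree.ElementTree as ET
CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:"
STR = "http://www.w3.org/2001/XMLSchema#string"
# Constructed token store standing in for what the Authorization Server looks up per token.
TOKENS = {"gfgew789hkhjkew87": {"client_id": "32324343434", "scopes": ["user_activities"]},
          "tok-email-only": {"client_id": "32324343434", "scopes": ["email"]}}
# The post's scope policy (its Target and Permit rule) with the attributes XACML 3.0 requires.
POLICY = f"""<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" Version="1.0"
 PolicyId="scope-policy" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
 <Target><AnyOf><AllOf><Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
  <AttributeValue DataType="{STR}">user_activities</AttributeValue>
  <AttributeDesignator Category="{CAT}scope" AttributeId="urn:oasis:names:tc:xacml:1.0:scope:scope-id"
   DataType="{STR}" MustBePresent="false"/>
 </Match></AllOf></AnyOf></Target>
 <Rule Effect="Permit" RuleId="permit_rule"/>
</Policy>"""

def build_request(token, method, resource):
    """Turn what introspection knows about `token` into the XACML request shown above."""
    info = TOKENS.get(token)
    if info is None:
        return None                        # unknown or revoked token: nothing to evaluate
    req = ET.Element("Request", ReturnPolicyIdList="false", CombinedDecision="false")
    entries = [("oauth-client", "urn:oasis:names:tc:xacml:1.0:client:client-id", [info["client_id"]]),
               ("action", "urn:oasis:names:tc:xacml:1.0:action:action-id", [method]),
               ("scope", "urn:oasis:names:tc:xacml:1.0:scope:scope-id", info["scopes"]),
               ("resource", "urn:oasis:names:tc:xacml:1.0:resource:resource-id", [resource])]
    for cat, attr_id, values in entries:
        attr = ET.SubElement(ET.SubElement(req, "Attributes", Category=CAT + cat),
                             "Attribute", AttributeId=attr_id, IncludeInResult="false")
        for v in values:                   # several scopes become one bag of values
            ET.SubElement(attr, "AttributeValue", DataType=STR).text = v
    return req

def bag(req, designator):
    """Values the request carries for the designator's category and attribute id."""
    cat, aid = designator.get("Category"), designator.get("AttributeId")
    return {v.text for a in req.findall("Attributes") if a.get("Category") == cat
            for at in a.findall("Attribute") if at.get("AttributeId") == aid
            for v in at.findall("AttributeValue")}
def evaluate(req, policy_xml=POLICY):
    """Minimal PDP: the Target holds if every Match in some AllOf holds, then the first rule applies."""
    if req is None:
        return "Indeterminate"
    policy = ET.fromstring(policy_xml)
    for allof in policy.iterfind(".//{*}AllOf"):
        if all(m.find("{*}AttributeValue").text in bag(req, m.find("{*}AttributeDesignator"))
               for m in allof.findall("{*}Match")):
            return policy.find("{*}Rule").get("Effect")   # first-applicable: permit_rule fires
    return "NotApplicable"                 # no Match held, so this policy does not apply
```

A token whose scope bag lacks user_activities falls through to NotApplicable rather than Permit, which is the behaviour to check before wiring a real PDP behind the introspection endpoint.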
