OpenAM / OPENAM-11913

Policy evaluation should accept OAuth2/OIDC tokens


Details

    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 13.5.1, 13.5.2, 14.1.1, 14.5.0, 5.5.1, 6.0.0, 6.0.0.1, 6.0.0.2, 6.0.0.3, 6.0.0.4, 6.0.0.5, 6.5.0, 6.0.0.6, 6.5.0.1, 6.5.1, 6.5.2
    • Fix Version/s: None
    • Component/s: entitlements, policy
    • Labels: None

    Description

      The policy evaluation takes in the SSO token and some set of claims. However, it does not provide first-class or out-of-the-box support for OAuth2 or OIDC tokens.

      First request
      Currently, making this work seems to entail customization like what is described in https://forum.forgerock.com/2016/05/federated-authorization-using-3rd-party-jwts/ or http://yaunap.blogspot.sg/2016/07/fun-with-openam13-authz-policies-over.html: either using the claims and environment to pass extra information and writing heavy policy scripts, or writing a new EntitlementModule (e.g. https://github.com/ForgeRock/openam-policy-eval-sample) for a new subject.

      So this RFE is for more directly supporting the evaluation of, say, OIDC/JWT or OAuth2 tokens.

      Second request
      In addition to this, the next related RFE is about not requiring the SSOToken (iPlanetDirectoryPro) header but instead using a Bearer token via the Authorization header (where this bearer token is granted permission to do policy evaluation).


          People

            Assignee: Unassigned
            Reporter: chee-weng.chea (C-Weng C)
            Votes: 8
            Watchers: 20
