OAuth Scopes\Claims Restriction

Introduction
Access Manager allows you to use the OAuth 2.0 protocol for authentication and authorization.

When using OAuth 2.0, each application can obtain an access token through one of the supported grant types (Authorization Code, Implicit, Resource Owner Credentials, Client Credentials, SAML 2.0 Assertion).

When configuring a Resource Server, you can define as many scopes as you want:

Resource Server Scopes

Each access token carries the scope that the application requested at the authorization and token endpoints.

In addition to authentication and authorization, Access Manager provides a UserInfo Endpoint that returns the Resource Owner's claims. A client sends a request to the UserInfo endpoint with a valid access token and receives the claims the Resource Owner has authorized it to share.

Each scope can be assigned claims (user attributes or virtual attributes), which are returned in the UserInfo response if and only if the access token contains that specific scope.

The Problem

Access Manager does not restrict which scopes an OAuth 2.0 application may request and receive.

All scopes are published under "scopes_supported" at the authorization server's OpenID Metadata Endpoint.

That means that if we publish a scope named "email", which contains the user's email address, every application will be able to request this scope, and we have no way to restrict that.

The only way to achieve this restriction on Access Manager is the "User Consent" flow, where the user permits or denies the application access to a specific attribute. That does not happen when we choose not to require the user's permission (consent) for a given flow:

User consent disabled for scope

We want to be able to restrict application access to specific claims - the same as we have on SAML and WS-Federation.

The Solution

We wrote a simple Java Servlet filter that integrates with the NIDP web application and restricts application access to specific scopes.

Using this filter, you can define scopes that are publicly allowed for every application, and scopes that are allowed only for specific applications.

How to use the filter

  • On each Identity Server, create a configuration file (default location is /etc/edp/config/oauth_filter.xml). An example of this file can be found here:

  • Define all publicly allowed scopes under the <publicScopes> tag, using one <scope> tag per scope. For example:


<publicScopes>
    <scope>address</scope>
    <scope>profile</scope>
</publicScopes>

  • For each application, define a <clientScopes> tag under the <clientSpecificScopes> tag. Each <clientScopes> tag lists the scopes allowed for one application, identified by its <clientID>. For example:


<clientSpecificScopes>
    <clientScopes>
        <clientID>428269de-79d7-42a3-905a-d08668538228</clientID>
        <scopes>
            <scope>email</scope>
        </scopes>
    </clientScopes>
    <clientScopes>
        <clientID>412349de-79d7-42a3-905a-d08668531118</clientID>
        <scopes>
            <scope>email</scope>
            <scope>phone</scope>
        </scopes>
    </clientScopes>
</clientSpecificScopes>


  • The above example allows the email scope for the first application, and both email and phone for the second one.

  • Download the latest EDPNAMFilters jar file from my GitHub.

  • Copy the file to the Identity Server, into /opt/novell/nam/idp/webapps/nidp/WEB-INF/lib

  • Edit the /opt/novell/nam/idp/webapps/nidp/WEB-INF/web.xml file and add the filter and filter mapping:


<filter>
    <filter-name>EDPOAuthScopesFilter</filter-name>
    <filter-class>il.co.edp.nam.filters.OAuthScopesFilter</filter-class>
    <init-param>
        <param-name>oauth.filter.config.path</param-name>
        <!-- must point at the configuration file created in the first step -->
        <param-value>/etc/edp/config/oauth_authorization_filter.xml</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>EDPOAuthScopesFilter</filter-name>
    <url-pattern>/oauth/nam/authz</url-pattern>
    <url-pattern>/oauth/nam/token</url-pattern>
</filter-mapping>


  • Restart the Identity Server: /etc/init.d/novell-idp restart



Now, every client that requests a scope it is not allowed to receive will get an HTTP 401 error from the Authorization Endpoint (/oauth/nam/authz).
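The decision the filter makes, written out as an added Python example (not the project's Java code): it parses a configuration in the <publicScopes> / <clientSpecificScopes> layout above and reports which requested scopes fall outside the public set plus the client's own entry. The wrapping root element name is an assumption; the sample configuration is constructed from the example above.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs

# Constructed sample configuration in the layout described above.
# The <oauthFilter> root element name is an assumption; the filter's
# real file may use a different wrapper.
SAMPLE_CONFIG = """<oauthFilter>
  <publicScopes>
    <scope>address</scope>
    <scope>profile</scope>
  </publicScopes>
  <clientSpecificScopes>
    <clientScopes>
      <clientID>428269de-79d7-42a3-905a-d08668538228</clientID>
      <scopes><scope>email</scope></scopes>
    </clientScopes>
  </clientSpecificScopes>
</oauthFilter>"""


def load_policy(xml_text):
    """Parse the configuration into (public_scopes, {client_id: scopes}).

    Lookups use iter() so the result does not depend on the root element name.
    """
    root = ET.fromstring(xml_text)
    public = {s.text.strip() for p in root.iter("publicScopes")
              for s in p.iter("scope")}
    per_client = {}
    for entry in root.iter("clientScopes"):
        client_id = (entry.findtext("clientID") or "").strip()
        per_client[client_id] = {s.text.strip() for s in entry.iter("scope")}
    return public, per_client


def disallowed_scopes(policy, query_string):
    """Return the requested scopes the calling client is not entitled to.

    An empty set means the request may pass; anything else is what the filter
    rejects with HTTP 401. A client_id with no <clientScopes> entry of its own
    is limited to the public scopes.
    """
    public, per_client = policy
    params = parse_qs(query_string)
    client_id = params.get("client_id", [""])[0]
    # OAuth 2.0 sends several scopes as one space-separated "scope" value.
    requested = set(params.get("scope", [""])[0].split())
    allowed = public | per_client.get(client_id, set())
    return requested - allowed
```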

How to modify the filter configuration



  • Edit your XML configuration file (default location is /etc/edp/config/oauth_filter.xml) and save it.

  • The filter reloads the configuration automatically when the file is saved; no restart is needed.



Source Code

The source code of the filter can be found on my GitHub account:

https://github.com/tomerazran/EDPNAMFilters

Comments

Very useful! Microfocus should consider adding this capability to the iManager interface

I've been waiting for this solution for so long, thank you Tomer Azran
Version history: revision 1 of 1, last update 2019-02-22 23:04