
Applying custom scope granting policy rules using tags


Configuring tags is a useful way to apply custom policy rules to an arbitrary group of configured scopes and/or OAuth 2 clients. Because the policy references tags rather than scope or client names, administrators do not need to modify XACML policies each time a new scope or client is added, or when the granting behavior of an existing scope changes; only the tags on the affected scope or client need to be updated.

 

The example rule snippet below is a Deny rule: it denies any scope tagged with 'sensitive' unless the requesting OAuth 2 client has been tagged with 'approved', so such scopes are granted only to approved clients.

 

 

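<Rule RuleId="urn:unboundid:qa:rule:RequireApprovedClient" Effect="Deny">
  <Description>
    Deny scopes with tag 'sensitive' if the requesting client has not
    been tagged with 'approved'. The Target restricts the rule to scopes
    whose 'tags' property contains 'sensitive'; for those scopes the
    Condition is true (and the rule denies) whenever the client's 'tags'
    property does not contain 'approved'.
  </Description>
  <!-- NOTE(review): a Deny rule only has an effect if the enclosing policy's
       rule-combining algorithm lets Deny take precedence (e.g. deny-overrides);
       under permit-overrides another Permit rule would win. Confirm the
       algorithm used by the OAuth 2 Policy Set this rule is added to. -->
  <Target>
    <!-- Match scope where its 'tags' property includes the string 'sensitive'.
         MustBePresent="false": a scope with no 'tags' property yields an empty
         bag, so the Target simply does not match (rule is NotApplicable)
         instead of the rule becoming Indeterminate. -->
    <AnyOf>
      <AllOf>
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <!-- The literal is kept on one line on purpose: the element text is
               the value compared by string-equal, and surrounding indentation
               would be part of that value unless the PDP trims it. -->
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">sensitive</AttributeValue>
          <AttributeSelector
                  Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                  Path="tags"
                  DataType="http://www.w3.org/2001/XMLSchema#string"
                  MustBePresent="false"/>
        </Match>
      </AllOf>
    </AnyOf>
  </Target>
  <Condition>
    <!-- Match client where its 'tags' property does NOT include the string 'approved':
         not(string-at-least-one-member-of({'approved'}, client-tags)).
         With MustBePresent="false" a client that has no tags at all yields an
         empty bag, string-at-least-one-member-of is then false and the negation
         is true, so an untagged client is denied (fails closed) rather than
         producing an Indeterminate result. -->
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
          <!-- Single-line literal for the same reason as 'sensitive' above. -->
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">approved</AttributeValue>
        </Apply>
        <AttributeSelector Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                           Path="tags"
                           DataType="http://www.w3.org/2001/XMLSchema#string"
                           MustBePresent="false"/>
      </Apply>
    </Apply>
  </Condition>
  <!-- Advice attached to the Deny: an 'error' value of access_denied (an OAuth 2
       error code) plus an 'error-description'; presumably surfaced by the
       authorization server in its response to the denied client. Both values
       are kept on one line so no indentation is included in what is reported. -->
  <AdviceExpressions>
    <AdviceExpression AdviceId="request-denied-reason" AppliesTo="Deny">
      <AttributeAssignmentExpression AttributeId="error">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">access_denied</AttributeValue>
      </AttributeAssignmentExpression>
      <AttributeAssignmentExpression AttributeId="error-description">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">A scope granting access to sensitive data may not be requested by an unreviewed client.</AttributeValue>
      </AttributeAssignmentExpression>
    </AdviceExpression>
  </AdviceExpressions>
</Rule>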

 

Be sure to add any custom scope granting policies to the OAuth 2 Policy Set.