Custom Claims in OpenID ID Token with WSO2 Identity Server

ajanthan
Apr 24, 2019


Recently I had a meeting with a prospective customer who provides private datacenter and network connectivity services. They described an issue that prevents them from offering fine-grained access control over their cloud services. Once one of their customers has been authenticated into the cloud service portal through an OpenID Connect provider, that user can access practically any service. They could not implement proper RBAC (Role Based Access Control) because of the limited access information carried by the ID token. The root of the problem is that the access information, namely who can access which system in which capacity, is stored in a different data store from the user store that holds the user attributes and passwords. The OpenID Connect provider they currently use cannot source user access data from outside the user store and present it as claims in the ID token. Let's look at how we can build a solution with the WSO2 Identity Server to overcome this limitation.

WSO2 Identity Server is an open source, certified OpenID Connect server. The ID token obtained after successful authentication usually contains user claims that applications can use to make authorization decisions. In WSO2 Identity Server, the claims segment of the ID token is populated with user attributes from the connected user store. If you keep user claims such as accessible resources, services or other business access attributes somewhere other than the user store, WSO2 Identity Server provides an extension point called Claim Provider that populates the ID token from a data source other than the user store.

Here is a high-level overview of the solution.

Custom Claim Provider for ID token

With the custom claim provider, the ID token generated in the OpenID Connect flow contains the user's attributes from the Active Directory user store together with custom claims that carry the user's service access information from a separate database.
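The following is an added example of such a claim provider; it is not the code from the post or from the repository it points to. It assumes the `ClaimProvider` interface shape of WSO2 Identity Server 5.x (two `getAdditionalClaims` overloads returning a `Map<String, Object>`), a hypothetical JDBC datasource `jdbc/ServiceAccessDB` and a hypothetical table `service_access(username, tenant_domain, service, capacity)`; the class still has to be registered as an OSGi service of type `ClaimProvider` from the bundle's activator.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Map;
import javax.naming.InitialContext;
import javax.sql.DataSource;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.authz.OAuthAuthzReqMessageContext;
import org.wso2.carbon.identity.oauth2.dto.OAuth2AccessTokenRespDTO;
import org.wso2.carbon.identity.oauth2.dto.OAuth2AuthorizeRespDTO;
import org.wso2.carbon.identity.oauth2.token.OAuthTokenReqMessageContext;
import org.wso2.carbon.identity.openidconnect.ClaimProvider;

/** Adds a "service_access" claim to the ID token from a database separate from the user store. */
public class ServiceAccessClaimProvider implements ClaimProvider {
    // Assumed: JNDI name of a datasource defined in master-datasources.xml (not from the post).
    private static final String DS_JNDI = "jdbc/ServiceAccessDB";
    // Assumed table: service_access(username, tenant_domain, service, capacity).
    private static final String QUERY =
        "SELECT service, capacity FROM service_access WHERE username = ? AND tenant_domain = ?";

    @Override  // authorization-code flow: the ID token is issued by the token endpoint
    public Map<String, Object> getAdditionalClaims(OAuthTokenReqMessageContext ctx,
            OAuth2AccessTokenRespDTO resp) throws IdentityOAuth2Exception {
        return lookup(ctx.getAuthorizedUser());
    }

    @Override  // implicit/hybrid flow: the ID token is issued by the authorize endpoint
    public Map<String, Object> getAdditionalClaims(OAuthAuthzReqMessageContext ctx,
            OAuth2AuthorizeRespDTO resp) throws IdentityOAuth2Exception {
        return lookup(ctx.getAuthorizationReqDTO().getUser());
    }

    // Look up by the authenticated identity plus tenant, never by a request parameter,
    // so equal usernames in different tenants never share access entries.
    private Map<String, Object> lookup(AuthenticatedUser user) throws IdentityOAuth2Exception {
        ArrayList<String> grants = new ArrayList<>();
        try (Connection con = ((DataSource) new InitialContext().lookup(DS_JNDI)).getConnection();
             PreparedStatement ps = con.prepareStatement(QUERY)) {  // bound parameters, no concatenation
            ps.setString(1, user.getUserName());
            ps.setString(2, user.getTenantDomain());
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) grants.add(rs.getString("service") + ":" + rs.getString("capacity"));
            }
        } catch (Exception e) {  // fail closed: abort issuance rather than issue a token without the claim
            throw new IdentityOAuth2Exception("service access lookup failed", e);
        }
        return Collections.<String, Object>singletonMap("service_access", grants);  // RBAC input for the RP
    }
}
```

A user with no rows in the table receives an empty `service_access` list, which the relying party should treat as no access, and a database outage blocks token issuance instead of silently dropping the claim.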

If you want to try this solution, please check the following GitHub repository, which contains sample customization code and detailed instructions on how to test the scenario.
