Develop Fine-Grained Authorization Engine (FGA) for WSO2 Identity Server

[EsalaMapa]

Is your feature request related to a problem? Please describe.

Authorization is the process through which an entity is granted permission to access resources or make decisions within a system. This mechanism is not just about allowing or denying access; it's about ensuring that the right individuals have the appropriate level of access to the correct resources. In the ever-evolving landscape of digital information, robust authorization strategies are essential for maintaining the integrity, confidentiality, and availability of sensitive data.

WSO2 Identity Server currently utilizes the extensible Access Control Markup Language (XACML) for its authorization needs. XACML, known for its fine-grained access control, provides a comprehensive framework for defining security policies and access control decisions. However, as technology progresses, the limitations of XACML in terms of flexibility, scalability, and ease of use in modern environments become apparent. Given the rapid advancements in authorization technologies, it's imperative for WSO2 Identity Server to evaluate newer, more efficient, and potentially more secure authorization models that align with current and future industry standards.

From previous research we identified following concepts

• Use cases
• Models
• Potential third party integrations
• POC for integrating Topaz AS

As next step, we propose to develop end to end fine grained authorization engine using Topaz. Note that Topaz already decided as the third party solution for FGA.

Describe the solution you would prefer

This will mainly focus on the development of integrating Topaz into WSO2 Identity server to replace XACML in ABAC, ReBAC scenarios.

Scope:

• Develop an integration point for runtime authorization for third party AS.
• Current Scope validation mechanism doesn't have a single service exposed to outside as its using class methods to validate scopes.
• First we need to develop an integration point which can be implemented by third party AS.
• Develop an integration point for creating models/objects in third party AS.
• Develop a Connector to plugin Topaz with IS.
• Develop a UI so that developers can add their policies.

[EsalaMapa]

Update ( 09 August)

• Read the research documentation and tried out the POC that has been implemented.
• Worked on following blockers that came up while adding the POC to the product IS to test it out.
  • Maven configuration issues came up when trying to add the component to the latest snapshot of product IS
  • Issues with dependency configurations such as version changes
• After adding the POC topaz connector to IS worked on following blockers to make a successful connection with a local instance of topaz.
  • Added security certifications to IS keystore to fix errors came up with API validation
  • Change the code to use Apache libraries to send https requests since java.net libraries which had been used originally caused file not found errors.
• Was able to send a successful API call to the topaz instance at the end but parameters of the API request is getting mixed up in the process and working on figuring what caused this issue.

Update (16 August)

• Started discussions on a possible integration design.
• Understanding how IS internal workflow for authorization works.
• Possibility of a different third party application for FGA is in discussion.

Update ( 23 August)

• Initiated Research on another possible 3rd Party Authorization Engine called Permify
• Comparing Permify and Topaz using information their own documentation and applying a Use Case Scenario to Determine the most suitable one.

[EsalaMapa]

Update ( 5th September)

• Trying integrating topaz's one endpoint to the IS authorization flow to try and make a successful connection between IS and topaz instance in authorization process.
  • Implementation is done. Fixing bugs.

[EsalaMapa]

Update (13th September)

• Successfully integrated topaz to scope validation flow in IS authorization flow with hard coded values.
• Started working on enhancing the code with dynamic values and connecting more endpoints in topaz.
• Trying out a use case scenario.

[EsalaMapa]

Update (20th September)

• Found a bug in topaz while trying out a use case scenario. Notified topaz about this.
• Since FGA requires additional data such as relation between entities and entity ids, Looking for a viable way to send this data in the request. Rich Authorization Request (RAR) looks promising.
• Working on expanding the connection between IS and topaz.

[EsalaMapa]

Update (27th September)

• Reconsidering other options to see if we can replace topaz since topaz has few limitations and issues such as having to store policy scripts in a GHCR container.
• Working on workarounds for limitations

[EsalaMapa]

Update (4th October)

• Comparing Topaz, spiceDB and permify focusing on ABAC support, storage methods and authorization features.

[EsalaMapa]

Update (18th October)

• Decided to switch to SpiceDB since spiceDB now has ABAC support to some extent which it didn't when the initial research was conducted.
• Will be developing a connection between IS and spiceDB as next step

[EsalaMapa]

Update (26th October)

• Developing a connection to spiceDB through IS using spiceDB java SDK.
• have some issues with loading classes. looking for a possible fix.