This documentation is for WSO2 Identity Server 5.7.0 . View documentation for the latest release.


To provide fine-grained access control to APIs, WSO2 Identity Server allows validating the scope of an OAuth access token using XACML policies during the token issuing phase.

If you want the XACML scope validator to execute when issuing an access token in an OAuth access token issuing flow, you can select the scope validator as XACML when you configure a service provider. This provides fine-grained access control to APIs.

Follow the steps below to configure WSO2 Identity Server to validate OAuth access tokens scopes using XACML policies: 


To use this feature, apply the 4682 WUM update for WSO2 Identity Server 5.7.0 using the WSO2 Update Manager (WUM). To deploy a WUM update into production, you need a paid subscription. If you do not have a paid subscription, you can use this feature with the next version of WSO2 Identity Server when it is released. For more information on updating WSO2 Identity Server using WUM, see Getting Started with WUM in the WSO2 Administration Guide.

Before you begin

Access the WSO2 Identity Server Management Console.

Configuring the service provider

To configure the client application as a service provider in WSO2 Identity Server: 

  1. On the Main menu, click Identity > Service Provider > Add.

    Add Service Provider menu-item

    The Add New Service Provider screen appears.

    Add New Service Provider screen

  2. Enter a meaningful name for the client application in the Service Provider Name text box and click Register. The Service Providers screen appears. 

    Service Providers screen

  3. Under the Inbound Authentication Configuration section, click OAuth/OpenID Connect Configuration > Configure

    Inbound Authentication Configuration options

    The Register New Application screen appears.

  4. Enter the callback URL of your application in the Callback Url text box.

  5. Select the XACML Scope Validator check box under Scope Validators.

  6. Click Add.

You have successfully added and configured the service provider. Next, we will learn how to configure a XACML policy to validate the OAuth access token scopes that are used to authenticate the access requests for the client application. 

Setting up the XACML policy

To publish a XACML policy using a default XACML policy template in WSO2 Identity Server:

  1. On the Main menu of the Management Console, click Entitlement > PAP > Policy Administration.

    Policy Administration menu-item

    The Policy Administration screen appears.

    Policy Administration screen

  2. Click Edit of the scope_based_token_issuance_policy_template policy.

    Scope-Based Token Issuance Policy Template

    The Policy Editor appears with the pre-configured template, which contains placeholders.

    Policy Editor

  3. Edit the policy as required, including the PolicyId, and click Save.
    A new policy with the changes you made to the template appears under the policy ID you entered. (The original template remains unchanged.)

  4. Click Publish To My PDP of the new policy. The Publish Policy screen appears.

    Publish Policy screen

  5. Leave the default values as they are and click Publish.

    To ensure that the policy has been successfully published,

    1. On the Main menu, click Entitlement > PDP > Policy View.
      Policy View menu-item
    2. Check whether the published policy is listed.

You have successfully published a XACML policy. Let's test the policy to evaluate whether the XACML scope is validated during OAuth token issuance.

Try it out 

The XACML TryIt tool allows you to test the policies easily without having to create and send authorization requests to WSO2 Identity Server. It is a tool through which authorization requests can be created and evaluated against the available policies. You can write simple XACML 3.0 requests in XML format and try them using the web UI of the TryIt tool. 

To try out the policy using the XACML TryIt tool: 

  1. On the Tools menu of the Management Console, click XACML > TryIt.

    XACML TryIt menu-item

  2. The TryIt screen appears.

    XACML TryIt screen

  3. Click Create Request Using Editor. The Evaluate Entitlement Policy screen appears.

    Evaluate Entitlement Policy screen

  4. Enter the following as the sample request and click Evaluate With PDP.

    <Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="false">
        <Attributes Category="http://wso2.org/identity/sp">
           <Attribute AttributeId="http://wso2.org/identity/sp/sp-name" IncludeInResult="false">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">playground2</AttributeValue>
           </Attribute>
        </Attributes>
        <Attributes Category="http://wso2.org/identity/identity-action">
           <Attribute AttributeId="http://wso2.org/identity/identity-action/action-name" IncludeInResult="false">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">scope_validation</AttributeValue>
           </Attribute>
        </Attributes>
        <Attributes Category="http://wso2.org/identity/oauth-scope">
           <Attribute AttributeId="http://wso2.org/identity/oauth-scope/scope-name" IncludeInResult="false">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SCOPE_1</AttributeValue>
           </Attribute>
        </Attributes>
     </Request> 

    A response message with either Permit or Deny appears. This is the decision the XACML scope validator receives for the same request during token issuance.

    For backward compatibility, you can disable this scope validation for the authorization code and implicit grant flows by setting the following property to false in the identity.xml file in the <IS_HOME>/repository/conf directory.

    <ScopeValidationEnabledForAuthzCodeAndImplicitGrant>false</ScopeValidationEnabledForAuthzCodeAndImplicitGrant>
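The page does not show what a finished policy looks like once the template placeholders are filled in. The following XACML 3.0 policy is an added example written for this page; it is not the scope_based_token_issuance_policy_template shipped with WSO2 Identity Server, and the PolicyId, the allowed-scope list (SCOPE_1 and SCOPE_2) and the rule name are assumed values. It uses the same attribute categories and attribute IDs as the sample TryIt request above, so the request with sp-name playground2, action-name scope_validation and scope-name SCOPE_1 evaluates to Permit against it, while a request carrying any scope outside the allowed set evaluates to Deny.

```xml
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
        PolicyId="playground2_scope_policy"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit"
        Version="1.0">
  <Description>Added example policy (not the WSO2 template): permit token issuance for the
    playground2 service provider only when every requested scope is on the allowed list.</Description>
  <Target>
    <AnyOf>
      <AllOf>
        <!-- Apply only to scope validation requests ... -->
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">scope_validation</AttributeValue>
          <AttributeDesignator Category="http://wso2.org/identity/identity-action"
                               AttributeId="http://wso2.org/identity/identity-action/action-name"
                               DataType="http://www.w3.org/2001/XMLSchema#string"
                               MustBePresent="true"/>
        </Match>
        <!-- ... coming from the playground2 service provider -->
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">playground2</AttributeValue>
          <AttributeDesignator Category="http://wso2.org/identity/sp"
                               AttributeId="http://wso2.org/identity/sp/sp-name"
                               DataType="http://www.w3.org/2001/XMLSchema#string"
                               MustBePresent="true"/>
        </Match>
      </AllOf>
    </AnyOf>
  </Target>
  <Rule RuleId="permit_allowed_scopes" Effect="Permit">
    <Condition>
      <!-- string-subset is true only when the whole bag of requested scope-name values
           is contained in the allowed bag; one unknown scope in the request makes it false -->
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-subset">
        <AttributeDesignator Category="http://wso2.org/identity/oauth-scope"
                             AttributeId="http://wso2.org/identity/oauth-scope/scope-name"
                             DataType="http://www.w3.org/2001/XMLSchema#string"
                             MustBePresent="true"/>
        <!-- Allowed-scope list for this service provider (assumed values) -->
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SCOPE_1</AttributeValue>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SCOPE_2</AttributeValue>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
  <!-- deny-unless-permit: a matching request that the rule above does not permit
       (unknown scope, or missing scope-name attribute) gets Deny rather than NotApplicable -->
</Policy>
```

The design choice to note is string-subset rather than string-at-least-one-member-of in the Condition. With at-least-one-member-of, a request for SCOPE_1 plus an arbitrary extra scope would be permitted because one value matches; with string-subset, every requested scope has to be on the list, so a client cannot smuggle an unlisted scope into the token by bundling it with an allowed one. Paste the policy into the Policy Editor, publish it to the PDP as described above, and re-run the TryIt request with an extra scope-name AttributeValue to confirm the Deny.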

