From: Krzysztof B. <kb...@un...> - 2017-01-13 09:51:32
Hi Jan,

On 10.01.2017 at 13:15, Jan Wielemaker wrote:
> Hi Krzysztof,
>
> Thanks for the answer. Lots of things came in between, but I now got it
> working. See below.

Good to hear that :-)

> The flow I have in mind is this:
>
> - User logs in to service using Unity and wants to access resource R.
> - Service asks ABAC (Attribute Based Access Control) whether "sub"
>   is allowed to access R given a set of policies.
> - ABAC asks Unity for CfPersID (CERIF person id) of "sub" (optionally
>   for service)
> - ABAC applies policies on CERIF data for CfPersID
> - ABAC replies access "granted/denied" for R.
>
> So, I think what we need is a (web) API call from the ABAC component
> that is trusted by the Unity server and that can be used to retrieve the
> CfPersID attribute from Unity based on the anonymous identity Unity has
> provided to the service.
>
> Note that we do not want to expose CfPersID to the service as that
> reveals the true identity of the user.
>
> Is this possible, i.e., is there an API that can be used to get info
> about a Unity user based on the anonymous id provided to some service?

Sure, we use a similar scenario quite often, e.g. when mixing OAuth authN for regular services with a special admin service which provides a domain-specific UI leveraging Unity as the users backend DB.

To solve this you simply need to:

1) create an identity with a credential (username&pass or certificate) to represent your ABAC service
2) authorize ABAC to have global read permission
3) then ABAC will be able to use the Unity REST Admin endpoint in RO mode to obtain the CfPersID.

In step 3 you will need to perform 2 calls to the REST endpoint (results of the first one can be safely cached):

a) resolve the OAuth id from the sub claim (or another claim if you put it in the OAuth claimset) to "entityId", which is the internal Unity id of the logical person (entity) and is used in API calls.
b) get the attributes

You will have to authenticate this REST call of the ABAC service the same way as you created the entity for ABAC in point (1).

And finally there is one very important thing to remember. With the default settings of the OAuth endpoint, Unity puts the "targetedPersistent" identity into the sub claim. As you can read in the docs (section 7.1), such an identity is persistent, anonymous and *targeted at a particular client*. So it won't be visible (at least easily) for the ABAC client. Therefore change your OAuth config so that it puts the *global* persistent identity into the sub claim:

unity.oauth2.as.identityTypeForSubject=persistent

HTH,
Krzysztof
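The two-call lookup Krzysztof describes (resolve the sub claim to an entityId, which is cacheable, then read the attributes), wrapped in the access decision Jan sketched, as an added Python example. This is not code from the thread or from the Unity project: the base URL is a placeholder, the REST Admin API paths `/resolve/{identityType}/{identityValue}` and `/entity/{entityId}/attributes` are assumptions to be checked against the Unity documentation, and a constructed fake stands in for the Unity server so the example runs offline. The fake only resolves identities of type `persistent`, so a sub carrying a targeted identity (the default the mail warns about) fails to resolve and the decision is "denied"; the CfPersID itself never leaves the decision function.

```python
import base64
import json
from urllib.parse import quote, unquote

# Placeholder base URL and assumed REST Admin API paths; verify both against
# the documentation of your Unity version.
UNITY_BASE_URL = "https://unity.example.org/rest-admin/v1"


class UnityAdminClient:
    """Read-only client for the ABAC service identity created in step 1,
    authenticating every call with HTTP Basic (username & password)."""

    def __init__(self, base_url, username, password, http_get):
        self.base_url = base_url.rstrip("/")
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        self.headers = {"Authorization": "Basic " + token}
        self.http_get = http_get        # callable(url, headers) -> (status, body)
        self._entity_cache = {}         # sub -> entityId; the step 3a result is cacheable

    def _get_json(self, path):
        status, body = self.http_get(self.base_url + path, self.headers)
        return json.loads(body) if status == 200 else None

    def resolve_entity_id(self, sub):
        """Step 3a: map the global persistent identity in 'sub' to entityId."""
        if sub in self._entity_cache:
            return self._entity_cache[sub]
        entity = self._get_json("/resolve/persistent/" + quote(sub, safe=""))
        if entity is None:              # unknown or client-targeted identity: not resolvable
            return None
        self._entity_cache[sub] = entity["id"]
        return entity["id"]

    def get_attribute(self, entity_id, name, group="/"):
        """Step 3b: read one attribute value; not cached, attributes may change."""
        attrs = self._get_json(f"/entity/{entity_id}/attributes?group={quote(group, safe='')}")
        for attr in attrs or []:
            if attr["name"] == name and attr.get("values"):
                return attr["values"][0]
        return None


def decide_access(client, sub, resource, cerif, policies):
    """Return ('granted'|'denied', reason). CfPersID never leaves this
    function, so the calling service only learns the decision."""
    entity_id = client.resolve_entity_id(sub)
    if entity_id is None:
        return "denied", "sub does not resolve to a global persistent identity"
    cf_pers_id = client.get_attribute(entity_id, "cfPersId")
    if cf_pers_id is None:
        return "denied", "no CfPersID attribute"
    person = cerif.get(cf_pers_id)
    if person is None:
        return "denied", "no CERIF record for person"
    if any(policy(person, resource) for policy in policies):
        return "granted", "policy matched"
    return "denied", "no policy matched"


# --- Constructed stand-in for Unity so the example runs offline (not real data) ---
FAKE_ENTITIES = {"p-4f2a": 42}                                   # persistent id -> entityId
FAKE_ATTRIBUTES = {42: [{"name": "cfPersId", "values": ["CF-000123"]}]}
FAKE_CALL_LOG = []                                               # every URL the fake saw


def fake_http_get(url, headers):
    FAKE_CALL_LOG.append(url)
    if not headers.get("Authorization", "").startswith("Basic "):
        return 401, ""
    path = url.split("/rest-admin/v1", 1)[1]
    if path.startswith("/resolve/persistent/"):
        sub = unquote(path.rsplit("/", 1)[1])
        return (200, json.dumps({"id": FAKE_ENTITIES[sub]})) if sub in FAKE_ENTITIES else (404, "")
    if path.startswith("/entity/"):
        entity_id = int(path.split("/")[2])
        return 200, json.dumps(FAKE_ATTRIBUTES.get(entity_id, []))
    return 404, ""


# Constructed CERIF data and two toy policies (also not real).
CERIF = {"CF-000123": {"org": "UNI-A", "role": "researcher"}}
POLICIES = [
    lambda person, resource: resource == "R-dataset-1" and person["org"] == "UNI-A",
    lambda person, resource: resource == "R-admin" and person["role"] == "admin",
]


def demo():
    """Run three decisions and count resolve calls to show the cache working."""
    FAKE_CALL_LOG.clear()
    client = UnityAdminClient(UNITY_BASE_URL, "abac-service", "abac-secret", fake_http_get)
    return {
        "dataset": decide_access(client, "p-4f2a", "R-dataset-1", CERIF, POLICIES)[0],
        "admin": decide_access(client, "p-4f2a", "R-admin", CERIF, POLICIES)[0],
        "targeted": decide_access(client, "t-9c1e", "R-dataset-1", CERIF, POLICIES)[0],
        "resolve_calls": sum("/resolve/" in u for u in FAKE_CALL_LOG),
    }


if __name__ == "__main__":
    print(demo())
```

Only the sub-to-entityId mapping is cached, as the mail suggests; attribute reads go to Unity every time so that a changed or removed CfPersID takes effect immediately. The `http_get` parameter is the seam where a real HTTPS client replaces the fake.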