
# UMA RPT Policy

This is a special script type for UMA. It allows an administrator to protect UMA scopes with policies, and more than one UMA policy can be attached to a single UMA scope. When access to a protected resource is requested, the server invokes the UMA policies bound to the requested scopes, and those policies decide whether access is granted or denied.

## Interface

The UMA RPT Authorization Policy script implements the `UmaRptPolicyType` interface. It inherits the methods of the base script type and adds new methods:

### Inherited Methods

| Method header | Method description |
|---|---|
| `def init(self, customScript, configurationAttributes)` | Called only once, during script initialization. It can be used for global script initialization, such as instantiating objects. |
| `def destroy(self, configurationAttributes)` | Called once when the script is destroyed. It can be used to free resources and objects created in the `init()` method. |
| `def getApiVersion(self, configurationAttributes, customScript)` | Allows API changes so that an old script can be migrated transparently to a new API. Include the `customScript` parameter only if the value returned by `getApiVersion` is greater than 10. |

### New Methods

| Method header | Method description |
|---|---|
| `def getRequiredClaims(self, authorizationContext)` | Returns the required claim definitions. This method must define every claim that is used in the `authorize` method, and the claim name must match in both places. Return an empty array `[]` if no claims should be gathered. `%1$s` is a placeholder for the issuer; it uses the standard Java Formatter (docs: https://docs.oracle.com/javase/7/docs/api/java/util/Formatter.html). |
| `def authorize(self, authorizationContext)` | Main authorization method. Must return `True` or `False`. |
| `def getClaimsGatheringScriptName(self, authorizationContext)` | Returns the name of the Claims-Gathering script that is invoked when a `need_info` error is returned. Return a blank/empty string if the claims-gathering flow is not involved. |

## Objects

| Object name | Object description |
|---|---|
| `customScript` | The custom script object. |
| `configurationAttributes` | The `configurationProperties` passed in when adding the custom script: `Map<String, SimpleCustomProperty> configurationAttributes`. |
| `SimpleCustomProperty` | Map of configuration properties. |
| `context` | The `UmaAuthorizationContext` object passed to `getRequiredClaims`, `authorize` and `getClaimsGatheringScriptName` (see the comments in the scripts below). |
| `ClaimDefinition` | A claim definition as returned by `getRequiredClaims`; the examples below build the list with `ClaimDefinitionBuilder`. |

## Use case: Request Country and City Policies

This script was adapted from the Gluu Server UMA RPT Authorization Script.

### Script Type: Python

```python
# oxAuth is available under the MIT License (2008). See http://opensource.org/licenses/MIT for full text.
# Copyright (c) 2017, Janssen
#
# Author: Yuriy Zabrovarnyy
#
# Call sequence
# 1. The script constructor __init__ is called first
# 2. Next, the init() method
# 3. Next, getRequiredClaims() - returns the required claims, so the UMA engine can check whether
#    the RP provided all required claims in the request. Note that multiple scripts can be
#    bound to the scopes, which means the UMA engine builds the set of required claims
#    from all scripts. If not all claims are provided, a need_info error is sent to the RP.
#    During need_info construction the getClaimsGatheringScriptName() method is called
# 4. authorize() is called if all required claims are provided.
# 5. destroy()

from io.jans.model.custom.script.type.uma import UmaRptPolicyType
from io.jans.model.uma import ClaimDefinitionBuilder
from java.lang import String

class UmaRptPolicy(UmaRptPolicyType):
    def __init__(self, currentTimeMillis):
        self.currentTimeMillis = currentTimeMillis

    def init(self, customScript, configurationAttributes):
        print "RPT Policy. Initializing ..."
        print "RPT Policy. Initialized successfully"

        return True

    def destroy(self, configurationAttributes):
        print "RPT Policy. Destroying ..."
        print "RPT Policy. Destroyed successfully"
        return True

    def getApiVersion(self):
        return 11

    # Returns required claims definitions.
    # This method must provide definitions of all claims that are used in the 'authorize' method.
    # Note: the claim name in both places must match.
    # %1$s - placeholder for issuer. It uses the standard Java Formatter, docs: https://docs.oracle.com/javase/7/docs/api/java/util/Formatter.html
    def getRequiredClaims(self, context): # context is a reference to io.jans.as.uma.authorization.UmaAuthorizationContext
        json = """[
        {
            "issuer" : [ "%1$s" ],
            "name" : "country",
            "claim_token_format" : [ "http://openid.net/specs/openid-connect-core-1_0.html#IDToken" ],
            "claim_type" : "string",
            "friendly_name" : "country"
        },
        {
            "issuer" : [ "%1$s" ],
            "name" : "city",
            "claim_token_format" : [ "http://openid.net/specs/openid-connect-core-1_0.html#IDToken" ],
            "claim_type" : "string",
            "friendly_name" : "city"
        }
        ]"""
        context.addRedirectUserParam("customUserParam1", "value1") # pass custom parameters to the need_info uri. Remove this if you don't need custom parameters.
        return ClaimDefinitionBuilder.build(String.format(json, context.getIssuer()))

    # Main authorization method. Must return True or False.
    def authorize(self, context): # context is a reference to io.jans.as.uma.authorization.UmaAuthorizationContext
        print "RPT Policy. Authorizing ..."

        if context.getClaim("country") == 'US' and context.getClaim("city") == 'NY':
            print "Authorized successfully!"
            return True

        return False

    # Returns the name of the Claims-Gathering script which will be invoked if a need_info error is returned.
    def getClaimsGatheringScriptName(self, context): # context is a reference to io.jans.as.uma.authorization.UmaAuthorizationContext
        context.addRedirectUserParam("customUserParam2", "value2") # pass custom parameters to the need_info uri. Remove this if you don't need custom parameters.
        return "sampleClaimsGathering"
```
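The decision logic of the script above, as an added stand-alone Python 3 example that is neither the project's own code nor a deployable Jython script: it generalizes the hard-coded US/NY check to an allow list read from a configuration string, denies whenever a required claim is missing, and builds the same claim definitions as plain JSON. `FakeContext` and the `"US:NY, US:CA"` configuration format are assumptions standing in for `UmaAuthorizationContext` and a configuration property.

```python
import json

# Constructed stand-in for the server's UmaAuthorizationContext (hypothetical;
# a real script receives the Java object, so this class is for offline testing only).
class FakeContext(object):
    def __init__(self, issuer, claims):
        self._issuer = issuer
        self._claims = claims          # claims the RP pushed, e.g. {"country": "US"}
        self.redirect_params = {}      # what addRedirectUserParam() would add to need_info

    def getIssuer(self):
        return self._issuer

    def getClaim(self, name):
        return self._claims.get(name)  # None when the claim was not provided

    def addRedirectUserParam(self, key, value):
        self.redirect_params[key] = value


ID_TOKEN_FORMAT = "http://openid.net/specs/openid-connect-core-1_0.html#IDToken"
CLAIM_NAMES = ("country", "city")


def parse_allowed_locations(raw):
    """Parse a configuration value such as "US:NY, US:CA" (assumed format) into
    a set of (country, city) pairs; malformed entries are ignored, never accepted."""
    allowed = set()
    for entry in raw.split(","):
        parts = [p.strip() for p in entry.split(":")]
        if len(parts) == 2 and all(parts):
            allowed.add((parts[0], parts[1]))
    return allowed


def required_claims(context):
    """Same definitions as the script's getRequiredClaims(), with the issuer filled
    in where the Jython version relies on the Java Formatter placeholder %1$s."""
    return [{"issuer": [context.getIssuer()], "name": n,
             "claim_token_format": [ID_TOKEN_FORMAT], "claim_type": "string",
             "friendly_name": n} for n in CLAIM_NAMES]


def required_claims_json(context):
    return json.dumps(required_claims(context))


def authorize(context, allowed):
    """Deny by default: a missing claim (None) or an unlisted location never authorizes."""
    claims = [context.getClaim(n) for n in CLAIM_NAMES]
    if any(c is None for c in claims):
        return False
    return tuple(claims) in allowed
```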

### Script Type: Java

```java
import java.util.List;
import java.util.Map;

import io.jans.model.SimpleCustomProperty;
import io.jans.model.custom.script.model.CustomScript;
import io.jans.model.custom.script.type.uma.UmaRptPolicyType;
import io.jans.model.uma.ClaimDefinition;
import io.jans.service.custom.script.CustomScriptManager;
import io.jans.as.server.uma.authorization.UmaAuthorizationContext;
import io.jans.model.uma.ClaimDefinitionBuilder;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class UmaRptPolicy implements UmaRptPolicyType {

    private static final Logger log = LoggerFactory.getLogger(UmaRptPolicy.class);

    @Override
    public boolean init(Map<String, SimpleCustomProperty> configurationAttributes) {
        log.info("UMA RPT Policy Authorization. Initializing...");
        log.info("UMA RPT Policy Authorization. Initialized");
        return true;
    }

    @Override
    public boolean init(CustomScript customScript, Map<String, SimpleCustomProperty> configurationAttributes) {
        log.info("UMA RPT Policy Authorization. Initializing...");
        log.info("UMA RPT Policy Authorization. Initialized");
        return true;
    }

    @Override
    public boolean destroy(Map<String, SimpleCustomProperty> configurationAttributes) {
        log.info("UMA RPT Policy Authorization. Destroying...");
        log.info("UMA RPT Policy Authorization. Destroyed.");
        return true;
    }

    @Override
    public int getApiVersion() {
        return 11;
    }

    @Override
    public List<ClaimDefinition> getRequiredClaims(Object authorizationContext) {
        UmaAuthorizationContext authContext = (UmaAuthorizationContext) authorizationContext;

        // TODO: Customize this JSON array with your required claim definitions
        String json = "[{\"issuer\":[\"%s\"],\"name\":\"country\",\"claim_token_format\":[\"http://openid.net/specs/openid-connect-core-1_0.html#IDToken\"],\"claim_type\":\"string\",\"friendly_name\":\"country\"},{\"issuer\":[\"%s\"],\"name\":\"city\",\"claim_token_format\":[\"http://openid.net/specs/openid-connect-core-1_0.html#IDToken\"],\"claim_type\":\"string\",\"friendly_name\":\"city\"}]";

        authContext.addRedirectUserParam("customUserParam1", "value1");
        return ClaimDefinitionBuilder.build(String.format(json, authContext.getIssuer(), authContext.getIssuer()));
    }

    @Override
    public boolean authorize(Object authorizationContext) {
        log.info("UMA RPT Policy Authorization. Authorizing...");
        UmaAuthorizationContext authContext = (UmaAuthorizationContext) authorizationContext;
        if ("US".equals(authContext.getClaim("country")) && "NY".equals(authContext.getClaim("city"))) {
            log.info("Authorized successfully!");
            return true;
        }
        return false;
    }

    @Override
    public String getClaimsGatheringScriptName(Object authorizationContext) {
        UmaAuthorizationContext authContext = (UmaAuthorizationContext) authorizationContext;
        // pass custom parameters to the need_info uri. Remove this if you don't need custom parameters.
        authContext.addRedirectUserParam("customUserParam2", "value2");
        return "sampleClaimsGathering";
    }

}
```