Initial Implementation of Fine-Grained Authorization Interface

components/org.wso2.carbon.identity.oauth/pom.xml

@@ -262,6 +262,28 @@
             <groupId>org.wso2.orbit.javax.xml.bind</groupId>
             <artifactId>jaxb-api</artifactId>
         </dependency>
+
+        <dependency>
+            <groupId>javax.ws.rs</groupId>
+            <artifactId>javax.ws.rs-api</artifactId>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.wso2.carbon.identity.application.authz.topaz</groupId>
+            <artifactId>org.wso2.carbon.identity.application.authz.topaz</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>io.swagger</groupId>
+            <artifactId>swagger-annotations</artifactId>
+            <version>1.6.2</version>
+            <scope>compile</scope>
+        </dependency>
+        <dependency>
+            <groupId>javax.validation</groupId>
+            <artifactId>validation-api</artifactId>
+            <version>2.0.1.Final</version> <!-- or the latest stable version -->
+        </dependency>
+
         <!--Test Dependencies-->
         <dependency>
             <groupId>org.testng</groupId>
@@ -352,6 +374,11 @@
             <artifactId>jose4j</artifactId>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>org.springframework</groupId>
+            <artifactId>spring-web</artifactId>
+            <scope>provided</scope>
+        </dependency>
     </dependencies>
 
     <build>
@@ -457,7 +484,7 @@
                             !org.wso2.carbon.identity.oauth.common.*,
                             org.wso2.carbon.identity.oauth.*; version="${identity.inbound.auth.oauth.exp.pkg.version}",
                             org.wso2.carbon.identity.oauth2.*; version="${identity.inbound.auth.oauth.exp.pkg.version}",
-                            org.wso2.carbon.identity.openidconnect.*;version="${identity.inbound.auth.oauth.exp.pkg.version}",
+                            org.wso2.carbon.identity.openidconnect.*;version="${identity.inbound.auth.oauth.exp.pkg.version}"
                         </Export-Package>
                         <DynamicImport-Package>*</DynamicImport-Package>
                         <ListenerManager-RequiredServices>
@@ -603,4 +630,3 @@
     </build>
 
 </project>
-

components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/internal/OAuthComponentServiceHolder.java

@@ -35,6 +35,9 @@
 import org.wso2.carbon.identity.oauth2.OAuth2Service;
 import org.wso2.carbon.identity.oauth2.dao.AccessTokenDAO;
 import org.wso2.carbon.identity.oauth2.dao.TokenManagementDAO;
+import org.wso2.carbon.identity.oauth2.fga.FGADataManagementInterface;
+import org.wso2.carbon.identity.oauth2.fga.FGASchemaManagementInterface;
+import org.wso2.carbon.identity.oauth2.fga.FGAuthorizationInterface;
 import org.wso2.carbon.identity.oauth2.token.handlers.response.AccessTokenResponseHandler;
 import org.wso2.carbon.identity.oauth2.validators.scope.ScopeValidator;
 import org.wso2.carbon.identity.oauth2.validators.validationhandler.ScopeValidationHandler;
@@ -86,6 +89,10 @@ public class OAuthComponentServiceHolder {
 
     private ActionExecutorService actionExecutorService;
 
+    private FGAuthorizationInterface fgAuthorizationInterface;
+    private FGASchemaManagementInterface fgaSchemaManagementInterface;
+    private FGADataManagementInterface fgaDataManagementInterface;
+
     private OAuthComponentServiceHolder() {
 
     }
@@ -195,6 +202,30 @@ public OAuthEventInterceptor getOAuthEventInterceptorProxy() {
         return this.oAuthEventInterceptorHandlerProxy;
     }
 
+    public void addFGAuthorizationService(FGAuthorizationInterface authorizationInterface) {
+        this.fgAuthorizationInterface = authorizationInterface;
+    }
+
+    public FGAuthorizationInterface getFGAuthorizationService() {
+        return this.fgAuthorizationInterface;
+    }
+
+    public void addFGASchemaManagementService(FGASchemaManagementInterface schemaManagementInterface) {
+        this.fgaSchemaManagementInterface = schemaManagementInterface;
+    }
+
+    public FGASchemaManagementInterface getFGASchemaManagementService() {
+        return this.fgaSchemaManagementInterface;
+    }
+
+    public void addFGADataManagementService(FGADataManagementInterface dataManagementInterface) {
+        this.fgaDataManagementInterface = dataManagementInterface;
+    }
+
+    public FGADataManagementInterface getFGADataManagementService() {
+        return this.fgaDataManagementInterface;
+    }
+
     public OAuth2Service getOauth2Service() {
 
         return oauth2Service;

components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/internal/OAuthServiceComponent.java

@@ -52,6 +52,9 @@
 import org.wso2.carbon.identity.oauth.listener.OAuthTokenSessionMappingEventHandler;
 import org.wso2.carbon.identity.oauth2.OAuth2ScopeService;
 import org.wso2.carbon.identity.oauth2.OAuth2Service;
+import org.wso2.carbon.identity.oauth2.fga.FGADataManagementInterface;
+import org.wso2.carbon.identity.oauth2.fga.FGASchemaManagementInterface;
+import org.wso2.carbon.identity.oauth2.fga.FGAuthorizationInterface;
 import org.wso2.carbon.identity.oauth2.internal.OAuth2ServiceComponentHolder;
 import org.wso2.carbon.identity.oauth2.token.handlers.response.AccessTokenResponseHandler;
 import org.wso2.carbon.identity.organization.management.organization.user.sharing.OrganizationUserSharingService;
@@ -239,6 +242,99 @@ protected void unsetOAuthEventInterceptor(OAuthEventInterceptor oAuthEventInterc
         OAuthComponentServiceHolder.getInstance().addOauthEventInterceptorProxy(null);
     }
 
+    @Reference(
+            name = "org.wso2.carbon.identity.oauth2.fga.FGAuthorizationInterface",
+            service = FGAuthorizationInterface.class,
+            cardinality = ReferenceCardinality.MULTIPLE,
+            policy = ReferencePolicy.DYNAMIC,
+            unbind = "unsetFGAuthorizationInterface"
+    )
+    protected void setFGAuthorizationInterface(FGAuthorizationInterface authorizationInterface){
+        if (authorizationInterface == null) {
+            log.warn("Null FGA authorization service received, hence not registering");
+            return;
+        }
+        if (log.isDebugEnabled()) {
+            log.debug("Setting FGA authorization service :" + authorizationInterface.getClass().getName());
+        }
+        log.info("Setting FGA authorization service :" + authorizationInterface.getClass().getName());
+        OAuthComponentServiceHolder.getInstance().addFGAuthorizationService(authorizationInterface);
+    }
+
+    protected void unsetFGAuthorizationInterface(FGAuthorizationInterface authorizationInterface){
+        if (authorizationInterface == null) {
+            log.warn("Null oauth FGA authorization service received, hence cannot unbind.");
+            return;
+        }
+        if (log.isDebugEnabled()) {
+            log.debug("unbinding FGA authorization service :" + authorizationInterface.getClass().getName());
+        }
+        log.info("unbinding FGA authorization service :" + authorizationInterface.getClass().getName());
+        OAuthComponentServiceHolder.getInstance().addFGAuthorizationService(null);
+    }
+
+    @Reference(
+            name = "org.wso2.carbon.identity.oauth2.fga.FGASchemaManagementInterface",
+            service = FGASchemaManagementInterface.class,
+            cardinality = ReferenceCardinality.MULTIPLE,
+            policy = ReferencePolicy.DYNAMIC,
+            unbind = "unsetFGASchemaManagementInterface"
+    )
+    protected void setFGASchemaManagementInterface(FGASchemaManagementInterface schemaManagementInterface){
+        if (schemaManagementInterface == null) {
+            log.warn("Null FGA Schema Management service received, hence not registering");
+            return;
+        }
+        if (log.isDebugEnabled()) {
+            log.debug("Setting FGA Schema Management service :" + schemaManagementInterface.getClass().getName());
+        }
+        log.info("Setting FGA Schema Management service :" + schemaManagementInterface.getClass().getName());
+        OAuthComponentServiceHolder.getInstance().addFGASchemaManagementService(schemaManagementInterface);
+    }
+
+    protected void unsetFGASchemaManagementInterface(FGASchemaManagementInterface schemaManagementInterface){
+        if (schemaManagementInterface == null) {
+            log.warn("Null oauth FGA Schema Management service received, hence cannot unbind.");
+            return;
+        }
+        if (log.isDebugEnabled()) {
+            log.debug("unbinding FGA Schema Management service :" + schemaManagementInterface.getClass().getName());
+        }
+        log.info("unbinding FGA Schema Management service :" + schemaManagementInterface.getClass().getName());
+        OAuthComponentServiceHolder.getInstance().addFGASchemaManagementService(null);
+    }
+
+    @Reference(
+            name = "org.wso2.carbon.identity.oauth2.fga.FGADataManagementInterface",
+            service = FGADataManagementInterface.class,
+            cardinality = ReferenceCardinality.MULTIPLE,
+            policy = ReferencePolicy.DYNAMIC,
+            unbind = "unsetFGADataManagementInterface"
+    )
+    protected void setFGADataManagementInterface(FGADataManagementInterface dataManagementInterface){
+        if (dataManagementInterface == null) {
+            log.warn("Null FGA Data Management service received, hence not registering");
+            return;
+        }
+        if (log.isDebugEnabled()) {
+            log.debug("Setting FGA Data Management service :" + dataManagementInterface.getClass().getName());
+        }
+        log.info("Setting FGA Data Management service :" + dataManagementInterface.getClass().getName());
+        OAuthComponentServiceHolder.getInstance().addFGADataManagementService(dataManagementInterface);
+    }
+
+    protected void unsetFGADataManagementInterface(FGADataManagementInterface dataManagementInterface){
+        if (dataManagementInterface == null) {
+            log.warn("Null oauth FGA Data Management service received, hence cannot unbind.");
+            return;
+        }
+        if (log.isDebugEnabled()) {
+            log.debug("unbinding FGA Data Management service :" + dataManagementInterface.getClass().getName());
+        }
+        log.info("unbinding FGA Data Management service :" + dataManagementInterface.getClass().getName());
+        OAuthComponentServiceHolder.getInstance().addFGADataManagementService(null);
+    }
+
     @Reference(
             name = "org.wso2.carbon.identity.oauth2.token.handlers.response.AccessTokenResponseHandler",
             service = AccessTokenResponseHandler.class,

components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/fga/AccessControlFactory.java

@@ -0,0 +1,32 @@
+/*
+ * Copyright (c) 2025, WSO2 LLC. (http://www.wso2.com).
+ *
+ * WSO2 LLC. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.wso2.carbon.identity.oauth2.fga;
+
+public class AccessControlFactory {
+
+    private static FGAEngineHandler fgaEngineHandler;
+
+    public static FGAEngineHandler createServiceInstance() throws Exception {
+
+        if (fgaEngineHandler == null) {
+            fgaEngineHandler = new FGAEngineHandler();
+        }
+        return fgaEngineHandler;
+    }
+}

components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/fga/FGADataManagementInterface.java

@@ -0,0 +1,8 @@
+package org.wso2.carbon.identity.oauth2.fga;
+
+public interface FGADataManagementInterface {
+
+//    AbstractDataWriteResponse writeAuthzData(FGARequestInterface writeAuthzDataRequest);
+//    AbstractDataReadResponse readAuthzData(FGARequestInterface readAuthzDataRequest);
+//    AbstractDataDeleteResponse deleteAuthzData(FGARequestInterface deleteAuthzDataRequest);
+}

components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/fga/FGAEngineHandler.java

@@ -0,0 +1,54 @@
+/*
+ * Copyright (c) 2025, WSO2 LLC. (http://www.wso2.com).
+ *
+ * WSO2 LLC. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.wso2.carbon.identity.oauth2.fga;
+
+import org.wso2.carbon.identity.oauth.internal.OAuthComponentServiceHolder;
+
+/**
+ * This class handles the FGA connector registered as an OSGi service.
+ */
+public class FGAEngineHandler {
+    private static FGAuthorizationInterface authorizationService;
+    private static FGASchemaManagementInterface schemaManagementService;
+    private static FGADataManagementInterface dataManagementService;
+
+    public FGAuthorizationInterface getAuthorizationService() {
+
+        if (authorizationService == null) {
+            authorizationService = OAuthComponentServiceHolder.getInstance().getFGAuthorizationService();
+        }
+        return authorizationService;
+    }
+
+    public FGASchemaManagementInterface getSchemaManagementService() {
+
+        if (schemaManagementService == null) {
+            schemaManagementService = OAuthComponentServiceHolder.getInstance().getFGASchemaManagementService();
+        }
+        return schemaManagementService;
+    }
+
+    public FGADataManagementInterface getDataManagementService() {
+
+        if (dataManagementService == null) {
+            dataManagementService = OAuthComponentServiceHolder.getInstance().getFGADataManagementService();
+        }
+        return dataManagementService;
+    }
+}

components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/fga/FGASchemaManagementInterface.java

@@ -0,0 +1,7 @@
+package org.wso2.carbon.identity.oauth2.fga;
+
+public interface FGASchemaManagementInterface {
+
+//    AbstractSchemaWriteResponse writeAuthzSchema(FGARequestInterface writeScehemaRequest);
+//    AbstractSchemaReadResponse readAuthzSchema(FGARequestInterface readSchemaRequest);
+}

components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/fga/FGAuthorizationInterface.java

@@ -0,0 +1,29 @@
+/*
+ * Copyright (c) 2025, WSO2 LLC. (http://www.wso2.com).
+ *
+ * WSO2 LLC. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.wso2.carbon.identity.oauth2.fga;
+
+import java.util.ArrayList;
+
+/**
+ * Interface for authorization using a FGA connector.
+ */
+public interface FGAuthorizationInterface {
+
+    ArrayList<String> getFGAuthorizedScopes(FGAuthzReqContext fgAuthzReqContext);
+}

components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/fga/FGAuthzReqContext.java

@@ -0,0 +1,42 @@
+package org.wso2.carbon.identity.oauth2.fga;
+
+import org.wso2.carbon.identity.application.authentication.framework.exception.UserIdNotFoundException;
+import org.wso2.carbon.identity.oauth2.authz.OAuthAuthzReqMessageContext;
+import org.wso2.carbon.identity.oauth2.token.OAuthTokenReqMessageContext;
+
+import java.util.ArrayList;
+
+/**
+ * Model class to send request context to FGA authorization implementation.
+ */
+public class FGAuthzReqContext {
+
+    private String subjectId;
+    //private JSONObject context;
+    private ArrayList<String> requestedScopes;
+
+    public FGAuthzReqContext(OAuthAuthzReqMessageContext authzReqMessageContext) throws UserIdNotFoundException {
+
+        subjectId = authzReqMessageContext.getAuthorizationReqDTO().getUser().getUserId();
+    }
+
+    public FGAuthzReqContext(OAuthTokenReqMessageContext tokenReqMessageContext) throws UserIdNotFoundException {
+
+        subjectId = tokenReqMessageContext.getAuthorizedUser().getUserId();
+    }
+
+    public String getSubjectId() {
+
+        return subjectId;
+    }
+
+    public ArrayList<String> getRequestedScopes() {
+
+        return requestedScopes;
+    }
+
+    public void setRequestedScopes(ArrayList<String> requestedScopes) {
+
+        this.requestedScopes = requestedScopes;
+    }
+}