Hi All, On Fri, Jun 3, 2016 at 5:46 PM, Prabath Siriwardana <[email protected]> wrote:
> > > On Thu, Jun 2, 2016 at 10:30 PM, Indunil Upeksha Rathnayake < > [email protected]> wrote: > >> Hi, >> I am working on implementing regeneration of client secret/key of an >> oauth app and revocation of an oauth app for the next milestone release of >> Identity Server. Appreciate your feedbacks on the following approaches I >> have taken. >> >> A trusted client would need to update the client secret/key, in order to >> prevent the abuse of revealed client secret/key. So for addressing that, I >> am working on adding two options as *Regenerate Client Secret *and >> *Regenerate >> Consumer Key* for oauth applications in IS. After a client secret/key >> get regenerated, that will immediately invalidate any active authorization >> code, access token or refresh token, issued to the respective client. >> >> *Will it be necessary to add two options for revoking client secret and >> key or better to go for a different approach?* >> > > I guess (as discussed in this thread already) - having the ability to > change the consumer secret would be enough. Changing the consumer key is > bit challanging too - we would have all the analytics data against the > consumer key. > On a side note which is not directly relevant to consumer key revocation, I have seen occasions where customers wanted to decide the consumer key than generating them. Use case: Eg: When they are already having plenty of applications(may be mobile apps) which have embedded consumer key or/and secret, and then moving from current authorization server to WSO2 Identity Server they need to update consumer credentials in all these applications to use WSO2 generated ones, which they are reluctant to do. While we may be able to support above use case via a extension point, won't it be good to have a highly secured API to do it? Analytics, we may have to handle using the old to new consumer key mapping. > > Also - consumer key is not something - someone would remember and use - so > I don't think its same as the username - so I don't see any need to change > > >> >> >> >> And apart from that planning for the implementation of *Revoking an >> oauth app*. In there the oauth app will be revoked and that also will >> immediately invalidate any active authorization code, access token or >> refresh token, issued to the respective client. In order to activate the >> oauth app again, need to regenerate the client secret. >> >> >> *In there to activate the app, better to regenerate "both client key and >> secret" or "either client key or secret"?* >> > > Revoking an app means - mostly the revoking of its consumer secret (the > previous scenario). > > Another couple of use cases we can address with this: > > 1. Blocking an app temporary - Deactivate the App - and the Activate it > after sometime - nothing to do with the consumer secret revocation. > > 2. Ability to revoke an access token (s) issued on behalf of a user for a > particular app. > > 3. Ability to revoke all the access tokens issued on behalf of a user > across all the apps. > > Thanks & regards, > -Prabath > > >> >> >> Really value your ideas/suggestions on improving this feature. >> >> Thanks and Regards >> -- >> Indunil Upeksha Rathnayake >> Software Engineer | WSO2 Inc >> Email [email protected] >> >> >> _______________________________________________ >> Architecture mailing list >> [email protected] >> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture >> >> > > > -- > Thanks & Regards, > Prabath > > Twitter : @prabath > LinkedIn : http://www.linkedin.com/in/prabathsiriwardena > > Mobile : +1 650 625 7950 > > http://facilelogin.com > > _______________________________________________ > Architecture mailing list > [email protected] > https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture > > Thanks, -- Pushpalanka. -- Pushpalanka Jayawardhana, B.Sc.Eng.(Hons). Senior Software Engineer, WSO2 Lanka (pvt) Ltd; wso2.com/ Mobile: +94779716248 Blog: pushpalankajaya.blogspot.com/ | LinkedIn: lk.linkedin.com/in/pushpalanka/ | Twitter: @pushpalanka
_______________________________________________ Architecture mailing list [email protected] https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
