On Fri, Feb 10, 2017 at 1:15 AM, Gayan Gunawardana <[email protected]> wrote:

>
>
> On Thu, Feb 9, 2017 at 7:43 PM, Omindu Rathnaweera <[email protected]>
> wrote:
>
>> One option would be to introduce a claim property to indicate who can
>> modify the claims. We can even introduce a similar property to specify who
>> can read a claim as well.
>>
>> Regards,
>> Omindu
>>
>> On Thu, Feb 9, 2017 at 5:39 PM, Isura Karunaratne <[email protected]> wrote:
>>
>>> Hi all,
>>>
>>> What is the best way to handle special claims such as last login
>>> time and last password update time? These claims should
>>> only be modified by the system.
>>>
>>> Ideally, we should not be able to update these claims using APIs such
>>> as SCIM.
>>>
> From the SCIM user manager level we can filter out and remove these claims for
> Create, Update and Delete operations.
>

Totally -1. As Darshana mentioned, we should handle these in a centralized
intercepting layer so that it doesn't get coupled to the various external
endpoints that we expose.

SCIM 2.0 in fact defines its own attribute profile in the specification.
Please check the property called "mutability" for each User/Group attribute.
SCIM 2.0 defines the following four values for it by default:

"readOnly", "readWrite", "immutable", "writeOnly"

So we can't be doing our own thing here. SCIM 2.0 has already defined how to
handle these kinds of claims, and we need to be able to support these various
mutability values from our profile-mgt implementation.

Regards,
Johann.

-- 
Thanks & Regards,

*Johann Dilantha Nallathamby*
Technical Lead & Product Lead of WSO2 Identity Server
Governance Technologies Team
WSO2, Inc.
lean.enterprise.middleware

Mobile - *+94777776950*
Blog - *http://nallaa.wordpress.com*
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
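To illustrate the centralized intercepting layer Johann is asking for, here is an added example (not code from the thread or from WSO2 Identity Server) of one mutability filter that every endpoint would call before writing or returning a profile. The claim schema, the claim names and the choice to drop readOnly values rather than reject them are this example's own assumptions; the meaning of the four mutability values follows RFC 7643 section 2.2.

```python
"""Central claim-mutability filter, modelled on SCIM 2.0 (RFC 7643 s2.2).

One intercepting layer in front of every endpoint, so SCIM, SOAP or REST
callers all get the same answer for system-managed claims such as the
last-login time. Schema and policy choices below are assumptions.
"""

# Constructed schema: claim name -> mutability, modelled on a SCIM user.
CLAIM_SCHEMA = {
    "userName": "readWrite",
    "lastLoginTime": "readOnly",        # system-managed
    "lastPasswordUpdate": "readOnly",   # system-managed
    "password": "writeOnly",            # accepted on write, never returned
    "employeeNumber": "immutable",      # may be set once, then frozen
}


class MutabilityError(ValueError):
    """Raised when a caller tries to change an attribute it may not change."""


def enforce_mutability(current, incoming, schema=CLAIM_SCHEMA, system=False):
    """Return (accepted, ignored) for an update supplied by a caller.

    current:  the stored profile (dict) before the update.
    incoming: attributes supplied by the caller.
    system:   True only for trusted internal callers (e.g. the login handler).
    readOnly values from external callers are dropped and reported,
    immutable values may be set once or re-sent unchanged, unknown
    attributes are rejected outright.
    """
    if system:
        return dict(incoming), []       # the system itself may set anything
    accepted, ignored = {}, []
    for name, value in incoming.items():
        mutability = schema.get(name)
        if mutability is None:
            raise MutabilityError(f"unknown attribute {name!r}")
        if mutability == "readOnly":
            ignored.append(name)        # never written from an external API
        elif mutability == "immutable":
            if name in current and current[name] != value:
                raise MutabilityError(f"{name!r} is immutable")
            accepted[name] = value
        else:                           # readWrite, writeOnly
            accepted[name] = value
    return accepted, ignored


def filter_response(profile, schema=CLAIM_SCHEMA):
    """Strip writeOnly attributes before a profile is returned to a caller."""
    return {k: v for k, v in profile.items() if schema.get(k) != "writeOnly"}
```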
