How is this going to impact migrating clients? For the data that's already available in the DB, I guess we won't be changing their user store domains. So I guess they will still be treated in the old way?
On Tue, May 16, 2017 at 7:53 PM, Pushpalanka Jayawardhana <[email protected]> wrote:
> Hi All,
>
> We have the 3 issues below that are caused mainly because we don't have a
> clear way to distinguish local and federated users in OAuth-related tables
> (authorization code and access token storage).
> There are a few more issues related to sending the subject claim in the proper
> format in the ID token, which needs to identify the user as federated or local.
>
> In order to address these issues we need to check whether the user is from a
> federated IDP. To fix this without having DB schema changes, IsharaK came
> up with this idea to use the 'UserStoreDomain' column,
> to store the value 'FEDERATED' as the user store domain for tokens and
> authorization codes issued to federated users. The relevant authenticators
> and grant handlers are responsible for setting the 'isFederatedUser' flag to true,
> whenever they are creating and passing an authenticated user to the
> messageContext. OAuth storage will read it and store the userStoreDomain
> value as 'FEDERATED'. This domain is never expected to be sent out from the
> server as a user attribute or property or as part of the username.
>
> In order to avoid any conflicts, we will prevent users from creating user
> store domains with the name 'FEDERATED'.
> If you see any pitfalls with this approach, please raise them. We are
> proceeding with the implementation as above.
>
> [1] - https://wso2.org/jira/browse/IDENTITY-5939
> [2] - https://wso2.org/jira/browse/IDENTITY-4880
> [3] - https://wso2.org/jira/browse/IDENTITY-4512
>
> Thanks,
> --
> Pushpalanka.
> --
> Pushpalanka Jayawardhana, B.Sc.Eng.(Hons).
> Senior Software Engineer, WSO2 Lanka (pvt) Ltd; wso2.com/
> Mobile: +94779716248
> Blog: pushpalankajaya.blogspot.com/ | LinkedIn: lk.linkedin.com/in/pushpalanka/ | Twitter: @pushpalanka
>

--
Nuwan Dias
Software Architect - WSO2, Inc. http://wso2.com
email : [email protected]
Phone : +94 777 775 729
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
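The following is an added sketch of the scheme described in the quoted proposal, written for this page and not taken from the WSO2 code base. Every class and method name in it (AuthenticatedUser, TokenRow, persist, isFederatedRow, externalUserName, validateNewUserStoreDomain) is hypothetical, and the assumption that the PRIMARY domain is omitted when a local username is rendered is the example's own. It shows the three pieces the proposal couples together: the authenticator or grant handler sets the isFederatedUser flag, the storage layer turns that flag into the 'FEDERATED' sentinel in the UserStoreDomain column, and the outbound path never emits the sentinel. The read side treats any value other than the sentinel as a local domain, which is where rows written before the change would land.

```java
import java.util.Locale;

/**
 * Hypothetical model of the "FEDERATED user store domain" scheme.
 * Not WSO2 code; names and the PRIMARY-domain convention are assumptions.
 */
public final class FederatedUserDomainSketch {

    /** Reserved value written to the UserStoreDomain column for federated users. */
    public static final String FEDERATED_DOMAIN = "FEDERATED";

    /** Assumed default local domain, omitted from the username when rendered. */
    private static final String PRIMARY_DOMAIN = "PRIMARY";

    /** Minimal stand-in for the authenticated user passed in the message context. */
    public static final class AuthenticatedUser {
        public final String userName;
        public final String userStoreDomain;   // null for federated users
        public final String federatedIdpName;  // null for local users
        public final boolean federatedUser;    // the "isFederatedUser" flag from the thread

        private AuthenticatedUser(String userName, String userStoreDomain,
                                  String federatedIdpName, boolean federatedUser) {
            this.userName = userName;
            this.userStoreDomain = userStoreDomain;
            this.federatedIdpName = federatedIdpName;
            this.federatedUser = federatedUser;
        }

        /** What a local authenticator would construct. */
        public static AuthenticatedUser local(String userName, String domain) {
            return new AuthenticatedUser(userName, domain, null, false);
        }

        /** What a federated authenticator or grant handler would construct. */
        public static AuthenticatedUser federated(String userName, String idpName) {
            return new AuthenticatedUser(userName, null, idpName, true);
        }
    }

    /** Simplified token / authorization code row: only the two columns that matter here. */
    public static final class TokenRow {
        public final String userName;
        public final String userStoreDomain;

        TokenRow(String userName, String userStoreDomain) {
            this.userName = userName;
            this.userStoreDomain = userStoreDomain;
        }
    }

    /** Storage side: the flag, not the caller, decides what goes into the UserStoreDomain column. */
    public static TokenRow persist(AuthenticatedUser user) {
        String domain;
        if (user.federatedUser) {
            domain = FEDERATED_DOMAIN;
        } else {
            String local = user.userStoreDomain == null ? PRIMARY_DOMAIN : user.userStoreDomain;
            domain = local.toUpperCase(Locale.ROOT);
        }
        return new TokenRow(user.userName, domain);
    }

    /**
     * Read side: only the sentinel marks a federated user. Rows written before
     * the change carry a real domain and therefore fall into the local branch.
     */
    public static boolean isFederatedRow(TokenRow row) {
        return FEDERATED_DOMAIN.equalsIgnoreCase(row.userStoreDomain);
    }

    /**
     * Username as sent out of the server (subject claim, introspection, ...).
     * The sentinel is never emitted; local users keep the DOMAIN/user form
     * except for the assumed default domain.
     */
    public static String externalUserName(TokenRow row) {
        if (isFederatedRow(row) || PRIMARY_DOMAIN.equalsIgnoreCase(row.userStoreDomain)) {
            return row.userName;
        }
        return row.userStoreDomain + "/" + row.userName;
    }

    /** User store management side: refuse the reserved name so the sentinel cannot collide. */
    public static void validateNewUserStoreDomain(String domainName) {
        if (FEDERATED_DOMAIN.equalsIgnoreCase(domainName)) {
            throw new IllegalArgumentException(
                    "'" + domainName + "' is reserved for marking federated users");
        }
    }

    public static void main(String[] args) {
        // Constructed sample users, not real data.
        TokenRow local = persist(AuthenticatedUser.local("alice", "hr"));
        TokenRow fed = persist(AuthenticatedUser.federated("bob@idp.example", "sample-idp"));
        System.out.println(local.userStoreDomain + " -> " + externalUserName(local));
        System.out.println(fed.userStoreDomain + " -> " + externalUserName(fed));
        System.out.println("federated? " + isFederatedRow(fed) + " / " + isFederatedRow(local));
        try {
            validateNewUserStoreDomain("federated");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The reserved-name check is case-insensitive because the storage path uppercases local domain names before writing them; a check that only rejected the exact string "FEDERATED" would let a domain created as "federated" be stored under the same value as the sentinel, which is exactly the collision the proposal's reservation is meant to rule out.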
