Please see [1] to read more about storing the application certificate in the database.
[1] - Mail Thread: '[Feature] Storing the application certificate in the database.'

On Fri, Jan 5, 2018 at 11:08 AM, Prakhash Sivakumar <[email protected]> wrote:
>
> On Fri, Jan 5, 2018 at 9:47 AM, Hasanthi Purnima Dissanayake <[email protected]> wrote:
>
>> Hi Isura/Omindu,
>>
>>> Which data are supposed to store in IDN_JWT_PRIVATE_KEY table? What is
>>> the reason to store those data?
>>
>> In the patch that we have provided for 5.3.0, this table contains the
>> following fields.
>> JWT_ID (primary key)
>> EXP_TIME
>> TIME_CREATED
>>
>> JWT_ID is a unique identifier for the token. According to the spec this
>> token should not be reused. So JWT_ID is responsible for preventing re-use of
>> this token. Hence we need to store the JWT_ID. Based on the EXP_TIME we
>> have planned to clean the records. The spec is a bit flexible on re-using
>> the token. So once the token is expired we let the same JWT_ID be
>> re-used.
>>
>> jti REQUIRED. JWT ID. A unique identifier for the token, which can be
>> used to prevent reuse of the token. These tokens MUST only be used once,
>> unless conditions for reuse were negotiated between the parties; any such
>> negotiation is beyond the scope of this specification.
>>
>>> If we are storing private keys in the table, make sure the content is
>>> encrypted to avoid security concerns.
>>
>> Actually we don't store private keys here. Anyway, the table name is a bit
>> misleading. So shall we re-name the table as IDN_OIDC_JTI?
>
> Yes, this name is misleading; as we don't store private keys here it's
> better to rename this table.
>
>> Thanks,
>>
>> On Fri, Jan 5, 2018 at 7:49 AM, Isura Karunaratne <[email protected]> wrote:
>>
>>> Hi Hasanthi,
>>>
>>> On Thu, Jan 4, 2018 at 4:32 PM, Hasanthi Purnima Dissanayake <[email protected]> wrote:
>>>
>>>> Hi All,
>>>>
>>>> Following tasks are identified for the implementation of the $subject.
>>>>
>>>> 1. Move the logic of validating the token API invocation request to
>>>> validate required parameters for JWT client authentication to
>>>> PrivatekeyJWTClientAuthHandler
>>>> 2. Introduce a new interface to read the public certificate.
>>>>    - Certificate can be read from keystore
>>>>    - Certificate can be read from db
>>>>    - Certificate can be read from any other means
>>>> 3. Data which will be persisted in IDN_JWT_PRIVATE_KEY can grow
>>>> rapidly, which may cause some performance issues. So we need to implement a
>>>> cleanup script based on the expiration time of the JWT.
>>>
>>> Which data are supposed to store in IDN_JWT_PRIVATE_KEY table? What is
>>> the reason to store those data?
>>>
>>> Thanks
>>> Isura.
>>>
>>>> 4. Honour the UI configuration for confidential applications which is
>>>> discussed in mail [1]
>>>>
>>>> Apart from the above, need to consider the following tasks:
>>>> 1. Improving the unit tests of the repository
>>>> 2. Improve the documentation for the $subject.
>>>>
>>>> [1] Confidential Applications in OAuth2 Flow
>>>>
>>>> Thanks,
>>>> --
>>>> Hasanthi Dissanayake
>>>> Senior Software Engineer | WSO2
>>>> E: [email protected]
>>>> M: 0718407133 | http://wso2.com
>>>
>>> --
>>> Isura Dilhara Karunaratne
>>> Associate Technical Lead | WSO2
>>> Email: [email protected]
>>> Mob: +94 772 254 810
>>> Blog: http://isurad.blogspot.com/
>>
>> --
>> Hasanthi Dissanayake
>> Senior Software Engineer | WSO2
>> E: [email protected]
>> M: 0718407133 | http://wso2.com
>
> --
> Prakhash Sivakumar
> Software Engineer | WSO2 Inc
> Platform Security Team
> Mobile: +94771510080
> Blog: https://medium.com/@PrakhashS

--
Best Regards
Rushmin Fernando
Technical Lead
WSO2 Inc. <http://wso2.com/> - Lean . Enterprise . Middleware
mobile : +94775615183
_______________________________________________ Architecture mailing list [email protected] https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
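The thread above settles on a small replay-prevention table (JWT_ID, EXP_TIME, TIME_CREATED) whose records are cleaned by expiry time, with an expired JWT_ID allowed to be used again. The following is an added example, not WSO2 Identity Server's own code, of how such a jti store behaves; it uses an in-memory SQLite table named after the IDN_OIDC_JTI rename proposed in the thread, and the class, method and column semantics beyond the three field names are assumptions. It also covers a point the thread does not spell out: two requests presenting the same jti at the same moment must not both be accepted, so the store relies on the primary key and a conditional UPDATE rather than a check-then-insert.

```python
"""Added example (not WSO2 Identity Server code): a jti replay store with
the behaviour described in the mail thread for the IDN_OIDC_JTI table.
Table/column names come from the thread; the rest is an assumption."""
import sqlite3
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class JtiResult:
    accepted: bool
    reason: str


class JtiStore:
    """Persist JWT_ID / EXP_TIME / TIME_CREATED for private_key_jwt assertions."""

    def __init__(self, conn: sqlite3.Connection) -> None:
        self.conn = conn
        # JWT_ID is the primary key, so a concurrent duplicate INSERT fails
        # in the database instead of slipping past an application-side check.
        self.conn.execute(
            "CREATE TABLE IF NOT EXISTS IDN_OIDC_JTI ("
            " JWT_ID TEXT PRIMARY KEY,"
            " EXP_TIME INTEGER NOT NULL,"
            " TIME_CREATED INTEGER NOT NULL)"
        )

    def register(self, jti: str, exp_time: int, now: Optional[int] = None) -> JtiResult:
        """Accept the jti once until exp_time; reject reuse before expiry."""
        now = int(time.time()) if now is None else now
        if exp_time <= now:
            return JtiResult(False, "assertion already expired")
        try:
            self.conn.execute(
                "INSERT INTO IDN_OIDC_JTI (JWT_ID, EXP_TIME, TIME_CREATED) VALUES (?, ?, ?)",
                (jti, exp_time, now),
            )
            self.conn.commit()
            return JtiResult(True, "accepted")
        except sqlite3.IntegrityError:
            self.conn.rollback()
        # JWT_ID already present: take it over only if the stored record has
        # expired (the thread allows an expired JWT_ID to be reused). The
        # condition lives in the UPDATE so the decision is atomic.
        cur = self.conn.execute(
            "UPDATE IDN_OIDC_JTI SET EXP_TIME = ?, TIME_CREATED = ? "
            "WHERE JWT_ID = ? AND EXP_TIME <= ?",
            (exp_time, now, jti, now),
        )
        self.conn.commit()
        if cur.rowcount == 1:
            return JtiResult(True, "accepted (expired jti re-registered)")
        return JtiResult(False, "jti reused before expiry")

    def cleanup(self, now: Optional[int] = None) -> int:
        """The cleanup job from the thread: drop records whose EXP_TIME has passed."""
        now = int(time.time()) if now is None else now
        cur = self.conn.execute("DELETE FROM IDN_OIDC_JTI WHERE EXP_TIME <= ?", (now,))
        self.conn.commit()
        return cur.rowcount

    def count(self) -> int:
        return self.conn.execute("SELECT COUNT(*) FROM IDN_OIDC_JTI").fetchone()[0]


def open_store() -> JtiStore:
    """Constructed in-memory store for demonstration and tests."""
    return JtiStore(sqlite3.connect(":memory:"))


if __name__ == "__main__":
    # Constructed timeline (epoch seconds): first use, replay, reuse after expiry.
    store = open_store()
    print(store.register("jti-1", exp_time=1000, now=900))   # accepted
    print(store.register("jti-1", exp_time=1000, now=950))   # rejected: replay
    print(store.register("jti-1", exp_time=1100, now=1001))  # accepted: expired
    print(store.register("jti-2", exp_time=1200, now=1000))  # accepted
    print("cleaned:", store.cleanup(now=1150), "remaining:", store.count())
```

The fixed `now` values are passed in only so the timeline is reproducible; a real deployment would use the server clock and a bounded clock skew. Note that cleanup and the conditional UPDATE both key off EXP_TIME, which is why the thread's "clean by expiry" plan and its "reuse after expiry" allowance are consistent with each other.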
