On Fri, Jan 5, 2018 at 11:55 AM, Isura Karunaratne <[email protected]> wrote:
> Hi Rushmin, > > On Fri, Jan 5, 2018 at 11:50 AM, Hasanthi Purnima Dissanayake < > [email protected]> wrote: > >> Hi Rushmin, >> >> *How is this done now?* >>> >>> The application certificate should be imported to the keystore file and >>> the alias should be mentioned in the service provider so that the service >>> provider can validate the signature against the certificate identified >>> by that alias. >>> >> >> If we have the current option of importing the certificate to the >> keystore, in JWT client authentication [1] we have to provide the >> certificate alias as the client id inorder to identify the application. So >> with this implementation we don't need to enforce end users to do the above >> as we can fetch the client_id directly from the db. >> >> +1 for the approach. >> >> [1] [IAM] JWT client authentication for OAuth 2.0 for IS 5.5.0 >> >> Thanks, >> >> On Fri, Jan 5, 2018 at 11:31 AM, Rushmin Fernando <[email protected]> >> wrote: >> >>> >>> In the identity server, a service provider represents the application >>> which uses the Identity Server as an Identity Provider. >>> >>> In some cases, Identity Server needs to validate the identity of the >>> application to make sure the authentication/authorization requests are >>> coming from the legitimate application. >>> >>> *How is this done now?* >>> >>> The application certificate should be imported to the keystore file and >>> the alias should be mentioned in the service provider so that the service >>> provider can validate the signature against the certificate identified by >>> that alias. >>> >>> *Why is this needs to be improved?* >>> >>> 1) keystore file resides in the file system. Therefore in a clustered >>> deployment, either the certificate should be added to all the nodes or the >>> keystore file should be synced. >>> >>> 2) The server needs a restart after importing a certificate. >>> >>> *What is the solution?* >>> >>> The certificate should be stored in the database so that it is shared >>> and a restart is not needed. >>> >>> *High-level design/UX decisions* >>> >>> 1) The SP UI will have a new text area to enter the certificate in PEM >>> format. >>> >> Is there any specific reason to use text area here? In IDP UI, we have an > option to upload the idp cert. IMO it is better to have that option in SP > UI as well for the UI consistance. > It is bit easier for users to paste the content staight away rather than uploading files. +1 for making both UIs consistent. > Thanks > Isura. > >> >>> 2) The certificate will be stored in the SP_APP table. A new column will >>> be added. >>> >>> *REASON*: >>> >>> Service provider --> certificate is a 1:1 relationship. >>> >>> 3) An interface will be introduced to abstract out the certificate >>> handling of the SP. Two implementations will be there to support the >>> current behavior and the proposed behavior. >>> >>> 4) Current behavior will be deprecated. >>> >>> 5) Choosing between the two implementations not explicit for the users, >>> so a configuration will not be provided. If a certificate is not available >>> in the database Identity Server will fall back to the current approach. >>> >>> *REASON*: >>> >>> 1. This feature is about changing an internal implementation. So the >>> users should not worry about it. >>> >>> >>> >>> Please share your thoughts. >>> >>> >>> >>> >>> -- >>> *Best Regards* >>> >>> *Rushmin Fernando* >>> *Technical Lead* >>> >>> WSO2 Inc. <http://wso2.com/> - Lean . Enterprise . Middleware >>> >>> mobile : +94775615183 >>> >>> >>> >>> _______________________________________________ >>> Architecture mailing list >>> [email protected] >>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture >>> >>> >> >> >> -- >> >> Hasanthi Dissanayake >> >> Senior Software Engineer | WSO2 >> >> E: [email protected] >> M :0718407133| http://wso2.com <http://wso2.com/> >> > > > > -- > > *Isura Dilhara Karunaratne* > Associate Technical Lead | WSO2 > Email: [email protected] > Mob : +94 772 254 810 <+94%2077%20225%204810> > Blog : http://isurad.blogspot.com/ > > > > -- *Best Regards* *Rushmin Fernando* *Technical Lead* WSO2 Inc. <http://wso2.com/> - Lean . Enterprise . Middleware mobile : +94775615183
_______________________________________________ Architecture mailing list [email protected] https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
