On Friday, January 5, 2018, Hasanthi Purnima Dissanayake <hasan...@wso2.com>
wrote:

> Hi Isura/Omindu,
>
>> Which data are supposed to be stored in the IDN_JWT_PRIVATE_KEY table? What is
>> the reason to store those data?
>>
>
> In the patch that we have provided for 5.3.0 , this table contains
> following fields.
> JWT_ID (primary key)
> EXP_TIME
> TIME_CREATED
>
> JWT_ID is a unique identifier for the token. According to the spec this
> token should not be reused. So JWT_ID is responsible for preventing re-use of
> this token. Hence we need to store the JWT_ID. Based on the EXP_TIME we
> have planned to clean the records. The spec is a bit flexible on re-using
> the token. So once the token is expired we let the same JWT_ID be
> re-used.
>

Shouldn't this restriction be per SP (client)?
Since jti is an identifier string, what happens if two different SPs send
two different JWTs with the same jti?


>
>
> jti REQUIRED. JWT ID. A unique identifier for the token, which can be used
> to prevent reuse of the token. These tokens MUST only be used once, unless
> conditions for reuse were negotiated between the parties; any such
> negotiation is beyond the scope of this specification.
>
>
>> If we are storing private keys in the table, make sure the content is
>> encrypted to avoid security concerns.
>
>
> Actually we don't store private keys here. Anyway the table name is a bit
> misleading. So shall we rename the table as IDN_OIDC_JTI?
>
>
> Thanks,
>
> On Fri, Jan 5, 2018 at 7:49 AM, Isura Karunaratne <is...@wso2.com> wrote:
>
>> Hi Hasanthi,
>>
>> On Thu, Jan 4, 2018 at 4:32 PM, Hasanthi Purnima Dissanayake <
>> hasan...@wso2.com> wrote:
>>
>>> Hi All,
>>>
>>> The following tasks are identified for the implementation of the $subject.
>>>
>>> 1. Move the logic of validating the token API invocation request to
>>> validate required parameters for JWT client authentication to
>>> PrivatekeyJWTClientAuthHandler
>>> 2. Introduce a new interface to read the public certificate.
>>>        - Certificate can be read from keystore
>>>        - Certificate can be read from db
>>>        - Certificate can be read from any other means
>>> 3. Data which will be persisted in IDN_JWT_PRIVATE_KEY can grow
>>> rapidly, which may cause some performance issues. So we need to implement a
>>> cleanup script based on the expiration time of the JWT.
>>>
>>
>> Which data are supposed to be stored in the IDN_JWT_PRIVATE_KEY table? What is
>> the reason to store those data?
>>
>> Thanks
>> Isura.
>>
>>> 4. Honour the UI configuration for confidential applications which is
>>> discussed in mail [1]
>>>
>>> Apart from the above, we need to consider the following tasks:
>>> 1. Improving the unit tests of the repository
>>> 2. Improving the documentation for the $subject.
>>>
>>>
>>> [1] Confidential Applications in OAuth2 Flow
>>>
>>> Thanks,
>>> --
>>>
>>> Hasanthi Dissanayake
>>>
>>> Senior Software Engineer | WSO2
>>>
>>> E: hasan...@wso2.com
>>> M: 0718407133 | http://wso2.com
>>>
>>
>>
>>
>> --
>>
>> *Isura Dilhara Karunaratne*
>> Associate Technical Lead | WSO2
>> Email: is...@wso2.com
>> Mob: +94 772 254 810
>> Blog : http://isurad.blogspot.com/
>>
>>
>>
>>
>
>
> --
>
> Hasanthi Dissanayake
>
> Senior Software Engineer | WSO2
>
> E: hasan...@wso2.com
> M: 0718407133 | http://wso2.com
>


-- 
Farasath Ahamed
Senior Software Engineer, WSO2 Inc.; http://wso2.com
Mobile: +94777603866
Blog: blog.farazath.com
Twitter: @farazath619 <https://twitter.com/farazath619>
_______________________________________________
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
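The per-client jti replay check Farasath asks about, with the expiry-based cleanup Hasanthi describes, written out as an added example that is not part of the original thread or of WSO2 Identity Server: an in-memory stand-in for the IDN_OIDC_JTI-style table keyed on (client_id, jti) rather than on jti alone. Assumptions: `client_id` is the SP's OAuth2 client identifier, times are epoch seconds taken from the assertion's `exp` claim, and the clock is injectable so the example can be run deterministically.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple


@dataclass
class JtiRecord:
    """One row of the replay table: mirrors JWT_ID / EXP_TIME / TIME_CREATED
    from the thread, plus the client the assertion was presented by."""
    client_id: str
    jti: str
    exp_time: float      # from the JWT "exp" claim, epoch seconds
    time_created: float  # when the row was written


class JtiStore:
    """Replay store for private_key_jwt client assertions.

    The key is (client_id, jti): two SPs that happen to pick the same jti
    string must not block each other, but one SP replaying its own assertion
    inside the validity window must be rejected.  A real table would carry the
    same pair as a composite unique key.
    """

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now
        self._rows: Dict[Tuple[str, str], JtiRecord] = {}

    def register(self, client_id: str, jti: str, exp_time: float) -> bool:
        """Return True if the assertion is fresh and is now recorded, False if
        it is expired or a replay of a still-valid jti for this client."""
        now = self._now()
        if exp_time <= now:
            return False                       # expired assertion: reject outright
        key = (client_id, jti)
        existing = self._rows.get(key)
        if existing is not None and existing.exp_time > now:
            return False                       # same client, same jti, still valid: replay
        # Either unseen, or the earlier row has expired (reuse after expiry is
        # tolerated, as the thread decides); overwrite with the new row.
        self._rows[key] = JtiRecord(client_id, jti, exp_time, now)
        return True

    def cleanup(self) -> int:
        """The scheduled cleanup from the thread: drop rows whose EXP_TIME has
        passed and return how many were removed."""
        now = self._now()
        stale = [k for k, r in self._rows.items() if r.exp_time <= now]
        for k in stale:
            del self._rows[k]
        return len(stale)
```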