Yes, Farasath. As for the offline discussions with Drashana, I came to the
same conclusion and exploring the SAML sample app right now.

Although I'm not sure about signing JWE. I couldn't find anything specific
about that in the RFC. Also, the API in Nimbus only expects the claims set
and the public key of the client to create and encrypt a JWE. Please do let
me know if you find something else.

On Fri, Feb 9, 2018 at 4:34 PM, Farasath Ahamed <farasa...@wso2.com> wrote:

>
>
> On Friday, February 9, 2018, Vihanga Liyanage <viha...@wso2.com> wrote:
>
>> [- Engineering, Strategy]
>> [+ Architecture, Dev]
>>
>> Thanks,
>> Vihanga
>>
>> On Fri, Feb 9, 2018 at 8:56 AM, Vihanga Liyanage <viha...@wso2.com>
>> wrote:
>>
>>> Hi Farasath,
>>>
>>> For the above two points IMO it would be better to provide an option at
>>>> Service Provider OAuth/OIDC configuration. This will be similar to what we
>>>> have done for SAML.
>>>>
>>>
>>> That is the initial idea came to me as well. But shouldn't the clients
>>> have a choice of deciding that as well? May be through a request parameter.
>>> To use either JWS or JWE, the client have to support them right?
>>>
>>
> By enabling the option to encrypt id_token in the service provider configs
> the client is acknowledging that it can support encrypted id_tokens.
>
> AFAIK even for JWE we need to first sign and then encrypt. Also I couldn't
> find any reference on a standard approach to allow clients to switch
> between JWS and JWE via a request parameter.
>
> If we take a look at how we handle this is SAML, we have an option in the
> SAML configs to say whether the assertion needs to be encrypted or not.
> Once the option to encrypt assertion is enabled SAML assertions will always
> be encrypted for the particular service provider (ie. There is no
> requirement to switch between signed or encrypted assertions)
>
> IMO we can follow the same approach. WDYT?
>
>
>>>> On a separate note, any specific reason why we are discussing this in
>>>> strategy and not in Dev and architecture mailing lists?
>>>>
>>>> I feel that we need to discuss this feature in architecture mailing
>>>> list to get the input from community.
>>>>
>>>
>>> No such specific reason at all. On the previous project I did, the mail
>>> was asked to sent to engineering and strategy. So I followed the same
>>> protocol. I'll change that now.
>>>
>>>>
>>>>
>>>>>
>>>>> Thanks,
>>>>> Vihanga.
>>>>>
>>>>> --
>>>>>
>>>>> Vihanga Liyanage
>>>>>
>>>>> Software Engineer | WS*O₂* Inc.
>>>>>
>>>>> M : +*94710124103* | http://wso2.com
>>>>>
>>>>> [image: http://wso2.com/signature] <http://wso2.com/signature>
>>>>>
>>>>>
>>>>> <https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail&utm_term=icon>
>>>>>  Virus-free.
>>>>> www.avast.com
>>>>> <https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail&utm_term=link>
>>>>> <#m_6964541531375253954_m_-4836321406318245336_m_-5520087002137875506_m_-4545884336410447238_m_6821664179648888237_DAB4FAD8-2DD7-40BB-A1B8-4E2AA1F9FDF2>
>>>>>
>>>>> --
>>>>> You received this message because you are subscribed to the Google
>>>>> Groups "WSO2 Engineering Group" group.
>>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>>> an email to engineering-group+unsubscr...@wso2.com.
>>>>> For more options, visit https://groups.google.com/a/wso2.com/d/optout.
>>>>>
>>>>
>>>>
>>>> --
>>>> Farasath Ahamed
>>>> Senior Software Engineer, WSO2 Inc.; http://wso2.com
>>>> Mobile: +94777603866
>>>> Blog: blog.farazath.com
>>>> Twitter: @farazath619 <https://twitter.com/farazath619>
>>>> <http://wso2.com/signature>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>>
>>> Vihanga Liyanage
>>>
>>> Software Engineer | WS*O₂* Inc.
>>>
>>> M : +*94710124103* | http://wso2.com
>>>
>>> [image: http://wso2.com/signature] <http://wso2.com/signature>
>>>
>>
>>
>>
>> --
>>
>> Vihanga Liyanage
>>
>> Software Engineer | WS*O₂* Inc.
>>
>> M : +*94710124103* | http://wso2.com
>>
>> [image: http://wso2.com/signature] <http://wso2.com/signature>
>>
>
>
> --
> Farasath Ahamed
> Senior Software Engineer, WSO2 Inc.; http://wso2.com
> Mobile: +94777603866
> Blog: blog.farazath.com
> Twitter: @farazath619 <https://twitter.com/farazath619>
> <http://wso2.com/signature>
>
>
>
>
>


-- 

Vihanga Liyanage

Software Engineer | WS*O₂* Inc.

M : +*94710124103* | http://wso2.com

[image: http://wso2.com/signature] <http://wso2.com/signature>
_______________________________________________
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture

Reply via email to