On Wed, Mar 7, 2018 at 11:26 AM, Vihanga Liyanage <viha...@wso2.com> wrote:

> Hi all,
>
> [Update]
> I have completed the second phase of the project, providing service
> provider level configurations in admin dashboard to configure encryption
> algorithm and encryption method. With this update, once you enable
> encrypting id tokens for an SP in the admin dashboard, two select boxes
> will appear with supported encryption algorithms and supported encryption
> methods. These supported algorithms are pulled from the identity.xml file.
>

Do we persist the encrypted ID Token to database at any point? If so, is
there any comparison of encrypted ID token with the value in the database?
I'm asking this because you seem to be using encryption algorithm with
dynamic padding.

>
>
>
> Respective git issue and pull requests are as follows.
>
>    - https://github.com/wso2/product-is/issues/2387
>    - https://github.com/wso2/carbon-identity-framework/pull/1416
>    - https://github.com/wso2-extensions/identity-inbound-
>    auth-oauth/pull/832
>
> I have also updated the docs as well.
>
> Thanks,
> Vihanga.
>
> On Tue, Feb 20, 2018 at 2:45 PM, Vihanga Liyanage <viha...@wso2.com>
> wrote:
>
>> Hi all,
>>
>> [Update]
>> I was able to complete the initial development of the proposed project,
>> encrypted id token support in OIDC flow. Following are the links related to
>> the development.
>>
>>    - An issue was created in product-is repository to track the
>>    development.
>>       - https://github.com/wso2/product-is/issues/2336
>>    - Pull request is made to identity-inbound-auth-oauth repository with
>>    required updates.
>>    - https://github.com/wso2-extensions/identity-inbound-auth-oau
>>       th/pull/798
>>    - Pull request is made to product-is repository with updated
>>    playground application to test the feature
>>    - https://github.com/wso2/product-is/pull/2313
>>    - Code review was held to review the code written in both PRs.
>>
>> All PRs are merged by now.
>> Currently, I'm working on integration test to test the newly added
>> feature.
>>
>> Thanks,
>> Vihanga
>>
>> On Fri, Feb 9, 2018 at 5:07 PM, Vihanga Liyanage <viha...@wso2.com>
>> wrote:
>>
>>> Yes, Farasath. As for the offline discussions with Drashana, I came to
>>> the same conclusion and exploring the SAML sample app right now.
>>>
>>> Although I'm not sure about signing JWE. I couldn't find anything
>>> specific about that in the RFC. Also, the API in Nimbus only expects the
>>> claims set and the public key of the client to create and encrypt a JWE.
>>> Please do let me know if you find something else.
>>>
>>> On Fri, Feb 9, 2018 at 4:34 PM, Farasath Ahamed <farasa...@wso2.com>
>>> wrote:
>>>
>>>>
>>>>
>>>> On Friday, February 9, 2018, Vihanga Liyanage <viha...@wso2.com> wrote:
>>>>
>>>>> [- Engineering, Strategy]
>>>>> [+ Architecture, Dev]
>>>>>
>>>>> Thanks,
>>>>> Vihanga
>>>>>
>>>>> On Fri, Feb 9, 2018 at 8:56 AM, Vihanga Liyanage <viha...@wso2.com>
>>>>> wrote:
>>>>>
>>>>>> Hi Farasath,
>>>>>>
>>>>>> For the above two points IMO it would be better to provide an option
>>>>>>> at Service Provider OAuth/OIDC configuration. This will be similar to 
>>>>>>> what
>>>>>>> we have done for SAML.
>>>>>>>
>>>>>>
>>>>>> That is the initial idea came to me as well. But shouldn't the
>>>>>> clients have a choice of deciding that as well? May be through a request
>>>>>> parameter. To use either JWS or JWE, the client have to support them 
>>>>>> right?
>>>>>>
>>>>>
>>>> By enabling the option to encrypt id_token in the service provider
>>>> configs the client is acknowledging that it can support encrypted
>>>> id_tokens.
>>>>
>>>> AFAIK even for JWE we need to first sign and then encrypt. Also I
>>>> couldn't find any reference on a standard approach to allow clients to
>>>> switch between JWS and JWE via a request parameter.
>>>>
>>>> If we take a look at how we handle this is SAML, we have an option in
>>>> the SAML configs to say whether the assertion needs to be encrypted or not.
>>>> Once the option to encrypt assertion is enabled SAML assertions will always
>>>> be encrypted for the particular service provider (ie. There is no
>>>> requirement to switch between signed or encrypted assertions)
>>>>
>>>> IMO we can follow the same approach. WDYT?
>>>>
>>>>
>>>>>>> On a separate note, any specific reason why we are discussing this
>>>>>>> in strategy and not in Dev and architecture mailing lists?
>>>>>>>
>>>>>>> I feel that we need to discuss this feature in architecture mailing
>>>>>>> list to get the input from community.
>>>>>>>
>>>>>>
>>>>>> No such specific reason at all. On the previous project I did, the
>>>>>> mail was asked to sent to engineering and strategy. So I followed the 
>>>>>> same
>>>>>> protocol. I'll change that now.
>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Vihanga.
>>>>>>>>
>>>>>>>> --
>>>>>>>>
>>>>>>>> Vihanga Liyanage
>>>>>>>>
>>>>>>>> Software Engineer | WS*O₂* Inc.
>>>>>>>>
>>>>>>>> M : +*94710124103* | http://wso2.com
>>>>>>>>
>>>>>>>> [image: http://wso2.com/signature] <http://wso2.com/signature>
>>>>>>>>
>>>>>>>>
>>>>>>>> <https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail&utm_term=icon>
>>>>>>>>  Virus-free.
>>>>>>>> www.avast.com
>>>>>>>> <https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail&utm_term=link>
>>>>>>>> <#m_2937290581037942005_m_4770696490581545647_m_-2123188955827273075_m_6964541531375253954_m_-4836321406318245336_m_-5520087002137875506_m_-4545884336410447238_m_6821664179648888237_DAB4FAD8-2DD7-40BB-A1B8-4E2AA1F9FDF2>
>>>>>>>>
>>>>>>>> --
>>>>>>>> You received this message because you are subscribed to the Google
>>>>>>>> Groups "WSO2 Engineering Group" group.
>>>>>>>> To unsubscribe from this group and stop receiving emails from it,
>>>>>>>> send an email to engineering-group+unsubscr...@wso2.com.
>>>>>>>> For more options, visit https://groups.google.com/a/ws
>>>>>>>> o2.com/d/optout.
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Farasath Ahamed
>>>>>>> Senior Software Engineer, WSO2 Inc.; http://wso2.com
>>>>>>> Mobile: +94777603866
>>>>>>> Blog: blog.farazath.com
>>>>>>> Twitter: @farazath619 <https://twitter.com/farazath619>
>>>>>>> <http://wso2.com/signature>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>>
>>>>>> Vihanga Liyanage
>>>>>>
>>>>>> Software Engineer | WS*O₂* Inc.
>>>>>>
>>>>>> M : +*94710124103* | http://wso2.com
>>>>>>
>>>>>> [image: http://wso2.com/signature] <http://wso2.com/signature>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>>
>>>>> Vihanga Liyanage
>>>>>
>>>>> Software Engineer | WS*O₂* Inc.
>>>>>
>>>>> M : +*94710124103* | http://wso2.com
>>>>>
>>>>> [image: http://wso2.com/signature] <http://wso2.com/signature>
>>>>>
>>>>
>>>>
>>>> --
>>>> Farasath Ahamed
>>>> Senior Software Engineer, WSO2 Inc.; http://wso2.com
>>>> Mobile: +94777603866
>>>> Blog: blog.farazath.com
>>>> Twitter: @farazath619 <https://twitter.com/farazath619>
>>>> <http://wso2.com/signature>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>>
>>> Vihanga Liyanage
>>>
>>> Software Engineer | WS*O₂* Inc.
>>>
>>> M : +*94710124103* | http://wso2.com
>>>
>>> [image: http://wso2.com/signature] <http://wso2.com/signature>
>>>
>>
>>
>>
>> --
>>
>> Vihanga Liyanage
>>
>> Software Engineer | WS*O₂* Inc.
>>
>> M : +*94710124103* | http://wso2.com
>>
>> [image: http://wso2.com/signature] <http://wso2.com/signature>
>>
>
>
>
> --
>
> Vihanga Liyanage
>
> Software Engineer | WS*O₂* Inc.
>
> M : +*94710124103* | http://wso2.com
>
> [image: http://wso2.com/signature] <http://wso2.com/signature>
>
> _______________________________________________
> Architecture mailing list
> Architecture@wso2.org
> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>
>


-- 
Denuwanthi De Silva
Senior Software Engineer;
WSO2 Inc.; http://wso2.com,
Email: denuwan...@wso2.com
Blog: https://denuwanthi.wordpress.com/
_______________________________________________
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture

Reply via email to