Even with signed id tokens, we didn't persist them in the database. Hence I didn't either. Do you see any value in doing so?
On Wed, Mar 7, 2018 at 12:46 PM, Denuwanthi De Silva <denuwan...@wso2.com> wrote:

> On Wed, Mar 7, 2018 at 11:26 AM, Vihanga Liyanage <viha...@wso2.com> wrote:
>
>> Hi all,
>>
>> [Update]
>> I have completed the second phase of the project, providing service
>> provider level configurations in admin dashboard to configure encryption
>> algorithm and encryption method. With this update, once you enable
>> encrypting id tokens for an SP in the admin dashboard, two select boxes
>> will appear with supported encryption algorithms and supported encryption
>> methods. These supported algorithms are pulled from the identity.xml file.
>
> Do we persist the encrypted ID Token to database at any point? If so, is
> there any comparison of encrypted ID token with the value in the database?
> I'm asking this because you seem to be using encryption algorithm with
> dynamic padding.
>
>> Respective git issue and pull requests are as follows.
>>
>> - https://github.com/wso2/product-is/issues/2387
>> - https://github.com/wso2/carbon-identity-framework/pull/1416
>> - https://github.com/wso2-extensions/identity-inbound-auth-oauth/pull/832
>>
>> I have also updated the docs.
>>
>> Thanks,
>> Vihanga.
>>
>> On Tue, Feb 20, 2018 at 2:45 PM, Vihanga Liyanage <viha...@wso2.com> wrote:
>>
>>> Hi all,
>>>
>>> [Update]
>>> I was able to complete the initial development of the proposed project,
>>> encrypted id token support in OIDC flow. Following are the links related to
>>> the development.
>>>
>>> - An issue was created in product-is repository to track the development.
>>>   - https://github.com/wso2/product-is/issues/2336
>>> - Pull request is made to identity-inbound-auth-oauth repository with
>>>   required updates.
>>>   - https://github.com/wso2-extensions/identity-inbound-auth-oauth/pull/798
>>> - Pull request is made to product-is repository with updated playground
>>>   application to test the feature.
>>>   - https://github.com/wso2/product-is/pull/2313
>>> - Code review was held to review the code written in both PRs.
>>>
>>> All PRs are merged by now.
>>> Currently, I'm working on an integration test to test the newly added
>>> feature.
>>>
>>> Thanks,
>>> Vihanga
>>>
>>> On Fri, Feb 9, 2018 at 5:07 PM, Vihanga Liyanage <viha...@wso2.com> wrote:
>>>
>>>> Yes, Farasath. As for the offline discussions with Drashana, I came to
>>>> the same conclusion and am exploring the SAML sample app right now.
>>>>
>>>> Although I'm not sure about signing JWE. I couldn't find anything
>>>> specific about that in the RFC. Also, the API in Nimbus only expects the
>>>> claims set and the public key of the client to create and encrypt a JWE.
>>>> Please do let me know if you find something else.
>>>>
>>>> On Fri, Feb 9, 2018 at 4:34 PM, Farasath Ahamed <farasa...@wso2.com> wrote:
>>>>
>>>>> On Friday, February 9, 2018, Vihanga Liyanage <viha...@wso2.com> wrote:
>>>>>
>>>>>> [- Engineering, Strategy]
>>>>>> [+ Architecture, Dev]
>>>>>>
>>>>>> Thanks,
>>>>>> Vihanga
>>>>>>
>>>>>> On Fri, Feb 9, 2018 at 8:56 AM, Vihanga Liyanage <viha...@wso2.com> wrote:
>>>>>>
>>>>>>> Hi Farasath,
>>>>>>>
>>>>>>>> For the above two points IMO it would be better to provide an option
>>>>>>>> at Service Provider OAuth/OIDC configuration. This will be similar to
>>>>>>>> what we have done for SAML.
>>>>>>>
>>>>>>> That is the initial idea that came to me as well. But shouldn't the
>>>>>>> clients have a choice of deciding that as well? Maybe through a request
>>>>>>> parameter. To use either JWS or JWE, the client has to support them,
>>>>>>> right?
>>>>>
>>>>> By enabling the option to encrypt id_token in the service provider
>>>>> configs the client is acknowledging that it can support encrypted
>>>>> id_tokens.
>>>>>
>>>>> AFAIK even for JWE we need to first sign and then encrypt. Also I
>>>>> couldn't find any reference on a standard approach to allow clients to
>>>>> switch between JWS and JWE via a request parameter.
>>>>>
>>>>> If we take a look at how we handle this in SAML, we have an option in
>>>>> the SAML configs to say whether the assertion needs to be encrypted or
>>>>> not. Once the option to encrypt assertion is enabled, SAML assertions
>>>>> will always be encrypted for the particular service provider (i.e. there
>>>>> is no requirement to switch between signed or encrypted assertions).
>>>>>
>>>>> IMO we can follow the same approach. WDYT?
>>>>>
>>>>>>>> On a separate note, any specific reason why we are discussing this
>>>>>>>> in strategy and not in Dev and architecture mailing lists?
>>>>>>>>
>>>>>>>> I feel that we need to discuss this feature in architecture mailing
>>>>>>>> list to get the input from community.
>>>>>>>
>>>>>>> No such specific reason at all. On the previous project I did, the
>>>>>>> mail was asked to be sent to engineering and strategy. So I followed
>>>>>>> the same protocol. I'll change that now.
>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>> Vihanga.
>>>>>>>>
>>>>>>>> --
>>>>>>>> Farasath Ahamed
>>>>>>>> Senior Software Engineer, WSO2 Inc.; http://wso2.com
>>>>>>>> Mobile: +94777603866
>>>>>>>> Blog: blog.farazath.com
>>>>>>>> Twitter: @farazath619 <https://twitter.com/farazath619>
>
> --
> Denuwanthi De Silva
> Senior Software Engineer;
> WSO2 Inc.; http://wso2.com,
> Email: denuwan...@wso2.com
> Blog: https://denuwanthi.wordpress.com/

--
Vihanga Liyanage
Software Engineer | WSO2 Inc.
M : +94710124103 | http://wso2.com
_______________________________________________ Architecture mailing list Architecture@wso2.org https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
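An added illustration, not code from the WSO2 PRs linked in the thread: the sign-then-encrypt nesting Farasath describes, written against the Nimbus JOSE+JWT API Vihanga mentions, with the JWE algorithm and encryption method taken from strings such as an SP configuration would supply. The key pairs and claim values are constructed for the demo; the final lines show why a stored ciphertext cannot be compared byte-for-byte, which is the concern Denuwanthi raises.

```java
import com.nimbusds.jose.*;
import com.nimbusds.jose.crypto.*;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.jwk.gen.RSAKeyGenerator;
import com.nimbusds.jwt.*;
import java.util.Date;

public class NestedIdTokenDemo {

    // IdP side: sign the claims with the IdP key, then wrap the JWS in a JWE for the
    // client's public key (nested JWT, RFC 7519 section 11.2). alg/enc come from SP config.
    static String issue(JWTClaimsSet claims, RSAKey idpKey, RSAKey clientKey,
                        String algFromSpConfig, String encFromSpConfig) throws Exception {
        SignedJWT jws = new SignedJWT(new JWSHeader(JWSAlgorithm.RS256), claims);
        jws.sign(new RSASSASigner(idpKey));
        JWEHeader header = new JWEHeader.Builder(
                JWEAlgorithm.parse(algFromSpConfig), EncryptionMethod.parse(encFromSpConfig))
                .contentType("JWT")   // tells the RP that the decrypted payload is itself a JWT
                .build();
        JWEObject jwe = new JWEObject(header, new Payload(jws));
        jwe.encrypt(new RSAEncrypter(clientKey.toRSAPublicKey()));
        return jwe.serialize();
    }

    // Client side: decrypt with its private key, then verify the inner JWS with the IdP key.
    static JWTClaimsSet consume(String token, RSAKey clientKey, RSAKey idpKey) throws Exception {
        JWEObject jwe = JWEObject.parse(token);
        jwe.decrypt(new RSADecrypter(clientKey.toRSAPrivateKey()));
        SignedJWT jws = jwe.getPayload().toSignedJWT();
        if (jws == null || !jws.verify(new RSASSAVerifier(idpKey.toRSAPublicKey()))) {
            throw new SecurityException("inner JWS signature invalid");
        }
        return jws.getJWTClaimsSet();
    }

    public static void main(String[] args) throws Exception {
        RSAKey idpKey = new RSAKeyGenerator(2048).generate();      // constructed demo keys
        RSAKey clientKey = new RSAKeyGenerator(2048).generate();
        JWTClaimsSet claims = new JWTClaimsSet.Builder()            // constructed demo claims
                .issuer("https://idp.example").subject("alice").audience("sp-1")
                .jwtID("demo-jti-1").expirationTime(new Date(System.currentTimeMillis() + 60_000))
                .build();
        String t1 = issue(claims, idpKey, clientKey, "RSA-OAEP-256", "A128GCM");
        String t2 = issue(claims, idpKey, clientKey, "RSA-OAEP-256", "A128GCM");
        // A fresh CEK and IV are drawn per encryption, so equal claims never give equal tokens;
        // any lookup must key on a decrypted, verified claim such as jti, not on the ciphertext.
        System.out.println("ciphertexts equal: " + t1.equals(t2));
        System.out.println("jti equal after decrypt+verify: " + consume(t1, clientKey, idpKey)
                .getJWTID().equals(consume(t2, clientKey, idpKey).getJWTID()));
    }
}
```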