Thanks for the response Vihanga. So according to your response:

Encryption Algorithm = Asymmetric Key Encryption Algorithm
Encryption Method = Symmetric Key Encryption Algorithm

Yeah, I think it's a bit confusing. We may use better names than the lib. Nothing comes to my mind now :)

Thanks
Godwin

On Thu, Mar 8, 2018 at 10:00 AM, Vihanga Liyanage <[email protected]> wrote:
> The encryption algorithm is the asymmetric key encryption algorithm that
> is used to encrypt the CEK with the recipient's public key. I've updated
> these in the public docs [1], [2]. I know these two names are confusing a
> bit. I just followed the lib for the time being.
>
> I'd be happy to talk about a suitable name pair. :)
>
> [1] - https://docs.wso2.com/display/IS550/Decrypting+OpenID+Connect+Encrypted+ID+Tokens
> [2] - https://docs.wso2.com/display/IS550/Testing+OIDC+Encrypted+ID+Token+with+IS+5.5.0
>
> On Thu, Mar 8, 2018 at 9:53 AM, Godwin Shrimal <[email protected]> wrote:
>> Well, if the Encryption Method mentioned is referring to "symmetric key
>> encryption algorithm", what is "Encryption Algorithm" on the screen?
>>
>> Thanks
>> Godwin
>>
>> On Thu, Mar 8, 2018 at 9:47 AM, Godwin Shrimal <[email protected]> wrote:
>>> Can you send me the list of values in that dropdown? Cipher Block
>>> Chaining is how we are chaining encrypted values since encryption happens
>>> as blocks (8 bit, 6 bit etc.). You can read about it here [1].
>>>
>>> [1] https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation
>>>
>>> Thanks
>>> Godwin
>>>
>>> On Wed, Mar 7, 2018 at 10:57 PM, Vihanga Liyanage <[email protected]> wrote:
>>>> The Encryption Method mentioned here is the symmetric key encryption
>>>> algorithm that is used to encrypt the JWT claims set. We used the Nimbus
>>>> [1] library for the implementation and within that, they have used the
>>>> name "Encryption Method" to identify this algorithm. They have a class
>>>> defined as com.nimbusds.jose.EncryptionMethod which wraps all supported
>>>> symmetric key encryption algorithms. I took the name from there.
>>>>
>>>> I'm not sure what you mean by "cipher chaining mode". Is this mentioned
>>>> in the JWE RFC?
>>>>
>>>> [1] - https://connect2id.com/products/nimbus-jose-jwt
>>>>
>>>> On Wed, Mar 7, 2018 at 10:00 PM, Godwin Shrimal <[email protected]> wrote:
>>>>> should be corrected as "Chaining Mode".
>>>>>
>>>>> Thanks
>>>>> Godwin
>>>>>
>>>>> On Wed, Mar 7, 2018 at 5:26 PM, Godwin Shrimal <[email protected]> wrote:
>>>>>> Is "Encryption Method" the correct term/word here? AFAIK it's cipher
>>>>>> chaining mode. I know it's a technical word, but still, I feel like we
>>>>>> have to use correct naming. Something like "Chaining Mode".
>>>>>>
>>>>>> Thanks
>>>>>> Godwin
>>>>>>
>>>>>> On Wed, Mar 7, 2018 at 11:26 AM, Vihanga Liyanage <[email protected]> wrote:
>>>>>>> Hi all,
>>>>>>>
>>>>>>> [Update]
>>>>>>> I have completed the second phase of the project, providing service
>>>>>>> provider level configurations in the admin dashboard to configure the
>>>>>>> encryption algorithm and encryption method. With this update, once you
>>>>>>> enable encrypting id tokens for an SP in the admin dashboard, two select
>>>>>>> boxes will appear with the supported encryption algorithms and supported
>>>>>>> encryption methods. These supported algorithms are pulled from the
>>>>>>> identity.xml file.
>>>>>>>
>>>>>>> Respective git issue and pull requests are as follows.
>>>>>>>
>>>>>>> - https://github.com/wso2/product-is/issues/2387
>>>>>>> - https://github.com/wso2/carbon-identity-framework/pull/1416
>>>>>>> - https://github.com/wso2-extensions/identity-inbound-auth-oauth/pull/832
>>>>>>>
>>>>>>> I have also updated the docs.
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Vihanga.
>>>>>>>
>>>>>>> On Tue, Feb 20, 2018 at 2:45 PM, Vihanga Liyanage <[email protected]> wrote:
>>>>>>>> Hi all,
>>>>>>>>
>>>>>>>> [Update]
>>>>>>>> I was able to complete the initial development of the proposed
>>>>>>>> project, encrypted id token support in the OIDC flow. Following are the
>>>>>>>> links related to the development.
>>>>>>>>
>>>>>>>> - An issue was created in the product-is repository to track the
>>>>>>>> development.
>>>>>>>> - https://github.com/wso2/product-is/issues/2336
>>>>>>>> - A pull request was made to the identity-inbound-auth-oauth
>>>>>>>> repository with the required updates.
>>>>>>>> - https://github.com/wso2-extensions/identity-inbound-auth-oauth/pull/798
>>>>>>>> - A pull request was made to the product-is repository with an updated
>>>>>>>> playground application to test the feature.
>>>>>>>> - https://github.com/wso2/product-is/pull/2313
>>>>>>>> - A code review was held to review the code written in both PRs.
>>>>>>>>
>>>>>>>> All PRs are merged by now.
>>>>>>>> Currently, I'm working on an integration test to test the newly added
>>>>>>>> feature.
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Vihanga
>>>>>>>>
>>>>>>>> On Fri, Feb 9, 2018 at 5:07 PM, Vihanga Liyanage <[email protected]> wrote:
>>>>>>>>> Yes, Farasath. As for the offline discussions with Drashana, I
>>>>>>>>> came to the same conclusion and am exploring the SAML sample app right
>>>>>>>>> now.
>>>>>>>>>
>>>>>>>>> Although I'm not sure about signing JWE. I couldn't find anything
>>>>>>>>> specific about that in the RFC. Also, the API in Nimbus only expects
>>>>>>>>> the claims set and the public key of the client to create and encrypt
>>>>>>>>> a JWE. Please do let me know if you find something else.
>>>>>>>>>
>>>>>>>>> On Fri, Feb 9, 2018 at 4:34 PM, Farasath Ahamed <[email protected]> wrote:
>>>>>>>>>> On Friday, February 9, 2018, Vihanga Liyanage <[email protected]> wrote:
>>>>>>>>>>> [- Engineering, Strategy]
>>>>>>>>>>> [+ Architecture, Dev]
>>>>>>>>>>>
>>>>>>>>>>> Thanks,
>>>>>>>>>>> Vihanga
>>>>>>>>>>>
>>>>>>>>>>> On Fri, Feb 9, 2018 at 8:56 AM, Vihanga Liyanage <[email protected]> wrote:
>>>>>>>>>>>> Hi Farasath,
>>>>>>>>>>>>
>>>>>>>>>>>>> For the above two points IMO it would be better to provide an
>>>>>>>>>>>>> option at Service Provider OAuth/OIDC configuration. This will be
>>>>>>>>>>>>> similar to what we have done for SAML.
>>>>>>>>>>>>
>>>>>>>>>>>> That is the initial idea that came to me as well. But shouldn't the
>>>>>>>>>>>> clients have a choice of deciding that as well? Maybe through a
>>>>>>>>>>>> request parameter. To use either JWS or JWE, the client has to
>>>>>>>>>>>> support them, right?
>>>>>>>>>>
>>>>>>>>>> By enabling the option to encrypt id_token in the service
>>>>>>>>>> provider configs the client is acknowledging that it can support
>>>>>>>>>> encrypted id_tokens.
>>>>>>>>>>
>>>>>>>>>> AFAIK even for JWE we need to first sign and then encrypt. Also I
>>>>>>>>>> couldn't find any reference on a standard approach to allow clients
>>>>>>>>>> to switch between JWS and JWE via a request parameter.
>>>>>>>>>>
>>>>>>>>>> If we take a look at how we handle this in SAML, we have an
>>>>>>>>>> option in the SAML configs to say whether the assertion needs to be
>>>>>>>>>> encrypted or not. Once the option to encrypt assertion is enabled,
>>>>>>>>>> SAML assertions will always be encrypted for the particular service
>>>>>>>>>> provider (i.e. there is no requirement to switch between signed or
>>>>>>>>>> encrypted assertions).
>>>>>>>>>>
>>>>>>>>>> IMO we can follow the same approach. WDYT?
>>>>>>>>>>
>>>>>>>>>>>>> On a separate note, any specific reason why we are discussing
>>>>>>>>>>>>> this in strategy and not in the Dev and architecture mailing lists?
>>>>>>>>>>>>>
>>>>>>>>>>>>> I feel that we need to discuss this feature in the architecture
>>>>>>>>>>>>> mailing list to get input from the community.
>>>>>>>>>>>>
>>>>>>>>>>>> No such specific reason at all. On the previous project I did,
>>>>>>>>>>>> the mail was asked to be sent to engineering and strategy. So I
>>>>>>>>>>>> followed the same protocol. I'll change that now.
>>>>>>>>>>>>
>>>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>>> Vihanga.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> --
>>>>>>>>>>>>>> Vihanga Liyanage
>>>>>>>>>>>>>> Software Engineer | WSO₂ Inc.
>>>>>>>>>>>>>> M : +94710124103 | http://wso2.com
>>>>>>>>>>>>>
>>>>>>>>>>>>> --
>>>>>>>>>>>>> Farasath Ahamed
>>>>>>>>>>>>> Senior Software Engineer, WSO2 Inc.; http://wso2.com
>>>>>>>>>>>>> Mobile: +94777603866
>>>>>>>>>>>>> Blog: blog.farazath.com
>>>>>>>>>>>>> Twitter: @farazath619 <https://twitter.com/farazath619>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Architecture mailing list
>>>>>>> [email protected]
>>>>>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>>>>>
>>>>>> --
>>>>>> Godwin Amila Shrimal
>>>>>> Associate Technical Lead
>>>>>> WSO2 Inc.; http://wso2.com
>>>>>> lean.enterprise.middleware
>>>>>> mobile: +94772264165
>>>>>> linkedin: https://www.linkedin.com/in/godwin-amila-2ba26844/
>>>>>> twitter: https://twitter.com/godwinamila
>>>>
>>>> _______________________________________________
>>>> Dev mailing list
>>>> [email protected]
>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
_______________________________________________ Architecture mailing list [email protected] https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
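The alg/enc distinction Vihanga describes (the key-management algorithm wraps the CEK with the recipient's public key; the content-encryption method encrypts the claims set) and Farasath's sign-then-encrypt point, as an added stand-alone Python example that is not part of this thread or of the WSO2/Nimbus code: it splits a compact JWE, reads the protected header, checks both header values against an allow-list, and reports whether the payload is a nested signed JWT (cty: JWT). The allow-lists, helper names and the placeholder token body are assumptions constructed for this example.

```python
import base64
import json

# Constructed allow-list of "alg" values: the asymmetric key-management
# algorithm that wraps the CEK with the recipient's public key.
# RSA1_5 is left out because PKCS#1 v1.5 padding is discouraged for new use.
ALLOWED_ALG = {"RSA-OAEP", "RSA-OAEP-256"}
# Constructed allow-list of "enc" values: the symmetric AEAD content-encryption
# method (the "Encryption Method" of the thread) that encrypts the claims set.
ALLOWED_ENC = {"A128GCM", "A192GCM", "A256GCM", "A128CBC-HS256", "A256CBC-HS512"}


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JOSE serialises every segment."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    """Inverse of b64url_encode; restores the padding before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def policy_problems(alg, enc) -> list:
    """Return a list of reasons the (alg, enc) pair must be rejected; empty if fine."""
    problems = []
    if alg not in ALLOWED_ALG:
        problems.append(f"key-management algorithm {alg!r} not allowed")
    if enc not in ALLOWED_ENC:
        problems.append(f"content-encryption method {enc!r} not allowed")
    return problems


def inspect_jwe(token: str) -> dict:
    """Describe a compact JWE (header.encrypted_key.iv.ciphertext.tag)."""
    parts = token.split(".")
    if len(parts) != 5:
        raise ValueError(f"expected 5 JWE segments, got {len(parts)}")
    header = json.loads(b64url_decode(parts[0]))
    alg, enc = header.get("alg"), header.get("enc")
    return {
        "encryption_algorithm": alg,   # asymmetric, wraps the CEK
        "encryption_method": enc,      # symmetric, encrypts the claims set
        # RFC 7519: "cty": "JWT" marks a nested (signed, then encrypted) JWT,
        # so the signature must be verified after decryption.
        "nested_signed_jwt": str(header.get("cty", "")).upper() == "JWT",
        "encrypted_key_bytes": len(b64url_decode(parts[1])),
        "problems": policy_problems(alg, enc),
    }


def make_sample_jwe(alg: str, enc: str, nested: bool) -> str:
    """Constructed sample: a real protected header over placeholder body segments."""
    header = {"alg": alg, "enc": enc}
    if nested:
        header["cty"] = "JWT"
    head = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    # 256-byte wrapped key (RSA-2048 size), 12-byte IV, ciphertext, 16-byte tag
    body = [b64url_encode(b"\x00" * n) for n in (256, 12, 40, 16)]
    return ".".join([head] + body)
```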
