Hi Bhathiya, On Wed, May 23, 2018 at 1:05 PM, Bhathiya Jayasekara <[email protected]> wrote:
> Hi Megala, > > On Wed, May 23, 2018 at 10:11 AM, Megala Uthayakumar <[email protected]> > wrote: > >> Hi All, >> >> I am working on $subject for IS 5.5.0. >> >> When handling custom claims, we do have two options. >> >> 1. Handling custom claims as we have handled it in the >> SAML2BearerGrantHandler. >> - Current SAML2BearerGrantHandler converts the claims coming from >> IDP to local claims and then filter out oidc claims only, given that >> scope >> is given as openid. >> 2. Handle relevant custom claims as it is when scope is not openid >> and if the scope is openid filter out the openid scopes as we do for >> SAML2BearerGrantHandler >> - If the scope is not openid, add all the custom claims with the >> access token. >> - If the scope is openid, follow the same approach followed by >> SAML2BearerGrantHandler. >> >> I think option 2 is better way to handle this, becuase, >> >> JWT do not restrict the collection of custom claims, hence if we go with >> option 1, customer is expected to select one of the open id claims to get >> his claims back in original incoming JWT. >> > > Could you please explain this line further? > In our wso2 IS server, we have predefined list of oidc claims[1], but in JWT we can have custom claims that are not defined in our list. For example, A thrid party identity provider may send a claim with the name "testClaim" with its JWT token and the service provider may expect the same claim with the same name, but this cannot be done in our case, as we only pass the predefined set of oidc claims to service provider. > And in the subject you meant generating access token (but not JWT token) > right? > Self contained access token, which is a JWT token. [2] > > Thanks, > Bhathiya > [1] https://docs.wso2.com/display/IS550/Configuring+Claims+f or+an+Identity+Provider#ConfiguringClaimsforanIdentityProvid er-MappingconfiguredclaimstoanOpenIDConnectclaim [2] https://docs.wso2.com/display/IS550/Self-contained+Access+Tokens <https://docs.wso2.com/display/IS550/Self-contained+Access+Tokens> -- Megala Uthayakumar Senior Software Engineer Mobile : 0779967122
_______________________________________________ Architecture mailing list [email protected] https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
