Thanks, I just understood the scenario.

Thanks,
Bhathiya

On Wed, May 23, 2018 at 2:36 PM, Megala Uthayakumar <[email protected]> wrote:
> Hi Bhathiya,
>
> On Wed, May 23, 2018 at 1:05 PM, Bhathiya Jayasekara <[email protected]> wrote:
>> Hi Megala,
>>
>> On Wed, May 23, 2018 at 10:11 AM, Megala Uthayakumar <[email protected]> wrote:
>>> Hi All,
>>>
>>> I am working on $subject for IS 5.5.0.
>>>
>>> When handling custom claims, we have two options.
>>>
>>> 1. Handle custom claims as we have handled them in the SAML2BearerGrantHandler.
>>>    - The current SAML2BearerGrantHandler converts the claims coming from the IDP to local claims and then filters out OIDC claims only, given that the scope is openid.
>>> 2. Handle relevant custom claims as they are when the scope is not openid, and if the scope is openid, filter out the OpenID scopes as we do for the SAML2BearerGrantHandler.
>>>    - If the scope is not openid, add all the custom claims with the access token.
>>>    - If the scope is openid, follow the same approach followed by the SAML2BearerGrantHandler.
>>>
>>> I think option 2 is the better way to handle this, because
>>>
>>> JWT does not restrict the collection of custom claims, hence if we go with option 1, the customer is expected to select one of the OpenID claims to get his claims back in the original incoming JWT.
>>
>> Could you please explain this line further?
>
> In our WSO2 IS server, we have a predefined list of OIDC claims [1], but in JWT we can have custom claims that are not defined in our list.
>
> For example,
> A third party identity provider may send a claim with the name "testClaim" with its JWT token, and the service provider may expect the same claim with the same name, but this cannot be done in our case, as we only pass the predefined set of OIDC claims to the service provider.
>
>> And in the subject you meant generating an access token (but not a JWT token), right?
>
> Self contained access token, which is a JWT token. [2]
>
>> Thanks,
>> Bhathiya
>
> [1] https://docs.wso2.com/display/IS550/Configuring+Claims+for+an+Identity+Provider#ConfiguringClaimsforanIdentityProvider-MappingconfiguredclaimstoanOpenIDConnectclaim
> [2] https://docs.wso2.com/display/IS550/Self-contained+Access+Tokens
>
> --
> Megala Uthayakumar
> Senior Software Engineer
> Mobile : 0779967122

--
Bhathiya Jayasekara
Associate Technical Lead, WSO2 inc., http://wso2.com
Phone: +94715478185
LinkedIn: http://www.linkedin.com/in/bhathiyaj
Twitter: https://twitter.com/bhathiyax
Blog: http://movingaheadblog.blogspot.com
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
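As an added illustration of the two options discussed in the thread (this is not code from the thread or from WSO2 IS), the following claim-release function shows how an incoming JWT's "testClaim" is dropped under option 1 but passed through under option 2 when the scope is not openid. The claim mappings, the incoming payload, and the behaviour of option 1 without the openid scope (no user claims released) are constructed assumptions.

```python
from typing import Dict, Set

# Constructed stand-in for the server's predefined OIDC claim list ([1] in the thread):
# local claim URI -> OIDC claim name released to the service provider.
LOCAL_TO_OIDC: Dict[str, str] = {
    "http://wso2.org/claims/emailaddress": "email",
    "http://wso2.org/claims/givenname": "given_name",
}

# Constructed IdP -> local claim mapping (what the identity provider claim config supplies).
IDP_TO_LOCAL: Dict[str, str] = {
    "email": "http://wso2.org/claims/emailaddress",
    "given_name": "http://wso2.org/claims/givenname",
}

# Registered JWT claims (RFC 7519) are never treated as custom user claims.
REGISTERED: Set[str] = {"iss", "sub", "aud", "exp", "nbf", "iat", "jti"}

# Constructed incoming JWT payload from a third party IdP; note the unmapped "testClaim".
INCOMING = {"iss": "https://idp.example", "sub": "alice", "exp": 1527062400,
            "email": "alice@example.com", "testClaim": "custom-value"}


def custom_claims(payload: Dict[str, object]) -> Dict[str, object]:
    """Everything in the incoming token that is not a registered JWT claim."""
    return {k: v for k, v in payload.items() if k not in REGISTERED}


def option1(payload: Dict[str, object], scopes: Set[str]) -> Dict[str, object]:
    """Option 1: map IdP claims to local claims, then release only those that map to a
    predefined OIDC claim, and only when openid is requested (assumption: nothing otherwise).
    Unmapped claims such as testClaim never reach the issued access token."""
    if "openid" not in scopes:
        return {}
    released = {}
    for idp_name, value in custom_claims(payload).items():
        local = IDP_TO_LOCAL.get(idp_name)
        if local in LOCAL_TO_OIDC:
            released[LOCAL_TO_OIDC[local]] = value
    return released


def option2(payload: Dict[str, object], scopes: Set[str]) -> Dict[str, object]:
    """Option 2: without openid, copy every custom claim unchanged into the access token;
    with openid, behave exactly like option 1. Without openid the IdP claim config no longer
    acts as an allow-list, so every non-registered claim the IdP asserted is carried through."""
    if "openid" in scopes:
        return option1(payload, scopes)
    return custom_claims(payload)
```

Running `option2(INCOMING, set())` keeps both `email` and `testClaim`, while `option1(INCOMING, {"openid"})` keeps only `email`.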
