Yes. I tried to explain the same thing; it seems it is confusing. I will simplify it.

Thanks.

Regards,
Megala

On Wed, May 30, 2018 at 4:12 PM, Farasath Ahamed <[email protected]> wrote:
>
> On Wed, May 30, 2018 at 4:04 PM, Megala Uthayakumar <[email protected]> wrote:
>> Resending the missing image
>
> Regarding the "SP Claim Mapping exist with requested attributes" decision,
> shouldn't this simply be SP requested claims since we do not care about SP
> claim mapping in the OIDC flow?
>
>> On Wed, May 30, 2018 at 4:02 PM, Megala Uthayakumar <[email protected]> wrote:
>>> Hi,
>>>
>>> As per the offline discussion with the IAM team, following is the agreed
>>> design.
>>>
>>> Darshana/Maduranga/Farasath/IAM Team - Please do correct me if I have
>>> misunderstood regarding this.
>>>
>>> Thanks.
>>>
>>> Regards,
>>> Megala
>>>
>>> On Thu, May 24, 2018 at 9:41 AM, Megala Uthayakumar <[email protected]> wrote:
>>>> Hi,
>>>>
>>>> As per the meeting held offline, it was decided to only send the custom
>>>> claims when the scope is given as "openid". Sending custom claims that are
>>>> not defined in the dialect can be supported by adding new claims to the
>>>> openid dialect and by appending the relevant scopes to the "/oidc" resource
>>>> in the config registry.
>>>>
>>>> Thanks.
>>>>
>>>> Regards,
>>>> Megala
>>>>
>>>> On Wed, May 23, 2018 at 2:41 PM, Bhathiya Jayasekara <[email protected]> wrote:
>>>>> Thanks, I just understood the scenario.
>>>>>
>>>>> Thanks,
>>>>> Bhathiya
>>>>>
>>>>> On Wed, May 23, 2018 at 2:36 PM, Megala Uthayakumar <[email protected]> wrote:
>>>>>> Hi Bhathiya,
>>>>>>
>>>>>> On Wed, May 23, 2018 at 1:05 PM, Bhathiya Jayasekara <[email protected]> wrote:
>>>>>>> Hi Megala,
>>>>>>>
>>>>>>> On Wed, May 23, 2018 at 10:11 AM, Megala Uthayakumar <[email protected]> wrote:
>>>>>>>> Hi All,
>>>>>>>>
>>>>>>>> I am working on $subject for IS 5.5.0.
>>>>>>>>
>>>>>>>> When handling custom claims, we do have two options.
>>>>>>>>
>>>>>>>> 1. Handling custom claims as we have handled it in the
>>>>>>>>    SAML2BearerGrantHandler.
>>>>>>>>    - The current SAML2BearerGrantHandler converts the claims coming
>>>>>>>>      from the IDP to local claims and then filters out oidc claims only,
>>>>>>>>      given that the scope is given as openid.
>>>>>>>> 2. Handle the relevant custom claims as they are when the scope is not
>>>>>>>>    openid, and if the scope is openid filter out the openid scopes as
>>>>>>>>    we do for SAML2BearerGrantHandler.
>>>>>>>>    - If the scope is not openid, add all the custom claims with the
>>>>>>>>      access token.
>>>>>>>>    - If the scope is openid, follow the same approach followed by
>>>>>>>>      SAML2BearerGrantHandler.
>>>>>>>>
>>>>>>>> I think option 2 is the better way to handle this, because JWT does
>>>>>>>> not restrict the collection of custom claims, hence if we go with
>>>>>>>> option 1, the customer is expected to select one of the open id claims
>>>>>>>> to get his claims back in the original incoming JWT.
>>>>>>>
>>>>>>> Could you please explain this line further?
>>>>>>
>>>>>> In our wso2 IS server, we have a predefined list of oidc claims [1], but
>>>>>> in JWT we can have custom claims that are not defined in our list.
>>>>>>
>>>>>> For example, a third party identity provider may send a claim with the
>>>>>> name "testClaim" with its JWT token and the service provider may expect
>>>>>> the same claim with the same name, but this cannot be done in our case,
>>>>>> as we only pass the predefined set of oidc claims to the service provider.
>>>>>>
>>>>>>> And in the subject you meant generating access token (but not JWT
>>>>>>> token) right?
>>>>>>
>>>>>> Self contained access token, which is a JWT token. [2]
>>>>>>
>>>>>>> Thanks,
>>>>>>> Bhathiya
>>>>>>
>>>>>> [1] https://docs.wso2.com/display/IS550/Configuring+Claims+for+an+Identity+Provider#ConfiguringClaimsforanIdentityProvider-MappingconfiguredclaimstoanOpenIDConnectclaim
>>>>>> [2] https://docs.wso2.com/display/IS550/Self-contained+Access+Tokens
>>>>>
>>>>> --
>>>>> Bhathiya Jayasekara
>>>>> Associate Technical Lead,
>>>>> WSO2 inc., http://wso2.com
>>>>>
>>>>> Phone: +94715478185
>>>>> LinkedIn: http://www.linkedin.com/in/bhathiyaj
>>>>> Twitter: https://twitter.com/bhathiyax
>>>>> Blog: http://movingaheadblog.blogspot.com
>
> --
> Farasath Ahamed
> Senior Software Engineer, WSO2 Inc.; http://wso2.com
> Mobile: +94777603866
> Blog: blog.farazath.com
> Twitter: @farazath619

--
Megala Uthayakumar
Senior Software Engineer
Mobile : 0779967122
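The claim flow agreed in the thread, as a constructed Python model added here (it is not WSO2 Identity Server code): IdP claims are mapped to local claims, narrowed to the SP requested claims, translated to the openid dialect and then filtered by the scope-to-claim mapping, with custom claims released only when "openid" is requested; `passthrough_without_openid=True` models option 2 from the first mail for comparison. The configuration shapes, claim URIs, `register_custom_claim` helper and the "testClaim" sample values are assumptions.

```python
# Constructed illustration of the claim-handling design from the thread.
# Config dicts stand in for the IdP claim mapping, the openid dialect and the
# "/oidc" registry resource; none of this is WSO2 IS code.


def sample_config():
    """Constructed config: IdP claim mapping, openid dialect, scope mapping."""
    idp_mapping = {"email": "http://wso2.org/claims/emailaddress",      # remote name -> local URI
                   "given_name": "http://wso2.org/claims/givenname"}
    dialect = {"http://wso2.org/claims/emailaddress": "email",          # local URI -> OIDC name
               "http://wso2.org/claims/givenname": "given_name"}
    scope_claims = {"profile": {"given_name"}, "email": {"email"}}      # stands in for "/oidc"
    return idp_mapping, dialect, scope_claims


def register_custom_claim(name, local_uri, scope, idp_mapping, dialect, scope_claims):
    """Extension path agreed in the thread: add the claim to the openid dialect
    (and the IdP mapping) and append it to the relevant scope in "/oidc"."""
    idp_mapping[name] = local_uri
    dialect[local_uri] = name
    scope_claims.setdefault(scope, set()).add(name)


def token_claims(jwt_claims, scopes, sp_requested, idp_mapping, dialect,
                 scope_claims, passthrough_without_openid=False):
    """Claims to embed in the self-contained (JWT) access token.

    passthrough_without_openid=False is the agreed design: custom claims are
    only released with the "openid" scope. True models option 2, which copies
    the incoming JWT claims unchanged when "openid" is not requested.
    """
    if "openid" not in scopes:
        return dict(jwt_claims) if passthrough_without_openid else {}
    # 1. remote claim names -> local claim URIs (unmapped claims are dropped)
    local = {idp_mapping[k]: v for k, v in jwt_claims.items() if k in idp_mapping}
    # 2. keep only what the SP requested (not the SP claim mapping)
    local = {k: v for k, v in local.items() if k in sp_requested}
    # 3. local URIs -> openid dialect names; claims outside the dialect vanish
    oidc = {dialect[k]: v for k, v in local.items() if k in dialect}
    # 4. release only claims that some requested scope permits
    allowed = set().union(*(scope_claims.get(s, set()) for s in scopes))
    return {k: v for k, v in oidc.items() if k in allowed}
```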
_______________________________________________ Architecture mailing list [email protected] https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
