On Wed, May 30, 2018 at 4:17 PM, Megala Uthayakumar <[email protected]> wrote:

> Yes. I tried to explain the same thing, seems it is confusing. I will
> simplify it.
> Thanks for the clarification.
>
> Thanks.
>
> Regards,
> Megala
>
> On Wed, May 30, 2018 at 4:12 PM, Farasath Ahamed <[email protected]> wrote:
>
>> On Wed, May 30, 2018 at 4:04 PM, Megala Uthayakumar <[email protected]> wrote:
>>
>>> Resending the missing image
>>>
>> Regarding "SP Claim Mapping exist with requested attributes" decision,
>> shouldn't this simply be SP requested claims since we do not care about SP
>> claim mapping in OIDC flow?
>>
>>> On Wed, May 30, 2018 at 4:02 PM, Megala Uthayakumar <[email protected]> wrote:
>>>
>>>> *Hi,*
>>>>
>>>> *As per the offline discussion with IAM team, following is the agreed
>>>> design.*
>>>>
>>>> *Darshana/Maduranga/Farasath/IAM Team - Please do correct me if I have
>>>> misunderstood regarding this.*
>>>>
>>>> *Thanks.*
>>>>
>>>> Regards,
>>>> Megala
>>>>
>>>> On Thu, May 24, 2018 at 9:41 AM, Megala Uthayakumar <[email protected]> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> As per the meeting held offline, it was decided to only send the custom
>>>>> claims when the scope is given as "openid". Sending custom claims that are
>>>>> not defined in the dialect can be supported by adding new claims to the openid
>>>>> dialect and by appending the relevant scopes to the "/oidc" resource in the config
>>>>> registry.
>>>>>
>>>>> Thanks.
>>>>>
>>>>> Regards,
>>>>> Megala
>>>>>
>>>>> On Wed, May 23, 2018 at 2:41 PM, Bhathiya Jayasekara <[email protected]> wrote:
>>>>>
>>>>>> Thanks, I just understood the scenario.
>>>>>>
>>>>>> Thanks,
>>>>>> Bhathiya
>>>>>>
>>>>>> On Wed, May 23, 2018 at 2:36 PM, Megala Uthayakumar <[email protected]> wrote:
>>>>>>
>>>>>>> Hi Bhathiya,
>>>>>>>
>>>>>>> On Wed, May 23, 2018 at 1:05 PM, Bhathiya Jayasekara <[email protected]> wrote:
>>>>>>>
>>>>>>>> Hi Megala,
>>>>>>>>
>>>>>>>> On Wed, May 23, 2018 at 10:11 AM, Megala Uthayakumar <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> Hi All,
>>>>>>>>>
>>>>>>>>> I am working on $subject for IS 5.5.0.
>>>>>>>>>
>>>>>>>>> When handling custom claims, we do have two options.
>>>>>>>>>
>>>>>>>>> 1. Handling custom claims as we have handled it in the
>>>>>>>>> SAML2BearerGrantHandler.
>>>>>>>>>    - The current SAML2BearerGrantHandler converts the claims
>>>>>>>>>      coming from the IDP to local claims and then filters out oidc claims
>>>>>>>>>      only, given that the scope is given as openid.
>>>>>>>>> 2. Handle relevant custom claims as they are when the scope is not
>>>>>>>>> openid, and if the scope is openid filter out the openid scopes as
>>>>>>>>> we do for SAML2BearerGrantHandler.
>>>>>>>>>    - If the scope is not openid, add all the custom claims
>>>>>>>>>      with the access token.
>>>>>>>>>    - If the scope is openid, follow the same approach followed
>>>>>>>>>      by SAML2BearerGrantHandler.
>>>>>>>>>
>>>>>>>>> I think option 2 is the better way to handle this, because
>>>>>>>>> JWT does not restrict the collection of custom claims, hence if we
>>>>>>>>> go with option 1, the customer is expected to select one of the open id
>>>>>>>>> claims to get his claims back in the original incoming JWT.
>>>>>>>>>
>>>>>>>> Could you please explain this line further?
>>>>>>>>
>>>>>>> In our wso2 IS server, we have a predefined list of oidc claims [1],
>>>>>>> but in JWT we can have custom claims that are not defined in our list.
>>>>>>>
>>>>>>> For example,
>>>>>>> A third party identity provider may send a claim with the name
>>>>>>> "testClaim" with its JWT token and the service provider may expect the
>>>>>>> same claim with the same name, but this cannot be done in our case, as we
>>>>>>> only pass the predefined set of oidc claims to the service provider.
>>>>>>>
>>>>>>>> And in the subject you meant generating access token (but not JWT
>>>>>>>> token) right?
>>>>>>>>
>>>>>>> Self-contained access token, which is a JWT token. [2]
>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Bhathiya
>>>>>>>
>>>>>>> [1] https://docs.wso2.com/display/IS550/Configuring+Claims+for+an+Identity+Provider#ConfiguringClaimsforanIdentityProvider-MappingconfiguredclaimstoanOpenIDConnectclaim
>>>>>>> [2] https://docs.wso2.com/display/IS550/Self-contained+Access+Tokens
>>>>>>>
>>>>>>> --
>>>>>>> Megala Uthayakumar
>>>>>>>
>>>>>>> Senior Software Engineer
>>>>>>> Mobile : 0779967122
>>>>>>
>>>>>> --
>>>>>> *Bhathiya Jayasekara*
>>>>>> *Associate Technical Lead,*
>>>>>> *WSO2 inc., http://wso2.com*
>>>>>>
>>>>>> *Phone: +94715478185*
>>>>>> *LinkedIn: http://www.linkedin.com/in/bhathiyaj*
>>>>>> *Twitter: https://twitter.com/bhathiyax*
>>>>>> *Blog: http://movingaheadblog.blogspot.com*
>>
>> --
>> Farasath Ahamed
>> Senior Software Engineer, WSO2 Inc.; http://wso2.com
>> Mobile: +94777603866
>> Blog: blog.farazath.com
>> Twitter: @farazath619
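The agreed design in the thread (remote JWT claims mapped to local claims, then to the OIDC dialect, then filtered by the requested scopes, and custom claims reaching the token only under "openid" once they are added to the dialect and to a scope) modelled as an added example; this is illustrative code written for this page, not WSO2 Identity Server code, and every claim URI, dialect entry, scope mapping and JWT value in it is a constructed stand-in.

```python
# Constructed IdP claim mapping: remote claim name -> local claim URI
IDP_CLAIM_MAPPING = {
    "email": "http://wso2.org/claims/emailaddress",
    "given_name": "http://wso2.org/claims/givenname",
    "testClaim": "http://wso2.org/claims/testclaim",   # third-party custom claim
}

# Constructed OIDC dialect: local claim URI -> OIDC claim name
OIDC_DIALECT = {
    "http://wso2.org/claims/emailaddress": "email",
    "http://wso2.org/claims/givenname": "given_name",
}

# Constructed stand-in for the "/oidc" registry resource: scope -> OIDC claims
OIDC_SCOPE_CLAIMS = {
    "email": ["email"],
    "profile": ["given_name"],
}


def claims_for_access_token(jwt_claims, scopes, dialect=OIDC_DIALECT,
                            scope_claims=OIDC_SCOPE_CLAIMS):
    """Claims to embed in the self-contained access token for this grant."""
    if "openid" not in scopes:
        return {}  # agreed design: custom claims are only sent with "openid"
    # 1. remote -> local (claims the IdP mapping does not know are dropped)
    local = {IDP_CLAIM_MAPPING[k]: v
             for k, v in jwt_claims.items() if k in IDP_CLAIM_MAPPING}
    # 2. local -> OIDC dialect (claims outside the dialect are dropped)
    oidc = {dialect[uri]: v for uri, v in local.items() if uri in dialect}
    # 3. keep only the claims released by the requested scopes
    allowed = {c for s in scopes for c in scope_claims.get(s, [])}
    return {name: v for name, v in oidc.items() if name in allowed}


def with_custom_claim(dialect, scope_claims, local_uri, oidc_name, scope):
    """Extension path from the thread: add a claim to the OIDC dialect and
    append it to a scope, without mutating the original configuration."""
    new_dialect = dict(dialect, **{local_uri: oidc_name})
    new_scope_claims = {k: list(v) for k, v in scope_claims.items()}
    new_scope_claims.setdefault(scope, []).append(oidc_name)
    return new_dialect, new_scope_claims


# Constructed incoming JWT payload from a third-party IdP
INCOMING_JWT = {"sub": "alice", "email": "[email protected]",
                "given_name": "Alice", "testClaim": "abc"}
```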
_______________________________________________ Architecture mailing list [email protected] https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
