To obtain an access token using the client credentials grant we need to store the client id and client secret. How are we going to store them so that they cannot be stolen?

Also, I think it is better if we revoke the token once the user has signed up. So each sign-up will need to obtain a new access token.

Thanks & Regards,
Ishara Cooray
Senior Software Engineer
Mobile : +9477 262 9512
WSO2, Inc. | http://wso2.com/
Lean . Enterprise . Middleware

On Tue, Jul 31, 2018 at 3:21 PM, Vithursa Mahendrarajah <[email protected]> wrote:
> + [architecture]
>
> On Tue, Jul 31, 2018 at 12:55 PM Kasun Thennakoon <[email protected]> wrote:
>> Hi Rukshan,
>>
>> This is the current flow
>>
>> [image: image.png]
>>
>>> So how do we restrict this token to talk only to the signup API? With scopes?
>>
>> Yes, we get an access token for the self-signup scope only.
>>
>> Thanks
>> ~KasunTe
>>
>> On Tue, Jul 31, 2018 at 11:21 AM Rukshan Premathunga <[email protected]> wrote:
>>> On Tue, Jul 31, 2018 at 11:12 AM, Uvindra Dias Jayasinha <[email protected]> wrote:
>>>> On 31 July 2018 at 10:57, Rukshan Premathunga <[email protected]> wrote:
>>>>> On Tue, Jul 31, 2018 at 10:57 AM, Rukshan Premathunga <[email protected]> wrote:
>>>>>> In the sigin up case, if you take a token to talk to the signup API, is it also stored in the browser?
>>>>>
>>>>> * In the signup case, if you take a token to talk to the signup API, is it also stored in the browser?
>>>>
>>>> In this case, yes. Since there is no user involved yet (the user has not got registered yet), it is the store that is making this call on behalf of the user so that they can get registered.
>>>
>>> So how do we restrict this token to talk only to the signup API? With scopes?
>>>
>>>>>> On Tue, Jul 31, 2018 at 10:26 AM, Fazlan Nazeem <[email protected]> wrote:
>>>>>>> Yes, since the client secret will not be known to the end users there is no threat in adding the client_credentials grant to the store app.
>>>>>>>
>>>>>>> On Tue, Jul 31, 2018 at 10:18 AM Uvindra Dias Jayasinha <[email protected]> wrote:
>>>>>>>> +1 for option 1, adding the client credentials capability to the store app makes sense to support this use case.
>>>>>>>>
>>>>>>>> On 31 July 2018 at 10:06, Kasun Thennakoon <[email protected]> wrote:
>>>>>>>>> Hi Vithursa,
>>>>>>>>>
>>>>>>>>> In my opinion
>>>>>>>>>
>>>>>>>>>> Option-1: Adding client_credentials grant type to existing application
>>>>>>>>>
>>>>>>>>> option-1 would be more appropriate here, rather than maintaining a separate OAuth app for the self sign-up feature.
>>>>>>>>>
>>>>>>>>> Thanks
>>>>>>>>> ~KasunTe
>>>>>>>>>
>>>>>>>>> On Mon, Jul 30, 2018 at 9:17 PM Vithursa Mahendrarajah <[email protected]> wrote:
>>>>>>>>>> Hi all,
>>>>>>>>>>
>>>>>>>>>> I encountered an issue while implementing the feature to self-sign up a user via the UI. Access token generation using the client_credentials grant type is needed to call the self-sign-up REST API resource. As per the current implementation, we have one DCR application for the publisher and one for the store, which do not support the client_credentials grant type, hence token generation fails. It can be resolved in two ways:
>>>>>>>>>>
>>>>>>>>>> Option-1: Adding the client_credentials grant type to the existing application
>>>>>>>>>> Option-2: Creating a new application which supports the client_credentials grant type
>>>>>>>>>>
>>>>>>>>>> Which one would be the better solution for this?
>>>>>>>>>>
>>>>>>>>>> Comments or suggestions are highly appreciated.
>>>>>>>>>>
>>>>>>>>>> Thanks,
>>>>>>>>>> Vithursa
>>>>>>>>>>
>>>>>>>>>> On Wed, Jul 25, 2018 at 4:05 PM Uvindra Dias Jayasinha <[email protected]> wrote:
>>>>>>>>>>> It's great if we can implement this in our lightweight key manager so that we can support this in the UI.
>>>>>>>>>>>
>>>>>>>>>>> On 25 July 2018 at 15:48, Chanaka Jayasena <[email protected]> wrote:
>>>>>>>>>>>> I have attached the paper mockups for the user register, sign-in, and change password pages. But the Captcha is not captured in the mockups. +1 to add Captcha if that is supported.
>>>>>>>>>>>>
>>>>>>>>>>>> thanks,
>>>>>>>>>>>> Chanaka
>>>>>>>>>>>>
>>>>>>>>>>>> On Wed, Jul 25, 2018 at 3:44 PM Uvindra Dias Jayasinha <[email protected]> wrote:
>>>>>>>>>>>>> As far as Captcha goes, this [1] is what is already provided by IS to achieve this. But I don't think this functionality is available in our default lightweight key manager currently.
>>>>>>>>>>>>>
>>>>>>>>>>>>> [1] https://docs.wso2.com/display/IS560/User+Information+Recovery+Service
>>>>>>>>>>>>>
>>>>>>>>>>>>> On 25 July 2018 at 15:37, Uvindra Dias Jayasinha <[email protected]> wrote:
>>>>>>>>>>>>>> Can we add a Captcha to the user sign-up page? This was one of the basic features we were missing OOB and there were quite a few customers who ended up doing custom themes to add that functionality.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On 25 July 2018 at 15:18, Vithursa Mahendrarajah <[email protected]> wrote:
>>>>>>>>>>>>>>> Hi Isuru/Mushthaq,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Thanks for the suggestions. Yes, +1 to add a Forgot password option as well as a Sign-up option on the Sign-in page. Will add the mentioned changes.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Wed, Jul 25, 2018 at 2:09 PM Mushthaq Rumy <[email protected]> wrote:
>>>>>>>>>>>>>>>> Hi Vithursa,
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> You may refer to the APIM 2.2.0 or 2.5.0 version and get an idea of how the password reset function works in the UI.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Thanks & Regards,
>>>>>>>>>>>>>>>> Mushthaq
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On Wed, Jul 25, 2018 at 2:06 PM Isuru Haththotuwa <[email protected]> wrote:
>>>>>>>>>>>>>>>>> Hi Vithursa,
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> I assume the anonymous user page is basically for users to sign up to the system, and by that create users in the system. This page looks ok; we basically need a new view when the user clicks on the sign-in page, which has links to the reset password and forgot password options. Sign-in should have a link to the sign-up page as well.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> On Wed, Jul 25, 2018 at 11:11 AM, Vithursa Mahendrarajah <[email protected]> wrote:
>>>>>>>>>>>>>>>>>> Hi all,
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> I am working on $subject. Based on the current implementation, we do not have a way to create users via the UI. As an initial step, I am implementing an anonymous-user view page in the API Store. The mock UI design can be found below:
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> [image: anonymous_view(1).jpg]
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Comments or suggestions are highly appreciated.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>>>>>>> Vithursa
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>>> Vithursa Mahendrarajah
>>>>>>>>>>>>>>>>>> Software Engineer
>>>>>>>>>>>>>>>>>> WSO2 Inc. - http://wso2.com
>>>>>>>>>>>>>>>>>> Mobile : +94766695643
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>> Thanks and Regards,
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Isuru H.
>>>>>>>>>>>>>>>>> +94 716 358 048
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>> Mushthaq Rumy
>>>>>>>>>>>>>>>> Senior Software Engineer
>>>>>>>>>>>>>>>> Mobile : +94 (0) 779 492140
>>>>>>>>>>>>>>>> Email : [email protected]
>>>>>>>>>>>>>>>> WSO2, Inc.; http://wso2.com/
>>>>>>>>>>>>>>>> lean . enterprise . middleware.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> --
>>>>>>>>>>>>>> Regards,
>>>>>>>>>>>>>> Uvindra
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Mobile: 777733962
>>>>>>>>>>>>
>>>>>>>>>>>> --
>>>>>>>>>>>> Chanaka Jayasena
>>>>>>>>>>>> Associate Tech Lead,
>>>>>>>>>>>> email: [email protected]; cell: +94 77 4464006
>>>>>>>>>>>> blog: http://chanaka3d.blogspot.com
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Kasun Thennakoon
>>>>>>>>> Software Engineer
>>>>>>>>> WSO2, Inc.
>>>>>>>>> Mobile:+94 711661919
>>>>>>>
>>>>>>> --
>>>>>>> Thanks & Regards,
>>>>>>>
>>>>>>> Fazlan Nazeem
>>>>>>> Senior Software Engineer
>>>>>>> WSO2 Inc
>>>>>>> Mobile : +94772338839
>>>>>>> [email protected]
>>>>>>
>>>>>> --
>>>>>> Rukshan Chathuranga.
>>>>>> Software Engineer.
>>>>>> WSO2, Inc.
>>>>>> +94711822074
_______________________________________________ Architecture mailing list [email protected] https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
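The flow the thread converges on (a client_credentials token limited to the self-signup scope, obtained on the store's server side so the secret never reaches the browser, and revoked after each sign-up as Ishara proposes), as an added worked example that is not part of the thread and not WSO2 API Manager code. The key manager's token, revoke and introspection endpoints, the store's signup resource, the scope names apim:self_signup and apim:subscribe, and the client ids and secrets are all constructed in-process so the example runs offline; in a deployment the token and revoke calls go over HTTPS to the key manager and the secret is read from the store backend's own configuration.

```python
"""Server-side self-signup using a scope-limited client_credentials token.
Added example, not WSO2 API Manager code: key manager, signup resource, scope
names and client credentials are constructed in-process so it runs offline."""
import hashlib
import hmac
import secrets
from collections import namedtuple

SIGNUP_SCOPE = "apim:self_signup"      # assumed scope name
SUBSCRIBE_SCOPE = "apim:subscribe"     # assumed scope name
# Constructed demo credentials; a deployment keeps them in the store backend's
# own configuration or secret store, so they never reach the browser.
STORE_CLIENT_ID, STORE_CLIENT_SECRET = "store-app", "demo-store-secret"
PUBLISHER_CLIENT_ID, PUBLISHER_CLIENT_SECRET = "publisher-app", "demo-publisher-secret"

DcrApp = namedtuple("DcrApp", "secret grant_types scopes")   # one DCR application

class OAuthError(Exception):
    """Carries the error code the token endpoint would return (RFC 6749, 5.2)."""

class KeyManager:
    """Stand-in for the key manager's /token, /revoke and introspection endpoints."""
    def __init__(self, apps):
        self.apps, self._tokens = apps, {}   # _tokens: token -> (client_id, scope)

    def token(self, client_id, client_secret, grant_type, scope):
        app = self.apps.get(client_id)
        # Same error for unknown id and wrong secret, compared in constant time.
        if app is None or not hmac.compare_digest(app.secret, client_secret):
            raise OAuthError("invalid_client")
        if grant_type not in app.grant_types:   # the failure reported in the thread
            raise OAuthError("unauthorized_client")
        if scope not in app.scopes:
            raise OAuthError("invalid_scope")
        tok = secrets.token_urlsafe(32)
        self._tokens[tok] = (client_id, scope)
        return tok

    def revoke(self, token):
        self._tokens.pop(token, None)   # RFC 7009: an unknown token is not an error

    def introspect(self, token):
        entry = self._tokens.get(token)
        return {"active": False} if entry is None else {"active": True, "scope": entry[1]}

    def active_tokens(self):
        return len(self._tokens)

class StoreApi:
    """The store's REST resources; each one checks the token's scope."""
    def __init__(self, km):
        self.km, self.users = km, {}

    def _require(self, token, scope):
        info = self.km.introspect(token)
        if not info["active"]:
            raise PermissionError("401 invalid or revoked token")
        if info["scope"] != scope:
            raise PermissionError("403 insufficient scope")

    def self_signup(self, token, username, password):
        self._require(token, SIGNUP_SCOPE)
        if username in self.users:
            raise ValueError("409 user already exists")
        salt = secrets.token_bytes(16)   # store a salted PBKDF2 hash, not the password
        self.users[username] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))
        return {"username": username}

    def list_subscriptions(self, token):
        self._require(token, SUBSCRIBE_SCOPE)
        return []

def signup_via_store_backend(km, api, username, password):
    """Runs on the store's server side: the browser only posts the form here,
    so neither the client secret nor the access token is ever stored in it."""
    tok = km.token(STORE_CLIENT_ID, STORE_CLIENT_SECRET, "client_credentials", SIGNUP_SCOPE)
    try:
        return api.self_signup(tok, username, password)
    finally:
        km.revoke(tok)   # one token per sign-up, revoked as soon as it has been used

def error_of(fn, *args):
    """Return the error string a call raises, or None if it succeeds."""
    try:
        fn(*args)
    except (OAuthError, PermissionError, ValueError) as exc:
        return str(exc)
    return None

def build_demo():
    """Two DCR apps as in the thread; only the store app gets client_credentials."""
    km = KeyManager({
        STORE_CLIENT_ID: DcrApp(STORE_CLIENT_SECRET, {"authorization_code", "client_credentials"},
                                {SIGNUP_SCOPE, SUBSCRIBE_SCOPE}),
        PUBLISHER_CLIENT_ID: DcrApp(PUBLISHER_CLIENT_SECRET, {"authorization_code"}, {SUBSCRIBE_SCOPE})})
    return km, StoreApi(km)
```

Calling build_demo() and then signup_via_store_backend(km, api, "alice", "...") creates the user and leaves km.active_tokens() at zero, which is the per-sign-up revocation Ishara asks for. Two further checks answer the questions raised in the thread: a token issued for apim:self_signup is rejected by list_subscriptions with a 403, so the scope is what confines it to the signup API, and asking for a client_credentials token with the publisher app, which was never granted that grant type, fails with unauthorized_client, which is the failure Vithursa reported before the grant was added to the store app. Because the secret is only ever used inside signup_via_store_backend, neither it nor the token is handed to the browser.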
