So in this case there are two tokens. One for the sign up that is obtained
using client credentials that only has the scope for accessing the sign up
resource. The other is the one obtained from the password grant type that
is used elsewhere. I don't see a need to immediately revoke the token used
for the sign up invocation (it can only be used for signing up); is there
any specific concern you have regarding this?

I was thinking that if this signup token is stolen, one can onboard users
to the system, which will lead to a potential attack. Isn't it?
Of course, if we can have captcha validation we can mitigate this.


Thanks & Regards,
Ishara Cooray
Senior Software Engineer
Mobile : +9477 262 9512
WSO2, Inc. | http://wso2.com/
Lean . Enterprise . Middleware
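As an added example (not code from this thread, WSO2 API Manager or its key manager), the Python below models the two-token design under discussion: the store app obtains an app-only token via client_credentials that carries nothing but the sign-up scope, registers the new user with it, and the user then obtains a separate password-grant token for everything else. It also shows the scope check that keeps the sign-up token from being used elsewhere, and a per-token cap on sign-ups as one mitigation for the stolen-token concern raised above. The scope names, client id/secret, TTLs and the cap value are constructed placeholders, not the product's real identifiers.

```python
# Toy model of the two-token self sign-up design (added example, not WSO2 code).
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

SIGNUP_SCOPE = "store:self_signup"         # placeholder scope names, not the product's
SUBSCRIBE_SCOPE = "store:subscribe"
CLIENT_ID = "store-app-client-id"          # constructed DCR app credentials; in the
CLIENT_SECRET = "store-app-client-secret"  # design discussed these stay server-side


def _kdf(password, salt):
    """Salted password hash for the toy user store."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class Token:
    value: str
    scopes: frozenset
    expires_at: float
    revoked: bool = False


class KeyManager:
    """Toy issuer: opaque tokens, two grant types, introspection and revocation."""

    def __init__(self, signup_ttl=300, clock=time.time):
        self.tokens, self.users = {}, {}
        self.signup_ttl, self.clock = signup_ttl, clock

    def _client_ok(self, client_id, client_secret):
        return client_id == CLIENT_ID and hmac.compare_digest(client_secret, CLIENT_SECRET)

    def _issue(self, scopes, ttl):
        tok = Token(secrets.token_urlsafe(32), frozenset(scopes), self.clock() + ttl)
        self.tokens[tok.value] = tok
        return tok

    def client_credentials(self, client_id, client_secret, scopes):
        """App-only token: only the sign-up scope is allowed, with a short TTL."""
        if not self._client_ok(client_id, client_secret):
            raise PermissionError("invalid_client")
        if set(scopes) != {SIGNUP_SCOPE}:
            raise PermissionError("invalid_scope")
        return self._issue(scopes, self.signup_ttl)

    def password_grant(self, client_id, client_secret, username, password, scopes):
        """User token for everything else; only a registered user can obtain one."""
        if not self._client_ok(client_id, client_secret):
            raise PermissionError("invalid_client")
        rec = self.users.get(username)
        if rec is None or not hmac.compare_digest(rec[1], _kdf(password, rec[0])):
            raise PermissionError("invalid_grant")
        return self._issue(scopes, 3600)

    def revoke(self, value):
        if value in self.tokens:
            self.tokens[value].revoked = True

    def introspect(self, value):
        """Return the live token record, or None if unknown, revoked or expired."""
        tok = self.tokens.get(value)
        if tok is None or tok.revoked or tok.expires_at <= self.clock():
            return None
        return tok


class StoreApi:
    """Resource server: every endpoint checks the token's scope via introspection."""

    def __init__(self, km, max_signups_per_token=3):
        self.km, self.max = km, max_signups_per_token
        self.signups_by_token = {}

    def _require(self, token_value, scope):
        tok = self.km.introspect(token_value)
        if tok is None:
            return "401 invalid_token"
        if scope not in tok.scopes:
            return "403 insufficient_scope"
        return None

    def signup(self, token_value, username, password):
        err = self._require(token_value, SIGNUP_SCOPE)
        if err:
            return err
        # Mitigation for the stolen-token concern: cap the accounts one app-only
        # token may create, so a leaked token cannot mass-onboard users
        # (a captcha would be a second, independent layer).
        n = self.signups_by_token.get(token_value, 0)
        if n >= self.max:
            return "429 signup_limit"
        if username in self.km.users:
            return "409 user_exists"
        salt = secrets.token_bytes(16)
        self.km.users[username] = (salt, _kdf(password, salt))
        self.signups_by_token[token_value] = n + 1
        return "201 created"

    def subscribe(self, token_value, api_name):
        err = self._require(token_value, SUBSCRIBE_SCOPE)
        return err or "201 subscribed " + api_name


def denied(fn, *args):
    """True if the grant request is refused by the key manager."""
    try:
        fn(*args)
        return False
    except PermissionError:
        return True


def run_flow():
    """Walk the two-token flow with a fake clock; returns the outcomes in order."""
    now = [1_000.0]
    km = KeyManager(clock=lambda: now[0])
    api = StoreApi(km)
    app = km.client_credentials(CLIENT_ID, CLIENT_SECRET, [SIGNUP_SCOPE]).value
    out = [api.signup(app, "alice", "s3cret")]            # 201 created
    out.append(api.subscribe(app, "PizzaAPI"))            # 403: sign-up token lacks scope
    out.append(api.signup(app, "bob", "x"))
    out.append(api.signup(app, "carol", "x"))
    out.append(api.signup(app, "dave", "x"))              # 429: per-token cap hit
    user = km.password_grant(CLIENT_ID, CLIENT_SECRET, "alice", "s3cret",
                             [SUBSCRIBE_SCOPE]).value
    out.append(api.subscribe(user, "PizzaAPI"))           # 201: user token has scope
    now[0] += 301                                         # sign-up token expires
    out.append(api.signup(app, "erin", "x"))              # 401 expired
    km.revoke(user)
    out.append(api.subscribe(user, "PizzaAPI"))           # 401 after revocation
    return out
```

Two points the walk-through makes concrete: the sign-up token is useless against any other resource because the resource server checks scope on every call, and even a leaked sign-up token is bounded by its short lifetime and the per-token sign-up cap rather than by revocation alone.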

On Wed, Aug 1, 2018 at 10:48 AM, Uvindra Dias Jayasinha <[email protected]>
wrote:

>
>
> On 1 August 2018 at 09:36, Ishara Cooray <[email protected]> wrote:
>
>> To obtain an access token using the client credentials grant we need to
>> store the client id and client secret.
>> How are we going to store it so that it cannot be stolen?
>>
>
>
> We need the client id and secret for the password grant type as well, which
> we are using for all other calls. We have addressed this security concern
> already by storing the client id and secret on the server side as discussed
> in the mail thread [1].
>
> [1] API Manager UI - Storing access token in Cookie
>
>
>> Also, I think it is better if we revoke the token as the user is signed
>> up. So each sign up will need to obtain a new access token.
>>
>
> So in this case there are two tokens. One for the sign up that is obtained
> using client credentials that only has the scope for accessing the sign up
> resource. The other is the one obtained from the password grant type that
> is used elsewhere. I don't see a need to immediately revoke the token used
> for the sign up invocation (it can only be used for signing up); is there
> any specific concern you have regarding this?
>
>>
>>
>>
>>
>> Thanks & Regards,
>> Ishara Cooray
>> Senior Software Engineer
>> Mobile : +9477 262 9512
>> WSO2, Inc. | http://wso2.com/
>> Lean . Enterprise . Middleware
>>
>> On Tue, Jul 31, 2018 at 3:21 PM, Vithursa Mahendrarajah <
>> [email protected]> wrote:
>>
>>> + [architecture]
>>>
>>> On Tue, Jul 31, 2018 at 12:55 PM Kasun Thennakoon <[email protected]>
>>> wrote:
>>>
>>>> Hi Rukshan,
>>>>
>>>> This is the current flow
>>>>
>>>> [image: image.png]
>>>>
>>>> So how do we restrict this token to talk only to the signup API? With scopes?
>>>>>
>>>> Yes we get an access token for self signup scope only
>>>>
>>>>
>>>> Thanks
>>>> ~KasunTe
>>>>
>>>>
>>>> On Tue, Jul 31, 2018 at 11:21 AM Rukshan Premathunga <[email protected]>
>>>> wrote:
>>>>
>>>>>
>>>>>
>>>>> On Tue, Jul 31, 2018 at 11:12 AM, Uvindra Dias Jayasinha <
>>>>> [email protected]> wrote:
>>>>>
>>>>>>
>>>>>>
>>>>>> On 31 July 2018 at 10:57, Rukshan Premathunga <[email protected]>
>>>>>> wrote:
>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Tue, Jul 31, 2018 at 10:57 AM, Rukshan Premathunga <
>>>>>>> [email protected]> wrote:
>>>>>>>
>>>>>>>> in sign up case, if you take a token to talk to the signup API, is it
>>>>>>>> also stored in the browser?
>>>>>>>>
>>>>>>> * in signup case, if you take a token to talk to the signup API, is it
>>>>>>> also stored in the browser?
>>>>>>>
>>>>>>
>>>>>> In this case, yes. Since there is no user involved yet (the user has not
>>>>>> been registered yet), it is the store that is making this call on behalf
>>>>>> of the user so that they can get registered.
>>>>>>
>>>>> So how do we restrict this token to talk only to the signup API? With scopes?
>>>>>
>>>>>>
>>>>>>>> On Tue, Jul 31, 2018 at 10:26 AM, Fazlan Nazeem <[email protected]>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>> Yes, since the client secret will not be known to the end users,
>>>>>>>>> there is no threat in adding the client_credentials grant to the
>>>>>>>>> store app.
>>>>>>>>>
>>>>>>>>> On Tue, Jul 31, 2018 at 10:18 AM Uvindra Dias Jayasinha <
>>>>>>>>> [email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> +1 for option 1, adding the client credentials capability to the
>>>>>>>>>> store app makes sense to support this use case.
>>>>>>>>>>
>>>>>>>>>> On 31 July 2018 at 10:06, Kasun Thennakoon <[email protected]>
>>>>>>>>>> wrote:
>>>>>>>>>>
>>>>>>>>>>> Hi Vithursa,
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> In my opinion
>>>>>>>>>>>
>>>>>>>>>>> *Option-1: *Adding *client_credentials* grant type to existing
>>>>>>>>>>>> application
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> option-1 would be more appropriate here, rather than maintaining
>>>>>>>>>>> a separate OAuth app for the self sign-up feature.
>>>>>>>>>>>
>>>>>>>>>>> Thanks
>>>>>>>>>>> ~KasunTe
>>>>>>>>>>>
>>>>>>>>>>> On Mon, Jul 30, 2018 at 9:17 PM Vithursa Mahendrarajah <
>>>>>>>>>>> [email protected]> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Hi all,
>>>>>>>>>>>>
>>>>>>>>>>>> I encountered an issue while implementing the feature to self-sign
>>>>>>>>>>>> up a user via the UI. Access token generation using the
>>>>>>>>>>>> *client_credentials* grant type is needed to call the REST API
>>>>>>>>>>>> resource for self-sign-up. As per the current implementation, we
>>>>>>>>>>>> have one DCR application for the publisher and one for the store,
>>>>>>>>>>>> which does not support the *client_credentials* grant type, hence
>>>>>>>>>>>> token generation fails. It can be resolved in two ways:
>>>>>>>>>>>>
>>>>>>>>>>>> *Option-1: *Adding *client_credentials* grant type to existing
>>>>>>>>>>>> application
>>>>>>>>>>>> *Option-2: *Creating new application which supports
>>>>>>>>>>>> *client_credentials* grant type
>>>>>>>>>>>> Which one would be the better solution for this?
>>>>>>>>>>>>
>>>>>>>>>>>> Comments or suggestions are highly appreciated.
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks,
>>>>>>>>>>>> Vithursa
>>>>>>>>>>>>
>>>>>>>>>>>> On Wed, Jul 25, 2018 at 4:05 PM Uvindra Dias Jayasinha <
>>>>>>>>>>>> [email protected]> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> It's great if we can implement this in our lightweight key
>>>>>>>>>>>>> manager so that we can support this on the UI.
>>>>>>>>>>>>>
>>>>>>>>>>>>> On 25 July 2018 at 15:48, Chanaka Jayasena <[email protected]>
>>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> I have attached the paper mockups for the user register,
>>>>>>>>>>>>>> sign-in, and change password pages. But the Captcha is not
>>>>>>>>>>>>>> captured in the mockups. +1 to add Captcha if that is supported.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> thanks,
>>>>>>>>>>>>>> Chanaka
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Wed, Jul 25, 2018 at 3:44 PM Uvindra Dias Jayasinha <
>>>>>>>>>>>>>> [email protected]> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> As far as Captcha goes, this [1] is what is already provided
>>>>>>>>>>>>>>> by IS to achieve this. But I don't think this functionality is
>>>>>>>>>>>>>>> available in our default lightweight key manager currently.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> [1] https://docs.wso2.com/display/IS560/User+Information+Recovery+Service
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On 25 July 2018 at 15:37, Uvindra Dias Jayasinha <
>>>>>>>>>>>>>>> [email protected]> wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Can we add a Captcha to the user sign up page? This was one
>>>>>>>>>>>>>>>> of the basic features we were missing OOB, and there were quite
>>>>>>>>>>>>>>>> a few customers who ended up doing custom themes to add that
>>>>>>>>>>>>>>>> functionality.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On 25 July 2018 at 15:18, Vithursa Mahendrarajah <
>>>>>>>>>>>>>>>> [email protected]> wrote:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Hi Isuru/Mushthaq,
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Thanks for the suggestions. Yes, +1 to add the *Forgot
>>>>>>>>>>>>>>>>> password* option as well as the *Sign-up* option in the Sign-in
>>>>>>>>>>>>>>>>> page. Will add the mentioned changes.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> On Wed, Jul 25, 2018 at 2:09 PM Mushthaq Rumy <
>>>>>>>>>>>>>>>>> [email protected]> wrote:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Hi Vithursa,
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> You may refer to the APIM 2.2.0 or 2.5.0 version and get an
>>>>>>>>>>>>>>>>>> idea of how the password reset function works in the UI.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Thanks & Regards,
>>>>>>>>>>>>>>>>>> Mushthaq
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> On Wed, Jul 25, 2018 at 2:06 PM Isuru Haththotuwa <
>>>>>>>>>>>>>>>>>> [email protected]> wrote:
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Hi Vithursa,
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> I assume the anonymous user page is basically for users
>>>>>>>>>>>>>>>>>>> to sign up to the system, and by that create users in the
>>>>>>>>>>>>>>>>>>> system. This page looks OK; we basically need a new view
>>>>>>>>>>>>>>>>>>> when the user clicks on the sign in page, which has a link
>>>>>>>>>>>>>>>>>>> to reset password and forgot password options. Sign in
>>>>>>>>>>>>>>>>>>> should have a link to the sign up page as well.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> On Wed, Jul 25, 2018 at 11:11 AM, Vithursa Mahendrarajah
>>>>>>>>>>>>>>>>>>> <[email protected]> wrote:
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Hi all,
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> I am working on $subject. Based on the current
>>>>>>>>>>>>>>>>>>>> implementation, we do not have a way to create users via
>>>>>>>>>>>>>>>>>>>> the UI. As an initial step, I am implementing the
>>>>>>>>>>>>>>>>>>>> anonymous-user view page in the API Store. The mock UI
>>>>>>>>>>>>>>>>>>>> design can be found below:
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> [image: anonymous_view(1).jpg]
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Comments or suggestions are highly appreciated.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>>>>>>>>> Vithursa
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>>>>> Vithursa Mahendrarajah
>>>>>>>>>>>>>>>>>>>> Software Engineer
>>>>>>>>>>>>>>>>>>>> WSO2 Inc. - http://wso2.com
>>>>>>>>>>>>>>>>>>>> Mobile : +94766695643
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>>>> Thanks and Regards,
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Isuru H.
>>>>>>>>>>>>>>>>>>> +94 716 358 048
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>>> Mushthaq Rumy
>>>>>>>>>>>>>>>>>> *Senior Software Engineer*
>>>>>>>>>>>>>>>>>> Mobile : +94 (0) 779 492140
>>>>>>>>>>>>>>>>>> Email : [email protected]
>>>>>>>>>>>>>>>>>> WSO2, Inc.; http://wso2.com/
>>>>>>>>>>>>>>>>>> lean . enterprise . middleware.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>> Regards,
>>>>>>>>>>>>>>>> Uvindra
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Mobile: 777733962
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> --
>>>>>>>>>>>>>> Chanaka Jayasena
>>>>>>>>>>>>>> Associate Tech Lead,
>>>>>>>>>>>>>> email: [email protected]; cell: +94 77 4464006
>>>>>>>>>>>>>> blog: http://chanaka3d.blogspot.com
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> *Kasun Thennakoon*
>>>>>>>>>>> Software Engineer
>>>>>>>>>>> WSO2, Inc.
>>>>>>>>>>> Mobile:+94 711661919
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Thanks & Regards,
>>>>>>>>>
>>>>>>>>> *Fazlan Nazeem*
>>>>>>>>> Senior Software Engineer
>>>>>>>>> WSO2 Inc
>>>>>>>>> Mobile : +94772338839
>>>>>>>>> [email protected]
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> Rukshan Chathuranga.
>>>>>>>> Software Engineer.
>>>>>>>> WSO2, Inc.
>>>>>>>> +94711822074
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>
>>
>
>
>
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
