Hi All,

Requirement

1. Maintain a list of remembered devices and show it in the user’s profile.
2. There should be a consent page in the authentication flow to get the user’s consent and a description/name for the device (human readable), which we need to persist. The user should be able to skip the consent page.
3. There is an option to “Forget device” where the user can remove remembered devices from the user profile.

Please see the proposed solutions for this requirement.

Solution 1

1. Keep a separate table to maintain device information.
2. Expose device CRUD operations as REST services.
3. Store some signed information in the cookie with some unique identifier.
4. When the user logs in, we need to extract the cookie and validate it against what we have persisted in the table. (We need to decide how enforcement happens, e.g. using an authenticator or some other way.)

Solution 2

1. Maintain device information as a claim of a user.
2. Since a user can have multiple devices, the claim will be JSON content with multiple devices' information.
3. Use the SCIM API to get/update the claim of the user.

Solution 3

Use the current consent management implementation to maintain remembered devices. Here we either have to maintain the device ID as PII or as a property. If we maintain it as PII, we need to add the device ID as a PII category, and then it's creating a PII category per device.

Note: Maintaining the device as a PII category has scalability issues, and maintaining the device ID in the property is also not a clean solution for this.

From the above solutions, I would like to go ahead with the claim-based solution (Solution 2) since it’s more suitable with the current capabilities we have in consent mgt.

Appreciate your thoughts.

Thanks
Godwin

--
Godwin Amila Shrimal | Technical Lead | WSO2 Inc.
(m) +44 744 466 3849 | (w) +44 203 696 6510 | (e) [email protected]
<http://wso2.com/signature>
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
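
Steps 3 and 4 of Solution 1 (signed cookie checked against the device table), together with the "Forget device" requirement, as an added sketch that is not part of the original message and not WSO2 code. The HMAC-SHA256 signing, the 30-day lifetime, the in-memory DEVICES dict standing in for the table, and all function names are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, secrets, time

SERVER_KEY = b"constructed-demo-key"   # assumption: secret held only by the server
DEVICES = {}                           # stand-in for the device table, keyed by device id
TTL = 30 * 24 * 3600                   # assumption: devices are remembered for 30 days

def _b64(raw):
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def _sign(payload):
    return _b64(hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()).encode()

def remember_device(user, name, now=None):
    """After consent: persist the device and return the signed cookie value."""
    now = int(time.time()) if now is None else now
    device_id = secrets.token_urlsafe(16)          # unguessable unique identifier
    DEVICES[device_id] = {"user": user, "name": name, "expires": now + TTL}
    payload = json.dumps({"id": device_id, "user": user}).encode()
    return _b64(payload) + "." + _sign(payload).decode()

def validate_cookie(cookie, user, now=None):
    """At login: return the device name if the cookie is genuine and still remembered."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = cookie.split(".")
        payload = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))
        if not hmac.compare_digest(sig.encode(), _sign(payload)):
            return None                            # forged or modified cookie
        claims = json.loads(payload)               # parsed only after the signature checks out
    except ValueError:
        return None                                # malformed cookie
    record = DEVICES.get(claims["id"])             # the table, not the cookie, is authoritative
    if record is None or record["user"] != user or claims["user"] != user:
        return None                                # forgotten device, or cookie of another user
    if now >= record["expires"]:
        return None                                # remembered period has ended
    return record["name"]

def list_devices(user):
    """Device id -> human-readable name, as shown in the user's profile."""
    return {d: r["name"] for d, r in DEVICES.items() if r["user"] == user}

def forget_device(user, device_id):
    """Remove a remembered device; its cookie stops validating immediately."""
    if DEVICES.get(device_id, {}).get("user") != user:
        return False                               # users can only forget their own devices
    del DEVICES[device_id]
    return True
```

Because the server-side record is consulted on every login, forgetting a device revokes it even though the cookie's signature is still valid.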
