Hi all,

Imagine my user account in WSO2 Identity Server is *john*. I also have one
other associated user account in the identity server under the name *ben*.

I use an application which shows all my user accounts in the identity
server once I have successfully logged in.

As of now, the above scenario can be done successfully. The application can
call the WSO2 Identity Server user account association APIs and list all
the associated accounts on behalf of me (once I have logged in).

But I want to see some of my attributes of the associated accounts (e.g.
email addresses). This should be possible in a way that the application
calls WSO2 IS SCIM APIs on behalf of my associated accounts, then retrieves
any attributes, without me logging in as each associated user (e.g. when I
log in as *john*, the email address of *ben* should be shown by the
application).

The idea here is that all my associated accounts are essentially mine;
therefore, once I am logged in as a user, any of the subsequent REST API calls
on behalf of any associated user account should be allowed.

Please find the corresponding public JIRA
<https://github.com/wso2/product-is/issues/6882>[2].

I had an initial discussion on this with +Isura Karunaratne <is...@wso2.com>.
Based on that, I have implemented the following approach.

We will introduce a new header called "AssociatedUserId". If this header is
present for a REST API call, the authentication valve is responsible for
reading the fully qualified name of the associated user sent with this header.
Then, if a valid association exists with the authenticated user, the
authentication valve will set the associated user in the carbon context,
instead of the authenticated user, during the post-authentication stage.
This will make sure that the REST API call is made on behalf of the
associated user identified by the above-mentioned header.

Please find the pull request
<https://github.com/wso2-extensions/identity-carbon-auth-rest/pull/92>[3]
with this approach.

Your valuable feedback is highly appreciated.

PS: This requirement was initially discussed at [1].

[1] "[IAM][IS 5.10.0] REST APIs For Federated Associations Of The
User"@architecture-group
[2] https://github.com/wso2/product-is/issues/6882
[3] https://github.com/wso2-extensions/identity-carbon-auth-rest/pull/92

Regards,
Tharindu.
-- 
*Tharindu Bandara*
Senior Software Engineer | WSO2

Email : tharin...@wso2.com
Mobile : +94 714221776
web : http://wso2.com

https://wso2.com/signature
_______________________________________________
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
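A framework-agnostic model of the header check the proposal describes, added here as an illustration; it is not code from the pull request or from WSO2 IS. The association store, the exception type and the fully qualified user names (john@carbon.super, ben@carbon.super) are constructed stand-ins for the real lookup and carbon context.

```python
from dataclasses import dataclass
from typing import Dict, Set, Tuple

ASSOCIATED_USER_HEADER = "AssociatedUserId"


class AssociationDenied(Exception):
    """Raised when the header names a user not associated with the caller."""


class AssociationStore:
    """Constructed stand-in for the IS user-account association lookup.

    Links are stored symmetrically: one association john<->ben serves both."""

    def __init__(self, pairs: Tuple[Tuple[str, str], ...]) -> None:
        self._links: Dict[str, Set[str]] = {}
        for a, b in pairs:
            self._links.setdefault(a, set()).add(b)
            self._links.setdefault(b, set()).add(a)

    def is_associated(self, user: str, other: str) -> bool:
        return other in self._links.get(user, set())


@dataclass(frozen=True)
class EffectiveIdentity:
    authenticated_user: str  # who actually logged in; keep it for the audit log
    acting_user: str         # who the REST call runs as (goes in the carbon context)


def resolve_effective_user(authenticated_user: str, headers: Dict[str, str],
                           store: AssociationStore) -> EffectiveIdentity:
    """Post-authentication step: pick the user the REST call runs as.

    No header: run as the authenticated user. Header present: switch only if
    a valid association exists; anything else is rejected (fail closed) rather
    than silently falling back to the caller's own identity."""
    # HTTP header names are case-insensitive, so normalise before the lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    requested = lowered.get(ASSOCIATED_USER_HEADER.lower())
    if requested is None:
        return EffectiveIdentity(authenticated_user, authenticated_user)
    requested = requested.strip()  # fully qualified name, e.g. john@carbon.super
    if requested == authenticated_user:
        return EffectiveIdentity(authenticated_user, authenticated_user)
    if not requested or not store.is_associated(authenticated_user, requested):
        raise AssociationDenied(f"{requested!r} is not associated with {authenticated_user}")
    return EffectiveIdentity(authenticated_user, requested)
```

Returning both identities lets the valve log who really authenticated alongside who the call ran as, which is what an investigator needs when reviewing on-behalf-of requests.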