Hi Johann/All,

We had a couple of discussions with the team, where we decided *not to
drop the unregistered scopes from the OAuth request in IS*. But as mentioned
earlier, from IS 5.10.0, we'll be more descriptive and show the display
name of the scope and its description as well when we are getting the
consent from the user. Also, if the scope is not registered under the
OAuth2 scope or OIDC scope in the IS, then we will display it with the
provided scope name on the consent page. Please find the corresponding
improvement in PR [1].

Note that in such a case, scopes which are not registered will be displayed
with the provided scope name and scopes which are registered will be displayed
with their corresponding display name and description on the consent page.

[1] https://github.com/wso2/identity-apps/pull/521

On Tue, Mar 10, 2020 at 1:54 PM Johann Nallathamby <[email protected]> wrote:

> Hi Sarubi,
>
> As Asela pointed out, there are use cases for differentiating the access
> token not just based on client or user or registered scopes but based on
> other environmental attributes. The easiest way of representing these
> environmental attributes in OAuth2 and getting unique access tokens in WSO2
> IS is using scopes. This is the reason why WSO2 API Manager also uses
> whitelabeled scope prefixes.
>
> For example, APIM customers use this feature to get unique access tokens
> per device. They might not be able to register the devices beforehand.
> @Nuwan Dias <[email protected]> and @Sanjeewa Malalgoda <[email protected]>
> may be able to comment more on this.
>
> Regards,
> Johann.
>
> On Thu, Feb 13, 2020 at 5:32 PM Asela Pathberiya <[email protected]> wrote:
>
>>
>>
>> On Thu, Feb 13, 2020 at 11:15 AM Sarubi Thillainathan <[email protected]>
>> wrote:
>>
>>>
>>>
>>> On Thu, Feb 13, 2020 at 10:50 AM Asela Pathberiya <[email protected]>
>>> wrote:
>>>
>>>>
>>>>
>>>> On Thu, Feb 13, 2020 at 10:48 AM Sarubi Thillainathan <[email protected]>
>>>> wrote:
>>>>
>>>>> Hi Asela,
>>>>>
>>>>>> Just to be clear, can we register scope values as regex patterns?
>>>>>> In APIM there is a scope whitelisting capability, with which any scope
>>>>>> value matching the given regex, e.g. "device_*", can be sent.
>>>>>>
>>>>> Nope, in IS we don't have this capability.
>>>>> The only thing that we enforce is that a scope name can't have a space.
>>>>>
>>>>
>>>> There are cases in which an application needs to send some random scope to
>>>> identify the devices. Can't we handle such cases by default?
>>>>
>>> Yes, we can't handle such cases by default. I would like to know why those
>>> need to be random. If it is for identifying the device, then can't we
>>> register those beforehand?
>>>
>>
>> Just thought of something similar to this [1], as we are not supporting
>> multiple access tokens for a given user/application.
>>
>> [1] https://apim.docs.wso2.com/en/3.0.0/Learn/APISecurity/OAuth2/OAuth2Scopes/scope-whitelisting/
>>
>>>>
>>>> Thanks,
>>>> Asela.
>>>>
>>>>
>>>>> Thanks,
>>>>> Sarubi.
>>>>>
>>>>> On Wed, Feb 12, 2020 at 6:06 PM Asela Pathberiya <[email protected]>
>>>>> wrote:
>>>>>
>>>>>>
>>>>>>
>>>>>> On Wed, Feb 12, 2020 at 5:44 PM Sarubi Thillainathan <[email protected]>
>>>>>> wrote:
>>>>>>
>>>>>>>
>>>>>>> On Wed, Feb 12, 2020 at 5:38 PM Sarubi Thillainathan <[email protected]> wrote:
>>>>>>>
>>>>>>>> Hi All,
>>>>>>>>
>>>>>>>> Currently in IS, whenever a token request comes with a list of
>>>>>>>> scopes, we'll be showing all the scopes and getting the consent from the
>>>>>>>> user regardless of whether those scopes are requested or not in the
>>>>>>>> Identity Server. But going forward with IS 5.10.0, we'll be more
>>>>>>>> descriptive and have decided to show the display name of the scope and
>>>>>>>> its description as well when we are getting the consent from the user.
>>>>>>>> Also, if the scope is not registered under the OAuth2 scope or OIDC
>>>>>>>> scope in the IS, then we decided to skip that particular scope from the
>>>>>>>> consent page and also from the response as the default behaviour.
>>>>>>>>
>>>>>> Just to be clear, can we register scope values as regex patterns?
>>>>>> In APIM there is a scope whitelisting capability, with which any scope
>>>>>> value matching the given regex, e.g. "device_*", can be sent.
>>>>>>
>>>>>> Thanks,
>>>>>> Asela.
>>>>>>
>>>>>>
>>>>>>>
>>>>>>>> In order to keep backward compatibility, we'll keep a flag so
>>>>>>>> that we can enable it if we want to list the scopes which are not
>>>>>>>> registered. Note that in that case scopes which are not registered will
>>>>>>>> be displayed with the provided scope name and scopes which are
>>>>>>>> registered will be displayed with their corresponding display name and
>>>>>>>> description on the consent page.
>>>>>>>>
>>>>>>>> Highly appreciate your ideas and suggestions on this.
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Sarubi.
>>>>>>>> --
>>>>>>>> *Sarubi Thillainathan* | Software Engineer | WSO2 Inc.
>>>>>>>> (m) +94 (0) 76 684 9101 | (e) [email protected],[email protected]
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Architecture mailing list
>>>>>>> [email protected]
>>>>>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Thanks & Regards,
>>>>>> Asela
>>>>>>
>>>>>> Mobile : +94 777 625 933
>>>>>>
>>>>>> http://soasecurity.org/
>>>>>> http://xacmlinfo.org/
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>
>>
>>
>
>
> --
> *Johann Dilantha Nallathamby* | Associate Director/Solutions Architect |
> WSO2 Inc.
> (m) +94 (77) 7776950 | (w) +94 (11) 2145345 | (e) [email protected]
>


-- 
*Sarubi Thillainathan* | Senior Software Engineer | WSO2 Inc.
(m) +94 (0) 76 684 9101 | (e) [email protected],[email protected]
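An added illustration of the consent-page scope resolution the thread settles on (example code, not WSO2 IS code; the registry contents, function names and the "device_.*" allowlist pattern are constructed assumptions): registered scopes are rendered with their display name and description, unregistered scopes with the raw scope value, the earlier "drop unregistered scopes" proposal sits behind a flag, and an APIM-style regex allowlist lets matching unregistered scopes through.

```python
import re
from dataclasses import dataclass

# Constructed sample registry of OAuth2/OIDC scopes registered in the server:
# scope name -> (display name, description). Not real WSO2 IS data.
REGISTERED_SCOPES: dict[str, tuple[str, str]] = {
    "openid": ("OpenID", "Sign you in with your account"),
    "profile": ("Profile", "Read your basic profile information"),
    "email": ("Email", "Read your email address"),
}

@dataclass(frozen=True)
class ConsentEntry:
    scope: str          # scope value exactly as requested
    display_name: str   # registered display name, or the raw scope value
    description: str    # registered description, empty for unregistered scopes
    registered: bool

def register_scope(registry: dict[str, tuple[str, str]], scope: str,
                   display_name: str, description: str) -> None:
    """Register a scope; the thread's one stated rule is no spaces in the name."""
    if not scope or " " in scope:
        raise ValueError(f"invalid scope name: {scope!r}")
    registry[scope] = (display_name, description)

def build_consent_entries(requested_scope: str,
                          registry: dict[str, tuple[str, str]] = REGISTERED_SCOPES,
                          drop_unregistered: bool = False,
                          allowlist_regex: str = "") -> list[ConsentEntry]:
    """Resolve a space-delimited OAuth2 'scope' parameter into consent-page rows.

    drop_unregistered=False is the IS 5.10.0 decision (unregistered scopes are kept,
    shown by raw name); True models the earlier proposal. allowlist_regex models
    APIM-style whitelisting: scopes matching a pattern such as "device_.*" pass.
    """
    allow = re.compile(allowlist_regex) if allowlist_regex else None
    entries: list[ConsentEntry] = []
    for scope in requested_scope.split():
        if scope in registry:
            name, desc = registry[scope]
            entries.append(ConsentEntry(scope, name, desc, True))
        elif drop_unregistered and not (allow and allow.fullmatch(scope)):
            continue  # legacy behaviour: unregistered scope silently skipped
        else:
            entries.append(ConsentEntry(scope, scope, "", False))
    return entries

def granted_scope_value(entries: list[ConsentEntry]) -> str:
    """Scope value echoed in the token response: exactly the scopes shown for consent."""
    return " ".join(e.scope for e in entries)
```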