On Fri, Feb 20, 2015 at 3:55 PM, Dulanja Liyanage <[email protected]> wrote:
> IMO we should have a config like "strictClientCredentialValidation".
>
> true: must validate the credentials,
> false: validate only when credentials are available in the request.
>
> And this check should be done before hitting the BasicAuthClientAuthHandler,
> at the authentication manager level.
>
> We can start from there and then think about integration to the UI, which
> would be required especially for multitenancy scenarios.

+1 Sometimes we may need to enable/disable it based on the client application...

Thanks,
Asela.

>
> On Fri, Feb 20, 2015 at 3:04 PM, Nuwandi Wickramasinghe <[email protected]>
> wrote:
>>
>> Hi,
>>
>> I have some concerns regarding JIRA issue [1]
>>
>> If client credentials are unavailable, is it ok to skip client
>> authentication process in issue() method
>> (org.wso2.carbon.identity.oauth2.token.AccessTokenIssuer) for SAML2 bearer
>> type ?
>>
>> Also should we give an option for user to select whether client
>> credentials are optional or not? And fail authentication if no credentials
>> are available and user says it's mandatory?
>>
>> [1] https://wso2.org/jira/browse/IDENTITY-3028
>> --
>>
>> Best Regards,
>>
>> Nuwandi Wickramasinghe
>>
>> Software Engineer
>>
>> WSO2 Inc.
>>
>> Web : http://wso2.com
>>
>> Mobile : 0719214873
>
>
> --
> Dulanja Liyanage
> WSO2 Inc.
> M: +94776764717
>
> _______________________________________________
> Dev mailing list
> [email protected]
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>

--
Thanks & Regards,
Asela

ATL
Mobile : +94 777 625 933
+358 449 228 979
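The gating rule proposed in the thread, written out as an added example; it is not code from the original messages or from WSO2. The class `ClientAuthGate`, the method `check`, the `CLIENTS` registry and its sample values are hypothetical, and it assumes client credentials arrive as HTTP Basic in the `Authorization` header.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;

public class ClientAuthGate {
    enum Result { AUTHENTICATED, SKIPPED, REJECTED }

    // Constructed sample registry (client_id -> client_secret), not real data.
    static final Map<String, String> CLIENTS = Map.of("app1", "s3cret");

    // Runs before any client-auth handler. 'strict' plays the role of the
    // proposed strictClientCredentialValidation flag; a caller could resolve
    // it per tenant or per client application.
    static Result check(boolean strict, String authzHeader) {
        if (authzHeader == null || authzHeader.trim().isEmpty()) {
            // No credentials in the request: only the strict mode fails here.
            return strict ? Result.REJECTED : Result.SKIPPED;
        }
        // Credentials are present, so they are validated in BOTH modes.
        // Lenient mode never turns a bad secret into a skip.
        if (!authzHeader.regionMatches(true, 0, "Basic ", 0, 6)) return Result.REJECTED;
        String decoded;
        try {
            byte[] raw = Base64.getDecoder().decode(authzHeader.substring(6).trim());
            decoded = new String(raw, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return Result.REJECTED; // malformed base64
        }
        int sep = decoded.indexOf(':');
        if (sep < 1) return Result.REJECTED; // missing client_id or separator
        String expected = CLIENTS.get(decoded.substring(0, sep));
        byte[] given = decoded.substring(sep + 1).getBytes(StandardCharsets.UTF_8);
        byte[] want = (expected == null ? "" : expected).getBytes(StandardCharsets.UTF_8);
        // Constant-time comparison; an unknown client is rejected even if the bytes match.
        boolean ok = MessageDigest.isEqual(given, want) & (expected != null);
        return ok ? Result.AUTHENTICATED : Result.REJECTED;
    }

    static String basic(String id, String secret) {
        byte[] pair = (id + ":" + secret).getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(pair);
    }

    public static void main(String[] args) {
        System.out.println("strict,  none : " + check(true, null));
        System.out.println("lenient, none : " + check(false, null));
        System.out.println("lenient, bad  : " + check(false, basic("app1", "wrong")));
        System.out.println("lenient, good : " + check(false, basic("app1", "s3cret")));
    }
}
```

In lenient mode a `SKIPPED` result means the grant itself, such as the SAML2 bearer assertion raised in the thread, is the only thing authenticating the request, so it should be logged distinctly from `AUTHENTICATED`.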
