On Fri, Feb 20, 2015 at 3:55 PM, Dulanja Liyanage <[email protected]> wrote:

> IMO we should have a config like "strictClientCredentialValidation".
>
> true: must validate the credentials,
> false: validate only when credentials are available in the request.
>
> And this check should be done before hitting the
> BasicAuthClientAuthHandler, at the authentication manager level.

The options are OK. But it cannot be handled at the AccessTokenIssuer class (which is kind of the Manager here). It should be handled inside the ClientAuthenticationHandler itself, so that we can override the methods for any custom implementation if needed. Best is to put the configuration check to an abstract class, extend the client authentication handlers from it, and call the super method and then continue with specific authentication.

Also the above-mentioned parameters should be configured as properties under the client authentication handler. See how the OAuthCallbackHandler class reads properties. You can follow the same approach here.

> We can start from there and then think about integration to the UI, which
> would be required especially because of multitenancy scenarios.

Integrating into the UI is very important for multi-tenancy as well as to control on a per-application basis. What it means is even if the tenant admin specifies authentication as optional, a client could override it for better protection. But to achieve that we need some database schema changes right now and I don't think this is possible in 5.1.0. So let's just limit to a file-based configuration for this release. In future when we are ready to move all file-based configs to the UI with schema changes this should also automatically be fixed.

> On Fri, Feb 20, 2015 at 3:04 PM, Nuwandi Wickramasinghe <[email protected]> wrote:
>
>> Hi,
>>
>> I have some concerns regarding JIRA issue [1]
>>
>> If client credentials are unavailable, is it ok to skip the client
>> authentication process in the issue() method
>> (org.wso2.carbon.identity.oauth2.token.AccessTokenIssuer) for SAML2 bearer
>> type?
>>
>> Also should we give an option for the user to select whether client
>> credentials are optional or not? And fail authentication if no credentials
>> are available and the user says it's mandatory?
>>
>> [1] https://wso2.org/jira/browse/IDENTITY-3028
>>
>> --
>> Best Regards,
>> Nuwandi Wickramasinghe
>> Software Engineer
>> WSO2 Inc.
>> Web : http://wso2.com
>> Mobile : 0719214873
>
> --
> Dulanja Liyanage
> WSO2 Inc.
> M: +94776764717

--
Thanks & Regards,
Johann Dilantha Nallathamby
Associate Technical Lead & Product Lead of WSO2 Identity Server
Integration Technologies Team
WSO2, Inc.
lean.enterprise.middleware
Mobile - +94777776950
Blog - http://nallaa.wordpress.com

_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
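As an added illustration of the abstract-handler layout proposed in the reply above (example code, not WSO2 Identity Server's own implementation; the class name AbstractClientAuthHandler, the property name StrictClientCredentialValidation, the method names and the request map are assumptions): the base class reads the flag from the handler's own properties and applies the strict/optional decision once, defaulting to strict so a missing credential fails closed, and BasicAuthClientAuthHandler calls that shared check first and only then runs its own secret comparison.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import java.util.Properties;

// Hypothetical base class for the pattern discussed in the thread (names are assumptions).
abstract class AbstractClientAuthHandler {
    private boolean strict = true;   // fail closed: missing credentials reject the request

    // Read the flag from the handler's own properties (property name is an assumption).
    public void init(Properties props) {
        strict = Boolean.parseBoolean(props.getProperty("StrictClientCredentialValidation", "true"));
    }

    // Shared check every handler runs before its specific validation. Returns true only
    // when authentication may be skipped (optional mode, no credentials supplied);
    // strict mode with no credentials fails here, before any handler-specific logic.
    protected boolean skipClientAuthentication(Map<String, String> request) {
        if (hasCredentials(request)) return false;   // present: subclass must validate them
        if (strict) throw new SecurityException("client credentials are mandatory but absent");
        return true;
    }

    protected abstract boolean hasCredentials(Map<String, String> request);
    public abstract boolean authenticateClient(Map<String, String> request);
}

// Handler for client_id/client_secret in the request body. The client store is a
// constructed in-memory map standing in for the registered-application lookup.
class BasicAuthClientAuthHandler extends AbstractClientAuthHandler {
    private final Map<String, String> clientSecrets;

    BasicAuthClientAuthHandler(Map<String, String> clientSecrets) { this.clientSecrets = clientSecrets; }

    @Override
    protected boolean hasCredentials(Map<String, String> request) {
        return request.get("client_id") != null && request.get("client_secret") != null;
    }

    @Override
    public boolean authenticateClient(Map<String, String> request) {
        if (skipClientAuthentication(request)) return true;   // optional mode, nothing to check
        String expected = clientSecrets.get(request.get("client_id"));
        byte[] given = request.get("client_secret").getBytes(StandardCharsets.UTF_8);
        // Constant-time secret comparison; an unknown client_id is rejected.
        return expected != null && MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8), given);
    }
}
```

A handler for another credential type (for example a client assertion) would extend the same base and override only hasCredentials and the validation step, so the strict/optional policy stays in one place.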
