Thanks Dinusha! You are correct. In a typical enterprise subscription scenario we can set <AddClaimsSelectively> to true and move forward without any changes.

On Thu, Jun 30, 2016 at 5:03 PM, Dinusha Senanayaka <[email protected]> wrote:

> Hi Rushmin,
>
> If I remember correctly, we have two options in JWT generation.
> If the <AddClaimsSelectively> option is set to true, then the claims are taken
> from the SAML Response to populate the JWT. If that property is set to false,
> then we take all the claims from the user store, which can cause the issue
> that you have pointed out.
>
> +1 for checking user existence before retrieving claims from the user store.
>
> On a side note, applications that have multiple authenticators have to
> provision the user if the application depends on some claims from our user
> store.
>
> Regards,
> Dinusha.
>
> On Thu, Jun 30, 2016 at 4:43 PM, Rushmin Fernando <[email protected]>
> wrote:
>
>> [+ dev@]
>>
>> On Thu, Jun 30, 2016 at 4:41 PM, Rushmin Fernando <[email protected]>
>> wrote:
>>
>>> One thing we can do is check whether the user is available using the
>>> userStoreManager.isExistingUser() method call before the line [1].
>>>
>>> [1]
>>> https://github.com/wso2/carbon-appmgt/blob/master/components/org.wso2.carbon.appmgt.impl/src/main/java/org/wso2/carbon/appmgt/impl/token/DefaultClaimsRetriever.java#L91
>>>
>>> On Thu, Jun 30, 2016 at 4:31 PM, Rushmin Fernando <[email protected]>
>>> wrote:
>>>
>>>> Sajith / Dinusha,
>>>>
>>>> In our default JWT implementation it tries to get the claims of the
>>>> user from the gateway node's user store.
>>>>
>>>> But when it comes to the enterprise subscription scenario, the
>>>> authenticated user doesn't exist in the node's user store (because the
>>>> user is authenticated by a third-party IDP like Google).
>>>>
>>>> The impact is that we can't enable enterprise subscription, since it gives
>>>> an error while generating the JWT.
>>>>
>>>> Is this something we have discussed before?
>>>>
>>>> --
>>>> *Best Regards*
>>>>
>>>> *Rushmin Fernando*
>>>> *Technical Lead*
>>>>
>>>> WSO2 Inc. <http://wso2.com/> - Lean . Enterprise . Middleware
>>>>
>>>> mobile : +94772891266
>
> --
> Dinusha Dilrukshi
> Associate Technical Lead
> WSO2 Inc.: http://wso2.com/
> Mobile: +94725255071
> Blog: http://dinushasblog.blogspot.com/
