Hi IS team,

In [1], when getting the user, it doesn't validate whether the user is in a user store or not. (This happens in the saml2-bearer grant type, and IS trusts the SAML assertion. It's totally valid not to do this.)

But can we give the user the freedom to choose whether to validate the user in the SAML assertion against a given user store or not? In that case it will actually have a valid user and the correct user domain in the token table, and he can generate JWT tokens with the required claims for that user. Is this a valid scenario? If so, can we support this?

Note that since we are taking the user domain from the username (subject) in [1], we can send the username (SAML assertion subject) with the correct domain (ex: Secondary/username1), in which case it will save the correct domain in the token table. Hence the JWT flow works fine. But I feel like this is kind of a hack. I have created a public JIRA for this in [2].

[1] - https://github.com/wso2/carbon-identity/blob/master/components/oauth/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/util/OAuth2Util.java#L637
[2] - https://wso2.org/jira/browse/IDENTITY-5483

Thanks
--
Rajith Vitharana
Senior Software Engineer, WSO2 Inc. : wso2.com
Mobile : +94715883223
Blog : http://lankavitharana.blogspot.com/
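The optional check discussed above, as an added illustration that is not code from the mail or from the carbon-identity project: the assertion subject is split into a user-store domain and username the way the mail describes (`Secondary/username1`), and a configurable switch decides whether the pair must exist in a user store before it is accepted. `UserStoreLookup`, `SamlSubjectResolver` and the in-memory store are assumed names standing in for the real Carbon user-store API.

```java
import java.util.Locale;
import java.util.Map;
import java.util.Set;

public class SamlSubjectResolver {
    /** Result: the domain and username that would be written to the token table. */
    static final class ResolvedSubject {
        final String userStoreDomain;
        final String username;
        ResolvedSubject(String d, String u) { userStoreDomain = d; username = u; }
    }

    /** Hypothetical lookup; stands in for the real user-store manager. */
    interface UserStoreLookup {
        boolean userExists(String userStoreDomain, String username);
    }

    private static final String PRIMARY_DOMAIN = "PRIMARY";
    private final UserStoreLookup userStore;
    private final boolean validateAgainstUserStore; // the opt-in switch proposed in the mail

    SamlSubjectResolver(UserStoreLookup userStore, boolean validateAgainstUserStore) {
        this.userStore = userStore;
        this.validateAgainstUserStore = validateAgainstUserStore;
    }

    /** "Secondary/username1" -> domain SECONDARY, user username1; no prefix -> PRIMARY (assumed default). */
    ResolvedSubject resolve(String subject) {
        String domain = PRIMARY_DOMAIN;
        String user = subject;
        int slash = subject.indexOf('/');
        if (slash > 0) {
            domain = subject.substring(0, slash).toUpperCase(Locale.ROOT);
            user = subject.substring(slash + 1);
        }
        // Only when validation is enabled is an unknown subject rejected; otherwise it is trusted as today.
        if (validateAgainstUserStore && !userStore.userExists(domain, user)) {
            throw new IllegalArgumentException("subject not found in user store " + domain + ": " + user);
        }
        return new ResolvedSubject(domain, user);
    }

    public static void main(String[] args) {
        // Constructed in-memory store: username1 exists only in the SECONDARY domain.
        Map<String, Set<String>> users = Map.of("PRIMARY", Set.of("alice"), "SECONDARY", Set.of("username1"));
        UserStoreLookup store = (d, u) -> users.getOrDefault(d, Set.of()).contains(u);
        ResolvedSubject ok = new SamlSubjectResolver(store, true).resolve("Secondary/username1");
        System.out.println(ok.userStoreDomain + " / " + ok.username);
        try {
            new SamlSubjectResolver(store, true).resolve("Secondary/ghost");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        System.out.println(new SamlSubjectResolver(store, false).resolve("Secondary/ghost").username);
    }
}
```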
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev