+1 for the following suggestion. Also, role-based scopes are not working for assertion-based grant types; can we add support for that too?

Thanks & regards,
-Prabath

On Wed, Dec 14, 2016 at 7:29 AM, Rajith Vitharana <[email protected]> wrote:

> Hi IS team,
>
> In [1], when getting the user, it doesn't validate whether the user is in a user store or not. (This happens in the saml2-bearer grant type, and IS trusts the SAML assertion. It's totally valid not doing this.)
>
> But can we give the user the freedom to choose whether to validate the user in the SAML assertion against a given user store or not? In which case it will actually have a valid user and correct user domain in the token table, in which case he can generate JWT tokens with the required claims for that user. Is this a valid scenario? If so, can we support this?
>
> Note that since we are taking the user domain from the username (subject) in [1], we can send the username (SAML assertion subject) with the correct domain (ex: Secondary/username1), in which case it will save the correct domain in the token table. Hence the JWT flow works fine. But I feel like it's kind of a hack for this.
>
> I have created a public JIRA for this in [2].
>
> [1] - https://github.com/wso2/carbon-identity/blob/master/components/oauth/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/util/OAuth2Util.java#L637
>
> [2] - https://wso2.org/jira/browse/IDENTITY-5483
>
> Thanks
>
> --
> Rajith Vitharana
>
> Senior Software Engineer,
> WSO2 Inc. : wso2.com
> Mobile : +94715883223
> Blog : http://lankavitharana.blogspot.com/

--
Thanks & Regards,
Prabath

Twitter : @prabath
LinkedIn : http://www.linkedin.com/in/prabathsiriwardena
Mobile : +1 650 625 7950
http://facilelogin.com
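The behaviour discussed in the thread, as an added illustrative model and not code from carbon-identity: the token user's domain is taken from the assertion subject's `Domain/username` prefix (defaulting to PRIMARY when there is none), and an optional switch validates that subject against a configured user store before the token row is written. The `USER_STORES` table and the `validate_user_store` flag are constructed stand-ins, not WSO2 configuration.

```python
from typing import Dict, Set, Tuple

PRIMARY_DOMAIN = "PRIMARY"

# Constructed stand-in for the server's configured user stores (hypothetical;
# in a real deployment this would be a lookup against the user store manager).
USER_STORES: Dict[str, Set[str]] = {
    "PRIMARY": {"alice"},
    "SECONDARY": {"username1"},
}


def split_subject(subject: str) -> Tuple[str, str]:
    """Split 'Secondary/username1' into ('SECONDARY', 'username1').

    A subject without a domain prefix is treated as a PRIMARY store user,
    which is the case the thread calls a 'hack' to work around.
    """
    if "/" in subject:
        domain, username = subject.split("/", 1)
        return domain.upper(), username
    return PRIMARY_DOMAIN, subject


def resolve_token_user(subject: str, validate_user_store: bool,
                       user_stores: Dict[str, Set[str]] = USER_STORES) -> dict:
    """Return the (username, domain) that would be stored in the token table.

    validate_user_store=False mirrors today's saml2-bearer behaviour: the
    assertion is trusted and the subject is stored as-is. True enables the
    optional check proposed in the thread, rejecting subjects that do not
    exist in the named user store.
    """
    domain, username = split_subject(subject)
    if not validate_user_store:
        return {"username": username, "domain": domain, "validated": False}
    store = user_stores.get(domain)
    if store is None:
        raise ValueError(f"unknown user store domain: {domain}")
    if username not in store:
        raise ValueError(f"user {username!r} not found in user store {domain}")
    return {"username": username, "domain": domain, "validated": True}
```

With validation off, a subject such as `Secondary/username1` still yields the SECONDARY domain purely from the prefix, which is the current workaround; with it on, an unknown subject is rejected before a token is issued.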
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev