Hi,

Currently both consent management and token revocation in IS lack scope awareness. Please find the following concerns; it will be better if we include at least some of these improvements in the next IS 5.4.0 release. Note that some of them are actual customer requirements.

*User Consent Management*

1) We are storing the user consent for applications in the IDN_OPENID_USER_RPS table [1]. Currently, stored consent is based on user name, tenant and application. *We are not considering the scope when we store consents in IDN_OPENID_USER_RPS*, but I think it should differ scope-wise, so I added a JIRA in [2].

2) We haven't considered *consent expiration*. Currently we have to invoke updateApproveAlwaysForAppConsentByResourceOwner of OAuthAdminService and change the state of the consent [3]. Isn't it better to include a *global/application-wise configuration* to specify the expiration time of a consent? Or provide a way for a *user to change the expiration of a consent in the UI*?

3) Currently we can update the consent of a particular application for a particular user in a particular tenant using OAuthAdminService. So if the user has selected the consent as "approve always", we can change it and then the client will have to ask for the consent again. Shall we also provide ways to:
- *revoke all consents given for a particular scope / particular application / particular user?*
- *get a list of user consents for a particular scope / particular application / particular user?*
- *get a list of the current OAuth consents with scope and expiration date?*

*Token Revocation*

1) Currently in IS, access tokens can be revoked for a particular client, user and scope combination if it is ACTIVE or EXPIRED. This can be done using the revokeAuthzForAppsByResoureOwner method of OAuthAdminService [4]. When we revoke the tokens, it will revoke the consents for the particular client, user and tenant combination. Isn't it better to consider the following scenarios as well?
- *Revoke access token/refresh token based on the consent (revoke tokens with the consent "approve always")*
- *Revoke access token/refresh token for a given client and a scope*

Appreciate your ideas on this. Please add any other scenarios I have missed in consent management and token revocation where the scope should be taken into account.

[1] https://github.com/wso2/carbon-identity-framework/blob/master/features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/mysql-5.7.sql#L146
[2] https://wso2.org/jira/browse/IDENTITY-5899
[3] https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/OAuthAdminService.java#L679
[4] https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/OAuthAdminService.java#L570

Thanks and Regards
--
Indunil Upeksha Rathnayake
Software Engineer | WSO2 Inc
Email [email protected]
Mobile 0772182255
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
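The post above proposes keying consent by scope, giving consents an expiry, and revoking consents and their tokens by scope, application or user. The following is an added illustrative model written for this thread, not code from WSO2 Identity Server or from the poster; the class, method and field names (ConsentStore, missing_scopes, revoke, Token.state) are assumptions chosen for the example, and the users, tenant and client ids are constructed sample data. It shows why a consent record that carries a scope set and an expiry lets the server re-prompt only for scopes the user has not approved, and lets an administrator withdraw a single scope without wiping every consent for the application:

```python
"""Scope-aware consent store with expiry and revocation (illustrative model, not WSO2 code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

ConsentKey = Tuple[str, str, str]  # (tenant, username, client_id), as the current table is keyed


@dataclass
class Consent:
    scopes: Set[str]                  # the scopes the user actually approved, not just the app
    expires_at: Optional[datetime]    # None: open-ended "approve always"

    def is_live(self, now: datetime) -> bool:
        return self.expires_at is None or now < self.expires_at


@dataclass
class Token:
    tenant: str
    username: str
    client_id: str
    scopes: FrozenSet[str]
    state: str = "ACTIVE"             # ACTIVE, EXPIRED or REVOKED


class ConsentStore:
    """In-memory stand-in for a scope-aware consent table plus the tokens issued against it."""

    def __init__(self, default_ttl: Optional[timedelta] = None) -> None:
        self._consents: Dict[ConsentKey, Consent] = {}
        self._tokens: List[Token] = []
        self.default_ttl = default_ttl  # global expiry policy; None keeps "approve always" open-ended

    def grant(self, tenant, username, client_id, scopes, now, ttl=None):
        ttl = ttl if ttl is not None else self.default_ttl
        key = (tenant, username, client_id)
        expires = now + ttl if ttl is not None else None
        current = self._consents.get(key)
        if current is not None and current.is_live(now):
            current.scopes |= set(scopes)   # extend a live consent with newly approved scopes
            current.expires_at = expires
        else:
            self._consents[key] = Consent(set(scopes), expires)

    def missing_scopes(self, tenant, username, client_id, requested, now) -> Set[str]:
        """Requested scopes that no live consent covers, i.e. what the user must be prompted for."""
        consent = self._consents.get((tenant, username, client_id))
        if consent is None or not consent.is_live(now):
            return set(requested)
        return set(requested) - consent.scopes

    def issue_token(self, tenant, username, client_id, scopes, now) -> Token:
        if self.missing_scopes(tenant, username, client_id, scopes, now):
            raise PermissionError("consent missing for some requested scopes")
        token = Token(tenant, username, client_id, frozenset(scopes))
        self._tokens.append(token)
        return token

    def revoke(self, tenant=None, username=None, client_id=None, scope=None) -> int:
        """Withdraw consents matching the given filters and revoke the tokens that depend on them.

        With scope set, only that scope is withdrawn (a consent left empty is dropped) and only
        tokens carrying that scope are revoked. Returns the number of tokens moved to REVOKED."""
        def matches(t, u, c):
            return ((tenant is None or t == tenant) and (username is None or u == username)
                    and (client_id is None or c == client_id))

        for key in [k for k in self._consents if matches(*k)]:
            if scope is None:
                del self._consents[key]
            else:
                self._consents[key].scopes.discard(scope)
                if not self._consents[key].scopes:
                    del self._consents[key]

        revoked = 0
        for token in self._tokens:
            if token.state == "REVOKED" or not matches(token.tenant, token.username, token.client_id):
                continue
            if scope is None or scope in token.scopes:
                token.state = "REVOKED"
                revoked += 1
        return revoked

    def list_consents(self, now, tenant=None, username=None, client_id=None, scope=None):
        """Consent listing with scope and expiry, filterable by tenant, user, client or scope."""
        rows = []
        for (t, u, c), consent in self._consents.items():
            if (tenant and t != tenant) or (username and u != username) or (client_id and c != client_id):
                continue
            if scope and scope not in consent.scopes:
                continue
            rows.append({"tenant": t, "user": u, "client_id": c, "scopes": sorted(consent.scopes),
                         "expires_at": consent.expires_at, "live": consent.is_live(now)})
        return rows


def scenario():
    """Walk through the thread's cases on constructed sample data and return the observable results."""
    now = datetime(2017, 6, 1, tzinfo=timezone.utc)
    store = ConsentStore(default_ttl=timedelta(days=30))          # global expiry policy
    store.grant("carbon.super", "alice", "app1", {"openid", "email"}, now)
    store.grant("carbon.super", "bob", "app1", {"openid"}, now, ttl=timedelta(days=1))
    missing = store.missing_scopes("carbon.super", "alice", "app1", {"openid", "profile"}, now)
    tok_a = store.issue_token("carbon.super", "alice", "app1", {"openid", "email"}, now)
    tok_b = store.issue_token("carbon.super", "bob", "app1", {"openid"}, now)
    revoked = store.revoke(client_id="app1", scope="email")       # revoke for client + scope
    later = now + timedelta(days=2)
    return {"missing": missing, "revoked": revoked,
            "alice_scopes": store.list_consents(now, username="alice")[0]["scopes"],
            "tok_a_state": tok_a.state, "tok_b_state": tok_b.state,
            "bob_missing": store.missing_scopes("carbon.super", "bob", "app1", {"openid"}, later),
            "live_consents_later": [r["user"] for r in store.list_consents(later) if r["live"]]}


if __name__ == "__main__":
    for name, value in scenario().items():
        print(name, value)
```

In the scenario, alice is re-prompted only for "profile", revoking the "email" scope for app1 revokes alice's token but leaves bob's "openid"-only token active, and bob's one-day consent lapses on its own so the next request prompts him again.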
