Ok. All of these are extensions anyway. If some IDP sends the same responses as IS the benefit is that we can just plug and play. If there are differences we basically have to write code and deploy as extensions.
On Sun, 14 May 2017 at 12:44 pm, Farasath Ahamed <farasa...@wso2.com> wrote: > On Sun, May 14, 2017 at 12:30 PM, Nuwan Dias <nuw...@wso2.com> wrote: > >> It looks like we may have to use the introspect to validate the token and >> use a proprietary api in IS to get user claims. >> > > Sending username of the authorized user in the introspection response is > not mandatory. IS sends by default. This may not be the same with external > Key Managers. So we might have to consider that as well. > > >> When using an external KM we will have to override the part that gets >> user claims. That's of course if they want to send JWT to target endpoints >> only. >> >> On Sun, 14 May 2017 at 8:57 am, Bhathiya Jayasekara <bhath...@wso2.com> >> wrote: >> >>> Hi Ishara, >>> >>> On Sun, May 14, 2017 at 8:51 AM, Ishara Karunarathna <isha...@wso2.com> >>> wrote: >>> >>>> Hi, >>>> >>>> On Sun, May 14, 2017 at 8:42 AM, Ishara Karunarathna <isha...@wso2.com> >>>> wrote: >>>> >>>>> Hi Bhathiya, >>>>> >>>>> On Sun, May 14, 2017 at 8:18 AM, Bhathiya Jayasekara < >>>>> bhath...@wso2.com> wrote: >>>>> >>>>>> Hi Ishara, >>>>>> >>>>>> On Sun, May 14, 2017 at 7:16 AM, Ishara Karunarathna < >>>>>> isha...@wso2.com> wrote: >>>>>> >>>>>>> Hi, >>>>>>> >>>>>>> In the current implementations you get a JWT token from token >>>>>>> validation service regardless of the grant types. >>>>>>> But this would be a problem when you go with standards only. For >>>>>>> example you may not be able to get and ID token from IDP if its only >>>>>>> supporting specifications. >>>>>>> >>>>>> >>>>>> We thought of using "openid" scope when generating token and then >>>>>> call userinfo after validating (introspect) the token. I expect that >>>>>> should >>>>>> work if the IDP is complient with the specs. WDYT? >>>>>> >>>>> What I'm saying is for all the oauth grant types does not work with >>>>> OIDC >>>>> For example in password grant type you can't use OIDC. OIDC define >>>>> only authorization code and implicit grant types (it has a hybrid flow as >>>>> well ) >>>>> In that case you can't expect to get ID token for all grant types. >>>>> >>>> >>> Oh that's going to be a problem. >>> >>> >>>> So do you need this user information in all the cases ?? >>>> >>> >>> Yes we may need, specially in passwrod grant type. If this is not going >>> to work, we will have to think of a different solution (like the SCIM one >>> you suggested.) >>> >>> Thanks, >>> Bhathiya >>> >>> >>>> >>>> one option that come to my mind is. >>>> in the token introspection response get the user name. >>>> And then call a SCIM endpoint (or any other api to get the user >>>> information) to get user information. >>>> >>>> But this also has a issue, this username is a optional parameter >>>> >>>> >>>>> >>>>> So do you need this user information in all the cases ?? >>>>> >>>>> >>>>>> Thanks, >>>>>> Bhathiya >>>>>> >>>>>> >>>>>>> >>>>>>> so this has to be address case by case. >>>>>>> -Ishara >>>>>>> >>>>>>> On Sat, May 13, 2017 at 10:40 PM, Bhathiya Jayasekara < >>>>>>> bhath...@wso2.com> wrote: >>>>>>> >>>>>>>> Thanks for the explanation Farasath. >>>>>>>> >>>>>>>> So this means we have to do a DCR call and another service call to >>>>>>>> register claims to SP. @Tharindu: looks like we don't have a choice >>>>>>>> here. >>>>>>>> >>>>>>>> Thanks, >>>>>>>> Bhathiya >>>>>>>> >>>>>>>> On Sat, May 13, 2017 at 1:49 PM, Farasath Ahamed < >>>>>>>> farasa...@wso2.com> wrote: >>>>>>>> >>>>>>>>> >>>>>>>>> On Sat, May 13, 2017 at 1:15 PM, Bhathiya Jayasekara < >>>>>>>>> bhath...@wso2.com> wrote: >>>>>>>>> >>>>>>>>>> Hi Farasath, >>>>>>>>>> >>>>>>>>>> That's going to be a problem when we use DCR, I guess. Shouldn't >>>>>>>>>> we send the claims given in the spec for each scope by default, >>>>>>>>>> without any >>>>>>>>>> special configurations in SP? >>>>>>>>>> >>>>>>>>> >>>>>>>>> Not really. >>>>>>>>> >>>>>>>>> Even the spec says[1], >>>>>>>>> >>>>>>>>> In some cases, the End-User will be given the option to have the >>>>>>>>>> OpenID Provider decline to provide some or all information requested >>>>>>>>>> by >>>>>>>>>> RPs. To minimize the amount of information that the End-User is >>>>>>>>>> being asked >>>>>>>>>> to disclose, an RP can elect to only request a subset of the >>>>>>>>>> information >>>>>>>>>> available from the UserInfo Endpoint. >>>>>>>>> >>>>>>>>> >>>>>>>>> Simply put we are not bound to provide all the claims a >>>>>>>>> client(Relying party) asks for using a 'scope'. There should be a way >>>>>>>>> to >>>>>>>>> control the claims that are sent out based on the application. This is >>>>>>>>> because the sensitive nature of a claim depends on the application and >>>>>>>>> other factors as well. For example, 'phone number' might be a >>>>>>>>> sensitive >>>>>>>>> claim for some apps. Therefore for such apps, we need to have a way >>>>>>>>> to >>>>>>>>> control a client from getting hold of that claim using scope 'phone'. >>>>>>>>> >>>>>>>>> So we can consider "requested claims" in Service Provider config >>>>>>>>> as our way of allowing an application admin to decide what claims an >>>>>>>>> external client can retrieve and what not. >>>>>>>>> >>>>>>>>> [1] >>>>>>>>> http://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims >>>>>>>>> >>>>>>>>> >>>>>>>>>> Thanks, >>>>>>>>>> Bhathiya >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> On Sat, May 13, 2017 at 1:09 PM, Farasath Ahamed < >>>>>>>>>> farasa...@wso2.com> wrote: >>>>>>>>>> >>>>>>>>>>> Hi, >>>>>>>>>>> >>>>>>>>>>> Yes. We do support openid scopes (address, email, phone, >>>>>>>>>>> profile). (Refer [1]) >>>>>>>>>>> But as Tharindu has mentioned this too requires the relevant >>>>>>>>>>> claims that fall under these scopes to be configured as requested >>>>>>>>>>> claims in >>>>>>>>>>> the Service Provider. >>>>>>>>>>> >>>>>>>>>>> For example, >>>>>>>>>>> OIDC scope 'address' would return "address" and "street" claims. >>>>>>>>>>> But unless you have these claims as requested claims in the claim >>>>>>>>>>> configuration of the SP. These claims won't be returned although you >>>>>>>>>>> requested the token with a scope value of "openid address" >>>>>>>>>>> >>>>>>>>>>> The idea here is Service Provider requested claims takes >>>>>>>>>>> priority over claims defined for scopes. >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> [1] >>>>>>>>>>> https://docs.wso2.com/display/IS530/Configuring+Claims+for+a+Service+Provider >>>>>>>>>>> (Click to view vital information when configuring claims for an >>>>>>>>>>> OpenID Connect Service Provider) >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> Thanks, >>>>>>>>>>> Farasath Ahamed >>>>>>>>>>> Software Engineer, WSO2 Inc.; http://wso2.com >>>>>>>>>>> Mobile: +94777603866 >>>>>>>>>>> Blog: blog.farazath.com >>>>>>>>>>> Twitter: @farazath619 <https://twitter.com/farazath619> >>>>>>>>>>> <http://wso2.com/signature> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> On Sat, May 13, 2017 at 11:36 AM, Bhathiya Jayasekara < >>>>>>>>>>> bhath...@wso2.com> wrote: >>>>>>>>>>> >>>>>>>>>>>> @IS team: Do we support these in our current implementation? >>>>>>>>>>>> >>>>>>>>>>>> Thanks, >>>>>>>>>>>> Bhathiya >>>>>>>>>>>> >>>>>>>>>>>> On Sat, May 13, 2017 at 11:34 AM, Bhathiya Jayasekara < >>>>>>>>>>>> bhath...@wso2.com> wrote: >>>>>>>>>>>> >>>>>>>>>>>>> Hi Tharindu, >>>>>>>>>>>>> >>>>>>>>>>>>> In OIDC there are other standard scopes[1] in addition to >>>>>>>>>>>>> 'openid'. These scopes are there to request specific user claims. >>>>>>>>>>>>> I think >>>>>>>>>>>>> we can use them here. So when generating tokens, these scopes >>>>>>>>>>>>> should be >>>>>>>>>>>>> used as per the requirement. >>>>>>>>>>>>> >>>>>>>>>>>>> [1] >>>>>>>>>>>>> http://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims >>>>>>>>>>>>> >>>>>>>>>>>>> Thanks, >>>>>>>>>>>>> Bhathiya >>>>>>>>>>>>> >>>>>>>>>>>>> On Sat, May 13, 2017 at 12:18 AM, Tharindu Dharmarathna < >>>>>>>>>>>>> tharin...@wso2.com> wrote: >>>>>>>>>>>>> >>>>>>>>>>>>>> Hi All, >>>>>>>>>>>>>> >>>>>>>>>>>>>> We had a use case on APIM to send the user claims in the JWT >>>>>>>>>>>>>> Header to the backend server. >>>>>>>>>>>>>> >>>>>>>>>>>>>> Currently APIM C4 architecture was Getting the user claims >>>>>>>>>>>>>> and generate JWT from Key manager node. >>>>>>>>>>>>>> >>>>>>>>>>>>>> As in C5 architecture, we have to get the user claims from >>>>>>>>>>>>>> the IS or the third party key manager. >>>>>>>>>>>>>> >>>>>>>>>>>>>> I had observed below two ways of getting user claims into the >>>>>>>>>>>>>> Gateway from IS. >>>>>>>>>>>>>> >>>>>>>>>>>>>> 1. Generate token with OpenID scope. >>>>>>>>>>>>>> 2. Call userinfo endpoint with above generated token >>>>>>>>>>>>>> 3. Call OAuth2TokenValidation Service and get the token. >>>>>>>>>>>>>> >>>>>>>>>>>>>> When considering [2] in order to receive user info we have to >>>>>>>>>>>>>> set the requested claims in service provider according to the >>>>>>>>>>>>>> App. >>>>>>>>>>>>>> >>>>>>>>>>>>>> And from Current C4 architecture, we don't mandate to send >>>>>>>>>>>>>> openid token as a scope. >>>>>>>>>>>>>> >>>>>>>>>>>>>> Is there any other alternative ways to achieve above task. >>>>>>>>>>>>>> >>>>>>>>>>>>>> Thanks >>>>>>>>>>>>>> >>>>>>>>>>>>>> *Tharindu Dharmarathna*Senior Software Engineer >>>>>>>>>>>>>> WSO2 Inc.; http://wso2.com >>>>>>>>>>>>>> lean.enterprise.middleware >>>>>>>>>>>>>> >>>>>>>>>>>>>> mobile: *+94779109091 <077%20910%209091>* >>>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> -- >>>>>>>>>>>>> *Bhathiya Jayasekara* >>>>>>>>>>>>> *Associate Technical Lead,* >>>>>>>>>>>>> *WSO2 inc., http://wso2.com <http://wso2.com>* >>>>>>>>>>>>> >>>>>>>>>>>>> *Phone: +94715478185 <071%20547%208185>* >>>>>>>>>>>>> *LinkedIn: http://www.linkedin.com/in/bhathiyaj >>>>>>>>>>>>> <http://www.linkedin.com/in/bhathiyaj>* >>>>>>>>>>>>> *Twitter: https://twitter.com/bhathiyax >>>>>>>>>>>>> <https://twitter.com/bhathiyax>* >>>>>>>>>>>>> *Blog: http://movingaheadblog.blogspot.com >>>>>>>>>>>>> <http://movingaheadblog.blogspot.com/>* >>>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> -- >>>>>>>>>>>> *Bhathiya Jayasekara* >>>>>>>>>>>> *Associate Technical Lead,* >>>>>>>>>>>> *WSO2 inc., http://wso2.com <http://wso2.com>* >>>>>>>>>>>> >>>>>>>>>>>> *Phone: +94715478185 <+94%2071%20547%208185>* >>>>>>>>>>>> *LinkedIn: http://www.linkedin.com/in/bhathiyaj >>>>>>>>>>>> <http://www.linkedin.com/in/bhathiyaj>* >>>>>>>>>>>> *Twitter: https://twitter.com/bhathiyax >>>>>>>>>>>> <https://twitter.com/bhathiyax>* >>>>>>>>>>>> *Blog: http://movingaheadblog.blogspot.com >>>>>>>>>>>> <http://movingaheadblog.blogspot.com/>* >>>>>>>>>>>> >>>>>>>>>>>> _______________________________________________ >>>>>>>>>>>> Dev mailing list >>>>>>>>>>>> Dev@wso2.org >>>>>>>>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> -- >>>>>>>>>> *Bhathiya Jayasekara* >>>>>>>>>> *Associate Technical Lead,* >>>>>>>>>> *WSO2 inc., http://wso2.com <http://wso2.com>* >>>>>>>>>> >>>>>>>>>> *Phone: +94715478185 <+94%2071%20547%208185>* >>>>>>>>>> *LinkedIn: http://www.linkedin.com/in/bhathiyaj >>>>>>>>>> <http://www.linkedin.com/in/bhathiyaj>* >>>>>>>>>> *Twitter: https://twitter.com/bhathiyax >>>>>>>>>> <https://twitter.com/bhathiyax>* >>>>>>>>>> *Blog: http://movingaheadblog.blogspot.com >>>>>>>>>> <http://movingaheadblog.blogspot.com/>* >>>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> -- >>>>>>>> *Bhathiya Jayasekara* >>>>>>>> *Associate Technical Lead,* >>>>>>>> *WSO2 inc., http://wso2.com <http://wso2.com>* >>>>>>>> >>>>>>>> *Phone: +94715478185 <+94%2071%20547%208185>* >>>>>>>> *LinkedIn: http://www.linkedin.com/in/bhathiyaj >>>>>>>> <http://www.linkedin.com/in/bhathiyaj>* >>>>>>>> *Twitter: https://twitter.com/bhathiyax >>>>>>>> <https://twitter.com/bhathiyax>* >>>>>>>> *Blog: http://movingaheadblog.blogspot.com >>>>>>>> <http://movingaheadblog.blogspot.com/>* >>>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> -- >>>>>>> Ishara Karunarathna >>>>>>> Associate Technical Lead >>>>>>> WSO2 Inc. - lean . enterprise . middleware | wso2.com >>>>>>> >>>>>>> email: isha...@wso2.com, blog: isharaaruna.blogspot.com, >>>>>>> mobile: +94717996791 <071%20799%206791> >>>>>>> >>>>>>> >>>>>>> >>>>>> >>>>>> >>>>>> -- >>>>>> *Bhathiya Jayasekara* >>>>>> *Associate Technical Lead,* >>>>>> *WSO2 inc., http://wso2.com <http://wso2.com>* >>>>>> >>>>>> *Phone: +94715478185 <+94%2071%20547%208185>* >>>>>> *LinkedIn: http://www.linkedin.com/in/bhathiyaj >>>>>> <http://www.linkedin.com/in/bhathiyaj>* >>>>>> *Twitter: https://twitter.com/bhathiyax >>>>>> <https://twitter.com/bhathiyax>* >>>>>> *Blog: http://movingaheadblog.blogspot.com >>>>>> <http://movingaheadblog.blogspot.com/>* >>>>>> >>>>> >>>>> >>>>> >>>>> -- >>>>> Ishara Karunarathna >>>>> Associate Technical Lead >>>>> WSO2 Inc. - lean . enterprise . middleware | wso2.com >>>>> >>>>> email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: >>>>> +94717996791 <+94%2071%20799%206791> >>>>> >>>>> >>>>> >>>> >>>> >>>> -- >>>> Ishara Karunarathna >>>> Associate Technical Lead >>>> WSO2 Inc. - lean . enterprise . middleware | wso2.com >>>> >>>> email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: >>>> +94717996791 <071%20799%206791> >>>> >>>> >>>> >>> >>> >>> -- >>> *Bhathiya Jayasekara* >>> *Associate Technical Lead,* >>> *WSO2 inc., http://wso2.com <http://wso2.com>* >>> >>> *Phone: +94715478185 <+94%2071%20547%208185>* >>> *LinkedIn: http://www.linkedin.com/in/bhathiyaj >>> <http://www.linkedin.com/in/bhathiyaj>* >>> *Twitter: https://twitter.com/bhathiyax <https://twitter.com/bhathiyax>* >>> *Blog: http://movingaheadblog.blogspot.com >>> <http://movingaheadblog.blogspot.com/>* >>> _______________________________________________ >>> Dev mailing list >>> Dev@wso2.org >>> http://wso2.org/cgi-bin/mailman/listinfo/dev >>> >> -- >> Nuwan Dias >> >> Software Architect - WSO2, Inc. http://wso2.com >> email : nuw...@wso2.com >> Phone : +94 777 775 729 <+94%2077%20777%205729> >> >> _______________________________________________ >> Dev mailing list >> Dev@wso2.org >> http://wso2.org/cgi-bin/mailman/listinfo/dev >> >> -- Nuwan Dias Software Architect - WSO2, Inc. http://wso2.com email : nuw...@wso2.com Phone : +94 777 775 729
_______________________________________________ Dev mailing list Dev@wso2.org http://wso2.org/cgi-bin/mailman/listinfo/dev
