On Tue, May 16, 2017 at 7:38 PM, Hasanthi Purnima Dissanayake < [email protected]> wrote:
> Hi All,
> In our current OIDC implementation we support the below four grant types and
> issue id tokens and user info claims for all the below grant types.
>
> - authorization_code
> - implicit
> - client_credential
> - password
>

What about extension grant types like SAML2BearerGrant, JWTBearer or any other custom grant type we write? AFAIR we do issue id_tokens to any grant type when "openid" scope is present.

> Among those 4 grant types that we have implemented, the OIDC spec discusses
> only the implicit and authorization_code grant types. According to the
> spec, the "openid" scope value is a must to inform the Authorization Server
> that the client is making an OpenID Connect request. So we have introduced
> a new property in identity.xml as below and we have implemented a scope
> validator to validate whether the grant types are authorization_code,
> implicit or password if the scope is openid.
>
> <ScopeValidators>
>     <OAuthScopeValidator class="org.wso2.carbon.identity.oauth2.validators.JDBCScopeValidator"/>
>     <OIDCScopeValidator class="org.wso2.carbon.identity.oauth2.validators.OIDCScopeValidator"/>
> </ScopeValidators>
>
> So with the above property and the implementation, the OIDC grant types that we
> are supporting will be authorization_code, implicit and password grant
> types.
>

If our current implementation allows id_token generation for all types, wouldn't this break existing clients? If our motive is to stop issuing id_token for client_credential grant type (which makes sense since id_token for client_credentials lacks a semantic value), I feel we should use a blacklisting approach in the OIDCScopeValidator and not issue id_token by checking if the request comes from the grant_type client_credentials. WDYT?

> Thanks,
>
> Hasanthi Dissanayake
>
> Software Engineer | WSO2
>
> E: [email protected]
> M :0718407133| http://wso2.com <http://wso2.com/>
>
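The two policies argued over in the thread, as an added, self-contained example (not WSO2 code and not using the OAuth2ScopeValidator API; class and method names, and the "custom_grant" identifier, are assumptions). It puts the allowlist that the OIDCScopeValidator described above implements next to the denylist the reply proposes, and runs both over the built-in grant types plus the SAML2 bearer and JWT bearer extension grants the reply asks about, so the effect on existing OIDC clients of each approach is visible in one table: the allowlist also refuses "openid" for every extension or custom grant, while the denylist only refuses it for client_credentials, the one grant that carries no end-user to describe in an id_token.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/**
 * Hypothetical model of the two scope-validation policies from the thread.
 * It deliberately does not extend WSO2's validator classes; everything here
 * is plain Java so the policy difference can be run and inspected offline.
 */
public class OidcGrantPolicyDemo {

    // grant_type values as sent in the token request (RFC 6749, RFC 7522, RFC 7523)
    static final String AUTHORIZATION_CODE = "authorization_code";
    static final String IMPLICIT = "implicit";
    static final String CLIENT_CREDENTIALS = "client_credentials";
    static final String PASSWORD = "password";
    static final String SAML2_BEARER = "urn:ietf:params:oauth:grant-type:saml2-bearer";
    static final String JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer";
    // constructed placeholder standing in for an in-house extension grant
    static final String CUSTOM_GRANT = "custom_grant";

    /** An OIDC request is one whose requested scopes include "openid". */
    static boolean isOidcRequest(String[] scopes) {
        return Arrays.asList(scopes).contains("openid");
    }

    /**
     * Allowlist policy (what the thread's OIDCScopeValidator does):
     * "openid" is accepted only for the three listed grant types, so every
     * extension or custom grant is refused an id_token as a side effect.
     */
    static boolean allowlistPermitsOpenId(String grantType, String[] scopes) {
        if (!isOidcRequest(scopes)) {
            return true; // no "openid" scope: nothing for this validator to decide
        }
        Set<String> permitted = new HashSet<>(Arrays.asList(AUTHORIZATION_CODE, IMPLICIT, PASSWORD));
        return permitted.contains(grantType);
    }

    /**
     * Denylist policy (the reply's proposal): "openid" is accepted for every
     * grant type except client_credentials, which has no end-user and so
     * nothing meaningful to assert in an id_token.
     */
    static boolean denylistPermitsOpenId(String grantType, String[] scopes) {
        if (!isOidcRequest(scopes)) {
            return true;
        }
        return !CLIENT_CREDENTIALS.equals(grantType);
    }

    public static void main(String[] args) {
        // constructed sample request: an OIDC request asking for profile claims as well
        String[] oidcScopes = {"openid", "email"};
        String[] grants = {AUTHORIZATION_CODE, IMPLICIT, CLIENT_CREDENTIALS, PASSWORD,
                           SAML2_BEARER, JWT_BEARER, CUSTOM_GRANT};

        System.out.printf("%-48s %-10s %-10s%n", "grant_type", "allowlist", "denylist");
        for (String grant : grants) {
            System.out.printf("%-48s %-10b %-10b%n", grant,
                    allowlistPermitsOpenId(grant, oidcScopes),
                    denylistPermitsOpenId(grant, oidcScopes));
        }

        // A request without "openid" is outside OIDC and passes both policies unchanged.
        String[] plainOAuthScopes = {"email"};
        System.out.printf("%nclient_credentials without openid -> allowlist %b, denylist %b%n",
                allowlistPermitsOpenId(CLIENT_CREDENTIALS, plainOAuthScopes),
                denylistPermitsOpenId(CLIENT_CREDENTIALS, plainOAuthScopes));
    }
}
```

Compile and run with `javac OidcGrantPolicyDemo.java && java OidcGrantPolicyDemo`. The rows for the two bearer grants and the custom grant are where the policies disagree: the allowlist returns false for them, the denylist true. Whichever policy is chosen, the decision should be taken from the grant_type of the actual request rather than from the client's registered grant types, since a client registered for several grants may legitimately use "openid" with one and not another.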
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
