---------- Forwarded message ----------
From: Thilina Madumal <[email protected]>
Date: Thu, Jun 15, 2017 at 1:37 PM
Subject: [IS][DEV][OAUTH][SAML2.0-BEARER] Should ID_TOKEN User Claims Tally with the Requested Scope When Obtaining an OAuth Access-Token with SAML2.0-Bearer Grant Type
To: [email protected]
Cc: Ishara Karunarathna <[email protected]>, Johann Nallathamby <[email protected]>, Ruwan Abeykoon <[email protected]>, Sagara Gunathunga <[email protected]>, Hasanthi Purnima Dissanayake <[email protected]>, Pushpalanka Jayawardhana <[email protected]>, Isura Karunaratne <[email protected]>, Thanuja Jayasinghe <[email protected]>
Hi,

I'm wondering, when we issue OAuth2 access tokens for the SAML2.0-Bearer grant type, how we should provide user claims in the ID-Token.

In the prevailing implementation, when building the ID-Token we just get the user claims from the Assertion provided and include those in the ID-Token irrespective of the scope requested. Ideally, it should be the same as the OpenID Connect standard, where we provide the user claims in the ID-Token according to the requested scope. Then we can cache those user attributes against the issued access token, to provide user claims when the 'userInfo' endpoint is called with the issued access token.

We can follow the same standard for Assertions issued by WSO2-IS, either for local users or for federated users, because we know the user claim mapping in these cases. But for Assertions provided by some other Trusted IDP we can't follow this standard, simply because we don't know the user claim mapping.

Highly appreciate your help and suggestions.

Thanks and Best Regards!

--
Thilina Madumal
Software Engineer | WSO2
Email: [email protected]
Mobile: +94 774553167
Web: http://wso2.com
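The behaviour proposed above (ID-Token claims filtered by the requested scope, then cached against the access token for the userInfo endpoint, with the "unknown claim mapping" case of a third-party IdP kept apart), as an added illustrative example in Python. This is not WSO2 Identity Server code; the attribute-to-claim mapping, the claim URIs and the in-memory cache are assumptions for the sake of the example.

```python
# OpenID Connect Core 1.0, section 5.4: the claims each standard scope requests.
SCOPE_CLAIMS = {
    "profile": {"name", "family_name", "given_name", "middle_name", "nickname",
                "preferred_username", "profile", "picture", "website", "gender",
                "birthdate", "zoneinfo", "locale", "updated_at"},
    "email": {"email", "email_verified"},
    "address": {"address"},
    "phone": {"phone_number", "phone_number_verified"},
}

# Assumed assertion-attribute -> OIDC-claim mapping for an issuer whose claim
# dialect is known (the WSO2 IS local/federated case); sample values only.
KNOWN_ATTR_TO_CLAIM = {
    "http://wso2.org/claims/emailaddress": "email",
    "http://wso2.org/claims/givenname": "given_name",
    "http://wso2.org/claims/lastname": "family_name",
    "http://wso2.org/claims/mobile": "phone_number",
}

# In-memory stand-in for the token -> claims cache the userinfo endpoint reads.
USERINFO_CACHE = {}

def allowed_claims(scopes):
    """Union of the claims the requested scopes permit; 'sub' is always allowed."""
    allowed = {"sub"}
    for scope in scopes:
        allowed |= SCOPE_CLAIMS.get(scope, set())
    return allowed

def build_id_token_claims(access_token, subject, assertion_attrs, scopes, attr_to_claim):
    """Map assertion attributes to OIDC claims, keep only those in scope, and cache
    the result against the access token so userinfo can serve it later.
    Attributes with no known claim name (the third-party IdP case, where scope
    filtering cannot be applied) are returned separately, not put in the token."""
    allowed = allowed_claims(scopes)
    claims, unmapped = {"sub": subject}, []
    for attr, value in assertion_attrs.items():
        claim = attr_to_claim.get(attr)
        if claim is None:
            unmapped.append(attr)
        elif claim in allowed:
            claims[claim] = value
    USERINFO_CACHE[access_token] = claims
    return claims, unmapped

def userinfo(access_token):
    """Claims the userinfo endpoint returns for a token issued above (None if unknown)."""
    return USERINFO_CACHE.get(access_token)
```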
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
