Also if the discovery endpoint is secured with the authorization valve then cross tenant restriction is enforced at the valve itself. That is, if the authenticating user's tenant domain is not matching with the resource's tenant domain, unless we have enabled cross tenant access in the valve it must throw an error.

@Hasanthi: Is the valve enabled for cross tenant access by default? Can you check how it is able to pass the valve and go?

Regards,
Johann.

On Tue, Sep 19, 2017 at 10:17 AM, Maduranga Siriwardena <[email protected]> wrote:
> Hi Hasanthi,
>
> To start discovery of OpenID endpoints, the End-User supplies an Identifier to the Relying Party. The RP applies normalization rules to the Identifier to determine the Resource and Host. One form of resource is the "userinfo@host" format. If the resource is in this format, the RP needs to prefix acct: to the identifier string as the scheme (see the normalization steps in [1]). So in our samples "admin@localhost" says userinfo is "admin" and host is "localhost".
>
> The specification clearly explains the formats of the resource value, so we can't just use the tenant domain as a resource.
>
> I think we need to validate the username also before sending the response.
>
> [1] https://openid.net/specs/openid-connect-discovery-1_0.html#NormalizationSteps
>
> On Tue, Sep 19, 2017 at 9:24 AM, Hasanthi Purnima Dissanayake <[email protected]> wrote:
>> Also, why do we append "acct:" in front of the user name here? I think we need to mention all those things in the documentation as well.
>>
>> Thanks
>>
>> Hasanthi Dissanayake
>> Software Engineer | WSO2
>> E: [email protected]
>> M: 0718407133 | http://wso2.com
>>
>> On Mon, Sep 18, 2017 at 11:16 PM, Gayan Gunawardana <[email protected]> wrote:
>>> On Mon, Sep 18, 2017 at 10:58 PM, Hasanthi Purnima Dissanayake <[email protected]> wrote:
>>>> Hi All,
>>>> I need to clarify a few points on OIDC discovery with WSO2 IS 5.3.0. If we consider a sample request to webfinger as below:
>>>>
>>>> Super tenant:
>>>> curl -v -k --user admin:admin https://localhost:9443/.well-known/webfinger?resource='acct:admin@localhost&rel=http://openid.net/specs/connect/1.0/issuer'
>>>>
>>>> Other tenants:
>>>> curl -v -k --user admin:admin https://localhost:9443/.well-known/webfinger?resource='acct:hasanthi%40wso2.com@localhost&rel=http://openid.net/specs/connect/1.0/issuer'
>>>>
>>> Why do we use super tenant credentials for authentication in the tenanted case?
>>>
>>>> Here if we consider the tenant case, even if there is no user 'hasanthi' present in the tenant domain 'wso2.com' it returns a successful result.
>>>>
>>>> The spec explains the resource as below:
>>>> resource: Identifier for the target End-User that is the subject of the discovery request.
>>>>
>>>> As this endpoint can be used publicly, maybe we are not validating the user as it exposes too much data to the outside. So we may only validate the user here. But I am wondering why we don't just use the tenant domain as the resource name here without using a dummy user name which has no value. Is there any reason for that?
>>>>
>>>> Also, can someone please explain why we need to append @localhost at the end of the resource name. I think we should explain the reason for this in our docs as well.
>>>>
>>>> Thanks,
>>>>
>>>> Hasanthi Dissanayake
>>>> Software Engineer | WSO2
>>>> E: [email protected]
>>>> M: 0718407133 | http://wso2.com
>>>
>>> --
>>> Gayan Gunawardana
>>> Senior Software Engineer; WSO2 Inc.; http://wso2.com/
>>> Email: [email protected]
>>> Mobile: +94 (71) 8020933
>
> --
> Maduranga Siriwardena
> Senior Software Engineer
> WSO2 Inc; http://wso2.com/
> Email: [email protected]
> Mobile: +94718990591
> Blog: https://madurangasiriwardena.wordpress.com/

--
Thanks & Regards,
Johann Dilantha Nallathamby
Senior Lead Solutions Engineer
WSO2, Inc.
lean.enterprise.middleware
Mobile - +94777776950
Blog - http://nallaa.wordpress.com
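Added example (not code from this thread or from WSO2 Identity Server): a Python sketch of the normalization steps from [1] applied to the thread's sample identifiers, plus the two server-side checks argued for above, the cross-tenant restriction (the valve's job) and the "does the subject exist" check (Maduranga's point). The super-tenant name "carbon.super", the "user@tenant" qualified-name convention and the user directory are assumptions constructed for the example.

```python
import re
from urllib.parse import unquote, urlsplit

SUPER_TENANT = "carbon.super"  # assumed name of the super tenant (placeholder)
ACCT = "acct:"
# A scheme prefix, but not "host:port" (digits after the colon), which is an https URL.
_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:(?!\d+(?:/|$))")


def normalize(identifier):
    """Discovery normalization: choose the scheme, drop the fragment, extract the host."""
    ident = identifier.strip().split("#", 1)[0]
    if _SCHEME.match(ident):
        resource = ident                               # already a URI, used as is
    elif "@" in ident and not re.search(r"[:/]", ident.rsplit("@", 1)[1]):
        resource = ACCT + ident                        # "userinfo@host" form: an acct: URI
    else:
        resource = "https://" + ident                  # anything else is an https URL
    if resource.startswith(ACCT):
        host = resource.rsplit("@", 1)[1]
    else:
        host = urlsplit(resource).hostname or ""
    return resource, host


def tenant_of(username):
    """Assumed WSO2-style qualified names: 'user@tenant.domain'; no suffix means the super tenant."""
    return username.split("@", 1)[1] if "@" in username else SUPER_TENANT


def subject_of(resource):
    """Split an acct: resource into (local user name, tenant domain), decoding %40 in the userinfo."""
    if not resource.startswith(ACCT):
        return None, None
    userinfo = unquote(resource[len(ACCT):].rsplit("@", 1)[0])
    return userinfo.split("@", 1)[0], tenant_of(userinfo)


def check_request(auth_user, resource, user_directory, allow_cross_tenant=False):
    """Enforce the tenant boundary first, then confirm the subject exists in that tenant."""
    user, tenant = subject_of(resource)
    if user is None:
        return "unsupported-resource"
    if not allow_cross_tenant and tenant_of(auth_user) != tenant:
        return "cross-tenant-denied"               # super-tenant creds must not read a tenant's data
    if user not in user_directory.get(tenant, set()):
        return "unknown-user"                      # no 'hasanthi' in wso2.com: do not answer 200
    return "ok"


# Constructed sample directory: only these users exist per tenant.
USERS = {SUPER_TENANT: {"admin"}, "wso2.com": {"admin"}}
```

With this directory the thread's second curl request, authenticated as the super-tenant admin, is refused at the tenant check, and even a wso2.com admin gets "unknown-user" for the non-existent subject.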
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
