On Friday, February 9, 2018, Vihanga Liyanage <viha...@wso2.com> wrote:

> [- Engineering, Strategy]
> [+ Architecture, Dev]
>
> Thanks,
> Vihanga
>
> On Fri, Feb 9, 2018 at 8:56 AM, Vihanga Liyanage <viha...@wso2.com> wrote:
>
>> Hi Farasath,
>>
>> For the above two points IMO it would be better to provide an option at
>>> Service Provider OAuth/OIDC configuration. This will be similar to what we
>>> have done for SAML.
>>>
>>
>> That is the initial idea came to me as well. But shouldn't the clients
>> have a choice of deciding that as well? May be through a request parameter.
>> To use either JWS or JWE, the client have to support them right?
>>
>
By enabling the option to encrypt id_token in the service provider configs
the client is acknowledging that it can support encrypted id_tokens.

AFAIK even for JWE we need to first sign and then encrypt. Also I couldn't
find any reference on a standard approach to allow clients to switch
between JWS and JWE via a request parameter.

If we take a look at how we handle this is SAML, we have an option in the
SAML configs to say whether the assertion needs to be encrypted or not.
Once the option to encrypt assertion is enabled SAML assertions will always
be encrypted for the particular service provider (ie. There is no
requirement to switch between signed or encrypted assertions)

IMO we can follow the same approach. WDYT?


>>> On a separate note, any specific reason why we are discussing this in
>>> strategy and not in Dev and architecture mailing lists?
>>>
>>> I feel that we need to discuss this feature in architecture mailing list
>>> to get the input from community.
>>>
>>
>> No such specific reason at all. On the previous project I did, the mail
>> was asked to sent to engineering and strategy. So I followed the same
>> protocol. I'll change that now.
>>
>>>
>>>
>>>>
>>>> Thanks,
>>>> Vihanga.
>>>>
>>>> --
>>>>
>>>> Vihanga Liyanage
>>>>
>>>> Software Engineer | WS*O₂* Inc.
>>>>
>>>> M : +*94710124103* | http://wso2.com
>>>>
>>>> [image: http://wso2.com/signature] <http://wso2.com/signature>
>>>>
>>>>
>>>> <https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail&utm_term=icon>
>>>>  Virus-free.
>>>> www.avast.com
>>>> <https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail&utm_term=link>
>>>> <#m_-4836321406318245336_m_-5520087002137875506_m_-4545884336410447238_m_6821664179648888237_DAB4FAD8-2DD7-40BB-A1B8-4E2AA1F9FDF2>
>>>>
>>>> --
>>>> You received this message because you are subscribed to the Google
>>>> Groups "WSO2 Engineering Group" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>> an email to engineering-group+unsubscr...@wso2.com.
>>>> For more options, visit https://groups.google.com/a/wso2.com/d/optout.
>>>>
>>>
>>>
>>> --
>>> Farasath Ahamed
>>> Senior Software Engineer, WSO2 Inc.; http://wso2.com
>>> Mobile: +94777603866
>>> Blog: blog.farazath.com
>>> Twitter: @farazath619 <https://twitter.com/farazath619>
>>> <http://wso2.com/signature>
>>>
>>>
>>>
>>>
>>>
>>
>>
>> --
>>
>> Vihanga Liyanage
>>
>> Software Engineer | WS*O₂* Inc.
>>
>> M : +*94710124103* | http://wso2.com
>>
>> [image: http://wso2.com/signature] <http://wso2.com/signature>
>>
>
>
>
> --
>
> Vihanga Liyanage
>
> Software Engineer | WS*O₂* Inc.
>
> M : +*94710124103* | http://wso2.com
>
> [image: http://wso2.com/signature] <http://wso2.com/signature>
>


-- 
Farasath Ahamed
Senior Software Engineer, WSO2 Inc.; http://wso2.com
Mobile: +94777603866
Blog: blog.farazath.com
Twitter: @farazath619 <https://twitter.com/farazath619>
<http://wso2.com/signature>
_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev

Reply via email to