Yes, Farasath. As for the offline discussions with Drashana, I came to the same conclusion and am exploring the SAML sample app right now.
Although I'm not sure about signing JWE. I couldn't find anything specific about that in the RFC. Also, the API in Nimbus only expects the claims set and the public key of the client to create and encrypt a JWE. Please do let me know if you find something else.

On Fri, Feb 9, 2018 at 4:34 PM, Farasath Ahamed <farasa...@wso2.com> wrote:
>
> On Friday, February 9, 2018, Vihanga Liyanage <viha...@wso2.com> wrote:
>
>> [- Engineering, Strategy]
>> [+ Architecture, Dev]
>>
>> Thanks,
>> Vihanga
>>
>> On Fri, Feb 9, 2018 at 8:56 AM, Vihanga Liyanage <viha...@wso2.com> wrote:
>>
>>> Hi Farasath,
>>>
>>>> For the above two points IMO it would be better to provide an option at
>>>> Service Provider OAuth/OIDC configuration. This will be similar to what we
>>>> have done for SAML.
>>>
>>> That is the initial idea that came to me as well. But shouldn't the clients
>>> have a choice of deciding that as well? Maybe through a request parameter.
>>> To use either JWS or JWE, the client has to support them, right?
>>
> By enabling the option to encrypt id_token in the service provider configs
> the client is acknowledging that it can support encrypted id_tokens.
>
> AFAIK even for JWE we need to first sign and then encrypt. Also I couldn't
> find any reference on a standard approach to allow clients to switch
> between JWS and JWE via a request parameter.
>
> If we take a look at how we handle this in SAML, we have an option in the
> SAML configs to say whether the assertion needs to be encrypted or not.
> Once the option to encrypt assertions is enabled, SAML assertions will always
> be encrypted for the particular service provider (i.e. there is no
> requirement to switch between signed or encrypted assertions).
>
> IMO we can follow the same approach. WDYT?
>
>>>> On a separate note, any specific reason why we are discussing this in
>>>> strategy and not in the Dev and architecture mailing lists?
>>>>
>>>> I feel that we need to discuss this feature in the architecture mailing
>>>> list to get input from the community.
>>>
>>> No such specific reason at all. On the previous project I did, the mail
>>> was asked to be sent to engineering and strategy. So I followed the same
>>> protocol. I'll change that now.
>>>
>>>>> Thanks,
>>>>> Vihanga.
>>>>
>>>> --
>>>> Farasath Ahamed
>>>> Senior Software Engineer, WSO2 Inc.; http://wso2.com
>>>> Mobile: +94777603866
>>>> Blog: blog.farazath.com
>>>> Twitter: @farazath619 <https://twitter.com/farazath619>

--
Vihanga Liyanage
Software Engineer | WSO2 Inc.
M : +94710124103 | http://wso2.com
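Worked example of the sign-then-encrypt (nested JWT) id_token that Farasath describes above, added here as an illustration; it is not code from this thread or from WSO2 Identity Server. OpenID Connect Core 1.0 section 10.2 requires that an ID Token which is both signed and encrypted be signed first and then encrypted, producing a Nested JWT in the sense of RFC 7519 section 5.2, which is signalled by the "cty":"JWT" header. In Nimbus the claims-set-plus-public-key API is EncryptedJWT, which yields an encrypt-only token; for the nested form you build a SignedJWT first and pass it as the Payload of a JWEObject. The issuer URL, subject, client id, nonce and key IDs below are made-up values, and both RSA key pairs are generated in-process so the class runs stand-alone (in a real deployment the IdP signs with its keystore key and encrypts to the client's registered public key, e.g. from its jwks_uri).

```java
import com.nimbusds.jose.EncryptionMethod;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWEAlgorithm;
import com.nimbusds.jose.JWEHeader;
import com.nimbusds.jose.JWEObject;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.Payload;
import com.nimbusds.jose.crypto.RSADecrypter;
import com.nimbusds.jose.crypto.RSAEncrypter;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;

import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.text.ParseException;
import java.util.Date;

/**
 * Nested JWT id_token (JWS inside JWE) with Nimbus JOSE+JWT.
 * Illustration for the mailing-list thread, not WSO2 IS code. All names,
 * URLs and claim values are made up; keys are generated in main().
 */
public class NestedIdTokenExample {

    /** IdP side: build claims, sign with the IdP key (RS256), then encrypt to the client's public key. */
    static String issueEncryptedIdToken(RSAPrivateKey idpSigningKey, String idpKid,
                                        RSAPublicKey clientEncryptionKey, String clientId)
            throws JOSEException {
        Date now = new Date();
        JWTClaimsSet claims = new JWTClaimsSet.Builder()
                .issuer("https://localhost:9443/oauth2/token")   // hypothetical issuer
                .subject("admin")                                // hypothetical subject
                .audience(clientId)
                .issueTime(now)
                .expirationTime(new Date(now.getTime() + 5 * 60 * 1000))
                .claim("nonce", "n-0S6_WzA2Mj")                  // constructed nonce
                .build();

        // Step 1: JWS over the claims with the IdP's private key.
        SignedJWT signedJWT = new SignedJWT(
                new JWSHeader.Builder(JWSAlgorithm.RS256).keyID(idpKid).build(), claims);
        signedJWT.sign(new RSASSASigner(idpSigningKey));

        // Step 2: the compact JWS becomes the JWE payload; cty=JWT marks it as a nested JWT (RFC 7519 s5.2).
        JWEHeader jweHeader = new JWEHeader.Builder(JWEAlgorithm.RSA_OAEP_256, EncryptionMethod.A256GCM)
                .contentType("JWT")
                .build();
        JWEObject jwe = new JWEObject(jweHeader, new Payload(signedJWT));
        jwe.encrypt(new RSAEncrypter(clientEncryptionKey));
        return jwe.serialize();
    }

    /** Client side: decrypt with its own private key, then verify the inner JWS and basic claims. */
    static JWTClaimsSet consumeEncryptedIdToken(String token, RSAPrivateKey clientDecryptionKey,
                                                RSAPublicKey idpVerificationKey, String expectedClientId)
            throws ParseException, JOSEException {
        JWEObject jwe = JWEObject.parse(token);
        jwe.decrypt(new RSADecrypter(clientDecryptionKey));

        // Refuse an encrypt-only token: without the inner signature the issuer is not authenticated.
        if (!"JWT".equalsIgnoreCase(jwe.getHeader().getContentType())) {
            throw new JOSEException("Expected a nested JWT (cty=JWT), refusing unsigned payload");
        }
        SignedJWT inner = jwe.getPayload().toSignedJWT();
        if (inner == null || !inner.verify(new RSASSAVerifier(idpVerificationKey))) {
            throw new JOSEException("Inner JWS signature invalid");
        }
        JWTClaimsSet claims = inner.getJWTClaimsSet();
        if (!claims.getAudience().contains(expectedClientId)
                || claims.getExpirationTime() == null
                || claims.getExpirationTime().before(new Date())) {
            throw new JOSEException("aud/exp check failed");
        }
        return claims;
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair idpKeys = gen.generateKeyPair();     // stands in for the IdP keystore key
        KeyPair clientKeys = gen.generateKeyPair();  // stands in for the client's registered key

        String token = issueEncryptedIdToken(
                (RSAPrivateKey) idpKeys.getPrivate(), "idp-signing-key-1",
                (RSAPublicKey) clientKeys.getPublic(), "sample-client-id");
        System.out.println("Encrypted id_token: " + token);

        JWTClaimsSet claims = consumeEncryptedIdToken(token,
                (RSAPrivateKey) clientKeys.getPrivate(),
                (RSAPublicKey) idpKeys.getPublic(), "sample-client-id");
        System.out.println("Verified subject: " + claims.getSubject());
    }
}
```

Compile and run with nimbus-jose-jwt on the classpath. Two points worth noting from the verifier side: the client only trusts a token whose decrypted payload is a signed JWT it can verify, so an encrypt-only JWE cannot be substituted for a nested one; and A256GCM needs 256-bit AES, which on Java 8 builds older than 8u161 requires the unlimited-strength JCE policy files.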
_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev