Hi Devs,

Also, what about the value of the "realm" claim when the user is a federated
one?

Regards,
Farasath

On Fri, Apr 5, 2019 at 9:32 AM Hasini Witharana <hasi...@wso2.com> wrote:

> Hi Ruwan/Sathya,
>
> There are some standard claims defined in the OIDC specification[1], none
> of them can be used instead of "realm", "tenant_domain".
> However, the spec also says that it is okay to add any other claims to
> id_token[2].
>
> [1] - https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims
> [2] - https://openid.net/specs/openid-connect-core-1_0.html#IDToken
>
> Thank You.
> Hasini
>
> On Fri, Apr 5, 2019 at 6:30 AM Ruwan Abeykoon <ruw...@wso2.com> wrote:
>
>> Hi Sathya,
>> I do not see any issue adding the info-set to the id-token, as
>> conceptually it carries more information about the user's identity.
>> Did we check whether there are any standard claims in the id token we could
>> use instead of "realm", "tenant_domain", etc.?
>>
>> Cheers,
>> Ruwan A
>>
>> On Thu, Apr 4, 2019 at 11:43 PM Sathya Bandara <sat...@wso2.com> wrote:
>>
>>> Hi all,
>>>
>>> In the OIDC logout flow, we send the ID token as the user identification
>>> method, similar to the following request:
>>>
>>> https://localhost:9443/oidc/logout?id_token_hint=<id_token>&post_logout_redirect_uri=http://localhost:8080/playground2/oauth2client&state=1
>>>
>>> When validating the ID token, we try to get the tenant domain from the
>>> subject claim of the id token hint [1] in the default flow. This will only
>>> work if 'Append tenant domain to subject identifier' is selected in
>>> the SP configuration. In other scenarios it fails with the error
>>> "access_denied ID token signature validation failed." This is because, if the
>>> subject does not contain the tenant domain, we try to validate the id token
>>> with the super tenant's keystore. Further, this fails when the subject identifier is
>>> set as the email claim and the email contains a different domain, such as
>>> sat...@wso2.com <sat...@gmail.com>
>>>
>>> We have a config in identity.xml ('SignJWTWithSPKey') to enable/disable
>>> signing the ID token with the SP's keystore. As this configuration is disabled by
>>> default, the ID token will be signed and validated using the user's tenant domain,
>>> leading to the above issue.
>>>
>>> As a possible solution, we have decided to include the user's tenant domain
>>> and userstore domain as claims in the id token generated by IS. This can be
>>> disabled by a config; however, in the default pack it will be enabled by
>>> default. A sample id token will be as follows.
>>>
>>> {
>>>   "at_hash": "Bi9jGB-EIZ94gVzHZv5trQ",
>>>   "aud": "b3F9IGMtm0aKGlHfG4BnI2Ypi7Qa",
>>>   "sub": "sathya",
>>>   "realm": {
>>>     "tenant_domain": "wso2.com",
>>>     "userstore_domain": "PRIMARY"
>>>   },
>>>   "iss": "https://localhost:9443/oauth2/token",
>>>   "exp": 1554367465,
>>>   "iat": 1554363865
>>> }
>>>
>>> Also, the 'SignJWTWithSPKey' property will be enabled by default in the
>>> product, honoring the service provider's tenant domain when obtaining keys for
>>> signing and validating id tokens.
>>>
>>> Highly appreciate your suggestions and concerns on this.
>>>
>>> [1]
>>> https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oidc.session/src/main/java/org/wso2/carbon/identity/oidc/session/servlet/OIDCLogoutServlet.java#L331
>>> Thanks,
>>> Sathya
>>> --
>>> Sathya Bandara
>>> Senior Software Engineer
>>> Blog: https://medium.com/@technospace
>>> WSO2 Inc. http://wso2.com
>>> Mobile: (+94) 715 360 421
>>>
>>>
>>
>>
>> --
>>
>> Ruwan Abeykoon
>> Associate Director/Architect,
>> WSO2, Inc. http://wso2.com
>> lean.enterprise.middleware.
>>
>> _______________________________________________
>> Dev mailing list
>> Dev@wso2.org
>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>
>
>
> --
> Hasini Witharana | Software Engineer | WSO2 Inc
> (m) 0766435725 | (w) 0713850143 | (e) hasi...@wso2.com
>
>


-- 
Farasath Ahamed
Senior Software Engineer, WSO2 Inc.; http://wso2.com
Mobile: +94777603866
Blog: https://farasath.blogspot.com / https://medium.com/@farasath
Twitter: @farazath619
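To make the key-selection problem discussed in the thread concrete, the following is an added example in Python; it is not WSO2 Identity Server code and is not taken from any message above. Assumptions that are mine, not the thread's: per-tenant HMAC secrets stand in for per-tenant keystores (so the tokens are HS256 rather than the RS256 tokens IS issues), the super tenant is named "carbon.super", the default-flow rule is "tenant = whatever follows the last '@' in sub, else the super tenant", and a tenant with no keystore is rejected outright. All function and variable names are hypothetical.

```python
"""Added example: selecting the tenant key for an id_token_hint before
signature validation, with and without the proposed realm claim.
Not WSO2 IS code; HS256 per-tenant secrets stand in for tenant keystores."""
import base64
import hashlib
import hmac
import json
import time

SUPER_TENANT = "carbon.super"  # assumed super tenant name

# Constructed per-tenant signing secrets (stand-ins for per-tenant keystores).
TENANT_KEYS = {
    SUPER_TENANT: b"super-tenant-secret",
    "wso2.com": b"wso2-tenant-secret",
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_id_token(claims: dict, tenant: str) -> str:
    """Sign claims with the keystore of `tenant` (HS256 stand-in for RS256)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(TENANT_KEYS[tenant], signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def issue_id_token(sub: str, tenant: str, include_realm: bool) -> str:
    """Issue a token for a user of `tenant`, with or without the realm claim."""
    now = int(time.time())
    claims = {
        "iss": "https://localhost:9443/oauth2/token",
        "aud": "b3F9IGMtm0aKGlHfG4BnI2Ypi7Qa",
        "sub": sub,
        "iat": now,
        "exp": now + 3600,
    }
    if include_realm:
        claims["realm"] = {"tenant_domain": tenant, "userstore_domain": "PRIMARY"}
    return sign_id_token(claims, tenant)

def resolve_tenant_from_sub(sub: str) -> str:
    """Default flow from the thread: the tenant is the part after the last '@'
    in sub, otherwise the super tenant. An email-shaped sub is misread as a tenant."""
    if "@" in sub:
        return sub.rsplit("@", 1)[1]
    return SUPER_TENANT

def resolve_tenant(claims: dict) -> str:
    """Prefer realm.tenant_domain; fall back to the sub-based heuristic."""
    realm = claims.get("realm")
    if isinstance(realm, dict) and realm.get("tenant_domain"):
        return realm["tenant_domain"]
    return resolve_tenant_from_sub(claims.get("sub", ""))

def validate_id_token_hint(token: str) -> dict:
    """Pick the tenant key from the not-yet-verified claims, then verify.
    Returns the claims, or raises ValueError with an access_denied reason."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(payload_b64))  # unverified: only used to pick the key
    tenant = resolve_tenant(claims)
    key = TENANT_KEYS.get(tenant)
    if key is None:
        raise ValueError(f"access_denied: no keystore for tenant {tenant!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("access_denied: ID token signature validation failed")
    if claims.get("exp", 0) < time.time():
        raise ValueError("access_denied: ID token expired")
    return claims

def demo() -> dict:
    """Three id_token_hints for a wso2.com user, validated with the logic above."""
    cases = {
        "plain_sub": issue_id_token("sathya", "wso2.com", include_realm=False),
        "email_sub": issue_id_token("sathya@gmail.com", "wso2.com", include_realm=False),
        "with_realm": issue_id_token("sathya@gmail.com", "wso2.com", include_realm=True),
    }
    results = {}
    for name, token in cases.items():
        try:
            validate_id_token_hint(token)
            results[name] = "ok"
        except ValueError as err:
            results[name] = str(err)
    return results

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The three cases reproduce the thread's failure modes: a bare "sathya" subject resolves to the super tenant, whose key cannot verify a token signed for wso2.com; an email-shaped subject resolves to "gmail.com", which owns no keystore; only the token carrying "realm.tenant_domain" selects the right key. One caveat worth keeping in mind when adopting this design: the realm claim is read before the signature is checked, so it must only ever choose among the server's own trusted keys and never be trusted on its own; the signature check is what binds the claim to the issuing tenant, and a realm naming an unknown tenant should be rejected rather than silently falling back to another keystore.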
