Hi Farasath,

For federated users, we are setting the SP's tenant domain as the user tenant domain. However, the userstore domain will be null. Therefore we can pass only the tenant domain in the realm. WDYT?
On Fri, Apr 5, 2019 at 9:36 AM Farasath Ahamed <[email protected]> wrote:

> Hi Devs,
>
> Also, what about the value of the "realm" claim when the user is a federated one?
>
> Regards,
> Farasath
>
> On Fri, Apr 5, 2019 at 9:32 AM Hasini Witharana <[email protected]> wrote:
>
>> Hi Ruwan/Sathya,
>>
>> There are some standard claims defined in the OIDC specification [1]; none of them can be used instead of "realm" or "tenant_domain".
>> However, the spec also says that it is okay to add any other claims to the id_token [2].
>>
>> [1] - https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims
>> [2] - https://openid.net/specs/openid-connect-core-1_0.html#IDToken
>>
>> Thank you.
>> Hasini
>>
>> On Fri, Apr 5, 2019 at 6:30 AM Ruwan Abeykoon <[email protected]> wrote:
>>
>>> Hi Sathya,
>>> I do not see any issue adding the info-set to the id-token, as conceptually it carries more information about the user's identity.
>>> Did we check if there are any standard claims in the id token we could use instead of "realm", "tenant_domain", etc.?
>>>
>>> Cheers,
>>> Ruwan A
>>>
>>> On Thu, Apr 4, 2019 at 11:43 PM Sathya Bandara <[email protected]> wrote:
>>>
>>>> Hi all,
>>>>
>>>> In the OIDC logout flow, we send the ID token as a user identification method, similar to the following request.
>>>>
>>>> https://localhost:9443/oidc/logout?id_token_hint=<id_token>&post_logout_redirect_uri=http://localhost:8080/playground2/oauth2client&state=1
>>>>
>>>> When validating the ID token, we are trying to get the tenant domain from the subject claim of the id_token_hint [1] in the default flow. This will only work if 'append tenant domain to subject identifier' is selected in the SP configuration. In other scenarios it fails with the error "access_denied ID token signature validation failed." This is because, if the subject does not contain the tenant domain, we try to validate the id token with the super tenant's keystore. Further, this fails when the subject identifier is set as the email claim and the email contains a different domain, such as [email protected].
>>>>
>>>> We have a config in identity.xml to enable/disable signing the ID token with the SP's keystore ('SignJWTWithSPKey'). As this configuration is disabled by default, the ID token will be signed and validated using the user's tenant domain, leading to the above issue.
>>>>
>>>> As a possible solution, we have decided to include the user tenant domain and userstore domain as claims in the id token generated by IS. This can be disabled by a config; however, in the default pack it will be enabled by default. A sample id token will be as follows.
>>>>
>>>> {
>>>>   "at_hash": "Bi9jGB-EIZ94gVzHZv5trQ",
>>>>   "aud": "b3F9IGMtm0aKGlHfG4BnI2Ypi7Qa",
>>>>   "sub": "sathya",
>>>>   "realm": {
>>>>     "tenant_domain": "wso2.com",
>>>>     "userstore_domain": "PRIMARY"
>>>>   },
>>>>   "iss": "https://localhost:9443/oauth2/token",
>>>>   "exp": 1554367465,
>>>>   "iat": 1554363865
>>>> }
>>>>
>>>> Also, the 'SignJWTWithSPKey' property will be enabled by default in the product, honoring the service provider's tenant domain when obtaining keys for signing and validating id tokens.
>>>>
>>>> Highly appreciate your suggestions and concerns on this.
>>>>
>>>> [1] https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oidc.session/src/main/java/org/wso2/carbon/identity/oidc/session/servlet/OIDCLogoutServlet.java#L331
>>>>
>>>> Thanks,
>>>> Sathya
>>>> --
>>>> Sathya Bandara
>>>> Senior Software Engineer
>>>> Blog: https://medium.com/@technospace
>>>> WSO2 Inc. http://wso2.com
>>>> Mobile: (+94) 715 360 421
>>>
>>> --
>>> Ruwan Abeykoon
>>> Associate Director/Architect, WSO2, Inc. http://wso2.com
>>> lean.enterprise.middleware.
>>>
>>> _______________________________________________
>>> Dev mailing list
>>> [email protected]
>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>
>> --
>> Hasini Witharana | Software Engineer | WSO2 Inc <https://wso2.com/>
>> (m) 0766435725 | (w) 0713850143 | (e) [email protected]
>
> --
> Farasath Ahamed
> Senior Software Engineer, WSO2 Inc.; http://wso2.com
> Mobile: +94777603866
> Blog: https://farasath.blogspot.com / https://medium.com/@farasath
> Twitter: @farazath619 <https://twitter.com/farazath619>

--
Sathya Bandara
Senior Software Engineer
Blog: https://medium.com/@technospace
WSO2 Inc. http://wso2.com
Mobile: (+94) 715 360 421
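As an added example that is not part of this thread and not WSO2 IS's own code, the Python sketch below reproduces the key-selection problem Sathya describes (an id_token_hint whose subject is an email address in a foreign domain is validated against the wrong keystore) and shows how the proposed `realm.tenant_domain` claim fixes it, including the federated case from the top of the thread where `userstore_domain` is absent. It assumes a dictionary of per-tenant HMAC keys standing in for the tenant keystores (the product signs with RS256 and a keystore; HMAC only keeps the example dependency-free), a constructed subject `sathya@example.org`, and hypothetical helper names (`resolve_tenant`, `validate_id_token_hint`); none of this is the OIDCLogoutServlet implementation.

```python
import base64
import hashlib
import hmac
import json

SUPER_TENANT = "carbon.super"

# Constructed per-tenant signing keys (assumption): they stand in for the
# per-tenant keystores. WSO2 IS signs ID tokens with RS256 and a keystore;
# HMAC is used here only to keep the example dependency-free.
TENANT_KEYS = {
    SUPER_TENANT: b"constructed-super-tenant-key",
    "wso2.com": b"constructed-wso2.com-tenant-key",
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_id_token(claims: dict, tenant_domain: str) -> str:
    """Issue a compact JWS for `claims` signed with the given tenant's key."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(TENANT_KEYS[tenant_domain], signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def unverified_claims(token: str) -> dict:
    """Read the payload without checking the signature; used only to pick a key."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def resolve_tenant(claims: dict, tenant_qualified_subject: bool) -> str:
    """Decide which tenant keystore to validate against (hypothetical helper).

    Preference order: the `realm.tenant_domain` claim proposed in the thread;
    then the '@tenant' suffix of `sub`, which is only meaningful when the SP
    appends the tenant domain to the subject identifier; then the super tenant,
    which is the default-flow fallback the thread identifies as the cause of
    "ID token signature validation failed".
    """
    realm = claims.get("realm")
    if isinstance(realm, dict) and realm.get("tenant_domain"):
        return realm["tenant_domain"]
    sub = claims.get("sub", "")
    if tenant_qualified_subject and "@" in sub:
        return sub.rsplit("@", 1)[1]
    return SUPER_TENANT


def validate_id_token_hint(token: str, tenant_qualified_subject: bool = False):
    """Return (signature_ok, tenant_used) for an id_token_hint."""
    header, payload, sig = token.split(".")
    tenant = resolve_tenant(unverified_claims(token), tenant_qualified_subject)
    key = TENANT_KEYS.get(tenant)
    if key is None:  # no keystore for that tenant, e.g. the domain of an email subject
        return False, tenant
    expected = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(expected, _b64url_decode(sig)), tenant


BASE_CLAIMS = {
    "aud": "b3F9IGMtm0aKGlHfG4BnI2Ypi7Qa",
    "iss": "https://localhost:9443/oauth2/token",
    "exp": 1554367465,
    "iat": 1554363865,
}

# Case 1 (constructed): email subject, no realm claim. Whether the '@' suffix is
# trusted or not, tenant resolution never lands on wso2.com, so validation fails.
EMAIL_SUB_TOKEN = sign_id_token({**BASE_CLAIMS, "sub": "sathya@example.org"}, "wso2.com")

# Case 2 (constructed): same subject plus the proposed realm claim; the right keystore is found.
REALM_TOKEN = sign_id_token(
    {**BASE_CLAIMS, "sub": "sathya@example.org",
     "realm": {"tenant_domain": "wso2.com", "userstore_domain": "PRIMARY"}},
    "wso2.com",
)

# Case 3 (constructed): federated user, realm carries only tenant_domain (userstore domain is null).
FEDERATED_TOKEN = sign_id_token(
    {**BASE_CLAIMS, "sub": "sathya", "realm": {"tenant_domain": "wso2.com"}},
    "wso2.com",
)

if __name__ == "__main__":
    for name, tok in [("email sub", EMAIL_SUB_TOKEN), ("realm", REALM_TOKEN), ("federated", FEDERATED_TOKEN)]:
        print(name, validate_id_token_hint(tok, tenant_qualified_subject=True))
```

Note that the realm claim is read from an unverified payload and is used only to choose which key to try; the signature check that follows is what authorises the logout, so a forged `tenant_domain` can at most pick a keystore whose key will then fail to verify the token.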
