On Friday, April 5, 2019, Sathya Bandara <[email protected]> wrote: > Hi Farasath, > > For federated users, we are setting the SP's tenant domain as user tenant > domain. However userstore domain will be null. Therefore we can pass only > the tenant domain in the realm. WDYT? > Ok that seems fine.
How are we planning to handle the case where the id_token builder has been customized? One possible way is to keep the old logic for customized id_token builders and id_tokens without "realm" claim. > > On Fri, Apr 5, 2019 at 9:36 AM Farasath Ahamed <[email protected]> wrote: > >> Hi Devs, >> >> Also what about the value of " *realm*" claim when the user is a >> federated one? >> >> Regards, >> Farasath >> >> On Fri, Apr 5, 2019 at 9:32 AM Hasini Witharana <[email protected]> wrote: >> >>> Hi Ruwan/Sathya, >>> >>> There are some standard claims defined in the OIDC specification[1], >>> none of them can be used instead of "realm", "tenant_domain". >>> However, the spec also says that it is okay to add any other claims to >>> id_token[2]. >>> >>> [1] - https://openid.net/specs/openid-connect-core-1_0.html# >>> StandardClaims >>> [2] - https://openid.net/specs/openid-connect-core-1_0.html#IDToken >>> >>> Thank You. >>> Hasini >>> >>> On Fri, Apr 5, 2019 at 6:30 AM Ruwan Abeykoon <[email protected]> wrote: >>> >>>> Hi Sathya, >>>> I do not see any issue adding the info-set to the id-token, as >>>> conceptually it carries more information about the users identity. >>>> Did we checked if there an standard claims in id token we could use, >>>> instead of "realm", "tenant_domain", etc. >>>> >>>> Cheers, >>>> Ruwan A >>>> >>>> On Thu, Apr 4, 2019 at 11:43 PM Sathya Bandara <[email protected]> wrote: >>>> >>>>> Hi all, >>>>> >>>>> In OIDC logout flow, we send the ID token as a user identification >>>>> method similar to following request. >>>>> >>>>> https://localhost:9443/oidc/logout?id_token_hint=<id_ >>>>> token>&post_logout_redirect_uri=http://localhost:8080/ >>>>> playground2/oauth2client&state=1 >>>>> >>>>> when validating the ID token, we are trying to get tenant domain from >>>>> subject claim of the id token hint [1] in the default flow. This will only >>>>> work if '*append tenant domain to subject identifier'* is selected in >>>>> the SP configuration. In other scenarios it fails with the error >>>>> "access_denied ID token signature validation failed." This is because if >>>>> subject does not contain the tenant domain, we try to validate the id >>>>> token >>>>> with super tenant's keystore. Further this fails when subject identifier >>>>> is >>>>> set as email claim, and email contains a different domain such as >>>>> [email protected] <[email protected]> >>>>> >>>>> We have a config to enable/disable signing ID token with SP's keystore >>>>> identity.xml ('SignJWTWithSPKey'). As this configuration is disabled by >>>>> default, ID token will be signed and validated using user's tenant domain >>>>> leading to above issue. >>>>> >>>>> As a possible solution, we have decided to include user tenant domain >>>>> and userstore domain as claims in the id token generated by IS. This can >>>>> be >>>>> disabled by a config however in the default pack it will be enabled by >>>>> default. Sample id token will be as follows. >>>>> >>>>> { >>>>> "at_hash": "Bi9jGB-EIZ94gVzHZv5trQ", >>>>> "aud": "b3F9IGMtm0aKGlHfG4BnI2Ypi7Qa", >>>>> "sub": "sathya", >>>>> >>>>> >>>>> >>>>> * "realm": { "tenant_domain: "wso2.com <http://wso2.com>", >>>>> "userstore_domain: "PRIMARY" }*, >>>>> "iss": "https://localhost:9443/oauth2/token";, >>>>> "exp": 1554367465, >>>>> "iat": 1554363865, >>>>> } >>>>> >>>>> Also 'SignJWTWithSPKey' property will be enabled by default in the >>>>> product, honoring service provider's tenant domain when obtaining keys for >>>>> signing and validating id tokens. >>>>> >>>>> Highly appreciate your suggestions and concerns on this. >>>>> >>>>> [1] https://github.com/wso2-extensions/identity-inbound- >>>>> auth-oauth/blob/master/components/org.wso2.carbon. >>>>> identity.oidc.session/src/main/java/org/wso2/carbon/ >>>>> identity/oidc/session/servlet/OIDCLogoutServlet.java#L331 >>>>> Thanks, >>>>> Sathya >>>>> -- >>>>> Sathya Bandara >>>>> Senior Software Engineer >>>>> Blog: https://medium.com/@technospace >>>>> WSO2 Inc. http://wso2.com >>>>> Mobile: (+94) 715 360 421 <+94%2071%20411%205032> >>>>> >>>>> <+94%2071%20411%205032> >>>>> >>>> >>>> >>>> -- >>>> >>>> *Ruwan Abeykoon* >>>> *Associate Director/Architect**,* >>>> *WSO2, Inc. http://wso2.com <https://wso2.com/signature> * >>>> *lean.enterprise.middleware.* >>>> >>>> _______________________________________________ >>>> Dev mailing list >>>> [email protected] >>>> http://wso2.org/cgi-bin/mailman/listinfo/dev >>>> >>> >>> >>> -- >>> *Hasini Witharana | **Software Engineer | **WSO2 Inc >>> <https://wso2.com/>* >>> *(m) 0766435725 | (w) 0713850143 | (e) [email protected] >>> <[email protected]>* >>> >>> _______________________________________________ >>> Dev mailing list >>> [email protected] >>> http://wso2.org/cgi-bin/mailman/listinfo/dev >>> >> >> >> -- >> Farasath Ahamed >> Senior Software Engineer, WSO2 Inc.; http://wso2.com >> Mobile: +94777603866 >> Blog: https://farasath.blogspot.com / https://medium.com/@farasath >> Twitter: @farazath619 <https://twitter.com/farazath619> >> <http://wso2.com/signature> >> >> >> >> _______________________________________________ >> Dev mailing list >> [email protected] >> http://wso2.org/cgi-bin/mailman/listinfo/dev >> > > > -- > Sathya Bandara > Senior Software Engineer > Blog: https://medium.com/@technospace > WSO2 Inc. http://wso2.com > Mobile: (+94) 715 360 421 <+94%2071%20411%205032> > > <+94%2071%20411%205032> > -- Farasath Ahamed Senior Software Engineer, WSO2 Inc.; http://wso2.com Mobile: +94777603866 Blog: https://farasath.blogspot.com / https://medium.com/@farasath Twitter: @farazath619 <https://twitter.com/farazath619> <http://wso2.com/signature>
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
