Re: [Architecture] [Microgateway] API Manager JWT Token Revocation Feature
lity) with a near real-time impact, which I think is ideal. For the persistence related issue I think we need to introduce a lightweight persistence layer across the microgateways.

[1] - https://github.com/wso2/product-microgateway/issues/298

On Sat, Feb 9, 2019 at 9:53 PM Fazlan Nazeem wrote:

Hi Sanjeewa,

Irrespective of the method we use to implement this, once we choose a mechanism, we will not be able to refer to the JWT tokens as self-contained, isn't it? Because we will have to depend on an external party to decide the validity of a token.

AFAIU, I think the pub/sub model and push model have a disadvantage if the process running the topic (in the pub/sub model) or the microgateway (in the push model) restarted (unless we repopulate the topic or the mgw memory on each restart with JTIs of unexpired revoked tokens).

With the Pull model, I don't see this issue. The key manager only needs to store the unexpired revoked token information.

I also feel that we need to introduce a config to switch on enabling/disabling this feature so that we can also use the microgateways in the current mode.

On Thu, Feb 7, 2019 at 3:58 PM Sanjeewa Malalgoda <sanje...@wso2.com> wrote:

Hi All,

I'm initiating this mail thread to discuss more about the JWT token revocation feature we are planning to implement for API Manager micro-gateway. In API Manager micro-gateway we support both OAuth access tokens and JWT access tokens.

When we use OAuth access tokens we can revoke them and make it take effect immediately. Since all OAuth tokens get validated with the key manager, revoked tokens will fail validation. When we use JWT tokens we do token validation within the gateway itself without calling the key manager or an external party. Since JWT is a self-contained token we basically trust its content as long as the token has not expired and the signature is valid. Then it will be a problem.

So we will need to have some mechanism to propagate revoked token details to micro-gateways as well. Since self contained token revocation is ineffective (there can be mul
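The push-versus-pull trade-off Fazlan raises above, as an added example that is not part of this thread or of the WSO2 microgateway code: a constructed gateway-side revoked-JTI cache with the enable/disable switch the thread asks for, and a restart simulation showing why a push-model gateway re-accepts a revoked token after a restart while a pull-model gateway does not. The key manager contents, JTIs and timestamps are constructed sample values.

```python
"""Revoked-JTI propagation to a microgateway: push vs pull (constructed demo)."""
from typing import Dict, Optional

# Constructed sample of what the key manager holds: jti -> exp (epoch seconds)
# for revoked tokens. The key manager only keeps entries that are not yet expired.
KEY_MANAGER_REVOKED: Dict[str, int] = {
    "jti-revoked-live": 1_700_000_600,
    "jti-revoked-stale": 1_699_999_900,   # already expired at the demo clock below
}


class RevocationCache:
    """Gateway-local set of revoked JTIs with their expiry.

    `enabled` is the on/off switch the thread asks for; when False the gateway
    behaves as today and trusts any unexpired, correctly signed JWT.
    """

    def __init__(self, enabled: bool = True) -> None:
        self.enabled = enabled
        self._revoked: Dict[str, int] = {}

    def add(self, jti: str, exp: int, now: int) -> None:
        """Push model: the key manager (or a topic) notifies the gateway of one revocation."""
        if exp > now:                      # never keep a JTI that can no longer be used anyway
            self._revoked[jti] = exp

    def pull(self, source: Dict[str, int], now: int) -> int:
        """Pull model: the gateway fetches the full unexpired revoked set and replaces its own."""
        self._revoked = {j: e for j, e in source.items() if e > now}
        return len(self._revoked)

    def purge(self, now: int) -> None:
        """Drop entries whose token has expired; the exp check alone rejects those."""
        self._revoked = {j: e for j, e in self._revoked.items() if e > now}

    def is_revoked(self, jti: str, now: int) -> bool:
        if not self.enabled:
            return False
        exp = self._revoked.get(jti)
        return exp is not None and exp > now


def gateway_decision(claims: dict, cache: RevocationCache, now: int) -> str:
    """Local validation step the gateway runs after signature verification (assumed done).

    Returns "expired", "revoked" or "ok". A token without a jti cannot be matched
    against the cache and so passes the revocation check: issuers must always set one.
    """
    if int(claims.get("exp", 0)) <= now:
        return "expired"
    jti: Optional[str] = claims.get("jti")
    if jti is not None and cache.is_revoked(jti, now):
        return "revoked"
    return "ok"


def simulate_restart(model: str, now: int) -> str:
    """Reproduce the failure mode discussed in the thread.

    A gateway restart empties an in-memory push-model cache and no event is
    replayed, while a pull-model gateway re-fetches the set as its first action.
    Returns the decision for a revoked (still unexpired) token after the restart.
    """
    revoked_token = {"jti": "jti-revoked-live", "exp": 1_700_000_600}
    before = RevocationCache()
    if model == "push":
        before.add("jti-revoked-live", 1_700_000_600, now)
        after = RevocationCache()               # restart: memory gone
    elif model == "pull":
        before.pull(KEY_MANAGER_REVOKED, now)
        after = RevocationCache()
        after.pull(KEY_MANAGER_REVOKED, now)    # restart: pull again on start-up
    else:
        raise ValueError(model)
    assert gateway_decision(revoked_token, before, now) == "revoked"
    return gateway_decision(revoked_token, after, now)
```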
Re: [Architecture] Cloud Tenant deletion caching issue
On Fri, Sep 5, 2014 at 8:00 PM, Nirmal Fernando <nir...@wso2.com> wrote:

Can't we use a tenant event listener and remove the entry from the map on a tenant deletion event?

On Fri, Sep 5, 2014 at 7:50 PM, Godwin Amila Shrimal <god...@wso2.com> wrote:

Hi,

We are working on the tenant deletion implementation. Once we perform the current tenant deletion operation in *TenantMgtAdminService* it deletes registry, user store etc. data. But it doesn't allow creating a tenant again with the same tenant domain name until the server is restarted.

The reason for the above situation is that the tenant domain and id are kept in a map (*tenantDomainIdMap*) inside the *JDBCTenantManager*. When performing the delete operation it checks the availability from this map.

As per the discussion we can see the following solutions for this.

*Solution1*
Check the tenant availability from the database, not from in-memory data, but this will be costly if it is a frequently performed operation.

*Solution2*
We can give public access to delete the particular key in the map; this will be a security issue since people can pass a tenant domain and perform deletion.

*Solution3*
Run a periodic operation which checks the availability of the tenant in the database and deletes from the map those which do not exist.

We are looking for feedback on this.

Thanks
Godwin

--
*Godwin Amila Shrimal*
Senior Software Engineer
WSO2 Inc.; http://wso2.com
lean.enterprise.middleware
Re: [Architecture] [Dev] [IS] Architecture - API to Retrieve Authentication Session Information
*Solution*

Develop an API to provide the following functionalities.

- Retrieve information of currently logged in and recently used sessions since the last password change.
- Retrieve time, location, OS and browser details of each session logged in and recently used.
- Terminate a particular logged in account.

*Retrieve session information*

- User can view his currently logged in details and recently used session information. In each session, information about last time used, location, browser and OS details.
- To view information, user has to send an HTTP GET request with SessionID and can query by ServiceProvider detail for a particular account. Then the API will query the alive UserID for the given details and produce the required information for the user.

*Terminate a particular account*

- If a user or admin wants to log out from a logged in account, he can terminate the particular account session.
- If Identity Provider / Service Provider / User Account is deleted by admin, the session will be automatically terminated by event listeners.
- To terminate an account, user has to send an HTTP POST request with SessionID and can query by ServiceProvider detail for a particular account. Then the API will query the alive UserID for the given details and terminate the account.

*Database design*

- *UserID* which is mapped to *IDP, IDP UserID* and *Service Provider* is used to identify a unique account.
- Through *UserID*, information of the particular account will be provided.
- In the *Session* table, details of *Browser, OS* and *Location* will not be used in queries. So we can store this information as a JSON object.

Regards

--
Chuhaashanan
Intern - Software Engineering

--
*Ruwan Abeykoon*
*Associate Director/Architect,*
*WSO2, Inc. http://wso2.com*

--
Thanks & Regards,
Dulanja Liyanage
Lead, Platform Security Team
WSO2 Inc.

--
Pushpalanka.
Pushpalanka Jayawardhana, B.Sc.Eng.(Hons).
Senior Software Engineer, WSO2 Lanka (pvt) Ltd; wso2.com/

___
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
Re: [Architecture] [Dev] [VOTE] Release WSO2 Identity Server 5.5.0 RC2
Thanks,

Pushpalanka.
Re: [Architecture] [Dev] [VOTE] Release WSO2 Identity Server 5.5.0 RC1
Hi,

Thanks for the information Darshana. Didn't know it was decided to be rectified in an RC2. Thanks for the fix.

On Thu, Mar 15, 2018 at 1:39 AM, Omindu Rathnaweera <omi...@wso2.com> wrote:

Hi Lanka,

This issue is now fixed in the latest oauth version (v5.6.63) and will be available with RC2.

Regards,
Omindu.

On Wed, Mar 14, 2018 at 10:32 PM, Darshana Gunawardana <darsh...@wso2.com> wrote:

Hi Lanka,

As you already know, we are working on rectifying this NPE in the RC2.

Thanks,

On Wed, Mar 14, 2018 at 10:25 PM, Pushpalanka Jayawardhana <la...@wso2.com> wrote:

Hi,

On Wed, Mar 14, 2018 at 10:14 PM, Pushpalanka Jayawardhana <la...@wso2.com> wrote:

On Wed, Mar 14, 2018 at 10:09 PM, Pushpalanka Jayawardhana <la...@wso2.com> wrote:

Hi All,

Tested OIDC hybrid flow with "code idtoken" response type. This is breaking with "Invalid response type" error message. Could do a bit of debugging and it seems that at [1], it is failing to identify the existing key for "code idtoken" type.

In the HashTable returned at OAuthServerConfiguration.getInstance().getSupportedResponseTypeValidators() execution, the "code idtoken" key has the hashCode of '-1819461976' while the input key 'code idtoken' produces the hashcode of '-732188021'. In plain Java code, if we generate the hashCode for 'code idtoken' it also generates this. This results in not identifying the sent response type properly. Appreciate if this can be further investigated.

[1] - https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/5.6.x/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/model/CarbonOAuthAuthzRequest.java#L49

Please ignore this, just realised it should be id_token. Sorry for the noise.

Even with this fix the flow is failing with the below error,

java.lang.NullPointerException
org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.getIdTokenFromRedirectURL(OAuth2AuthzEndpoint.java:2321)
org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.storeSidClaim(OAuth2AuthzEndpoint.java:2225)
org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.manageOIDCSessionState(OAuth2AuthzEndpoint.java:2050)
org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.handleSuccessfulAuthentication(OAuth2AuthzEndpoint.java:607)
org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.handleAuthenticationResponse(OAuth2AuthzEndpoint.java:574)
org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.authorize(OAuth2AuthzEndpoint.java:199)
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
java.lang.reflect.Method.invoke(Method.java:498)
org.apache.cxf.service.invoker.AbstractInvoker.performInvocation(AbstractInvoker.java:188)
org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:104)
org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:204)
org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:101)
org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:58)
org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:94)
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
org.apache.cxf.transport.http.
Re: [Architecture] [Dev] [VOTE] Release WSO2 Identity Server 5.5.0 RC1
Hi,

On Wed, Mar 14, 2018 at 10:14 PM, Pushpalanka Jayawardhana <la...@wso2.com> wrote:

> On Wed, Mar 14, 2018 at 10:09 PM, Pushpalanka Jayawardhana <la...@wso2.com> wrote:
>
> Hi All,
>
> Tested OIDC hybrid flow with "code idtoken" response type. This is breaking with "Invalid response type" error message. Could do a bit of debugging and it seems that at [1], it is failing to identify the existing key for "code idtoken" type.
>
> In the HashTable returned at OAuthServerConfiguration.getInstance().getSupportedResponseTypeValidators() execution, the "code idtoken" key has the hashCode of '-1819461976' while the input key 'code idtoken' produces the hashcode of '-732188021'. In plain Java code, if we generate the hashCode for 'code idtoken' it also generates this. This results in not identifying the sent response type properly. Appreciate if this can be further investigated.
>
> [1] - https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/5.6.x/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/model/CarbonOAuthAuthzRequest.java#L49
>
> Please ignore this, just realised it should be id_token. Sorry for the noise.

Even with this fix the flow is failing with the below error,

java.lang.NullPointerException
org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.getIdTokenFromRedirectURL(OAuth2AuthzEndpoint.java:2321)
org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.storeSidClaim(OAuth2AuthzEndpoint.java:2225)
org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.manageOIDCSessionState(OAuth2AuthzEndpoint.java:2050)
org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.handleSuccessfulAuthentication(OAuth2AuthzEndpoint.java:607)
org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.handleAuthenticationResponse(OAuth2AuthzEndpoint.java:574)
org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.authorize(OAuth2AuthzEndpoint.java:199)
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
java.lang.reflect.Method.invoke(Method.java:498)
org.apache.cxf.service.invoker.AbstractInvoker.performInvocation(AbstractInvoker.java:188)
org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:104)
org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:204)
org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:101)
org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:58)
org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:94)
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:249)
org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:248)
org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:222)
org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:153)
org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:171)
org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:289)
org.apache.cxf.transport.servlet.AbstractHTTPServlet.doGet(AbstractHTTPServlet.java:214)
javax.servlet.http.HttpServlet.service(HttpServlet.java:624)
org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:265)
org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
org.wso2.carbon.webapp.mgt.filter.AuthorizationHeaderFilter.doFilter(AuthorizationHeaderFilter.java:85)
org.wso2.carbon.ui.filters.cache.ContentTypeBasedCachePreventionFilter.doFilter(ContentTypeBasedCachePreventionFilter.java:53)
org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilter(HttpHeaderSecurityFilter.java:124)

This is only when the user login is performed in the flow. If the authorization request is sent in a browser where the user is already logged in, the issue is not occurring and the flow works fine.

On Wed, Mar 14, 2018 at 7:52 PM, Sagara Gunathunga <sag...@wso2.com> wrote:
Re: [Architecture] [Dev] [VOTE] Release WSO2 Identity Server 5.5.0 RC1
On Wed, Mar 14, 2018 at 10:09 PM, Pushpalanka Jayawardhana <la...@wso2.com> wrote:

> Hi All,
>
> Tested OIDC hybrid flow with "code idtoken" response type. This is breaking with "Invalid response type" error message. Could do a bit of debugging and it seems that at [1], it is failing to identify the existing key for "code idtoken" type.
>
> In the HashTable returned at OAuthServerConfiguration.getInstance().getSupportedResponseTypeValidators() execution, the "code idtoken" key has the hashCode of '-1819461976' while the input key 'code idtoken' produces the hashcode of '-732188021'. In plain Java code, if we generate the hashCode for 'code idtoken' it also generates this. This results in not identifying the sent response type properly. Appreciate if this can be further investigated.
>
> [1] - https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/5.6.x/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/model/CarbonOAuthAuthzRequest.java#L49

Please ignore this, just realised it should be id_token. Sorry for the noise.

On Wed, Mar 14, 2018 at 7:52 PM, Sagara Gunathunga <sag...@wso2.com> wrote:

On Wed, Mar 14, 2018 at 7:46 PM, Jayanga Kaushalya <jayan...@wso2.com> wrote:

> Hi Sagara,
>
> Yes I have suggested other teams also to follow the IS convention in [1]. APIM team told me offline that they already changed. Hope others will do the same.

Great.

Thanks !

> [1] [GDPR] Anonymization Tool default configurations/references are differed over the Products
>
> Thanks!
>
> *Jayanga Kaushalya*
> Senior Software Engineer
> WSO2 Inc. | http://wso2.com
> lean.enterprise.middleware

On Wed, Mar 14, 2018 at 7:37 PM, Sagara Gunathunga <sag...@wso2.com> wrote:

On Wed, Mar 14, 2018 at 7:27 PM, Sathya Bandara <sat...@wso2.com> wrote:

> Hi all,
>
> We are calling off this vote as we have found an issue,
>
> - for user-mgt ui component in EI product
> - in Windows environment
>
> Since we want to align the same component versions among EI & IS, we will fix this and update versions in IS as well. Additionally we will fix the issue in README.txt along with this.

Ruwan/Jayanga, shall we also look into the suggestion made by Lanka in the "GDPR compliance for WSO2 products" thread ?

Thanks !

> We will do a RC2 and call for a vote soon.
>
> [1] https://github.com/wso2/product-ei/issues/2004

On Wed, Mar 14, 2018 at 6:29 PM, Nilasini Thirunavukkarasu <nilas...@wso2.com> wrote:

Hi,

I have tested the following flows in mysql.

- User management, role management (Primary + Secondary user store)
- OIDC flow (password grant, authorization code) (Primary + Secondary user store)
- consent management with SAML SSO for primary and secondary users.
- SAML assertion encryption and response signing.

I have tested the following flow with h2

- federated scenario with two IS

+1 to go ahead and release

Thanks,
Nila.

On Wed, Mar 14, 2018 at 6:15 PM, Darshana Gunawardana <darsh...@wso2.com> wrote:

Hi Dilini,

We will fix this, if we noted any blocker for RC1 release.. If not,
Re: [Architecture] Implementing consent receipt specification in WSO2 Identity Server
means to WSO2 server.

With our current implementation in Identity Server we maintain a scope-claim mapping at the registry level. For a scope a single or multiple claims can be mapped and we can define any custom scope or claim. So IIUC here we can map PII category with scope. So indirectly we can map PII category with claims. But at the moment we don't store those scope - claim mappings in our database. So if we are to map PII category with the scopes we need to store the scopes at the db level.

Thanks,

Hasanthi Dissanayake
Software Engineer | WSO2
E: hasan...@wso2.com | http://wso2.com

On Wed, Sep 20, 2017 at 9:09 AM, Pushpalanka Jayawardhana <la...@wso2.com> wrote:

Hi Shan,

Along with these details we save in these tables, we need to keep a mapping to what each PII category means to WSO2 server. In that case we can think of a PII category as a collection of claims.

In IS we already have this concept of a collection of claims, where we categorize them into a scope. WSO2 APIM already makes use of these scopes to provide role based access to resources. We can try to make use of scopes in the place of PII category to establish this mapping with server claims, which are actually PII keys. In the 'PII_CATEGORY' table we can keep track of this.

Thanks,

On Wed, Sep 13, 2017 at 2:45 PM, Shan Jayathilaka <sh...@wso2.com> wrote:

There is a new regulation called the EU General Data Protection Regulation (GDPR) which replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe. GDPR was passed as a regulation on 27th April 2016 and will be effective from 25th May 2018. Regarding this regulation any organization which is collecting user data must collect data according to the user's consent. Also if a user requests his/her consents about the user data, the data collecting organization must provide those consents to the user. In here we have to record what the consents of the user are in a database. I designed an ER diagram [1] for the database which collects the user consent. Also I attached the GDPR Regulation document [2], a blog to understand the GDPR [3] and Kantara Consent Receipt Management [4] to this email. I hope they will be helpful to all.

*Brief explanation about the database tables*

- TRANSACTION_DETAILS: Contains details about the consent receipt id and user identification.
- DATA_CONTROLLER: Contains details about the organization which collects the user data.
- SERVICES: Contains details about the services provided to the user data.
- PURPOSES: Contains details about the purposes to collect the user data.
- THIRD_PARTY: Contains details about the third party organizations which take the user data shared by the data controllers.
- PII_CATEGORY: Contains details about the personally identifiable information (pii) categories.

[1] project_gdpr_new_erd.png (140K)
Re: [Architecture] OIDC request object support
Hi Hasanthi,

On Wed, Oct 11, 2017 at 11:10 PM, Hasanthi Purnima Dissanayake <hasan...@wso2.com> wrote:

> Hi Pushpalanka,
>
>> Since the scope concept is no longer effective in this approach, I assume we will have to capture user consent claim by claim in this case, similar to how we handle consent for scopes.
>
> Yes we should use the same way to capture the consent claim by claim but with the authorization request. Anyway we need to pass the 'openid' scope along with the request in order to make this an OIDC request, right?

Yes, the specification specifically mentions that. Yes, consent needs to be captured with the authorization request as you mentioned. As the request object is a part of the authorization request, we have to address it here. This section of the specification [1] will help in understanding.

>> Are we introducing a new table to store this?
>
> I'm wondering whether we need to introduce a new table to store the claims and consents with this implementation. Can't we use the same table which we are introducing in consent management and then request consent, claim by claim, here as well?

The newly introduced tables to store consent are domain specific, as it comes for the solution. Consent for claims served by IS according to the request object will need to be handled through the IS data source, as this governs what IS exposes through the userinfo endpoint and ID token.

>> We also need to take into consideration that the request object can be signed (JWS) and we need to do the signature validation before it's handed over to the next layer.
>
> +1. Yes we need to do.
>
>> 1. Define custom claims for those and use claim retrieving extensions to handle the value
>> 2. Provide an extension at this layer so that we filter out the claims handled by IS and separate others to be handled in custom ways.
>
> +1 for option 2
>
> BTW, are we planning to implement consent management with the IS 5.3.0 WUM update? If so, can we do schema changes as a WUM update? Otherwise how do we plan to release the consent management feature?

The consent management we refer to here is much specific to the domain. So that will not introduce a schema change to the product db script. We will make use of the extension to be introduced at request object level and use the storage from the solution.

[1] - http://openid.net/specs/openid-connect-core-1_0.html#RequestParameter

> Thanks,
>
> Hasanthi Dissanayake
> Software Engineer | WSO2
> E: hasan...@wso2.com | http://wso2.com

On Wed, Oct 11, 2017 at 6:38 PM, Pushpalanka Jayawardhana <la...@wso2.com> wrote:

Hi Hasanthi,

On Wed, Oct 11, 2017 at 4:41 PM, Hasanthi Purnima Dissanayake <hasan...@wso2.com> wrote:

On Wed, Oct 11, 2017 at 4:35 PM, Hasanthi Purnima Dissanayake <hasan...@wso2.com> wrote:

Hi All,

In order to support 'Request Object' we need to support two parameters.
1. request parameter
2. request_uri parameter

*1. request parameter*
The purpose of this parameter is to support requesting some claims other than the default Userinfo and IdToken claim set which is associated with the requested scope.

So if we consider a sample request with the above parameter,

https://localhost:9443/oauth2/authorize?
response_type=code%20id_token
&client_id=X
&redirect_uri=http://localhost:8080/playground
&scope=openid
&state=af0ifjsldkj
&nonce=n-0S6_WzA2Mj
&request={
"iss": "s6BhdRkqt3",
"aud": "https://server.example.com",
"response_type": "code id_token",
"client_id": "s6BhdRkqt3",
"redirect_uri": "https://client.example.org/cb",
"scope": "openid",
"state": "af0ifjsldkj",
"nonce": "n-0S6_WzA2Mj",
"max_age": 86400,
Re: [Architecture] OIDC request object support
Hi Hasanthi,

On Wed, Oct 11, 2017 at 4:41 PM, Hasanthi Purnima Dissanayake <hasan...@wso2.com> wrote:
>
> Hasanthi Dissanayake
> Software Engineer | WSO2
> E: hasan...@wso2.com
> M: 0718407133 | http://wso2.com
>
> On Wed, Oct 11, 2017 at 4:35 PM, Hasanthi Purnima Dissanayake <hasan...@wso2.com> wrote:
>
>> Hi All,
>>
>> In order to support 'Request Object' we need to support two parameters.
>> 1. request parameter
>> 2. request_uri parameter
>>
>> *1. request_parameter*
>> The purpose of this parameter is for supporting to request some claims other than the default Userinfo and IdToken claim set which is associated with the requested scope.
>>
>> So if we consider a sample request with above parameter,
>>
>> https://localhost:9443/oauth2/authorize?
>> response_type=code%20id_token
>> &client_id=X
>> &redirect_uri=http://localhost:8080/playground
>> &scope=openid
>> &state=af0ifjsldkj
>> &nonce=n-0S6_WzA2Mj
>> &request={
>>   "iss": "s6BhdRkqt3",
>>   "aud": "https://server.example.com",
>>   "response_type": "code id_token",
>>   "client_id": "s6BhdRkqt3",
>>   "redirect_uri": "https://client.example.org/cb",
>>   "scope": "openid",
>>   "state": "af0ifjsldkj",
>>   "nonce": "n-0S6_WzA2Mj",
>>   "max_age": 86400,
>>   "claims": {
>>     "userinfo": {
>>       "given_name": {
>>         "essential": true
>>       },
>>       "nickname": null,
>>       "email": {
>>         "essential": true
>>       }
>>     },
>>     "id_token": {
>>       "gender": null,
>>       "birthdate": {
>>         "essential": true
>>       },
>>       "acr": {
>>         "values": [
>>           "urn:mace:incommon:iap:silver"
>>         ]
>>       }
>>     }
>>   }
>> }
>>
>> The expected behavior of Identity server will be as follows.
>>
>> 1. Consider the claims "given_name" and "email" which are marked as 'essential:true' for 'userinfo' member. Even if they are not mapped with the openid scope in the registry, if these claims are requested claims, then 'given_name' and 'email' will be returned from the Userinfo endpoint.
>> So as a summary the claims which have marked as 'essential : true' only get controlled by the requested claims and ignore the requested scopes. If the server can not provide those essential claims there won't be any failure or error message returning from the server.
>>
Since scope concept is no longer effective in this approach, I assume we will have to capture user consent claim by claim in this case similar to how we handle consent for scopes. Are we introducing a new table to store this?

We also need to take into the consideration that the request object can be signed (JWS) and we need to do the signature validation before it's handed over to next layer.

Also in different domains the request object format get slightly modified. Additionally not all coming under claims will be delivered claims from IS user base. There can be disparate logics and sources to derive the values for this. To cater for this we have options,
1. Define custom claims for those and use claim retrieving extensions to handle the value
2. Provide an extension at this layer so that we filter out the claims handled by IS and separate others to be handled in custom ways.
Having option 2 will provide more freedom and efficient in handling cases where none of the incoming are claims handled directly from IS user base. Also it will let us handle any attributes introduced to outer layer from claims.

Apart from mentioning 'essential:true', in different domains there can be cases where the claims become essential given a condition. For example: If user wish to have SMS OTP as an authentication factor then mobile number is essential. We can adopt such minor modifications by keeping extendability here.

>
>> 2. The claims like "nickname" it will act as a default claim and will control by both requested scopes and the requested claims.
>>
>> This behavior is common to the id token as well.
>>
>> *2. request_uri parameter*
>> In this case the url will be a pre-registered url by the RP for use at
>
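The claim-release behaviour Hasanthi describes (essential claims released regardless of scope, non-essential claims behaving like default claims, missing essentials skipped without error) together with the verify-the-JWS-before-trusting-it point from the reply, as an added example that is not code from the thread or from WSO2 IS. The scope-to-claim registry, user record and HS256 shared secret are constructed sample data (a real OP verifies the client's registered key, usually RS256), and a non-essential requested claim is assumed to be released only when a requested scope also maps it.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample: registry mapping of scopes to their default claims.
SCOPE_CLAIMS = {
    "openid": {"sub"},
    "profile": {"given_name", "nickname", "gender", "birthdate"},
    "email": {"email"},
}

# Constructed sample user record from the identity store.
USER_ATTRIBUTES = {
    "sub": "248289761001",
    "given_name": "Jane",
    "nickname": "jd",
    "email": "jane@example.org",
    "birthdate": "1990-01-01",
}

# The request object from the thread: scope=openid only, userinfo + id_token members.
THREAD_REQUEST_OBJECT = {
    "iss": "s6BhdRkqt3", "aud": "https://server.example.com",
    "response_type": "code id_token", "client_id": "s6BhdRkqt3",
    "redirect_uri": "https://client.example.org/cb", "scope": "openid",
    "state": "af0ifjsldkj", "nonce": "n-0S6_WzA2Mj", "max_age": 86400,
    "claims": {
        "userinfo": {"given_name": {"essential": True}, "nickname": None,
                     "email": {"essential": True}},
        "id_token": {"gender": None, "birthdate": {"essential": True},
                     "acr": {"values": ["urn:mace:incommon:iap:silver"]}},
    },
}


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def sign_request_object_hs256(payload, secret):
    """Constructed helper: wrap a request object in a compact HS256 JWS."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def unpack_request_object(request_param, secret):
    """Parse the 'request' parameter; a JWS is verified before any claim is trusted."""
    if request_param.lstrip().startswith("{"):
        return json.loads(request_param)  # unsigned JSON, as in the thread's sample
    header_b64, body_b64, sig_b64 = request_param.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # rejects alg=none and any unexpected algorithm
        raise ValueError("unexpected request object alg: %r" % header.get("alg"))
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("request object signature invalid")
    return json.loads(_b64url_decode(body_b64))


def resolve_claims(requested, scopes, user):
    """Claims to release for one member ('userinfo' or 'id_token').

    Scope-mapped (default) claims are released as usual; a requested claim with
    "essential": true is released even when no requested scope maps it; a
    non-essential requested claim (e.g. "nickname": null) is released only if a
    requested scope also maps it. Essential claims the user lacks are skipped silently.
    """
    allowed = set()
    for scope in scopes:
        allowed |= SCOPE_CLAIMS.get(scope, set())
    for name, spec in (requested or {}).items():
        if isinstance(spec, dict) and spec.get("essential") is True:
            allowed.add(name)
    return {name: user[name] for name in allowed if name in user}


def release_claims(request_param, user, secret=b""):
    """Verify/parse the request object, then resolve both members."""
    obj = unpack_request_object(request_param, secret)
    scopes = set(obj.get("scope", "").split())
    claims = obj.get("claims", {})
    return {member: resolve_claims(claims.get(member), scopes, user)
            for member in ("userinfo", "id_token")}


if __name__ == "__main__":
    result = release_claims(json.dumps(THREAD_REQUEST_OBJECT), USER_ATTRIBUTES)
    print(json.dumps(result, indent=2))
```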
Re: [Architecture] Implementing consent receipt specification in WSO2 Identity Server
Hi Shan,

Along with these details we save in these tables, we need to keep a mapping to what each PII category means to WSO2 server. In that case we can think of a PII category as a collection of claims. In IS we already have this concept of collection of claims, where we categorize them into a scope. WSO2 APIM already make use of these scopes to provide role based access to resources. We can try to make use of scopes in the place of PII category to establish this mapping with server claims which are actually PII keys. In the 'PII_CATEGORY' table we can keep track of this.

Thanks,

On Wed, Sep 13, 2017 at 2:45 PM, Shan Jayathilaka <sh...@wso2.com> wrote:
> There is a new regulation called the EU General Data Protection Regulation (GDPR) which replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe. GDPR was passed as a regulation on 27th April 2016 and will be effective from 25th May 2018. According to this regulation any organization who is collecting user data must collect data according to the user's consent. Also if a user requests about his/her consents about the user data, the data collecting organization must provide those consents regarding to the user. In here we have to record what are the consents of the user to a database. I designed an [1] ER diagram for the database which collects the user consent. Also I attached [2] GDPR Regulation document, [3] a blog to understand the GDPR and [4] Kantara Consent Receipt Management to this email. I hope they will be helpful to all.
>
> *Brief explanation about the database tables*
>
> - TRANSACTION_DETAILS: Contains details about the consent receipt id and user identification.
> - DATA_CONTROLLER: Contains details about the organization which collects the user data.
> - SERVICES: Contains details about the services provided to the user data.
> - PURPOSES: Contains details about the purposes to collect the user data.
> - THIRD_PARTY: Contains details about the third party organizations which take the user data shared by the data controllers.
> - PII_CATEGORY: Contains details about the personally identifiable information (pii) categories.
>
> [1] project_gdpr_new_erd.png (140K)
> [2] http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679
> [3] https://medium.facilelogin.com/understanding-gdpr-9201e1356418
> [4] https://kantarainitiative.org/confluence/display/infosharing/Consent+Receipt+Specification?preview=/76447870/90604248/DRAFT%20Recommendation%20Consent%20Receipt%20Specification%201_0_0.docx
>
> Appreciate your feedback.
>
> Regards,
>
> Shan Chathusanda Jayathilaka
> Software Engineer (Intern)
> WSO2
> Mobile : +94702062877
> Email : sh...@wso2.com
> LinkedIn : www.linkedin.com/in/shanchathusanda/

--
Pushpalanka.
--
Pushpalanka Jayawardhana, B.Sc.Eng.(Hons).
Senior Software Engineer, WSO2 Lanka (pvt) Ltd; wso2.com/
Mobile: +94779716248
Blog: pushpalankajaya.blogspot.com/ | LinkedIn: lk.linkedin.com/in/pushpalanka/ | Twitter: @pushpalanka

___
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
Re: [Architecture] Distinguish between local and federated users in oauth tables
On Wed, May 17, 2017 at 10:37 AM, Prabath Siriwardena <prab...@wso2.com> wrote:
>
> On Tue, May 16, 2017 at 10:04 PM, Ishara Karunarathna <isha...@wso2.com> wrote:
>
>> On Wed, May 17, 2017 at 10:26 AM, Prabath Siriwardena <prab...@wso2.com> wrote:
>>
>>> Also - related to JWT/SAML grant types - do we have an option to JIT provision the user...?
>>>
>> This is not available in the current implementation.
>>
>>> The expectation is - when you enable JIT provisioning under the trusted IdP - and pick the userstore to provision the users - then the user should be JIT provisioned...
>>>
>> If we need to support OIDC with JWT/SAML grant types we need to have this feature. Even though OIDC spec does not talk about supporting OIDC with custom grant types, this can be treated as a token exchange mechanism. And +1 for supporting this.
>>
> In fact this is not directly related to OIDC - just the JWT grant type (JWT grant type for OAuth 2.0)..
>
> If this is not supported then - in API M - how do we generate the JWT for the backend - when users come from a federated JWT..?
>
In IS JWTTokenGenerator we check whether the user exists in local user store and get the claims. Else no claims are sent in the JWT in token validation. AFAIK API M has written a different token generator for this case.

> Thanks & regards,
> -Prabath
>
>> -Ishara
>>
>>> Thanks & regards,
>>> -Prabath
>>>
>>> On Tue, May 16, 2017 at 8:58 PM, Pushpalanka Jayawardhana <la...@wso2.com> wrote:
>>>
>>>> On Tue, May 16, 2017 at 11:15 PM, Ishara Karunarathna <isha...@wso2.com> wrote:
>>>>
>>>>> On Tue, May 16, 2017 at 10:25 PM, Prabath Siriwardena <prab...@wso2.com> wrote:
>>>>>
>>>>>> How do you figure out users from different idps?
>>>>>>
>>>>> In this way we can only identify whether user is federated or local user.
>>>>>
>>>>> But we can use a convention to keep IDP name as well if we need to go without schema changes
>>>>> Ex FEDERATED:IDP1
>>>>>
>>>> Is this to address any future issues or cater for features?
>>>>
>>>> I can see a conceptual fault saving same domain name for different IDPs, along with the unique key constraint we have. This can lead to treat two identities as same, since we will only know they are federated.
>>>>
>>>> CONSTRAINT CON_APP_KEY UNIQUE (CONSUMER_KEY_ID,AUTHZ_USER,TENANT_ID,*USER_DOMAIN*,USER_TYPE,TOKEN_SCOPE_HASH,TOKEN_STATE,TOKEN_STATE_ID)
>>>>
>>>> What will be the places we will make use of the knowledge of authenticated IDP?
>>>>
>>>>> -Ishara
>>>>>
>>>>>> Thanks & regards,
>>>>>> -Prabath
>>>>>>
>>>>>> On Tue, May 16, 2017 at 7:23 AM, Pushpalanka Jayawardhana <la...@wso2.com> wrote:
>>>>>>
>>>>>>> Hi All,
>>>>>>>
>>>>>>> We have below 3 issues that are caused mainly because we don't have a clear way to distinguish local and federated users in oauth related tables (authorization code and access token storage).
>>>>>>> There are few more issues related to sending subject claim in proper format in IDtoken, that needs to identify the user as federated or local.
>>>>>>>
>>>>>>> In order to address these issues we need to check whether user is from a federated IDP. To fix this without having DB schema changes, IsharaK came up with this idea to use 'UserStoreDomain' column, to store the value 'FEDERATED' as user store domain for tokens and authorization codes issued to federated users. The relevant authenticators
Re: [Architecture] Distinguish between local and federated users in oauth tables
On Tue, May 16, 2017 at 11:15 PM, Ishara Karunarathna <isha...@wso2.com> wrote:
>
> On Tue, May 16, 2017 at 10:25 PM, Prabath Siriwardena <prab...@wso2.com> wrote:
>
>> How do you figure out users from different idps?
>>
> In this way we can only identify whether user is federated or local user.
>
> But we can use a convention to keep IDP name as well if we need to go without schema changes
> Ex FEDERATED:IDP1
>
Is this to address any future issues or cater for features?

I can see a conceptual fault saving same domain name for different IDPs, along with the unique key constraint we have. This can lead to treat two identities as same, since we will only know they are federated.

CONSTRAINT CON_APP_KEY UNIQUE (CONSUMER_KEY_ID,AUTHZ_USER,TENANT_ID,*USER_DOMAIN*,USER_TYPE,TOKEN_SCOPE_HASH,TOKEN_STATE,TOKEN_STATE_ID)

What will be the places we will make use of the knowledge of authenticated IDP?

> -Ishara
>
>> Thanks & regards,
>> -Prabath
>>
>> On Tue, May 16, 2017 at 7:23 AM, Pushpalanka Jayawardhana <la...@wso2.com> wrote:
>>
>>> Hi All,
>>>
>>> We have below 3 issues that are caused mainly because we don't have a clear way to distinguish local and federated users in oauth related tables (authorization code and access token storage).
>>> There are few more issues related to sending subject claim in proper format in IDtoken, that needs to identify the user as federated or local.
>>>
>>> In order to address these issues we need to check whether user is from a federated IDP. To fix this without having DB schema changes, IsharaK came up with this idea to use 'UserStoreDomain' column, to store the value 'FEDERATED' as user store domain for tokens and authorization codes issued to federated users. The relevant authenticators and grant handlers are responsible to set 'isFederatedUser' flag to true, whenever they are creating and passing an authenticated user to messageContext. OAuth storage will read and store it as the userStoreDomain value with 'FEDERATED'. This domain is never expected to be sent out from server as a user attribute or property or as part of username.
>>>
>>> In order to avoid any conflicts, we will avoid users from creating user store domains with the name 'FEDERATED'.
>>> If you see any pitfalls with this approach, please raise. We are proceeding with implementation as above.
>>>
>>> [1] - https://wso2.org/jira/browse/IDENTITY-5939
>>> [2] - https://wso2.org/jira/browse/IDENTITY-4880
>>> [3] - https://wso2.org/jira/browse/IDENTITY-4512
>>>
>>> Thanks,
>>> Pushpalanka.
>>
>> --
>> Thanks & Regards,
>> Prabath
>> Twitter : @prabath
>> LinkedIn : http://www.linkedin.com/in/prabathsiriwardena
>> Mobile : +1 650 625 7950
>> http://facilelogin.com
>
> --
> Ishara Karunarathna
> Associate Technical Lead
> WSO2 Inc. - lean . enterprise . middleware | wso2.com
> email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94717996791

--
Pushpalanka.
Re: [Architecture] Distinguish between local and federated users in oauth tables
On Tue, May 16, 2017 at 10:19 PM, Nuwan Dias <nuw...@wso2.com> wrote:
> How is this going to impact migrating clients? For the data that's already available in the DB, I guess we won't be changing their user store domains. So I guess they will still be treated in the old way?
>
Yes, as of now we save domain as PRIMARY for externally authenticated users as well. We won't be migrating those, hence treated in old way. If there are authenticators that have been already setting this flag 'isFederatedUser' to true, from now on their user store domain will be saved as FEDERATED, fixing the mentioned bugs we had in the flow.

> On Tue, May 16, 2017 at 7:53 PM, Pushpalanka Jayawardhana <la...@wso2.com> wrote:
>
>> Hi All,
>>
>> We have below 3 issues that are caused mainly because we don't have a clear way to distinguish local and federated users in oauth related tables (authorization code and access token storage).
>> There are few more issues related to sending subject claim in proper format in IDtoken, that needs to identify the user as federated or local.
>>
>> In order to address these issues we need to check whether user is from a federated IDP. To fix this without having DB schema changes, IsharaK came up with this idea to use 'UserStoreDomain' column, to store the value 'FEDERATED' as user store domain for tokens and authorization codes issued to federated users. The relevant authenticators and grant handlers are responsible to set 'isFederatedUser' flag to true, whenever they are creating and passing an authenticated user to messageContext. OAuth storage will read and store it as the userStoreDomain value with 'FEDERATED'. This domain is never expected to be sent out from server as a user attribute or property or as part of username.
>>
>> In order to avoid any conflicts, we will avoid users from creating user store domains with the name 'FEDERATED'.
>> If you see any pitfalls with this approach, please raise. We are proceeding with implementation as above.
>>
>> [1] - https://wso2.org/jira/browse/IDENTITY-5939
>> [2] - https://wso2.org/jira/browse/IDENTITY-4880
>> [3] - https://wso2.org/jira/browse/IDENTITY-4512
>>
>> Thanks,
>> Pushpalanka.
>
> --
> Nuwan Dias
> Software Architect - WSO2, Inc. http://wso2.com
> email : nuw...@wso2.com
> Phone : +94 777 775 729

--
Pushpalanka.
[Architecture] Distinguish between local and federated users in oauth tables
Hi All,

We have below 3 issues that are caused mainly because we don't have a clear way to distinguish local and federated users in oauth related tables (authorization code and access token storage).
There are few more issues related to sending subject claim in proper format in IDtoken, that needs to identify the user as federated or local.

In order to address these issues we need to check whether user is from a federated IDP. To fix this without having DB schema changes, IsharaK came up with this idea to use 'UserStoreDomain' column, to store the value 'FEDERATED' as user store domain for tokens and authorization codes issued to federated users. The relevant authenticators and grant handlers are responsible to set 'isFederatedUser' flag to true, whenever they are creating and passing an authenticated user to messageContext. OAuth storage will read and store it as the userStoreDomain value with 'FEDERATED'. This domain is never expected to be sent out from server as a user attribute or property or as part of username.

In order to avoid any conflicts, we will avoid users from creating user store domains with the name 'FEDERATED'.
If you see any pitfalls with this approach, please raise. We are proceeding with implementation as above.

[1] - https://wso2.org/jira/browse/IDENTITY-5939
[2] - https://wso2.org/jira/browse/IDENTITY-4880
[3] - https://wso2.org/jira/browse/IDENTITY-4512

Thanks,
--
Pushpalanka.
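The 'FEDERATED' user store domain convention from this proposal, the guard against creating a user store domain with that name, and the CON_APP_KEY unique-constraint concern raised in the replies (plain 'FEDERATED' vs the 'FEDERATED:IDP1' variant), as an added example that is not WSO2 code. It assumes an in-memory stand-in for the token table, a single constant USER_TYPE, and constructed users and tenant id.

```python
from dataclasses import dataclass
from typing import Optional

RESERVED_DOMAIN = "FEDERATED"


@dataclass(frozen=True)
class AuthenticatedUser:
    """Shape of the user that authenticators/grant handlers put in the message context."""
    user_name: str
    tenant_id: int
    user_store_domain: Optional[str]        # None: federated user with no local store entry
    is_federated_user: bool = False
    federated_idp_name: Optional[str] = None


def user_domain_for_storage(user, keep_idp_name=False):
    """Value OAuth storage writes into USER_DOMAIN.

    Plain 'FEDERATED' is what this thread proposes; keep_idp_name=True applies the
    'FEDERATED:IDP1' convention suggested in the replies, so federated identities
    from different IdPs stay distinguishable under the unique key."""
    if not user.is_federated_user:
        return user.user_store_domain or "PRIMARY"
    if keep_idp_name and user.federated_idp_name:
        return "%s:%s" % (RESERVED_DOMAIN, user.federated_idp_name)
    return RESERVED_DOMAIN


def validate_new_user_store_domain(name):
    """Guard from the proposal: nobody may create a user store domain named FEDERATED."""
    upper = name.upper()
    if upper == RESERVED_DOMAIN or upper.startswith(RESERVED_DOMAIN + ":"):
        raise ValueError("'%s' is reserved for federated users" % name)
    return name


def con_app_key(consumer_key_id, user, token_scope_hash, token_state, token_state_id,
                keep_idp_name=False):
    """Columns covered by CON_APP_KEY UNIQUE (CONSUMER_KEY_ID, AUTHZ_USER, TENANT_ID,
    USER_DOMAIN, USER_TYPE, TOKEN_SCOPE_HASH, TOKEN_STATE, TOKEN_STATE_ID)."""
    user_type = "APPLICATION_USER"  # assumption: one USER_TYPE is enough for the demo
    return (consumer_key_id, user.user_name, user.tenant_id,
            user_domain_for_storage(user, keep_idp_name), user_type,
            token_scope_hash, token_state, token_state_id)


class TokenStore:
    """In-memory stand-in for the access-token table, enforcing the unique key."""

    def __init__(self):
        self.rows = {}

    def insert(self, key, token):
        if key in self.rows:
            raise KeyError("unique constraint CON_APP_KEY violated for %r" % (key,))
        self.rows[key] = token


def collision_demo(keep_idp_name):
    """Two federated users both named 'alice', from IDP1 and IDP2, each get an ACTIVE
    token for the same app and scope. Returns True when the second insert collides,
    i.e. when the store cannot tell the two identities apart."""
    store = TokenStore()
    alice_idp1 = AuthenticatedUser("alice", -1234, None, True, "IDP1")  # constructed
    alice_idp2 = AuthenticatedUser("alice", -1234, None, True, "IDP2")  # constructed
    store.insert(con_app_key(1, alice_idp1, "scopehash", "ACTIVE", "NONE", keep_idp_name), "tok-1")
    try:
        store.insert(con_app_key(1, alice_idp2, "scopehash", "ACTIVE", "NONE", keep_idp_name), "tok-2")
    except KeyError:
        return True
    return False


if __name__ == "__main__":
    print("plain FEDERATED collides:", collision_demo(False))
    print("FEDERATED:<idp> collides:", collision_demo(True))
```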
Re: [Architecture] Define Username Claim in Domain Level
Hi Thanuja,

On Tue, Mar 21, 2017 at 11:47 AM, Thanuja Jayasinghe <than...@wso2.com> wrote:
>
> On Sun, Mar 19, 2017 at 2:10 PM, Gayan Gunawardana <ga...@wso2.com> wrote:
>
>> On Wed, Mar 15, 2017 at 6:50 AM, Thanuja Jayasinghe <than...@wso2.com> wrote:
>>
>>> Hi Nuwandi,
>>>
>>> On Tue, Mar 14, 2017 at 1:54 PM, Nuwandi Wickramasinghe <nuwan...@wso2.com> wrote:
>>>
>>>> On Tue, Mar 14, 2017 at 12:42 PM, Thanuja Jayasinghe <than...@wso2.com> wrote:
>>>>
>>>>> Hi Gayan,
>>>>>
>>>>> Yes. We need to specially handle username claim ("http://wso2.org/claims/username").
>>>>>
>>>> So, it will always be http://wso2.org/claims/username, not configurable?
>>>>
>>> I see following performance related concerns if we marked some claim as the username claim using a property,
>>>
>>> - In every operation which we are going to specially handle for username claim, we need to check that property
>>> - If we want to get the username claim value, first we need to go through claims to identify the username claim and then retrieve the value for that claim
>>>
>>> Also, it will be much easier for the User object to retrieve username claim from a claim URI rather than a property. (We don't have the API support for retrieving claim value from a property)
>>>
>>> In a case like "email as username", we can still map the username claim to the email attribute. Then we can map the same email attribute to email claim to avoid the confusion.
>>>
>> If "http://wso2.org/claims/username" represents username claim always, we do not need to define it separately in domain-config.yaml, right?
>>
> Yes.
>
> @Pushpalanka: Are we planning to provide the capability to change root claim dialect?
>
This is still under consideration at thread '[IS 6.0.0] Making native claim dialect configurable'. If that answers yes, still can we interpret this as 'root claim dialect claim URI + *username*'?
Still, with little modifications, we can have the mentioned optimizations, as I see.

>>>>> Shall we add a method to User[1] class to retrieve username?
>>>>>
>>>> +1 to have a method in User.java
>>>>
>>>>> [1] - https://github.com/wso2/carbon-identity-mgt/blob/master/components/org.wso2.carbon.identity.mgt/src/main/java/org/wso2/carbon/identity/mgt/User.java
>>>>>
>>>>> Thanks,
>>>>> Thanuja
>>>>>
>>>>> On Tue, Mar 14, 2017 at 12:12 PM, Gayan Gunawardana <ga...@wso2.com> wrote:
>>>>>
>>>>>> Hi All,
>>>>>>
>>>>>> Don't we have to provide an API to get username claim from domain level.
>>>>>> I am suggesting to have some thing like
>>>>>>
>>>>>> org.wso2.carbon.identity.mgt.User userStoreUser = identityStore.getUser(userId);
>>>>>> userStoreUser.getUsernameClaim();
>>>>>>
>>>>>> Currently we handle username claim as just another claim but it should be treated as special claim because username is the human friendly unique identifier for users.
>>>>>>
>>>>>> In domain-config.yaml we can define username claim for each domain.
>>>>>>
>>>>>> Also another requirement is when we get username from outside application, we need to retrieve corresponding user from identity store so we need to set value got from outside to appropriate claim. In that case there should be a way to identify username claim.
>>>>>>
>>>>>> WDYT?
>>>>>>
>>>>>> Thanks,
>>>>>> Gayan
>>>>>>
>>>>>> --
>>>>>> Gayan Gunawardana
>>>>>> Software Engineer; WSO2 Inc.; http://wso2.com/
>>>>>> Email: ga...@wso2.com
>>>>>> Mobile: +94 (71) 8020933
>>>>>
>>>>> --
>>>>> *Thanuja Lakmal*
>>>>> Senior Software Engineer
>>>>> WSO2 Inc. http://wso2.com/
>>>>> *lean.enterprise.middleware*
>>>>> Mobile: +94715979891 +94758009992
>>>>
>>>> --
>>>> Best Regards,
>>>> Nuwandi Wickramasinghe
>>>> Software Engineer
>>>> WSO2 Inc.
>>>> Web : http://wso2.com
>>>> Mobile : 0719214873
>>>
>>> Thanks,
>>> Thanuja

--
Pushpalanka.
[Architecture] [C5][IS 6.0.0] Add and Update Group UI for IS 6.0.0
Hi All,

I am working on implementing 'add group' and 'update group' UIs for IS 6.0.0 as per the wire-frames [1] and [2].

In group addition, user experience will be as, in the 'General' tab user provides name and description of the role. User can either conclude the group addition flow here or go to 'Users' tab to select users who will be in this group. User can either conclude the flow here or go to 'Roles' tab to select the roles to be assigned to all the users in the newly added group. Same goes with the update flow.

Claims will be defined for the group, to keep track of the attributes of the group, such as group description.

Any thoughts are welcome to improve the flow or design.

[1] - https://github.com/wso2-dev-ux/product-is/blob/master/Wireframes/admin-portal/v3/4.2%20Add%20group%20-%20general%20info.png
[2] - https://github.com/wso2-dev-ux/product-is/blob/master/Wireframes/admin-portal/v3/4.8%20Edit%20group%20-%20general%20info.png

Thanks,
--
Pushpalanka.
Re: [Architecture] [Dev] Username Recovery Feature in IS 6.0.0
Hi All,

On Sat, Jan 21, 2017 at 1:35 PM, Isura Karunaratne <is...@wso2.com> wrote:
> Hi Dinali,
>
> On Sat, Jan 21, 2017 at 12:33 PM, Dinali Dabarera <din...@wso2.com> wrote:
>
>> Hi all,
>>
>> We are working on implementing username recovery feature for IS 6.0.0
>>
>> *The admin has to enable the Username Recovery*
>>
>> *When Username Recovery enabled:*
>>
>> - User portal user can click on the forget username option.
>> - The User can enter his details of the default profile.
>> - The System will match the entered details with the claims available and if they matched, the relevant username will be emailed to his email address and prompt a notification saying that an email is sent to his mail.
>> - If it doesn't match, the user will be notified telling that relevant user is not registered in the system.
>>
> We need to inform user, if multiple users matching to the given criteria. Then the user can fill additional details to recover username.
>
We should have a mechanism like captcha verification here, to avoid possible brute force attack.

>> *When Username Recovery is disabled:*
>>
>> - User portal user may not be able to recover his username.
>> - The User needs to contact the admin of the system to recover his username.
>>
>> The admin enables the username recovery in the identity.yaml file for the users in the domain. Since we have different user stores available in IS 6.0.0,
>> *Does the admin need to enable username recovery in user store wise or Does he need to configure it for the whole domain at once?*
>>
> We need to have a global configuration identity.yaml file for all the domains. It is better to have domain/roles/group wise configuration for all the identity management scenarios like account lock, password policy, password recovery, idle account suspension, force password reset, user onboarding with ask password.
>
> Thanks
> Isura.
>
>> Please provide us your comments on this point.
>>
>> Thanks,
>> Dina.
>>
>> --
>> *Dinali Rosemin Dabarera*
>> Software Engineer
>> WSO2 Lanka (pvt) Ltd.
>> Web: http://wso2.com/
>> Email : gdrdabar...@gmail.com
>> LinkedIn <https://lk.linkedin.com/in/dinalidabarera>
>> Mobile: +94770198933

Thanks,
--
Pushpalanka.
Re: [Architecture] Grouping Identity server configurations.
Hi All,

As I could deduce from the discussion so far, we are looking for 2 main purposes to be achieved with security circles.
1. Bulk configuration of service providers
2. Limiting the session sharing between service providers

*Bulk configuration of service providers*
This will be beneficial in cases,
- Many service providers are present in the environment while all have similar configurations to be applied
- In updating of service provider configurations which need the same modification.

Value addition will be less in below cases,
- Service provider configuration is not a frequent operation
- Most use cases having ~10 service providers
- If service providers do not share similar configurations

If we are moving forward with file based configuration of service providers, bulk configuration/update means file modification applied to several files. We can loosen the requirement for service providers to have same configuration, by letting service providers override it as IsharaK mentioned.

Another option is to treat claim config, provisioning config, authentication flow as different small circles. Depending on the configuration patterns, we may create new bigger circles using these small circles. With this granularity re-usability of one set of configuration will be high, but only beneficial if there is a big number of service providers. In this sense IDP can also be treated within a circle.

*Limiting the session sharing between service providers*
Assume a service provider is not allowed to be present in two security circles as that would violate the session sharing limitation for the rest of the service providers in the related circles.
Let's take 3 service providers A, B and C.
B needs to share the session with A
C needs to share the session with A
But B and C should not share the session. (not transitive)
As I understood so far, this is not possible with security circles.

Thanks,
Pushpalanka

On Mon, Nov 7, 2016 at 10:59 AM, Dimuthu Leelarathne <dimut...@wso2.com> wrote:
>
> On Sun, Oct 16, 2016 at 11:37 AM, Ishara Karunarathna <isha...@wso2.com> wrote:
>
>> Hi All,
>>
>> With the current IS implementation we have individual SP configurations and we associate authentication chains, claim, provisioning configurations etc.. to that service provider configuration.
>> As an improvement to this we can group these configurations, let's say a security circle.
>>
>> For a security circle [SC].
>> We can configure set of service providers within a SC.
>> Associate Userstores to that SC
>> Define Authentication chain, Provision config etc..
>> Configure Administration policies Ex: only users in wso2admin can manage the wso2 security circle.
>>
> According to new security model, I hope we can associate admins for SCs to achieve the exact Enterprise usecase defined in "[C5 IS] Multi-tenancy in C5 based IS".
>
> thanks,
> Dimuthu
>
>> Group authorization policies belong to this circle.
>> Once we configure those it will be applicable to all service providers and can override with SP level configurations.
>> We can have different login sessions to each circle.
>>
>> How can we use this.
>> Achieve Enterprise SaaS application use case discussed in [1]
>> No need to configure same configurations in each SP level, can inherit from SC configurations.
>> Since we are going with container base Multi tenancy in C5, if a user does not like that, it can be handled with this security circle.
>>
>> Thanks,
>> Ishara
>> [1] "[C5 IS] Multi-tenancy in C5 based IS"
>>
>> --
>> Ishara Karunarathna
>> Associate Technical Lead
>> WSO2 Inc. - lean . enterprise . middleware | wso2.com
>> email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94717996791
>
> --
> Dimuthu Leelarathne
> Director, Solutions Architecture
> WSO2, Inc. (http://wso2.com)
> email: dimut...@wso2.com
> Mobile: +94773661935
> Blog: http://muthulee.blogspot.com
> Lean . Enterprise . Middleware

--
Pushpalanka.
Re: [Architecture] [IS] Regenerating client secret/key and revoking an oauth app in OAuth 2.0 implementation
Hi All,

On Fri, Jun 3, 2016 at 5:46 PM, Prabath Siriwardana <prab...@wso2.com> wrote:
> On Thu, Jun 2, 2016 at 10:30 PM, Indunil Upeksha Rathnayake <indu...@wso2.com> wrote:
>> Hi,
>> I am working on implementing regeneration of client secret/key of an oauth app and revocation of an oauth app for the next milestone release of Identity Server. Appreciate your feedback on the following approaches I have taken.
>>
>> A trusted client would need to update the client secret/key, in order to prevent the abuse of a revealed client secret/key. So for addressing that, I am working on adding two options as *Regenerate Client Secret* and *Regenerate Consumer Key* for oauth applications in IS. After a client secret/key gets regenerated, that will immediately invalidate any active authorization code, access token or refresh token issued to the respective client.
>>
>> *Will it be necessary to add two options for revoking client secret and key or better to go for a different approach?*
>
> I guess (as discussed in this thread already) - having the ability to change the consumer secret would be enough. Changing the consumer key is a bit challenging too - we would have all the analytics data against the consumer key.

On a side note which is not directly relevant to consumer key revocation, I have seen occasions where customers wanted to decide the consumer key rather than generating them.
Use case: e.g. when they already have plenty of applications (may be mobile apps) which have an embedded consumer key and/or secret, and then, moving from the current authorization server to WSO2 Identity Server, they need to update consumer credentials in all these applications to use WSO2 generated ones, which they are reluctant to do.
While we may be able to support the above use case via an extension point, won't it be good to have a highly secured API to do it? Analytics, we may have to handle using the old-to-new consumer key mapping.

> Also - consumer key is not something someone would remember and use - so I don't think it's the same as the username - so I don't see any need to change.
>
>> And apart from that, planning for the implementation of *Revoking an oauth app*. In there the oauth app will be revoked and that also will immediately invalidate any active authorization code, access token or refresh token issued to the respective client. In order to activate the oauth app again, need to regenerate the client secret.
>>
>> *In there to activate the app, better to regenerate "both client key and secret" or "either client key or secret"?*
>
> Revoking an app means - mostly the revoking of its consumer secret (the previous scenario).
>
> Another couple of use cases we can address with this:
>
> 1. Blocking an app temporarily - Deactivate the App - and then Activate it after some time - nothing to do with the consumer secret revocation.
>
> 2. Ability to revoke an access token(s) issued on behalf of a user for a particular app.
>
> 3. Ability to revoke all the access tokens issued on behalf of a user across all the apps.
>
> Thanks & regards,
> -Prabath
>
>> Really value your ideas/suggestions on improving this feature.
>>
>> Thanks and Regards
>> --
>> Indunil Upeksha Rathnayake
>> Software Engineer | WSO2 Inc
>> Email indu...@wso2.com
>>
>> ___
>> Architecture mailing list
>> Architecture@wso2.org
>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>
> --
> Thanks & Regards,
> Prabath
>
> Twitter : @prabath
> LinkedIn : http://www.linkedin.com/in/prabathsiriwardena
> Mobile : +1 650 625 7950
> http://facilelogin.com

Thanks,
Pushpalanka.
--
Pushpalanka Jayawardhana, B.Sc.Eng.(Hons).
Senior Software Engineer, WSO2 Lanka (pvt) Ltd; wso2.com/
Mobile: +94779716248
Blog: pushpalankajaya.blogspot.com/ | LinkedIn: lk.linkedin.com/in/pushpalanka/ | Twitter: @pushpalanka
[Architecture] WSO2 Identity Server 5.2.0 Beta Released
Custom Response Type Validator class is not read under SupportedGrantTypes in Identity.xml
- IDENTITY-4381 <https://wso2.org/jira/browse/IDENTITY-4381> NullPointerException could happen in e.getCause().getCause()
- IDENTITY-4377 <https://wso2.org/jira/browse/IDENTITY-4377> Session Hijacking vulnerability at Identity Server's PassiveSTS endpoint
- IDENTITY-4371 <https://wso2.org/jira/browse/IDENTITY-4371> InfoRecoverySample build breaks
- IDENTITY-4361 <https://wso2.org/jira/browse/IDENTITY-4361> Error when adding default bps profile when database is DB2
- IDENTITY-4333 <https://wso2.org/jira/browse/IDENTITY-4333> validating the Refresh Token with database Oracle
- IDENTITY-4314 <https://wso2.org/jira/browse/IDENTITY-4314> IDENTITY-3729 Features for nested.category must use "perfect" match
- IDENTITY-4305 <https://wso2.org/jira/browse/IDENTITY-4305> Provide a target date to share the finalized 2016 IS roadmap
- IDENTITY-4255 <https://wso2.org/jira/browse/IDENTITY-4255> IDENTITY-3729 Define importFeatureDef with version match rule in carbon-identity
- IDENTITY-3948 <https://wso2.org/jira/browse/IDENTITY-3948> Required validations are not done for Callback URL for Oauth as Service Provider
- IDENTITY-3894 <https://wso2.org/jira/browse/IDENTITY-3894> [Request Path Authentication] User credential prompted even after sending right access token
- IDENTITY-3730 <https://wso2.org/jira/browse/IDENTITY-3730> IDENTITY-3729 POMs of "wso2-rampart", "wso2-wss4j", "balana" and "charon" need to be reviewed and fixed for WSO2 best practices
- IDENTITY-3648 <https://wso2.org/jira/browse/IDENTITY-3648> Update OpenSAML version to 2.6.4.

Improvements
- IDENTITY-4497 <https://wso2.org/jira/browse/IDENTITY-4497> Add PKCE Support Detection
- IDENTITY-4459 <https://wso2.org/jira/browse/IDENTITY-4459> Add the session data persistence pool size to the identity.xml
- IDENTITY-4442 <https://wso2.org/jira/browse/IDENTITY-4442> Users can disable their own accounts via the MC and Dashboard

New Features
- IDENTITY-4453 <https://wso2.org/jira/browse/IDENTITY-4453> Add PKCE Support for OAuth 2.0 Authorization Code Grant Type
- IDENTITY-4096 <https://wso2.org/jira/browse/IDENTITY-4096> SAML 2.0 token support for WS-Federation (Passive)

Patches
- IDENTITY-4449 <https://wso2.org/jira/browse/IDENTITY-4449> Data persistence is not working properly for AuthorizationGrantCache
- IDENTITY-4443 <https://wso2.org/jira/browse/IDENTITY-4443> Identity server Tenant management servlet failure
- IDENTITY-4440 <https://wso2.org/jira/browse/IDENTITY-4440> SCIM bulk update error masked by null pointer exception
- IDENTITY-4398 <https://wso2.org/jira/browse/IDENTITY-4398> Authorization code can be sent in to get access token multiple times
- IDENTITY-4395 <https://wso2.org/jira/browse/IDENTITY-4395> Identity Server URL must be configured inside EndpointConfig.properties
- IDENTITY-4393 <https://wso2.org/jira/browse/IDENTITY-4393> Openid connect is failing when using implicit grant with custom claims.
- IDENTITY-4386 <https://wso2.org/jira/browse/IDENTITY-4386> When role list has more than a single page, user can't select roles from 2 pages.
- IDENTITY-4319 <https://wso2.org/jira/browse/IDENTITY-4319> Database read inside sync block in SecurityDeploymentInterceptor

Thanks,
Pushpalanka.
Re: [Architecture] Decoupling client_id/client_secret based OAuth 2.0 client authentication from the token endpoint
+1.

SCIM endpoint supports Basic Auth and OAuth for security through a handler interface defined specifically for SCIM [1]. When implementing the DCR (Dynamic Client Registration) specification this same need occurred. If the security handlers defined inside SCIM (which serve a generic purpose) can be placed in a separate, more generic package, they can be reused in occasions like this.

[1] - https://github.com/wso2/carbon-identity/tree/master/components/scim/org.wso2.carbon.identity.scim.provider/src/main/java/org/wso2/carbon/identity/scim/provider/auth

Thanks,
Pushpalanka.

On Mon, Feb 22, 2016 at 1:42 PM, Johann Nallathamby <joh...@wso2.com> wrote:
> +1.
>
> Also these set of authenticators should be used to secure any REST endpoint that we expose, not only OAuth2. WDYT? E.g. in SCIM endpoint the authentication is baked into the SCIM code, although it has a concept of handlers. I think all these restful authentication mechanisms must unify and come under a single framework.
>
> On Mon, Feb 22, 2016 at 11:24 AM, Prabath Siriwardana <prab...@wso2.com> wrote:
>> At the moment we are coupled into HTTP basic authentication with client_id/client_secret, which is not right..
>>
>> Can we decouple this from the token endpoint..? And we should be able to develop these authenticators as independent connectors..
>>
>> WDYT...?
>>
>> --
>> Thanks & Regards,
>> Prabath
>> Twitter : @prabath
>> LinkedIn : http://www.linkedin.com/in/prabathsiriwardena
>> Mobile : +1 650 625 7950
>> http://blog.facilelogin.com
>> http://blog.api-security.org
>
> --
> Thanks & Regards,
> *Johann Dilantha Nallathamby*
> Technical Lead & Product Lead of WSO2 Identity Server
> Governance Technologies Team
> WSO2, Inc.
> lean.enterprise.middleware
> Mobile - *+9476950*
> Blog - *http://nallaa.wordpress.com <http://nallaa.wordpress.com>*
[Architecture] An API to get the count of users
Hi All,

We are in the process of addressing the following requirements related to getting the user count of a user store.

*Requirement*
Mainly (in priority order),
1. *Get the count of users in a userstore domain*
2. Get the count of users within a tenant space
3. Get the count of users having a specific claim value (count the results matching a specific claim value, e.g. number of users that have been locked, number of users from a specific country)

Additionally, the following functionality would be good to have,
1. Get the count of users across tenants

*Approaches*
1. Keep a separate database table to track the user count. Incrementally update it each time a new user is added.
   - When plugging in an existing user store, the table needs to be populated initially, once, with the existing users.
   - PR at [1] creates a table 'IDN_UID_USER' to the same user when the user name is renamed. It will be possible to use that table for this same requirement.
   - This approach does *NOT* address the 3rd requirement.
2. Execute a count query at user store manager level (this will be an API addition to carbon kernel user core)
   - This will cater for all the main requirements
   - The LDAP protocol [2] does not have a specific mention of an API for count
   - Different implementations have different approaches to achieve this.
     - OpenDS, Sun Directory Server - https://blogs.oracle.com/Ludo/entry/ldap_tip_counting_the_number
     - OpenLDAP - http://www.openldap.org/its/index.cgi/Archive.Incoming?id=4161
   - Implementing this in LDAP seems to be comparatively harder than JDBC, having to manually go through the trees.
   - With user stores having millions of users, the operation will be very time consuming. (UI might be less responsive if the API is used via the mgt console)

Appreciate your thoughts and inputs regarding this.
@Kernel team: Appreciate your feedback on feasible timelines of releasing this new API integrated with user.core, if required to do so.

[1] - Rename user https://github.com/wso2/carbon-identity/pull/437
[2] - LDAP Protocol - https://tools.ietf.org/html/rfc4511

Thanks,
Pushpalanka.
Re: [Architecture] An API to get the count of users
On Tue, Feb 9, 2016 at 4:42 PM, Selvaratnam Uthaiyashankar <shan...@wso2.com> wrote:
> Why do we need to know the count? What are the user stories?

The requirement has been raised when users are migrated from one user store to another, to check how many users have been migrated. While this information can be generated by the administrator by running a direct query on the user store, an API is good to have for others to retrieve this information. One other user story I could think of is, combined with disabled user accounts, to know the active user base of an enterprise.

> Also, this is for C4 based products? If so, IMO, this feature is not something urgent to add to C4.

This is committed for IS 5.2.0.

> On Tuesday, February 9, 2016, Pushpalanka Jayawardhana <la...@wso2.com> wrote:
>> Hi All,
>> We are in the process of addressing following requirements related to getting the user count of user store.
>
> --
> S.Uthaiyashankar
> VP Engineering
> WSO2 Inc.
> http://wso2.com/ - "lean . enterprise . middleware"
> Phone: +94 714897591

Pushpalanka.
Re: [Architecture] [IS] [Secondary User Store] Securing passwords in secondary userstore configurations
Thanks,
Pushpalanka.

On Sun, Nov 2, 2014 at 10:55 PM, Firzhan Naqash <firz...@wso2.com> wrote:

Hi All,

1. Yes, we are to only encrypt the property value. Adding more information, as I know the plan is to define something like below in the file to be encrypted.

    <Property name="ConnectionPassword" encrypted="true">admin</Property>

After encrypting the value it will be saved back as,

When we are encrypting from the GUI, we use the fields mentioned to be encrypted in Property objects. Therefore, in order to maintain consistency, we can use those fields rather than explicitly defining a property called true. That's clean and simple.

So now the developer of the user store manager controls which properties should be encrypted rather than the admin. I think it's fine as most of the time it's the password only. WDYT?

Regards,
Firzhan

On Wed, Oct 29, 2014 at 10:46 AM, Pushpalanka Jayawardhana <la...@wso2.com> wrote:
Hi,
On Wed, Oct 29, 2014 at 1:02 AM, Udara Liyanage <ud...@wso2.com> wrote:
Hi,
Isn't it better to encrypt fields of the file rather than the whole file like we do in secure vault? Please correct me if I am wrong since I am not well aware of the exact use case.

Thanks,
Pushpalanka.
Re: [Architecture] [IS] [Secondary User Store] Securing passwords in secondary userstore configurations
Hi,

On Wed, Oct 29, 2014 at 1:02 AM, Udara Liyanage <ud...@wso2.com> wrote:
Hi,
Isn't it better to encrypt fields of the file rather than the whole file like we do in secure vault? Please correct me if I am wrong since I am not well aware of the exact use case.

1. Yes, we are to only encrypt the property value. Adding more information, as I know the plan is to define something like below in the file to be encrypted.

    <Property name="ConnectionPassword" encrypted="false">admin</Property>

After encrypting the value it will be saved back as,

    <Property name="ConnectionPassword" encrypted="true">Wxy635hxahftafafetk8dsnnHkw</Property>

It would be great if there is a better way to imply which properties should be encrypted and, after encrypting, to imply that the value is encrypted.

2. An indication in the file name is added to imply whether it carries property values to be encrypted. Otherwise all the properties should be scanned blindly and checked for encryption, which seemed a waste. There is a trade-off between this cost of scanning and another convention added to the file name. I prefer a prefix rather than appending, since appending "enc" does not help someone to figure it out as a secured file at first glance. In OSes like Linux the file extension does not matter much. Is it possible for someone to have a file name like 'sec-con' (without any extension)?

Touched, not typed. Erroneous words are a feature, not a typo.

Thanks,
Pushpalanka.
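An added example, not code from this thread or from WSO2, of the property-level encryption discussed in this mail and in Firzhan's reply: only Property names the user store manager developer declares as secrets are encrypted, the encrypted="true" flag is flipped so a second pass over the file changes nothing, and loading decrypts only flagged values. It assumes AES-GCM under a throwaway demo key in place of the product's secure vault / keystore key and the "sec-" file-name prefix; the config snippet is constructed.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.*;
import javax.crypto.*;
import javax.crypto.spec.*;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.*;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.*;

public class UserStoreConfigSecrets {
    // Assumption: the user store manager developer declares which Property names are secrets
    // (Firzhan's "fields mentioned to be encrypted in Property objects"), not the admin.
    static final Set<String> SECRET_PROPERTIES = new HashSet<>(Arrays.asList("ConnectionPassword"));
    // File-name convention from the thread: a prefix marks a file that carries values to be encrypted.
    static final String SECURED_FILE_PREFIX = "sec-";
    static final SecureRandom RNG = new SecureRandom();
    static final int NONCE_BYTES = 12, TAG_BITS = 128;

    // AES-GCM with a fresh nonce per value; stored as base64(nonce || ciphertext || tag) in the text node.
    static String encrypt(SecretKey key, String plaintext) throws Exception {
        byte[] nonce = new byte[NONCE_BYTES];
        RNG.nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, nonce));
        byte[] ct = c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] out = Arrays.copyOf(nonce, nonce.length + ct.length);
        System.arraycopy(ct, 0, out, nonce.length, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }
    // The GCM tag check makes a wrong key or a tampered value fail loudly (AEADBadTagException).
    static String decrypt(SecretKey key, String encoded) throws Exception {
        byte[] in = Base64.getDecoder().decode(encoded);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, Arrays.copyOf(in, NONCE_BYTES)));
        return new String(c.doFinal(in, NONCE_BYTES, in.length - NONCE_BYTES), StandardCharsets.UTF_8);
    }

    // Encrypt each declared secret not yet flagged encrypted="true" and flip the flag.
    // Flagged values are skipped, so a second pass over an already-secured file changes nothing.
    static int protectSecrets(Document doc, SecretKey key) throws Exception {
        NodeList props = doc.getElementsByTagName("Property");
        int changed = 0;
        for (int i = 0; i < props.getLength(); i++) {
            Element p = (Element) props.item(i);
            if (!SECRET_PROPERTIES.contains(p.getAttribute("name"))) continue;
            if ("true".equalsIgnoreCase(p.getAttribute("encrypted"))) continue;
            p.setTextContent(encrypt(key, p.getTextContent()));
            p.setAttribute("encrypted", "true");
            changed++;
        }
        return changed;
    }

    // Load-time view: decrypt only values flagged encrypted="true"; everything else passes through.
    static Map<String, String> loadProperties(Document doc, SecretKey key) throws Exception {
        Map<String, String> out = new LinkedHashMap<>();
        NodeList props = doc.getElementsByTagName("Property");
        for (int i = 0; i < props.getLength(); i++) {
            Element p = (Element) props.item(i);
            String value = p.getTextContent();
            if ("true".equalsIgnoreCase(p.getAttribute("encrypted"))) value = decrypt(key, value);
            out.put(p.getAttribute("name"), value);
        }
        return out;
    }
    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD, no XXE
        return f.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }
    static String serialize(Document doc) throws Exception {
        Transformer t = TransformerFactory.newInstance().newTransformer();
        t.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
        StringWriter w = new StringWriter();
        t.transform(new DOMSource(doc), new StreamResult(w));
        return w.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed secondary user store config in the shape discussed in the thread.
        String xml = "<UserStoreManager class=\"org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager\">"
                + "<Property name=\"ConnectionName\">uid=admin,ou=system</Property>"
                + "<Property name=\"ConnectionPassword\" encrypted=\"false\">admin</Property>"
                + "</UserStoreManager>";
        byte[] raw = new byte[32]; RNG.nextBytes(raw); // demo key only; the product would use its keystore key
        SecretKey key = new SecretKeySpec(raw, "AES");
        Document doc = parse(xml);
        System.out.println("first pass encrypted " + protectSecrets(doc, key) + " value(s)");
        System.out.println("second pass encrypted " + protectSecrets(doc, key) + " value(s)");
        String secured = serialize(doc);
        System.out.println("content for " + SECURED_FILE_PREFIX + "ldap-userstore.xml:\n" + secured);
        // Reload the secured form and confirm the plaintext round-trips through the flagged path.
        Map<String, String> loaded = loadProperties(parse(secured), key);
        System.out.println("ConnectionPassword after load: " + loaded.get("ConnectionPassword"));
    }
}
```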
Re: [Architecture] Role Based Access Control (RBAC) for RDBMS based environment provisioning
Thanks,
Pushpalanka.

On Mon, Aug 18, 2014 at 10:40 PM, Dhanuka Ranasinghe <dhan...@wso2.com> wrote:

*Dhanuka Ranasinghe*
Senior Software Engineer
WSO2 Inc. ; http://wso2.com
lean . enterprise . middleware
phone : +94 715381915

On Sat, Aug 16, 2014 at 4:32 AM, Manfred Herrmann <herrmann.manf...@googlemail.com> wrote:
+1 ... for providing this capability, my comments inline:

2014-08-15 8:15 GMT+02:00 Sumedha Rubasinghe <sume...@wso2.com>:
+1 for providing the capability.

Are we going to define permissions per environment or are there going to be a static set of environments?

There is a similar mail for Cassandra in "[Architecture] Supporting multiple environments for Cassandra". This mail should be answered: http://markmail.org/message/4bnghbxw6egknfrn ... A consistent use case/architecture regarding environments is preferred.

Currently only a static set of environments is supported, but with SS 1.5.0 we gonna support user defined environments and instances.

IMO the permissions you have mentioned are too high level for this. It's more practical to associate permissions with a specific database. So having only 'Read' permission (for example) would not allow this.

Sorry about the high level description. Yes, permission is associated with databases. For example permission = database (db1) + Action (create), but again the database is located in an instance and that instance is located in an Environment. We thought to first go ahead with a simple solution and then we can improve it iteratively.

Then if you consider a particular database, real deployment scenarios would want to control who can perform CRUD on that database.

This is already supported in existing SS. It is controlled when provisioning a database to a particular user with a privilege template.

So I feel an XACML type of approach is far more practical and extensible here.

+1 for considering XACML as an option. This will allow us to make the permission model more fine grained. In addition to restricting depending on the user role, we can consider other attributes like 'within which time period a user is allowed to access the environment' etc. as well with this approach. The extensibility will come with the cost of some added complexity though.

Is this environment-architecture only for access to rss meta-data (like users/user-rights/templates...)?

Yes, partly correct, this solution only applies when users are working with SS, and this does not apply when users access external databases through the JDBC driver.

Or is it for all DB-data like access-rights (CRUD...) on/in a specific RSS provisioned DB?

On Tue, Aug 12, 2014 at 11:06 AM, Dhanuka Ranasinghe <dhan...@wso2.com> wrote:
Since SS 1.1.0 we do support the concept of environments. There can be multiple database server instances in a single environment. So according to the above use case, there can be multiple database server instances (RD and maintenance) for the Development environment. At the moment any user can access any environment configured in SS, but we need to control who and how they gonna access these environments. That is the whole purpose of RBAC. So far we have identified four permissions.

1. Access (Read)
2. Create
3. Modify
4. Delete

These permissions should be assigned to user Roles against environments. By doing that we can check whether a particular user has permission to access the environment.

Cheers,
Dhanuka

--
/sumedha
m: +94 773017743
b : bit.ly/sumedha
Re: [Architecture] Are we missing a common EmailSenderService
Hi,

+1. I also recently had a look at this component to find possibilities to send HTML formatted emails. If we can have a separate email sending service it would be better if we add this support as well. This was easily achievable with the Apache Commons Email library (http://commons.apache.org/proper/commons-email/userguide.html), keeping the freedom to send alternate text/plain as well.

Thanks,
Pushpalanka Jayawardhana
Software Engineer
WSO2 Lanka (pvt) Ltd
Mobile: +94779716248

On Tue, Jan 21, 2014 at 1:07 PM, Ashansa Perera <asha...@wso2.com> wrote:
Do we have a *service* which can be used to send emails? I found an email sender component under components/stratos. But still it is specific to stratos. Wouldn't it be useful to have a common email sending service where you can give the configuration file as a parameter? We in AppFactory wanted a similar service and we have created one [1]. But as I feel, a common email sending service would be useful platform wide. WDYT?

[1] https://svn.wso2.org/repos/wso2/scratch/appfactorycc/components/appfac/org.wso2.carbon.appfactory.utilities/1.1.0/src/main/java/org/wso2/carbon/appfactory/utilities/services/EmailSenderService.java

--
Thanks & Regards,
Ashansa Perera
Software Engineer
WSO2, Inc
Re: [Architecture] [Identity Server] Applications
Hi,

On Mon, Nov 11, 2013 at 12:43 PM, Venura Kahawala <ven...@wso2.com> wrote:
Hi Johann,
On Mon, Nov 11, 2013 at 12:15 PM, Johann Nallathamby <joh...@wso2.com> wrote:
Hi Venura,
On Mon, Nov 11, 2013 at 10:46 AM, Venura Kahawala <ven...@wso2.com> wrote:
Hi,
Is this a continuation of what we discussed during the custom permissions feature code review? Please see the comments inline...
On Mon, Nov 11, 2013 at 9:58 AM, Prabath Siriwardena <prab...@wso2.com> wrote:
Hi Johann,
Please find comments inline...
On Mon, Nov 11, 2013 at 9:35 AM, Johann Nallathamby <joh...@wso2.com> wrote:
Hi Prabath,
+1 for the concept. Some concerns and thoughts inline.. bear with me for my lengthy verbose arguments.. [?]
On Mon, Nov 11, 2013 at 3:12 AM, Prabath Siriwardena <prab...@wso2.com> wrote:

1. What is an Application under the context of Identity Server?

It's a consumer of identity attributes, roles (and groups), authentication methods/policies and authorization policies. In practice, this could be a web application, mobile application - or even a desktop application.

*- Identity attributes*

A given user can be allowed to maintain his own set of attributes against different registered Applications. (multiple profiles)

This should be a separate thread of discussion, but just so that we are on the same page here, for this we need to have the multiple profiles working with all types of user stores. Currently it works with only JDBC. As I understand there are problems with representing multiple values for attributes in a standard manner in all kinds of LDAPs. Am I right? I guess we need to figure out a way of supporting this.

Yes. The underlying user store should support this. We can support by default for both LDAP and JDBC.

*- Permission / Roles*

A given Application can maintain its own set of permissions with the Identity Server. That is, a given application can maintain its own set of resources and actions. For IS - Carbon is just another application - and its permissions / roles will be maintained as it is today.

Applications can create their own permissions of course, but do we allow them to define their own roles as well, or do they select roles from existing roles of the tenant and assign permissions to them?

Yes. Applications should be allowed to define their own roles. Those outside the permission model of Carbon.

+1 for this. This has to be done since if roles are not restricted to applications, an unintended user might get access to an application. My notion is that an application (developer) can restrict access to his/her application based on
- user stores
- trusted IdPs
- roles
- users (if this is possible then unwanted users cannot get access to the application)

I'm not clear on this approach. What you are telling here is, if I (developer) select a role for my application, then no other application developer should be able to get the same for their applications?

If we do that we can avoid changes to the current UI. But we need to identify a method to avoid concurrent modification to the same role. Maybe this is a rare case, but possible. What is the chance of you and me (both application developers) assigning the same role to different applications?

With what I have understood, I guess this can be solved if we prefix each role that is related with an application, with the appID or something that is unique to that application. We can initiate these roles from existing roles, but after it is related to an application, it will have an independent existence. In AF, they are using this prefixing to keep roles within an application.

Allowing the creation of roles in this app-mgt UI would duplicate role-mgt functionality and managing roles should be an independent concern.

We do not need to have separate UIs. We have to reuse the currently used user management UI. Carbon is once again just another application. Here we can add another parameter to the role management UI specifying the application.

If we agree with what I have mentioned above we don't need any change in this UI. We only need to list existing userstores, trusted IdPs, roles and users in the new App-Mgt UI and the application developer will choose from that list.

To reiterate, managing roles should be a separate concern which won't change from what we have now. Whether
[Architecture] Issue at tenant user login in cluster mode - Mutiple user stores active
Hi, This with regard to the issue [1], which is a known issue in IS 4.5.0. Issue reproduced with following steps. Set up cluster with two IS nodes (Depsync enabled). Create a tenant(wso2.com) Wait till the tenant is unloaded in the worker node Add a secondary user store in master node Add a user(user1) to secondary user store in master node Try to login from master node, it allows Try to login from this user(us...@wso2.com) in worker node, it fails Login as tenant admin and then try to login as user. it allows So as the tenant is unloaded in the worker node, it does not check out the added user store configuration from the SVN repo, hence users in that user store can not login at worker node. Following log can be seen in worker node, {org.wso2.carbon.core.deployment.SynchronizeRepositoryRequest} - Received [SynchronizeRepositoryRequest{tenantId=3, tenantDomain='win.com', messageId=203837d4-576b-4929-a0a1-e5efccf15b01} INFO {org.wso2.carbon.core.deployment.SynchronizeRepositoryRequest} - Tenant is not loaded. Is there a possibility to load the tenant at this cluster message receipt (if we can check whether it's to sync user stores, to avoid loading tenant at each receipt of cluster message), so that user stores will be checked out at a fair cost? Great to know any better ways to handle this and know your ideas. 
[1] - https://wso2.org/jira/browse/IDENTITY-1824

Thanks,
Pushpalanka Jayawardhana
Software Engineer
WSO2 Lanka (pvt) Ltd
Mobile: +94779716248

___
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
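As an added illustration (not part of the thread, and not WSO2 code): the two worker-node log lines quoted above are the only evidence on that node that a sync was skipped. An operator watching for the failure mode described in this mail can pair each SynchronizeRepositoryRequest "Received" line with a following "Tenant is not loaded" line and list the tenants whose user-store configuration may be stale on that node. The sample log below is constructed in the shape of the lines quoted in the mail; the second and third messageId values and the carbon.super entry are made up.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the shape of the worker-node lines quoted in the mail.
# Only the first messageId comes from the mail; the rest is made up.
SAMPLE_LOG = """\
INFO {org.wso2.carbon.core.deployment.SynchronizeRepositoryRequest} - Received [SynchronizeRepositoryRequest{tenantId=3, tenantDomain='win.com', messageId=203837d4-576b-4929-a0a1-e5efccf15b01}
INFO {org.wso2.carbon.core.deployment.SynchronizeRepositoryRequest} - Tenant is not loaded.
INFO {org.wso2.carbon.core.deployment.SynchronizeRepositoryRequest} - Received [SynchronizeRepositoryRequest{tenantId=-1234, tenantDomain='carbon.super', messageId=00000000-0000-0000-0000-000000000001}
INFO {org.wso2.carbon.core.deployment.SynchronizeRepositoryRequest} - Received [SynchronizeRepositoryRequest{tenantId=3, tenantDomain='win.com', messageId=00000000-0000-0000-0000-000000000002}
INFO {org.wso2.carbon.core.deployment.SynchronizeRepositoryRequest} - Tenant is not loaded.
"""

# Matches the request body of a "Received [...]" line.
RECEIVED_RE = re.compile(
    r"SynchronizeRepositoryRequest\{tenantId=(?P<tid>-?\d+), "
    r"tenantDomain='(?P<domain>[^']*)', messageId=(?P<mid>[0-9a-f-]+)\}"
)
NOT_LOADED_MARKER = "Tenant is not loaded"


@dataclass
class SyncStatus:
    tenant_id: int
    received: int = 0           # sync requests seen for this tenant on this node
    skipped: int = 0            # requests that were answered with "Tenant is not loaded"
    last_skipped: bool = False  # True when the most recent request was skipped
    last_message_id: str = ""   # messageId of the most recent request


def find_skipped_syncs(log_text: str) -> Dict[str, SyncStatus]:
    """Pair each Received line with the outcome line that follows it.

    A "Tenant is not loaded" line is attributed to the most recent Received
    line; one without a preceding request is ignored.
    """
    statuses: Dict[str, SyncStatus] = {}
    pending = None  # tenant domain of the last Received line awaiting its outcome
    for line in log_text.splitlines():
        m = RECEIVED_RE.search(line)
        if m:
            domain = m.group("domain")
            st = statuses.setdefault(domain, SyncStatus(int(m.group("tid"))))
            st.received += 1
            st.last_skipped = False
            st.last_message_id = m.group("mid")
            pending = domain
        elif NOT_LOADED_MARKER in line and pending is not None:
            st = statuses[pending]
            st.skipped += 1
            st.last_skipped = True
            pending = None
    return statuses


def stale_tenants(statuses: Dict[str, SyncStatus]) -> List[str]:
    """Tenants whose latest sync request was skipped, i.e. whose user-store
    configuration on this node may not match the master node."""
    return sorted(d for d, st in statuses.items() if st.last_skipped)


if __name__ == "__main__":
    result = find_skipped_syncs(SAMPLE_LOG)
    for domain, st in result.items():
        print(f"{domain}: received={st.received} skipped={st.skipped} last={st.last_message_id}")
    print("possibly stale on this node:", stale_tenants(result))
```

Run against a real worker-node log the same way; a tenant listed as stale is exactly the situation the mail describes, where logins against a newly added user store fail on that node until the tenant is loaded.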
Re: [Architecture] Issue at tenant user login in cluster mode - Multiple user stores active
Thanks,
Pushpalanka Jayawardhana
Software Engineer
WSO2 Lanka (pvt) Ltd
Mobile: +94779716248

On Thu, Sep 26, 2013 at 5:26 PM, Prabath Siriwardena prab...@wso2.com wrote:

> +1 for that.. Only downside - tenant is loaded not on demand..
>
> Another approach is.. Currently the tenant is loaded by looking at the URL.. say for example - if the URL says /t/wso2.com - this will make wso2.com to be loaded if it is not loaded already. The issue with authentication is - we do not know the tenant of the user from the URL. But the client (say the UI which accepts user credentials) knows the tenant of the user - by the user name (but the backend cannot derive it - as the user name comes in different places in different scenarios).. So - what the client can do is - in authentication calls - we send the tenant domain of the user in an HTTP header - say tenat_domain. Now - the interceptor will look into the URL (most of the cases) and if no tenant info is there, will look into the tenat_domain HTTP header and load the corresponding tenant..

Thanks a lot for the ideas..

Won't it be late to load the tenant at this moment? As the changes need to be checked out from the repo for authentication to be successful, are we to hold the decision using some mechanism till the checkout completes?

> Thanks & regards,
> -Prabath
>
> On Thu, Sep 26, 2013 at 5:10 PM, Afkham Azeez az...@wso2.com wrote:
>
>> Hmm... very interesting problem :)
>>
>> What we could do is this... We can implement a LoadTenant cluster message. When that is received, all nodes would load the tenants. We can get depsync to follow. That way, every node will properly load the new user stores. IS can send this message.
>>
>> Azeez
>>
>> On Thu, Sep 26, 2013 at 4:56 PM, Pushpalanka Jayawardhana la...@wso2.com wrote:
>>
>>> Hi,
>>>
>>> This is with regard to the issue [1], which is a known issue in IS 4.5.0. The issue was reproduced with the following steps:
>>>
>>> 1. Set up a cluster with two IS nodes (Depsync enabled).
>>> 2. Create a tenant (wso2.com).
>>> 3. Wait till the tenant is unloaded in the worker node.
>>> 4. Add a secondary user store in the master node.
>>> 5. Add a user (user1) to the secondary user store in the master node.
>>> 6. Try to login from the master node; it allows.
>>> 7. Try to login as this user (us...@wso2.com) in the worker node; it fails.
>>> 8. Login as tenant admin and then try to login as the user; it allows.
>>>
>>> So as the tenant is unloaded in the worker node, it does not check out the added user store configuration from the SVN repo, hence users in that user store cannot login at the worker node. The following log can be seen in the worker node:
>>>
>>> {org.wso2.carbon.core.deployment.SynchronizeRepositoryRequest} - Received [SynchronizeRepositoryRequest{tenantId=3, tenantDomain='win.com', messageId=203837d4-576b-4929-a0a1-e5efccf15b01}
>>> INFO {org.wso2.carbon.core.deployment.SynchronizeRepositoryRequest} - Tenant is not loaded.
>>>
>>> Is there a possibility to load the tenant at this cluster message receipt (if we can check whether it's to sync user stores, to avoid loading the tenant at each receipt of a cluster message), so that user stores will be checked out at a fair cost? Great to know any better ways to handle this and your ideas.
>>>
>>> [1] - https://wso2.org/jira/browse/IDENTITY-1824
>>>
>>> Thanks,
>>> Pushpalanka Jayawardhana
>>
>> --
>> Afkham Azeez
>> Director of Architecture; WSO2, Inc.; http://wso2.com
>> Member; Apache Software Foundation; http://www.apache.org/
>> email: az...@wso2.com
>> cell: +94 77 3320919
>> blog: http://blog.afkham.org
>> twitter: http://twitter.com/afkham_azeez
>> linked-in: http://lk.linkedin.com/in/afkhamazeez
>> Lean . Enterprise . Middleware
>
> --
> Thanks & Regards,
> Prabath
> Mobile : +94 71 809 6732
> http://blog.facilelogin.com
> http://RampartFAQ.com
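An added sketch of the tenant-resolution order Prabath proposes in the message above (my code, not WSO2's interceptor): the URL form /t/<domain>/... is consulted first, and the header only when the URL names no tenant, so a client cannot override a tenant the URL already names. The header name is taken as spelled in the mail. The DNS-style domain check and the known_tenants lookup are my additions: they stop a client-supplied header value from triggering a tenant load for a name that does not exist or is not a domain at all.

```python
import re
from typing import Mapping, Optional, Set, Tuple

# Header name exactly as proposed in the mail above.
TENANT_HEADER = "tenat_domain"

# Assumption (not from the thread): the URL form is /t/<domain>/... as described,
# and a tenant domain is a DNS-style name. Anything else is rejected before a
# tenant load is attempted.
PATH_RE = re.compile(r"^/t/([^/]+)(?:/|$)")
DOMAIN_RE = re.compile(
    r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$"
)


def tenant_from_path(path: str) -> Optional[str]:
    """Tenant domain from a /t/<domain>/... URL, or None when the URL carries none."""
    m = PATH_RE.match(path)
    return m.group(1) if m else None


def resolve_tenant(path: str, headers: Mapping[str, str],
                   known_tenants: Set[str]) -> Optional[Tuple[str, str]]:
    """Decide which tenant (if any) this request should cause to be loaded.

    Returns (domain, source) with source "url" or "header", or None when no
    usable tenant was supplied. known_tenants stands in for the tenant
    registry (assumed); a name not in it is never loaded on a client's say-so.
    """
    candidate = tenant_from_path(path)
    source = "url"
    if candidate is None:
        # Header names are case-insensitive; the header is a fallback only.
        lowered = {k.lower(): v for k, v in headers.items()}
        candidate = lowered.get(TENANT_HEADER)
        source = "header"
    if candidate is None:
        return None
    candidate = candidate.strip().lower()
    if not DOMAIN_RE.match(candidate) or candidate not in known_tenants:
        return None
    return candidate, source


if __name__ == "__main__":
    tenants = {"wso2.com", "other.com"}
    print(resolve_tenant("/t/wso2.com/carbon/admin/login.jsp", {}, tenants))
    print(resolve_tenant("/services/AuthenticationAdmin",
                         {"Tenat_Domain": "wso2.com"}, tenants))
    print(resolve_tenant("/services/AuthenticationAdmin",
                         {"tenat_domain": "../etc"}, tenants))
```

The two-step order also answers the concern raised in the same message: the header path only runs for requests whose URL carries no tenant segment, which in the thread's description is the authentication call, so ordinary /t/ requests behave exactly as today.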
Re: [Architecture] Issue at tenant user login in cluster mode - Multiple user stores active
Thanks,
Pushpalanka Jayawardhana
Software Engineer
WSO2 Lanka (pvt) Ltd
Mobile: +94779716248

On Thu, Sep 26, 2013 at 10:08 PM, Prabath Siriwardena prab...@wso2.com wrote:

>> Won't it be late to load the tenant at this moment? As the changes need to be checked out from the repo for authentication to be successful, are we to hold the decision using some mechanism till the checkout completes?
>
> This is the same behavior you see when you login to the management console now. The user is authenticated and redirected to its tenant /t/wso2.com - now the tenant will be loaded...

What I thought was, at tenant loading what it does is building the user store manager chain from the config files that are already there in the relevant 'userstores' folder. Depsync will happen after this step, so the new file is still not checked out. Please correct me if I'm wrong.

> Thanks & regards,
> -Prabath
>
> On Thu, Sep 26, 2013 at 5:10 PM, Afkham Azeez az...@wso2.com wrote:
>
>> Hmm... very interesting problem :)
>>
>> What we could do is this... We can implement a LoadTenant cluster message. When that is received, all nodes would load the tenants. We can get depsync to follow. That way, every node will properly load the new user stores. IS can send this message.
>>
>> Azeez
>>
>> On Thu, Sep 26, 2013 at 4:56 PM, Pushpalanka Jayawardhana la...@wso2.com wrote:
>>
>>> Hi,
>>>
>>> This is with regard to the issue [1], which is a known issue in IS 4.5.0. The issue was reproduced with the following steps:
>>>
>>> 1. Set up a cluster with two IS nodes (Depsync enabled).
>>> 2. Create a tenant (wso2.com).
>>> 3. Wait till the tenant is unloaded in the worker node.
>>> 4. Add a secondary user store in the master node.
>>> 5. Add a user (user1) to the secondary user store in the master node.
>>> 6. Try to login from the master node; it allows.
>>> 7. Try to login as this user (us...@wso2.com) in the worker node; it fails.
>>> 8. Login as tenant admin and then try to login as the user; it allows.
>>>
>>> So as the tenant is unloaded in the worker node, it does not check out the added user store configuration from the SVN repo, hence users in that user store cannot login at the worker node. The following log can be seen in the worker node:
>>>
>>> {org.wso2.carbon.core.deployment.SynchronizeRepositoryRequest} - Received [SynchronizeRepositoryRequest{tenantId=3, tenantDomain='win.com', messageId=203837d4-576b-4929-a0a1-e5efccf15b01}
>>> INFO {org.wso2.carbon.core.deployment.SynchronizeRepositoryRequest} - Tenant is not loaded.
>>>
>>> Is there a possibility to load the tenant at this cluster message receipt (if we can check whether it's to sync user stores, to avoid loading the tenant at each receipt of a cluster message), so that user stores will be checked out at a fair cost? Great to know any better ways to handle this and your ideas.
>>>
>>> [1] - https://wso2.org/jira/browse/IDENTITY-1824
>>>
>>> Thanks,
>>> Pushpalanka Jayawardhana
>>
>> --
>> Afkham Azeez
>> Director of Architecture; WSO2, Inc.
>
> --
> Thanks & Regards,
> Prabath
Re: [Architecture] Apple push strategy
Hi,

In the APNS connector the notnoop java-apns jar is packed into the connector zip and uploaded [1]. It can be used once the proper security certificates are given to connect to the APNS server at configuration (explained in the docs [2]). At the moment this is not created as an orbit. We can work on making the apns.jar an orbit bundle.

[1] - https://svn.wso2.com/wso2/repo/intern/ipass-cloud-connectors/applepush/new_class_mediator/
[2] - https://svn.wso2.com/wso2/repo/intern/ipass-cloud-connectors/applepush/Documents/

Thanks,
Pushpalanka Jayawardhana
Software Engineer
WSO2 Lanka (pvt) Ltd
Mobile: +94779716248

On Sat, Aug 3, 2013 at 10:37 PM, Dilshan Edirisuriya dils...@wso2.com wrote:

> Hi,
>
> We will be using notnoop [1] for Apple push notifications in MDM. This has been discussed in a separate thread (related to the ESB cloud connector) and the license was approved to use as well. Not sure whether this has been implemented at the moment. Is there any way we can make use of this (if this has been created as an orbit), or can't we create a generic module for this to be used by anyone? Right now our plan is to embed this inside the MDM Jaggery app as an external jar.
>
> [1] - https://github.com/notnoop/java-apns
>
> Regards,
> Dilshan
Re: [Architecture] Synching Configurations across the clusters
Thanks all for the ideas. Will be moving forward with option 2.

repository/conf/userstores/user-mgt.xml
repository/conf/tenants/1/userstores/user-mgt.xml - configuration for tenant with tenant-id: 1
repository/conf/tenants/2/userstores/user-mgt.xml - configuration for tenant with tenant-id: 2

So a product will have 2 locations inside repository/conf to be synced with dep-sync:
- repository/conf/userstores ('userstores' just to avoid syncing all content in the conf directory) and
- repository/conf/tenants

Thanks,
Pushpalanka Jayawardhana
Software Engineer
WSO2 Lanka (pvt) Ltd
Mobile: +94779716248

On Tue, Jun 25, 2013 at 11:46 AM, Dhanuka Ranasinghe dhan...@wso2.com wrote:

> Hi,
>
> I am not much aware of the carbon architecture, but have a few thoughts to achieve the above requirements.
>
> 1. Having a highly available (HA) singleton service (through MBeans), then make sure it is active only in the master node.
> 2. When the master node is down, one of the other members in the cluster becomes the master node and its HA service will be activated.
> 3. All the configurations are done and read through that HA service; by doing this, whether it's a UI or local file system change, it will be synched every time with every member.
>
> Cheers,
> Dhanuka
>
> Dhanuka Ranasinghe
> Senior Software Engineer
> WSO2 Inc. ; http://wso2.com
> lean . enterprise . middleware
> phone : +94 715381915
>
> On Fri, May 31, 2013 at 2:41 PM, Srinath Perera srin...@wso2.com wrote:
>
>> Hi All,
>>
>> Azeez and myself were chatting, and following are some of the conflicting requirements.
>>
>> 1. Like to edit configs from the file system and via UI, avoiding two copies if possible (have to avoid the case where we edit the file, then we edit via UI and lose the file updates).
>> 2. Need a way to sync configs across the cluster.
>> 3. Make the sync model clear and consistent for both configs and artifacts (currently we use dep-sync only with artifacts).
>> 4. Like to sync only one folder in the product with dep-sync.

^This will not be achieved with the option.

>> 5. We should not do product folder structure before major release (C5?)
>>
>> We need to find the best solution out of that.
>>
>> --Srinath
>>
>> On Thu, May 30, 2013 at 9:20 PM, Senaka Fernando sen...@wso2.com wrote:
>>
>>> Hi Srinath,
>>>
>>> IMHO, relying on a dep-sync-based model sounds appropriate here. We can have several strategies for dep-sync (i.e. registry, svn, manual etc), but the server will be driven by what's on the filesystem. IMHO, that's very straightforward. And, I think we need to first of all figure out what's going to be sync'ed and what's not. When it comes to some configuration files it might make sense to sync portions and keep some static. In that case, do we need to split those files in two? Also, we need to focus on the things that change across environments and things that don't for the server configuration, as in the CAR-based Governance Story for ESB configurations. Also, the dep-sync's notification model should work like the hierarchical cache invalidation model that Azeez proposed, making sure that things will scale.
>>>
>>> Thanks,
>>> Senaka.
>>>
>>> On Thu, May 30, 2013 at 4:46 PM, Jeewantha Dharmaparakrama jeewan...@wso2.com wrote:
>>>
>>>> Hi Srinath,
>>>>
>>>> If the node which detects the change in its config file redeploys the config in every other node explicitly, we can ensure that every node sees the change, since there will always be one node which is responsible for informing the others. I guess that's what depsync does IINM. If the config is stored in a central place, every node will have to pull the change from that place. Here, if one node fails to redeploy the change, other nodes will be unaware of it, so the system will be unstable. IMHO we should prefer the former.
>>>>
>>>> Jeewantha
>>>>
>>>> On Thu, May 30, 2013 at 3:44 PM, Srinath Perera srin...@wso2.com wrote:
>>>>
>>>>> Hi All,
>>>>>
>>>>> We just finished a review on the UI for user stores and figured we are doing this in several ways. Pradeep, Prabath, and myself had a chat, and following are our thoughts.
>>>>>
>>>>> We have different types of configurations with the carbon server:
>>>>> 1) Some apply only to one node (e.g. carbon.xml, registry.xml ..)
>>>>> 2) Some might be useful across
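An added helper (my code, not the deployment synchronizer's) that classifies a changed file against the two dep-sync locations chosen as option 2 in the message above: it reports whether a path belongs to the super-tenant folder or to a numbered tenant folder, and which file under it changed, after normalising the path so that a '..' component cannot place a file outside those two folders. The rule that a tenant folder name must be numeric is my assumption, taken from the tenant-id examples in the mail.

```python
import posixpath
import re
from typing import Optional, Tuple

# The two locations the thread settles on ("option 2").
SUPER_TENANT_DIR = "repository/conf/userstores"
TENANTS_DIR = "repository/conf/tenants"

# Assumption: tenant folders are named by numeric tenant id, as in the mail's examples.
TENANT_RE = re.compile(r"^" + re.escape(TENANTS_DIR) + r"/(\d+)/userstores/(.+)$")


def classify_synced_path(path: str) -> Optional[Tuple[str, Optional[int], str]]:
    """Map a changed file to (scope, tenant_id, relative_file).

    scope is "super" for files under repository/conf/userstores and "tenant"
    for files under repository/conf/tenants/<id>/userstores. Returns None for
    any path outside those two folders, including paths that only appear to be
    inside them because of '..' components.
    """
    # Fold '.' and '..' first so the prefix checks see the real location.
    norm = posixpath.normpath(path.replace("\\", "/")).lstrip("/")
    if norm.startswith(SUPER_TENANT_DIR + "/"):
        return ("super", None, norm[len(SUPER_TENANT_DIR) + 1:])
    m = TENANT_RE.match(norm)
    if m:
        return ("tenant", int(m.group(1)), m.group(2))
    return None


if __name__ == "__main__":
    for p in (
        "repository/conf/userstores/user-mgt.xml",
        "repository/conf/tenants/2/userstores/user-mgt.xml",
        "repository/conf/carbon.xml",
        "repository/conf/tenants/1/userstores/../../../carbon.xml",
    ):
        print(p, "->", classify_synced_path(p))
```

A dep-sync consumer that only accepts files this function classifies keeps the promise in the mail, that nothing else under repository/conf is touched by the sync, even if a malformed or traversing path arrives in a change set.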
Re: [Architecture] Synching Configurations across the clusters
Pushpalanka Jayawardhana
Software Engineer
WSO2 Lanka (pvt) Ltd
Mobile: +94779716248

On Tue, Jun 25, 2013 at 4:00 PM, Amila Suriarachchi am...@wso2.com wrote:

> On Tue, Jun 25, 2013 at 3:05 PM, Pushpalanka Jayawardhana la...@wso2.com wrote:
>
>> Thanks all for the ideas. Will be moving forward with option 2.
>>
>> repository/conf/userstores/user-mgt.xml
>> repository/conf/tenants/1/userstores/user-mgt.xml - configuration for tenant with tenant-id: 1
>> repository/conf/tenants/2/userstores/user-mgt.xml - configuration for tenant with tenant-id: 2
>
> Technically speaking this is not correct. user-mgt.xml is used to configure the UserRealm, not only the userstore. So it should be usermanager. But in this case what we want to dep-sync is only the userstores, so my suggestion is to put them under a userstores folder with the store name, e.g.
>
> repository/deployment/server/userstores/userstore1.xml
> repository/deployment/server/userstores/userstore2.xml
>
> For an example, if we change one userstore there is no reason to dep-sync all of user-mgt.xml and re-initialise all user stores.

As I have understood, still we will have to re-initialise all user stores, unless we are adding or deleting a secondary user store at the very end of the chain. This is because the order of the secondary user stores matters, and at deletion or insertion we need to update with the new order. Correct me if I am wrong.

> thanks,
> Amila.
>
>> So a product will have 2 locations inside repository/conf to be synced with dep-sync:
>> - repository/conf/userstores ('userstores' just to avoid syncing all content in the conf directory) and
>> - repository/conf/tenants
>>
>> Thanks,
>> Pushpalanka Jayawardhana
>>
>> On Tue, Jun 25, 2013 at 11:46 AM, Dhanuka Ranasinghe dhan...@wso2.com wrote:
>>
>>> Hi,
>>>
>>> I am not much aware of the carbon architecture, but have a few thoughts to achieve the above requirements.
>>>
>>> 1. Having a highly available (HA) singleton service (through MBeans), then make sure it is active only in the master node.
>>> 2. When the master node is down, one of the other members in the cluster becomes the master node and its HA service will be activated.
>>> 3. All the configurations are done and read through that HA service; by doing this, whether it's a UI or local file system change, it will be synched every time with every member.
>>>
>>> Cheers,
>>> Dhanuka
>>>
>>> On Fri, May 31, 2013 at 2:41 PM, Srinath Perera srin...@wso2.com wrote:
>>>
>>>> Hi All,
>>>>
>>>> Azeez and myself were chatting, and following are some of the conflicting requirements.
>>>>
>>>> 1. Like to edit configs from the file system and via UI, avoiding two copies if possible (have to avoid the case where we edit the file, then we edit via UI and lose the file updates).
>>>> 2. Need a way to sync configs across the cluster.
>>>> 3. Make the sync model clear and consistent for both configs and artifacts (currently we use dep-sync only with artifacts).
>>>> 4. Like to sync only one folder in the product with dep-sync.
>> ^This will not be achieved with the option.
>>>> 5. We should not do product folder structure before major release (C5?)
>>>>
>>>> We need to find the best solution out of that.
>>>>
>>>> --Srinath
>>>>
>>>> On Thu, May 30, 2013 at 9:20 PM, Senaka Fernando sen...@wso2.com wrote:
>>>>
>>>>> Hi
Re: [Architecture] Synching Configurations across the clusters
Hi All,

Following is how we are to use dep-sync to sync user store configurations across clusters, with some inputs from Charitha, Prabath and Pradeep.

- repository/conf/userstores/user-mgt.xml - configuration of super admin
- repository/conf/userstores/tenants/1/user-mgt.xml - configuration for tenant with tenant-id: 1
- repository/conf/userstores/tenants/2/user-mgt.xml - configuration for tenant with tenant-id: 2
  ... likewise

1. This is similar to the structure used in deploying artifacts at repository/tenants/1/ for tenants, as currently existing.
2. So we already have two folders synced with dep-sync in a product: one at repository/deployment/server/ and one at repository/tenants/.
3. We are to add one more folder to be synced with dep-sync at repository/conf/userstores/.

Correct me if I have got anything wrong. Glad to know any concerns or thoughts.

Thanks,
Pushpalanka Jayawardhana
Software Engineer
WSO2 Lanka (pvt) Ltd
Mobile: +94779716248

On Fri, May 31, 2013 at 2:52 PM, Prabath Siriwardena prab...@wso2.com wrote:

> I guess a dep sync based approach will solve these...
>
> Thanks & regards,
> -Prabath
>
> On Fri, May 31, 2013 at 2:41 PM, Srinath Perera srin...@wso2.com wrote:
>
>> Hi All,
>>
>> Azeez and myself were chatting, and following are some of the conflicting requirements.
>>
>> 1. Like to edit configs from the file system and via UI, avoiding two copies if possible (have to avoid the case where we edit the file, then we edit via UI and lose the file updates).
>> 2. Need a way to sync configs across the cluster.
>> 3. Make the sync model clear and consistent for both configs and artifacts (currently we use dep-sync only with artifacts).
>> 4. Like to sync only one folder in the product with dep-sync.
>> 5. We should not do product folder structure before major release (C5?)
>>
>> We need to find the best solution out of that.
>>
>> --Srinath
>>
>> On Thu, May 30, 2013 at 9:20 PM, Senaka Fernando sen...@wso2.com wrote:
>>
>>> Hi Srinath,
>>>
>>> IMHO, relying on a dep-sync-based model sounds appropriate here. We can have several strategies for dep-sync (i.e. registry, svn, manual etc), but the server will be driven by what's on the filesystem. IMHO, that's very straightforward. And, I think we need to first of all figure out what's going to be sync'ed and what's not. When it comes to some configuration files it might make sense to sync portions and keep some static. In that case, do we need to split those files in two? Also, we need to focus on the things that change across environments and things that don't for the server configuration, as in the CAR-based Governance Story for ESB configurations. Also, the dep-sync's notification model should work like the hierarchical cache invalidation model that Azeez proposed, making sure that things will scale.
>>>
>>> Thanks,
>>> Senaka.
>>>
>>> On Thu, May 30, 2013 at 4:46 PM, Jeewantha Dharmaparakrama jeewan...@wso2.com wrote:
>>>
>>>> Hi Srinath,
>>>>
>>>> If the node which detects the change in its config file redeploys the config in every other node explicitly, we can ensure that every node sees the change, since there will always be one node which is responsible for informing the others. I guess that's what depsync does IINM. If the config is stored in a central place, every node will have to pull the change from that place. Here, if one node fails to redeploy the change, other nodes will be unaware of it, so the system will be unstable. IMHO we should prefer the former.
>>>>
>>>> Jeewantha
>>>>
>>>> On Thu, May 30, 2013 at 3:44 PM, Srinath Perera srin...@wso2.com wrote:
>>>>
>>>>> Hi All,
>>>>>
>>>>> We just finished a review on the UI for user stores and figured we are doing this in several ways. Pradeep, Prabath, and myself had a chat, and following are our thoughts.
>>>>>
>>>>> We have different types of configurations with the carbon server:
>>>>> 1) Some apply only to one node (e.g. carbon.xml, registry.xml ..)
>>>>> 2) Some might be useful across a cluster, but we ask users to copy it to all the nodes (e.g. data sources, xacml policies, keystores ??)
>>>>> 3) It is proposed that we will automatically replicate user-store configurations using the deployment synchronizer when one is added to one node. To share the same
Re: [Architecture] Synching Configurations across the clusters
Pushpalanka Jayawardhana
Software Engineer
WSO2 Lanka (pvt) Ltd

On Tue, Jun 25, 2013 at 12:05 AM, Prabath Siriwardena prab...@wso2.com wrote:

> +1

repository/conf/user-mgt.xml
repository/conf/tenants/1/user-mgt.xml - configuration for tenant with tenant-id: 1
repository/conf/tenants/2/user-mgt.xml - configuration for tenant with tenant-id: 2

OR

repository/conf/userstores/user-mgt.xml
repository/conf/tenants/1/userstores/user-mgt.xml - configuration for tenant with tenant-id: 1
repository/conf/tenants/2/userstores/user-mgt.xml - configuration for tenant with tenant-id: 2

If we use the first one, then the folder to sync using dep-sync will be the conf directory, which has many other configuration files which are not yet required to be synced. If it is ok to sync them too, then it's fine. The second option narrows down what is to be synced, but still has two folders to sync: 'repository/conf/userstores/' and 'repository/conf/tenants'. (With the fact that the default user-mgt.xml is also going to be modified, and those modifications need to be populated in the cluster too, in addition to those of tenants.)

> Thanks & regards,
> -Prabath
>
> On Mon, Jun 24, 2013 at 11:55 PM, Pradeep Fernando prad...@wso2.com wrote:
>
>> --Pradeep
>> sent from my phone
>>
>> On Jun 24, 2013 11:25 PM, Pushpalanka Jayawardhana la...@wso2.com wrote:
>>
>>> Hi All,
>>>
>>> Following is how we are to use dep-sync to sync user store configurations across clusters, with some inputs from Charitha, Prabath and Pradeep.
>>>
>>> repository/conf/userstores/user-mgt.xml - configuration of super admin
>>> repository/conf/userstores/tenants/1/user-mgt.xml - configuration for tenant with tenant-id: 1
>>> repository/conf/userstores/tenants/2/user-mgt.xml - configuration for tenant with tenant-id: 2
>>> ... likewise
>>
>> Is it possible to have the tenant directory structure independent from the user store directory? In the future there will be a few config files with similar requirements, I believe...
>>
>>> This is similar to the structure used in deploying artifacts at repository/tenants/1/ for tenants, as currently existing. So we already have two folders synced with dep-sync in a product: one at repository/deployment/server/ and one at repository/tenants/. We are to add one more folder to be synced with dep-sync at repository/conf/userstores/.
>>>
>>> Correct me if I have got anything wrong. Glad to know any concerns or thoughts.
>>>
>>> Thanks,
>>> Pushpalanka Jayawardhana
>>> Software Engineer
>>> WSO2 Lanka (pvt) Ltd
>>> Mobile: +94779716248
>>>
>>> On Fri, May 31, 2013 at 2:52 PM, Prabath Siriwardena prab...@wso2.com wrote:
>>>
>>>> I guess a dep sync based approach will solve these...
>>>>
>>>> Thanks & regards,
>>>> -Prabath
>>>>
>>>> On Fri, May 31, 2013 at 2:41 PM, Srinath Perera srin...@wso2.com wrote:
>>>>
>>>>> Hi All,
>>>>>
>>>>> Azeez and myself were chatting, and following are some of the conflicting requirements.
>>>>>
>>>>> 1. Like to edit configs from the file system and via UI, avoiding two copies if possible (have to avoid the case where we edit the file, then we edit via UI and lose the file updates).
>>>>> 2. Need a way to sync configs across the cluster.
>>>>> 3. Make the sync model clear and consistent for both configs and artifacts (currently we use dep-sync only with artifacts).
>>>>> 4. Like to sync only one folder in the product with dep-sync.
>>>>> 5. We should not do product folder structure before major release (C5?)
>>>>>
>>>>> We need to find the best solution out of that.
>>>>>
>>>>> --Srinath
>>>>>
>>>>> On Thu, May 30, 2013 at 9:20 PM, Senaka Fernando sen...@wso2.com wrote:
>>>>>
>>>>>> Hi Srinath,
>>>>>>
>>>>>> IMHO, relying on a dep-sync-based model sounds appropriate here. We can have several strategies for dep-sync (i.e. registry, svn, manual etc), but the server will be driven by what's on the filesystem. IMHO, that's very straightforward. And, I think we need to first of all figure out what's going to be sync'ed and what's not. When it comes to some configuration files it might make sense to sync portions and keep some static. In that case, do we need to split those files in two? Also, we need to focus on the things that change across environments and things that don't for the server configuration, as in the CAR-based Governance Story for ESB configurations. Also, the dep-sync's notification model should work like the hierarchical cache invalidation model that Azeez proposed, making sure that things will scale.
>>>>>>
>>>>>> Thanks,
>>>>>> Senaka.
>>>>>>
>>>>>> On Thu, May 30, 2013 at 4:46 PM, Jeewantha Dharmaparakrama jeewan
Re: [Architecture] User Store Manager Configuration UI - New Feature
Hi,

Please find the slides for today's design review here:
https://docs.google.com/a/wso2.com/presentation/d/11lGLIXoeIm8TDV8vKcypLSk8Ksk-p1mrU3sqWHJD-8g/edit?usp=sharing

Thanks,
Pushpalanka Jayawardhana
Software Engineer
WSO2 Lanka (pvt) Ltd
Mobile: +94779716248

On Wed, May 29, 2013 at 1:57 PM, Dimuthu Leelarathne <dimut...@wso2.com> wrote:

+1. Please invite me to the review as well.

thanks,
dimuthu

On Tue, May 28, 2013 at 7:47 AM, Srinath Perera <srin...@wso2.com> wrote:

Have we reviewed this? Shall I schedule?

--Srinath

The earlier discussion in this thread, in chronological order:

On Fri, May 24, 2013 at 9:51 PM, Amila Suriarachchi <am...@wso2.com> wrote, quoting Pushpalanka's original mail:

- Saving data inserted via UI, at finish - This has a few options. Please advise on the best to use:
  - Update the RealmService with the new configuration and then write the updated RealmConfiguration into user-mgt.xml (this newly created file will trigger the Axis2 deployer as a new file addition, which is not needed).
  - Write the updated details into user-mgt.xml. Even if only one UserStoreManager is edited, the whole user-mgt.xml has to be read in, the new one placed in the relevant order, and the others' order updated accordingly.

[Amila:] The idea is to create a separate file per user store. You can save this file with the user store name. Then update only that file.

thanks,
Amila.

On Mon, May 27, 2013 at 3:06 PM, Prabath Siriwardena <prab...@wso2.com> wrote:

I don't think we need to keep files per user store. We can persist the changes to the user-mgt.xml itself and keep different user-mgt.xml files per tenant..

Thanks & regards,
-Prabath

On Mon, May 27, 2013 at 4:04 PM, Amila Suriarachchi <am...@wso2.com> wrote:

As we discussed last time, user-mgt.xml is used to represent the realm, which consists of user store, authorization manager, claim manager etc. ... Since the authorization manager and claim manager stuff are already multi-tenanted, we don't need to have a user-mgt.xml per tenant. Here the requirement is to let users add their user stores to the system. So adding stores as separate xml files simplifies the design. These user stores do not need to support MT since they are specific to a tenant.

thanks,
Amila.

On Mon, May 27, 2013 at 5:01 PM, Prabath Siriwardena <prab...@wso2.com> wrote:

I think that approach would be more scattered - to have multiple files by user store..

Thanks & regards,
-Prabath

On Mon, May 27, 2013 at 5:13 PM, Amila Suriarachchi <am...@wso2.com> wrote:

This is the approach we follow for proxy services, CEP buckets etc... For example, earlier we had only synapse.xml and cep-config.xml to define all. But now we have separate ones. Another advantage is we need to update only one store. For example, if everyone edits the same user-mgt.xml, then when a user adds one user store, I think all other stores need to update as well, since for the deployment engine it is an update of the file.

thanks,
Amila.

On Mon, May 27, 2013 at 5:30 PM, Prabath Siriwardena <prab...@wso2.com> wrote:

My argument is - this is different from other service artifacts.. These operations do not happen frequently - so - I guess having a single file would make things simple...

Thanks & regards,
-Prabath

On Mon, May 27, 2013 at 5:42 PM, Amila Suriarachchi <am...@wso2.com> wrote:

IMHO the main point is, it is not the correct design. Please see this reply:

> As we discussed last time, user-mgt.xml is used to represent the realm, which consists of user store, authorization manager, claim manager etc. ... Since the authorization manager and claim manager stuff are already multi-tenanted, we don't need to have a user-mgt.xml per tenant.

Anyway, let's do a code review after implementing this either way.

thanks,
Amila.

--
Thanks,
Pushpalanka Jayawardhana
Software Engineer
WSO2 Lanka (pvt) Ltd