Re: [Architecture] Dropping Unregistered Scope(s) from OAuth Request in IS.

2020-03-10 Thread Sarubi Thillainathan
Hi Johann/All,

We had a couple of discussions with the team, and there we decided *not to
drop the unregistered scopes from OAuth Request in IS*. But as mentioned
earlier, from IS 5.10.0 we'll be more descriptive and show the display name
of the scope and its description as well when we are getting the consent
from the user. Also, if the scope is not registered under the OAuth2 scopes
or OIDC scopes in the IS, then we will display it with the provided scope
name on the consent page. Please find the corresponding improvement in
PR [1].

Note that in such a case, scopes which are not registered will be displayed
with the provided scope name, and scopes which are registered will be
displayed with their corresponding display name and description on the
consent page.

[1] https://github.com/wso2/identity-apps/pull/521

On Tue, Mar 10, 2020 at 1:54 PM Johann Nallathamby  wrote:

> Hi Sarubi,
>
> As Asela pointed out, there are use cases for differentiating the access
> token not just based on client or user or registered scopes but based on
> other environmental attributes. The easiest way of representing these
> environmental attributes in OAuth2 and getting unique access tokens in WSO2
> IS is using scopes. This is the reason why WSO2 API Manager also uses
> whitelabeled scope prefixes.
>
> For example, APIM customers use this feature to get unique access tokens
> per device. They might not be able to register the devices beforehand.
> @Nuwan Dias and @Sanjeewa Malalgoda may be able to comment more on this.
>
> Regards,
> Johann.

Re: [Architecture] Dropping Unregistered Scope(s) from OAuth Request in IS.

2020-03-10 Thread Johann Nallathamby
Hi Sarubi,

As Asela pointed out, there are use cases for differentiating the access
token not just based on client or user or registered scopes but based on
other environmental attributes. The easiest way of representing these
environmental attributes in OAuth2 and getting unique access tokens in WSO2
IS is using scopes. This is the reason why WSO2 API Manager also uses
whitelabeled scope prefixes.

For example, APIM customers use this feature to get unique access tokens
per device. They might not be able to register the devices beforehand.
@Nuwan Dias and @Sanjeewa Malalgoda may be able to comment more on this.

Regards,
Johann.

On Thu, Feb 13, 2020 at 5:32 PM Asela Pathberiya wrote:

> Just thought of something similar to this [1], as we are not supporting
> multiple access tokens for a given user/application.
>
> [1]
> https://apim.docs.wso2.com/en/3.0.0/Learn/APISecurity/OAuth2/OAuth2Scopes/scope-whitelisting/

Re: [Architecture] Dropping Unregistered Scope(s) from OAuth Request in IS.

2020-02-13 Thread Asela Pathberiya
On Thu, Feb 13, 2020 at 11:15 AM Sarubi Thillainathan 
wrote:

>> There are cases in which an application needs to send some random scope to
>> identify the devices. Can't we handle such cases by default?
>>
> Yes, we can't handle such cases by default. I would like to know why those
> need to be random? If it is for identifying the device, then can't we
> register those beforehand?
>

Just thought of something similar to this [1], as we are not supporting
multiple access tokens for a given user/application.

[1]
https://apim.docs.wso2.com/en/3.0.0/Learn/APISecurity/OAuth2/OAuth2Scopes/scope-whitelisting/


-- 
Thanks & Regards,
Asela

Mobile : +94 777 625 933

http://soasecurity.org/
http://xacmlinfo.org/
___
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture


Re: [Architecture] Dropping Unregistered Scope(s) from OAuth Request in IS.

2020-02-12 Thread Sarubi Thillainathan
On Thu, Feb 13, 2020 at 10:50 AM Asela Pathberiya  wrote:

> There are cases in which an application needs to send some random scope to
> identify the devices. Can't we handle such cases by default?
>
Yes, we can't handle such cases by default. I would like to know why those
need to be random? If it is for identifying the device, then can't we
register those beforehand?


-- 
*Sarubi Thillainathan* | Software Engineer | WSO2 Inc.
(m) +94 (0) 76 684 9101 | (e) sar...@wso2.com,stsa...@gmail.com



Re: [Architecture] Dropping Unregistered Scope(s) from OAuth Request in IS.

2020-02-12 Thread Asela Pathberiya
On Thu, Feb 13, 2020 at 10:48 AM Sarubi Thillainathan 
wrote:

> Hi Asela,
>
>> Just to be clear, can we register scope values as regex patterns?
>> In APIM there is a scope whitelisting capability, where any scope value
>> matching the given regex, e.g. "device_*", can be sent.
>>
> Nope, in IS we don't have this capability.
> The only thing that we enforce is that you can't have a space in the scope name.
>

There are cases in which an application needs to send some random scope to
identify the devices. Can't we handle such cases by default?

Thanks,
Asela.



Re: [Architecture] Dropping Unregistered Scope(s) from OAuth Request in IS.

2020-02-12 Thread Sarubi Thillainathan
Hi Asela,

> Just to be clear, can we register scope values as regex patterns?
> In APIM there is a scope whitelisting capability, where any scope value
> matching the given regex, e.g. "device_*", can be sent.
>
Nope, in IS we don't have this capability.
The only thing that we enforce is that you can't have a space in the scope name.

Thanks,
Sarubi.



Re: [Architecture] Dropping Unregistered Scope(s) from OAuth Request in IS.

2020-02-12 Thread Asela Pathberiya
On Wed, Feb 12, 2020 at 5:44 PM Sarubi Thillainathan 
wrote:

> Hi All,
>
> Currently in IS, whenever a token request comes with a list of scopes, we
> show all the scopes and get consent from the user regardless of whether
> those scopes are requested or not in the Identity Server.
> But going forward with IS 5.10.0, we'll be more descriptive: we decided to
> show the display name of the scope and its description as well when we are
> getting consent from the user. Also, if the scope is not registered as an
> OAuth2 scope or OIDC scope in the IS, then we decided to skip that
> particular scope from the consent page and also from the response, as the
> default behaviour.
>
Just to be clear, can we register scope values as regex patterns?
In APIM there is a scope whitelisting capability, where any scope value
matching the given regex, e.g. "device_*", can be sent.

Thanks,
Asela.




Re: [Architecture] Dropping Unregistered Scope(s) from OAuth Request in IS.

2020-02-12 Thread Sarubi Thillainathan
On Wed, Feb 12, 2020 at 5:38 PM Sarubi Thillainathan 
wrote:



[Architecture] Dropping Unregistered Scope(s) from OAuth Request in IS.

2020-02-12 Thread Sarubi Thillainathan
Hi All,

Currently in IS, whenever a token request comes with a list of scopes, we
show all the scopes and get consent from the user regardless of whether
those scopes are requested or not in the Identity Server.
But going forward with IS 5.10.0, we'll be more descriptive: we decided to
show the display name of the scope and its description as well when we are
getting consent from the user. Also, if the scope is not registered as an
OAuth2 scope or OIDC scope in the IS, then we decided to skip that
particular scope from the consent page and also from the response, as the
default behaviour.

In order to keep backward compatibility, we'll keep a flag so that we can
enable listing the scopes which are not registered. Note that in that case,
scopes which are not registered will be displayed with the provided scope
name, and scopes which are registered will be displayed with their
corresponding display name and description on the consent page.

Highly appreciate your ideas and suggestions on this.




Thanks,
Sarubi.
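As an added example that is not part of the original thread or of WSO2's code, the following Python sketches the consent-page behaviour discussed in this proposal and in the replies above: registered scopes resolve to their display name and description, while unregistered scopes are either shown under their raw name (the behaviour the thread settled on, and the back-compat flag in this proposal) or dropped from the consent page and the response (the originally proposed default). An APIM-style whitelist pattern stands in for the "device_*" case Asela raised, and a token-key function shows why a per-device scope yields a distinct token, the use case Johann describes. The registry contents, the `device_` pattern, the `ConsentEntry` shape and the `token_key` function are assumptions for illustration only; IS itself has no regex whitelist, as Sarubi notes. The RFC 6749 scope-token character check is stricter than the "no space" rule the thread mentions.

```python
"""Constructed example (not WSO2 Identity Server code): resolving the scopes of
a token request for the consent page, as described in the thread above.

Assumptions (not from the thread): the registry contents, the ConsentEntry
shape, the "device_<id>" whitelist regex used to stand in for APIM-style scope
whitelisting, and the token_key derivation.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

# RFC 6749 section 3.3: scope-token = 1*( %x21 / %x23-5B / %x5D-7E ), i.e.
# printable ASCII without space, double quote or backslash.  The thread says IS
# only enforces "no space"; this is the stricter RFC rule.
_SCOPE_TOKEN = re.compile(r"[\x21\x23-\x5b\x5d-\x7e]+")


@dataclass(frozen=True)
class RegisteredScope:
    name: str
    display_name: str
    description: str


@dataclass(frozen=True)
class ConsentEntry:
    scope: str          # scope value echoed back in the token response
    display_name: str   # title shown on the consent page
    description: str    # text shown beneath the title ("" when unknown)
    registered: bool


# Constructed registry standing in for the OAuth2/OIDC scopes registered in IS.
REGISTRY: Dict[str, RegisteredScope] = {
    "openid": RegisteredScope("openid", "OpenID", "Sign in with your identity"),
    "profile": RegisteredScope("profile", "Profile", "Read your basic profile"),
    "email": RegisteredScope("email", "Email", "Read your email address"),
}

# APIM-style whitelist (constructed): the thread's "device_*" example, written
# as an anchored pattern so only "device_" plus an identifier matches.
WHITELIST = [re.compile(r"device_[A-Za-z0-9-]+")]


def is_valid_scope_token(tok: str) -> bool:
    """True when `tok` is a single well-formed RFC 6749 scope-token."""
    return _SCOPE_TOKEN.fullmatch(tok) is not None


def parse_scope_parameter(raw: str) -> List[str]:
    """Split the space-delimited `scope` parameter, validate every token and
    drop duplicates while keeping request order."""
    tokens: List[str] = []
    for tok in raw.split():
        if not is_valid_scope_token(tok):
            raise ValueError(f"invalid scope token: {tok!r}")
        if tok not in tokens:
            tokens.append(tok)
    return tokens


def is_whitelisted(scope: str) -> bool:
    return any(p.fullmatch(scope) for p in WHITELIST)


def resolve_consent(requested: Sequence[str],
                    drop_unregistered: bool = False) -> Tuple[List[ConsentEntry], List[str]]:
    """Build the consent-page entries for the requested scopes.

    drop_unregistered=False: unregistered scopes are shown under their raw name
    (the behaviour the thread settled on).  drop_unregistered=True: unregistered
    scopes are left out of the page and the response (the originally proposed
    default) unless a whitelist pattern admits them.  Returns (shown, dropped).
    """
    shown: List[ConsentEntry] = []
    dropped: List[str] = []
    for scope in requested:
        reg = REGISTRY.get(scope)
        if reg is not None:
            shown.append(ConsentEntry(scope, reg.display_name, reg.description, True))
        elif drop_unregistered and not is_whitelisted(scope):
            dropped.append(scope)
        else:
            shown.append(ConsentEntry(scope, scope, "", False))
    return shown, dropped


def granted_scope_value(shown: Sequence[ConsentEntry]) -> str:
    """Space-delimited `scope` value for the token response (RFC 6749 section 5.1)."""
    return " ".join(e.scope for e in shown)


def token_key(client_id: str, user: str, shown: Sequence[ConsentEntry]) -> str:
    """Key under which a server would cache and reuse an access token.  Keying on
    the sorted scope set is what makes device_<id> yield one token per device."""
    return f"{client_id}|{user}|{' '.join(sorted(e.scope for e in shown))}"


if __name__ == "__main__":
    scopes = parse_scope_parameter("openid profile device_abc123 inventory:read")
    for flag in (False, True):
        shown, dropped = resolve_consent(scopes, drop_unregistered=flag)
        print(f"drop_unregistered={flag}")
        for e in shown:
            print(f"  [{'reg' if e.registered else 'raw'}] {e.display_name}: {e.description}")
        print("  response scope:", granted_scope_value(shown), "| dropped:", dropped)
```

Running the block with both settings of the flag shows the two behaviours side by side: with the flag off, `inventory:read` is presented to the user under its raw name with no description, which is exactly the consent-page ambiguity the 5.10.0 change set out to reduce; with it on, that scope disappears from both the page and the response while the whitelisted `device_abc123` survives.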