Re: [Dev] Tenant OIDC logout fails with 'ID token signature validation failed.' error

2019-04-04 Thread Farasath Ahamed
Hi Devs,

Also, what about the value of the "realm" claim when the user is a federated one?

Regards,
Farasath



-- 
Farasath Ahamed
Senior Software Engineer, WSO2 Inc.; http://wso2.com
Mobile: +94777603866
Blog: https://farasath.blogspot.com / https://medium.com/@farasath
Twitter: @farazath619 

___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


Re: [Dev] Tenant OIDC logout fails with 'ID token signature validation failed.' error

2019-04-04 Thread Hasini Witharana
Hi Ruwan/Sathya,

There are some standard claims defined in the OIDC specification [1], but none
of them can be used instead of "realm" or "tenant_domain".
However, the spec also says that it is okay to add other claims to the
id_token [2].

[1] - https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims
[2] - https://openid.net/specs/openid-connect-core-1_0.html#IDToken

Thank You.
Hasini



-- 
Hasini Witharana | Software Engineer | WSO2 Inc
(m) 0766435725 | (w) 0713850143 | (e) hasi...@wso2.com


Re: [Dev] Tenant OIDC logout fails with 'ID token signature validation failed.' error

2019-04-04 Thread Ruwan Abeykoon
Hi Sathya,
I do not see any issue adding the info-set to the id-token, as conceptually
it carries more information about the user's identity.
Did we check whether there are any standard claims in the id token we could use
instead of "realm", "tenant_domain", etc.?

Cheers,
Ruwan A



-- 

Ruwan Abeykoon
Associate Director/Architect,
WSO2, Inc. http://wso2.com
lean.enterprise.middleware.


[Dev] Tenant OIDC logout fails with 'ID token signature validation failed.' error

2019-04-04 Thread Sathya Bandara
Hi all,

In the OIDC logout flow, we send the ID token as a user identification method,
similar to the following request.

https://localhost:9443/oidc/logout?id_token_hint=
_logout_redirect_uri=
http://localhost:8080/playground2/oauth2client=1

When validating the ID token, we try to get the tenant domain from the
subject claim of the id_token_hint [1] in the default flow. This will only
work if 'append tenant domain to subject identifier' is selected in the
SP configuration. In other scenarios it fails with the error "access_denied
ID token signature validation failed." This is because, if the subject does not
contain the tenant domain, we try to validate the ID token with the super
tenant's keystore. Further, this fails when the subject identifier is set to the
email claim and the email contains a different domain, such as sat...@wso2.com.


We have a config in identity.xml ('SignJWTWithSPKey') to enable/disable signing
the ID token with the SP's keystore. As this configuration is disabled by
default, the ID token will be signed and validated using the user's tenant domain,
leading to the above issue.

As a possible solution, we have decided to include the user's tenant domain and
userstore domain as claims in the ID token generated by IS. This can be
disabled by a config; however, in the default pack it will be enabled by
default. A sample ID token is as follows.

{
  "at_hash": "Bi9jGB-EIZ94gVzHZv5trQ",
  "aud": "b3F9IGMtm0aKGlHfG4BnI2Ypi7Qa",
  "sub": "sathya",
  "realm": {
    "tenant_domain": "wso2.com",
    "userstore_domain": "PRIMARY"
  },
  "iss": "https://localhost:9443/oauth2/token",
  "exp": 1554367465,
  "iat": 1554363865
}

Also, the 'SignJWTWithSPKey' property will be enabled by default in the product,
honoring the service provider's tenant domain when obtaining keys for signing
and validating ID tokens.

Highly appreciate your suggestions and concerns on this.

[1]
https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oidc.session/src/main/java/org/wso2/carbon/identity/oidc/session/servlet/OIDCLogoutServlet.java#L331
Thanks,
Sathya
-- 
Sathya Bandara
Senior Software Engineer
Blog: https://medium.com/@technospace
WSO2 Inc. http://wso2.com
Mobile: (+94) 715 360 421
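The following is an added example, not WSO2 IS code, illustrating the tenant-resolution problem Sathya describes and how an explicit realm claim resolves it. It assumes a few things that are not on the page: each tenant keystore is modelled as a symmetric HMAC key (a stand-in for the tenant's RSA signing key, so the example runs offline with the standard library only), the super tenant domain is named "carbon.super", the keys, client id, user "sathya@example.org" and the function names are all constructed for the example. The three cases in demo() are the ones from the thread: a tenant user whose subject carries no tenant suffix (resolves to the super tenant keystore, signature check fails), an e-mail subject whose domain is not the tenant (resolves to a tenant with no keystore), and the same token carrying realm.tenant_domain (resolves to the right keystore and validates).

```python
"""Tenant resolution for an OIDC id_token_hint before signature validation.

Added example; not WSO2 IS code. Tenant keystores are modelled as HMAC keys
so that the example is self-contained (IS uses the tenant's RSA key).
"""
import base64
import hashlib
import hmac
import json

# Assumption: the super tenant domain name used when no tenant can be resolved.
SUPER_TENANT = "carbon.super"

# Constructed per-tenant keys standing in for the tenant keystores.
KEYSTORES = {
    SUPER_TENANT: b"constructed-super-tenant-key",
    "wso2.com": b"constructed-wso2-tenant-key",
}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, tenant: str) -> str:
    """Sign claims with the named tenant's key (HMAC stand-in for RS256)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(KEYSTORES[tenant], signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def tenant_from_subject(sub: str) -> str:
    """Legacy rule: the tenant is whatever follows the last '@' in the subject.

    An e-mail subject such as 'sathya@example.org' therefore looks like a user
    in tenant 'example.org', which is the ambiguity described in the thread.
    """
    if "@" in sub:
        return sub.rsplit("@", 1)[1]
    return SUPER_TENANT


def resolve_tenant(claims: dict) -> str:
    """Prefer the explicit realm.tenant_domain claim; fall back to the subject."""
    realm = claims.get("realm")
    if isinstance(realm, dict) and realm.get("tenant_domain"):
        return realm["tenant_domain"]
    return tenant_from_subject(claims.get("sub", ""))


def validate_id_token_hint(token: str) -> tuple:
    """Return (ok, detail): detail is the tenant on success, else the reason."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # covers bad split, bad base64 and bad JSON
        return False, "malformed id_token_hint"
    tenant = resolve_tenant(claims)
    key = KEYSTORES.get(tenant)
    if key is None:
        return False, f"no keystore for tenant {tenant}"
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return False, "ID token signature validation failed"
    return True, tenant


def demo() -> dict:
    """Run the three cases from the thread; all tokens are signed by tenant wso2.com."""
    base = {"aud": "client-id-placeholder", "iss": "https://localhost:9443/oauth2/token"}
    # Case 1: tenant user, subject without tenant suffix, no realm claim.
    plain = mint_id_token({**base, "sub": "sathya"}, "wso2.com")
    # Case 2: e-mail subject whose domain is not the user's tenant.
    email = mint_id_token({**base, "sub": "sathya@example.org"}, "wso2.com")
    # Case 3: same e-mail subject, but the realm claim names the tenant.
    realm = mint_id_token({**base, "sub": "sathya@example.org",
                           "realm": {"tenant_domain": "wso2.com",
                                     "userstore_domain": "PRIMARY"}}, "wso2.com")
    return {"plain": validate_id_token_hint(plain),
            "email": validate_id_token_hint(email),
            "realm": validate_id_token_hint(realm)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The point of resolve_tenant() is that the keystore choice happens before the signature is checked, so any heuristic based on the subject string decides which key is tried; an explicit, signed realm claim removes that guess, and the signature check then confirms the claim was issued by that tenant's key rather than trusting it blindly.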


[Dev] Best Practice - calling stored procedure from WSO2 EI 6.2.0

2019-04-04 Thread Sanjay Bawri
Hi Team,

I see that there are multiple approaches to call a stored procedure from
WSO2 ESB/EI layer.

1. Using the DBReport mediators
2. Using the Data Services concept.

My scenario is simple: my proxy service will get a message over a queue,
and I need to invoke the stored procedure to insert data into a database.

I am not sure which would be the better approach to go with: either create a
data source and then use the mediators (so all the code is in one proxy service
itself), or use the data service approach and have my proxy call this data
service to do the job.

I understand that if there are multiple proxy services that need to invoke the
same stored procedure, then it might be better to have a common data
service. But I am not sure what further advantage it adds.

Can you please list the pros and cons of both approaches, and the scenarios in
which the mediator approach would be more beneficial than going with the data
service approach?

-- 
Best regards,
Sanjay Bawri


Re: [Dev] Need help for csv to json

2019-04-04 Thread Prabushi Samarakoon
Hi Arushi,

You can use the WSO2 EI Data Mapper mediator [1] to process CSV to JSON data
transformations. Please refer to [1] and [2] for more details.

Thanks & Best Regards,
Prabushi

[1] - https://docs.wso2.com/display/EI640/Data+Mapper+Mediator
[2] -
https://medium.com/@dilsimchandrasena/convert-csv-to-json-using-a-data-mapper-47728f837a23

On Thu, Apr 4, 2019 at 11:57 AM  wrote:

> Hi,
>
> I am trying to convert csv file to json in wso2. I am stuck and don't know
> how to proceed. Can you please help. Below is the code and result has data
> in csv format.
>
> 
> http://ws.apache.org/ns/synapse;>
> 
>
> file://home/wso2carbon/wso2ei-6.4.0/repository/logs/csvfiles/DS001_Operating_System_01012018.csv
> text/plain
> .csv
> 
> 
> 
> 
>  scope="default" type="STRING"/>
>  scope="default" type="STRING"/>
> 
>
>
> File contents are like:
>
> "Host_Name","Parent_Type","Store_Number","Environment","Operating_system","Comment","End_of_Patch","Target_Patch_Level","Current_Patch_Level","Patches_deployed_Month","Device_Type","Company","Patch_Frequency","Date","File_Name"
> "atlntaj60","Corporate - Availability","Not
> applicable","PROD","Microsoft(R) Windows(R) Server
> 2003","Legacy","Yes","-2","-6","5/1/2015 00:00:00","Corporate-Windows
> Server","LCL","Monthly","3/5/2018
> 00:00:00","DS001_Operating_System_03052018.csv"
> "harnthr62","Corporate - Availability","Not
> applicable","PROD","Microsoft(R) Windows(R) Server
> 2003","Legacy","Yes","-2","-6","5/1/2015 00:00:00","Corporate-Windows
> Server","LCL","Monthly","3/5/2018
> 00:00:00","DS001_Operating_System_03052018.csv"
>
>
> _
> Sent from http://wso2-oxygen-tank.10903.n7.nabble.com
>
>

-- 
Prabushi Samarakoon
Mobile: +94715434580
Email: prabus...@wso2.com