Re: [Dev] iat, exp and nbf values of token introspection when 'token_string' is a JWT
Hi Omindu,

Please find my thoughts on this.

According to the "OAuth 2.0 Token Introspection" specification [1], these values should be based on the original access token, and the exp, iat, nbf values should use the format defined in the "JSON Web Token (JWT)" specification [2]. When we create a JWT out of this, yes, there is a confusion, because the JWT spec [2] defines these values specific to the new JWT token that we create.

Combining these two, I interpret it this way:

1. The exp, iat, nbf in the JWT spec define the time frame in which this JWT token is valid.
2. All the data in this JWT token is only valid until the original access token is valid.
3. Then the validity of the JWT should be within the validity of the original access token.

So I think:

iat : should be the new JWT issuing time.
nbf : JWT issuing time, or the original nbf if this is a future value.
exp : should be calculated with the original exp time.

Thanks,
Ishara

[1] https://tools.ietf.org/html/rfc7662#page-6
[2] https://tools.ietf.org/html/rfc7519

On Wed, Sep 5, 2018 at 8:17 AM Omindu Rathnaweera wrote:
> Hi Team,
>
> During token introspection we can request the user information related to the access token in the form of a JWT. This JWT is sent under the parameter 'token_string'.
>
> Ex:
>
> {
>   "token_string":"eyJ4NXQiO... (JWT)",
>   "active":true,
>   "token_type":"Bearer",
>   "exp":1536076577,
>   "iat":1536072977,
>   "nbf":1536072977,
>   "client_id":"5qqc07uvtnnouDYzxe63jLlnjOEa",
>   "username":"admin@carbon.super"
> }
>
> The exp (Expiration Time), iat (Issued At), nbf (Not Before) values in the above response are based on the original token issue time, and this is the expected outcome as per the specification [1].
>
> However, there's a confusion when it comes to setting these values in the JWT sent with 'token_string'.
>
> The current behavior is that 'iat' in the JWT is calculated based on the issued time of the introspecting access token, but the 'exp' value is calculated based on the creation time of the JWT.
>
> I would like to know your opinion on what these values should be based on. Should it be the same as the access token's iat, exp, and nbf, or should they be based on the generation time of the JWT itself?
>
> [1] - https://tools.ietf.org/html/rfc7662#page-6
>
> Thanks,
> Omindu
>
> --
> Omindu Rathnaweera
> Senior Software Engineer, WSO2 Inc.

--
Ishara Karunarathna
Technical Lead
WSO2 Inc. - lean . enterprise . middleware | wso2.com
email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94717996791

___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
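Added example, not code from the thread or from WSO2 Identity Server: it derives the token_string JWT's exp/iat/nbf from the original access token's values following the rule Ishara proposes above, and checks that the JWT's validity window lies inside the access token's. The introspection response is a constructed sample modelled on the one Omindu quoted; the HMAC key and HS256 signing are assumptions for the demonstration rather than how the product signs token_string, and "exp calculated with the original exp time" is taken as exp equal to the original exp.

```python
"""Derive the token_string JWT's time claims from the original access token.

Added example, not WSO2 IS code. Follows the rule from the thread: iat is the
JWT issuing time, nbf is the issuing time unless the original nbf is in the
future, and exp stays bound to the original access token's exp, so the JWT
is never valid outside the access token's own validity window.
"""
import base64
import hashlib
import hmac
import json

# Constructed sample introspection response, modelled on the one quoted in the
# thread (original token: iat 1536072977, exp 1536076577, a 3600 s lifetime).
INTROSPECTION_RESPONSE = {
    "active": True,
    "token_type": "Bearer",
    "exp": 1536076577,
    "iat": 1536072977,
    "nbf": 1536072977,
    "client_id": "5qqc07uvtnnouDYzxe63jLlnjOEa",
    "username": "admin@carbon.super",
}

# Constructed HMAC key, an assumption for the demonstration only; the product
# signs token_string with the server's own key, which this example does not model.
DEMO_KEY = b"demo-key-not-for-production"


def derive_jwt_times(introspection, now):
    """Return {"iat", "nbf", "exp"} for the token_string JWT issued at `now`."""
    if not introspection.get("active"):
        raise ValueError("inactive token: no token_string should be issued")
    orig_exp = introspection["exp"]
    orig_nbf = introspection.get("nbf", introspection["iat"])
    if now >= orig_exp:
        raise ValueError("access token already expired; JWT would have no validity")
    if orig_nbf >= orig_exp:
        raise ValueError("malformed access token: nbf is not before exp")
    return {"iat": now, "nbf": max(now, orig_nbf), "exp": orig_exp}


def within_original_validity(jwt_claims, introspection):
    """True when the JWT's validity window lies inside the access token's window."""
    orig_nbf = introspection.get("nbf", introspection["iat"])
    return (
        introspection["iat"] <= jwt_claims["iat"]
        and orig_nbf <= jwt_claims["nbf"]
        and jwt_claims["nbf"] < jwt_claims["exp"] <= introspection["exp"]
    )


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_token_string(introspection, now, key=DEMO_KEY):
    """Build an HS256 token_string JWT carrying the derived time claims."""
    claims = derive_jwt_times(introspection, now)
    for name in ("client_id", "username"):
        if name in introspection:
            claims[name] = introspection[name]
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_and_decode(token, key=DEMO_KEY):
    """Check the HS256 signature and return the claims; raise on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # refuse 'none' and other algorithms
        raise ValueError("unexpected alg")
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


if __name__ == "__main__":
    # JWT generated 1023 s after the access token was issued.
    token = build_token_string(INTROSPECTION_RESPONSE, now=1536074000)
    claims = verify_and_decode(token)
    print(claims)
    print("within access token validity:",
          within_original_validity(claims, INTROSPECTION_RESPONSE))
```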
Re: [Dev] [Architecture] [VOTE] Release of WSO2 Identity Server 5.6.0 RC3
>>>>>>> On Tue, Jun 19, 2018 at 12:26 PM, Vihanga Liyanage wrote:
>>>>>>>
>>>>>>>> Hi all,
>>>>>>>>
>>>>>>>> I've tested the following scenarios on the IS 5.6.0-RC3 pack with the default database setup.
>>>>>>>>
>>>>>>>> - Enable user self-registration and self-register a new user.
>>>>>>>> - Add multiple consent purposes with multiple PII categories.
>>>>>>>> - Log in to the dashboard and see whether we can see the default consent and the above added PII categories.
>>>>>>>> - Confirm claims are getting filtered based on consents.
>>>>>>>> - Configure a service provider with OpenID Connect and acquire access tokens via Authorization Code, Implicit, Client Credential and Password grant types.
>>>>>>>> - Enable ID token encryption for the service provider and test the flow with decryption for all grant types.
>>>>>>>> - Delete the self-signed-up user, create another user with the exact same username, log in to the dashboard and see what consents are shown.
>>>>>>>> - Revoke consents of the user via the dashboard and try accessing the SP to verify the consents are asked again.
>>>>>>>> - Delete the SP, log in to the dashboard and see whether the consents are deleted for that SP.
>>>>>>>>
>>>>>>>> No blocking issues are found.
>>>>>>>>
>>>>>>>> [+] Stable - go ahead and release.
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Vihanga.
>>>>>>>>
>>>>>>>> On Fri, Jun 15, 2018 at 6:29 PM Madawa Soysa wrote:
>>>>>>>>
>>>>>>>>> Hi all,
>>>>>>>>>
>>>>>>>>> We are pleased to announce the third release candidate of WSO2 Identity Server 5.6.0.
>>>>>>>>>
>>>>>>>>> This release fixes the following issues:
>>>>>>>>>
>>>>>>>>> - 5.6.0-RC Fixes <https://github.com/wso2/product-is/milestone/40?closed=1>
>>>>>>>>> - 5.6.0-Beta Fixes <https://github.com/wso2/product-is/milestone/39?closed=1>
>>>>>>>>> - 5.6.0-Alpha2 Fixes <https://github.com/wso2/product-is/milestone/43?closed=1>
>>>>>>>>> - 5.6.0-Alpha Fixes <https://github.com/wso2/product-is/milestone/38?closed=1>
>>>>>>>>> - 5.6.0-M7 Fixes <https://github.com/wso2/product-is/milestone/37?closed=1>
>>>>>>>>> - 5.6.0-M6 Fixes <https://github.com/wso2/product-is/milestone/36?closed=1>
>>>>>>>>> - 5.6.0-M5 Fixes <https://github.com/wso2/product-is/milestone/35?closed=1>
>>>>>>>>> - 5.6.0-M4 Fixes <https://github.com/wso2/product-is/milestone/34?closed=1>
>>>>>>>>> - 5.6.0-M3 Fixes <https://github.com/wso2/product-is/milestone/33?closed=1>
>>>>>>>>> - 5.6.0-M2 Fixes <https://github.com/wso2/product-is/milestone/31?closed=1>
>>>>>>>>> - 5.6.0-M1 Fixes <https://github.com/wso2/product-is/milestone/30?closed=1>
>>>>>>>>>
>>>>>>>>> Source and distribution,
>>>>>>>>> Runtime - https://github.com/wso2/product-is/releases/tag/v5.6.0-rc3
>>>>>>>>> Analytics -
Re: [Dev] [Architecture] [VOTE] Release WSO2 Identity Server 5.5.0 RC2
Hi,

Tested the consent mgt feature with SAML SSO and basic user mgt features. No blocking issues found.

[+] Stable - Go ahead and release

-Ishara

On Thu, Mar 15, 2018 at 1:08 PM, Pulasthi Mahawithana <pulast...@wso2.com> wrote:
> Tested the below scenarios and no blocking issues found.
>
> - Adding multi-step workflow definitions
> - Adding workflow associations and multi-step approval for the user add operation
> - Federation with Twitter
> - Login analytics
> - Session analytics
>
> No blocking issues found.
>
> [+] Stable - Go ahead and release
>
> On Thu, Mar 15, 2018 at 12:33 PM, Hasintha Indrajee <hasin...@wso2.com> wrote:
>
>> Tested the below scenarios with a MySQL database:
>>
>> Authentication data publishing.
>> Custom OAuth client authenticators (Private key JWT client authenticator).
>> Self registration with consents (for super and non-super tenants).
>> SSO with missing mandatory claims and consents for SaaS apps (SAML, with and without mandatory claims).
>> Updating and revoking consents through the dashboard for super tenant and non-super tenant users.
>> Consent erasure while apps (for SaaS scenarios) are deleted and users are deleted.
>>
>> No blocking issues found and +1 to proceed with release.
>>
>> On Thu, Mar 15, 2018 at 5:19 AM, Darshana Gunawardana <darsh...@wso2.com> wrote:
>>
>>> Hi all,
>>>
>>> We are pleased to announce the second release candidate of WSO2 Identity Server 5.5.0.
>>>
>>> This release fixes the following issues,
>>>
>>> - 5.5.0-RC2 fixes <https://github.com/wso2/product-is/issues?q=is%3Aclosed+milestone%3A5.5.0-RC2>
>>> - 5.5.0-RC1 fixes <https://github.com/wso2/product-is/issues?q=is%3Aclosed+milestone%3A5.5.0-RC1>
>>> - 5.5.0-Beta fixes <https://github.com/wso2/product-is/issues?q=is%3Aclosed+milestone%3A5.5.0-beta>
>>> - 5.5.0-Alpha3 fixes <https://github.com/wso2/product-is/issues?q=is%3Aclosed+milestone%3A5.5.0-alpha3>
>>> - 5.5.0-Alpha2 fixes <https://github.com/wso2/product-is/issues?q=is%3Aclosed+milestone%3A5.5.0-alpha2>
>>> - 5.5.0-Alpha fixes <https://github.com/wso2/product-is/issues?q=is%3Aclosed+milestone%3A5.5.0-alpha>
>>> - 5.5.0-M4 fixes <https://github.com/wso2/product-is/issues?q=is%3Aclosed+milestone%3A5.5.0-M4>
>>> - 5.5.0-M3 fixes <https://github.com/wso2/product-is/issues?q=is%3Aclosed+milestone%3A5.5.0-M3>
>>> - 5.5.0-M2 fixes <https://github.com/wso2/product-is/issues?q=is%3Aclosed+milestone%3A5.5.0-M2>
>>> - 5.5.0-M1 fixes <https://github.com/wso2/product-is/issues?q=is%3Aclosed+milestone%3A5.5.0-M1>
>>>
>>> Source and distribution
>>>
>>> Runtime - https://github.com/wso2/product-is/releases/v5.5.0-rc2
>>> Analytics - https://github.com/wso2/analytics-is/releases/v5.5.0-rc2
>>>
>>> Please download, test the product and vote.
>>>
>>> [+] Stable - go ahead and release
>>> [-] Broken - do not release (explain why)
>>>
>>> Thanks,
>>> - WSO2 Identity and Access Management Team -
>>>
>>> --
>>> Regards,
>>>
>>> Darshana Gunawardana
>>> Technical Lead
>>> WSO2 Inc.; http://wso2.com
>>> E-mail: darsh...@wso2.com
>>> Mobile: +94718566859
>>> Lean . Enterprise . Middleware
>>
>> --
>> Hasintha Indrajee
>> WSO2, Inc.
>> Mobile: +94 771892453
>>
>> ___
>> Architecture mailing list
>> architect...@wso2.org
>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>
> --
> Pulasthi Mahawithana
> Associate Technical Lead
> WSO2 Inc., http://wso2.com/
> Mobile: +94-71-5179022
> Blog: https://medium.com/@pulasthi7/

--
Ishara Karunarathna
Technical Lead
WSO2 Inc. - lean . enterprise . middleware | wso2.com
email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94717996791
Re: [Dev] Setting commonAuth Cookie even after failing authorization in a fresh login attempt.
On Mon, Jan 29, 2018 at 8:40 PM, Hasintha Indrajee <hasin...@wso2.com> wrote:
> So that's because we don't have a proper way of reverting it back. Hence isn't it better not to write cookies until a proper access of an application takes place for this scenario? In the multi-step scenario it's true that there is an IdP session, but still the user is not properly logged in since one of the steps failed. Hence next time the next step will be prompted, which means he doesn't have a valid session.
>
> The idea is, if we can avoid writing cookies we can unify the post-authentication behaviours (missing mandatory claim handling, authorization, etc.).

As an improvement we can do this. But the shared computer scenario is a rare use case. Even if you use a shared computer, it's not a good practice to keep the browser session or use the remember me option.

-Ishara

> On Mon, Jan 29, 2018 at 8:26 PM, Ishara Karunarathna <isha...@wso2.com> wrote:
>
>> Hi Hasintha,
>>
>> On Mon, Jan 29, 2018 at 8:19 PM, Hasintha Indrajee <hasin...@wso2.com> wrote:
>>
>>> Multi-step authentication is a different case I think. We don't set cookies in an intermediate state. What if we use "remember me"? So the cookie will be there even if we close the browser, isn't it?
>>
>> Think of these authentication steps:
>> step1 : Federated authenticator
>> step2 : Local authenticator.
>>
>> Then in step 1 the federated authenticator will create a session where the 2nd authentication fails. So the 2nd time also the user will automatically be redirected to the federated authenticator and authenticated, then fail in the 2nd case.
>>
>> -Ishara
>>
>>> On Mon, Jan 29, 2018 at 8:15 PM, Ishara Karunarathna <isha...@wso2.com> wrote:
>>>
>>>> Hi Hasintha,
>>>>
>>>> The same can happen in multi-step authentication where a user successfully logs in with the 1st authenticator and fails in the 2nd case.
>>>>
>>>> On Mon, Jan 29, 2018 at 8:04 PM, Hasintha Indrajee <hasin...@wso2.com> wrote:
>>>>
>>>>> We have the feature of enabling authorization for service providers [1]. Imagine a scenario where we log in to an SP for the very first time and authorization fails due to some violation of authorization policies. Even if authorization fails we do set the commonAuthId cookie in the response, which means the user has a valid SSO session from that point onwards.
>>>>>
>>>>> This can be seen from two perspectives.
>>>>>
>>>>> 1) The user is authenticated, but authorization fails. Hence we should set the cookie for SSO irrespective of the authorization decision.
>>>>>
>>>>> 2) But this may lead to an inconsistent state. Suppose this is the only application the user is allowed to log in to. But due to some policy violation, the first login fails. In the case of a shared computer this leads to a deadlock where the user can neither properly log in nor properly log out. We can use the workaround of calling commonAuthLogout=true. But this will not do a proper logout (logging out external IdPs). Hence on a shared computer the user has no option.
>>>>
>>>> I think in this case the user should close the browser, then he won't get this issue. This is valid for multi-step authentication as well.
>>>>
>>>> -Ishara
>>>>
>>>>> Hence I think we can avoid setting the cookie until a user successfully accesses at least a single application upon successful authentication and authorization. So simply, even if the user is authenticated for the very first time, we will not set the cookie unless the user is authorized to access that particular application. (This only applies to the very first app the user is trying to log in to.)
>>>>>
>>>>> WDYT?
>>>>>
>>>>> [1] https://docs.wso2.com/display/IS530/Configuring+Access+Control+Policy+for+a+Service+Provider
>>>>>
>>>>> --
>>>>> Hasintha Indrajee
>>>>> WSO2, Inc.
>>>>> Mobile: +94 771892453
>>>>
>>>> --
>>>> Ishara Karunarathna
>>>> Technical Lead
>>>> WSO2 Inc. - lean . enterprise . middleware | wso2.com
>>>> email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94717996791
>>>
>>> --
>>> Hasintha Indrajee
>>> WSO2, Inc.
>>> Mobile: +94 771892453
>>
>> --
>> Ishara Karunarathna
>> Technical Lead
>> WSO2 Inc. - lean . enterprise . middleware | wso2.com
>> email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94717996791
>
> --
> Hasintha Indrajee
> WSO2, Inc.
> Mobile: +94 771892453

--
Ishara Karunarathna
Technical Lead
WSO2 Inc. - lean . enterprise . middleware | wso2.com
email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94717996791
Re: [Dev] Setting commonAuth Cookie even after failing authorization in a fresh login attempt.
Hi Hasintha,

The same can happen in multi-step authentication where a user successfully logs in with the 1st authenticator and fails in the 2nd case.

On Mon, Jan 29, 2018 at 8:04 PM, Hasintha Indrajee <hasin...@wso2.com> wrote:
> We have the feature of enabling authorization for service providers [1]. Imagine a scenario where we log in to an SP for the very first time and authorization fails due to some violation of authorization policies. Even if authorization fails we do set the commonAuthId cookie in the response, which means the user has a valid SSO session from that point onwards.
>
> This can be seen from two perspectives.
>
> 1) The user is authenticated, but authorization fails. Hence we should set the cookie for SSO irrespective of the authorization decision.
>
> 2) But this may lead to an inconsistent state. Suppose this is the only application the user is allowed to log in to. But due to some policy violation, the first login fails. In the case of a shared computer this leads to a deadlock where the user can neither properly log in nor properly log out. We can use the workaround of calling commonAuthLogout=true. But this will not do a proper logout (logging out external IdPs). Hence on a shared computer the user has no option.

I think in this case the user should close the browser, then he won't get this issue. This is valid for multi-step authentication as well.

-Ishara

> Hence I think we can avoid setting the cookie until a user successfully accesses at least a single application upon successful authentication and authorization. So simply, even if the user is authenticated for the very first time, we will not set the cookie unless the user is authorized to access that particular application. (This only applies to the very first app the user is trying to log in to.)
>
> WDYT?
>
> [1] https://docs.wso2.com/display/IS530/Configuring+Access+Control+Policy+for+a+Service+Provider
>
> --
> Hasintha Indrajee
> WSO2, Inc.
> Mobile: +94 771892453

--
Ishara Karunarathna
Technical Lead
WSO2 Inc. - lean . enterprise . middleware | wso2.com
email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94717996791
Re: [Dev] Setting commonAuth Cookie even after failing authorization in a fresh login attempt.
Hi Hasintha,

On Mon, Jan 29, 2018 at 8:19 PM, Hasintha Indrajee <hasin...@wso2.com> wrote:
> Multi-step authentication is a different case I think. We don't set cookies in an intermediate state. What if we use "remember me"? So the cookie will be there even if we close the browser, isn't it?

Think of these authentication steps:
step1 : Federated authenticator
step2 : Local authenticator.

Then in step 1 the federated authenticator will create a session where the 2nd authentication fails. So the 2nd time also the user will automatically be redirected to the federated authenticator and authenticated, then fail in the 2nd case.

-Ishara

> On Mon, Jan 29, 2018 at 8:15 PM, Ishara Karunarathna <isha...@wso2.com> wrote:
>
>> Hi Hasintha,
>>
>> The same can happen in multi-step authentication where a user successfully logs in with the 1st authenticator and fails in the 2nd case.
>>
>> On Mon, Jan 29, 2018 at 8:04 PM, Hasintha Indrajee <hasin...@wso2.com> wrote:
>>
>>> We have the feature of enabling authorization for service providers [1]. Imagine a scenario where we log in to an SP for the very first time and authorization fails due to some violation of authorization policies. Even if authorization fails we do set the commonAuthId cookie in the response, which means the user has a valid SSO session from that point onwards.
>>>
>>> This can be seen from two perspectives.
>>>
>>> 1) The user is authenticated, but authorization fails. Hence we should set the cookie for SSO irrespective of the authorization decision.
>>>
>>> 2) But this may lead to an inconsistent state. Suppose this is the only application the user is allowed to log in to. But due to some policy violation, the first login fails. In the case of a shared computer this leads to a deadlock where the user can neither properly log in nor properly log out. We can use the workaround of calling commonAuthLogout=true. But this will not do a proper logout (logging out external IdPs). Hence on a shared computer the user has no option.
>>
>> I think in this case the user should close the browser, then he won't get this issue. This is valid for multi-step authentication as well.
>>
>> -Ishara
>>
>>> Hence I think we can avoid setting the cookie until a user successfully accesses at least a single application upon successful authentication and authorization. So simply, even if the user is authenticated for the very first time, we will not set the cookie unless the user is authorized to access that particular application. (This only applies to the very first app the user is trying to log in to.)
>>>
>>> WDYT?
>>>
>>> [1] https://docs.wso2.com/display/IS530/Configuring+Access+Control+Policy+for+a+Service+Provider
>>>
>>> --
>>> Hasintha Indrajee
>>> WSO2, Inc.
>>> Mobile: +94 771892453
>>
>> --
>> Ishara Karunarathna
>> Technical Lead
>> WSO2 Inc. - lean . enterprise . middleware | wso2.com
>> email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94717996791
>
> --
> Hasintha Indrajee
> WSO2, Inc.
> Mobile: +94 771892453

--
Ishara Karunarathna
Technical Lead
WSO2 Inc. - lean . enterprise . middleware | wso2.com
email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94717996791
Re: [Dev] IS Dashboard widgets are not loading due to 'webSocket' issue
> .runWorker(ThreadPoolExecutor.java:1142)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
> at java.lang.Thread.run(Thread.java:745)
> Caused by: org.mozilla.javascript.EcmaError: ReferenceError: "webSocket" is not defined. (/dashboard//session_manager.jag#7)
> at org.mozilla.javascript.ScriptRuntime.constructError(ScriptRuntime.java:3687)
> at org.mozilla.javascript.ScriptRuntime.constructError(ScriptRuntime.java:3665)
> at org.mozilla.javascript.ScriptRuntime.notFoundError(ScriptRuntime.java:3750)
> at org.mozilla.javascript.ScriptRuntime.name(ScriptRuntime.java:1728)
> at org.jaggeryjs.rhino.dashboard.c8._c_script_0(/dashboard//session_manager.jag:7)
> at org.jaggeryjs.rhino.dashboard.c8.call(/dashboard//session_manager.jag)
> at org.mozilla.javascript.ContextFactory.doTopCall(ContextFactory.java:394)
> at org.mozilla.javascript.ScriptRuntime.doTopCall(ScriptRuntime.java:3091)
> at org.jaggeryjs.rhino.dashboard.c8.call(/dashboard//session_manager.jag)
> at org.jaggeryjs.rhino.dashboard.c8.exec(/dashboard//session_manager.jag)
> at org.jaggeryjs.scriptengine.engine.RhinoEngine.execScript(RhinoEngine.java:567)
> ... 44 more
>
> Found a similar issue in [1].
>
> [1] https://wso2.org/jira/browse/IDENTITY-4141
>
> Thanks
> Sashika
>
> --
> Sashika Wijesinghe
> Software Engineer - QA Team
> Mobile : +94 (0) 774537487
> sash...@wso2.com

--
Ishara Karunarathna
Technical Lead
WSO2 Inc. - lean . enterprise . middleware | wso2.com
email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94717996791
Re: [Dev] Shouldn't we validate issuer id among users in service providers?
On Thu, Nov 30, 2017 at 1:50 PM, Ushani Balasooriya <ush...@wso2.com> wrote:
> Wum updated pack*

Can you please retry this? I just checked the WUM updated pack and didn't see that issue, and recently we didn't change anything in those areas, so it should not break in the 27 WUM as well.

-Ishara

> On 30 Nov 2017 1:31 pm, "Ushani Balasooriya" <ush...@wso2.com> wrote:
>
>> Hi Ishara,
>>
>> The 27th Nov win updated pack allowed adding an SP with the same issuer id.
>>
>> On 30 Nov 2017 10:36 am, "Ishara Karunarathna" <isha...@wso2.com> wrote:
>>
>>> Hi Ushani,
>>>
>>> How did you test this scenario? It does not allow registering two SPs with the same issuer id.
>>>
>>> -Ishara
>>>
>>> On Thu, Nov 30, 2017 at 8:22 AM, Ushani Balasooriya <ush...@wso2.com> wrote:
>>>
>>>> Hi IAM team,
>>>>
>>>> Please consider the below scenario.
>>>>
>>>> When I think of a system with admin and developer personas in the same tenant,
>>>>
>>>> 1. Admin registers a service provider as travelocity with issuer id travelocity.com and assertion consumer URL http://localhost:8080/travelocity.com/home.jsp and configures the federated IDP as Google.
>>>>
>>>> 2. Then the developer persona registers a service provider as travelocity.com with the same issuer id travelocity.com and assertion consumer URL http://localhost:8080/travelocity.com/home.jsp, since it does not validate the issuer id, and configures the federated IDP as Facebook.
>>>>
>>>> In this scenario, only the service provider name will be validated and the issuer id will not be validated.
>>>>
>>>> Therefore when we try to access the service provider, it will federate only through Google.
>>>>
>>>> This is a very rare negative use case, but when you think of different personas, I think this should be considered.
>>>>
>>>> Please correct me if I am wrong.
>>>>
>>>> Thanks,
>>>> --
>>>> Ushani Balasooriya
>>>> Associate Technical Lead - EE;
>>>> WSO2 Inc; http://www.wso2.com/.
>>>> Mobile; +94772636796
>>>
>>> --
>>> Ishara Karunarathna
>>> Technical Lead
>>> WSO2 Inc. - lean . enterprise . middleware | wso2.com
>>> email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94717996791

--
Ishara Karunarathna
Technical Lead
WSO2 Inc. - lean . enterprise . middleware | wso2.com
email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94717996791
Re: [Dev] Shouldn't we validate issuer id among users in service providers?
Hi Ushani,

How did you test this scenario? It does not allow registering two SPs with the same issuer id.

-Ishara

On Thu, Nov 30, 2017 at 8:22 AM, Ushani Balasooriya <ush...@wso2.com> wrote:
> Hi IAM team,
>
> Please consider the below scenario.
>
> When I think of a system with admin and developer personas in the same tenant,
>
> 1. Admin registers a service provider as travelocity with issuer id travelocity.com and assertion consumer URL http://localhost:8080/travelocity.com/home.jsp and configures the federated IDP as Google.
>
> 2. Then the developer persona registers a service provider as travelocity.com with the same issuer id travelocity.com and assertion consumer URL http://localhost:8080/travelocity.com/home.jsp, since it does not validate the issuer id, and configures the federated IDP as Facebook.
>
> In this scenario, only the service provider name will be validated and the issuer id will not be validated.
>
> Therefore when we try to access the service provider, it will federate only through Google.
>
> This is a very rare negative use case, but when you think of different personas, I think this should be considered.
>
> Please correct me if I am wrong.
>
> Thanks,
> --
> Ushani Balasooriya
> Associate Technical Lead - EE;
> WSO2 Inc; http://www.wso2.com/.
> Mobile; +94772636796

--
Ishara Karunarathna
Technical Lead
WSO2 Inc. - lean . enterprise . middleware | wso2.com
email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94717996791
Re: [Dev] What is the correct way to display service providers and identity providers for different admin role users
Hi Ushani,

On Wed, Nov 29, 2017 at 5:26 PM, Ushani Balasooriya <ush...@wso2.com> wrote:
> Hi IAM Team,
>
> Any update on this?

SP applications are specific to clients and IDP configurations are specific to the server. For example, let's say you create an application in FB and you can manage it; if needed you assign different users to the admin role, then only they can manage that application. And FB supports username/password authentication; later they decide to add federated authentication support, which is an IDP configuration, so that's managed by FB server admins.

-Ishara

> Thanks,
> Ushani
>
> On Wed, Nov 29, 2017 at 11:47 AM, Ushani Balasooriya <ush...@wso2.com> wrote:
>
>> Hi Maneesha,
>>
>> Thanks for the clarification. Appreciate it if someone can explain why this behavior is different for SPs and IDPs. If there is an explanation, it would be great to add it to the docs.
>>
>> Thanks,
>> Ushani
>>
>> On Wed, Nov 29, 2017 at 11:42 AM, Maneesha Wijesekara <manee...@wso2.com> wrote:
>>
>>> Hi Ushani,
>>>
>>> As per the current implementation, a service provider is only visible to the user who created it, at first. When creating service providers, by default a role is created as 'Application/{SERVICE_PROVIDER_NAME}'. In order to make the service provider available for the selected users, you can assign users to this role and the SP will be visible to them as well.
>>>
>>> +1 to add this to the documents.
>>>
>>> Regards
>>> Maneesha
>>>
>>> On Wed, Nov 29, 2017 at 11:02 AM, Ushani Balasooriya <ush...@wso2.com> wrote:
>>>
>>>> Hi IAM team,
>>>>
>>>> Please consider the below example.
>>>>
>>>> 1. admin user belonging to the admin role creates an SP named adminsp and an IDP named adminidp.
>>>>
>>>> 2. admin1 user belonging to the same admin role creates an SP named admin1sp and an IDP named admin1idp.
>>>>
>>>> So the current behavior is,
>>>> 1. Both admin and admin1 users can see the existing IDPs (adminidp and admin1idp) when they log in to the management console.
>>>>
>>>> 2. But they can only see the SP created by themselves. E.g., admin can see only adminsp and admin1 can see only admin1sp.
>>>>
>>>> Can you please explain whether this contradicting behavior is expected or whether this is a bug?
>>>>
>>>> If not a bug, please explain why, and it should go into the documents.
>>>>
>>>> Thanks,
>>>> --
>>>> Ushani Balasooriya
>>>> Associate Technical Lead - EE;
>>>> WSO2 Inc; http://www.wso2.com/.
>>>> Mobile; +94772636796
>>>
>>> --
>>> Maneesha Wijesekara
>>> Software Engineer - QA Team
>>> WSO2 Inc.
>>> Email: manee...@wso2.com
>>> Linkedin: http://linkedin.com/in/maneeshawijesekara
>>> Mobile: +94712443119
>>
>> --
>> Ushani Balasooriya
>> Associate Technical Lead - EE;
>> WSO2 Inc; http://www.wso2.com/.
>> Mobile; +94772636796
>
> --
> Ushani Balasooriya
> Associate Technical Lead - EE;
> WSO2 Inc; http://www.wso2.com/.
> Mobile; +94772636796

--
Ishara Karunarathna
Technical Lead
WSO2 Inc. - lean . enterprise . middleware | wso2.com
email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94717996791
Re: [Dev] Stress Test Google Federated Authenticator as IDP
Hi Chankami,

In these cases these IDPs will identify these requests as an attack and block them. And I don't think it's useful to load the IDP. I think your objective is to check whether IS can handle the federation flow. In that case you can use another IS as an IDP and do the test.

-Ishara

On Wed, Nov 29, 2017 at 3:03 PM, Chankami Maddumage <chank...@wso2.com> wrote:
> Hi All
>
> We have a solution to automate the Google federated authenticator as IDP where travelocity is used as SP.
>
> I have used JMeter to automate this scenario. When I access my SP, travelocity, it redirects to the federated IDP Google login page. Ideally, if I log in via the Google login page, it redirects me to the travelocity logged-in page.
>
> When I capture the request, I can see multiple parameters which are auto-generated from the Google side are passed for the login request.
>
> Also, when we try to load test the Google side, they block our requests.
>
> My question is, since I am in the process of stress testing the WSO2 IS federated authenticator login scenario, please advise me up to which level I should do the stress testing?
>
> For example, should I stress test only up to the login page, or is there any other correct way to proceed with this scenario?
>
> This problem is there for other connectors like Facebook, Twitter etc.
>
> --
> Best Regards,
>
> Chankami Maddumage
> Software Engineer - QA Team
> WSO2 Inc; http://www.wso2.com/.
> Mobile: +94 (0) 73096

--
Ishara Karunarathna
Technical Lead
WSO2 Inc. - lean . enterprise . middleware | wso2.com
email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94717996791
Re: [Dev] SPML Outbound provisioning Use case
Hi Ushani,

On Tue, Nov 14, 2017 at 10:22 AM, Ushani Balasooriya <ush...@wso2.com> wrote:
> Hi,
>
> @Farsath - Thanks Farsath for the clear explanation. I just had it configured since I was validating a scenario for testing purpose. Shouldn't we remove the SPML connector from the product and documents if it is deprecated? If we are going to have it in the product, I think the document should provide adequate information.
>
> @Ishara - I will try SCIM outbound provisioning connector as well in my latter part of testing.

At the moment SPML is not a high priority item for Identity Server, so we are not focusing on doing improvements to the SPML related implementation or documentation. And I also agree with you: since it's in the doc we need to clarify it more, but we can do it in future. In a practical scenario only users who are interested in SPML will try it, but I doubt if there are any. So better to invest time on SCIM since it's high priority.

Thanks.
-Ishara

> Thanks,
> Ushani
>
> On Mon, Nov 13, 2017 at 7:07 PM, Ishara Karunarathna <isha...@wso2.com> wrote:
>> Hi Ushani,
>>
>> Shall we try with the SCIM outbound provisioning scenario?
>> SPML is not a widely used provisioning mechanism in the industry, but testing SCIM is important.
>>
>> Thanks,
>> Ishara
>>
>> On Mon, Nov 13, 2017 at 7:01 PM, Farasath Ahamed <farasa...@wso2.com> wrote:
>>> Hi Ushani,
>>>
>>> When you configure an outbound provisioning to *Resident Service Provider*, any changes you do to local users will be provisioned to configured outbound provisioning connectors.
>>>
>>> So,
>>>
>>> SCIM Call ---> Resident SP --> Provision using SPML.
>>>
>>> By configuring an outbound provisioning connector you are asking IS to sync any changes (any CRUD operation) you do to a local user (in a user store) with an external entity. You would observe the same behaviour even if you add a user from the management console.
>>>
>>> Any CRUD to local user ---> Resident SP --> Trigger outbound provisioning connectors.
>>>
>>> Any particular reason you are trying out SPML since it's a deprecated connector?
>>>
>>> Thanks,
>>> Farasath
>>>
>>> Farasath Ahamed
>>> Software Engineer, WSO2 Inc.; http://wso2.com
>>> Mobile: +94777603866
>>> Blog: blog.farazath.com
>>> Twitter: @farazath619 <https://twitter.com/farazath619>
>>>
>>> On Mon, Nov 13, 2017 at 6:31 PM, Ushani Balasooriya <ush...@wso2.com> wrote:
>>>> Hi IAM Team,
>>>>
>>>> Can you please explain to me how the SPML outbound connector works?
>>>>
>>>> In my scenario, I am adding a user via SCIM and trying to update the user via SCIM. I have enabled the SPML connector and added it under the resident service provider.
>>>>
>>>> When I add a user via SCIM, I get the below warning. Please explain why it triggers the SPML connector when I add a user via SCIM.
>>>>
>>>> I cannot find enough information in this doc [1]
>>>>
>>>> [1] https://docs.wso2.com/display/IS530/Outbound+Provisioning+with+SPML
>>>>
>>>> [2017-11-13 18:26:39,204] WARN {org.wso2.carbon.identity.provisioning.connector.spml.SPMLProvisioningConnector} - Unsupported provisioning opertaion.
>>>> [2017-11-13 18:26:39,212] WARN {org.wso2.carbon.identity.provisioning.connector.spml.SPMLProvisioningConnector} - Unsupported provisioning opertaion.
>>>> [2017-11-13 18:26:39,218] WARN {org.wso2.carbon.identity.provisioning.connector.spml.SPMLProvisioningConnector} - Unsupported provisioning opertaion.
>>>> [2017-11-13 18:26:39,227] ERROR {org.wso2.carbon.identity.provisioning.connector.spml.SPMLProvisioningConnector} - Error while SPML user updating
>>>>
>>>> Thanks,
>>>> --
>>>> *Ushani Balasooriya*
>>>> Associate Technical Lead - EE;
>>>> WSO2 Inc; http://www.wso2.com/.
>>>> Mobile; +94772636796
>>
>> --
>> Ishara Karunarathna
>> Associate Technical Lead
>> WSO2 Inc. - lean . enterprise . middleware | wso2.com
>>
>> email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94717996791
[Dev] Why do we need to patch authentication.framework.jar when deploying CAS artifacts
Hi Connector team,

Why do we need to do the $subject? And if it's a customization, where can I find the source code?

Thanks,
Ishara
Re: [Dev] SPML Outbound provisioning Use case
Hi Ushani,

Shall we try with the SCIM outbound provisioning scenario?
SPML is not a widely used provisioning mechanism in the industry, but testing SCIM is important.

Thanks,
Ishara

On Mon, Nov 13, 2017 at 7:01 PM, Farasath Ahamed <farasa...@wso2.com> wrote:
> Hi Ushani,
>
> When you configure an outbound provisioning to *Resident Service Provider*, any changes you do to local users will be provisioned to configured outbound provisioning connectors.
>
> So,
>
> SCIM Call ---> Resident SP --> Provision using SPML.
>
> By configuring an outbound provisioning connector you are asking IS to sync any changes (any CRUD operation) you do to a local user (in a user store) with an external entity. You would observe the same behaviour even if you add a user from the management console.
>
> Any CRUD to local user ---> Resident SP --> Trigger outbound provisioning connectors.
>
> Any particular reason you are trying out SPML since it's a deprecated connector?
>
> Thanks,
> Farasath
>
> Farasath Ahamed
> Software Engineer, WSO2 Inc.; http://wso2.com
> Mobile: +94777603866
> Blog: blog.farazath.com
> Twitter: @farazath619 <https://twitter.com/farazath619>
>
> On Mon, Nov 13, 2017 at 6:31 PM, Ushani Balasooriya <ush...@wso2.com> wrote:
>> Hi IAM Team,
>>
>> Can you please explain to me how the SPML outbound connector works?
>>
>> In my scenario, I am adding a user via SCIM and trying to update the user via SCIM. I have enabled the SPML connector and added it under the resident service provider.
>>
>> When I add a user via SCIM, I get the below warning. Please explain why it triggers the SPML connector when I add a user via SCIM.
>>
>> I cannot find enough information in this doc [1]
>>
>> [1] https://docs.wso2.com/display/IS530/Outbound+Provisioning+with+SPML
>>
>> [2017-11-13 18:26:39,204] WARN {org.wso2.carbon.identity.provisioning.connector.spml.SPMLProvisioningConnector} - Unsupported provisioning opertaion.
>> [2017-11-13 18:26:39,212] WARN {org.wso2.carbon.identity.provisioning.connector.spml.SPMLProvisioningConnector} - Unsupported provisioning opertaion.
>> [2017-11-13 18:26:39,218] WARN {org.wso2.carbon.identity.provisioning.connector.spml.SPMLProvisioningConnector} - Unsupported provisioning opertaion.
>> [2017-11-13 18:26:39,227] ERROR {org.wso2.carbon.identity.provisioning.connector.spml.SPMLProvisioningConnector} - Error while SPML user updating
>>
>> Thanks,
>> --
>> *Ushani Balasooriya*
>> Associate Technical Lead - EE;
>> WSO2 Inc; http://www.wso2.com/.
>> Mobile; +94772636796
Re: [Dev] Usage of "tocommonauth" property in OAuth2 Authorize Endpoint
Hi Isura,

On Fri, Oct 27, 2017 at 7:43 PM, Isura Karunaratne <is...@wso2.com> wrote:
> Hi all,
>
> If the "tocommonauth" property value is true, the authentication response from the login page will forward to the commonauth endpoint through the OAuth2 Authorize Endpoint.
>
> - IIRC, this was done to reduce the number of redirections in the OAuth flow, but I think it is better to handle all the login responses from the commonauth endpoint.

This is used in the SAML flow as well to reduce the redirections.

> - Do we need to continue supporting this or shall we remove this?

At the moment in IS components we are not setting this parameter, but there are some other components, e.g. App Manager, using this (maybe customers might have implemented authenticators with this parameter). Do you see any issues supporting this? If not, I think it's better to keep this.

-Ishara

> String isToCommonOauth = request.getParameter(FrameworkConstants.RequestParams.TO_COMMONAUTH);
>
> if ("true".equals(isToCommonOauth) && flowStatus == null) {
>     try {
>         return sendRequestToFramework(request, response);
>     } catch (ServletException | IOException e) {
>         log.error("Error occurred while sending request to authentication framework.");
>         return Response.status(HttpServletResponse.SC_INTERNAL_SERVER_ERROR).build();
>     }
> }
>
> Thanks
> Isura.
>
> --
> *Isura Dilhara Karunaratne*
> Associate Technical Lead | WSO2
> Email: is...@wso2.com
> Mob : +94 772 254 810
> Blog : http://isurad.blogspot.com/
Re: [Dev] Have we tested the new DCR on IS 5.4.0 Alpha2?
Hi Nuwan,

On Fri, Sep 15, 2017 at 7:14 AM, Nuwan Dias <nuw...@wso2.com> wrote:
> Hi Hasintha,
>
> Isn't this the old DCR implementation? This one doesn't mention DCRM. Where can I get information on using DCRM?
>
> I was under the impression the new DCR implementation was documented at [3]. This doc mentions DCRM too, hence why I thought that should be the new implementation of DCR/M.

Yes, that is the old implementation and you should use [3]. But this sample request in the yaml needs to be changed: we no longer support the ext_param_owner property; instead we get it from the authenticated user. So the request should be:

Payload: {"redirect_uris":["https://client.example.org/callback"],"client_name": "application_3","grant_types": ["password"]}

Thanks,
Ishara

> [3] - https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth.dcr.endpoint/src/main/resources/api.identity.oauth.dcr.endpoint.yaml
>
> Thanks,
> NuwanD.
>
> On Fri, Sep 15, 2017 at 5:39 AM, Hasintha Indrajee <hasin...@wso2.com> wrote:
>> For IS the endpoint should be https://localhost:9443/identity/connect/register. Refer [1][2]
>>
>> [1] http://openid.net/specs/openid-connect-registration-1_0.html
>> [2] https://docs.wso2.com/display/IS540/OpenID+Connect+Dynamic+Client+Registration
>
> --
> Nuwan Dias
>
> Software Architect - WSO2, Inc. http://wso2.com
> email : nuw...@wso2.com
> Phone : +94 777 775 729
Re: [Dev] SCIM 2.0 as default in IS 5.4.0
Hi Pulasthi,

Initially, industry adoption of SCIM 2.0 was less compared to SCIM 1.1, but it seems to be getting on track [1], so +1, let's make SCIM 2.0 the default.

-Ishara

[1] http://www.simplecloud.info/

On Mon, Sep 11, 2017 at 5:34 PM, Pulasthi Mahawithana <pulast...@wso2.com> wrote:
> Hi,
>
> Shall we make $subject instead of SCIM 1.1? Any known issues on having it as default? Users who are migrating from older versions will still have SCIM 1.1 configs and won't be affected as they would keep the old configs.
>
> --
> *Pulasthi Mahawithana*
> Senior Software Engineer
> WSO2 Inc., http://wso2.com/
> Mobile: +94-71-5179022
> Blog: https://medium.com/@pulasthi7/
Re: [Dev] [IS] [SCIM] Why Can't We Enable Both SCIM1 and SCIM2 at the Same Time?
Hi,

On Thu, Aug 31, 2017 at 7:26 AM, Sagara Gunathunga <sag...@wso2.com> wrote:
> On Thu, Aug 31, 2017 at 12:12 AM, Vindula Jayawardana <vindula...@cse.mrt.ac.lk> wrote:
>> Hi,
>>
>> IMO, we should be able to enable both at the same time. What is the issue you faced when enabling both?
>>
>> Achieving interoperability between 1.1 consumers and 2.0 providers can have two practical approaches. One approach is to have a multi-protocol ability in the SCIM service provider’s end. This could be potentially done through a unique URL structure (https://localhost:9443/wso2/scim/Users and https://localhost:9443/scim2/Users). That means the provider can accept both 1.1 and 2.0 consumers. On the other hand, the SCIM consumer can be modified to support the 1.1 and 2.0 protocols. However, since SCIM specifications are focusing on keeping things simple and easy at the consumer end, I would rather suggest the first approach. That’s why we should be able to enable both the protocols at the same time.
>>
>> *Vindula Jayawardana*
>> Computer Science and Engineering Dept.
>> University of Moratuwa
>> mobile : +713462554
>> Email : vindula...@cse.mrt.ac.lk
>>
>> *“Respect is how to treat everyone, not just those you want to impress."*
>> *-Richard Branson-*
>>
>> On 30 August 2017 at 18:33, Sathya Bandara <sat...@wso2.com> wrote:
>>> Hi Thilina,
>>>
>>> If we enable both SCIM1 and SCIM2 listeners at the same time, two different SCIM IDs will be generated for the same user when adding a new user through SCIM. Also both SCIM1 and SCIM2 claims are mapped to the same LDAP user attributes. Even though both listeners get triggered, only the SCIM1 ID is mapped to the user ID attribute. But the SCIM2 user creation response will contain the SCIM ID generated by the SCIM2 listener.
>
> This is not a SCIM related problem but a limitation of our implementation; SCIM is just an interface or wrapping layer for our user/role management layer. Ideally it should not perform tasks such as ID generation on its own; instead, once the SCIM protocol specific processing is completed, both SCIM1 and SCIM2 implementations should delegate requests into a common layer. In that way we can provide interoperability between SCIM1 and SCIM2.
>
> +1 for Vindula's suggestion on the multi-protocol approach.

Technically this is possible, so +1 for doing this for 5.4.0. But I don't see any value in supporting both together since these are only user management APIs and sooner or later we have to deprecate SCIM 1.1.

Thanks,
Ishara

> Thanks !
>
>>> Thanks,
>>> Sathya
>>>
>>> On Wed, Aug 30, 2017 at 6:25 PM, Thilina Madumal <thilina...@wso2.com> wrote:
>>>> Hi all,
>>>>
>>>> While I was trying to fix IDENTITY-6315 <https://wso2.org/jira/browse/IDENTITY-6315> I got to know that we can't enable both SCIM1 and SCIM2 at the same time in WSO2 Identity Server. Is it because of this specific issue or are there any other reasons?
>>>>
>>>> Thanks & Regards,
>>>> Thilina.
>>>>
>>>> --
>>>> *Thilina Madumal*
>>>> *Software Engineer | WSO2*
>>>> Email: thilina...@wso2.com
>>>> Mobile: +94 774553167
>>>> Web: http://wso2.com
>>>
>>> --
>>> Sathya Bandara
>>> Software Engineer
>>> WSO2 Inc. http://wso2.com
>>> Mobile: (+94) 715 360 421
>
> --
> Sagara Gunathunga
>
> Associate Director / Architect; WSO2, Inc.; http://wso2.com
> V.P Apache Web Services; http://ws.apache.org/
> Linkedin; http://www.linkedin.com/in/ssagara
> Blog ; http://ssagara.blogspot.com
Re: [Dev] [GSOC-2017] [IS] [OAuth DCRM] Integration Test for the implementation of OAuth 2.0 DCRM protocol
Hi,

Thanks Abilashini, will review the PR.

-Ishara

On Wed, Aug 9, 2017 at 1:05 PM, Abilashini Thiyagarajah <abilashini...@cse.mrt.ac.lk> wrote:
> Hi,
>
> Please find the PR of the integration test cases [1] for the implementation of the OAuth DCRM protocol [2].
>
> Covered test cases in this PR are as follows:
>
> 1. Successful Read service provider
> 2. Read request with invalid client ID in the endpoint URL
> 3. Successful update service provider
> 4. Update request with invalid client ID in the endpoint URL
> 5. Update request with invalid client ID
> 6. Update request with invalid client secret
> 7. Update request without grant type
> 8. Update request with invalid grant type
> 9. Successful Delete service provider
> 10. Delete request with invalid client ID in the endpoint URL
>
> Please share your feedback to improve further.
>
> [1] https://github.com/wso2/product-is/pull/1293
> [2] https://github.com/wso2-extensions/identity-inbound-auth-oauth/pull/396
>
> Best Regards,
> Abilashini
>
> *Thiyagarajah Abilashini*
> Student
> Department of Computer Science and Engineering
> University of Moratuwa, Sri Lanka
Re: [Dev] [VOTE] Release WSO2 Carbon Kernel 4.4.17 RC2
Hi Chandana,

The IS team is waiting on this kernel release. You have already fixed the issue raised by Lahiru. Can you give us an update on this release?

-Ishara

On Wed, Jul 19, 2017 at 12:45 PM, Lahiru Manohara <lahir...@wso2.com> wrote:
> Hi Chandana,
>
> I have created an issue [1].
>
> 1. https://github.com/wso2/carbon-kernel/issues/1442
>
> Best Regards,
>
> On Wed, Jul 19, 2017 at 11:56 AM, Chandana Napagoda <chand...@wso2.com> wrote:
>> Hi All,
>>
>> We are dropping the carbon kernel 4.4.17 RC2 and will share the new release candidate soon.
>>
>> @Lahiru, could you please create an issue for this?
>>
>> Regards,
>> Chandana
>>
>> On Tue, Jul 18, 2017 at 2:45 PM, Lahiru Manohara <lahir...@wso2.com> wrote:
>>> The provided public certificate in the default keystore is expired. It is issued only for 3 months and it is already expired. Please update the certificate with a longer duration.
>>>
>>> [x] Broken - Do not release
>>>
>>> Best Regards,
>>>
>>> On Fri, Jul 14, 2017 at 11:40 PM, Rushmin Fernando <rush...@wso2.com> wrote:
>>>> Built IS 5.x.x branch with the integration tests.
>>>>
>>>> Manually tested user management.
>>>> 1) In tenants
>>>> 2) Using the embedded LDAP primary user store
>>>> 3) Using a JDBC secondary user store
>>>>
>>>> Found no issues.
>>>>
>>>> [x] Stable - Go ahead and release
>>>>
>>>> On Fri, Jul 14, 2017 at 2:04 PM, Chandana Napagoda <chand...@wso2.com> wrote:
>>>>> Hi All,
>>>>>
>>>>> This is the 2nd release candidate of WSO2 Carbon Kernel 4.4.17.
>>>>>
>>>>> This release fixes the following issues
>>>>> https://github.com/wso2/carbon-kernel/milestone/15?closed=1
>>>>>
>>>>> Please download and test your products with kernel 4.4.17 RC2 and vote. The vote will be open for 72 hours or as long as needed.
>>>>>
>>>>> Maven staging repository:
>>>>> https://maven.wso2.org/nexus/content/repositories/orgwso2carbon-1184/
>>>>>
>>>>> The tag to be voted upon:
>>>>> https://github.com/wso2/carbon-kernel/releases/tag/v4.4.17-rc2
>>>>>
>>>>> [ ] Broken - Do not release (explain why)
>>>>> [ ] Stable - Go ahead and release
>>>>>
>>>>> Thank you
>>>>> Platform Team
>>>>>
>>>>> --
>>>>> *Chandana Napagoda*
>>>>> Associate Technical Lead
>>>>> WSO2 Inc. - http://wso2.org
>>>>>
>>>>> Email : chand...@wso2.com
>>>>> Mobile : +94718169299
>>>>> Blog : http://cnapagoda.blogspot.com | http://chandana.napagoda.com
>>>>> Linkedin : http://www.linkedin.com/in/chandananapagoda
>>>>
>>>> --
>>>> *Best Regards*
>>>>
>>>> *Rushmin Fernando*
>>>> *Technical Lead*
>>>>
>>>> WSO2 Inc. <http://wso2.com/> - Lean . Enterprise . Middleware
>>>>
>>>> mobile : +94775615183
>>>
>>> --
>>> *Lahiru Manohara*
>>> *Software Engineer*
>>> Mobile: +94716561576
>>> WSO2 Inc. | http://wso2.com
>>> lean.enterprise.middleware
Re: [Dev] Please increase the TOKEN_SCOPE column length in IDN_OAUTH2_ACCESS_TOKEN_SCOPE table
On Thu, Jun 22, 2017 at 3:44 PM, Bhathiya Jayasekara <bhath...@wso2.com> wrote:
> I think the problem is we have sent the list as a comma-separated list. Due to that IS may think that's a single scope.

Yes, only space should be used to separate scopes.

-Ishara

> @Naduni: Please try again with a space separated list, and update if it works.
>
> Thanks,
> Bhathiya
>
> On Thu, Jun 22, 2017 at 3:37 PM, Maduranga Siriwardena <madura...@wso2.com> wrote:
>> Hi Naduni,
>>
>> Please note that scope in [1] is a single scope value and the other 2 places have the whole scope string for a token (or authorization code).
>>
>> As you get this error, it seems your single scope values are more than 60 characters in length.
>>
>> [1] https://github.com/wso2/carbon-identity-framework/blob/master/features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/mysql.sql#L105
>>
>> Thanks,
>>
>> On Thu, Jun 22, 2017 at 12:53 PM, Naduni Pamudika <nad...@wso2.com> wrote:
>>> Thanks a lot Indunil.
>>>
>>> On Thu, Jun 22, 2017 at 12:38 PM, Isura Karunaratne <is...@wso2.com> wrote:
>>>> On Thu, Jun 22, 2017 at 12:21 PM, Nuwan Dias <nuw...@wso2.com> wrote:
>>>>> Please remember to include this change in the migration script (5.3.0 to 5.4.0) as well.
>>>>
>>>> Noted. [1] is used to maintain the changes from 5.3.0 to 5.4.0.
>>>>
>>>> [1] https://wso2.org/jira/browse/IDENTITY-6094
>>>>
>>>> Thanks
>>>> Isura.
>>>>
>>>>> On Thu, Jun 22, 2017 at 12:19 PM, Indunil Upeksha Rathnayake <indu...@wso2.com> wrote:
>>>>>> Hi,
>>>>>>
>>>>>> Created a JIRA for this in [1], will be fixed in 5.4.0-m2.
>>>>>>
>>>>>> [1] https://wso2.org/jira/browse/IDENTITY-6093
>>>>>>
>>>>>> Thanks and Regards
>>>>>>
>>>>>> On Thu, Jun 22, 2017 at 11:54 AM, Naduni Pamudika <nad...@wso2.com> wrote:
>>>>>>> Hi IS Team,
>>>>>>>
>>>>>>> I am working on the SSO Login feature in APIM, and there I need to have a bit longer scopes list. When I was trying to send the access token request it gave an error saying "Value too long for column "TOKEN_SCOPE VARCHAR(60) NOT NULL"".
>>>>>>>
>>>>>>> Noticed that you have size 2048 for the scopes in other places [1,2]. Can you please increase this [3] as well?
>>>>>>>
>>>>>>> [1] https://github.com/wso2/carbon-identity-framework/blob/master/features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/mysql.sql#L31
>>>>>>> [2] https://github.com/wso2/carbon-identity-framework/blob/master/features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/mysql.sql#L86
>>>>>>> [3] https://github.com/wso2/carbon-identity-framework/blob/master/features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/mysql.sql#L105
>>>>>>>
>>>>>>> Thank you.
>>>>>>> Naduni
>>>>>>>
>>>>>>> --
>>>>>>> *Naduni Pamudika*
>>>>>>> Software Engineer | WSO2
>>>>>>> Mobile: +94 719 143658
>>>>>>
>>>>>> --
>>>>>> Indunil Upeksha Rathnayake
>>>>>> Software Engineer | WSO2 Inc
>>>>>> Email indu...@wso2.com
>>>>>> Mobile 0772182255
>>>>>
>>>>> --
>>>>> Nuwan Dias
>>>>>
Re: [Dev] Improvements to OAuth Dynamic Client Registration
>>>>>> University of Moratuwa, Sri Lanka
>>>>>>>>>>>
>>>>>>>>>>> On 9 May 2017 at 09:16, Maduranga Siriwardena <madura...@wso2.com> wrote:
>>>>>>>>>>>> Hi Abilashini,
>>>>>>>>>>>>
>>>>>>>>>>>> As discussed, can you start working on [1] and [2] to improve the existing DCR functionality. If you need any clarification or help, please get back to us.
>>>>>>>>>>>>
>>>>>>>>>>>> [1] https://wso2.org/jira/browse/IDENTITY-5529
>>>>>>>>>>>> [2] https://wso2.org/jira/browse/IDENTITY-5185
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks,
>>>>>>>>>>>> --
>>>>>>>>>>>> Maduranga Siriwardena
>>>>>>>>>>>> Senior Software Engineer
>>>>>>>>>>>> WSO2 Inc; http://wso2.com/
>>>>>>>>>>>>
>>>>>>>>>>>> Email: madura...@wso2.com
>>>>>>>>>>>> Mobile: +94718990591
>>>>>>>>>>>> Blog: https://madurangasiriwardena.wordpress.com/
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Dimuthu De Lanerolle
>>>>>>>>>> Software Engineer
>>>>>>>>>> WSO2 Inc.
>>>>>>>>>> lean . enterprise . middlewear.
>>>>>>>>>> http://wso2.com/
>>>>>>>>>> Tel. : +94 11 2145345 Fax : +94 11 2145300 email : dimut...@wso2.com
>>>>>
>>>>> --
>>>>> Pushpalanka.
>>>>> --
>>>>> Pushpalanka Jayawardhana, B.Sc.Eng.(Hons).
>>>>> Senior Software Engineer, WSO2 Lanka (pvt) Ltd; wso2.com/
>>>>> Mobile: +94779716248
>>>>> Blog: pushpalankajaya.blogspot.com/ | LinkedIn: lk.linkedin.com/in/pushpalanka/ | Twitter: @pushpalanka
>
> --
> *Bhathiya Jayasekara*
> *Associate Technical Lead,*
> *WSO2 inc., http://wso2.com*
>
> *Phone: +94715478185*
> *LinkedIn: http://www.linkedin.com/in/bhathiyaj*
> *Twitter: https://twitter.com/bhathiyax*
> *Blog: http://movingaheadblog.blogspot.com*
Re: [Dev] Implemeting Scope Validator
The intention of using the scope validator is to handle OIDC support in a single place.

On Tue, May 16, 2017 at 7:52 PM, Farasath Ahamed wrote:
> On Tue, May 16, 2017 at 7:38 PM, Hasanthi Purnima Dissanayake <hasan...@wso2.com> wrote:
>> Hi All,
>> In our current OIDC implementation we support the below four grant types and issue id tokens and user info claims for all of the below grant types.
>>
>> - authorization_code
>> - implicit
>> - client_credential
>> - password
>
> What about extension grant types like SAML2BearerGrant, JWTBearer or any other custom grant type we write?
> AFAIR we do issue id_tokens to any grant type when the "openid" scope is present.
>
>> Among those 4 grant types that we have implemented, the OIDC spec discusses only the implicit and authorization_code grant types. According to the spec the "openid" scope value is a must to inform the Authorization Server that the client is making an OpenID Connect request. So we have introduced a new property in identity.xml as below and we have implemented a scope validator to validate whether the grant types are authorization_code, implicit or password if the scope is openid.
>>
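A scope check covering both the TOKEN_SCOPE thread above (scopes are space-delimited, and each single scope must fit the 60-character column) and this scope-validator thread (openid only with the listed grant types). This is an added Python example, not WSO2 IS code; the column length, the allowed grant-type set and every function name here are assumptions that mirror the threads.

```python
"""OAuth 2.0 scope handling for a token endpoint (added example, not WSO2 code).

Two failure modes from the threads:
  * RFC 6749 section 3.3 delimits scopes with a single space, so the
    comma-separated "a,b,c" is ONE scope-token. That is how a list of scopes
    overflows a VARCHAR(60) TOKEN_SCOPE column that was sized for one scope.
  * OpenID Connect defines only the authorization code and implicit flows
    (plus hybrid), so an "openid" scope has to be paired with a grant type the
    deployment has decided to treat as OIDC.
"""
import re
from typing import Iterable, Optional

# Assumed from the error quoted in the thread: "TOKEN_SCOPE VARCHAR(60) NOT NULL".
TOKEN_SCOPE_COLUMN_LENGTH = 60

# Grant types allowed to carry "openid"; the thread names these three.
# In IS this lives in an identity.xml property whose key is not on the page.
OIDC_ALLOWED_GRANT_TYPES = frozenset({"authorization_code", "implicit", "password"})

# RFC 6749 section 3.3: scope-token = 1*( %x21 / %x23-5B / %x5D-7E ),
# i.e. printable ASCII without space, double quote and backslash.
_SCOPE_TOKEN = re.compile(r"^[\x21\x23-\x5B\x5D-\x7E]+$")


class ScopeError(ValueError):
    """A malformed scope parameter or a disallowed scope/grant-type pairing."""


def parse_scope(scope_param: Optional[str]) -> list:
    """Split the scope parameter into scope-tokens, preserving order.

    A comma is legal inside a scope-token, which is exactly why a comma
    separated list silently becomes one long scope; reject it so the client
    gets an error instead of a row that fails to insert.
    """
    if not scope_param:
        return []
    scopes = []
    for token in scope_param.split(" "):
        if not token:                      # doubled / leading / trailing spaces
            continue
        if "," in token:
            raise ScopeError(f"scope {token!r} contains a comma; "
                             "scopes must be space-delimited (RFC 6749 3.3)")
        if not _SCOPE_TOKEN.match(token):
            raise ScopeError(f"scope {token!r} has characters outside scope-token")
        if token not in scopes:            # drop duplicates, keep first
            scopes.append(token)
    return scopes


def validate_scopes(scopes: Iterable[str], grant_type: str) -> list:
    """Reject scopes the store cannot hold and openid on non-OIDC grant types."""
    accepted = list(scopes)
    for scope in accepted:
        if len(scope) > TOKEN_SCOPE_COLUMN_LENGTH:
            raise ScopeError(f"scope {scope!r} is {len(scope)} chars; TOKEN_SCOPE "
                             f"holds at most {TOKEN_SCOPE_COLUMN_LENGTH}")
    if "openid" in accepted and grant_type not in OIDC_ALLOWED_GRANT_TYPES:
        raise ScopeError(f"grant_type {grant_type!r} may not request the openid scope")
    return accepted


def check_token_request(scope_param: Optional[str], grant_type: str) -> str:
    """Parse and validate; return the canonical space-joined scope string."""
    return " ".join(validate_scopes(parse_scope(scope_param), grant_type))


def rejection_reason(scope_param: Optional[str], grant_type: str) -> Optional[str]:
    """None when the request is acceptable, otherwise the ScopeError message."""
    try:
        check_token_request(scope_param, grant_type)
    except ScopeError as err:
        return str(err)
    return None


if __name__ == "__main__":
    # Constructed inputs mirroring the failures discussed in the threads.
    cases = [
        ("openid apim:api_view  apim:api_view", "password"),        # accepted
        ("openid,apim:api_view,apim:api_create", "password"),       # comma list
        ("openid", "client_credentials"),                           # openid on CC
        ("x" * (TOKEN_SCOPE_COLUMN_LENGTH + 1), "authorization_code"),  # too long
    ]
    for scope_param, grant_type in cases:
        reason = rejection_reason(scope_param, grant_type)
        if reason is None:
            print("accepted:", check_token_request(scope_param, grant_type))
        else:
            print("rejected:", reason)
```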
Re: [Dev] [APIM][C5] - Best Way to get the end user information
On Sun, May 14, 2017 at 12:54 PM, Nuwan Dias <nuw...@wso2.com> wrote:
> Ok. All of these are extensions anyway. If some IDP sends the same responses as IS, the benefit is that we can just plug and play. If there are differences we basically have to write code and deploy as extensions.

Yes, these implementations can differ from IDP to IDP. So better to do the default implementation with IS and keep extensions for other implementations.

> On Sun, 14 May 2017 at 12:44 pm, Farasath Ahamed <farasa...@wso2.com> wrote:
>> On Sun, May 14, 2017 at 12:30 PM, Nuwan Dias <nuw...@wso2.com> wrote:
>>> It looks like we may have to use the introspect to validate the token and use a proprietary API in IS to get user claims.
>>
>> Sending the username of the authorized user in the introspection response is not mandatory. IS sends it by default. This may not be the same with external Key Managers. So we might have to consider that as well.
>>
>>> When using an external KM we will have to override the part that gets user claims. That's of course if they want to send JWT to target endpoints only.
>>>
>>> On Sun, 14 May 2017 at 8:57 am, Bhathiya Jayasekara <bhath...@wso2.com> wrote:
>>>> Hi Ishara,
>>>>
>>>> On Sun, May 14, 2017 at 8:51 AM, Ishara Karunarathna <isha...@wso2.com> wrote:
>>>>> Hi,
>>>>>
>>>>> On Sun, May 14, 2017 at 8:42 AM, Ishara Karunarathna <isha...@wso2.com> wrote:
>>>>>> Hi Bhathiya,
>>>>>>
>>>>>> On Sun, May 14, 2017 at 8:18 AM, Bhathiya Jayasekara <bhath...@wso2.com> wrote:
>>>>>>> Hi Ishara,
>>>>>>>
>>>>>>> On Sun, May 14, 2017 at 7:16 AM, Ishara Karunarathna <isha...@wso2.com> wrote:
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> In the current implementations you get a JWT token from the token validation service regardless of the grant types.
>>>>>>>> But this would be a problem when you go with standards only. For example you may not be able to get an ID token from the IDP if it's only supporting specifications.
>>>>>>>
>>>>>>> We thought of using the "openid" scope when generating the token and then calling userinfo after validating (introspect) the token. I expect that should work if the IDP is compliant with the specs. WDYT?
>>>>>>
>>>>>> What I'm saying is that not all the OAuth grant types work with OIDC.
>>>>>> For example in password grant type you can't use OIDC. OIDC defines only authorization code and implicit grant types (it has a hybrid flow as well).
>>>>>> In that case you can't expect to get an ID token for all grant types.
>>>>
>>>> Oh, that's going to be a problem.
>>>>
>>>>> So do you need this user information in all the cases ??
>>>>
>>>> Yes we may need it, specially in password grant type. If this is not going to work, we will have to think of a different solution (like the SCIM one you suggested).
>>>>
>>>> Thanks,
>>>> Bhathiya
>>>>
>>>>> One option that comes to my mind is:
>>>>> in the token introspection response get the user name,
>>>>> and then call a SCIM endpoint (or any other API to get the user information) to get the user information.
>>>>>
>>>>> But this also has an issue: this username is an optional parameter.
>>>>>
>>>>>> So do you need this user information in all the cases ??
>>>>>>
>>>>>>> Thanks,
>>>>>>> Bhathiya
>>>>>>>
>>>>>>>> so this has to be address ca
Re: [Dev] [APIM][C5] - Best Way to get the end user information
Hi,

On Sun, May 14, 2017 at 8:42 AM, Ishara Karunarathna <isha...@wso2.com> wrote:

> Hi Bhathiya,
>
> On Sun, May 14, 2017 at 8:18 AM, Bhathiya Jayasekara <bhath...@wso2.com> wrote:
>
>> Hi Ishara,
>>
>> On Sun, May 14, 2017 at 7:16 AM, Ishara Karunarathna <isha...@wso2.com> wrote:
>>
>>> Hi,
>>>
>>> In the current implementations you get a JWT token from the token validation service regardless of the grant types.
>>> But this would be a problem when you go with standards only. For example you may not be able to get an ID token from the IDP if it's only supporting specifications.
>>>
>> We thought of using the "openid" scope when generating the token and then calling userinfo after validating (introspecting) the token. I expect that should work if the IDP is compliant with the specs. WDYT?
>>
> What I'm saying is that not all the OAuth grant types work with OIDC.
> For example in password grant type you can't use OIDC. OIDC defines only authorization code and implicit grant types (it has a hybrid flow as well).
> In that case you can't expect to get an ID token for all grant types.
>
One option that comes to my mind is: in the token introspection response get the user name. And then call a SCIM endpoint (or any other api to get the user information) to get user information.

But this also has an issue, this username is an optional parameter.

> So do you need this user information in all the cases ??
>
>> Thanks,
>> Bhathiya
>>
>>> so this has to be addressed case by case.
>>> -Ishara
>>>
>>> On Sat, May 13, 2017 at 10:40 PM, Bhathiya Jayasekara <bhath...@wso2.com> wrote:
>>>
>>>> Thanks for the explanation Farasath.
>>>>
>>>> So this means we have to do a DCR call and another service call to register claims to SP. @Tharindu: looks like we don't have a choice here.
>>>>
>>>> Thanks,
>>>> Bhathiya
>>>>
>>>> On Sat, May 13, 2017 at 1:49 PM, Farasath Ahamed <farasa...@wso2.com> wrote:
>>>>
>>>>> On Sat, May 13, 2017 at 1:15 PM, Bhathiya Jayasekara <bhath...@wso2.com> wrote:
>>>>>
>>>>>> Hi Farasath,
>>>>>>
>>>>>> That's going to be a problem when we use DCR, I guess. Shouldn't we send the claims given in the spec for each scope by default, without any special configurations in SP?
>>>>>>
>>>>> Not really.
>>>>>
>>>>> Even the spec says[1],
>>>>>
>>>>>> In some cases, the End-User will be given the option to have the OpenID Provider decline to provide some or all information requested by RPs. To minimize the amount of information that the End-User is being asked to disclose, an RP can elect to only request a subset of the information available from the UserInfo Endpoint.
>>>>>
>>>>> Simply put, we are not bound to provide all the claims a client (Relying party) asks for using a 'scope'. There should be a way to control the claims that are sent out based on the application. This is because the sensitive nature of a claim depends on the application and other factors as well. For example, 'phone number' might be a sensitive claim for some apps. Therefore for such apps, we need to have a way to control a client from getting hold of that claim using scope 'phone'.
>>>>>
>>>>> So we can consider "requested claims" in Service Provider config as our way of allowing an application admin to decide what claims an external client can retrieve and what not.
>>>>>
>>>>> [1] http://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims
>>>>>
>>>>>> Thanks,
>>>>>> Bhathiya
>>>>>>
>>>>>> On Sat, May 13, 2017 at 1:09 PM, Farasath Ahamed <farasa...@wso2.com> wrote:
>>>>>>
>>>>>>> Hi,
Re: [Dev] [APIM][C5] - Best Way to get the end user information
Hi Bhathiya,

On Sun, May 14, 2017 at 8:18 AM, Bhathiya Jayasekara <bhath...@wso2.com> wrote:

> Hi Ishara,
>
> On Sun, May 14, 2017 at 7:16 AM, Ishara Karunarathna <isha...@wso2.com> wrote:
>
>> Hi,
>>
>> In the current implementations you get a JWT token from the token validation service regardless of the grant types.
>> But this would be a problem when you go with standards only. For example you may not be able to get an ID token from the IDP if it's only supporting specifications.
>>
> We thought of using the "openid" scope when generating the token and then calling userinfo after validating (introspecting) the token. I expect that should work if the IDP is compliant with the specs. WDYT?
>
What I'm saying is that not all the OAuth grant types work with OIDC. For example in password grant type you can't use OIDC. OIDC defines only authorization code and implicit grant types (it has a hybrid flow as well). In that case you can't expect to get an ID token for all grant types.

So do you need this user information in all the cases ??

> Thanks,
> Bhathiya
>
>> so this has to be addressed case by case.
>> -Ishara
>>
>> On Sat, May 13, 2017 at 10:40 PM, Bhathiya Jayasekara <bhath...@wso2.com> wrote:
>>
>>> Thanks for the explanation Farasath.
>>>
>>> So this means we have to do a DCR call and another service call to register claims to SP. @Tharindu: looks like we don't have a choice here.
>>>
>>> Thanks,
>>> Bhathiya
>>>
>>> On Sat, May 13, 2017 at 1:49 PM, Farasath Ahamed <farasa...@wso2.com> wrote:
>>>
>>>> On Sat, May 13, 2017 at 1:15 PM, Bhathiya Jayasekara <bhath...@wso2.com> wrote:
>>>>
>>>>> Hi Farasath,
>>>>>
>>>>> That's going to be a problem when we use DCR, I guess. Shouldn't we send the claims given in the spec for each scope by default, without any special configurations in SP?
>>>>>
>>>> Not really.
>>>>
>>>> Even the spec says[1],
>>>>
>>>>> In some cases, the End-User will be given the option to have the OpenID Provider decline to provide some or all information requested by RPs. To minimize the amount of information that the End-User is being asked to disclose, an RP can elect to only request a subset of the information available from the UserInfo Endpoint.
>>>>
>>>> Simply put, we are not bound to provide all the claims a client (Relying party) asks for using a 'scope'. There should be a way to control the claims that are sent out based on the application. This is because the sensitive nature of a claim depends on the application and other factors as well. For example, 'phone number' might be a sensitive claim for some apps. Therefore for such apps, we need to have a way to control a client from getting hold of that claim using scope 'phone'.
>>>>
>>>> So we can consider "requested claims" in Service Provider config as our way of allowing an application admin to decide what claims an external client can retrieve and what not.
>>>>
>>>> [1] http://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims
>>>>
>>>>> Thanks,
>>>>> Bhathiya
>>>>>
>>>>> On Sat, May 13, 2017 at 1:09 PM, Farasath Ahamed <farasa...@wso2.com> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> Yes. We do support openid scopes (address, email, phone, profile). (Refer [1])
>>>>>> But as Tharindu has mentioned, this too requires the relevant claims that fall under these scopes to be configured as requested claims in the Service Provider.
>>>>>>
>>>>>> For example,
>>>>>> OIDC scope 'address' would return "address" and "street" claims. But unless you have these claims as requested claims in the claim configuration of the SP, these claims won't be returned although you requested the token with a scope
Re: [Dev] [APIM][C5] - Best Way to get the end user information
>>>>>> er claims. I think we can use them here. So when generating tokens, these scopes should be used as per the requirement.
>>>>>>
>>>>>> [1] http://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims
>>>>>>
>>>>>> Thanks,
>>>>>> Bhathiya
>>>>>>
>>>>>> On Sat, May 13, 2017 at 12:18 AM, Tharindu Dharmarathna <tharin...@wso2.com> wrote:
>>>>>>
>>>>>>> Hi All,
>>>>>>>
>>>>>>> We had a use case on APIM to send the user claims in the JWT header to the backend server.
>>>>>>>
>>>>>>> Currently, the APIM C4 architecture was getting the user claims and generating the JWT from the Key Manager node.
>>>>>>>
>>>>>>> As in C5 architecture, we have to get the user claims from the IS or the third party key manager.
>>>>>>>
>>>>>>> I had observed the below two ways of getting user claims into the Gateway from IS.
>>>>>>>
>>>>>>> 1. Generate token with OpenID scope.
>>>>>>> 2. Call userinfo endpoint with the above generated token.
>>>>>>> 3. Call OAuth2TokenValidation Service and get the token.
>>>>>>>
>>>>>>> When considering [2], in order to receive user info we have to set the requested claims in the service provider according to the App.
>>>>>>>
>>>>>>> And from the current C4 architecture, we don't mandate sending openid as a scope.
>>>>>>>
>>>>>>> Are there any other alternative ways to achieve the above task?
>>>>>>>
>>>>>>> Thanks
>>>>>>>
>>>>>>> Tharindu Dharmarathna
>>>>>>> Senior Software Engineer
>>>>>>> WSO2 Inc.; http://wso2.com
>>>>>>> lean.enterprise.middleware
>>>>>>> mobile: +94779109091
>>>>>>
>>>>>> --
>>>>>> Bhathiya Jayasekara
>>>>>> Associate Technical Lead,
>>>>>> WSO2 inc., http://wso2.com
>>>>>> Phone: +94715478185
>>>>>> LinkedIn: http://www.linkedin.com/in/bhathiyaj
>>>>>> Twitter: https://twitter.com/bhathiyax
>>>>>> Blog: http://movingaheadblog.blogspot.com
>>>>>
>>>>
>>>
>>
>
--
Ishara Karunarathna
Associate Technical Lead
WSO2 Inc. - lean . enterprise . middleware | wso2.com
email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94717996791

___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
Re: [Dev] [IS] Authorization granted for a SP for a different tenant's user when SaaS is disabled
>>>>> obtain a new access token for the saas-disabled application by using the issued refresh token for a different tenant user.
>>>>>
>>>>> For this I have added functionality to validate the tenant domain and to check if the SP is SaaS enabled before granting access to the userInfo endpoint. It is evident that we should revoke the refresh token such that the user is not permitted to obtain further access tokens for the application. In addition to this, is it required to invalidate the already-issued access token?
>>>>>
>>>>> Appreciate your help on this.
>>>>>
>>>>> [1] https://wso2.org/jira/browse/IDENTITY-4981
>>>>>
>>>>> Best regards,
>>>>> Sathya
>>>>>
>>>>> --
>>>>> Sathya Bandara
>>>>> Software Engineer
>>>>> WSO2 Inc. http://wso2.com
>>>>> Mobile: (+94) 715 360 421
>>>>
>>>> --
>>>> Pulasthi Mahawithana
>>>> Senior Software Engineer
>>>> WSO2 Inc., http://wso2.com/
>>>> Mobile: +94-71-5179022
>>>> Blog: https://medium.com/@pulasthi7/
>>>
>>
>> --
>> Isura Dilhara Karunaratne
>> Senior Software Engineer | WSO2
>> Email: is...@wso2.com
>> Mob : +94 772 254 810
>> Blog : http://isurad.blogspot.com/
>
> --
> Farasath Ahamed
> Software Engineer, WSO2 Inc.; http://wso2.com
> Mobile: +94777603866
> Blog: blog.farazath.com
> Twitter: @farazath619

--
Ishara Karunarathna
Associate Technical Lead
WSO2 Inc.
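The tenant rule the quoted report asks for, worked through as an added Python example that is not part of this thread or of WSO2 Identity Server: a SaaS-disabled application only serves users of its own tenant, so a refresh token bound to a user from another tenant is refused and (the conservative answer to Sathya's question) the refresh token and the access tokens issued on it are revoked together. The in-memory token store, the SaaS flag on the service provider and the sample tenants are constructed for the example.

```python
"""Tenant rule for a SaaS-disabled application, applied on the refresh grant
and in front of the userinfo endpoint.  Added example, not WSO2 Identity
Server code; the token store, SaaS flag and revocation rule are constructed."""
from dataclasses import dataclass, field


@dataclass
class ServiceProvider:
    client_id: str
    tenant_domain: str      # tenant that owns the application
    saas_enabled: bool      # True: users of any tenant may use it


@dataclass
class TokenRecord:
    value: str
    client_id: str
    user: str
    user_tenant: str        # tenant of the user the token was issued to
    kind: str               # "access" or "refresh"
    revoked: bool = False


@dataclass
class TokenStore:
    tokens: dict = field(default_factory=dict)

    def add(self, rec: TokenRecord) -> None:
        self.tokens[rec.value] = rec

    def revoke_chain(self, refresh_value: str) -> list:
        """Revoke the refresh token and every live token of the same
        client/user/tenant, so an already-issued access token cannot keep
        being used after the refresh was refused.  Returns revoked values."""
        rt = self.tokens[refresh_value]
        revoked = []
        for rec in self.tokens.values():
            same_chain = (rec.client_id, rec.user, rec.user_tenant) == \
                         (rt.client_id, rt.user, rt.user_tenant)
            if same_chain and not rec.revoked:
                rec.revoked = True
                revoked.append(rec.value)
        return sorted(revoked)


class TenantMismatch(Exception):
    """The user's tenant may not use this SaaS-disabled application."""


def is_user_allowed(sp: ServiceProvider, user_tenant: str) -> bool:
    """SaaS-enabled SPs serve any tenant; SaaS-disabled SPs serve only
    their own tenant (case-insensitive domain comparison)."""
    return sp.saas_enabled or sp.tenant_domain.lower() == user_tenant.lower()


def refresh_access_token(sp, store, refresh_value, new_value) -> TokenRecord:
    """Refresh grant: validate the refresh token, enforce the tenant rule,
    then mint a new access token bound to the same user and tenant."""
    rt = store.tokens.get(refresh_value)
    if (rt is None or rt.revoked or rt.kind != "refresh"
            or rt.client_id != sp.client_id):
        raise ValueError("invalid_grant: unknown or revoked refresh token")
    if not is_user_allowed(sp, rt.user_tenant):
        store.revoke_chain(refresh_value)       # stop further use of the chain
        raise TenantMismatch(f"{rt.user_tenant} may not use {sp.client_id}")
    new = TokenRecord(new_value, sp.client_id, rt.user, rt.user_tenant, "access")
    store.add(new)
    return new


def userinfo_allowed(sp, store, access_value) -> bool:
    """Same rule, checked before the userinfo endpoint releases any claim."""
    at = store.tokens.get(access_value)
    return (at is not None and not at.revoked and at.kind == "access"
            and at.client_id == sp.client_id
            and is_user_allowed(sp, at.user_tenant))


def run_scenario() -> dict:
    """Constructed scenario: SP owned by carbon.super with SaaS disabled, a
    token chain for a foo.com user (refused, revoked) and one for a
    carbon.super user (refreshed normally)."""
    sp = ServiceProvider("client-a", "carbon.super", saas_enabled=False)
    store = TokenStore()
    store.add(TokenRecord("rt-foo", "client-a", "alice", "foo.com", "refresh"))
    store.add(TokenRecord("at-foo", "client-a", "alice", "foo.com", "access"))
    store.add(TokenRecord("rt-super", "client-a", "bob", "carbon.super", "refresh"))
    out = {"foo_userinfo_before": userinfo_allowed(sp, store, "at-foo")}
    try:
        refresh_access_token(sp, store, "rt-foo", "at-foo-2")
        out["foo_refresh"] = "issued"
    except TenantMismatch:
        out["foo_refresh"] = "refused"
    out["foo_revoked"] = sorted(v for v, r in store.tokens.items() if r.revoked)
    out["super_refresh"] = refresh_access_token(sp, store, "rt-super", "at-super").value
    return out
```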
Re: [Dev] Clarification on 'Use tenant domain in local subject identifier' attribute
>>>>>> as [1],[2],[3],[4] reported related to the above attribute and thought of discussing the expected behavior of this attribute.
>>>>>>
>>>>>> AFAIU if the above attribute is checked in both federated and local scenarios:
>>>>>> - the tenant domain should be appended to the sub claim even when the username is added as a requested claim or username is set as the subject claim uri.
>>>>>>
> This is a little bit tricky. If we think of an occasion without a local association in a federated scenario, does it really make sense to append our local user store domain or tenant domain to the user name? I think it's invalid information, as a federated user is not present in our user stores unless provisioned or associated.
>
> We can argue, if the SP is configured with federated authentication we shouldn't select the above options. But the concerns around this become more complex when we consider this together with multi-option authentication. An SP can allow a user to select authentication from either local or federated. In such a case we should be able to dynamically decide that we shouldn't be attaching user store and tenant names to federated user attributes. WDYT?
>
I also agree with Lanka, we can append the tenant domain only to the local claims so there won't be an issue with federated claims.

-Ishara

>>>>>> If the above attribute is unchecked :
>>>>>> - The tenant domain should not be appended to the sub claim even when the user name is the subject claim uri or a requested claim.
>>>>>>
>>>>>> [1] https://wso2.org/jira/browse/IDENTITY-5013
>>>>>> [2] https://wso2.org/jira/browse/IDENTITY-4931
>>>>>> [3] https://wso2.org/jira/browse/IDENTITY-4956
>>>>>> [4] https://wso2.org/jira/browse/IDENTITY-4470
>>>>>>
>>>>>> Please let me know if the behavior of this attribute is something different.
>>>>>>
>>>>> Yes. That is the behavior of the 'Use tenant domain in local subject identifier' attribute.
>>>>>
>>>>> Thanks
>>>>> Isura.
>>>>>
>>>>>> Thanks,
>>>>>> Hasanthi Dissanayake
>>>>>> Software Engineer | WSO2
>>>>>> E: hasan...@wso2.com
>>>>>> M :0718407133 | http://wso2.com
>>>>>
>>>
>>
>> --
>> Ruwan Abeykoon
>> Associate Director/Architect,
>> WSO2, Inc. http://wso2.com
>> lean.enterprise.middleware.
>
> --
> Pushpalanka.
> --
> Pushpalanka Jayawardhana, B.Sc.Eng.(Hons).
> Senior Software Engineer, WSO2 Lanka (pvt) Ltd; wso2.com/
> Mobile: +94779716248
> Blog: pushpalankajaya.blogspot.com/ | LinkedIn: lk.linkedin.com/in/pushpalanka/ | Twitter: @pushpalanka
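The behaviour Isura confirms and the refinement Lanka and Ishara agree on, as an added Python illustration that is not the thread's or WSO2 Identity Server's code: the tenant domain (and user store domain) are appended only when there is a local identity to qualify, which for a federated user means only through its local association. The option names, the "PRIMARY store is never prefixed" convention and the sample users are assumptions made for the example.

```python
"""Build the OIDC 'sub' value from the "local subject identifier" options.
Added example, not WSO2 Identity Server code; the PRIMARY user store
convention and the data model below are assumptions."""
from dataclasses import dataclass
from typing import Optional

PRIMARY_USER_STORE = "PRIMARY"   # assumption: the default store is never prefixed


@dataclass
class AuthenticatedUser:
    username: str
    user_store_domain: Optional[str] = None   # None for a federated identity
    tenant_domain: Optional[str] = None       # None for a federated identity
    is_federated: bool = False
    local_association: Optional["AuthenticatedUser"] = None  # linked local account


@dataclass
class SubjectIdentifierConfig:
    use_user_store_domain: bool = False   # "Use user store domain in local subject identifier"
    use_tenant_domain: bool = False       # "Use tenant domain in local subject identifier"


def build_subject_identifier(user: AuthenticatedUser, cfg: SubjectIdentifierConfig) -> str:
    # The options describe *local* identifiers.  A federated identity is not
    # in our user stores, so they apply only through a local association;
    # without one the federated username is returned unqualified.
    if user.is_federated:
        if user.local_association is None:
            return user.username
        user = user.local_association

    sub = user.username
    if (cfg.use_user_store_domain and user.user_store_domain
            and user.user_store_domain.upper() != PRIMARY_USER_STORE):
        sub = f"{user.user_store_domain}/{sub}"
    if cfg.use_tenant_domain and user.tenant_domain:
        sub = f"{sub}@{user.tenant_domain}"
    return sub


def demo() -> dict:
    """Constructed users covering the cases raised in the thread."""
    both = SubjectIdentifierConfig(use_user_store_domain=True, use_tenant_domain=True)
    tenant_only = SubjectIdentifierConfig(use_tenant_domain=True)
    neither = SubjectIdentifierConfig()
    local = AuthenticatedUser("alice", "SECONDARY", "foo.com")
    primary = AuthenticatedUser("bob", "PRIMARY", "carbon.super")
    federated = AuthenticatedUser("carol@idp.example", is_federated=True)
    associated = AuthenticatedUser("carol@idp.example", is_federated=True,
                                   local_association=primary)
    return {
        "local_both": build_subject_identifier(local, both),              # SECONDARY/alice@foo.com
        "local_tenant_only": build_subject_identifier(local, tenant_only),  # alice@foo.com
        "local_neither": build_subject_identifier(local, neither),        # alice
        "primary_both": build_subject_identifier(primary, both),          # bob@carbon.super
        "federated_both": build_subject_identifier(federated, both),      # carol@idp.example
        "associated_both": build_subject_identifier(associated, both),    # bob@carbon.super
    }
```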
Re: [Dev] IS 5.2.0 DB2 migration scripts
Thanks Rajith for finding this out.

@Dinali Can you please update the scripts.

-Ishara

On Fri, May 5, 2017 at 11:52 PM, Rajith Roshan <raji...@wso2.com> wrote:

> The migration resources for db2 specified in step 11 of doc [1] are giving errors. It tries to insert boolean values into columns which have type smallint. They should be replaced with 0s and 1s. Please find the modified script below [2]
>
> [1] - https://docs.wso2.com/display/IS520/Upgrading+from+a+Previous+Release
>
> [2] -
> INSERT INTO UM_CLAIM (
>     UM_DIALECT_ID,
>     UM_CLAIM_URI,
>     UM_DISPLAY_TAG,
>     UM_DESCRIPTION,
>     UM_MAPPED_ATTRIBUTE,
>     UM_TENANT_ID,
>     UM_READ_ONLY,
>     UM_SUPPORTED,
>     UM_REQUIRED,
>     UM_DISPLAY_ORDER,
>     UM_CHECKED_ATTRIBUTE)
> VALUES ((SELECT UM_ID FROM UM_DIALECT WHERE UM_DIALECT_URI='http://wso2.org/claims' AND UM_TENANT_ID=-1234),
>     'http://wso2.org/claims/identity/lastLoginTime','Last Login Time','Last Login Time','carLicense',-1234,1,0,0,7,0)/
>
> INSERT INTO UM_CLAIM (
>     UM_DIALECT_ID,
>     UM_CLAIM_URI,
>     UM_DISPLAY_TAG,
>     UM_DESCRIPTION,
>     UM_MAPPED_ATTRIBUTE,
>     UM_TENANT_ID,
>     UM_READ_ONLY)
> SELECT DIALECT.UM_ID,
>     'http://wso2.org/claims/identity/lastLoginTime',
>     'Last Login Time',
>     'Last Login Time',
>     'carLicense',
>     DIALECT.UM_TENANT_ID,
>     1
> FROM UM_DIALECT AS DIALECT JOIN UM_TENANT AS TENANT ON DIALECT.UM_TENANT_ID=TENANT.UM_ID
> WHERE DIALECT.UM_DIALECT_URI='http://wso2.org/claims'/
>
> INSERT INTO UM_CLAIM (
>     UM_DIALECT_ID,
>     UM_CLAIM_URI,
>     UM_DISPLAY_TAG,
>     UM_DESCRIPTION,
>     UM_MAPPED_ATTRIBUTE,
>     UM_TENANT_ID,
>     UM_READ_ONLY,
>     UM_SUPPORTED,
>     UM_REQUIRED,
>     UM_DISPLAY_ORDER,
>     UM_CHECKED_ATTRIBUTE)
> VALUES ((SELECT UM_ID FROM UM_DIALECT WHERE UM_DIALECT_URI='http://wso2.org/claims' AND UM_TENANT_ID=-1234),
>     'http://wso2.org/claims/identity/lastPasswordUpdateTime','Last Password Update','Last Password Update','businessCategory',-1234,1,0,0,7,0)/
>
> INSERT INTO UM_CLAIM (
>     UM_DIALECT_ID,
>     UM_CLAIM_URI,
>     UM_DISPLAY_TAG,
>     UM_DESCRIPTION,
>     UM_MAPPED_ATTRIBUTE,
>     UM_TENANT_ID,
>     UM_READ_ONLY)
> SELECT DIALECT.UM_ID,
>     'http://wso2.org/claims/identity/lastPasswordUpdateTime',
>     'Last Password Update',
>     'Last Password Update',
>     'businessCategory',
>     DIALECT.UM_TENANT_ID,
>     1
> FROM UM_DIALECT AS DIALECT JOIN UM_TENANT AS TENANT ON DIALECT.UM_TENANT_ID=TENANT.UM_ID
> WHERE DIALECT.UM_DIALECT_URI='http://wso2.org/claims'/
>
> CREATE INDEX REG_LOG_IND_BY_P1 ON REG_LOG(REG_LOGGED_TIME, REG_TENANT_ID)/
>
> CREATE INDEX REG_RESOURCE_IND_3 ON REG_RESOURCE(REG_UUID)/
>
> CREATE INDEX REG_RESOURCE_IND_4 ON REG_RESOURCE(REG_TENANT_ID, REG_UUID)/
>
> CREATE INDEX REG_RESOURCE_IND_5 ON REG_RESOURCE(REG_TENANT_ID, REG_MEDIA_TYPE)/
>
> --
> Rajith Roshan
> Software Engineer, WSO2 Inc.
> Mobile: +94-72-642-8350
Re: [Dev] Please review and merge
Hi connector team,

Can we get this merged ?

-Ishara

On Fri, May 5, 2017 at 10:11 AM, Hasanthi Purnima Dissanayake <hasan...@wso2.com> wrote:

> Hi Kathees
>
> Fixed the comments.
>
> Thanks,
> Hasanthi Dissanayake
>
> On Fri, May 5, 2017 at 9:45 AM, Kathees Rajendram <kath...@wso2.com> wrote:
>
>> Thanks Hasanthi for your fix.
>>
>> Please fix those comments in the PR.
>>
>> Thanks,
>> Kathees
>>
>> On Thu, May 4, 2017 at 3:16 PM, Hasanthi Purnima Dissanayake <hasan...@wso2.com> wrote:
>>
>>> Hi connector team,
>>> Please review and merge [1] which fixes [2].
>>> [1] https://github.com/wso2-extensions/identity-oauth2-grant-jwt/pull/14
>>> [2] https://wso2.org/jira/browse/IDENTITY-5888
>>>
>>> Thanks,
>>> Hasanthi Dissanayake
>>
>> --
>> Kathees
>> Software Engineer,
>> email: kath...@wso2.com
>> mobile: +94772596173
Re: [Dev] Client credential grant type for ID token generation
Hi,

On Fri, May 5, 2017 at 11:42 AM, Isura Karunaratne <is...@wso2.com> wrote:

> Hi all,
>
> On Thu, May 4, 2017 at 3:03 PM, Gayan Gunawardana <ga...@wso2.com> wrote:
>
>> On Thu, May 4, 2017 at 2:41 PM, Pushpalanka Jayawardhana <la...@wso2.com> wrote:
>>
>>> Hi All,
>>>
>>> This is in relation to issue [1] which happened when we issue ID_token for client credentials grant.
>>>
>>> Client credentials grant type is not really a part of the OpenID Connect specification, as it only mentions the authorization code grant flow (Basic Profile), the implicit grant flow (Implicit profile), and the hybrid flow. This is an additional thing when we issue id_token for client credentials grant.
>>>
>>> Also this does not make much sense when we issue an ID_token to an application which is presented in client credentials grant.
>>> In my opinion we should get rid of this, if no one is currently using it. Appreciate your inputs.
>>>
>> Also the OpenID Connect specification does not talk about issuing ID_token for password grant type as well. Apart from the specification POV, issuing ID_token for password grant type is not logically wrong.
>> Issuing ID_token for client credentials grant type is logically wrong, hence +1 to remove the functionality.
>>
> Yes. +1 to remove ID token for client credentials grant type.
>
+1 Since there is no user authentication, this is logically wrong, so better to fix this by removing the ID token.
But in the password grant type, even if it's not there in the spec, there are still use cases for this, so let's keep it and fix related issues.

-Ishara

> Thanks
> Isura.
>
>>> [1] - https://wso2.org/jira/browse/IDENTITY-4915
>>>
>>> Thanks,
>>> --
>>> Pushpalanka.
>>
>> --
>> Gayan Gunawardana
>> Software Engineer; WSO2 Inc.; http://wso2.com/
>> Email: ga...@wso2.com
>> Mobile: +94 (71) 8020933
Re: [Dev] GSOC : OAuth 2.0 Dynamic Client Registration Management Protocol Support
On Fri, May 5, 2017 at 10:53 AM, Abilashini Thiyagarajah <abilashini...@cse.mrt.ac.lk> wrote:

> Yeah we can have.
>
Then let's arrange a hangout from 2-3 pm.

> Thiyagarajah Abilashini
> Student
> Department of Computer Science and Engineering
> University of Moratuwa, Sri Lanka
>
> On 5 May 2017 at 10:25, Ishara Karunarathna <isha...@wso2.com> wrote:
>
>> On Fri, May 5, 2017 at 10:21 AM, Abilashini Thiyagarajah <abilashini...@cse.mrt.ac.lk> wrote:
>>
>>> Hi Ishara,
>>>
>>> Thank you.
>>>
>>> Tomorrow in the sense do you mean Saturday (6.4.2017)?
>>>
>> It's today 5/5/2017; if you are available we can have a meeting in the evening.
>>
>> -Ishara
>>
>>> On 5 May 2017 at 00:51, Ishara Karunarathna <isha...@wso2.com> wrote:
>>>
>>>> Hi,
>>>>
>>>> Congratz Abilashini,
>>>>
>>>> On Thu, May 4, 2017 at 11:42 PM, Abilashini Thiyagarajah <abilashini...@cse.mrt.ac.lk> wrote:
>>>>
>>>>> Hi all,
>>>>>
>>>>> Thank you so much for accepting my proposal and selecting me to work on the project "OAuth 2.0 Dynamic Client Registration Management Protocol support for WSO2 Identity Server" in GSOC 2017. I am so happy to work on a WSO2 project after the internship.
>>>>>
>>>>> I would like to clarify the plan throughout the program. Shall we stick to my project plan in my proposal?
>>>>>
>>>> We may have to do some slight modifications. Shall we arrange a meeting and discuss tomorrow?
>>>>
>>>> Thanks,
>>>> Ishara
>>>>
>>>>> Looking forward to having a fabulous project experience with WSO2 for the next 4 months.
>>>>>
>>>>> Thank you and best regards,
>>>>> Abilashini
>>>>>
>>>>> On 3 April 2017 at 20:15, Abilashini Thiyagarajah <abilashini...@cse.mrt.ac.lk> wrote:
>>>>>
>>>>>> Hi Maduranga,
>>>>>>
>>>>>> I have already submitted the final proposal. I would like to thank you for your guidance throughout the process of understanding the project and preparing the proposal. Looking forward to working on the project.
>>>>>>
>>>>>> Best Regards,
>>>>>> Abilashini
>>>>>>
>>>>>> On 3 April 2017 at 19:54, Maduranga Siriwardena <madura...@wso2.com> wrote:
>>>>>>
>>>>>>> Hi Abishalani,
>>>>>>>
>>>>>>> I will not have time to go through your proposal now. As the deadline is getting closer, please go ahead and submit the proposal.
>>>>>>>
>>>>>>> Thanks,
>>>>>>>
>>>>>>> On Sun, Apr 2, 2017 at 10:12 PM, Abilashini Thiyagarajah <abilashini...@cse.mrt.ac.lk> wrote:
>>>>>>>
>>>>>>>> Hi Maduranga,
>>>>>>>>
>>>>>>>> I have included the initial design in the proposal. I kindly request your feedback on it.
>>>>>>>>
>>>>>>>> Thank you,
>>>>>>>> Abilashini
>>>>>>>>
>>>>>>>> On
Re: [Dev] GSOC : OAuth 2.0 Dynamic Client Registration Management Protocol Support
On Fri, May 5, 2017 at 10:21 AM, Abilashini Thiyagarajah <abilashini...@cse.mrt.ac.lk> wrote:

> Hi Ishara,
>
> Thank you.
>
> Tomorrow in the sense do you mean Saturday (6.4.2017)?
>
It's today 5/5/2017; if you are available we can have a meeting in the evening.

-Ishara

> On 5 May 2017 at 00:51, Ishara Karunarathna <isha...@wso2.com> wrote:
>
>> Hi,
>>
>> Congratz Abilashini,
>>
>> On Thu, May 4, 2017 at 11:42 PM, Abilashini Thiyagarajah <abilashini...@cse.mrt.ac.lk> wrote:
>>
>>> Hi all,
>>>
>>> Thank you so much for accepting my proposal and selecting me to work on the project "OAuth 2.0 Dynamic Client Registration Management Protocol support for WSO2 Identity Server" in GSOC 2017. I am so happy to work on a WSO2 project after the internship.
>>>
>>> I would like to clarify the plan throughout the program. Shall we stick to my project plan in my proposal?
>>>
>> We may have to do some slight modifications. Shall we arrange a meeting and discuss tomorrow?
>>
>> Thanks,
>> Ishara
>>
>>> Looking forward to having a fabulous project experience with WSO2 for the next 4 months.
>>>
>>> Thank you and best regards,
>>> Abilashini
>>>
>>> On 3 April 2017 at 20:15, Abilashini Thiyagarajah <abilashini...@cse.mrt.ac.lk> wrote:
>>>
>>>> Hi Maduranga,
>>>>
>>>> I have already submitted the final proposal. I would like to thank you for your guidance throughout the process of understanding the project and preparing the proposal. Looking forward to working on the project.
>>>>
>>>> Best Regards,
>>>> Abilashini
>>>>
>>>> On 3 April 2017 at 19:54, Maduranga Siriwardena <madura...@wso2.com> wrote:
>>>>
>>>>> Hi Abishalani,
>>>>>
>>>>> I will not have time to go through your proposal now. As the deadline is getting closer, please go ahead and submit the proposal.
>>>>>
>>>>> Thanks,
>>>>>
>>>>> On Sun, Apr 2, 2017 at 10:12 PM, Abilashini Thiyagarajah <abilashini...@cse.mrt.ac.lk> wrote:
>>>>>
>>>>>> Hi Maduranga,
>>>>>>
>>>>>> I have included the initial design in the proposal. I kindly request your feedback on it.
>>>>>>
>>>>>> Thank you,
>>>>>> Abilashini
>>>>>>
>>>>>> On 27 March 2017 at 21:14, Abilashini Thiyagarajah <abilashini...@cse.mrt.ac.lk> wrote:
>>>>>>
>>>>>>> Hi Maduranga,
>>>>>>>
>>>>>>> Sorry for the inconvenience occurred with the wrong link.
>>>>>>>
>>>>>>> Thank you for your comments and I am updating the proposal respectively. Also I have replied to some of the comments for clarification. It would be so helpful if I get your comment on those.
>>>>>>>
>>>>>>> I will include the initial design and the fixed jira issues as soon as possible.
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Abilashini
>>>>>>>
>>>>>>> On 27 March 2017 at 20:07, Maduranga Siriwardena <madura...@wso2.c
Re: [Dev] GSOC : OAuth 2.0 Dynamic Client Registration Management Protocol Support
gt;>>>>>>> to the product, you can build the jar and then create folder >>>>>>>>>> patch0001 >>>>>>>>>> (format of the folder name should be "patch" and then a four digit >>>>>>>>>> number. >>>>>>>>>> Patches are applied in the order of the number) in >>>>>>>>>> /repository/components/patches and place the newly >>>>>>>>>> built jar inside that. After this you have to restart the server. >>>>>>>>>> Please >>>>>>>>>> note that the for jars you are going patch name should be equal to >>>>>>>>>> the >>>>>>>>>> original jar in dropins folder. >>>>>>>>>> >>>>>>>>>> If you successfully installed the changes, you will be able to >>>>>>>>>> notice a log like below at the next start up. >>>>>>>>>> >>>>>>>>>> [2017-01-31 21:07:39,035] INFO >>>>>>>>>> {org.wso2.carbon.server.extensions.PatchInstaller} >>>>>>>>>> - Patch changes detected {org.wso2.carbon.server.exten >>>>>>>>>> sions.PatchInstaller} >>>>>>>>>> [2017-01-31 21:07:39,513] INFO >>>>>>>>>> {org.wso2.carbon.server.util.PatchUtils.console} >>>>>>>>>> - Backed up plugins to patch {org.wso2.carbon.server.util.P >>>>>>>>>> atchUtils.console} >>>>>>>>>> [2017-01-31 21:07:39,525] INFO >>>>>>>>>> {org.wso2.carbon.server.util.PatchUtils.console} >>>>>>>>>> - Patch verification started {org.wso2.carbon.server.util.P >>>>>>>>>> atchUtils.console} >>>>>>>>>> [2017-01-31 21:07:39,530] INFO >>>>>>>>>> {org.wso2.carbon.server.util.PatchUtils.console} >>>>>>>>>> - Patch verification successfully completed. >>>>>>>>>> {org.wso2.carbon.server.util.P >>>>>>>>>> atchUtils.console} >>>>>>>>>> >>>>>>>>>> Thanks, >>>>>>>>>> >>>>>>>>>> On Sat, Mar 18, 2017 at 7:26 AM, Abilashini Thiyagarajah < >>>>>>>>>> abilashini...@cse.mrt.ac.lk> wrote: >>>>>>>>>> >>>>>>>>>>> Hi, >>>>>>>>>>> >>>>>>>>>>> I have worked to understand the specifications and code base >>>>>>>>>>> related to OAuth 2.0 DCR protocol management. Now I am trying to >>>>>>>>>>> fix some >>>>>>>>>>> of the issues that you have shared with me. 
Can I know the location >>>>>>>>>>> of dcr >>>>>>>>>>> component in the server? Or else the way to try my code changes in >>>>>>>>>>> the dcr >>>>>>>>>>> component? >>>>>>>>>>> >>>>>>>>>>> Thanks in advance, >>>>>>>>>>> Abilashini >>>>>>>>>>> >>>>>>>>>>> *Thiyagarajah Abilashini* >>>>>>>>>>> Student >>>>>>>>>>> Department of Computer Science and Engineering >>>>>>>>>>> University of Moratuwa, Sri Lanka >>>>>>>>>>> >>>>>>>>>>> On 15 March 2017 at 10:26, Abilashini Thiyagarajah < >>>>>>>>>>> abilashini...@cse.mrt.ac.lk> wrote: >>>>>>>>>>> >>>>>>>>>>>> Hi Maduranga, >>>>>>>>>>>> >>>>>>>>>>>> Thank you so much for your reply and references. I will work on >>>>>>>>>>>> to understand the code and fix jira as you said. >>>>>>>>>>>> >>>>>>>>>>>> Best Regards, >>>>>>>>>>>> Abilashini >>>>>>>>>>>> >>>>>>>>>>>> *Thiyagarajah Abilashini* >>>>>>>>>>>> Student >>>>>>>>>>>> Department of Computer Science and Engineering >>>>>>>>>>>> University of Moratuwa, Sri Lanka >>>>>>>>>>>> >>>>>>>>>>>> On 15 March 2017 at 01:52, Maduranga Siriwardena < >>>>>>>>>>>> madura...@wso2.com> wrote: >>>>>>>>>>>> >>>>>>>>>>>>> Hi Abilashini, >>>>>>>>>>>>> >>>>>>>>>>>>> We are glad to see your interest in doing GSoC with WSO2. >>>>>>>>>>>>> >>>>>>>>>>>>> The requirement of the project is to fully implement >>>>>>>>>>>>> the Dynamic Client Registration Management Protocol [1]. The >>>>>>>>>>>>> current >>>>>>>>>>>>> implementation of Dynamic Client Registration is in repo [2] and >>>>>>>>>>>>> particularly component in [3]. Documentation for OpenID Connect >>>>>>>>>>>>> Dynamic >>>>>>>>>>>>> Client Registration is in [4]. >>>>>>>>>>>>> >>>>>>>>>>>>> If you need to get familiarize with the code, you can fix jira >>>>>>>>>>>>> already reported regarding dcr implementation which are in [5] >>>>>>>>>>>>> (or you can >>>>>>>>>>>>> fix any jira in Identity Server project as a start). 
>>>>>>>>>>>>> >>>>>>>>>>>>> [1] https://tools.ietf.org/html/rfc7592 >>>>>>>>>>>>> [2] https://github.com/wso2-extensions/identity-inbound-auth >>>>>>>>>>>>> -oauth >>>>>>>>>>>>> [3] https://github.com/wso2-extensions/identity-inbound-auth >>>>>>>>>>>>> -oauth/tree/master/components/org.wso2.carbon.identity.oauth >>>>>>>>>>>>> .dcr >>>>>>>>>>>>> [4] https://docs.wso2.com/display/IS530/OpenID+Connect+Dynam >>>>>>>>>>>>> ic+Client+Registration >>>>>>>>>>>>> [5] https://goo.gl/ghqqgE >>>>>>>>>>>>> >>>>>>>>>>>>> Thanks, >>>>>>>>>>>>> >>>>>>>>>>>>> On Tue, Mar 14, 2017 at 1:06 AM, Abilashini Thiyagarajah < >>>>>>>>>>>>> abilashini...@cse.mrt.ac.lk> wrote: >>>>>>>>>>>>> >>>>>>>>>>>>>> Hi, >>>>>>>>>>>>>> >>>>>>>>>>>>>> I am Abilashini from Department of Computer Science and >>>>>>>>>>>>>> Engineering, University of Moratuwa. I have done my internship >>>>>>>>>>>>>> at WSO2 last >>>>>>>>>>>>>> year (July - December) and worked in the implementation of >>>>>>>>>>>>>> tomcat extension >>>>>>>>>>>>>> of OpenID Connect [1]. So I am a little bit familiar with OAuth >>>>>>>>>>>>>> 2.0 and >>>>>>>>>>>>>> OpenID Connect protocols. I found the project 'OAuth 2.0 >>>>>>>>>>>>>> Dynamic Client Registration Management Protocol Support' as >>>>>>>>>>>>>> interesting to work on. Can I have some assistance to understand >>>>>>>>>>>>>> the >>>>>>>>>>>>>> details and requirements more clearly behind this project idea? >>>>>>>>>>>>>> Also can I have the locations of documentation and code base >>>>>>>>>>>>>> related to dynamic client registration? 
>>>>>>>>>>>>>> >>>>>>>>>>>>>> [1] https://github.com/wso2-extensions/tomcat-extension-open >>>>>>>>>>>>>> idsso >>>>>>>>>>>>>> >>>>>>>>>>>>>> Thanks and Regards >>>>>>>>>>>>>> Abilashini >>>>>>>>>>>>>> >>>>>>>>>>>>>> *Thiyagarajah Abilashini* >>>>>>>>>>>>>> Student >>>>>>>>>>>>>> Department of Computer Science and Engineering >>>>>>>>>>>>>> University of Moratuwa, Sri Lanka >>>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> -- >>>>>>>>>>>>> Maduranga Siriwardena >>>>>>>>>>>>> Software Engineer >>>>>>>>>>>>> WSO2 Inc; http://wso2.com/ >>>>>>>>>>>>> >>>>>>>>>>>>> Email: madura...@wso2.com >>>>>>>>>>>>> Mobile: +94718990591 <+94%2071%20899%200591> >>>>>>>>>>>>> Blog: *https://madurangasiriwardena.wordpress.com/ >>>>>>>>>>>>> <https://madurangasiriwardena.wordpress.com/>* >>>>>>>>>>>>> <http://wso2.com/signature> >>>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> -- >>>>>>>>>> Maduranga Siriwardena >>>>>>>>>> Software Engineer >>>>>>>>>> WSO2 Inc; http://wso2.com/ >>>>>>>>>> >>>>>>>>>> Email: madura...@wso2.com >>>>>>>>>> Mobile: +94718990591 <+94%2071%20899%200591> >>>>>>>>>> Blog: *https://madurangasiriwardena.wordpress.com/ >>>>>>>>>> <https://madurangasiriwardena.wordpress.com/>* >>>>>>>>>> <http://wso2.com/signature> >>>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> -- >>>>>>>> Maduranga Siriwardena >>>>>>>> Software Engineer >>>>>>>> WSO2 Inc; http://wso2.com/ >>>>>>>> >>>>>>>> Email: madura...@wso2.com >>>>>>>> Mobile: +94718990591 <+94%2071%20899%200591> >>>>>>>> Blog: *https://madurangasiriwardena.wordpress.com/ >>>>>>>> <https://madurangasiriwardena.wordpress.com/>* >>>>>>>> <http://wso2.com/signature> >>>>>>>> >>>>>>> >>>>>>> >>>>>> >>>>>> >>>>>> -- >>>>>> Maduranga Siriwardena >>>>>> Senior Software Engineer >>>>>> WSO2 Inc; http://wso2.com/ >>>>>> >>>>>> Email: madura...@wso2.com >>>>>> Mobile: +94718990591 <+94%2071%20899%200591> >>>>>> Blog: *https://madurangasiriwardena.wordpress.com/ >>>>>> 
<https://madurangasiriwardena.wordpress.com/>* >>>>>> <http://wso2.com/signature> >>>>>> >>>>> >>>>> >>>> >>> >>> >>> -- >>> Maduranga Siriwardena >>> Senior Software Engineer >>> WSO2 Inc; http://wso2.com/ >>> >>> Email: madura...@wso2.com >>> Mobile: +94718990591 <+94%2071%20899%200591> >>> Blog: *https://madurangasiriwardena.wordpress.com/ >>> <https://madurangasiriwardena.wordpress.com/>* >>> <http://wso2.com/signature> >>> >> >> > > ___ > Dev mailing list > Dev@wso2.org > http://wso2.org/cgi-bin/mailman/listinfo/dev > > -- Ishara Karunarathna Associate Technical Lead WSO2 Inc. - lean . enterprise . middleware | wso2.com email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94717996791 ___ Dev mailing list Dev@wso2.org http://wso2.org/cgi-bin/mailman/listinfo/dev
Re: [Dev] GSoC 2017 - Proposal 20: [IS] OAuth 2.0 Dynamic Client Registration Management Protocol Support
;>>>>>>>>>> >>>>>>>>>>> [1] https://github.com/wso2-extensions/identity-inbound-auth >>>>>>>>>>> -oauth/blob/master/components/org.wso2.carbon.identity.oauth >>>>>>>>>>> .dcr/src/main/java/org/wso2/carbon/identity/oauth/dcr/proces >>>>>>>>>>> sor/DCRProcessor.java >>>>>>>>>>> [2] https://github.com/wso2-extensions/identity-inbound-auth >>>>>>>>>>> -oauth/blob/master/components/org.wso2.carbon.identity.oidc. >>>>>>>>>>> dcr/src/main/java/org/wso2/carbon/identity/oidc/dcr/processo >>>>>>>>>>> r/OIDCDCRProcessor.java >>>>>>>>>>> >>>>>>>>>>> Thanks, >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> On Wed, Mar 22, 2017 at 10:53 AM, Dinuksha Ishwari < >>>>>>>>>>> dinuksha.ishw...@gmail.com> wrote: >>>>>>>>>>> >>>>>>>>>>>> Hi Maduranga, >>>>>>>>>>>> >>>>>>>>>>>> I have referred the given code [1] and observed that >>>>>>>>>>>> DCRProcessor will only process requests that call the endpoint >>>>>>>>>>>> /identity/register as OAuth2.0 specification and will not process >>>>>>>>>>>> the the >>>>>>>>>>>> calls to /identity/connect/register which is the endpoint >>>>>>>>>>>> specified in >>>>>>>>>>>> OpenIDConnect specification for DCR. Correct me if I am wrong. >>>>>>>>>>>> >>>>>>>>>>>> I would appreciate if you could provide me some more >>>>>>>>>>>> information regarding exposing an endpoint for the custom >>>>>>>>>>>> component of DCRM. >>>>>>>>>>>> >>>>>>>>>>>> [1] https://github.com/wso2-extensions/identity-inbound-auth >>>>>>>>>>>> -oauth/blob/master/components/org.wso2.carbon.identity.oauth >>>>>>>>>>>> .dcr/src/main/java/org/wso2/carbon/identity/oauth/dcr/proces >>>>>>>>>>>> sor/DCRProcessor.java >>>>>>>>>>>> >>>>>>>>>>>> Thank you, >>>>>>>>>>>> Dinuksha. >>>>>>>>>>>> >>>>>>>>>>>> On Tue, Mar 21, 2017 at 11:54 PM, Maduranga Siriwardena < >>>>>>>>>>>> madura...@wso2.com> wrote: >>>>>>>>>>>> >>>>>>>>>>>>> Hi Dinuksha, >>>>>>>>>>>>> >>>>>>>>>>>>> Glad to hear that you have made progress with the project. 
>>>>>>>>>>>>> >>>>>>>>>>>>> As a start, exposing a separate servlet would be okay. But >>>>>>>>>>>>> going forward with the project, you may have to use the approach >>>>>>>>>>>>> used in >>>>>>>>>>>>> the DCR endpoint which is [1] (or may have to use a cxf endpoint). >>>>>>>>>>>>> >>>>>>>>>>>>> [1] https://github.com/wso2-extensions/identity-inbound-auth >>>>>>>>>>>>> -oauth/blob/master/components/org.wso2.carbon.identity.oauth >>>>>>>>>>>>> .dcr/src/main/java/org/wso2/carbon/identity/oauth/dcr/proces >>>>>>>>>>>>> sor/DCRProcessor.java >>>>>>>>>>>>> >>>>>>>>>>>>> Thanks, >>>>>>>>>>>>> >>>>>>>>>>>>> On Tue, Mar 21, 2017 at 12:26 PM, Dinuksha Ishwari < >>>>>>>>>>>>> dinuksha.ishw...@gmail.com> wrote: >>>>>>>>>>>>> >>>>>>>>>>>>>> Hi Devs/Mentors, >>>>>>>>>>>>>> >
Re: [Dev] GSoC 2017 - Proposal 20: [IS] OAuth 2.0 Dynamic Client Registration Management Protocol Support
On Fri, Feb 24, 2017 at 11:16 AM, Dinuksha Ishwari <dinuksha.ishw...@gmail.com> wrote:

[+ dev]

> Hi Ishara,
>
> Thank you for the information. I'm in the process of reading the related specifications and getting familiar with the code base further. Will get back to you soon.
>
> Thanks,
> Dinuksha.
>
> On Fri, Feb 24, 2017 at 10:14 AM, Ishara Karunarathna <isha...@wso2.com> wrote:
>> Hi Dinuksha,
>>
>> Thank you for your interest in GSoC and the effort on the WSO2IS DCRM implementation.
>> It's great that you have already started working with the IS code base. Further, you can go through the current DCR implementation from here [1] and go through that code.
>>
>> You may find open JIRAs here [2]. The following are related to the current DCR implementation:
>> https://wso2.org/jira/browse/IDENTITY-5185
>> https://wso2.org/jira/browse/IDENTITY-5184
>>
>> Thanks,
>> Ishara
>>
>> [1] https://github.com/wso2-extensions/identity-inbound-auth-oauth
>> [2] https://wso2.org/jira/projects/IDENTITY/issues/IDENTITY-5723?filter=allopenissues
>>
>> On Mon, Feb 20, 2017 at 4:45 PM, Dinuksha Ishwari <dinuksha.ishw...@gmail.com> wrote:
>>> Hi All,
>>>
>>> I am Dinuksha Kanda Samanage, a 3rd year undergraduate from Sri Lanka Institute of Information Technology, following the Software Engineering specialization.
>>>
>>> This is to convey my interest in implementing the OAuth 2.0 Dynamic Client Registration Management Protocol Support for Identity Server (Proposal 20) in GSoC 2017.
>>>
>>> I am well versed in Java and also familiar with Maven and Git. I have been involved in implementing an OAuth 2.0 and OpenID Connect related project for almost 7 months during my internship.
>>>
>>> I have already started to get familiar with the WSO2 codebase and fixed the JIRA [1], where the pull request is already merged to the WSO2 codebase. I will continue fixing more open JIRA tickets on Identity Server. (If you can suggest some, that would be great too.)
>>>
>>> In order to get ready for this project, I already set up the OAuth 2.0 Playground2 sample with Identity Server 5.3.0 and wrote the blog post [2] to share my experience. When running this flow, I faced an issue and raised it in the Dev mail [3], and have got the answer now.
>>>
>>> My GitHub profile can be found at [4].
>>>
>>> Therefore I believe I can learn the required concepts/technologies and implement this project for GSoC 2017.
>>>
>>> I would appreciate it if you could guide me on proceeding further with the project.
>>>
>>> [1] https://wso2.org/jira/browse/IDENTITY-5241
>>> [2] http://dinukshaish.blogspot.com/2017/02/getting-started-with-oauth-20-using.html
>>> [3] [Dev] Mandatory Claims in OAuth 2.0 with Identity Server 5.3.0
>>> [4] https://github.com/dinuish94
>>>
>>> Best Regards,
>>> Dinuksha

--
Ishara Karunarathna
Associate Technical Lead
WSO2 Inc. - lean . enterprise . middleware | wso2.com

email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94717996791
Re: [Dev] GSoC 2017 - Proposal 20: [IS] OAuth 2.0 Dynamic Client Registration Management Protocol Support
Hi Dinuksha,

Thank you for your interest in GSoC and the effort on the WSO2IS DCRM implementation.
It's great that you have already started working with the IS code base. Further, you can go through the current DCR implementation from here [1] and go through that code.

You may find open JIRAs here [2]. The following are related to the current DCR implementation:
https://wso2.org/jira/browse/IDENTITY-5185
https://wso2.org/jira/browse/IDENTITY-5184

Thanks,
Ishara

[1] https://github.com/wso2-extensions/identity-inbound-auth-oauth
[2] https://wso2.org/jira/projects/IDENTITY/issues/IDENTITY-5723?filter=allopenissues

On Mon, Feb 20, 2017 at 4:45 PM, Dinuksha Ishwari <dinuksha.ishw...@gmail.com> wrote:
> Hi All,
>
> I am Dinuksha Kanda Samanage, a 3rd year undergraduate from Sri Lanka Institute of Information Technology, following the Software Engineering specialization.
>
> This is to convey my interest in implementing the OAuth 2.0 Dynamic Client Registration Management Protocol Support for Identity Server (Proposal 20) in GSoC 2017.
>
> I am well versed in Java and also familiar with Maven and Git. I have been involved in implementing an OAuth 2.0 and OpenID Connect related project for almost 7 months during my internship.
>
> I have already started to get familiar with the WSO2 codebase and fixed the JIRA [1], where the pull request is already merged to the WSO2 codebase. I will continue fixing more open JIRA tickets on Identity Server. (If you can suggest some, that would be great too.)
>
> In order to get ready for this project, I already set up the OAuth 2.0 Playground2 sample with Identity Server 5.3.0 and wrote the blog post [2] to share my experience. When running this flow, I faced an issue and raised it in the Dev mail [3], and have got the answer now.
>
> My GitHub profile can be found at [4].
>
> Therefore I believe I can learn the required concepts/technologies and implement this project for GSoC 2017.
>
> I would appreciate it if you could guide me on proceeding further with the project.
>
> [1] https://wso2.org/jira/browse/IDENTITY-5241
> [2] http://dinukshaish.blogspot.com/2017/02/getting-started-with-oauth-20-using.html
> [3] [Dev] Mandatory Claims in OAuth 2.0 with Identity Server 5.3.0
> [4] https://github.com/dinuish94
>
> Best Regards,
> Dinuksha

--
Ishara Karunarathna
Associate Technical Lead
WSO2 Inc. - lean . enterprise . middleware | wso2.com

email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94717996791
Re: [Dev] SCIM User Add Operation in C5
Hi All,

I think here we have a confusion between immutable attributes and unique attributes.

*Immutable Attributes*: will not change over time (using this attribute we can track the identity over time).
*Unique Attribute*: this is unique to the system but can be changed over time, and this can be tracked with an immutable attribute.

With the new design UserID would be the immutable attribute (but for read-only identity stores this can be changed), and user name is a unique attribute.

So in the new implementation also isUserExist should return true if there is a user with the given user name. And this is applicable to all unique attributes.

Thanks,
Ishara

On Fri, Feb 3, 2017 at 9:42 AM, Farasath Ahamed <farasa...@wso2.com> wrote:
> IIRC, our plan in C5 was to use the SCIM API for user signup, user provisioning etc.
>
> So if the username is a special attribute in SCIM while user core can accommodate duplicate usernames (ie. username need not be unique), when we use the SCIM API in the product won't there be a mismatch?
>
> Farasath Ahamed
> Software Engineer, WSO2 Inc.; http://wso2.com
> Mobile: +94777603866
> Blog: blog.farazath.com
> Twitter: @farazath619
>
> On Thu, Feb 2, 2017 at 7:41 PM, Gayan Gunawardana <ga...@wso2.com> wrote:
>> On Fri, Feb 3, 2017 at 8:29 AM, Johann Nallathamby <joh...@wso2.com> wrote:
>>> In our identity-mgt level we don't treat username as a special attribute. It's just another attribute. However in certain higher levels we may need to treat username as a special attribute. We do have a claim for username which I think is "http://wso2.org/claim/username". We can treat this claim as the username in higher level implementations.
>>>
>>> On Fri, Feb 3, 2017 at 4:12 AM, Chamila Wijayarathna <cdwijayarat...@gmail.com> wrote:
>>>> Hi Gayan,
>>>>
>>>> If we can add multiple users with the same user name, why do we need to avoid adding multiple users in SCIM? I don't get the point here.
>>>>
>>>> If we consider two users with the same username as two entities at server level, it won't be a duplicate resource creation IMO; it will be two different resources with the same username.
>>>
>>> I guess what Gayan means is that in SCIM 2.0 username is a special attribute and we can't have two users with the same username attribute. It is a specification of SCIM 2.0.
>>
>> Yes, exactly. There should be a way to identify a duplicate resource in the context of SCIM. For the user resource it is the user name.
>>
>>>> Regards!
>>>>
>>>> On Fri, Feb 3, 2017 at 5:52 AM, Gayan Gunawardana <ga...@wso2.com> wrote:
>>>>> Hi All,
>>>>>
>>>>> In C4 user name was a unique identifier and we returned HTTP response 409 (Conflict) if the user name already existed [1]. In C5 user name is just another claim and we can add multiple users with the same user name.
>>>>> IMO we should check isUserExist at SCIM level and avoid adding multiple users with the same user name.
>>>>>
>>>>> WDYT?
>>>>>
>>>>> [1] https://tools.ietf.org/html/rfc7644#section-3.12
>>>>>
>>>>> Thanks,
>>>>> Gayan
>>>>>
>>>>> --
>>>>> Gayan Gunawardana
>>>>> Software Engineer; WSO2 Inc.; http://wso2.com/
>>>>> Email: ga...@wso2.com
>>>>> Mobile: +94 (71) 8020933
>>>>
>>>> --
>>>> Chamila Dilshan Wijayarathna,
>>>> PhD Research Student
>>>> The University of New South Wales (UNSW Canberra)
>>>> Australian Centre for Cyber Security
>>>> Australian Defence Force Academy
>>>> PO Box 7916, Canberra BA ACT 2610
>>>> Australia
>>>> Mobile: (+61)416895795
>>>
>>> --
>>> Thanks & Regards,
>>>
>>> *Johann Dilantha Nallathamby*
>>> Technical Lead & Product Lead of WSO2 Identity Server
>>> Governance Technologies Team
>>> WSO2, Inc.
>>> lean.enterprise.middleware
>>>
>>> Mobile - *+9476950*
>>> Blog - *http://nallaa.wordpress.com*

--
Ishara Karunarathna
Associate Technical Lead
WSO2 Inc. - lean . enterprise . middleware | wso2.com

email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94717996791
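To make the point of this thread concrete, here is an added illustration (not WSO2 Identity Server code) of the arrangement Gayan and Ishara describe: a user core in which userName is just another claim and the immutable id is a generated value, with a SCIM layer in front of it that performs the isUserExist check on every unique attribute and answers 409 Conflict with the RFC 7644 "uniqueness" error when a duplicate is attempted. The in-memory store, the class names and the sample users are assumptions of this example.

```python
"""SCIM-level uniqueness in front of a user core that allows duplicate user
names. Added illustration, not WSO2 Identity Server code: the in-memory store,
class names and sample users are constructed for this example."""
import uuid
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class User:
    id: str                                              # immutable: never changes
    claims: Dict[str, str] = field(default_factory=dict)  # userName is just one claim here


class UserCore:
    """C5-style identity store (hypothetical): userName is an ordinary claim,
    so the core itself accepts two users carrying the same name."""

    def __init__(self) -> None:
        self._users: Dict[str, User] = {}

    def add_user(self, claims: Dict[str, str]) -> User:
        user = User(id=str(uuid.uuid4()), claims=dict(claims))
        self._users[user.id] = user
        return user

    def find_by_claim(self, claim: str, value: str) -> List[User]:
        return [u for u in self._users.values() if u.claims.get(claim) == value]

    def update_claims(self, user_id: str, claims: Dict[str, str]) -> User:
        self._users[user_id].claims.update(claims)
        return self._users[user_id]


# Attributes the SCIM layer keeps unique; RFC 7643 gives userName uniqueness
# "server". Extending this tuple covers the "all unique attributes" case.
UNIQUE_ATTRIBUTES: Tuple[str, ...] = ("userName",)


def scim_conflict(attr: str, value: str) -> Tuple[int, dict]:
    """RFC 7644 section 3.12: a duplicate unique attribute is answered with
    409 Conflict and scimType "uniqueness"."""
    return 409, {
        "schemas": ["urn:ietf:params:scim:api:messages:2.0:Error"],
        "status": "409",
        "scimType": "uniqueness",
        "detail": f"{attr} '{value}' already exists",
    }


class ScimUserResource:
    def __init__(self, core: UserCore) -> None:
        self.core = core

    def is_user_exist(self, user_name: str) -> bool:
        """isUserExist as the thread wants it: true when any user carries the
        given user name, whatever its immutable id."""
        return bool(self.core.find_by_claim("userName", user_name))

    def _uniqueness_violation(self, body: dict, exclude_id: Optional[str] = None):
        for attr in UNIQUE_ATTRIBUTES:
            value = body.get(attr)
            if value is None:
                continue
            # exclude_id lets a PUT keep the user's own current value
            if any(u.id != exclude_id for u in self.core.find_by_claim(attr, value)):
                return attr, value
        return None

    def create(self, body: dict) -> Tuple[int, dict]:
        """POST /Users"""
        violation = self._uniqueness_violation(body)
        if violation:
            return scim_conflict(*violation)
        user = self.core.add_user(body)
        return 201, {"id": user.id, **user.claims}

    def replace(self, user_id: str, body: dict) -> Tuple[int, dict]:
        """PUT /Users/{id}: the id stays; the unique attribute may change,
        but not to a value another user already holds."""
        violation = self._uniqueness_violation(body, exclude_id=user_id)
        if violation:
            return scim_conflict(*violation)
        user = self.core.update_claims(user_id, body)
        return 200, {"id": user.id, **user.claims}


if __name__ == "__main__":
    scim = ScimUserResource(UserCore())
    print(scim.create({"userName": "alice"}))   # 201 with a fresh immutable id
    print(scim.create({"userName": "alice"}))   # 409, scimType "uniqueness"
```

The core deliberately has no uniqueness rule of its own, so the only thing standing between a duplicate userName and the store is the SCIM layer; that is the mismatch Farasath asks about, and the `exclude_id` parameter is what stops a PUT that keeps the same name from colliding with itself.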
Re: [Dev] [Architecture] Account Lock/Disable Feature in IS 6.0.0
Hi

On Fri, Jan 20, 2017 at 4:28 PM, Rushmin Fernando <rush...@wso2.com> wrote:
> Isura, as per my understanding, in most of the cases 'inactive' users are treated as non-existing users.
>
> So from the domain model side we should have a method to
>
> get the active users (since this is the default case, we can even name the method getUsers())
>
> and another method to
>
> get the users including inactive users

+1 for this. Ideally in all user operations we can filter out the inactive users. For example, in JDBC user stores we may use an account_inactive claim; in LDAP we can filter with the UserAccountControl attribute.

> When it comes to operations, we anyway have to have an interceptor in the authentication flow to refuse locked users (inactive users will not even be considered)

One downside is performance. If we check this before authentication it will reduce the performance. So if the user store (identity store) supports account locking, it is better to use that implementation; if not, we have to explicitly check the account lock property.

-Ishara

> On Fri, Jan 20, 2017 at 3:32 PM, Isura Karunaratne <is...@wso2.com> wrote:
>> Hi all,
>>
>> We are working on implementing account lock/disable features for IS 6.0.0.
>>
>> *Account Lock:*
>> - User *must not* be able to login to the system.
>> - Admin user *can* update the user attributes and assign roles (account is active).
>> - User cannot start a password recovery flow.
>>
>> *Account Disable:*
>> - User *must not* be able to login to the system.
>> - Admin user *can not* update the user attributes and cannot assign roles until enabling the account (inactive state).
>> - User cannot start a password recovery flow.
>>
>> *When will the account be locked?*
>> - Self sign-up users until account confirmation.
>> - Trying to login with invalid credentials more than the configured number of attempts. Then the account will be locked for a configured amount of time (like 5 minutes). This lock time will be increased if the user is locked again, based on a configuration.
>> - Providing invalid answers more than the configured number of attempts during password recovery.
>> - User onboarding with Email/SMS verification flow.
>> - When admin needs to block the user from logging in to the system.
>> - When an admin-initiated password reset flow starts.
>>
>> *When will the account be disabled?*
>> - When admin needs to inactivate the user.
>>
>> What is the best way to handle the account disable check? We can do this from an interceptor level; then we need to check account disable in each operation.
>>
>> Thanks
>> Isura.
>>
>> *Isura Dilhara Karunaratne*
>> Senior Software Engineer | WSO2
>> Email: is...@wso2.com
>> Mob : +94 772 254 810
>> Blog : http://isurad.blogspot.com/
>>
>> ___
>> Architecture mailing list
>> architect...@wso2.org
>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>
> --
> *Best Regards*
>
> *Rushmin Fernando*
> *Technical Lead*
>
> WSO2 Inc. <http://wso2.com/> - Lean . Enterprise . Middleware
>
> mobile : +94775615183

--
Ishara Karunarathna
Associate Technical Lead
WSO2 Inc. - lean . enterprise . middleware | wso2.com

email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94717996791
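As an added illustration (not the IS 6.0.0 implementation), the lock and disable rules Isura lists, the interceptor check Rushmin describes, the active-only listing, and the escalating lock duration can be modelled in one small guard object. The class names, the policy defaults and the injectable clock are assumptions of this example; the password comparison is a plain string compare only to keep the example short.

```python
"""Account lock vs. account disable, modelled on the rules in the thread.
Added illustration, not IS 6.0.0 code: class names, policy defaults and the
injectable clock are assumptions of this example."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Optional


class AccountError(Exception):
    """Raised when an operation is refused because of account state."""


@dataclass
class LockPolicy:
    max_failed_attempts: int = 3       # invalid logins before a timed lock
    base_lock_seconds: int = 300       # "like 5 minutes" in the thread
    lock_multiplier: float = 2.0       # each further lock lasts this much longer


@dataclass
class Account:
    username: str
    password: str                      # plain text only in this toy; real code stores a hash
    disabled: bool = False             # admin inactivated the account
    locked_until: Optional[float] = None   # None: not locked; inf: locked until admin unlock
    failed_attempts: int = 0
    lock_count: int = 0                # timed locks so far; drives the escalation
    attributes: Dict[str, str] = field(default_factory=dict)


class AccountGuard:
    """Interceptor-style checks that every user operation consults first."""

    def __init__(self, policy: LockPolicy, clock: Callable[[], float]) -> None:
        self.policy = policy
        self.clock = clock             # returns the current time in epoch seconds

    def is_locked(self, acct: Account) -> bool:
        if acct.locked_until is None:
            return False
        if self.clock() >= acct.locked_until:   # timed lock has expired
            acct.locked_until = None
            acct.failed_attempts = 0
            return False
        return True

    def list_users(self, accounts: Iterable[Account], include_inactive: bool = False) -> List[Account]:
        """Default listing hides disabled ('inactive') accounts, as Rushmin suggests."""
        return [a for a in accounts if include_inactive or not a.disabled]

    def _lock_timed(self, acct: Account) -> None:
        # 5 min, then 10 min, then 20 min ... with the defaults above
        duration = self.policy.base_lock_seconds * self.policy.lock_multiplier ** acct.lock_count
        acct.lock_count += 1
        acct.locked_until = self.clock() + duration

    def lock_by_admin(self, acct: Account) -> None:
        acct.locked_until = float("inf")

    def unlock(self, acct: Account) -> None:
        acct.locked_until = None
        acct.failed_attempts = 0
        acct.lock_count = 0            # escalation resets only on an explicit unlock

    def disable(self, acct: Account) -> None:
        acct.disabled = True

    def enable(self, acct: Account) -> None:
        acct.disabled = False

    def authenticate(self, acct: Account, password: str) -> bool:
        """Locked and disabled accounts are refused before the credential is checked."""
        if acct.disabled:
            raise AccountError("account disabled")
        if self.is_locked(acct):
            raise AccountError("account locked")
        if password == acct.password:
            acct.failed_attempts = 0
            return True
        acct.failed_attempts += 1
        if acct.failed_attempts >= self.policy.max_failed_attempts:
            self._lock_timed(acct)
        return False

    def start_password_recovery(self, acct: Account) -> bool:
        """Neither a locked nor a disabled user may start recovery."""
        if acct.disabled or self.is_locked(acct):
            raise AccountError("password recovery not allowed")
        return True

    def admin_update_attributes(self, acct: Account, attrs: Dict[str, str]) -> bool:
        """Admins may edit a locked account but not a disabled one."""
        if acct.disabled:
            raise AccountError("account disabled: enable it before updating")
        acct.attributes.update(attrs)
        return True
```

The two states differ in exactly one guarded operation: `admin_update_attributes` still succeeds on a locked account and is refused on a disabled one, which is the distinction Isura's two bullet lists draw. Keeping `lock_count` across successful logins means a repeat offender's next lock is longer, which is the "increased if the user is locked again" behaviour; resetting it only in `unlock` is the assumption made here.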
Re: [Dev] [IS6 M1] LDAP Userstore implementation and documentation
On Mon, Jan 16, 2017 at 10:24 AM, Niranjan Karunanandham <niran...@wso2.com> wrote:
> Hi IsharaK,
>
> AFAIR we did not have a code review on this. Can you organize one please before we can merge the PR?

Niranjan, we did this after Thanu's one, and we need Thanu's PR merged.

> Regards,
> Nira
>
> On Sun, Jan 15, 2017 at 7:14 AM, Samuel Gnaniah <sam...@wso2.com> wrote:
>> I checked the readme in Github and it doesn't have any content added. Is it possible to provide tested steps for this for documentation?
>>
>> Also, will this be common to all C5 products or is it only for IS?
>>
>> *Samuel Gnaniah*
>> Lead Technical Writer
>>
>> WSO2 (pvt.) Ltd.
>> Colombo, Sri Lanka
>> (+94) 773131798
>>
>> On Sat, Jan 14, 2017 at 10:41 PM, KasunG Gajasinghe <kas...@wso2.com> wrote:
>>> On Sat, Jan 14, 2017 at 9:29 PM, Ishara Karunarathna <isha...@wso2.com> wrote:
>>>> Hi Kasun,
>>>>
>>>> On Sat, Jan 14, 2017 at 6:58 PM, KasunG Gajasinghe <kas...@wso2.com> wrote:
>>>>> Hi,
>>>>>
>>>>> Opening this thread to keep track of the LDAP userstore feature that goes into the M1. We are on the final stage of this implementation, which is maintained at [1]. @Ishara is working on this.
>>>>
>>>> Are we going to track all the features via mails? I think all should be tracked with user stories.
>>>
>>> Yes. User stories and mails serve two different purposes, isn't it? This is to have discussions, make sure that everyone is on the same page.
>>>
>>>>> We need to get the PR for carbon-jndi merged [2] since the current JNDI impl does not load JNDI providers coming from the JRE.
>>>>>
>>>>> @Samuel, please note on docs.
>>>>>
>>>>> [1] https://github.com/wso2-extensions/carbon-security-user-store-ldap
>>>>> [2] https://github.com/wso2/carbon-jndi/pull/32
>>>>>
>>>>> --
>>>>> *Kasun Gajasinghe* Associate Technical Lead, WSO2 Inc.
>>>>> email: kasung AT spamfree wso2.com
>>>>> linked-in: http://lk.linkedin.com/in/gajasinghe
>>>>> blog: http://kasunbg.org
>>>>> phone: +1 650-745-4499, 77 678 0813
>
> --
> *Niranjan Karunanandham*
> Associate Technical Lead - WSO2 Inc.
> WSO2 Inc.: http://www.wso2.com

--
Ishara Karunarathna
Associate Technical Lead
WSO2 Inc. - lean . enterprise . middleware | wso2.com

email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94717996791
Re: [Dev] [IS6 M1] LDAP Userstore implementation and documentation
Hi Kasun,

On Sat, Jan 14, 2017 at 6:58 PM, KasunG Gajasinghe <kas...@wso2.com> wrote:
> Hi,
>
> Opening this thread to keep track of the LDAP userstore feature that goes into the M1. We are on the final stage of this implementation, which is maintained at [1]. @Ishara is working on this.

Are we going to track all the features via mails? I think all should be tracked with user stories.

> We need to get the PR for carbon-jndi merged [2] since the current JNDI impl does not load JNDI providers coming from the JRE.
>
> @Samuel, please note on docs.
>
> [1] https://github.com/wso2-extensions/carbon-security-user-store-ldap
> [2] https://github.com/wso2/carbon-jndi/pull/32
>
> --
> *Kasun Gajasinghe* Associate Technical Lead, WSO2 Inc.
> email: kasung AT spamfree wso2.com
> linked-in: http://lk.linkedin.com/in/gajasinghe
> blog: http://kasunbg.org
> phone: +1 650-745-4499, 77 678 0813

--
Ishara Karunarathna
Associate Technical Lead
WSO2 Inc. - lean . enterprise . middleware | wso2.com

email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94717996791
Re: [Dev] [VOTE] Release WSO2 Identity Server 5.3.0- RC3
Hi,

Tested:
- OAuth Discovery
- OAuth DCR
- IS Analytics with IS Runtime

Worked fine without any issues.

[+] Stable - go ahead and release

-Ishara

On Fri, Jan 6, 2017 at 10:06 PM, Pulasthi Mahawithana <pulast...@wso2.com> wrote:
> Hi All,
>
> This is the 3rd Release Candidate of WSO2 Identity Server 5.3.0.
>
> Please download, test the product and vote. The vote will be open for 72 hours or as needed.
>
> This release fixes the following issues:
>
> Runtime : https://wso2.org/jira/issues/?filter=13612
> Analytics : https://wso2.org/jira/issues/?filter=13614
>
> Source and distribution
>
> Run-time : https://github.com/wso2/product-is/releases/tag/v5.3.0-rc3
> Analytics : https://github.com/wso2/analytics-is/releases/tag/v5.3.0-rc3
>
> Please vote as follows.
> [+] Stable - go ahead and release
> [-] Broken - do not release (explain why)
>
> Thanks,
> - WSO2 Identity Server Team -
>
> --
> *Pulasthi Mahawithana*
> Senior Software Engineer
> WSO2 Inc., http://wso2.com/
> Mobile: +94-71-5179022
> Blog: http://blog.pulasthi.org

--
Ishara Karunarathna
Associate Technical Lead
WSO2 Inc. - lean . enterprise . middleware | wso2.com

email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94717996791
Re: [Dev] C5 Carbon JNDI implementation does not support for LDAP
Hi Kishanthan,

I have added support to load the built-in JRE providers [1]. Since the JRE already has an LDAP provider we can use this.

-Ishara

[1] https://github.com/wso2/carbon-jndi/pull/32

On Wed, Jan 4, 2017 at 4:37 PM, Kishanthan Thangarajah <kishant...@wso2.com> wrote:
> On Tue, Jan 3, 2017 at 11:24 AM, Ishara Karunarathna <isha...@wso2.com> wrote:
>> Hi Kernel team,
>>
>> The current carbon JNDI implementation does not support LDAP. Basically it does not support DirContext operations.
>
> We did not have a requirement to support this; that is why it is not implemented. Since IS will mostly be using LDAP related JNDI lookups and it should be supported with the provider implementation (may be apache directory, and need to check whether this would work with JRE supported providers), it is best if you guys can work on it and add it to carbon-jndi?
>
>> In addition to that, it needs to support loading JRE supported context providers.
>>
>> To implement the LDAP connector for the user management core in the C5 based IS we need this.
>> Can we get this improvement?
>>
>> Thanks,
>> Ishara
>
> --
> *Kishanthan Thangarajah*
> Technical Lead,
> Platform Technologies Team,
> WSO2, Inc.
> lean.enterprise.middleware
>
> Mobile - +94773426635
> Blog - *http://kishanthan.wordpress.com*
> Twitter - *http://twitter.com/kishanthan*

--
Ishara Karunarathna
Associate Technical Lead
WSO2 Inc. - lean . enterprise . middleware | wso2.com

email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94717996791
Re: [Dev] [IS] [C5] Self sign-up in C5 User Portal
On Tue, Jan 3, 2017 at 12:52 PM, Johann Nallathamby <joh...@wso2.com> wrote:
> What are the new user stories we are trying to implement that are not already there in IS 5.3.0? Can we come up with a list of new requirements? Aren't most of the above user stories already there in IS 5.3.0?

Yes, in 5.3.0 we have an almost complete user store. But when it comes to the C5 implementation we can't cover it within a single milestone release, so we need to start with a simple user story and use different versions of it, adding the other use cases associated with it.

-Ishara

> On Tue, Jan 3, 2017 at 10:30 AM, Ishara Karunarathna <isha...@wso2.com> wrote:
>> Hi Indunil,
>>
>> When we think about self sign-up, the basic use case is: a user comes to the self sign-up page and adds his user information, the system creates an account and lets the user log in.
>>
>> But there are a lot of associated use cases with this. For example:
>> 1. Once a user has self signed up, we need to send a verification mail.
>> 2. Self sign-up should go through an approval process.
>> 3. The user should be assigned to particular roles.
>>
>> To cater to those requirements we need additional features, and we may need several versions of this user story to complete this feature. For the 1st implementation it is better to implement the simple case, where the user self signs up and logs in (with login permission only).
>>
>> Thanks,
>> -Ishara
>>
>> On Tue, Jan 3, 2017 at 9:54 AM, Indunil Upeksha Rathnayake <indu...@wso2.com> wrote:
>>> Hi,
>>>
>>> In IS C5, we are currently implementing self sign-up in the User Portal and have the following considerations regarding the self sign-up functionality.
>>>
>>> What would be the correct way of achieving self sign-up? I would also like to know how it has been implemented in other C5-based products.
>>>
>>> If self sign-up is enabled, *should users be able to create their own user accounts and log in immediately?* Or should there be an *account confirmation through email*, which helps to confirm an actual user? Or should there be configurations to enable/disable both registration and account confirmation?
>>>
>>> And when it comes to self sign-up, especially if there is no account confirmation, in C5 I think it's better to include improvements such as a way to *allow anyone to sign up (no restrictions) or restrict users to specific domains*, and also a way to choose whether *administrators should receive an email when a new account is created*.
>>>
>>> I would appreciate your ideas/suggestions on this.
>>>
>>> Thanks and Regards
>>> --
>>> Indunil Upeksha Rathnayake
>>> Software Engineer | WSO2 Inc
>>> Email: indu...@wso2.com
>>> Mobile 0772182255
>
> --
> Thanks & Regards,
> *Johann Dilantha Nallathamby*
> Technical Lead & Product Lead of WSO2 Identity Server
> Governance Technologies Team
> WSO2, Inc.
> lean.enterprise.middleware
> Mobile - *+9476950*
> Blog - *http://nallaa.wordpress.com*

--
Ishara Karunarathna
Associate Technical Lead
WSO2 Inc. - lean . enterprise . middleware | wso2.com
email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94717996791
[Dev] C5 Carbon JNDI implementation does not support for LDAP
Hi Kernel team,

The current Carbon JNDI implementation does not support LDAP. Basically, it does not support DirContext operations. In addition to that, it needs to support loading JRE-supported context providers.

To implement the LDAP connector for the User Management core in C5-based IS we need this. Can we get this improvement?

Thanks,
Ishara

--
Ishara Karunarathna
Associate Technical Lead
WSO2 Inc. - lean . enterprise . middleware | wso2.com
email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94717996791
Re: [Dev] [IS] [C5] Self sign-up in C5 User Portal
Hi Indunil,

When we think about self sign-up, the basic use case is: a user comes to the self sign-up page and adds his user information, the system creates an account and lets the user log in.

But there are a lot of associated use cases with this. For example:
1. Once a user has self signed up, we need to send a verification mail.
2. Self sign-up should go through an approval process.
3. The user should be assigned to particular roles.

To cater to those requirements we need additional features, and we may need several versions of this user story to complete this feature. For the 1st implementation it is better to implement the simple case, where the user self signs up and logs in (with login permission only).

Thanks,
-Ishara

On Tue, Jan 3, 2017 at 9:54 AM, Indunil Upeksha Rathnayake <indu...@wso2.com> wrote:
> Hi,
>
> In IS C5, we are currently implementing self sign-up in the User Portal and have the following considerations regarding the self sign-up functionality.
>
> What would be the correct way of achieving self sign-up? I would also like to know how it has been implemented in other C5-based products.
>
> If self sign-up is enabled, *should users be able to create their own user accounts and log in immediately?* Or should there be an *account confirmation through email*, which helps to confirm an actual user? Or should there be configurations to enable/disable both registration and account confirmation?
>
> And when it comes to self sign-up, especially if there is no account confirmation, in C5 I think it's better to include improvements such as a way to *allow anyone to sign up (no restrictions) or restrict users to specific domains*, and also a way to choose whether *administrators should receive an email when a new account is created*.
>
> I would appreciate your ideas/suggestions on this.
>
> Thanks and Regards
> --
> Indunil Upeksha Rathnayake
> Software Engineer | WSO2 Inc
> Email: indu...@wso2.com
> Mobile 0772182255

--
Ishara Karunarathna
Associate Technical Lead
WSO2 Inc. - lean . enterprise . middleware | wso2.com
email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94717996791
Re: [Dev] Delete operation on /Me endpoint in SCIM 2.0
Hi,

As I remember, we are not supporting this with the C4 user core. But it is better to support this, and then we should be able to associate a workflow to set up some approval for deleted users.

-Ishara

On Fri, Nov 11, 2016 at 10:27 AM, Vindula Jayawardana <vind...@wso2.com> wrote:
> Hi All,
>
> In the SCIM /Me endpoint, an authenticated user should be able to delete himself, as mentioned in the specification [1]. However, when I try to do that using the current user core, I get a user store exception saying 'LoggedInUser Cannot delete logged in user'.
>
> One way I can handle this is, as mentioned in the specification itself [2], to respond to HTTP DELETE on the /Me endpoint with HTTP status code 501, as we cannot support it. Or else, is there any other good way of handling this?
>
> Any thoughts on this are highly appreciated.
>
> [1] https://tools.ietf.org/html/rfc7644#section-3.2
> [2] https://tools.ietf.org/html/rfc7644#section-3.11
> --
> *Vindula Jayawardana*
> Trainee Software Engineer
> Mobile : +94 713 462554
> Email : vind...@wso2.com

--
Ishara Karunarathna
Associate Technical Lead
WSO2 Inc. - lean . enterprise . middleware | wso2.com
email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94717996791
Re: [Dev] [IS] What are the REST APIs in WSO2IS-5.3.0 that need to be secured?
On Thu, Oct 20, 2016 at 1:40 PM, Harsha Thirimanna <hars...@wso2.com> wrote:
> *Harsha Thirimanna*
> Associate Tech Lead | WSO2
> Email: hars...@wso2.com
> Mob: +94715186770
> Blog: http://harshathirimanna.blogspot.com/
> Twitter: http://twitter.com/harshathirimann
> Linked-In: http://www.linkedin.com/pub/harsha-thirimanna/10/ab8/122
>
> On Thu, Oct 20, 2016 at 1:39 PM, Harsha Thirimanna <hars...@wso2.com> wrote:
>> Moving to DEV...
>>
>> On Thu, Oct 20, 2016 at 12:49 PM, Harsha Thirimanna <hars...@wso2.com> wrote:

Hi,

At this point I don't think that it's a good idea to remove the already available authentication mechanism and use this instead for secured APIs, since those may have some logic those APIs need. Instead, only check the REST APIs that need security. WDYT?

-Ishara

>>> If there is any REST API that is already secured within the feature itself, then we have to remove that and use this. As an example: DCR. In DCR we expect the user in the request payload for now, and those APIs are not secured. After applying this we can remove the user from the request payload and rely on this. In the same way we may have to check the other REST APIs to see whether they rely on any other secure mechanism.
>>>
>>> @Isura, can you please confirm for the identity management REST APIs like inforecovery?
>>>
>>> @Ayesha,
>>> Ishara already tested the DCR, and you can fix that by removing the user from the payload, apply this and test.
>>>
>>> On Thu, Oct 20, 2016 at 12:34 PM, Ishara Karunarathna <isha...@wso2.com> wrote:
>>>> Hi Ayesha,
>>>>
>>>> This feature provides an authentication layer in front of any unsecured REST APIs. So do we need to test this with all the REST APIs?
>>>>
>>>> -Ishara
>>>>
>>>> On Thu, Oct 20, 2016 at 12:05 PM, Ayesha Dissanayaka <aye...@wso2.com> wrote:
>>>>> Hi all,
>>>>>
>>>>> I have started testing the "Generic Authentication Mechanism to all the REST APIs" feature [1] in IS-5.3.0.
>>>>> Please mention details of the REST APIs in IS services which need to be secured, so that I can test those APIs with this feature.
>>>>>
>>>>> [1] https://wso2.org/jira/browse/IDENTITY-4742
>>>>>
>>>>> Thanks!
>>>>> -Ayesha
>>>>>
>>>>> --
>>>>> *Ayesha Dissanayaka*
>>>>> Software Engineer,
>>>>> WSO2, Inc : http://wso2.com
>>>>> 20, Palmgrove Avenue, Colombo 3
>>>>> E-Mail: aye...@wso2.com

--
Ishara Karunarathna
Associate Technical Lead
WSO2 Inc. - lean . enterprise . middleware | wso2.com
email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94717996791
[Dev] login with multiple user stores
Hi All,

While going through Apache Shiro, I noticed that it supports login with multiple realms and provides a unified view of a user [1]. This is something similar to our domain model, where a user exists in multiple identity stores and credential stores with C5. Better to have a look at this when we model our C5 API.

Thanks,
Ishara

[1] http://shiro.apache.org/authentication-features.html

--
Ishara Karunarathna
Associate Technical Lead
WSO2 Inc. - lean . enterprise . middleware | wso2.com
email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94717996791
Re: [Dev] [Architecture] OSGI Service to provision users and roles based on the SAML response.
>>>>>> tion in the end. The same happened to Carbon components. We have so many components and can't make head or tail of it.
>>>>>>
>>>>>> thanks,
>>>>>> Dimuthu
>>>>>>
>>>>>>> Thanks & Regards,
>>>>>>> Ishara Cooray
>>>>>>> Senior Software Engineer
>>>>>>> Mobile : +9477 262 9512
>>>>>>> WSO2, Inc. | http://wso2.com/
>>>>>>> Lean . Enterprise . Middleware
>>>>>>>
>>>>>>> On Wed, Aug 31, 2016 at 1:43 PM, Ishara Cooray <isha...@wso2.com> wrote:
>>>>>>>> + Prabath, Johann
>>>>>>>>
>>>>>>>> On Wed, Aug 31, 2016 at 1:27 PM, Pamod Sylvester <pa...@wso2.com> wrote:
>>>>>>>>> Would it make sense to have it under "user-mgt.xml"?
>>>>>>>>>
>>>>>>>>> On Wed, Aug 31, 2016 at 1:00 PM, Ishara Cooray <isha...@wso2.com> wrote:
>>>>>>>>>> Hi,
>>>>>>>>>> I am working on the $Subject.
>>>>>>>>>>
>>>>>>>>>> *Motivation:*
>>>>>>>>>> I have a use case where I want to authorize users who are logged into the API publisher/store, but APIM does not have access to the underlying user store.
>>>>>>>>>>
>>>>>>>>>> *Plan:*
>>>>>>>>>> The plan is to write an OSGi service that should do the Just In Time provisioning before the permission check to authorize the user. It will get the roles from the SAML response and do the provisioning.
>>>>>>>>>>
>>>>>>>>>> But we will have to do the same role/permission mapping manually for now.
>>>>>>>>>>
>>>>>>>>>> If we write a generic service we can plug it into any WSO2 product that needs JIT provisioning initiated by the service provider. However, we need to maintain a few configurations here:
>>>>>>>>>> 1. isServiceProvierInitiatedJITProvisioningEnabled
>>>>>>>>>> 2. User store to be provisioned
>>>>>>>>>> 3. Implementation class (extension point)
>>>>>>>>>>
>>>>>>>>>> What could be the best place to maintain this configuration if the component is written as a generic component for any WSO2 product?
>>>>>>>>>>
>>>>>>>>>> Thanks & Regards,
>>>>>>>>>> Ishara Cooray
>>>>>>>>>> Senior Software Engineer
>>>>>>>>>> Mobile : +9477 262 9512
>>>>>>>>>> WSO2, Inc. | http://wso2.com/
>>>>>>>>>> Lean . Enterprise . Middleware
>>>>>>>>>>
>>>>>>>>>> ___
>>>>>>>>>> Architecture mailing list
>>>>>>>>>> architect...@wso2.org
>>>>>>>>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> *Pamod Sylvester*
>>>>>>>>> *WSO2 Inc.; http://wso2.com*
>>>>>>>>> cell: +94 77 7779495
>>>>>>
>>>>>> --
>>>>>> Dimuthu Leelarathne
>>>>>> Director, Solutions Architecture
>>>>>> WSO2, Inc. (http://wso2.com)
>>>>>> email: dimut...@wso2.com
>>>>>> Mobile: +94773661935
>>>>>> Blog: http://muthulee.blogspot.com
>>>>>> Lean . Enterprise . Middleware
>>>>>
>>>>> --
>>>>> Best Regards,
>>>>> Malaka Silva
>>>>> Senior Technical Lead
>>>>> M: +94 777 219 791
>>>>> Tel : 94 11 214 5345
>>>>> Fax : 94 11 2145300
>>>>> Skype : malaka.sampath.silva
>>>>> LinkedIn : http://www.linkedin.com/pub/malaka-silva/6/33/77
>>>>> Blog : http://mrmalakasilva.blogspot.com/
>>>>> WSO2, Inc.
>>>>> lean . enterprise . middleware
>>>>> https://wso2.com/signature
>>>>> http://www.wso2.com/about/team/malaka-silva/
>>>>> https://store.wso2.com/store/
>>>>> Don't make Trees rare, we should keep them with care
>>>>
>>>> --
>>>> Thanks & Regards,
>>>> *Johann Dilantha Nallathamby*
>>>> Technical Lead & Product Lead of WSO2 Identity Server
>>>> Governance Technologies Team
>>>> WSO2, Inc.
>>>> lean.enterprise.middleware
>>>> Mobile - *+9476950*
>>>> Blog - *http://nallaa.wordpress.com*

--
Ishara Karunarathna
Associate Technical Lead
WSO2 Inc. - lean . enterprise . middleware | wso2.com
email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94717996791
Re: [Dev] [VOTE] Release WSO2 Identity Server 5.2.0- RC1
Hi Devs,

Tested:
- User dashboard
- XACML
- Tenant creation

On Thu, Sep 15, 2016 at 12:33 PM, Kathees Rajendram <kath...@wso2.com> wrote:
> Hi,
>
> Tested the following authenticators.
> - SMS OTP
> - Email OTP
>
> No blocking issue found.
>
> [+] Stable - go ahead and release
>
> Thanks,
> Kathees
>
> On Thu, Sep 15, 2016 at 12:13 PM, Darshana Gunawardana <darsh...@wso2.com> wrote:
>> Hi Devs,
>>
>> Tested:
>> - SAML SSO
>> - Federation
>> - JIT Provisioning
>> - Google Provisioning
>>
>> Did not find any blocking issue.
>>
>> So here's my vote,
>>
>> [+] Stable - go ahead and release
>>
>> Thanks,
>>
>> On Wed, Sep 14, 2016 at 2:59 AM, Hasintha Indrajee <hasin...@wso2.com> wrote:
>>> Tested IS Analytics including
>>> 1. Enabling and disabling analytics (publishers),
>>> 2. Data publishing through publishers.
>>> 3. Analytics Dashboard functionalities.
>>> 4. Session Analytics
>>> 5. Login Analytics
>>>    - Variation over time
>>>    - Drilling down from different attributes
>>>    - Content of data table
>>>
>>> No blocking issues found.
>>> [+] Stable - go ahead and release
>>>
>>> On Sat, Sep 10, 2016 at 7:48 AM, Kasun Bandara <kas...@wso2.com> wrote:
>>>> Hi All,
>>>>
>>>> This is the 1st Release Candidate of WSO2 Identity Server 5.2.0
>>>>
>>>> Please download, test the product and vote. The vote will be open for 72 hours or as needed.
>>>>
>>>> This release fixes the following issues:
>>>> https://wso2.org/jira/issues/?filter=13329
>>>>
>>>> Source and distribution
>>>>
>>>> Run-time : https://github.com/wso2/product-is/releases/tag/v5.2.0-rc1
>>>> Analytics : https://github.com/wso2/analytics-is/releases/tag/v5.2.0-rc1
>>>>
>>>> Please vote as follows.

No blocking issues found. Here is my vote to release.

>>>> [+] Stable - go ahead and release
>>>> [-] Broken - do not release (explain why)
>>>>
>>>> Thanks,
>>>> - WSO2 Identity Server Team -
>>>>
>>>> --
>>>> Kasun Bandara
>>>> *Software Engineer*
>>>> Mobile : +94 (0) 718 338 360
>>>> kas...@wso2.com
>>>
>>> --
>>> Hasintha Indrajee
>>> WSO2, Inc.
>>> Mobile: +94 771892453
>>
>> --
>> Regards,
>> *Darshana Gunawardana*
>> Associate Technical Lead
>> WSO2 Inc.; http://wso2.com
>> *E-mail: darsh...@wso2.com*
>> *Mobile: +94718566859*
>> Lean . Enterprise . Middleware
>
> --
> Kathees
> Software Engineer,
> email: kath...@wso2.com
> mobile: +94772596173

--
Ishara Karunarathna
Associate Technical Lead
WSO2 Inc. - lean . enterprise . middleware | wso2.com
email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94717996791
Re: [Dev] [AppM] SAML response signature validation in tenants
Hi,

On Fri, Aug 19, 2016 at 9:47 AM, Darshana Gunawardana <darsh...@wso2.com> wrote:
> On Thu, Aug 18, 2016 at 4:43 PM, Rushmin Fernando <rush...@wso2.com> wrote:
>> In the current App Manager the service providers of tenants are getting created in the super tenant space.
>>
>> We are in the process of creating the service providers in the relevant tenants.
>>
>> In the App Manager gateway, we use SAML SSO to authenticate the users, and the aforementioned service providers are used.
>>
>> When it comes to validating the SAML response signature, I can see that we can re-use *org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil::getX509CredentialImplForTenant()*
>>
>> As per the code, it uses the tenant key store to get the certificates. And we can get the certificate by using the tenant name as the alias.
>>
>> @IS team, do you see any issues with re-using this code in our gateway?
>
> Using this util makes the gateway, which is a client-side (SP) component, depend on the SAML component, which is a server-side (IdP) component.
>
> IMO, it's not nice to have that dependency. One example is that this dependency will expose a samlsso (IdP) endpoint from the gateway. And also the gateway profile would need to have the SAML components, which makes you carry the whole framework-related dependencies as well.
>
> Thinking about client-side (SP) components which are already doing this, there are two components we have in the WSO2 platform.
> 1. Carbon SAML authenticator : https://github.com/wso2-extensions/identity-carbon-auth-saml2
> 2. AS SSO valve : https://github.com/wso2/carbon-deployment/blob/4.7.x/components/webapp-mgt/org.wso2.carbon.webapp.mgt/src/main/java/org/wso2/carbon/webapp/mgt/sso/SAMLSignatureValidatorImpl.java
>
> Better to use utils from those two components, if we have such methods. The most suitable component for the gateway is #2, since the Carbon authenticator doesn't have usage in the gateway.
>
> I guess it's even worth initiating a separate component to handle all these SAML utils, given that we have isolated components across the platform and we would have to fix a huge number of components if we identified a core issue.

+1 to Darshana's idea. And later it is better to have a common set of libraries to handle this kind of scenario.

> Thanks,
>
>> @Amila, in a cloud story do we need to configure the key aliases for each tenant, or can we live with the default alias (which is the tenant domain name)?
>>
>> --
>> *Best Regards*
>> *Rushmin Fernando*
>> *Technical Lead*
>> WSO2 Inc. <http://wso2.com/> - Lean . Enterprise . Middleware
>> mobile : +94772891266
>
> --
> Regards,
> *Darshana Gunawardana*
> Associate Technical Lead
> WSO2 Inc.; http://wso2.com
> *E-mail: darsh...@wso2.com*
> *Mobile: +94718566859*
> Lean . Enterprise . Middleware

--
Ishara Karunarathna
Associate Technical Lead
WSO2 Inc. - lean . enterprise . middleware | wso2.com
email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94717996791
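The thread above discusses validating a SAML response signature with the certificate looked up from the tenant keystore under the tenant-domain alias. The following is an added, stand-alone example written for this page; it is not WSO2 code and is not `SAMLSSOUtil.getX509CredentialImplForTenant()` or `SAMLSignatureValidatorImpl`. It uses only the JDK's `javax.xml.crypto.dsig` API. Assumptions: the tenant keystore is stood in for by a `Map<tenantDomain, PublicKey>` so the sample runs offline, the sample `Response` document is constructed inline, and the signing key pair is generated on the fly. The point it shows is the check a relying party wants in a multi-tenant gateway: resolve the verification key from the tenant alone, ignore any `KeyInfo` carried inside the message, require the single `ds:Signature` to be a direct child of the `Response` and to reference the `Response` itself, and fail closed for unknown tenants.

```java
// Added example (not WSO2 code). Per-tenant SAML Response signature validation with the JDK XML DSig API.
// Assumption: the tenant keystore is replaced by an in-memory map keyed by tenant domain (the keystore alias
// convention the thread describes); the sample Response and key pairs are constructed here so it runs offline.
import java.security.*;
import java.util.*;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class TenantSamlSignatureCheck {
    private static final String SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol";
    private static final String SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion";
    private static final String XMLNS_NS = "http://www.w3.org/2000/xmlns/";
    private static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    // Stand-in for the tenant keystore: alias (tenant domain) -> trusted IdP public key.
    private final Map<String, PublicKey> tenantKeys = new HashMap<>();

    void trustTenantKey(String tenantDomain, PublicKey key) {
        tenantKeys.put(tenantDomain, key);
    }

    /** Verifies the Response signature with the key resolved from the tenant domain only. KeyInfo inside
     *  the message is ignored on purpose: trusting it would let the sender choose its own verification key. */
    boolean isValidForTenant(Document response, String tenantDomain) throws Exception {
        PublicKey key = tenantKeys.get(tenantDomain);
        if (key == null) {
            return false; // unknown tenant: fail closed
        }
        Element root = response.getDocumentElement();
        NodeList sigs = response.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        // Exactly one signature, and it must sit directly under the Response (signature-wrapping guard).
        if (sigs.getLength() != 1 || !root.isSameNode(sigs.item(0).getParentNode())) {
            return false;
        }
        DOMValidateContext ctx = new DOMValidateContext(key, sigs.item(0));
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);
        XMLSignature signature = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        if (!signature.validate(ctx)) {
            return false; // bad SignatureValue (wrong key) or a digest mismatch (tampered content)
        }
        // The reference must cover the Response itself, not some other node in the document.
        Reference ref = (Reference) signature.getSignedInfo().getReferences().get(0);
        return ("#" + root.getAttribute("ID")).equals(ref.getURI());
    }

    // Constructed sample input: a minimal Response holding one Assertion.
    static Document buildResponse(String id, String subject) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().newDocument();
        Element resp = doc.createElementNS(SAMLP_NS, "samlp:Response");
        resp.setAttributeNS(XMLNS_NS, "xmlns:samlp", SAMLP_NS);
        resp.setAttribute("ID", id);
        resp.setIdAttribute("ID", true); // lets the "#id" reference resolve during validation
        doc.appendChild(resp);
        Element assertion = doc.createElementNS(SAML_NS, "saml:Assertion");
        assertion.setAttributeNS(XMLNS_NS, "xmlns:saml", SAML_NS);
        assertion.setTextContent(subject);
        resp.appendChild(assertion);
        return doc;
    }

    // Enveloped RSA-SHA256 signature over the Response, deliberately without KeyInfo.
    static void sign(Document doc, PrivateKey key) throws Exception {
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Reference ref = fac.newReference("#" + doc.getDocumentElement().getAttribute("ID"),
                fac.newDigestMethod(DigestMethod.SHA256, null),
                Collections.singletonList(fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
                null, null);
        SignedInfo si = fac.newSignedInfo(
                fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
                fac.newSignatureMethod(RSA_SHA256, null),
                Collections.singletonList(ref));
        fac.newXMLSignature(si, null).sign(new DOMSignContext(key, doc.getDocumentElement()));
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair acme = kpg.generateKeyPair();  // IdP key registered for tenant acme.com
        KeyPair other = kpg.generateKeyPair(); // IdP key registered for tenant other.com

        TenantSamlSignatureCheck checker = new TenantSamlSignatureCheck();
        checker.trustTenantKey("acme.com", acme.getPublic());
        checker.trustTenantKey("other.com", other.getPublic());

        Document resp = buildResponse("_resp1", "alice@acme.com");
        sign(resp, acme.getPrivate());
        System.out.println("acme key, tenant acme.com : " + checker.isValidForTenant(resp, "acme.com"));
        System.out.println("acme key, tenant other.com: " + checker.isValidForTenant(resp, "other.com"));
        System.out.println("unknown tenant            : " + checker.isValidForTenant(resp, "nobody.com"));

        // Change signed content after signing: the Assertion digest no longer matches.
        resp.getElementsByTagNameNS(SAML_NS, "Assertion").item(0).setTextContent("admin@acme.com");
        System.out.println("tampered assertion        : " + checker.isValidForTenant(resp, "acme.com"));
    }
}
```

Run it with `java TenantSamlSignatureCheck.java` (Java 11 or later). Only the first case validates; the same message checked under another tenant's alias, an unknown tenant, and a post-signing edit all come back false. In a real gateway the `Map` lookup is where the tenant keystore read goes, and the key used must be the one stored under the tenant alias, never one parsed out of the response.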
Re: [Dev] [AppM] Creating XACML Policies and Service Providers in Tenants
Hi,

On Mon, Aug 8, 2016 at 5:51 PM, Dinusha Senanayaka <dinu...@wso2.com> wrote:
> On Mon, Aug 8, 2016 at 5:43 PM, Ishara Karunarathna <isha...@wso2.com> wrote:
>> Hi Rushmin,
>>
>> On Mon, Aug 8, 2016 at 5:26 PM, Rushmin Fernando <rush...@wso2.com> wrote:
>>> Hi Ishara,
>>>
>>> We are currently using the following two admin services to create service providers.
>>>
>>> IdentitySAMLSSOConfigService
>>> IdentityApplicationManagementService
>>
>> admin/manage
>>
>> permission should be there for both services
>
> hmm .. admin/manage is admin rights? This means we need to assign admin rights to the publisher. :( . Is there any possibility of adding fine-grained permissions for these two services as well, similar to the XACML services?

Nope, only the manage permission is enough. I just mentioned the permission path to the manage permission.

> Regards,
> Dinusha.
>
>>> If we are to follow the above SAML authenticator method for this as well, what permissions should a role have?
>>>
>>> Regards
>>> Rushmin
>>>
>>> On Mon, Aug 8, 2016 at 5:18 PM, Lahiru Cooray <lahi...@wso2.com> wrote:
>>>> Hi Ishara,
>>>> Thanks a lot for the info..
>>>>
>>>> On Mon, Aug 8, 2016 at 4:04 PM, Ishara Karunarathna <isha...@wso2.com> wrote:
>>>>> Hi Dinusha,
>>>>>
>>>>> In this case I think the publisher user should be able to create those SPs, XACML policies etc. Since the publisher user is within the publisher role, you can assign the necessary permissions to that role. Once the user logs in (SSO) to the publisher with his credentials he can get a cookie for that, and he can use that cookie to authenticate to the admin services.
>>>>>
>>>>> @Rushmin,
>>>>> We don't have an authenticator for OAuth tokens. Better to get an ID token using OIDC, or after validating the OAuth token, create a Carbon authenticator like the SAML Carbon authenticator.
>>>>>
>>>>> Thanks,
>>>>> Ishara
>>>>>
>>>>> On Mon, Aug 8, 2016 at 3:47 PM, Rushmin Fernando <rush...@wso2.com> wrote:
>>>>>> In addition to creating these entries from the UI, we need to create the same using our REST API as well. And the API is OAuth protected.
>>>>>>
>>>>>> Is there an authenticator which gives back a cookie for an OAuth token as well?
>>>>>>
>>>>>> On Mon, Aug 8, 2016 at 3:29 PM, Ishara Karunarathna <isha...@wso2.com> wrote:
>>>>>>> Hi Lahiru.
>>>>>>>
>>>>>>> It's not the admin user. The user trying to do this operation should have enough permission to do this.
>>>>>>>
>>>>>>> Use *entitlement/policy/view*
>>>>>>>
>>>>>>> Add this permission to the user who is trying to view those policies.
>>>>>>>
>>>>>>> BR,
>>>>>>> Ishara
>>>>>>>
>>>>>>> On Mon, Aug 8, 2016 at 3:20 PM, Lahiru Cooray <lahi...@wso2.com> wrote:
>>>>>>>> + [DEV]
>>>>>>>>
>>>>>>>> On Mon, Aug 8, 2016 at 3:19 PM, Lahiru Cooray <lahi...@wso2.com> wrote:
>>>>>>>>> Hi all,
>>>>>>>>>
>>>>>>>>> *Current behaviour:*
>>>>>>>>> Currently in AppM, when we are creating XACML policies/Service Providers via IS admin services, we are providing the super tenant admin credentials (where the credentials are st
Re: [Dev] [AppM] Creating XACML Policies and Service Providers in Tenants
Hi Rushmin,

On Mon, Aug 8, 2016 at 5:26 PM, Rushmin Fernando <rush...@wso2.com> wrote:
> Hi Ishara,
>
> We are currently using the following two admin services to create service providers.
>
> IdentitySAMLSSOConfigService
> IdentityApplicationManagementService

admin/manage permission should be there for both services

> If we are to follow the above SAML authenticator method for this as well, what permissions should a role have?
>
> Regards
> Rushmin
>
> On Mon, Aug 8, 2016 at 5:18 PM, Lahiru Cooray <lahi...@wso2.com> wrote:
>> Hi Ishara,
>> Thanks a lot for the info..
>>
>> On Mon, Aug 8, 2016 at 4:04 PM, Ishara Karunarathna <isha...@wso2.com> wrote:
>>> Hi Dinusha,
>>>
>>> In this case I think the publisher user should be able to create those SPs, XACML policies etc. Since the publisher user is within the publisher role, you can assign the necessary permissions to that role. Once the user logs in (SSO) to the publisher with his credentials he can get a cookie for that, and he can use that cookie to authenticate to the admin services.
>>>
>>> @Rushmin,
>>> We don't have an authenticator for OAuth tokens. Better to get an ID token using OIDC, or after validating the OAuth token, create a Carbon authenticator like the SAML Carbon authenticator.
>>>
>>> Thanks,
>>> Ishara
>>>
>>> On Mon, Aug 8, 2016 at 3:47 PM, Rushmin Fernando <rush...@wso2.com> wrote:
>>>> In addition to creating these entries from the UI, we need to create the same using our REST API as well. And the API is OAuth protected.
>>>>
>>>> Is there an authenticator which gives back a cookie for an OAuth token as well?
>>>>
>>>> On Mon, Aug 8, 2016 at 3:29 PM, Ishara Karunarathna <isha...@wso2.com> wrote:
>>>>> Hi Lahiru.
>>>>>
>>>>> It's not the admin user. The user trying to do this operation should have enough permission to do this.
>>>>>
>>>>> Use *entitlement/policy/view*
>>>>>
>>>>> Add this permission to the user who is trying to view those policies.
>>>>>
>>>>> BR,
>>>>> Ishara
>>>>>
>>>>> On Mon, Aug 8, 2016 at 3:20 PM, Lahiru Cooray <lahi...@wso2.com> wrote:
>>>>>> + [DEV]
>>>>>>
>>>>>> On Mon, Aug 8, 2016 at 3:19 PM, Lahiru Cooray <lahi...@wso2.com> wrote:
>>>>>>> Hi all,
>>>>>>>
>>>>>>> *Current behaviour:*
>>>>>>> Currently in AppM, when we are creating XACML policies/Service Providers via IS admin services, we are providing the super tenant admin credentials (where the credentials are stored in a config) to get authenticated. Further, XACML policies/Service Providers are only created in the super tenant and marked as a SaaS app to be used in tenants.
>>>>>>>
>>>>>>> *Problem:*
>>>>>>> As we are moving for AppM - Cloud integration, we are trying to deploy these in the relevant tenant spaces. So as a solution we have tried to use *SAML2SSOAuthenticator* [1] (retrieving a cookie by passing the SAML response and using the same in subsequent service calls), but figured out that this is not applicable for non-admin users.
>>>>>>> (*eg:* In the AppM user story, non-admin users should be allowed to create apps with XACML policies)
>>>>>>>
>>>>>>> Any suggestions for this would be highly appreciated!
>>>>>>>
>>>>>>> [1] https://github.com/wso2/carbon-identity/blob/8cd996c1dc6d9e7c0df491322af6e9ddf1cf3709/components/carbon-authenticators/saml2-sso-authenticator/org.wso2.carbon.identity.authenti
Re: [Dev] [AppM] Creating XACML Policies and Service Providers in Tenants
Hi Dinusha,

In this case I think the publisher user should be able to create those SPs, XACML policies etc. Since the publisher user is within the publisher role, you can assign the necessary permissions to that role. Once the user logs in (SSO) to the publisher with his credentials he can get a cookie for that, and he can use that cookie to authenticate to the admin services.

@Rushmin, we don't have an authenticator for OAuth tokens. Better to get an ID token using OIDC, or, after validating the OAuth token, create a Carbon authenticator like the SAML Carbon authenticator.

Thanks,
Ishara

On Mon, Aug 8, 2016 at 3:47 PM, Rushmin Fernando <rush...@wso2.com> wrote:
> In addition to creating these entries from the UI, we need to create the same using our REST API as well. And the API is OAuth protected.
>
> Is there an authenticator which gives back a cookie for an OAuth token as well?
>
> On Mon, Aug 8, 2016 at 3:29 PM, Ishara Karunarathna <isha...@wso2.com> wrote:
>> Hi Lahiru,
>>
>> It's not the admin user. The user trying to do this operation should have enough permission to do this.
>>
>> Use *entitlement/policy/view*
>>
>> Add this permission to the user who is trying to view those policies.
>>
>> BR,
>> Ishara
>>
>> On Mon, Aug 8, 2016 at 3:20 PM, Lahiru Cooray <lahi...@wso2.com> wrote:
>>> + [DEV]
>>>
>>> On Mon, Aug 8, 2016 at 3:19 PM, Lahiru Cooray <lahi...@wso2.com> wrote:
>>>> Hi all,
>>>>
>>>> *Current behaviour:*
>>>> Currently in AppM, when we are creating XACML policies/Service Providers via IS admin services, we are providing the super tenant admin credentials (where the credentials are stored in a config) to get authenticated. Further, XACML policies/Service Providers are only created in the super tenant and marked as a SaaS app to be used in tenants.
>>>>
>>>> *Problem:*
>>>> As we are moving for AppM - Cloud integration, we are trying to deploy these in the relevant tenant spaces. So as a solution we have tried to use *SAML2SSOAuthenticator* [1] (retrieving a cookie by passing the SAML response and using the same in subsequent service calls) but figured out that this is not applicable for non-admin users.
>>>> (*eg:* In the AppM user story, non-admin users should be allowed to create apps with XACML policies)
>>>>
>>>> Any suggestions for this would be highly appreciated!
>>>>
>>>> [1] https://github.com/wso2/carbon-identity/blob/8cd996c1dc6d9e7c0df491322af6e9ddf1cf3709/components/carbon-authenticators/saml2-sso-authenticator/org.wso2.carbon.identity.authenticator.saml2.sso/src/main/java/org/wso2/carbon/identity/authenticator/saml2/sso/SAML2SSOAuthenticator.java
>>>>
>>>> --
>>>> *Lahiru Cooray*
>>>> Software Engineer
>>>> WSO2, Inc.; http://wso2.com/
>>>> lean.enterprise.middleware
>>>> Mobile: +94 715 654154
>
> --
> *Best Regards*
> *Rushmin Fernando*
> *Technical Lead*
> WSO2 Inc. <http://wso2.com/> - Lean . Enterprise . Middleware
> mobile : +94772891266

--
Ishara Karunarathna
Associate Technical Lead
WSO2 Inc. - lean . enterprise . middleware | wso2.com
email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94717996791
___ Dev mailing list Dev@wso2.org http://wso2.org/cgi-bin/mailman/listinfo/dev
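The "validate the OAuth token, then hand out a cookie for the admin services" idea from the reply above, as an added example that is not code from this thread or from WSO2: the bearer token is checked through an RFC 7662 introspection lookup, the required permission is checked against the token's scope, and an HMAC-signed cookie bound to the user and tenant is minted whose lifetime never exceeds the token's own `exp`. The introspection replies, the clock (`NOW`), `COOKIE_SECRET`, the tenant names and the use of the scope string to carry the `entitlement/policy/view` permission are constructed assumptions for illustration.

```python
"""Bridge an OAuth 2.0 access token to a short-lived, HMAC-signed session cookie.

Added example, not WSO2 code. The introspection replies below are constructed
to mimic RFC 7662 responses; COOKIE_SECRET, NOW, the tenant names and the
permission string are assumptions for illustration.
"""
import base64
import hashlib
import hmac
import json

NOW = 1_470_000_000                          # constructed clock (epoch seconds)
COOKIE_SECRET = b"rotate-me-per-deployment"  # assumption: server-side secret
MAX_COOKIE_TTL = 600                         # cap, but never beyond the token's exp
REQUIRED_PERMISSION = "entitlement/policy/view"

# Constructed RFC 7662-style introspection responses keyed by token string.
_INTROSPECTION = {
    "good-token": {"active": True, "username": "alice@acme.com",
                   "exp": NOW + 3600, "scope": "entitlement/policy/view"},
    "short-token": {"active": True, "username": "bob@acme.com",
                    "exp": NOW + 100, "scope": "entitlement/policy/view"},
    "no-perm-token": {"active": True, "username": "eve@acme.com",
                      "exp": NOW + 3600, "scope": "openid"},
    "stale-token": {"active": False},
}


def introspect(token):
    """Stand-in for a POST to the introspection endpoint (RFC 7662)."""
    return _INTROSPECTION.get(token, {"active": False})


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_cookie(token, tenant, now=NOW):
    """Validate the bearer token, then mint a cookie bound to user and tenant.

    Returns None if the token is inactive, expired, or lacks the permission
    the admin service requires. The cookie never outlives the token.
    """
    info = introspect(token)
    if not info.get("active"):
        return None
    exp = int(info.get("exp", 0))
    if exp <= now:
        return None
    if REQUIRED_PERMISSION not in info.get("scope", "").split():
        return None
    payload = json.dumps(
        {"sub": info["username"], "tenant": tenant,
         "exp": min(now + MAX_COOKIE_TTL, exp)},
        separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(COOKIE_SECRET, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def verify_cookie(cookie, tenant, now=NOW):
    """Return the session claims if the cookie is authentic, unexpired and
    issued for this tenant; otherwise None."""
    try:
        p, s = cookie.split(".")
        payload, sig = _unb64(p), _unb64(s)
    except ValueError:          # wrong segment count or bad base64
        return None
    expected = hmac.new(COOKIE_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(payload)
    if claims.get("tenant") != tenant or int(claims.get("exp", 0)) <= now:
        return None
    return claims


if __name__ == "__main__":
    cookie = issue_cookie("good-token", "carbon.super")
    print(cookie)
    print(verify_cookie(cookie, "carbon.super"))
    print(verify_cookie(cookie, "other.tenant"))   # None: tenant mismatch
```

The tenant is part of the signed payload so a cookie obtained in one tenant cannot be replayed against another tenant's admin services, and the cookie expiry is clamped to the token's `exp` so revoking or expiring the token bounds how long the derived session survives.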
Re: [Dev] [AppM] Creating XACML Policies and Service Providers in Tenants
Hi Lahiru,

It's not the admin user. The user trying to do this operation should have enough permission to do this.

Use *entitlement/policy/view*

Add this permission to the user who is trying to view those policies.

BR,
Ishara

On Mon, Aug 8, 2016 at 3:20 PM, Lahiru Cooray <lahi...@wso2.com> wrote:
> + [DEV]
>
> On Mon, Aug 8, 2016 at 3:19 PM, Lahiru Cooray <lahi...@wso2.com> wrote:
>> Hi all,
>>
>> *Current behaviour:*
>> Currently in AppM, when we are creating XACML policies/Service Providers via IS admin services, we are providing the super tenant admin credentials (where the credentials are stored in a config) to get authenticated. Further, XACML policies/Service Providers are only created in the super tenant and marked as a SaaS app to be used in tenants.
>>
>> *Problem:*
>> As we are moving for AppM - Cloud integration, we are trying to deploy these in the relevant tenant spaces. So as a solution we have tried to use *SAML2SSOAuthenticator* [1] (retrieving a cookie by passing the SAML response and using the same in subsequent service calls) but figured out that this is not applicable for non-admin users.
>> (*eg:* In the AppM user story, non-admin users should be allowed to create apps with XACML policies)
>>
>> Any suggestions for this would be highly appreciated!
>>
>> [1] https://github.com/wso2/carbon-identity/blob/8cd996c1dc6d9e7c0df491322af6e9ddf1cf3709/components/carbon-authenticators/saml2-sso-authenticator/org.wso2.carbon.identity.authenticator.saml2.sso/src/main/java/org/wso2/carbon/identity/authenticator/saml2/sso/SAML2SSOAuthenticator.java
>>
>> --
>> *Lahiru Cooray*
>> Software Engineer
>> WSO2, Inc.; http://wso2.com/
>> lean.enterprise.middleware
>> Mobile: +94 715 654154

--
Ishara Karunarathna
Associate Technical Lead
WSO2 Inc. - lean . enterprise . middleware | wso2.com
email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94717996791
Re: [Dev] [IS] EC2 Performance Analysis : Sudden TPS drop in User Add in 500 concurrency with 10million users
Hi Prabath,

Maduranga is running the same test in OpenStack; once it's completed we will compare all.

BR,
Ishara

On Sun, Jul 31, 2016 at 10:14 PM, Prabath Siriwardana <prab...@wso2.com> wrote:
> Can you please compare the results you are getting now with the results we got a week before in the same setup...? I guess we could get ~1200 tps with 500 concurrency for 1M users, without any drop in the tps...?
>
> Thanks & regards,
> -Prabath
>
> On Sun, Jul 31, 2016 at 12:34 AM, Ishara Karunarathna <isha...@wso2.com> wrote:
>> On Sun, Jul 31, 2016 at 12:59 PM, Malith Jayasinghe <mali...@wso2.com> wrote:
>>> On Sun, Jul 31, 2016 at 12:49 PM, Ishara Karunarathna <isha...@wso2.com> wrote:
>>>> Hi Malith,
>>>>
>>>> On Sun, Jul 31, 2016 at 12:37 PM, Malith Jayasinghe <mali...@wso2.com> wrote:
>>>>> Hi Indunil,
>>>>> Just a few questions regarding this performance test you have done:
>>>>>
>>>>> What is the reason for selecting the concurrency = 500 here?
>>>>
>>>> This is the user's expected concurrency level. That's the reason we use this.
>>>>
>>>>> Have you tested the behaviour for lower concurrency levels?
>>>>>
>>>>> *"currently the TPS is dropping from the initial TPS 1139.5/s to 198.1/s in around 610 user count. (User Add)"* - How did you notice/measure this drop in TPS? Did you analyze the JMeter results offline? After it drops, does it improve after some time or does it stay the same?
>>>>
>>>> We test this with the JMeter summary report.
>>>> With the latest results, if we start again, for a few minutes (2 min) we can get this max TPS and it comes down to around 250 TPS.
>>>
>>> Ok so it comes down to 250 TPS and stays there? Are you running these tests without a warm-up period?
>>
>> Nope.
>>
>> With a 2 s warm-up and then a 10 s ramp-up period.
>>
>>>>> Did you look at the behaviour of latency?
>>>>>
>>>>> Thanks
>>>>>
>>>>> Malith
>>>>>
>>>>> On Fri, Jul 29, 2016 at 2:57 PM, Indunil Upeksha Rathnayake <indu...@wso2.com> wrote:
>>>>>> Hi,
>>>>>>
>>>>>> We are currently engaged in a performance analysis where we are analyzing performance for User Add, Update and Authentication operations. The testing has been carried out in the following environment with 500 concurrency and users up to 10 million.
>>>>>>
>>>>>> *Environment:*
>>>>>> m3.2xlarge (8 core, 30GB, SSD 2x80 GB) 3 instances.
>>>>>> MySQL 5.7
>>>>>> Ubuntu 14.04
>>>>>> OpenLDAP 2.4.31
>>>>>> IS 5.1.0
>>>>>>
>>>>>> In order to optimize the MySQL server, the following server parameters have been tuned accordingly. We have referred to the MySQL documentation [1] as well as performed analysis using several MySQL tuners in [2].
>>>>>>
>>>>>> (1) *max_connections : 1000* (The maximum permitted number of simultaneous client connections.)
>>>>>>
>>>>>> (2) *join_buffer_size : 259968* (The minimum size of the buffer that is used for plain index scans, range index scans, and joins that do not use indexes and thus perform full table scans.)
>>>>>>
>>>>>> (3) *innodb_buffer_pool_size : 5207959552* (size of the memory area where InnoDB caches table and index data)
>>>>>>
>>>>>> (4) *innodb_log_buffer_size : 16777216* (size of the buffer for transactions that have not been committed yet)
>>>>>>
>>>>>> (5) *innodb_buffer_pool_instances : 1* (The number of buffer pool instances. According to the MySQL documentation [1], on systems with a large
Re: [Dev] [IS] EC2 Performance Analysis : Sudden TPS drop in User Add in 500 concurrency with 10million users
On Sun, Jul 31, 2016 at 12:59 PM, Malith Jayasinghe <mali...@wso2.com> wrote:
> On Sun, Jul 31, 2016 at 12:49 PM, Ishara Karunarathna <isha...@wso2.com> wrote:
>> Hi Malith,
>>
>> On Sun, Jul 31, 2016 at 12:37 PM, Malith Jayasinghe <mali...@wso2.com> wrote:
>>> Hi Indunil,
>>> Just a few questions regarding this performance test you have done:
>>>
>>> What is the reason for selecting the concurrency = 500 here?
>>
>> This is the user's expected concurrency level. That's the reason we use this.
>>
>>> Have you tested the behaviour for lower concurrency levels?
>>>
>>> *"currently the TPS is dropping from the initial TPS 1139.5/s to 198.1/s in around 610 user count. (User Add)"* - How did you notice/measure this drop in TPS? Did you analyze the JMeter results offline? After it drops, does it improve after some time or does it stay the same?
>>
>> We test this with the JMeter summary report.
>> With the latest results, if we start again, for a few minutes (2 min) we can get this max TPS and it comes down to around 250 TPS.
>
> Ok so it comes down to 250 TPS and stays there? Are you running these tests without a warm-up period?

Nope.

With a 2 s warm-up and then a 10 s ramp-up period.

>>> Did you look at the behaviour of latency?
>>>
>>> Thanks
>>>
>>> Malith
>>>
>>> On Fri, Jul 29, 2016 at 2:57 PM, Indunil Upeksha Rathnayake <indu...@wso2.com> wrote:
>>>> Hi,
>>>>
>>>> We are currently engaged in a performance analysis where we are analyzing performance for User Add, Update and Authentication operations. The testing has been carried out in the following environment with 500 concurrency and users up to 10 million.
>>>>
>>>> *Environment:*
>>>> m3.2xlarge (8 core, 30GB, SSD 2x80 GB) 3 instances.
>>>> MySQL 5.7
>>>> Ubuntu 14.04
>>>> OpenLDAP 2.4.31
>>>> IS 5.1.0
>>>>
>>>> In order to optimize the MySQL server, the following server parameters have been tuned accordingly. We have referred to the MySQL documentation [1] as well as performed analysis using several MySQL tuners in [2].
>>>>
>>>> (1) *max_connections : 1000* (The maximum permitted number of simultaneous client connections.)
>>>>
>>>> (2) *join_buffer_size : 259968* (The minimum size of the buffer that is used for plain index scans, range index scans, and joins that do not use indexes and thus perform full table scans.)
>>>>
>>>> (3) *innodb_buffer_pool_size : 5207959552* (size of the memory area where InnoDB caches table and index data)
>>>>
>>>> (4) *innodb_log_buffer_size : 16777216* (size of the buffer for transactions that have not been committed yet)
>>>>
>>>> (5) *innodb_buffer_pool_instances : 1* (The number of buffer pool instances. According to the MySQL documentation [1], on systems with a large amount of memory, we can improve concurrency by dividing the buffer pool into multiple buffer pool instances. But couldn't change since it's a read-only variable)
>>>>
>>>> (6) *key_buffer_size : 38400* (size of the buffer used for index blocks)
>>>>
>>>> (7) *table_open_cache : 4000* (The number of open tables for all threads)
>>>>
>>>> (8) *sort_buffer_size : 400* (Each session that must perform a sort allocates a buffer of this size)
>>>>
>>>> (9) *read_buffer_size : 100* (Each thread that does a sequential scan for a table allocates a buffer of this size for each table it scans. If we do many sequential scans, we might want to increase this value)
>>>>
>>>> (10) *query_cache_type : 0*
>>>>
>>>> (11) *query_cache_limit : 1048576* (Do not cache results that are larger than this number of bytes)
>>>>
>>>> (12) *query_cache_size : 1048576* (The amount of memory allocated for caching query results)
>>>>
>>>> (13) *thread_stack : 262144* (The stack size for each thread)
>>>>
>>>> (14) *net_buffer_le
Re: [Dev] [IS] EC2 Performance Analysis : Sudden TPS drop in User Add in 500 concurrency with 10million users
>> (4) Added the following additional parameters to optimize the database connection pool.
>>
>> 6
>>
>> 600
>>
>> 20
>>
>> (5) Tuning Tomcat parameters in /repository/conf/tomcat/catalina-server.xml.
>>
>> *acceptorThreadCount = 8*
>> *maxThreads="750"*
>> *minSpareThreads="150"*
>> *maxKeepAliveRequests="600"*
>> *acceptCount="600"*
>>
>> JMeter has been configured as follows to optimize the performance.
>>
>> (1) JVM Heap Settings (-Xms -Xmx) changed as follows:
>> *Xms : 1g*
>> *Xmx : 1g*
>>
>> We were able to optimize the environment up to some level. But *currently the TPS is dropping from the initial TPS 1139.5/s to 198.1/s in around 610 user count. (User Add)*
>>
>> Appreciate your help on figuring out whether we need to do any modifications to the optimizations in the MySQL, IS and JMeter servers, or to identify the exact issue for this sudden TPS drop.
>>
>> [1] http://dev.mysql.com/doc/refman/5.7/en/optimizing-server.html
>> [2] http://www.askapache.com/mysql/mysql-performance-tuning.html
>>
>> Thanks and Regards
>> --
>> Indunil Upeksha Rathnayake
>> Software Engineer | WSO2 Inc
>> Email indu...@wso2.com
>> Mobile 0772182255
>
> --
> Malith Jayasinghe
> WSO2, Inc. (http://wso2.com)
> Email : mali...@wso2.com
> Mobile : 0770704040
> Lean . Enterprise . Middleware

--
Ishara Karunarathna
Associate Technical Lead
WSO2 Inc. - lean . enterprise . middleware | wso2.com
email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94717996791
Re: [Dev] [IS] EC2 Performance Analysis : Sudden TPS drop in User Add in 500 concurrency with 10million users
Hi Indunil,

Today I did some changes to the JMeter scripts. Still testing locally; I will provide you those.

And before we used EC2 instances we had some OpenStack instances. I think it's better if we can run a backup test there as well. If EC2 gives any issues we can eliminate the risk.

@Chamath, can we get those again?

Thanks,
Ishara

On Fri, Jul 29, 2016 at 3:19 PM, Indunil Upeksha Rathnayake <indu...@wso2.com> wrote:
> Hi,
>
> I have attached the JMeter script file which we use in adding users [1]. Maybe we need to do some modifications to the script. Appreciate your comments.
> @Ishara: I'll send those results.
>
> [1] https://drive.google.com/a/wso2.com/folderview?id=0Bz_EQkE2mOgBMmFDNzFpNk5CTFE=sharing
>
> On Fri, Jul 29, 2016 at 3:05 PM, Ishara Karunarathna <isha...@wso2.com> wrote:
>> Hi Indunil,
>>
>> Can we get the distribution of the throughput? Then we can figure out how it's coming down, and it would be better if we can get the resource utilization of the servers.
>>
>> Thanks,
>> Ishara
>>
>> On Fri, Jul 29, 2016 at 2:57 PM, Indunil Upeksha Rathnayake <indu...@wso2.com> wrote:
>>> Hi,
>>>
>>> We are currently engaged in a performance analysis where we are analyzing performance for User Add, Update and Authentication operations. The testing has been carried out in the following environment with 500 concurrency and users up to 10 million.
>>>
>>> *Environment:*
>>> m3.2xlarge (8 core, 30GB, SSD 2x80 GB) 3 instances.
>>> MySQL 5.7
>>> Ubuntu 14.04
>>> OpenLDAP 2.4.31
>>> IS 5.1.0
>>>
>>> In order to optimize the MySQL server, the following server parameters have been tuned accordingly. We have referred to the MySQL documentation [1] as well as performed analysis using several MySQL tuners in [2].
>>>
>>> (1) *max_connections : 1000* (The maximum permitted number of simultaneous client connections.)
>>>
>>> (2) *join_buffer_size : 259968* (The minimum size of the buffer that is used for plain index scans, range index scans, and joins that do not use indexes and thus perform full table scans.)
>>>
>>> (3) *innodb_buffer_pool_size : 5207959552* (size of the memory area where InnoDB caches table and index data)
>>>
>>> (4) *innodb_log_buffer_size : 16777216* (size of the buffer for transactions that have not been committed yet)
>>>
>>> (5) *innodb_buffer_pool_instances : 1* (The number of buffer pool instances. According to the MySQL documentation [1], on systems with a large amount of memory, we can improve concurrency by dividing the buffer pool into multiple buffer pool instances. But couldn't change since it's a read-only variable)
>>>
>>> (6) *key_buffer_size : 38400* (size of the buffer used for index blocks)
>>>
>>> (7) *table_open_cache : 4000* (The number of open tables for all threads)
>>>
>>> (8) *sort_buffer_size : 400* (Each session that must perform a sort allocates a buffer of this size)
>>>
>>> (9) *read_buffer_size : 100* (Each thread that does a sequential scan for a table allocates a buffer of this size for each table it scans. If we do many sequential scans, we might want to increase this value)
>>>
>>> (10) *query_cache_type : 0*
>>>
>>> (11) *query_cache_limit : 1048576* (Do not cache results that are larger than this number of bytes)
>>>
>>> (12) *query_cache_size : 1048576* (The amount of memory allocated for caching query results)
>>>
>>> (13) *thread_stack : 262144* (The stack size for each thread)
>>>
>>> (14) *net_buffer_length : 16384* (Each client thread is associated with a connection buffer and result buffer. Both begin with a size given by net_buffer_length but are dynamically enlarged up to max_allowed_packet bytes as needed)
>>>
>>> (15) *max_allowed_packet : 4194304* (The maximum size of one packet or any generated/intermediate string)
>>>
>>> (16) *thread_cache_size : 30* (number of threads the server should cache for reuse)
>>>
>>> IS has been configured as follows to optimize the performance.
>>>
>>> (1) JVM Heap Settings (-Xms -Xmx) changed as follows:
>>> *Xms : 2g*
>>>
Re: [Dev] ACT tests in an EC2 environment tps drops in a few min
Hi Isuru,

Thanks for the help, it's much better now. I'll let you know if we get any issues in the environment.

BR,
Ishara

On Fri, Jul 29, 2016 at 3:04 PM, Isuru Rupasinghe <isur...@wso2.com> wrote:
> Hi Ishara,
>
> AWS support has confirmed that there had been a network connectivity issue with the stated region and it should be resolved now. You could find the mail thread below:
>
> -- Forwarded message --
> From: no-reply-...@amazon.com <no-reply-...@amazon.com>
> Date: Thu, Jul 28, 2016 at 5:10 PM
>
> Hi There,
>
> Luigi here from AWS. I hope this email finds you well.
>
> I've checked the service status history in this region (http://status.aws.amazon.com/) and it seems there were connectivity issues which should be resolved now.
>
> If you are still experiencing issues with this, we also have forums available to help. The forums allow you to post your questions to our developers who monitor and respond to these daily. The below link will help you get there.
>
> https://forums.aws.amazon.com/forum.jspa?forumID=30=0
>
> You can create a forum profile following these steps:
> 1. Go to https://forums.aws.amazon.com/index.jspa
> 2. Click on Login.
> 3. Sign in using your AWS credentials.
> 4. Create an AWS Nickname and a Forum Email.
>
> I hope you find this information helpful. I am happy to answer any additional questions you may have.
>
> Best regards,
> Luigi
> Amazon Web Services
> We value your feedback. Please rate my response using the link below.
> ===
> (If you are connecting by federation, log in before following the link.)
>
> *Please note: this e-mail was sent from an address that cannot accept incoming e-mail. Please use the link above if you need to contact us again about this same issue.
>
> Learn to work with the AWS Cloud. Get started with free online videos and self-paced labs at http://aws.amazon.com/training/
>
> Amazon Web Services, Inc. is an affiliate of Amazon.com, Inc. Amazon.com is a registered trademark of Amazon.com, Inc. or its affiliates.
>
> Thanks & Regards,
>
> On Fri, Jul 29, 2016 at 2:27 PM, Dhanushka Ranasinghe <dhanush...@wso2.com> wrote:
>> On Thu, Jul 28, 2016 at 11:19 AM, Miyuru Wanninayaka <miy...@wso2.com> wrote:
>>> EC2 might be throttling the network as we are flooding it with requests. We observed the same behavior when we do ESB performance tests. Due to that, we ran client, server and backend in a single EC2 instance.
>>>
>>> On Thu, Jul 28, 2016 at 11:15 AM, Ishara Karunarathna <isha...@wso2.com> wrote:
>>>> Hi All,
>>>>
>>>> We have 3 m3.2xlarge EC2 instances, one each for JMeter, IS and MySQL. We are running with 500 concurrent threads, and the user add operation only.
>>>>
>>>> Even with 5M users we get 1000+ TPS for a few minutes, and it goes down to 200 TPS after that. But the same test ran without any issues the day before.
>>>>
>>>> Can there be an issue in the EC2 configs, or can it be any other issue? Appreciate your feedback on this.
>>>>
>>>> Thanks,
>>>> Ishara
>>>>
>>>> --
>>>> Ishara Karunarathna
>>>> Associate Technical Lead
>>>> WSO2 Inc. - lean . enterprise . middleware | wso2.com
>>>> email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94717996791
>>>
>>> --
>>> Miyuru Wanninayaka
>>> Associate Director / Architect
>>> WSO2 Inc. : http://wso2.com
>>> Mobile : +94 77 209 9788
>>
>> --
>> Dhanushka Ranasinghe,
>> WSO2 lnc http://wso2.com
>> E-mail : dhanush...@wso2.com
>> Mobile : +94771928269
>
> --
> *Isuru Rupasinghe*
> WSO2 Inc.: http://wso2.com <http://wso2.com/>
> lean.enterprise.middle-ware
> mobile: +94 77 590 4545
> office: +94 11 214 5345 / +94 11 743 5800 ext: 5739
> <http://wso2.com/signature>

--
Ishara Karunarathna
Associate Technical Lead
WSO2 Inc. - lean . enterprise . middleware | wso2.com
email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94717996791
Re: [Dev] [IS] EC2 Performance Analysis : Sudden TPS drop in User Add in 500 concurrency with 10million users
Hi Indunil,

Can we get the distribution of the throughput? Then we can figure out how it's coming down, and it would be better if we can get the resource utilization of the servers.

Thanks,
Ishara

On Fri, Jul 29, 2016 at 2:57 PM, Indunil Upeksha Rathnayake <indu...@wso2.com> wrote:
> Hi,
>
> We are currently engaged in a performance analysis where we are analyzing performance for User Add, Update and Authentication operations. The testing has been carried out in the following environment with 500 concurrency and users up to 10 million.
>
> *Environment:*
> m3.2xlarge (8 core, 30GB, SSD 2x80 GB) 3 instances.
> MySQL 5.7
> Ubuntu 14.04
> OpenLDAP 2.4.31
> IS 5.1.0
>
> In order to optimize the MySQL server, the following server parameters have been tuned accordingly. We have referred to the MySQL documentation [1] as well as performed analysis using several MySQL tuners in [2].
>
> (1) *max_connections : 1000* (The maximum permitted number of simultaneous client connections.)
>
> (2) *join_buffer_size : 259968* (The minimum size of the buffer that is used for plain index scans, range index scans, and joins that do not use indexes and thus perform full table scans.)
>
> (3) *innodb_buffer_pool_size : 5207959552* (size of the memory area where InnoDB caches table and index data)
>
> (4) *innodb_log_buffer_size : 16777216* (size of the buffer for transactions that have not been committed yet)
>
> (5) *innodb_buffer_pool_instances : 1* (The number of buffer pool instances. According to the MySQL documentation [1], on systems with a large amount of memory, we can improve concurrency by dividing the buffer pool into multiple buffer pool instances. But couldn't change since it's a read-only variable)
>
> (6) *key_buffer_size : 38400* (size of the buffer used for index blocks)
>
> (7) *table_open_cache : 4000* (The number of open tables for all threads)
>
> (8) *sort_buffer_size : 400* (Each session that must perform a sort allocates a buffer of this size)
>
> (9) *read_buffer_size : 100* (Each thread that does a sequential scan for a table allocates a buffer of this size for each table it scans. If we do many sequential scans, we might want to increase this value)
>
> (10) *query_cache_type : 0*
>
> (11) *query_cache_limit : 1048576* (Do not cache results that are larger than this number of bytes)
>
> (12) *query_cache_size : 1048576* (The amount of memory allocated for caching query results)
>
> (13) *thread_stack : 262144* (The stack size for each thread)
>
> (14) *net_buffer_length : 16384* (Each client thread is associated with a connection buffer and result buffer. Both begin with a size given by net_buffer_length but are dynamically enlarged up to max_allowed_packet bytes as needed)
>
> (15) *max_allowed_packet : 4194304* (The maximum size of one packet or any generated/intermediate string)
>
> (16) *thread_cache_size : 30* (number of threads the server should cache for reuse)
>
> IS has been configured as follows to optimize the performance.
>
> (1) JVM Heap Settings (-Xms -Xmx) changed as follows:
> *Xms : 2g*
> *Xmx : 2g*
>
> (2) Removed the following entry from /repository/conf/tomcat/catalina-server.xml to disable HTTP access logs.
> directory="${carbon.home}/repository/logs" prefix="http_access_" suffix=".log" pattern="combined" />
>
> (3) Tuned the following parameters in the axis2client.xml file.
> 1000
> 3
>
> (4) Added the following additional parameters to optimize the database connection pool.
> 6
> 600
> 20
>
> (5) Tuning Tomcat parameters in /repository/conf/tomcat/catalina-server.xml.
> *acceptorThreadCount = 8*
> *maxThreads="750"*
> *minSpareThreads="150"*
> *maxKeepAliveRequests="600"*
> *acceptCount="600"*
>
> JMeter has been configured as follows to optimize the performance.
>
> (1) JVM Heap Settings (-Xms -Xmx) changed as follows:
> *Xms : 1g*
> *Xmx : 1g*
>
> We were able to optimize the environment up to some level. But *currently the TPS is dropping from the initial TPS 1139.5/s to 198.1/s in around 610 user count. (User Add)*
>
> Appreciate your help on figuring out whether we need to do any modifications to the optimizations in the MySQL, IS and JMeter servers, or to identify the exact issue for this sudden TPS drop.
>
> [1] http://dev.mysql.com/doc/refman/5.7/en/optimizing-server.html
> [2] http://www.askapache.com/mysql/mysql-performance-tuning.html
>
> Thanks and Regards
> --
> Indunil Upeksha Rathnayake
> Software Engineer | WSO2 Inc
> Email indu...@wso2.com
> Mobile 0772182255

--
Ishara Karunarathna
Associate Technical Lead
WSO2 Inc. - lean . enterprise . middleware | wso2.com
email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94717996791
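The "distribution of the throughput" asked for above is something the JMeter summary report hides, because it averages over the whole run. As an added example that is not from this thread or from WSO2, the script below bins the raw JTL samples JMeter writes (the CSV columns `timeStamp,elapsed,label,responseCode,success`) into 10 s windows and reports TPS, error rate and p95 latency per window, then flags the first window where throughput falls below half of the peak seen so far. The sample rows, their timestamps, the 1000-then-200 TPS shape, the latencies and the 1-in-10 failures are all constructed; point `throughput_windows` at the text of a real JTL to use it on the run being discussed.

```python
"""Bin JMeter JTL samples into time windows to see where throughput collapses.

Added example, not from the thread or WSO2. build_sample_jtl constructs CSV
rows in JMeter's JTL layout (timeStamp,elapsed,label,responseCode,success);
the high-then-low throughput shape and latencies are made up to exercise
the code. Point throughput_windows at a real JTL's text to use it.
"""
import csv
import io
from statistics import quantiles

WINDOW_MS = 10_000
T0 = 1_469_800_000_000   # constructed start time, aligned to a window boundary


def build_sample_jtl(fast_secs=20, slow_secs=20, tps_fast=1000, tps_slow=200):
    """Constructed JTL: tps_fast req/s, then a drop to tps_slow req/s with
    slower responses and 1 in 10 failing."""
    out = io.StringIO()
    w = csv.writer(out)
    w.writerow(["timeStamp", "elapsed", "label", "responseCode", "success"])
    for sec in range(fast_secs + slow_secs):
        slow = sec >= fast_secs
        tps = tps_slow if slow else tps_fast
        for i in range(tps):
            failed = slow and i % 10 == 0
            w.writerow([T0 + sec * 1000 + (i * 1000) // tps,
                        2400 if slow else 450, "addUser",
                        500 if failed else 200, "false" if failed else "true"])
    return out.getvalue()


def throughput_windows(jtl_text, window_ms=WINDOW_MS):
    """Return [(window_start_ms, tps, error_rate, p95_latency_ms), ...]
    ordered by time. The last window may be partial."""
    buckets = {}
    for row in csv.DictReader(io.StringIO(jtl_text)):
        ts = int(row["timeStamp"])
        b = buckets.setdefault(ts - ts % window_ms, {"n": 0, "err": 0, "lat": []})
        b["n"] += 1
        b["err"] += row["success"].strip().lower() != "true"
        b["lat"].append(int(row["elapsed"]))
    out = []
    for start in sorted(buckets):
        b = buckets[start]
        lat = b["lat"]
        # quantiles(n=20) yields 19 cut points; index 18 is the 95th percentile
        p95 = quantiles(lat, n=20)[18] if len(lat) > 1 else float(lat[0])
        out.append((start, b["n"] * 1000 / window_ms, b["err"] / b["n"], p95))
    return out


def find_drop(windows, ratio=0.5):
    """First window whose TPS is below `ratio` of the peak seen so far;
    returns (window_start_ms, tps, peak_tps) or None."""
    peak = 0.0
    for start, tps, _err, _p95 in windows:
        if peak and tps < ratio * peak:
            return start, tps, peak
        peak = max(peak, tps)
    return None


if __name__ == "__main__":
    wins = throughput_windows(build_sample_jtl())
    for start, tps, err, p95 in wins:
        print(f"t+{(start - T0) // 1000:>4}s  {tps:7.1f} tps  err {err:5.1%}  p95 {p95:6.0f} ms")
    print("drop:", find_drop(wins))
```

Lining the per-window error rate and p95 latency up against the TPS curve is what separates a client-side cause (JMeter starving, in which case latency stays flat while TPS falls) from a server-side one (latency climbs and errors appear at the moment throughput drops), which is the distinction the resource-utilization numbers asked for above would then confirm.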
[Dev] ACT tests in an EC2 environment tps drops in a few min
Hi All,

We have 3 m3.2xlarge EC2 instances, one each for JMeter, IS and MySQL. We are running with 500 concurrent threads, and the user add operation only.

Even with 5M users we get 1000+ TPS for a few minutes, and it goes down to 200 TPS after that. But the same test ran without any issues the day before.

Can there be an issue in the EC2 configs, or can it be any other issue? Appreciate your feedback on this.

Thanks,
Ishara

--
Ishara Karunarathna
Associate Technical Lead
WSO2 Inc. - lean . enterprise . middleware | wso2.com
email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94717996791
Re: [Dev] Error JWT grant type
Hi,

We can't use the ID token that we get from IS 5.1.0 since we can't configure the aud there, but this should be fixed in IS 5.2.0. And I used the sample JWT generator class to build a JWT and test the scenario.

Thanks,
Ishara

On Wed, Jul 6, 2016 at 11:58 PM, Malaka Silva <mal...@wso2.com> wrote:
> +Keerthika
>
> On Wed, Jul 6, 2016 at 11:56 AM, Ishara Karunarathna <isha...@wso2.com> wrote:
>> Hi,
>>
>> I tried to use the JWT grant type using the ID token I got from the password grant type.
>>
>> Then I got the following error:
>> "Error occurred while decoding public certificate of Identity Provider default for tenant domain carbon.super"
>>
>> But I have imported the public key to the IdP.
>>
>> Is this a known issue? Or do we have any other sample to generate a JWT if this ID token is not valid?
>>
>> https://docs.wso2.com/display/ISCONNECTORS/Configuring+JWT+Grant+Type
>>
>> Thanks,
>> Ishara
>>
>> --
>> Ishara Karunarathna
>> Associate Technical Lead
>> WSO2 Inc. - lean . enterprise . middleware | wso2.com
>> email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94717996791
>
> --
> Best Regards,
> Malaka Silva
> Senior Technical Lead
> M: +94 777 219 791
> Tel : 94 11 214 5345
> Fax : 94 11 2145300
> Skype : malaka.sampath.silva
> LinkedIn : http://www.linkedin.com/pub/malaka-silva/6/33/77
> Blog : http://mrmalakasilva.blogspot.com/
> WSO2, Inc.
> lean . enterprise . middleware
> http://www.wso2.com/
> http://www.wso2.com/about/team/malaka-silva/ <http://wso2.com/about/team/malaka-silva/>
> https://store.wso2.com/store/
> Save a tree - Conserve nature & Save the world for your future. Print this email only if it is absolutely necessary.

--
Ishara Karunarathna
Associate Technical Lead
WSO2 Inc. - lean . enterprise . middleware | wso2.com
email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94717996791
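The two failures in this thread, an ID token whose `aud` is the client id rather than the token endpoint, and an assertion whose issuer does not resolve to a registered Identity Provider with a usable certificate, are exactly the checks a JWT bearer grant (RFC 7523 section 3) performs before it will issue a token. The following is an added example, not the WSO2 sample generator and not IS code, of both sides: a client minting the assertion and a token endpoint validating it. To stay stdlib-only it signs with HS256 using a per-issuer shared secret held in `IDP_REGISTRY`; the real grant in IS verifies an asymmetric signature against the public certificate registered for the Identity Provider, so the registry lookup stands in for that certificate lookup. `TOKEN_ENDPOINT`, `NOW`, the issuer names, the secrets and the `jti` values are assumptions.

```python
"""Build and validate a JWT assertion for the JWT bearer grant (RFC 7523).

Added example, not the WSO2 sample generator and not IS code. To stay
stdlib-only it signs with HS256 using a per-issuer shared secret; the real
grant in IS verifies the signature against the public certificate registered
for the Identity Provider, so IDP_REGISTRY stands in for that lookup.
TOKEN_ENDPOINT, NOW, the issuer names and the secrets are assumptions.
"""
import base64
import hashlib
import hmac
import json

TOKEN_ENDPOINT = "https://localhost:9443/oauth2/token"
NOW = 1_467_800_000          # constructed clock (epoch seconds)
CLOCK_SKEW = 60              # tolerated seconds for nbf
# Issuers the token endpoint trusts, keyed by the `iss` value they assert.
IDP_REGISTRY = {"partner-idp": b"partner-shared-secret"}
_seen_jti = set()            # replay cache; shared storage in a real cluster


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_assertion(iss, sub, secret, jti, aud=TOKEN_ENDPOINT, now=NOW, ttl=300):
    """Client side: mint the assertion posted with
    grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": iss, "sub": sub, "aud": aud, "iat": now, "nbf": now,
              "exp": now + ttl, "jti": jti}
    signing_input = ".".join(_b64(json.dumps(p, separators=(",", ":")).encode())
                             for p in (header, claims))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(sig)


def validate_assertion(assertion, now=NOW):
    """Token endpoint side: (claims, None) on success, (None, reason) otherwise.
    The checks follow RFC 7523 section 3, in the order a server should apply them."""
    try:
        h, c, s = assertion.split(".")
        header, claims, sig = json.loads(_unb64(h)), json.loads(_unb64(c)), _unb64(s)
    except ValueError:                      # bad segment count, base64 or JSON
        return None, "malformed assertion"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None, "malformed assertion"
    if header.get("alg") != "HS256":
        return None, "unsupported alg"
    secret = IDP_REGISTRY.get(claims.get("iss"))
    if secret is None:   # the IS error about the IdP certificate surfaces here
        return None, "no registered Identity Provider for issuer %r" % claims.get("iss")
    expected = hmac.new(secret, (h + "." + c).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None, "bad signature"
    if claims.get("aud") != TOKEN_ENDPOINT:
        return None, "aud mismatch"          # an ID token carrying the client id fails here
    if int(claims.get("exp", 0)) <= now:
        return None, "expired"
    if int(claims.get("nbf", 0)) > now + CLOCK_SKEW:
        return None, "not yet valid"
    if not claims.get("sub"):
        return None, "missing sub"
    jti = claims.get("jti")
    if not jti or jti in _seen_jti:
        return None, "replayed or missing jti"
    _seen_jti.add(jti)
    return claims, None


if __name__ == "__main__":
    good = build_assertion("partner-idp", "admin", IDP_REGISTRY["partner-idp"], "j1")
    print(validate_assertion(good))
    print(validate_assertion(good))                    # replay rejected
    print(validate_assertion(build_assertion("unknown-idp", "admin", b"k", "j2")))
```

The issuer lookup happens before the signature check because the key to verify with is only known once `iss` has been mapped to a registered provider; that is why a wrong or unregistered issuer shows up as a certificate problem rather than a signature problem.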
[Dev] Error JWT grant type
Hi,

I tried to use the JWT grant type using the ID token I got from the password grant type.

Then I got the following error:
"Error occurred while decoding public certificate of Identity Provider default for tenant domain carbon.super"

But I have imported the public key to the IdP.

Is this a known issue? Or do we have any other sample to generate a JWT if this ID token is not valid?

https://docs.wso2.com/display/ISCONNECTORS/Configuring+JWT+Grant+Type

Thanks,
Ishara

--
Ishara Karunarathna
Associate Technical Lead
WSO2 Inc. - lean . enterprise . middleware | wso2.com
email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94717996791
Re: [Dev] [DEV][IS]Some information about Dynamic Client Registration and Resource Registration
Hi Sanjeewa,

On Thu, Oct 29, 2015 at 7:12 PM, Sanjeewa Malalgoda <sanje...@wso2.com> wrote:
> Hi All,
> I would like to know some information about the OAuth dynamic client registration [1] and resource registration APIs available in IS.
> AFAIK we were discussing this subject for some time and I think we already implemented it.
> So my question is, do we have resource registration APIs and DCR APIs available with IS?

We still don't have these implementations in IS.

Thanks,
Ishara

> If so can someone please point me to endpoint details or some sample.
>
> [1] https://datatracker.ietf.org/doc/rfc7591/?include_text=1
>
> Thanks,
> sanjeewa.
> --
> *Sanjeewa Malalgoda*
> WSO2 Inc.
> Mobile : +94713068779
> <http://sanjeewamalalgoda.blogspot.com/>blog : http://sanjeewamalalgoda.blogspot.com/ <http://sanjeewamalalgoda.blogspot.com/>

--
Ishara Karunarathna
Senior Software Engineer
WSO2 Inc. - lean . enterprise . middleware | wso2.com
email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94717996791
Re: [Dev] [IS] - Unable to decrypt the SAML Assertion When Authenticating to Travelocity app
Hi Nadeesha, On Fri, Oct 2, 2015 at 3:04 PM, Darshana Gunawardana <darsh...@wso2.com> wrote: > Hi Nadeesha, > > Have you checked whether the assertion is encrypted in the response IS > send back to travelocity app? > > And please provide the SSO Trace (save as a text file and attach in the > mail) for the whole flow. > > Thanks, > Darshana > > On Fri, Oct 2, 2015 at 2:53 PM, Nadeesha Meegoda <nadees...@wso2.com> > wrote: > >> Hi. >> >> I have configured the setup to Login to the Identity Server Using Another >> Identity Server as per the details in [1] in Super tenant mode. With the >> happy scenario according to the documentation this works fine. But I have >> enabled some additional properties in IDP and SP used for IDP as following : >> >> *Properties enabled for Federated Authenticators* - SAML2 Web SSO >> Configuration >> >> 1. Enabled Assertion Encryption >> 2. Enable Assertion Signing >> 3. Enable Authentication Response Signing >> >> *Properties enabled fo SP used for IDP * >> >> 1. Enabled Assertion Encryption >> 2. Enabled Response Signing >> >> *Properties enabled fo SP used for travelocity app* >> >> 1. Enabled Assertion Encryption >> > What is the Certificate Alias you used here ? is that the public key in travelocity app ? > 2. Enabled Response Signing >> >> In the travelocity.properties file also I have enabled Assertion >> Encryption,Response signing and Assertion signing. I have already imported >> the Identity Provider Public Certificate to IDP >> >> When I'm signing in to travelocity.com I get Unable to decrypt the SAML >> Assertion error and error in [2] in tomcat. >> >> Note that only enabling "assertion signing" in IDP I was successfully >> able to login and no error was displayed. When I enabled the Assertion >> Encryption this error occurred. Why is this error occurred when I enable >> this property as mentioned above? >> >> Any help regarding this is highly appreciated! 
>>
>> [1] - https://docs.wso2.com/pages/viewpage.action?title=Login%2Bto%2Bthe%2BIdentity%2BServer%2BUsing%2BAnother%2BIdentity%2BServer=IS510
>>
>> [2] - Oct 02, 2015 2:10:47 PM org.wso2.carbon.identity.sso.agent.SSOAgentFilter doFilter
>> SEVERE: An error has occurred
>> org.wso2.carbon.identity.sso.agent.exception.SSOAgentException: Unable to decrypt the SAML Assertion
>> at org.wso2.carbon.identity.sso.agent.saml.SAML2SSOManager.processSSOResponse(SAML2SSOManager.java:254)
>> at org.wso2.carbon.identity.sso.agent.saml.SAML2SSOManager.processResponse(SAML2SSOManager.java:198)
>> at org.wso2.carbon.identity.sso.agent.SSOAgentFilter.doFilter(SSOAgentFilter.java:89)
>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>> at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
>> at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
>> at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
>> at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
>> at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
>> at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
>> at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
>> at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:423)
>> at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1079)
>> at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)
>> at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:318)
>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>> at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>> at java.lang.Thread.run(Thread.java:745)
>>
>> Th
Re: [Dev] Should mysql database scripts work with old mysql versions.
Hi Ruwan,

On Fri, Oct 2, 2015 at 1:09 PM, Ruwan Abeykoon <ruw...@wso2.com> wrote:

> Hi Ishara,
>
>> In Identity Server we started to persist session data with its updated timestamp, and retrieve the latest data object related to the given session.
>> If only seconds are supported we get duplicate entries. In that case we have to go for fractional seconds in the timestamp, or will have to store it in another data type.
>
> I think tying up with the timestamp for any uniqueness is going to be problematic even if we select the most granular time resolution provided by the hardware.
>
That's true, and it depends on the use case too. In our use case we don't depend only on the timestamp, and we can't expect nanosecond-level time differences between session participants. In that case I believe we can go ahead with our approach.

Thanks,
Ishara

> For example, let's say an IoT device sends more than one request in a fraction of a nanosecond, and this might be causing problems down the pipeline/in the future.
> So I would suggest changing the dependency of using the timestamp for any uniqueness/latest check by adding/appending a sequence number, if it is the case.
>
> Cheers,
> Ruwan
>
> On Fri, Oct 2, 2015 at 10:05 AM, Ishara Karunarathna <isha...@wso2.com> wrote:
>
>> Hi Shankar,
>>
>> On Thu, Oct 1, 2015 at 9:54 PM, Selvaratnam Uthaiyashankar <shan...@wso2.com> wrote:
>>
>>> Is this support (fraction of second) there in other RDBMS (Oracle, MSSQL, etc.)? If it is only MySQL 5.6.4+, then we shouldn't use it IMO. If this support is there in all other RDBMS, then it should be ok.
>>>
>> I checked with Oracle, MSSQL, PostgreSQL, Informix and DB2. All support fractions of seconds.
>>
>> Thanks,
>> Ishara
>>
>> [1] http://docs.oracle.com/cd/B19306_01/server.102/b14200/sql_elements001.htm#i54330
>> [2] https://msdn.microsoft.com/en-us/library/ms187819.aspx
>> [3] http://www.postgresql.org/docs/9.1/static/datatype-datetime.html
>> [4] https://www-01.ibm.com/support/knowledgecenter/SSGU8G_12.1.0/com.ibm.sqlr.doc/ids_sqr_110.htm
>> [5] https://www-304.ibm.com/support/knowledgecenter/SSEPEK_10.0.0/com.ibm.db2z10.doc.intro/src/tpc/db2z_datetimetimestamp.dita
>>
>>> On Thu, Oct 1, 2015 at 9:40 PM, Ishara Karunarathna <isha...@wso2.com> wrote:
>>>
>>>> Hi Shankar,
>>>>
>>>> On Thu, Oct 1, 2015 at 7:45 PM, Selvaratnam Uthaiyashankar <shan...@wso2.com> wrote:
>>>>
>>>>> Normally, we should keep the compatibility with older versions.
>>>>>
>>>>> Is there any specific reason why you need up to microsecond precision for the timestamp?
>>>>>
>>>> By default MySQL supports seconds only.
>>>> In Identity Server we started to persist session data with its updated timestamp, and retrieve the latest data object related to the given session.
>>>> If only seconds are supported we get duplicate entries. In that case we have to go for fractional seconds in the timestamp, or will have to store it in another data type.
>>>>
>>>> Thanks,
>>>> Ishara
>>>>
>>>>> On Wed, Sep 30, 2015 at 10:35 PM, Ishara Karunarathna <isha...@wso2.com> wrote:
>>>>>
>>>>>> Hi all,
>>>>>>
>>>>>> For example, MySQL version 5.6.4 (released on February 5, 2013) onwards [1] supports fractional seconds for TIMESTAMP values, with up to microseconds (6 digits).
>>>>>>
>>>>>> But if we write scripts to use that feature they won't work with older versions.
>>>>>> So can we write scripts to work only with MySQL version 5.6.4 and later, or should we support old versions?
>>>>>>
>>>>>> Thanks,
>>>>>> Ishara
>>>>>>
>>>>>> [1] http://dev.mysql.com/doc/refman/5.6/en/mysql-nutshell.html#mysql-nutshell-additions
>>>>>> --
>>>>>> Ishara Karunarathna
>>>>>> Senior Software Engineer
>>>>>> WSO2 Inc. - lean . enterprise . middleware | wso2.com
>>>>>>
>>>>>> email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile:
Re: [Dev] Should mysql database scripts work with old mysql versions.
Hi Shankar,

On Thu, Oct 1, 2015 at 7:45 PM, Selvaratnam Uthaiyashankar <shan...@wso2.com> wrote:

> Normally, we should keep the compatibility with older versions.
>
> Is there any specific reason why you need up to microsecond precision for the timestamp?
>
By default MySQL supports seconds only. In Identity Server we started to persist session data with its updated timestamp, and retrieve the latest data object related to the given session. If only seconds are supported we get duplicate entries. In that case we have to go for fractional seconds in the timestamp, or will have to store it in another data type.

Thanks,
Ishara

> On Wed, Sep 30, 2015 at 10:35 PM, Ishara Karunarathna <isha...@wso2.com> wrote:
>
>> Hi all,
>>
>> For example, MySQL version 5.6.4 (released on February 5, 2013) onwards [1] supports fractional seconds for TIMESTAMP values, with up to microseconds (6 digits).
>>
>> But if we write scripts to use that feature they won't work with older versions.
>> So can we write scripts to work only with MySQL version 5.6.4 and later, or should we support old versions?
>>
>> Thanks,
>> Ishara
>>
>> [1] http://dev.mysql.com/doc/refman/5.6/en/mysql-nutshell.html#mysql-nutshell-additions
>> --
>> Ishara Karunarathna
>> Senior Software Engineer
>> WSO2 Inc. - lean . enterprise . middleware | wso2.com
>>
>> email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94717996791
>>
>
> --
> S.Uthaiyashankar
> VP Engineering
> WSO2 Inc.
> http://wso2.com/ - "lean . enterprise . middleware"
>
> Phone: +94 714897591
>
--
Ishara Karunarathna
Senior Software Engineer
WSO2 Inc. - lean . enterprise . middleware | wso2.com

email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94717996791

___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
Re: [Dev] Should mysql database scripts work with old mysql versions.
Hi Shankar,

On Thu, Oct 1, 2015 at 9:54 PM, Selvaratnam Uthaiyashankar <shan...@wso2.com> wrote:

> Is this support (fraction of second) there in other RDBMS (Oracle, MSSQL, etc.)? If it is only MySQL 5.6.4+, then we shouldn't use it IMO. If this support is there in all other RDBMS, then it should be ok.
>
I checked with Oracle, MSSQL, PostgreSQL, Informix and DB2. All support fractions of seconds.

Thanks,
Ishara

[1] http://docs.oracle.com/cd/B19306_01/server.102/b14200/sql_elements001.htm#i54330
[2] https://msdn.microsoft.com/en-us/library/ms187819.aspx
[3] http://www.postgresql.org/docs/9.1/static/datatype-datetime.html
[4] https://www-01.ibm.com/support/knowledgecenter/SSGU8G_12.1.0/com.ibm.sqlr.doc/ids_sqr_110.htm
[5] https://www-304.ibm.com/support/knowledgecenter/SSEPEK_10.0.0/com.ibm.db2z10.doc.intro/src/tpc/db2z_datetimetimestamp.dita

> On Thu, Oct 1, 2015 at 9:40 PM, Ishara Karunarathna <isha...@wso2.com> wrote:
>
>> Hi Shankar,
>>
>> On Thu, Oct 1, 2015 at 7:45 PM, Selvaratnam Uthaiyashankar <shan...@wso2.com> wrote:
>>
>>> Normally, we should keep the compatibility with older versions.
>>>
>>> Is there any specific reason why you need up to microsecond precision for the timestamp?
>>>
>> By default MySQL supports seconds only.
>> In Identity Server we started to persist session data with its updated timestamp, and retrieve the latest data object related to the given session.
>> If only seconds are supported we get duplicate entries. In that case we have to go for fractional seconds in the timestamp, or will have to store it in another data type.
>>
>> Thanks,
>> Ishara
>>
>>> On Wed, Sep 30, 2015 at 10:35 PM, Ishara Karunarathna <isha...@wso2.com> wrote:
>>>
>>>> Hi all,
>>>>
>>>> For example, MySQL version 5.6.4 (released on February 5, 2013) onwards [1] supports fractional seconds for TIMESTAMP values, with up to microseconds (6 digits).
>>>>
>>>> But if we write scripts to use that feature they won't work with older versions.
>>>> So can we write scripts to work only with MySQL version 5.6.4 and later, or should we support old versions?
>>>>
>>>> Thanks,
>>>> Ishara
>>>>
>>>> [1] http://dev.mysql.com/doc/refman/5.6/en/mysql-nutshell.html#mysql-nutshell-additions
>>>> --
>>>> Ishara Karunarathna
>>>> Senior Software Engineer
>>>> WSO2 Inc. - lean . enterprise . middleware | wso2.com
>>>>
>>>> email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94717996791
>>>>
>>>
>>> --
>>> S.Uthaiyashankar
>>> VP Engineering
>>> WSO2 Inc.
>>> http://wso2.com/ - "lean . enterprise . middleware"
>>>
>>> Phone: +94 714897591
>>>
>>
>> --
>> Ishara Karunarathna
>> Senior Software Engineer
>> WSO2 Inc. - lean . enterprise . middleware | wso2.com
>>
>> email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94717996791
>>
>
> --
> S.Uthaiyashankar
> VP Engineering
> WSO2 Inc.
> http://wso2.com/ - "lean . enterprise . middleware"
>
> Phone: +94 714897591
>
--
Ishara Karunarathna
Senior Software Engineer
WSO2 Inc. - lean . enterprise . middleware | wso2.com

email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94717996791
Re: [Dev] [IS] [DEV] Getting "localhost" as the saml2:Issuer in SAML authentication response
Hi Nadeesha,

In your cluster nodes, what are the MgtHostName and HostName values?

On Wed, Sep 30, 2015 at 11:53 AM, Rajith Vitharana <raji...@wso2.com> wrote:

> Hi Nadeesha,
>
> As I remember you need to change the issuer in the ResidentIDP config for this to work.
>
> Thanks,
>
> On Wed, Sep 30, 2015 at 11:48 AM, Nadeesha Meegoda <nadees...@wso2.com> wrote:
>
>> Hi IS team,
>>
>> I have configured a SAML SSO service provider (travelocity.com) in tenant mode (ymc.com). My IS is running in a cluster environment; it's https://mgt.is.wso2.com. When I was signing in to travelocity.com, in the SAML AuthnRequest the samlp:Issuer is as follows:
>>
>> travelocity@ymc.com
>>
>> However in the SAML Response to the authentication request the saml2:Issuer is as follows:
>>
>> <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">localhost</saml2:Issuer>
>>
>> May I know why the saml2:Issuer is localhost here? Do I need to do more configurations to get it right? Can anyone explain please?
>>
>> I have attached the full authentication request and response with the mail.
>>
>> Thanks
>>
>> --
>> *Nadeesha Meegoda*
>> Software Engineer - QA
>> WSO2 Inc.; http://wso2.com
>> lean.enterprise.middleware
>> email : nadees...@wso2.com
>> mobile: +94783639540
>>
>
> --
> Rajith Vitharana
>
> Software Engineer,
> WSO2 Inc. : wso2.com
> Mobile : +94715883223
> Blog : http://lankavitharana.blogspot.com/
>
--
Ishara Karunarathna
Senior Software Engineer
WSO2 Inc. - lean . enterprise . middleware | wso2.com

email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94717996791
[Dev] Should mysql database scripts work with old mysql versions.
Hi all,

For example, MySQL version 5.6.4 (released on February 5, 2013) onwards [1] supports fractional seconds for TIMESTAMP values, with up to microseconds (6 digits).

But if we write scripts to use that feature they won't work with older versions.
So can we write scripts to work only with MySQL version 5.6.4 and later, or should we support old versions?

Thanks,
Ishara

[1] http://dev.mysql.com/doc/refman/5.6/en/mysql-nutshell.html#mysql-nutshell-additions
--
Ishara Karunarathna
Senior Software Engineer
WSO2 Inc. - lean . enterprise . middleware | wso2.com

email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94717996791
Re: [Dev] [IS] - Single Sign out is not working when integrated with Google OpenID - Connect Authentication
Hi Nadeesha,

This is expected behavior. In this scenario not only SLO is involved, but also single login and federated authentication. The protocols involved here are SAML between travelocity.com and IS, and OIDC between IS and Google. In this scenario SLO works only over the applications logged in with IS. In that case, if you have a Google session in your browser you should be automatically logged in again.

Thanks,
Ishara

On Thu, Sep 17, 2015 at 6:29 PM, Nadeesha Meegoda <nadees...@wso2.com> wrote:

> Hi Hasinthi,
>
> It works fine when I log out from the Google account. But my concern is, is that the expected behavior of Single Logout? If so, when trying to sign in from the travelocity app, if we are sending a request to Google for authentication, why does the logout act differently? Why can't it send a request to Google for single logout? Clicking logout, in my point of view, is to log out from the application/session, and when trying to log in again Google credentials should be provided. Otherwise what is the point of the logout if the session stays persistent? Please clarify!
>
> On Thu, Sep 17, 2015 at 4:02 PM, Hasanthi Purnima Dissanayake <hasan...@wso2.com> wrote:
>
>> Hi Nadeesha,
>>
>> Once you log out from the travelocity app, please make sure to log out from the Google account too. Otherwise, if there is a session of the Google account it will automatically redirect to the travelocity app in the second attempt without asking for permission. Please let us know if you face the same issue even after logging out from the Google account too.
>>
>> Thanks.
>>
>> Hasanthi Dissanayake
>>
>> Software Engineer | WSO2
>>
>> E: hasan...@wso2.com
>> M :0718407133| http://wso2.com
>>
>> On Thu, Sep 17, 2015 at 2:57 PM, Nadeesha Meegoda <nadees...@wso2.com> wrote:
>>
>>> Hi,
>>>
>>> Followed the blog in [1] and configured Google as OpenID Connect IDP. Login to travelocity.com with SAML was successful with Google authentication. Also, when logout was clicked it directed to http://localhost:8080/travelocity.com/index.jsp from the home.jsp, so I thought the logout was successful. But when I tried to sign in with SAML again I got logged in automatically without asking for the Google authentication credentials. Have I missed some configurations?
>>>
>>> Note : I have enabled single logout in the SP I created and double checked the travelocity.properties file, and there also it is marked as true (SAML.EnableSLO=true). With the SAML tracer I monitored the logout but I couldn't see any request sent to Google, which I think is the issue.
>>>
>>> [1] - http://xacmlinfo.org/2014/12/02/621/
>>>
>>> Any help on the above is highly appreciated.
>>>
>>> Thank you
>>> --
>>> *Nadeesha Meegoda*
>>> Software Engineer - QA
>>> WSO2 Inc.; http://wso2.com
>>> lean.enterprise.middleware
>>> email : nadees...@wso2.com
>>> mobile: +94783639540
>>>
>>
>
> --
> *Nadeesha Meegoda*
> Software Engineer - QA
> WSO2 Inc.; http://wso2.com
> lean.enterprise.middleware
> email : nadees...@wso2.com
> mobile: +94783639540
>
--
Ishara Karunarathna
Senior Software Engineer
WSO2 Inc. - lean . enterprise . middleware | wso2.com

email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94717996791
Re: [Dev] OAuth2 support for Google spreadsheet API in DSS
Hi Rajith,

On Wed, Jul 29, 2015 at 11:48 AM, Rajith Vitharana <raji...@wso2.com> wrote:

> Hi All,
>
> We are in the process of implementing OAuth2 support for the Google Spreadsheets API. We have used google-api-client for this purpose (dependency is in [1]).
> We are going to give a tool so that the user can generate an Access token and Refresh token and store them in the DBS file. (Going to add the generation tool since Google doesn't let us use Refresh tokens generated by other clients.)
>
What are the validity periods of these refresh and access tokens? If the refresh token has a limited lifetime, this approach is also not going to work as you expected. In that case there should be a way to get a new token if the access token or refresh token has expired. You should even be able to handle token revocation scenarios.

Thanks,
Ishara

> We thought of only saving the Refresh token in the dbs file, since the Access token will expire after some time and it will make the dbs file contain wrong data. Our approach will be to request and get an access token at dbs deployment time using the refresh token we have.
>
> Will this approach be good to tackle the situation?
>
> [1] -
> <dependency>
>     <groupId>com.google.api-client</groupId>
>     <artifactId>google-api-client</artifactId>
>     <version>1.20.0</version>
> </dependency>
>
> Thanks,
> --
> Rajith Vitharana
>
> Software Engineer,
> WSO2 Inc. : wso2.com
> Mobile : +94715883223
> Blog : http://lankavitharana.blogspot.com/
>
--
Ishara Karunarathna
Senior Software Engineer
WSO2 Inc. - lean . enterprise . middleware | wso2.com

email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94717996791
Re: [Dev] OAuth2 support for Google spreadsheet API in DSS
Hi,

On Wed, Jul 29, 2015 at 4:47 PM, Rajith Vitharana <raji...@wso2.com> wrote:

> Hi Ishara,
>
> Thanks for the response. As per [1], [2], Google refresh tokens never expire; quoting the statement: "Refresh tokens are valid until the user revokes access. This field is only present if access_type=offline is included in the authorization code request". Normally access tokens expire in 60 mins. Furthermore, there is no password grant type in Google. So we have to go to the consent page to get the tokens. (Although there is a service account concept where we need a key to get access.)
>
In that case I think it's ok. But you will have to handle token revocations.

> [1] - https://developers.google.com/identity/protocols/OAuth2WebServer
> [2] - http://stackoverflow.com/questions/8953983/do-google-refresh-tokens-expire
>
> Thanks,
>
> On Wed, Jul 29, 2015 at 4:35 PM, Ishara Karunarathna <isha...@wso2.com> wrote:
>
>> Hi Rajith,
>>
>> On Wed, Jul 29, 2015 at 11:48 AM, Rajith Vitharana <raji...@wso2.com> wrote:
>>
>>> Hi All,
>>>
>>> We are in the process of implementing OAuth2 support for the Google Spreadsheets API. We have used google-api-client for this purpose (dependency is in [1]).
>>> We are going to give a tool so that the user can generate an Access token and Refresh token and store them in the DBS file. (Going to add the generation tool since Google doesn't let us use Refresh tokens generated by other clients.)
>>>
>> What are the validity periods of these refresh and access tokens? If the refresh token has a limited lifetime, this approach is also not going to work as you expected. In that case there should be a way to get a new token if the access token or refresh token has expired. You should even be able to handle token revocation scenarios.
>>
>> Thanks,
>> Ishara
>>
>>> We thought of only saving the Refresh token in the dbs file, since the Access token will expire after some time and it will make the dbs file contain wrong data. Our approach will be to request and get an access token at dbs deployment time using the refresh token we have.
>>>
>>> Will this approach be good to tackle the situation?
>>>
>>> [1] -
>>> <dependency>
>>>     <groupId>com.google.api-client</groupId>
>>>     <artifactId>google-api-client</artifactId>
>>>     <version>1.20.0</version>
>>> </dependency>
>>>
>>> Thanks,
>>> --
>>> Rajith Vitharana
>>>
>>> Software Engineer,
>>> WSO2 Inc. : wso2.com
>>> Mobile : +94715883223
>>> Blog : http://lankavitharana.blogspot.com/
>>>
>> --
>> Ishara Karunarathna
>> Senior Software Engineer
>> WSO2 Inc. - lean . enterprise . middleware | wso2.com
>>
>> email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94717996791
>>
> --
> Rajith Vitharana
>
> Software Engineer,
> WSO2 Inc. : wso2.com
> Mobile : +94715883223
> Blog : http://lankavitharana.blogspot.com/
>
--
Ishara Karunarathna
Senior Software Engineer
WSO2 Inc. - lean . enterprise . middleware | wso2.com

email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94717996791
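An added illustration of the token lifecycle discussed in this thread (refresh at deployment time, short-lived access tokens, revocation that must be surfaced), not code from DSS or google-api-client. The helper class and the in-memory stand-in for the token endpoint are hypothetical; `invalid_grant` is the RFC 6749 error code a token endpoint returns for a refresh token that is invalid or has been revoked.

```python
import time

# RFC 6749 section 5.2: the error a token endpoint returns when the refresh
# token is invalid, expired or revoked. A retry cannot fix it.
INVALID_GRANT = "invalid_grant"


class ReconsentRequired(Exception):
    """The stored refresh token no longer works; a person must go through the
    consent page again and a new refresh token must be stored."""


class RefreshingTokenSource:
    """Hypothetical helper: keeps the long-lived refresh token and hands out
    a valid access token, refreshing it shortly before it expires.

    token_endpoint: callable(dict) -> dict standing in for an HTTPS POST to
    the provider's token endpoint; injected so the example runs offline.
    """

    def __init__(self, refresh_token, token_endpoint, clock=time.time, skew=60):
        self._refresh_token = refresh_token
        self._endpoint = token_endpoint
        self._clock = clock
        self._skew = skew  # refresh this many seconds before expiry
        self._access_token = None
        self._expires_at = 0.0

    def access_token(self):
        now = self._clock()
        if self._access_token and now < self._expires_at - self._skew:
            return self._access_token  # still valid, no network call
        resp = self._endpoint({
            "grant_type": "refresh_token",
            "refresh_token": self._refresh_token,
        })
        if "error" in resp:
            self._access_token = None
            if resp["error"] == INVALID_GRANT:
                # Revoked or otherwise unusable: surface it instead of looping.
                raise ReconsentRequired(resp.get("error_description", INVALID_GRANT))
            raise RuntimeError("token refresh failed: %s" % resp["error"])
        self._access_token = resp["access_token"]
        self._expires_at = now + float(resp["expires_in"])
        return self._access_token


class FakeTokenEndpoint:
    """Constructed stand-in for the provider: issues 60-minute access tokens
    for a known refresh token until revoke() is called."""

    def __init__(self, refresh_token):
        self._valid = {refresh_token}
        self.calls = 0

    def __call__(self, params):
        self.calls += 1
        if params.get("grant_type") != "refresh_token":
            return {"error": "unsupported_grant_type"}
        if params.get("refresh_token") not in self._valid:
            return {"error": INVALID_GRANT, "error_description": "Token has been revoked."}
        return {"access_token": "at-%d" % self.calls, "expires_in": 3600,
                "token_type": "Bearer"}

    def revoke(self, refresh_token):
        self._valid.discard(refresh_token)


def scenario():
    """Deployment-time refresh, reuse within the hour, refresh after expiry,
    then revocation. Returns what each stage observed."""
    clock = [1_000_000.0]  # fake clock in seconds, advanced by hand
    endpoint = FakeTokenEndpoint("rt-constructed")
    source = RefreshingTokenSource("rt-constructed", endpoint, clock=lambda: clock[0])

    first = source.access_token()       # deployment: one refresh call
    clock[0] += 30 * 60
    reused = source.access_token()      # 30 min later: cached, no call
    clock[0] += 31 * 60
    renewed = source.access_token()     # past 60 min: refreshed again
    endpoint.revoke("rt-constructed")
    clock[0] += 3600
    try:
        source.access_token()
        revoked = "still-works"
    except ReconsentRequired:
        revoked = "reconsent-required"
    return first, reused, renewed, revoked, endpoint.calls


if __name__ == "__main__":
    print(scenario())  # ('at-1', 'at-1', 'at-2', 'reconsent-required', 3)
```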
Re: [Dev] User profile management - getNameAssociatedWith
Hi Suhan,

On Fri, Jul 17, 2015 at 10:41 AM, Suhan Dharmasuriya <suh...@wso2.com> wrote:

> Hi Ishara,
>
> Thank you for the guidance. Is it necessary to set the same resident IDP certificate to the IDP that we are creating [1] [@109]? If not, will it affect the retrieval of the Associated name functionality?
>
There shouldn't be an effect of the certificate on the Associated ID functionality. I'm not clear what you are going to do. Better if you explain what you are going to do here.

> I'm trying to get the resident IDP in App Server but unable to do so. Therefore when creating the new IDP, I tried setting up a dummy certificate value, BASE64 encoded.
>
> [1] https://github.com/wso2/product-is/blob/7c3cbe328ea37ecbbee995a9528d4de44495e633/modules/integration/tests-integration/tests-backend/src/test/java/org/wso2/identity/integration/test/identity/mgt/IdentityProviderMgtServiceTestCase.java
>
> Thanks,
> Suhan
>
> On Wed, Jul 15, 2015 at 6:07 PM, Ishara Karunarathna <isha...@wso2.com> wrote:
>
>> Hi,
>>
>> On Wed, Jul 15, 2015 at 5:46 PM, Suhan Dharmasuriya <suh...@wso2.com> wrote:
>>
>>> Hi,
>>>
>>> What is the functionality of $subject?
>>>
>> If you did an account association, by sending the Associated IDP and Associated subject ID you can get the associated user's (who exists in the user store) user name.
>>
>> Thanks,
>> Ishara
>>
>>> I'm observing this operation inside UserProfileMgtService [1] when admin services are exposed in the App Server latest build. I have added an IdP with basic details [2].
>>>
>>> <mgt:identityProvider>
>>>   <xsd:alias>https://localhost:9443/oauth2/token/</xsd:alias>
>>>   <xsd:certificate>BASE64 encoded String goes here</xsd:certificate>
>>>   <xsd:displayName>Sample IdP</xsd:displayName>
>>>   <xsd:enable>true</xsd:enable>
>>>   <xsd:federationHub>false</xsd:federationHub>
>>>   <xsd:homeRealmId>localhost</xsd:homeRealmId>
>>>   <xsd:identityProviderDescription>Sample Description</xsd:identityProviderDescription>
>>>   <xsd:identityProviderName>TestIdP</xsd:identityProviderName>
>>>   <xsd:primary>true</xsd:primary>
>>>   <xsd:provisioningRole>test</xsd:provisioningRole>
>>> </mgt:identityProvider>
>>>
>>> After performing the associateID operation, I tried to call getNameAssociatedWith through my custom client but I am getting a null object. The relevant SQL is as follows [3].
>>>
>>> sql = "SELECT DOMAIN_NAME, USER_NAME FROM IDN_ASSOCIATED_ID WHERE TENANT_ID = ? AND IDP_ID = (SELECT ID "
>>>         + "FROM IDP WHERE NAME = ? AND TENANT_ID = ?) AND IDP_USER_ID = ?";
>>>
>>> [1] https://localhost:9443/services/UserProfileMgtService?wsdl
>>> [2] https://github.com/wso2/carbon-identity/blob/master/components/idp-mgt/org.wso2.carbon.idp.mgt/src/main/java/org/wso2/carbon/idp/mgt/IdentityProviderManagementService.java
>>> [3] https://github.com/wso2/carbon-identity/blob/master/components/user-mgt/org.wso2.carbon.identity.user.profile/src/main/java/org/wso2/carbon/identity/user/profile/mgt/UserProfileAdmin.java
>>>
>>> Thanks,
>>> Suhan
>>>
>>> --
>>> Suhan Dharmasuriya
>>> Software Engineer - Test Automation
>>> *WSO2, Inc. *
>>> lean . enterprise . middleware
>>> Tel: +94 112 145345
>>> Mob: +94 779 869138
>>> Blog: http://suhan-opensource.blogspot.com/
>>>
>> --
>> Ishara Karunarathna
>> Senior Software Engineer
>> WSO2 Inc. - lean . enterprise . middleware | wso2.com
>>
>> email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94717996791
>>
> --
> Suhan Dharmasuriya
> Software Engineer - Test Automation
> *WSO2, Inc. *
> lean . enterprise . middleware
> Tel: +94 112 145345
> Mob: +94 779 869138
> Blog: http://suhan-opensource.blogspot.com/
>
--
Ishara Karunarathna
Senior Software Engineer
WSO2 Inc. - lean . enterprise . middleware | wso2.com

email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94717996791
Re: [Dev] User profile management - getNameAssociatedWith
Hi,

On Fri, Jul 17, 2015 at 4:00 PM, Suhan Dharmasuriya <suh...@wso2.com> wrote:

> Hi Ishara,
>
> The scenario I'm trying is as follows. I'm trying to test the associated ID functionality regarding the UserProfileMgtService in App Server. Therefore to test the same I have to create an IDP first with basic details. I have successfully tested the following operations.
>
> 1. associateID
> 2. getAssociatedIDs
> 3. removeAssociateID
>
> However I'm unable to get a value with getNameAssociatedWith. I have logged in to my AuthenticatorClient using the default admin credentials.
>
> Can you please provide some related documentation or an article regarding the associated ID functionality?
>
You will find it here [1].

[1] http://daytodayjava.blogspot.com/2015/04/manage-user-account-associations.html

> I would like to further analyse this scenario in depth.
>
> Thanks,
> Suhan
>
> On Fri, Jul 17, 2015 at 12:05 PM, Ishara Karunarathna <isha...@wso2.com> wrote:
>
>> Hi Suhan,
>>
>> On Fri, Jul 17, 2015 at 10:41 AM, Suhan Dharmasuriya <suh...@wso2.com> wrote:
>>
>>> Hi Ishara,
>>>
>>> Thank you for the guidance. Is it necessary to set the same resident IDP certificate to the IDP that we are creating [1] [@109]? If not, will it affect the retrieval of the Associated name functionality?
>>>
>> There shouldn't be an effect of the certificate on the Associated ID functionality. I'm not clear what you are going to do. Better if you explain what you are going to do here.
>>
>>> I'm trying to get the resident IDP in App Server but unable to do so. Therefore when creating the new IDP, I tried setting up a dummy certificate value, BASE64 encoded.
>>>
>>> [1] https://github.com/wso2/product-is/blob/7c3cbe328ea37ecbbee995a9528d4de44495e633/modules/integration/tests-integration/tests-backend/src/test/java/org/wso2/identity/integration/test/identity/mgt/IdentityProviderMgtServiceTestCase.java
>>>
>>> Thanks,
>>> Suhan
>>>
>>> On Wed, Jul 15, 2015 at 6:07 PM, Ishara Karunarathna <isha...@wso2.com> wrote:
>>>
>>>> Hi,
>>>>
>>>> On Wed, Jul 15, 2015 at 5:46 PM, Suhan Dharmasuriya <suh...@wso2.com> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> What is the functionality of $subject?
>>>>>
>>>> If you did an account association, by sending the Associated IDP and Associated subject ID you can get the associated user's (who exists in the user store) user name.
>>>>
>>>> Thanks,
>>>> Ishara
>>>>
>>>>> I'm observing this operation inside UserProfileMgtService [1] when admin services are exposed in the App Server latest build. I have added an IdP with basic details [2].
>>>>>
>>>>> <mgt:identityProvider>
>>>>>   <xsd:alias>https://localhost:9443/oauth2/token/</xsd:alias>
>>>>>   <xsd:certificate>BASE64 encoded String goes here</xsd:certificate>
>>>>>   <xsd:displayName>Sample IdP</xsd:displayName>
>>>>>   <xsd:enable>true</xsd:enable>
>>>>>   <xsd:federationHub>false</xsd:federationHub>
>>>>>   <xsd:homeRealmId>localhost</xsd:homeRealmId>
>>>>>   <xsd:identityProviderDescription>Sample Description</xsd:identityProviderDescription>
>>>>>   <xsd:identityProviderName>TestIdP</xsd:identityProviderName>
>>>>>   <xsd:primary>true</xsd:primary>
>>>>>   <xsd:provisioningRole>test</xsd:provisioningRole>
>>>>> </mgt:identityProvider>
>>>>>
>>>>> After performing the associateID operation, I tried to call getNameAssociatedWith through my custom client but I am getting a null object. The relevant SQL is as follows [3].
>>>>>
>>>>> sql = "SELECT DOMAIN_NAME, USER_NAME FROM IDN_ASSOCIATED_ID WHERE TENANT_ID = ? AND IDP_ID = (SELECT ID "
>>>>>         + "FROM IDP WHERE NAME = ? AND TENANT_ID = ?) AND IDP_USER_ID = ?";
>>>>>
>>>>> [1] https://localhost:9443/services/UserProfileMgtService?wsdl
>>>>> [2] https://github.com/wso2/carbon-identity/blob/master/components/idp-mgt/org.wso2.carbon.idp.mgt/src/main/java/org/wso2/carbon/idp/mgt/IdentityProviderManagementService.java
>>>>> [3] https://github.com/wso2/carbon-identity/blob/master/components/user-mgt/org.wso2.carbon.identity.user.profile/src/main/java/org/wso2/carbon/identity/user/profile/mgt/UserProfileAdmin.java
>>>>>
>>>>> Thanks,
>>>>> Suhan
>>>>>
>>>>> --
>>>>> Suhan Dharmasuriya
>>>>> Software Engineer - Test Automation
>>>>> *WSO2, Inc. *
>>>>> lean . enterprise . middleware
>>>>> Tel: +94 112 145345
>>>>> Mob: +94 779 869138
>>>>> Blog: http://suhan-opensource.blogspot.com/
>>>>>
>>>> --
>>>> Ishara Karunarathna
>>>> Senior Software Engineer
>>>> WSO2 Inc. - lean . enterprise . middleware | wso2.com
>>>>
>>>> email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94717996791
>>>>
>>> --
>>> Suhan Dharmasuriya
>>> Software Engineer - Test Automation
>>> *WSO2, Inc. *
>>> lean . enterprise . middleware
>>> Tel: +94 112 145345
>>> Mob: +94 779 869138
>>> Blog: http://suhan-opensource.blogspot.com/
>>>
>> --
>> Ishara Karunarathna
>> Senior Software Engineer
>> WSO2 Inc. - lean . enterprise . middleware | wso2.com
>>
>> email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94717996791
>>
> --
> Suhan Dharmasuriya
> Software Engineer - Test Automation
> *WSO2, Inc. *
> lean . enterprise . middleware
> Tel: +94 112 145345
> Mob: +94 779 869138
> Blog: http://suhan-opensource.blogspot.com/
>
--
Ishara Karunarathna
Senior Software Engineer
WSO2 Inc. - lean
Re: [Dev] User profile management - getNameAssociatedWith
Hi,

On Wed, Jul 15, 2015 at 5:46 PM, Suhan Dharmasuriya suh...@wso2.com wrote:
> Hi,
>
> What is the functionality of $subject?

If you did an account association, then by sending the associated IdP and the associated subject ID you can get the associated user's (who exists in the user store) user name.

Thanks,
Ishara

> I'm observing this operation inside UserProfileMgtService [1] when admin services are exposed in the App Server latest build.
>
> I have added an IdP with basic details [2].
>
> <mgt:identityProvider>
>   <xsd:alias>https://localhost:9443/oauth2/token/</xsd:alias>
>   <xsd:certificate>BASE64 encoded String goes here</xsd:certificate>
>   <xsd:displayName>Sample IdP</xsd:displayName>
>   <xsd:enable>true</xsd:enable>
>   <xsd:federationHub>false</xsd:federationHub>
>   <xsd:homeRealmId>localhost</xsd:homeRealmId>
>   <xsd:identityProviderDescription>Sample Description</xsd:identityProviderDescription>
>   <xsd:identityProviderName>TestIdP</xsd:identityProviderName>
>   <xsd:primary>true</xsd:primary>
>   <xsd:provisioningRole>test</xsd:provisioningRole>
> </mgt:identityProvider>
>
> After performing the associateID operation, I tried to call getNameAssociatedWith through my custom client but am getting a null object.
>
> The relevant SQL is as follows [3].
>
> sql = "SELECT DOMAIN_NAME, USER_NAME FROM IDN_ASSOCIATED_ID WHERE TENANT_ID = ? AND IDP_ID = (SELECT ID FROM IDP WHERE NAME = ? AND TENANT_ID = ?) AND IDP_USER_ID = ?";
>
> [1] https://localhost:9443/services/UserProfileMgtService?wsdl
> [2] https://github.com/wso2/carbon-identity/blob/master/components/idp-mgt/org.wso2.carbon.idp.mgt/src/main/java/org/wso2/carbon/idp/mgt/IdentityProviderManagementService.java
> [3] https://github.com/wso2/carbon-identity/blob/master/components/user-mgt/org.wso2.carbon.identity.user.profile/src/main/java/org/wso2/carbon/identity/user/profile/mgt/UserProfileAdmin.java
>
> Thanks,
> Suhan
>
> --
> Suhan Dharmasuriya
> Software Engineer - Test Automation
> WSO2, Inc. - lean . enterprise . middleware
> Tel: +94 112 145345
> Mob: +94 779 869138
> Blog: http://suhan-opensource.blogspot.com/

--
Ishara Karunarathna
Senior Software Engineer
WSO2 Inc. - lean . enterprise . middleware | wso2.com
email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94717996791

___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
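As an added example (not the thread's or WSO2's code) of what the quoted getNameAssociatedWith query needs in order to return a row, the lookup below runs against an in-memory SQLite copy of the two tables it touches; the column lists and all rows are constructed for the demo, and only the query text and the order of its four bind parameters come from the thread. Every input (tenant, IdP NAME as registered, not its display name, and the federated subject) has to match the association that was created, otherwise the client sees a null.

```python
"""Added example (not WSO2 or the thread's code): the getNameAssociatedWith lookup
quoted above, run against an in-memory SQLite copy of the two tables it touches.
Column lists and all rows are constructed for the demo; only the query text and the
order of its four bind parameters come from the thread."""
import sqlite3
from typing import Optional, Tuple

SUPER_TENANT_ID = -1234  # WSO2 Carbon super tenant id, used here as the sample tenant

# Query quoted in the thread; placeholders bind as (tenant_id, idp_name, tenant_id, idp_user_id).
GET_NAME_ASSOCIATED_WITH = (
    "SELECT DOMAIN_NAME, USER_NAME FROM IDN_ASSOCIATED_ID "
    "WHERE TENANT_ID = ? "
    "AND IDP_ID = (SELECT ID FROM IDP WHERE NAME = ? AND TENANT_ID = ?) "
    "AND IDP_USER_ID = ?"
)


def build_sample_db() -> sqlite3.Connection:
    """Constructed data: 'TestIdP' registered in two tenants, one association in the super tenant."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE IDP (
            ID INTEGER PRIMARY KEY,
            TENANT_ID INTEGER NOT NULL,
            NAME TEXT NOT NULL
        );
        CREATE TABLE IDN_ASSOCIATED_ID (
            ID INTEGER PRIMARY KEY,
            IDP_USER_ID TEXT NOT NULL,
            TENANT_ID INTEGER NOT NULL,
            IDP_ID INTEGER NOT NULL REFERENCES IDP(ID),
            DOMAIN_NAME TEXT NOT NULL,
            USER_NAME TEXT NOT NULL
        );
        """
    )
    conn.execute("INSERT INTO IDP VALUES (1, ?, 'TestIdP')", (SUPER_TENANT_ID,))
    conn.execute("INSERT INTO IDP VALUES (2, 1, 'TestIdP')")  # same NAME, another tenant
    conn.execute(
        "INSERT INTO IDN_ASSOCIATED_ID VALUES (1, 'suhan@testidp', ?, 1, 'PRIMARY', 'suhan')",
        (SUPER_TENANT_ID,),
    )
    return conn


def get_name_associated_with(conn, tenant_id, idp_name, idp_user_id) -> Optional[Tuple[str, str]]:
    """Run the lookup with bound parameters (never string-formatted into the SQL).
    Returns (DOMAIN_NAME, USER_NAME), or None when the tenant, the IdP NAME or the
    federated subject does not match an association row."""
    row = conn.execute(
        GET_NAME_ASSOCIATED_WITH, (tenant_id, idp_name, tenant_id, idp_user_id)
    ).fetchone()
    return (row[0], row[1]) if row else None


def associated_local_user(conn, tenant_id, idp_name, idp_user_id) -> Optional[str]:
    """Domain-qualified local user name, e.g. 'PRIMARY/suhan', or None."""
    found = get_name_associated_with(conn, tenant_id, idp_name, idp_user_id)
    return None if found is None else f"{found[0]}/{found[1]}"


if __name__ == "__main__":
    db = build_sample_db()
    # All four arguments match the association that was created.
    print(associated_local_user(db, SUPER_TENANT_ID, "TestIdP", "suhan@testidp"))    # PRIMARY/suhan
    # Any single mismatch yields None, which a client sees as a null object.
    print(associated_local_user(db, 1, "TestIdP", "suhan@testidp"))                 # None: other tenant
    print(associated_local_user(db, SUPER_TENANT_ID, "Sample IdP", "suhan@testidp"))  # None: displayName, not NAME
    print(associated_local_user(db, SUPER_TENANT_ID, "TestIdP", "SUHAN@testidp"))   # None: subject compare is case-sensitive
```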
Re: [Dev] [ES] Configuring a New Key store in ES 2.0 with SSO enabled via IS 5.0
Hi,

On Mon, Jul 13, 2015 at 6:44 PM, Nadeesha Meegoda nadees...@wso2.com wrote:
> Hi all,
>
> I have a concern regarding the steps followed when configuring a new key store in ES where ES authenticates via IS.

I think you have configured SSO with SAML.

> These are the steps followed:
>
> 1. Created a key store for ES, imported the key to the client trust store in ES
> 2. Configured ES to work with the new key store
> 3. Added the ES key to the IS client trust store - note that IS has the default wso2carbon.jks

Here you have created a new keystore and imported your public key to your existing client-truststore.jks. And for the SSO scenario to work, you will have to import the public cert of IS to your new keystore.

Thanks,
Ishara

> We thought following the above steps would be enough for the key store configuration, since ES has the default wso2carbon.jks imported to its client trust store anyway. However, ES login via IS was not successful due to *not* having the IS public key details imported into the key that I created in ES. So ultimately the data decryption didn't happen successfully.
>
> My concern is that all the third party public keys should be imported into the client trust store, not into the main key itself. What we do here is import the IS public key details into the main key of ES.
>
> My question is: do we need to follow all the above along with importing the IS public key into the main key of ES, or would steps 1, 2, 3 be enough for the new key store to work?
>
> Thanks & Regards,
> Nadeesha
>
> --
> Nadeesha Meegoda
> Software Engineer - QA
> WSO2 Inc.; http://wso2.com
> lean.enterprise.middleware
> email : nadees...@wso2.com
> mobile: +94783639540

--
Ishara Karunarathna
Senior Software Engineer
WSO2 Inc. - lean . enterprise . middleware | wso2.com
email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94717996791
Re: [Dev] [ES] Configuring a New Key store in ES 2.0 with SSO enabled via IS 5.0
On Tue, Jul 14, 2015 at 9:59 AM, Pavithra Madurangi pavit...@wso2.com wrote:
> On Tue, Jul 14, 2015 at 9:52 AM, Ishara Karunarathna isha...@wso2.com wrote:
>> Hi,
>>
>> On Mon, Jul 13, 2015 at 6:44 PM, Nadeesha Meegoda nadees...@wso2.com wrote:
>>> Hi all,
>>>
>>> I have a concern regarding the steps followed when configuring a new key store in ES where ES authenticates via IS.
>>
>> I think you have configured SSO with SAML.
>>
>>> These are the steps followed:
>>>
>>> 1. Created a key store for ES, imported the key to the client trust store in ES
>>> 2. Configured ES to work with the new key store
>>> 3. Added the ES key to the IS client trust store - note that IS has the default wso2carbon.jks
>>
>> Here you have created a new keystore and imported your public key to your existing client-truststore.jks. And for the SSO scenario to work, you will have to import the public cert of IS to your new keystore.
>
> Normally we add certificates from other parties that we expect to communicate with to the trust store (the trust store of ES in this case). So instead of doing so, why do we have to add it to the key store of ES?

For SSL communication, yes, we add trusted public keys to client-truststore.jks. But in this case we keep IdP public keys in our main keystore.

Thanks,
Ishara

>> Thanks,
>> Ishara
>>
>>> We thought following the above steps would be enough for the key store configuration, since ES has the default wso2carbon.jks imported to its client trust store anyway. However, ES login via IS was not successful due to *not* having the IS public key details imported into the key that I created in ES. So ultimately the data decryption didn't happen successfully.
>>>
>>> My concern is that all the third party public keys should be imported into the client trust store, not into the main key itself. What we do here is import the IS public key details into the main key of ES.
>>>
>>> My question is: do we need to follow all the above along with importing the IS public key into the main key of ES, or would steps 1, 2, 3 be enough for the new key store to work?
>>>
>>> Thanks & Regards,
>>> Nadeesha
>>>
>>> --
>>> Nadeesha Meegoda
>>> Software Engineer - QA
>>> WSO2 Inc.; http://wso2.com
>>> lean.enterprise.middleware
>>> email : nadees...@wso2.com
>>> mobile: +94783639540
>>
>> --
>> Ishara Karunarathna
>> Senior Software Engineer
>> WSO2 Inc. - lean . enterprise . middleware | wso2.com
>> email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94717996791
>
> --
> Pavithra Madurangi
> Associate Technical Lead - QA.
> WSO2 Inc.: http://wso2.com/
> Mobile: 0777207357 / 0112747089

--
Ishara Karunarathna
Senior Software Engineer
WSO2 Inc. - lean . enterprise . middleware | wso2.com
email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94717996791
Re: [Dev] Please merge PR #280
Hi,

Added some changes. Please merge this too.
https://github.com/wso2/carbon4-kernel/pull/281

On Mon, Jul 6, 2015 at 12:51 PM, Johann Nallathamby joh...@wso2.com wrote:
> Merged. Thanks.
>
> On Mon, Jul 6, 2015 at 11:58 AM, Ishara Karunarathna isha...@wso2.com wrote:
>> Hi,
>>
>> $subject pls for [1]
>>
>> Thanks,
>> Ishara
>>
>> [1] https://github.com/wso2/carbon4-kernel/pull/280
>>
>> --
>> Ishara Karunarathna
>> Senior Software Engineer
>> WSO2 Inc. - lean . enterprise . middleware | wso2.com
>> email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94717996791
>
> --
> Thanks & Regards,
> Johann Dilantha Nallathamby
> Technical Lead
> Product Lead of WSO2 Identity Server
> Integration Technologies Team
> WSO2, Inc.
> lean.enterprise.middleware
> Mobile - +9476950
> Blog - http://nallaa.wordpress.com

--
Ishara Karunarathna
Senior Software Engineer
WSO2 Inc. - lean . enterprise . middleware | wso2.com
email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94717996791
[Dev] Please merge PR #263
Hi,

$subject pls for [1]

Apart from this, there is a set of pull requests created by the IS team; better to merge those as well.

Thanks,
Ishara

[1] https://github.com/wso2/carbon4-kernel/pull/263

--
Ishara Karunarathna
Senior Software Engineer
WSO2 Inc. - lean . enterprise . middleware | wso2.com
email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94717996791
Re: [Dev] Visibility of Internal Roles for the tenant admins
Hi,

On Fri, Jun 26, 2015 at 5:01 PM, Bhathiya Jayasekara bhath...@wso2.com wrote:
> Hi Tanya,
>
> On Fri, Jun 26, 2015 at 4:44 PM, Tanya Madurapperuma ta...@wso2.com wrote:
>> Hi,
>>
>> In products like ES and APIM we have a set of internal roles such as internal/publisher, internal/store, internal/reviewer etc. that come by default. These roles are visible when we log into the super tenant. But if we create a tenant and log in to that tenant from the management console as the tenant admin, those internal roles are not visible to the tenant admin. Is this the desired behaviour?
>
> Yes, roles belong to a particular tenant.
>
>> If so, is it the responsibility of the tenant admin to create those roles manually and assign the appropriate permission to that role?
>
> You can automate that by writing a tenant loading listener by extending AbstractAxis2ConfigurationContextObserver.

I think it's better to use TenantMgtListener to do this.

Thanks,
Ishara

> Thanks,
> Bhathiya
>
>> Appreciate any insight.
>>
>> Thanks,
>> Tanya
>>
>> --
>> Tanya Madurapperuma
>> Senior Software Engineer, WSO2 Inc. : wso2.com
>> Mobile : +94718184439
>> Blog : http://tanyamadurapperuma.blogspot.com
>
> --
> Bhathiya Jayasekara
> Senior Software Engineer,
> WSO2 inc., http://wso2.com
> Phone: +94715478185
> LinkedIn: http://www.linkedin.com/in/bhathiyaj
> Twitter: https://twitter.com/bhathiyax
> Blog: http://movingaheadblog.blogspot.com

--
Ishara Karunarathna
Senior Software Engineer
WSO2 Inc. - lean . enterprise . middleware | wso2.com
email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94717996791
Re: [Dev] Please fix IDENTITY-3338
Hi,

Will check on this.

Thanks,
Ishara

On Mon, Jun 8, 2015 at 2:33 PM, Tanya Madurapperuma ta...@wso2.com wrote:
> Hi IS team,
>
> We have faced the following issue in ES [1] and it is affecting the ES beta release. We were able to reproduce the same issue in IS as well [2]. Appreciate it if you could fix [2] at your earliest possible.
>
> [1] https://wso2.org/jira/browse/STORE-744
> [2] https://wso2.org/jira/browse/IDENTITY-3338
>
> Thanks,
> Tanya
>
> --
> Tanya Madurapperuma
> Senior Software Engineer, WSO2 Inc. : wso2.com
> Mobile : +94718184439
> Blog : http://tanyamadurapperuma.blogspot.com

--
Ishara Karunarathna
Senior Software Engineer
WSO2 Inc. - lean . enterprise . middleware | wso2.com
email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94717996791
Re: [Dev] OAuth issues
[2015-05-15 20:49:33,887] ERROR {JAGGERY.site.blocks.subscription.subscription-add.ajax.subscription-add:jag} - org.wso2.carbon.apimgt.api.APIManagementException: Exception occurred while trying to invoke service method renewAccessToken

Thanks,
Lakshitha Harshan
Software Engineer
Mobile: +94724423048
Email: hars...@wso2.com
Blog : http://harshanliyanage.blogspot.com/
WSO2, Inc. : wso2.com
lean.enterprise.middleware.

--
Prabath Abeysekara
Technical Lead
WSO2 Inc.
Email: praba...@wso2.com
Mobile: +94774171471

--
/sumedha
m: +94 773017743
b : bit.ly/sumedha

--
Ishara Karunarathna
Senior Software Engineer
WSO2 Inc. - lean . enterprise . middleware | wso2.com
email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94717996791
Re: [Dev] (no subject)
Hi Suharsha,

Welcome to the list.

For a beginning, it's better to get some understanding of OAuth and try out sample scenarios with that. Then go through the specifications attached to the proposal 7 description [1].

You can download the WSO2 Identity Server [2]. Documentation on OAuth concepts [3]. Try out the OAuth sample.

Thanks,
Ishara

[1] http://wso2.com/products/identity-server/
[2] https://docs.wso2.com/display/IS500/OAuth+Concepts
[3] https://docs.wso2.com/display/IS450/OAuth+2.0+Playground+with+WSO2+Identity+Server

On Wed, Feb 18, 2015 at 6:44 AM, Suharsha fonseka suharshafonsek...@gmail.com wrote:
> Hi,
>
> I am Suharsha Fonseka. I am currently an undergraduate student of the Informatics Institute of Technology (IIT). I would like to work on project proposal 07, User-Managed Access (UMA) Profile for OAuth2, and I want some guidance to work on the project.
>
> Thanks,
> Suharsha Fonseka

--
Ishara Karunarathna
Senior Software Engineer
WSO2 Inc. - lean . enterprise . middleware | wso2.com
email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94 718211678
Re: [Dev] Importing users with attribute values into JDBC user store using Bulk Import Users feature in WSO2 identity server
Hi Nuwan,

Using a CSV file you can't set user attributes other than the user name. But you can get this done via SCIM bulk import support; [1] will give you more info on that.

Thanks,
Ishara

[1] https://malalanayake.wordpress.com/2013/05/28/scim-bulk-endpoint-operations-in-wso2-identity-server/

On Thu, Jan 22, 2015 at 4:48 PM, Nuwan Wimalasekara nuw...@wso2.com wrote:
> Hi IS Team,
>
> I want to import users which are in a CSV file into the JDBC user store in IS. However, the sample CSV file I found has only two fields (username, password). But users have more attribute values with them. So is anyone aware of the CSV file format with user attribute values, and is it possible to import users with attribute values with the Bulk Import Users feature?
>
> Thanks,
> Nuwanw
>
> --
> Nuwan Wimalasekara
> Senior Software Engineer - Test Automation
> WSO2, Inc.: http://wso2.com
> lean. enterprise. middleware
> phone: +94 71 668 4620

--
Ishara Karunarathna
Senior Software Engineer
WSO2 Inc. - lean . enterprise . middleware | wso2.com
email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94 718211678
Re: [Dev] WSO2 Committers += Sewwandhi Perera
Congratz Sewwandi.

On Tue, Sep 16, 2014 at 11:26 PM, Ramith Jayasinghe ram...@wso2.com wrote:
> Hi Sewwandhi,
>
> Congratulations! It is with great pleasure that we welcome you as a WSO2 committer. Keep up the good work!
>
> thanks and best regards,
>
> --
> Ramith Jayasinghe
> Technical Lead
> WSO2 Inc., http://wso2.com
> lean.enterprise.middleware
> E: ram...@wso2.com
> P: +94 777542851

--
Ishara Karunarathna
Senior Software Engineer
WSO2 Inc. - lean . enterprise . middleware | wso2.com
email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94 718211678
Re: [Dev] [SCIM User, Group filtering syntaxes are different than specification]
Hi,

On Mon, Sep 15, 2014 at 10:16 AM, Gayan Gunawardana ga...@wso2.com wrote:
> Hi,
>
> According to the current SCIM implementation of WSO2 Identity Server (IS 5.0), the user and group filtering commands will be [1]
>
> curl -v -k --user admin:admin https://localhost:9443/wso2/scim/Users?filter=userNameEqadam
> curl -v -k --user admin:admin https://localhost:9443/wso2/scim/Groups?filter=displayNameEqengineer
>
> But the specification [2] expects something like filter=userName Eq john

+1. We only support filtering with equal; if you have time, it's better to implement contains too.

Thanks,
Ishara

> The same issue was reported here too [3]. Shall we fix that according to the specification in future releases? WDYT?
>
> [1] https://docs.wso2.com/display/IS500/WSO2+Identity+Server+as+a+SCIM+Service+Provider
> [2] http://www.simplecloud.info/specs/draft-scim-api-01.html#query-resources
> [3] http://stackoverflow.com/questions/19992960/wso2-identity-server-scim-filtering
>
> --
> Gayan Gunawardana
> Software Engineer; WSO2 Inc.; http://wso2.com/
> Email: ga...@wso2.com
> Mobile: +94 (71) 8020933

--
Ishara Karunarathna
Senior Software Engineer
WSO2 Inc. - lean . enterprise . middleware | wso2.com
email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94 718211678
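The filter syntax the thread compares against, as an added example that is not WSO2/Charon code: a small parser for the SCIM 1.1 form `attribute operator value` (operators case-insensitive, value optionally double-quoted, `pr` taking no value), applied to a constructed list of users and groups. It also implements `co` (contains), which the reply above asks for, and rejects the run-together form shown in [1] (filter=userNameEqadam) as a syntax error rather than guessing where the operator is.

```python
"""Added example (not WSO2/Charon code): parse SCIM 1.1 filter expressions of the
form `attribute operator [value]` and apply them to constructed sample resources."""
import re
from typing import Any, Callable, Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Comparison operators of draft-scim-api-01; 'pr' (present) is handled separately.
_OPERATORS: Dict[str, Callable[[str, str], bool]] = {
    "eq": lambda actual, wanted: actual == wanted,
    "co": lambda actual, wanted: wanted in actual,           # contains
    "sw": lambda actual, wanted: actual.startswith(wanted),  # starts with
    "gt": lambda actual, wanted: actual > wanted,
    "ge": lambda actual, wanted: actual >= wanted,
    "lt": lambda actual, wanted: actual < wanted,
    "le": lambda actual, wanted: actual <= wanted,
}

# attribute, whitespace, two-letter operator, optional whitespace-separated value.
_FILTER_RE = re.compile(
    r'^\s*(?P<attr>[A-Za-z][\w.:]*)\s+(?P<op>[A-Za-z]{2})(?:\s+(?P<value>"[^"]*"|\S+))?\s*$'
)


class FilterSyntaxError(ValueError):
    """Raised for an expression that is not 'attribute operator [value]'."""


def parse_filter(expression: str) -> Tuple[str, str, Optional[str]]:
    """Return (attribute, operator, value); value is None for 'pr'."""
    match = _FILTER_RE.match(expression)
    if match is None:
        raise FilterSyntaxError(f"not a SCIM filter: {expression!r}")
    attr, op, value = match.group("attr"), match.group("op").lower(), match.group("value")
    if op == "pr":
        if value is not None:
            raise FilterSyntaxError("'pr' takes no value")
        return attr, op, None
    if op not in _OPERATORS:
        raise FilterSyntaxError(f"unknown operator {op!r}")
    if value is None:
        raise FilterSyntaxError(f"operator {op!r} needs a value")
    if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
        value = value[1:-1]  # quoted form: userName eq "john"
    return attr, op, value


def is_valid_filter(expression: str) -> bool:
    try:
        parse_filter(expression)
        return True
    except FilterSyntaxError:
        return False


def _attribute(resource: Dict[str, Any], name: str) -> Optional[str]:
    """Case-insensitive lookup, since SCIM attribute names are case-insensitive."""
    for key, val in resource.items():
        if key.lower() == name.lower():
            return None if val is None else str(val)
    return None


def apply_filter(resources: List[Dict[str, Any]], expression: str) -> List[Dict[str, Any]]:
    """Resources (users or groups) whose attribute satisfies the parsed filter."""
    attr, op, wanted = parse_filter(expression)
    matched = []
    for resource in resources:
        actual = _attribute(resource, attr)
        if op == "pr":
            if actual is not None:
                matched.append(resource)
        elif actual is not None and _OPERATORS[op](actual, wanted):
            matched.append(resource)
    return matched


def filter_from_url(resources: List[Dict[str, Any]], url: str) -> List[Dict[str, Any]]:
    """Take the URL-encoded filter query parameter from an endpoint URL and apply it."""
    params = parse_qs(urlsplit(url).query)
    if "filter" not in params:
        return list(resources)
    return apply_filter(resources, params["filter"][0])


def matching_ids(resources: List[Dict[str, Any]], expression: str) -> List[str]:
    return [r["id"] for r in apply_filter(resources, expression)]


# Constructed sample resources (not real accounts).
USERS = [
    {"id": "u1", "userName": "adam", "displayName": "Adam A"},
    {"id": "u2", "userName": "john", "displayName": "John J"},
    {"id": "u3", "userName": "johnny", "displayName": "Johnny J"},
    {"id": "u4", "userName": "jane"},
]
GROUPS = [{"id": "g1", "displayName": "engineer"}, {"id": "g2", "displayName": "manager"}]

if __name__ == "__main__":
    print(matching_ids(USERS, "userName Eq john"))     # ['u2']
    print(matching_ids(USERS, "userName co jo"))       # ['u2', 'u3']
    print(matching_ids(USERS, "displayName pr"))       # ['u1', 'u2', 'u3']
    print(matching_ids(filter_from_url(GROUPS, "https://localhost:9443/wso2/scim/Groups?filter=displayName%20Eq%20engineer"), "id pr"))
    print(is_valid_filter("userNameEqadam"))           # False: no operator token
```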
[Dev] Has to change the property name in Userstore configurations
Hi,

The passwordHashMethod property name should be changed to PasswordHashMethod (p to P), and this has to be fixed in the default configuration file too [1].

Thanks,
Ishara

[1] https://wso2.org/jira/browse/IDENTITY-2281

--
Ishara Karunarathna
Senior Software Engineer
WSO2 Inc. - lean . enterprise . middleware | wso2.com
email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94 718211678
Re: [Dev] WSO2 Committers += Thanuja Jayasinghe
--
Ishara Karunarathna
Senior Software Engineer
WSO2 Inc. - lean . enterprise . middleware | wso2.com
email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94 718211678
Re: [Dev] WSO2 Committers += Prasad Tissera
Congratz Prasad.

On Wed, Jul 23, 2014 at 4:08 AM, Suresh Attanayaka sur...@wso2.com wrote:
> Congrats Prasad!
>
> On Wed, Jul 23, 2014 at 4:28 PM, Johann Nallathamby joh...@wso2.com wrote:
>> Hi All,
>>
>> It's my pleasure to announce Prasad Tissera as a WSO2 Committer. Prasad has been a valuable contributor to the WSO2 Identity Server product, and in recognition of his contributions to WSO2, he has been voted as a WSO2 Committer.
>>
>> Prasad, congratulations and keep up the good work!
>>
>> Thanks & Regards,
>> Johann.
>>
>> --
>> Thanks & Regards,
>> Johann Dilantha Nallathamby
>> Associate Technical Lead
>> Product Lead of WSO2 Identity Server
>> Integration Technologies Team
>> WSO2, Inc.
>> lean.enterprise.middleware
>> Mobile - +9476950
>> Blog - http://nallaa.wordpress.com
>
> --
> Suresh Attanayake
> Senior Software Engineer; WSO2 Inc. http://wso2.com/
> Blog : http://sureshatt.blogspot.com/
> Twitter : https://twitter.com/sureshatt
> LinkedIn : http://lk.linkedin.com/in/sureshatt
> Mobile : +94755012060

--
Ishara Karunarathna
Senior Software Engineer
WSO2 Inc. - lean . enterprise . middleware | wso2.com
email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94 718211678
Re: [Dev] WSO2 Committers += Isura Karunaratne
Congratz Isura.

On Wed, Jul 23, 2014 at 4:07 AM, Pulasthi Mahawithana pulast...@wso2.com wrote:
> Congrats Isura ...
>
> On Wed, Jul 23, 2014 at 4:35 PM, Suresh Attanayaka sur...@wso2.com wrote:
>> Congrats Isura.
>>
>> On Wed, Jul 23, 2014 at 4:30 PM, Johann Nallathamby joh...@wso2.com wrote:
>>> Hi All,
>>>
>>> It's my pleasure to announce Isura Karunaratne as a WSO2 Committer. Isura has been a valuable contributor to the WSO2 Identity Server product, and in recognition of his contributions to WSO2, he has been voted as a WSO2 Committer.
>>>
>>> Isura, congratulations and keep up the good work!
>>>
>>> Thanks & Regards,
>>> Johann.
>>>
>>> --
>>> Thanks & Regards,
>>> Johann Dilantha Nallathamby
>>> Associate Technical Lead
>>> Product Lead of WSO2 Identity Server
>>> Integration Technologies Team
>>> WSO2, Inc.
>>> lean.enterprise.middleware
>>> Mobile - +9476950
>>> Blog - http://nallaa.wordpress.com
>>
>> --
>> Suresh Attanayake
>> Senior Software Engineer; WSO2 Inc. http://wso2.com/
>> Blog : http://sureshatt.blogspot.com/
>> Twitter : https://twitter.com/sureshatt
>> LinkedIn : http://lk.linkedin.com/in/sureshatt
>> Mobile : +94755012060
>
> --
> Pulasthi Mahawithana
> Software Engineer
> WSO2 Inc., http://wso2.com/
> Mobile: +94-71-5179022
> Blog: http://blog.pulasthi.org

--
Ishara Karunarathna
Senior Software Engineer
WSO2 Inc. - lean . enterprise . middleware | wso2.com
email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94 718211678
Re: [Dev] How to add a new User member to a Group in SCIM
Hi Gayan,

On Wed, Jul 16, 2014 at 7:42 AM, Gayan Gunawardana ga...@wso2.com wrote:
> Yes Darshana. The limitation was you have to send the entire list with existing members. Isn't this the problem that you are going to address through the patch operation?
>
> On Wed, Jul 16, 2014 at 8:07 PM, Darshana Gunawardana darsh...@wso2.com wrote:
>> So does that mean we can update the user list of a group externally (calling the SCIM group endpoint) as well?
>>
>> On Wed, Jul 16, 2014 at 9:27 AM, Gayan Gunawardana ga...@wso2.com wrote:
>>> Hi Darshana,
>>>
>>> I have found a way. setUserMember(String id, String displayName) works fine. setUserMember(String id) also does the job, but it fails during JSON decoding. Anyway, thanks for looking into this.
>>>
>>> Thanks,
>>> Gayan
>>>
>>> On Wed, Jul 16, 2014 at 1:28 AM, Darshana Gunawardana darsh...@wso2.com wrote:
>>>> Hi Gayan,
>>>>
>>>> Have you found the way to do $subject?
>>>>
>>>> AFAIK, this functionality is not supported. If you have to add a user to some group using SCIM,
>>>> * Either you have to include that user while creating the group
>>>> * Or you have to update the role list of the user.
>>>>
>>>> Thanks,
>>>> Darshana
>>>>
>>>> On Mon, Jul 14, 2014 at 11:45 AM, Gayan Gunawardana ga...@wso2.com wrote:
>>>>> Hi Ishara,
>>>>>
>>>>> While writing an integration test for the patch operation I wanted to modify the user list of a group. I have tried the following methods
>>>>>
>>>>> setMember(String id)
>>>>> setUserMember(String id)
>>>>> setGroupMember(String id)
>>>>>
>>>>> but it gives
>>>>>
>>>>> org.apache.wink.client.ClientRuntimeException: org.wso2.charon.core.exceptions.AbstractCharonException
>>>>>   at org.apache.wink.client.internal.ResourceImpl.invoke(ResourceImpl.java:240)
>>>>>   at org.apache.wink.client.internal.ResourceImpl.invoke(ResourceImpl.java:189)
>>>>>   at org.apache.wink.client.internal.ResourceImpl.put(ResourceImpl.java:326)
>>>>>   at org.wso2.carbon.identity.tests.scim.SCIMServiceProviderGroupTestCase.updateGroup(SCIMServiceProviderGroupTestCase.java:208)
>>>>> Caused by: org.wso2.charon.core.exceptions.AbstractCharonException
>>>>>   at org.wso2.charon.core.encoder.json.JSONDecoder.decodeException(JSONDecoder.java:153)
>>>>>   at org.wso2.charon.core.client.SCIMClient.decodeSCIMException(SCIMClient.java:219)
>>>>>   at org.wso2.carbon.identity.tests.scim.utils.SCIMResponseHandler.handle(SCIMResponseHandler.java:51)
>>>>>   at org.apache.wink.client.internal.handlers.HandlerContextImpl.doChain(HandlerContextImpl.java:52)
>>>>>   at org.apache.wink.client.internal.ResourceImpl.invoke(ResourceImpl.java:227)
>>>>>   ... 36 more
>>>>>
>>>>> Seems like after modifying the user list of a group, the JSON decoder fails somewhere. This does not happen when updating the group name only. Can you point to the correct method to add a new user member to a group from its id? (org.wso2.charon.core.objects.Group)
>>>>>
>>>>> --
>>>>> Gayan Gunawardana
>>>>> Software Engineer; WSO2 Inc.; http://wso2.com/
>>>>> Email: ga...@wso2.com
>>>>> Mobile: +94 (71) 8020933
>>>>
>>>> --
>>>> Regards,
>>>> Darshana Gunawardana
>>>> Software Engineer
>>>> WSO2 Inc.; http://wso2.com
>>>> E-mail: darsh...@wso2.com
>>>> Mobile: +94718566859
>>>> Lean . Enterprise . Middleware

--
Ishara Karunarathna
Senior Software Engineer
WSO2 Inc. - lean . enterprise . middleware | wso2.com
email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94 718211678
Re: [Dev] Custom federated authenticator (For Linked In)
Hi,

On Sun, Jul 13, 2014 at 9:50 PM, Dulanja Liyanage dula...@wso2.com wrote:
> Shall we add this to Chunk-13? WDYT?

I asked to add this as an example of how to add a custom federated authenticator. +1 for adding a federated authenticator to the server by default.

Thanks,
-Ishara

> On Fri, Jul 11, 2014 at 9:41 PM, Ishara Karunarathna isha...@wso2.com wrote:
>> Hi all,
>>
>> [1] Here I have written a blog on adding a custom federated authenticator. So I think we can add this to our docs.
>>
>> Thanks,
>> Ishara
>>
>> [1] http://isharaaruna.blogspot.com/2014/07/login-with-linkedin-to-wso2-identity.html
>>
>> --
>> Ishara Karunarathna
>> Senior Software Engineer
>> WSO2 Inc. - lean . enterprise . middleware | wso2.com
>> email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94 718211678
>
> --
> Dulanja Liyanage
> WSO2 Inc.
> M: +94776764717

--
Ishara Karunarathna
Senior Software Engineer
WSO2 Inc. - lean . enterprise . middleware | wso2.com
email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94 718211678
[Dev] Custom federated authenticator (For Linked In)
Hi all,

[1] Here I have written a blog on adding a custom federated authenticator. So I think we can add this to our docs.

Thanks,
Ishara

[1] http://isharaaruna.blogspot.com/2014/07/login-with-linkedin-to-wso2-identity.html

--
Ishara Karunarathna
Senior Software Engineer
WSO2 Inc. - lean . enterprise . middleware | wso2.com
email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94 718211678
Re: [Dev] [Patch method support for SCIM end points]
Hi Gayan,

On Mon, Jul 7, 2014 at 11:46 AM, Gayan Gunawardana ga...@wso2.com wrote:
> Hi All,
>
> The requirement is based on [1]. Since WSO2 Identity Server can act as a SCIM provider, it exposes REST end points with the standard HTTP methods (GET, POST, PUT, DELETE). However, according to [2] the HTTP PATCH method is also required to do the patch operation.
>
> The idea of the patch operation is: suppose we need to add a new user to an existing group. With the update operation we can update the entire list of users in a particular group, so we have to send the complete set of users. The patch operation supports merging of existing users with new users.
>
> The bottleneck to implement the patch operation is that currently [3] does not support the HTTP PATCH method directly. But according to [4] it allows a custom annotation such as @Update or @Patch. WDYT?

+1. You will have to do the custom implementation to get PATCH support.

> [1] https://wso2.org/jira/browse/IDENTITY-1891
> [2] http://tools.ietf.org/html/draft-ietf-scim-api-02#section-3.3.1
> [3] http://cxf.apache.org/docs/jax-rs.html
> [4] http://cxf.apache.org/docs/jax-rs-basics.html#JAX-RSBasics-HTTPMethod
>
> Thanks,
> Gayan
>
> --
> Gayan Gunawardana
> Software Engineer; WSO2 Inc.; http://wso2.com/
> Email: ga...@wso2.com
> Mobile: +94 (71) 8020933

--
Ishara Karunarathna
Senior Software Engineer
WSO2 Inc. - lean . enterprise . middleware | wso2.com
email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94 718211678
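The PUT-versus-PATCH difference described in this thread and in the group-membership thread above ("you have to send the entire list with existing members"), as an added example that is not WSO2/Charon code: PUT replaces the whole Group representation, so a body that names only the new member silently drops the existing ones, while PATCH with the SCIM 1.1 semantics of the draft section linked as [2] merges: listed values are added, a value carrying "operation": "delete" is removed, and attribute names listed under meta.attributes are cleared. The stored group and the request bodies are constructed for the demo.

```python
"""Added example (not WSO2/Charon code): PUT (full replace) versus PATCH (merge) on a
SCIM 1.1 Group's multi-valued 'members' attribute. Sample data is constructed."""
import copy
from typing import Any, Dict, List

Resource = Dict[str, Any]
# id and meta are server-assigned and schemas describes the body, so a request body
# never changes them; for PATCH, meta.attributes is read as the list of attributes to clear.
SERVER_MANAGED = {"id", "meta", "schemas"}


def put_group(stored: Resource, body: Resource) -> Resource:
    """Full replacement: whatever the body omits (e.g. existing members) is gone."""
    replaced = {k: copy.deepcopy(v) for k, v in body.items() if k not in SERVER_MANAGED}
    for key in SERVER_MANAGED:
        if key in stored:
            replaced[key] = copy.deepcopy(stored[key])
    return replaced


def patch_group(stored: Resource, body: Resource) -> Resource:
    """Partial update with SCIM 1.1 PATCH semantics; the stored group is not mutated."""
    patched = copy.deepcopy(stored)
    # meta.attributes names attributes to remove entirely (e.g. every member at once).
    for name in body.get("meta", {}).get("attributes", []):
        patched.pop(name, None)
    for attr, value in body.items():
        if attr in SERVER_MANAGED:
            continue
        if isinstance(value, list):
            # Multi-valued attribute: each entry is an object keyed by "value"
            # (the member's id for Group.members). Merge by that key.
            current = {item["value"]: item for item in patched.get(attr, [])}
            for item in value:
                if "value" not in item:
                    raise ValueError(f"{attr} entry without a 'value': {item!r}")
                if item.get("operation") == "delete":
                    current.pop(item["value"], None)
                else:
                    current[item["value"]] = {k: v for k, v in item.items() if k != "operation"}
            patched[attr] = list(current.values())
        else:
            patched[attr] = copy.deepcopy(value)  # singular attribute: replaced
    return patched


def member_ids(group: Resource) -> List[str]:
    """Sorted member ids, the thing a client actually cares about after an update."""
    return sorted(m["value"] for m in group.get("members", []))


# Constructed stored group with two existing members.
STORED: Resource = {
    "schemas": ["urn:scim:schemas:core:1.0"],
    "id": "g1",
    "displayName": "engineer",
    "members": [
        {"value": "u1", "display": "alice"},
        {"value": "u2", "display": "bob"},
    ],
}

if __name__ == "__main__":
    add_carol: Resource = {"members": [{"value": "u3", "display": "carol"}]}
    # PUT with only the new member drops alice and bob: the limitation from the thread.
    print(member_ids(put_group(STORED, {"displayName": "engineer", **add_carol})))  # ['u3']
    # PATCH with the same body keeps them and adds carol.
    print(member_ids(patch_group(STORED, add_carol)))                              # ['u1', 'u2', 'u3']
    # PATCH can also remove one member by value, or clear the attribute via meta.attributes.
    print(member_ids(patch_group(STORED, {"members": [{"value": "u2", "operation": "delete"}]})))  # ['u1']
    print(member_ids(patch_group(STORED, {"meta": {"attributes": ["members"]}})))  # []
```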
[Dev] SCIM Interop at Cloud Identity Summit 2014
Hi all,

[1] This will be held on 19th June, and we can remotely connect to the event. Shall we take part in this?

Thanks,
Ishara

[1] http://www.cloudidentitysummit.com/events/cloud-identity-summit-2014/event-summary-e09252dca9f144cbbd77691980893949.aspx

--
Ishara Karunarathna
Senior Software Engineer
WSO2 Inc. - lean . enterprise . middleware | wso2.com
email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94 718211678
Re: [Dev] WSO2 Committers += Shazni Nazir
Congratz.

On Wed, Jun 4, 2014 at 10:20 AM, Manula Chathurika Thantriwatte manu...@wso2.com wrote:
> Congratulations Shazni !!!
>
> On Wed, Jun 4, 2014 at 10:18 AM, Manoj Kumara ma...@wso2.com wrote:
>> Congratulations Shazni !!!
>>
>> Manoj Kumara
>> Software Engineer
>> WSO2 Inc. http://wso2.com/
>> lean.enterprise.middleware
>> Mobile: +94713448188
>>
>> On Tue, Jun 3, 2014 at 7:49 PM, Subash Chaturanga sub...@wso2.com wrote:
>>> Hi all,
>>>
>>> It's my pleasure to announce Shazni as a WSO2 Committer. Shazni has made great contributions to the G-Reg product and showed very good enthusiasm in his work. And in recognition of his contribution he has been voted as a WSO2 committer.
>>>
>>> Shazni, welcome aboard and keep up the good work!
>>>
>>> --
>>> Thanks
>>> /subash
>>>
>>> Subash Chaturanga
>>> Senior Software Engineer : Platform TG; WSO2 Inc. http://wso2.com
>>> email: sub...@wso2.com
>>> blog: http://subashsdm.blogspot.com/
>>> twitter: @subash89
>>> phone: +9477 2225922
>>> Lean . Enterprise . Middleware
>
> --
> Regards,
> Manula Chathurika Thantriwatte
> Software Engineer
> WSO2 Inc. : http://wso2.com
> lean . enterprise . middleware
> email : manu...@wso2.com / man...@apache.org
> phone : +94 772492511
> blog : http://manulachathurika.blogspot.com/

--
Ishara Karunarathna
Senior Software Engineer
WSO2 Inc. - lean . enterprise . middleware | wso2.com
email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94 718211678