Re: [Dev] iat, exp and nbf values of token introspection when 'token_string' is a JWT

2018-09-04 Thread Ishara Karunarathna
Hi Omindu,

Please find my thoughts on this.

According to the "OAuth 2.0 Token Introspection" specification [1], these values
should be based on the original access token, and the *exp, iat, nbf* values should
use the format defined in the "JSON Web Token (JWT)" specification [2].
When we create a JWT out of this, yes, there is a confusion, because the JWT
spec [2] defines these values specific to the new JWT token that we create.

Combining these two, I interpret it in this way.
1. The *exp, iat, nbf* in the JWT spec define the time frame in which this
JWT token is valid.
2. All the data in this JWT token is only valid till the original access
token is valid.
3. Then the validity of the JWT should be within the validity of the original
access token.

So I think:
*iat* : should be the new JWT issuing time.
*nbf* : JWT issuing time or original nbf, if this is a future value.
*exp* : should be calculated with the original exp time.

Thanks,
Ishara

[1] https://tools.ietf.org/html/rfc7662#page-6
[2] https://tools.ietf.org/html/rfc7519

On Wed, Sep 5, 2018 at 8:17 AM Omindu Rathnaweera wrote:

> Hi Team,
>
> During token introspection we can request the user information related to
> the access token in the form of a JWT. This JWT is sent under the parameter
> 'token_string'.
>
> Ex:
>
> {
>    "token_string":"eyJ4NXQiO... (JWT)",
>    "active":true,
>    "token_type":"Bearer",
>    "exp":1536076577,
>    "iat":1536072977,
>    "nbf":1536072977,
>    "client_id":"5qqc07uvtnnouDYzxe63jLlnjOEa",
>    "username":"admin@carbon.super"
> }
>
> The exp (Expiration Time), iat (Issued At), nbf (Not Before) values in the
> above response are based on the original token issue time and this is the
> expected outcome as per the specification [1].
>
>
> However there's a confusion when it comes to setting these values in the
> JWT sent with 'token_string'.
>
> The current behavior is that 'iat' in the JWT is calculated based on the
> issued time of the introspecting access token but the 'exp' value is
> calculated based on the creation time of the JWT.
>
> I would like to know your opinion on what these values should be based on.
> Should they be the same as the access token's iat, exp, and nbf, or should they be
> based on the generation time of the JWT itself?
>
> [1] - https://tools.ietf.org/html/rfc7662#page-6
>
> Thanks,
> Omindu
> --
> Omindu Rathnaweera
> Senior Software Engineer, WSO2 Inc.
>


-- 
Ishara Karunarathna
Technical Lead
WSO2 Inc. - lean . enterprise . middleware |  wso2.com

email: isha...@wso2.com,   blog: isharaaruna.blogspot.com,   mobile:
+94717996791
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
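
The claim derivation proposed in the reply above, next to the behaviour reported in the question, as an added Python example (not WSO2 Identity Server code). The HS256 key, the one-hour JWT lifetime, the `sub` claim and all function names are assumptions; the timestamps and client values are those of the example response in the thread.

```python
import base64
import hashlib
import hmac
import json

# Constructed inputs: the access-token times and client come from the example
# response in the thread; the key and the JWT lifetime are assumptions.
DEMO_KEY = b"demo-key-not-for-production"
JWT_LIFETIME = 3600  # hypothetical lifetime a server gives a freshly minted JWT
ACCESS_TOKEN = {
    "iat": 1536072977, "nbf": 1536072977, "exp": 1536076577,
    "client_id": "5qqc07uvtnnouDYzxe63jLlnjOEa", "username": "admin@carbon.super",
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _mac(signing_input: str, key: bytes) -> str:
    return _b64url(hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest())


def sign_hs256(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Serialize claims as a compact JWT (HS256 chosen only to stay stdlib-only)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.{_mac(header + '.' + payload, key)}"


def decode_claims(jwt: str, key: bytes = DEMO_KEY) -> dict:
    """Verify the signature, then return the claims."""
    header, payload, sig = jwt.split(".")
    if not hmac.compare_digest(_mac(header + "." + payload, key), sig):
        raise ValueError("bad signature")
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def jwt_times_reported(token: dict, now: int) -> dict:
    """Behaviour reported in the question: iat from the token, exp from JWT creation."""
    return {"iat": token["iat"], "exp": now + JWT_LIFETIME}


def jwt_times_proposed(token: dict, now: int) -> dict:
    """Interpretation in the reply: the JWT's window stays inside the token's window."""
    return {
        "iat": now,                      # new JWT issuing time
        "nbf": max(now, token["nbf"]),   # original nbf only when it is still in the future
        "exp": token["exp"],             # taken from the original exp (assumed equal here)
    }


def outlives_access_token(jwt_times: dict, token: dict) -> bool:
    """True if a consumer checking only the JWT would accept it after the token expired."""
    return jwt_times["exp"] > token["exp"]


def introspect(token: dict, now: int) -> dict:
    """Build the introspection response, embedding a JWT under 'token_string'."""
    if now >= token["exp"]:
        # RFC 7662: an expired token is reported as active=false with no further detail.
        return {"active": False}
    # 'sub' is an assumed claim carrying the user information.
    claims = {"sub": token["username"], **jwt_times_proposed(token, now)}
    return {
        "token_string": sign_hs256(claims),
        "active": True,
        "token_type": "Bearer",
        "exp": token["exp"], "iat": token["iat"], "nbf": token["nbf"],
        "client_id": token["client_id"],
        "username": token["username"],
    }


if __name__ == "__main__":
    now = ACCESS_TOKEN["iat"] + 1800  # introspection half-way through the token's life
    print("reported:", jwt_times_reported(ACCESS_TOKEN, now))
    print("proposed:", jwt_times_proposed(ACCESS_TOKEN, now))
    print(json.dumps(introspect(ACCESS_TOKEN, now), indent=2))
```

With the reported behaviour, a consumer that validates only the embedded JWT keeps accepting it after the access token has expired; with the proposed derivation the two expiries coincide.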


Re: [Dev] [Architecture] [VOTE] Release of WSO2 Identity Server 5.6.0 RC3

2018-06-19 Thread Ishara Karunarathna
>>>>>>>
>>>>>>> On Tue, Jun 19, 2018 at 12:26 PM, Vihanga Liyanage wrote:
>>>>>>>
>>>>>>>> Hi all,
>>>>>>>>
>>>>>>>> I've tested following scenarios on the IS 5.6.0-RC3 pack with
>>>>>>>> default database setup.
>>>>>>>>
>>>>>>>>    - Enable user self-registration and self-register a new user.
>>>>>>>>    - Add multiple consent purposes with multiple PII categories.
>>>>>>>>    - Login to dashboard and see whether we can see the default
>>>>>>>>      consent and above added PII categories.
>>>>>>>>    - Confirm claims are getting filtered based on consents.
>>>>>>>>    - Configure a service provider with OpenID Connect and acquire
>>>>>>>>      access tokens via Authorization Code, Implicit, Client Credential
>>>>>>>>      and Password grant types.
>>>>>>>>    - Enable ID token encryption for the service provider and test
>>>>>>>>      the flow with decryption for all grant types.
>>>>>>>>    - Delete the self-signed up user, create another user with the
>>>>>>>>      exact same username, log in to the dashboard and see what are the
>>>>>>>>      consents shown.
>>>>>>>>    - Revoke consents of the user via the dashboard and try
>>>>>>>>      accessing the SP to verify the consents are asked again.
>>>>>>>>    - Delete the SP, login to the dashboard and see whether the
>>>>>>>>      consents are deleted for that SP.
>>>>>>>>
>>>>>>>> No blocking issues are found.
>>>>>>>>
>>>>>>>> [+] Stable - go ahead and release.
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Vihanga.
>>>>>>>>
>>>>>>>> On Fri, Jun 15, 2018 at 6:29 PM Madawa Soysa wrote:
>>>>>>>>
>>>>>>>>> Hi all,
>>>>>>>>>
>>>>>>>>> We are pleased to announce the third release candidate of WSO2
>>>>>>>>> Identity Server 5.6.0.
>>>>>>>>>
>>>>>>>>> This release fixes the following issues
>>>>>>>>>
>>>>>>>>>    - 5.6.0-RC Fixes
>>>>>>>>>      <https://github.com/wso2/product-is/milestone/40?closed=1>
>>>>>>>>>    - 5.6.0-Beta Fixes
>>>>>>>>>      <https://github.com/wso2/product-is/milestone/39?closed=1>
>>>>>>>>>    - 5.6.0-Alpha2 Fixes
>>>>>>>>>      <https://github.com/wso2/product-is/milestone/43?closed=1>
>>>>>>>>>    - 5.6.0-Alpha Fixes
>>>>>>>>>      <https://github.com/wso2/product-is/milestone/38?closed=1>
>>>>>>>>>    - 5.6.0-M7 Fixes
>>>>>>>>>      <https://github.com/wso2/product-is/milestone/37?closed=1>
>>>>>>>>>    - 5.6.0-M6 Fixes
>>>>>>>>>      <https://github.com/wso2/product-is/milestone/36?closed=1>
>>>>>>>>>    - 5.6.0-M5 Fixes
>>>>>>>>>      <https://github.com/wso2/product-is/milestone/35?closed=1>
>>>>>>>>>    - 5.6.0-M4 Fixes
>>>>>>>>>      <https://github.com/wso2/product-is/milestone/34?closed=1>
>>>>>>>>>    - 5.6.0-M3 Fixes
>>>>>>>>>      <https://github.com/wso2/product-is/milestone/33?closed=1>
>>>>>>>>>    - 5.6.0-M2 Fixes
>>>>>>>>>      <https://github.com/wso2/product-is/milestone/31?closed=1>
>>>>>>>>>    - 5.6.0-M1 Fixes
>>>>>>>>>      <https://github.com/wso2/product-is/milestone/30?closed=1>
>>>>>>>>>
>>>>>>>>> Source and distribution,
>>>>>>>>> Runtime -
>>>>>>>>> https://github.com/wso2/product-is/releases/tag/v5.6.0-rc3
>>>>>>>>> Analytics -
>>>>>>>>> 

Re: [Dev] [Architecture] [VOTE] Release WSO2 Identity Server 5.5.0 RC2

2018-03-15 Thread Ishara Karunarathna
Hi,

Tested the consent mgt feature with SAML SSO and basic user mgt features.
No blocking issues found.

[+] Stable - Go ahead and release

-Ishara

On Thu, Mar 15, 2018 at 1:08 PM, Pulasthi Mahawithana <pulast...@wso2.com>
wrote:

> Tested below scenarios and no blocking issues found.
>
>    - Adding multi-Step workflow definitions
>    - Adding workflow associations and Multi step approval for user add
>      operation
>    - Federation with twitter
>    - Login analytics
>    - Session Analytics
>
> No blocking issues found.
>
> [+] Stable - Go ahead and release
>
> On Thu, Mar 15, 2018 at 12:33 PM, Hasintha Indrajee <hasin...@wso2.com>
> wrote:
>
>> Tested below scenarios with MySQL database
>>
>> Authentication data publishing.
>> Custom OAuth client authenticators (Private key JWT client authenticator.)
>>
>> Self registration with consents (for super and non super tenants)
>> SSO with missing mandatory claims and consents for SaaS apps. (SAML, with
>> and without mandatory claims)
>> Updating and revoking consents through dashboard for super tenant and non
>> super tenant users.
>> Consent erasure while apps (for SaaS scenarios) are deleted and users are
>> deleted.
>>
>> No blocking issues found and +1 to proceed with release.
>>
>>
>> On Thu, Mar 15, 2018 at 5:19 AM, Darshana Gunawardana <darsh...@wso2.com>
>> wrote:
>>
>>> Hi all,
>>>
>>> We are pleased to announce the second release candidate of WSO2 Identity
>>> Server 5.5.0.
>>>
>>> This release fixes the following issues,
>>>
>>>    - 5.5.0-RC2 fixes
>>>      <https://github.com/wso2/product-is/issues?q=is%3Aclosed+milestone%3A5.5.0-RC2>
>>>    - 5.5.0-RC1 fixes
>>>      <https://github.com/wso2/product-is/issues?q=is%3Aclosed+milestone%3A5.5.0-RC1>
>>>    - 5.5.0-Beta fixes
>>>      <https://github.com/wso2/product-is/issues?q=is%3Aclosed+milestone%3A5.5.0-beta>
>>>    - 5.5.0-Alpha3 fixes
>>>      <https://github.com/wso2/product-is/issues?q=is%3Aclosed+milestone%3A5.5.0-alpha3>
>>>    - 5.5.0-Alpha2 fixes
>>>      <https://github.com/wso2/product-is/issues?q=is%3Aclosed+milestone%3A5.5.0-alpha2>
>>>    - 5.5.0-Alpha fixes
>>>      <https://github.com/wso2/product-is/issues?q=is%3Aclosed+milestone%3A5.5.0-alpha>
>>>    - 5.5.0-M4 fixes
>>>      <https://github.com/wso2/product-is/issues?q=is%3Aclosed+milestone%3A5.5.0-M4>
>>>    - 5.5.0-M3 fixes
>>>      <https://github.com/wso2/product-is/issues?q=is%3Aclosed+milestone%3A5.5.0-M3>
>>>    - 5.5.0-M2 fixes
>>>      <https://github.com/wso2/product-is/issues?q=is%3Aclosed+milestone%3A5.5.0-M2>
>>>    - 5.5.0-M1 fixes
>>>      <https://github.com/wso2/product-is/issues?q=is%3Aclosed+milestone%3A5.5.0-M1>
>>>
>>>
>>> Source and distribution
>>>
>>> Runtime - https://github.com/wso2/product-is/releases/v5.5.0-rc2
>>> Analytics - https://github.com/wso2/analytics-is/releases/v5.5.0-rc2
>>>
>>>
>>> Please download, test the product and vote.
>>>
>>> [+] Stable - go ahead and release
>>> [-] Broken - do not release (explain why)
>>>
>>>
>>> Thanks,
>>> - WSO2 Identity and Access Management Team -
>>>
>>> --
>>> Regards,
>>>
>>>
>>> *Darshana Gunawardana*
>>> Technical Lead
>>> WSO2 Inc.; http://wso2.com
>>>
>>> *E-mail: darsh...@wso2.com*
>>> *Mobile: +94718566859*
>>> Lean . Enterprise . Middleware
>>>
>>
>>
>>
>> --
>> Hasintha Indrajee
>> WSO2, Inc.
>> Mobile:+94 771892453 <+94%2077%20189%202453>
>>
>>
>> ___
>> Architecture mailing list
>> architect...@wso2.org
>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>
>>
>
>
> --
> *Pulasthi Mahawithana*
> Associate Technical Lead
> WSO2 Inc., http://wso2.com/
> Mobile: +94-71-5179022 <+94%2071%20517%209022>
> Blog: https://medium.com/@pulasthi7/
>
> <https://wso2.com/signature>
>
> ___
> Dev mailing list
> Dev@wso2.org
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>
>




Re: [Dev] Setting commonAuth Cookie even after failing authorization in a fresh login attempt.

2018-01-29 Thread Ishara Karunarathna
On Mon, Jan 29, 2018 at 8:40 PM, Hasintha Indrajee <hasin...@wso2.com>
wrote:

> So that's because we don't have a proper way of reverting it back. Hence
> isn't it better not to write cookies until a proper access of an
> application takes place for this scenario? In multi step scenario it's
> true that there is an idp session, but still the user is not properly
> logged in since one of the steps failed. Hence next time the next step will
> be prompted which means he doesn't have a valid session.
>
> The idea is if we can avoid writing cookies we can unify the post
> authentication behaviours (missing mandatory claim handling, authorization,
> etc)
>

As an improvement we can do this.
But shared computer scenario is a rare use case. Even if you use a shared
computer it's not a good practice to keep the browser session or use
remember me option.

-Ishara

>
> On Mon, Jan 29, 2018 at 8:26 PM, Ishara Karunarathna <isha...@wso2.com>
> wrote:
>
>> Hi Hasintha,
>>
>> On Mon, Jan 29, 2018 at 8:19 PM, Hasintha Indrajee <hasin...@wso2.com>
>> wrote:
>>
>>> Multi-step authentication is a different case I think. We don't set
>>> cookies in an intermediate state. What if we use "remember me"? So the
>>> cookie will be there even if we close the browser, isn't it?
>>>
>> Think of the authentication steps.
>> step1 : Federated authenticator
>> step2 : Local authenticator.
>>
>> Then in step 1 the federated authenticator will create a session where the
>> 2nd authentication fails. So the 2nd time also the user will automatically be
>> redirected to the federated authenticator and authenticated, then fail in the 2nd
>> case.
>>
>> -Ishara
>>
>>>
>>> On Mon, Jan 29, 2018 at 8:15 PM, Ishara Karunarathna <isha...@wso2.com>
>>> wrote:
>>>
>>>> Hi Hasintha,
>>>>
>>>> Same can happen in multi-step authentication where a user successfully
>>>> logs in with the 1st authenticator and fails in the 2nd case.
>>>>
>>>> On Mon, Jan 29, 2018 at 8:04 PM, Hasintha Indrajee <hasin...@wso2.com>
>>>> wrote:
>>>>
>>>>> We have the feature of enabling authorization for service provider
>>>>> [1]. Imagine a scenario where we login to an SP for the very first time and
>>>>> authorization fails due to some violation of authorization policies. Even
>>>>> if authorization fails we do set commonAuthId cookie in the response which
>>>>> means the user has a valid SSO session from that point onwards.
>>>>>
>>>>> This can be seen in two perspectives.
>>>>>
>>>>> 1) The user is authenticated, but authorization fails. Hence we should
>>>>> set the cookie for SSO irrespective of authorization decision.
>>>>>
>>>>> 2) But this may lead to an inconsistent state. Suppose this is the
>>>>> only application the user is allowed to login. But due to some policy
>>>>> violation, the first login fails. In a case of a shared computer this leads
>>>>> to a deadlock where the user can neither properly log in nor properly
>>>>> log out. We can use the workaround of calling commonAuthLogout=true. But
>>>>> this will not do a proper logout (logging out external idps). Hence in a
>>>>> shared computer the user has no option.
>>>>>
>>>> I think in this case user should close the browser, then he won't get
>>>> this issue. This is valid for the multi step authentication as well.
>>>>
>>>> -Ishara
>>>>
>>>>>
>>>>> Hence I think we can avoid setting cookie until a user successfully
>>>>> accesses at least a single application upon successful authentication and
>>>>> authorization. So simply even if the user is authenticated for the very
>>>>> first time, we will not set the cookie unless the user is authorized to
>>>>> access that particular application. (This only applies to the very first
>>>>> app the user is trying to login)
>>>>>
>>>>> WDYT ?
>>>>>
>>>>>
>>>>> [1] https://docs.wso2.com/display/IS530/Configuring+Access+Control+Policy+for+a+Service+Provider
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Hasintha Indrajee
>>>>> WSO2, Inc.
>>>>> Mobile:+94 771892453 <+94%2077%20189%202453>
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Ishara Karunarathna
>>>> Technical Lead
>>>> WSO2 Inc. - lean . enterprise . middleware |  wso2.com
>>>>
>>>> email: isha...@wso2.com,   blog: isharaaruna.blogspot.com,   mobile:
>>>> +94717996791 <071%20799%206791>
>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> Hasintha Indrajee
>>> WSO2, Inc.
>>> Mobile:+94 771892453 <+94%2077%20189%202453>
>>>
>>>
>>
>>
>> --
>> Ishara Karunarathna
>> Technical Lead
>> WSO2 Inc. - lean . enterprise . middleware |  wso2.com
>>
>> email: isha...@wso2.com,   blog: isharaaruna.blogspot.com,   mobile:
>> +94717996791 <071%20799%206791>
>>
>>
>>
>
>
> --
> Hasintha Indrajee
> WSO2, Inc.
> Mobile:+94 771892453 <+94%2077%20189%202453>
>
>




Re: [Dev] Setting commonAuth Cookie even after failing authorization in a fresh login attempt.

2018-01-29 Thread Ishara Karunarathna
Hi Hasintha,

Same can happen in multi-step authentication where a user successfully
logs in with the 1st authenticator and fails in the 2nd case.

On Mon, Jan 29, 2018 at 8:04 PM, Hasintha Indrajee <hasin...@wso2.com>
wrote:

> We have the feature of enabling authorization for service provider [1].
> Imagine a scenario where we login to an SP for the very first time and
> authorization fails due to some violation of authorization policies. Even
> if authorization fails we do set commonAuthId cookie in the response which
> means the user has a valid SSO session from that point onwards.
>
> This can be seen in two perspectives.
>
> 1) The user is authenticated, but authorization fails. Hence we should set
> the cookie for SSO irrespective of authorization decision.
>
> 2) But this may lead to an inconsistent state. Suppose this is the only
> application the user is allowed to login. But due to some policy violation,
> the first login fails. In a case of a shared computer this leads to a
> deadlock where the user can neither properly log in nor properly log out. We
> can use the workaround of calling commonAuthLogout=true. But this will not
> do a proper logout (logging out external idps). Hence in a shared computer
> the user has no option.
>
I think in this case user should close the browser, then he won't get this
issue. This is valid for the multi step authentication as well.

-Ishara

>
> Hence I think we can avoid setting cookie until a user successfully
> accesses at least a single application upon successful authentication and
> authorization. So simply even if the user is authenticated for the very
> first time, we will not set the cookie unless the user is authorized to
> access that particular application. (This only applies to the very first
> app the user is trying to login)
>
> WDYT ?
>
>
> [1] https://docs.wso2.com/display/IS530/Configuring+Access+Control+Policy+for+a+Service+Provider
>
>
>
> --
> Hasintha Indrajee
> WSO2, Inc.
> Mobile:+94 771892453 <+94%2077%20189%202453>
>
>




Re: [Dev] Setting commonAuth Cookie even after failing authorization in a fresh login attempt.

2018-01-29 Thread Ishara Karunarathna
Hi Hasintha,

On Mon, Jan 29, 2018 at 8:19 PM, Hasintha Indrajee <hasin...@wso2.com>
wrote:

> Multi-step authentication is a different case I think. We don't set
> cookies in an intermediate state. What if we use "remember me"? So the
> cookie will be there even if we close the browser, isn't it?
>
Think of the authentication steps.
step1 : Federated authenticator
step2 : Local authenticator.

Then in step 1 the federated authenticator will create a session where the 2nd
authentication fails. So the 2nd time also the user will automatically be
redirected to the federated authenticator and authenticated, then fail in the 2nd
case.

-Ishara

>
> On Mon, Jan 29, 2018 at 8:15 PM, Ishara Karunarathna <isha...@wso2.com>
> wrote:
>
>> Hi Hasintha,
>>
>> Same can happen in multi-step authentication where a user successfully
>> logs in with the 1st authenticator and fails in the 2nd case.
>>
>> On Mon, Jan 29, 2018 at 8:04 PM, Hasintha Indrajee <hasin...@wso2.com>
>> wrote:
>>
>>> We have the feature of enabling authorization for service provider [1].
>>> Imagine a scenario where we login to an SP for the very first time and
>>> authorization fails due to some violation of authorization policies. Even
>>> if authorization fails we do set commonAuthId cookie in the response which
>>> means the user has a valid SSO session from that point onwards.
>>>
>>> This can be seen in two perspectives.
>>>
>>> 1) The user is authenticated, but authorization fails. Hence we should
>>> set the cookie for SSO irrespective of authorization decision.
>>>
>>> 2) But this may lead to an inconsistent state. Suppose this is the only
>>> application the user is allowed to login. But due to some policy violation,
>>> the first login fails. In a case of a shared computer this leads to a
>>> deadlock where the user can neither properly log in nor properly log out. We
>>> can use the workaround of calling commonAuthLogout=true. But this will not
>>> do a proper logout (logging out external idps). Hence in a shared computer
>>> the user has no option.
>>>
>> I think in this case user should close the browser, then he won't get
>> this issue. This is valid for the multi step authentication as well.
>>
>> -Ishara
>>
>>>
>>> Hence I think we can avoid setting cookie until a user successfully
>>> accesses at least a single application upon successful authentication and
>>> authorization. So simply even if the user is authenticated for the very
>>> first time, we will not set the cookie unless the user is authorized to
>>> access that particular application. (This only applies to the very first
>>> app the user is trying to login)
>>>
>>> WDYT ?
>>>
>>>
>>> [1] https://docs.wso2.com/display/IS530/Configuring+Access+Control+Policy+for+a+Service+Provider
>>>
>>>
>>>
>>> --
>>> Hasintha Indrajee
>>> WSO2, Inc.
>>> Mobile:+94 771892453 <+94%2077%20189%202453>
>>>
>>>
>>
>>
>> --
>> Ishara Karunarathna
>> Technical Lead
>> WSO2 Inc. - lean . enterprise . middleware |  wso2.com
>>
>> email: isha...@wso2.com,   blog: isharaaruna.blogspot.com,   mobile:
>> +94717996791 <071%20799%206791>
>>
>>
>>
>
>
> --
> Hasintha Indrajee
> WSO2, Inc.
> Mobile:+94 771892453 <+94%2077%20189%202453>
>
>




Re: [Dev] IS Dashboard widgets are not loading due to 'webSocket' issue

2017-12-08 Thread Ishara Karunarathna
.runWorker(ThreadPoolExecutor.java:1142)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
> at java.lang.Thread.run(Thread.java:745)
> Caused by: org.mozilla.javascript.EcmaError: ReferenceError: "webSocket" is not defined. (/dashboard//session_manager.jag#7)
> at org.mozilla.javascript.ScriptRuntime.constructError(ScriptRuntime.java:3687)
> at org.mozilla.javascript.ScriptRuntime.constructError(ScriptRuntime.java:3665)
> at org.mozilla.javascript.ScriptRuntime.notFoundError(ScriptRuntime.java:3750)
> at org.mozilla.javascript.ScriptRuntime.name(ScriptRuntime.java:1728)
> at org.jaggeryjs.rhino.dashboard.c8._c_script_0(/dashboard//session_manager.jag:7)
> at org.jaggeryjs.rhino.dashboard.c8.call(/dashboard//session_manager.jag)
> at org.mozilla.javascript.ContextFactory.doTopCall(ContextFactory.java:394)
> at org.mozilla.javascript.ScriptRuntime.doTopCall(ScriptRuntime.java:3091)
> at org.jaggeryjs.rhino.dashboard.c8.call(/dashboard//session_manager.jag)
> at org.jaggeryjs.rhino.dashboard.c8.exec(/dashboard//session_manager.jag)
> at org.jaggeryjs.scriptengine.engine.RhinoEngine.execScript(RhinoEngine.java:567)
> ... 44 more
>
>
> Found a similar issue in [1] .
>
> [1] https://wso2.org/jira/browse/IDENTITY-4141
>
> Thanks
> Sashika
> --
>
> *Sashika Wijesinghe*
> *Software Engineer - QA Team*
> Mobile : +94 (0) 774537487
> sash...@wso2.com
>





Re: [Dev] Shouldnt we validate issuer id among users in service providers?

2017-11-30 Thread Ishara Karunarathna
On Thu, Nov 30, 2017 at 1:50 PM, Ushani Balasooriya <ush...@wso2.com> wrote:

> Wum updated pack*
>

Can you please retry this?
I just checked the WUM updated pack and didn't see that issue, and recently
we didn't change anything in that area, so it should not break in the 27 wum as
well.

-Ishara

>
> On 30 Nov 2017 1:31 pm, "Ushani Balasooriya" <ush...@wso2.com> wrote:
>
>> Hi Ishara,
>>
>> 27th Nov win updated pack allowed to add sp with same issuer id.
>>
>> On 30 Nov 2017 10:36 am, "Ishara Karunarathna" <isha...@wso2.com> wrote:
>>
>>> Hi Ushani,
>>>
>>> How did you test this scenario? It does not allow registering two SPs
>>> with the same issuer id.
>>>
>>> -Ishara
>>>
>>> On Thu, Nov 30, 2017 at 8:22 AM, Ushani Balasooriya <ush...@wso2.com>
>>> wrote:
>>>
>>>> Hi IAM team,
>>>>
>>>> Please consider the below scenario.
>>>>
>>>> When I think of a system as an admin and developer personas in a same
>>>> tenant,
>>>>
>>>> 1. Admin registers a service provider as *travelocity* with issuer id
>>>> as *travelocity.com* and assertion consumer
>>>> url as http://localhost:8080/travelocity.com/home.jsp and configure
>>>> Federated IDP as Google
>>>>
>>>> 2. Then developer persona registers a service provider as *travelocity.com*
>>>> with same issuer id as *travelocity.com* and assertion consumer url as
>>>> http://localhost:8080/travelocity.com/home.jsp since it does not
>>>> validate issuer id and configure federated IDP as facebook.
>>>>
>>>> In this scenario, only the *service provider name* will be *validated*
>>>> and *issuer id* will *not be validated.*
>>>>
>>>> Therefore when we try to access service provider, it will federate only
>>>> through google.
>>>>
>>>> This is a very rare negative use case, but when you think of different
>>>> personas, I think this should be considered.
>>>>
>>>> Please correct me if I am wrong.
>>>>
>>>> Thanks,
>>>> --
>>>> *Ushani Balasooriya*
>>>> Associate Technical Lead - EE;
>>>> WSO2 Inc; http://www.wso2.com/.
>>>> Mobile; +94772636796
>>>>
>>>>
>>>
>>>
>>> --
>>> Ishara Karunarathna
>>> Technical Lead
>>> WSO2 Inc. - lean . enterprise . middleware |  wso2.com
>>>
>>> email: isha...@wso2.com,   blog: isharaaruna.blogspot.com,   mobile:
>>> +94717996791 <+94%2071%20799%206791>
>>>
>>>
>>>




Re: [Dev] Shouldnt we validate issuer id among users in service providers?

2017-11-29 Thread Ishara Karunarathna
Hi Ushani,

How did you test this scenario? It does not allow registering two SPs with
the same issuer id.

-Ishara

On Thu, Nov 30, 2017 at 8:22 AM, Ushani Balasooriya <ush...@wso2.com> wrote:

> Hi IAM team,
>
> Please consider the below scenario.
>
> When I think of a system as an admin and developer personas in a same
> tenant,
>
> 1. Admin registers a service provider as *travelocity* with issuer id as
> *travelocity.com* and assertion consumer url as
> http://localhost:8080/travelocity.com/home.jsp and configure Federated
> IDP as Google
>
> 2. Then developer persona registers a service provider as *travelocity.com*
> with same issuer id as *travelocity.com* and assertion consumer url as
> http://localhost:8080/travelocity.com/home.jsp since it does not validate
> issuer id and configure federated IDP as facebook.
>
> In this scenario, only the *service provider name* will be *validated*
> and *issuer id* will *not be validated.*
>
> Therefore when we try to access service provider, it will federate only
> through google.
>
> This is a very rare negative use case, but when you think of different
> personas, I think this should be considered.
>
> Please correct me if I am wrong.
>
> Thanks,
> --
> *Ushani Balasooriya*
> Associate Technical Lead - EE;
> WSO2 Inc; http://www.wso2.com/.
> Mobile; +94772636796
>
>




Re: [Dev] What is the correct way to display service providers and identity providers for different admin role users

2017-11-29 Thread Ishara Karunarathna
Hi Ushani,


On Wed, Nov 29, 2017 at 5:26 PM, Ushani Balasooriya <ush...@wso2.com> wrote:

> Hi IAM Team,
>
> Any update on this?
>
SP applications are specific to clients and IDP configurations are specific
to the Server.

For example, let's say you create an application in FB and you can manage it;
if needed you assign different users to the admin role, then only they can manage
that application.
And FB supports user name password authentication; later they decide to
add federation authentication support, which is an IDP configuration, so
that's managed by FB server admins.

-Ishara



> Thanks,
> Ushani
>
> On Wed, Nov 29, 2017 at 11:47 AM, Ushani Balasooriya <ush...@wso2.com>
> wrote:
>
>> Hi Maneesha,
>>
>> Thanks for the clarification. Appreciate if someone can explain why this
>> behavior is different for SP and IDPs? If there is an explanation, it would be
>> great to add it to the docs.
>>
>> Thanks,
>> Ushani
>>
>> On Wed, Nov 29, 2017 at 11:42 AM, Maneesha Wijesekara <manee...@wso2.com>
>> wrote:
>>
>>> Hi Ushani,
>>>
>>> As per the current implementation, a service provider is only visible to
>>> the user who created it, at first. When creating service providers, by default
>>> a role is created as 'Application/{SERVICE_PROVIDER_NAME}'. In order to
>>> make the service provider available for the selected users, you can assign
>>> users to this role and the SP will be visible to them as well.
>>>
>>> +1 to add this to the documents.
>>>
>>> Regards
>>> Maneesha
>>>
>>> On Wed, Nov 29, 2017 at 11:02 AM, Ushani Balasooriya <ush...@wso2.com>
>>> wrote:
>>>
>>>> Hi IAM team,
>>>>
>>>> Please consider the below example.
>>>>
>>>> 1. *admin* user belongs to *admin* role creates a SP named *adminsp*
>>>> and an IDP named *adminidp*
>>>>
>>>> 2. *admin1* user belongs to the same *admin* role creates a SP named
>>>> *admin1sp* and an IDP named *admin1idp*.
>>>>
>>>> So the current behavior is,
>>>> 1. Both *admin* and *admin1* users can see the existing *IDPs*  (
>>>> *adminidp* and *admin1idp*) when they log in to the management
>>>> console.
>>>>
>>>> 2. But they can only see the *SP*  created by themselves. E.g., *admin*
>>>> can see only *adminsp* and *admin1* can see only *admin1sp*.
>>>>
>>>> Can you please explain whether this contradicting behavior is expected
>>>> or whether this is a bug?
>>>>
>>>> If not a bug, please explain why, and it should go to the documents.
>>>>
>>>> Thanks,
>>>> --
>>>> *Ushani Balasooriya*
>>>> Associate Technical Lead - EE;
>>>> WSO2 Inc; http://www.wso2.com/.
>>>> Mobile; +94772636796
>>>>
>>>>
>>>
>>>
>>> --
>>> Maneesha Wijesekara
>>> Software Engineer - QA Team
>>> WSO2 Inc.
>>>
>>> Email: manee...@wso2.com
>>> Linkedin: http://linkedin.com/in/maneeshawijesekara
>>> Mobile: +94712443119
>>>
>>
>>
>>
>> --
>> *Ushani Balasooriya*
>> Associate Technical Lead - EE;
>> WSO2 Inc; http://www.wso2.com/.
>> Mobile; +94772636796
>>
>>
>
>
> --
> *Ushani Balasooriya*
> Associate Technical Lead - EE;
> WSO2 Inc; http://www.wso2.com/.
> Mobile; +94772636796
>
>




Re: [Dev] Stress Test Google Federated Authenticator as IDP

2017-11-29 Thread Ishara Karunarathna
Hi Chankami,

In these cases these IDPs will identify these requests as an attack and
block them. And I don't think it's useful to load the IDP.
I think your objective is to check whether IS can handle the federation flow.

In that case you can use another IS as an IDP and do the test.

-Ishara

On Wed, Nov 29, 2017 at 3:03 PM, Chankami Maddumage <chank...@wso2.com>
wrote:

> Hi All
>
> We have a solution  to automate Google federated authenticator as IDP
> where travelocity is used as SP.
>
> I have used Jmeter to automate this scenario. When I access my SP,
> travelocity, it redirects to the Federated IDP Google Login page. Ideally
> if I login via Google login page, it redirects me to the travelocity logged
> in page.
>
> When I capture the request, I can see multiple parameters which are
> auto-generated from Google side are passed for the login request.
>
> Also, when we try to load test Google side, they block our requests.
>
> My question is, since I am in a process to stress test WSO2 IS federated
> authenticator login scenario, please advise me up to which level I should
> do the stress testing?
>
>
> Example, should I stress test only up to the login page or is there any
> other correct way to proceed with this scenario.
>
>
> This problem is there for other connectors like Facebook, twitter etc
>
> --
> Best Regards,
>
>
> *Chankami Maddumage*
> Software Engineer - QA Team
> WSO2 Inc; http://www.wso2.com/.
> Mobile: +94 (0) 73096
>
>


-- 
Ishara Karunarathna
Technical Lead
WSO2 Inc. - lean . enterprise . middleware |  wso2.com

email: isha...@wso2.com,   blog: isharaaruna.blogspot.com,   mobile:
+94717996791


Re: [Dev] SPML Outbound provisioning Use case

2017-11-13 Thread Ishara Karunarathna
Hi Ushani,



On Tue, Nov 14, 2017 at 10:22 AM, Ushani Balasooriya <ush...@wso2.com>
wrote:

>
> Hi,
>
> @Farsath - Thanks Farsath for the clear explanation. I just had it
> configured since I was validating a scenario for testing purpose. Shouldn't
> we remove the SPML connector from the product and documents if it is
> deprecated? If we are going to have it in the product, I think document
> should provide adequate information.
>
> @Ishara - I will try SCIM outbound provisioning connector as well in my
> latter part of testing.
>

At the moment SPML is not a high-priority item for Identity Server, so we
are not focusing on improving the SPML-related implementation or
documentation.
Also, I agree with you: since it's in the doc we need to clarify it
more, but we can do it in the future.

In a practical scenario only users who are interested in SPML will try it,
but I doubt there are any.

So it is better to invest time in SCIM since it's high priority.

Thanks.
-Ishara

>
> Thanks,
> Ushani
>
> On Mon, Nov 13, 2017 at 7:07 PM, Ishara Karunarathna <isha...@wso2.com>
> wrote:
>
>> Hi Ushani,
>>
>> Shall we try with the SCIM outbound provisioning scenario?
>> SPML is not widely used provisioning mechanism in the industry but
>> testing SCIM is important.
>>
>> Thanks,
>> Ishara
>>
>>
>> On Mon, Nov 13, 2017 at 7:01 PM, Farasath Ahamed <farasa...@wso2.com>
>> wrote:
>>
>>> Hi Ushani,
>>>
>>> When you configure an outbound provisioning to *Resident Service
>>> Provider, *any changes you do to local users will be provisioned to
>>> configured outbound provisioning connectors.
>>>
>>> So,
>>>
>>> SCIM Call ---> Resident SP --> Provision using SPML.
>>>
>>> By configuring an outbound provisioning connector you are asking IS to
>>> sync any changes(any CRUD operation) you do to a local user (in a user
>>> store) with an external entity. You would observe the same behaviour even
>>> if you add a user from the management console.
>>>
>>> Any CRUD to local user ---> Resident SP --> Trigger outbound
>>> provisioning connectors.
>>>
>>> Any particular reason you are trying out SPML since it's a deprecated
>>> connector?
>>>
>>> Thanks,
>>> Farasath
>>>
>>> Farasath Ahamed
>>> Software Engineer, WSO2 Inc.; http://wso2.com
>>> Mobile: +94777603866
>>> Blog: blog.farazath.com
>>> Twitter: @farazath619 <https://twitter.com/farazath619>
>>> <http://wso2.com/signature>
>>>
>>>
>>>
>>> On Mon, Nov 13, 2017 at 6:31 PM, Ushani Balasooriya <ush...@wso2.com>
>>> wrote:
>>>
>>>> Hi IAM Team,
>>>>
>>>>
>>>> Can you please explain me how does SPML outbound connector works?
>>>>
>>>> In my scenario, I am adding a user via SCIM and trying to update the
>>>> user via SCIM. I have enabled SPML connector and added it under resident
>>>> service provider.
>>>>
>>>> When I add a user via SCIM, I get the below warning. Please explain why
>>>> it triggers SPML connector when I add a user via SCIM.
>>>>
>>>> I cannot find enough information in this doc [1]
>>>>
>>>> [1] https://docs.wso2.com/display/IS530/Outbound+Provisioning+with+SPML
>>>>
>>>> [2017-11-13 18:26:39,204]  WARN {org.wso2.carbon.identity.prov
>>>> isioning.connector.spml.SPMLProvisioningConnector} -  Unsupported
>>>> provisioning opertaion.
>>>> [2017-11-13 18:26:39,212]  WARN {org.wso2.carbon.identity.prov
>>>> isioning.connector.spml.SPMLProvisioningConnector} -  Unsupported
>>>> provisioning opertaion.
>>>> [2017-11-13 18:26:39,218]  WARN {org.wso2.carbon.identity.prov
>>>> isioning.connector.spml.SPMLProvisioningConnector} -  Unsupported
>>>> provisioning opertaion.
>>>> [2017-11-13 18:26:39,227] ERROR {org.wso2.carbon.identity.prov
>>>> isioning.connector.spml.SPMLProvisioningConnector} -  Error while SPML
>>>> user updating
>>>>
>>>>
>>>>
>>>> Thanks,
>>>> --
>>>> *Ushani Balasooriya*
>>>> Associate Technical Lead - EE;
>>>> WSO2 Inc; http://www.wso2.com/.
>>>> Mobile; +94772636796
>>>>
>>>>
>>>
>>
>>
>> --
>> Ishara Karunarathna
>> Associate Technical Lead
>> WSO2 Inc. - lean . enterprise . middleware |  wso2.com
>>
>> email: isha...@wso2.com,   blog: isharaaruna.blogspot.com,   mobile:
>> +94717996791
>>
>>
>>
>
>
> --
> *Ushani Balasooriya*
> Associate Technical Lead - EE;
> WSO2 Inc; http://www.wso2.com/.
> Mobile; +94772636796
>
>


-- 
Ishara Karunarathna
Associate Technical Lead
WSO2 Inc. - lean . enterprise . middleware |  wso2.com

email: isha...@wso2.com,   blog: isharaaruna.blogspot.com,   mobile:
+94717996791


[Dev] Why do we need to patch authentication.framework.jar when deploying CAS artifacts

2017-11-13 Thread Ishara Karunarathna
Hi Connector team,

Why do we need to do the $subject? And if it's a customization, where can I
find the source code?

Thanks,
Ishara

-- 
Ishara Karunarathna
Associate Technical Lead
WSO2 Inc. - lean . enterprise . middleware |  wso2.com

email: isha...@wso2.com,   blog: isharaaruna.blogspot.com,   mobile:
+94717996791


Re: [Dev] SPML Outbound provisioning Use case

2017-11-13 Thread Ishara Karunarathna
Hi Ushani,

Shall we try with the SCIM outbound provisioning scenario?
SPML is not a widely used provisioning mechanism in the industry, but testing
SCIM is important.

Thanks,
Ishara


On Mon, Nov 13, 2017 at 7:01 PM, Farasath Ahamed <farasa...@wso2.com> wrote:

> Hi Ushani,
>
> When you configure an outbound provisioning to *Resident Service
> Provider, *any changes you do to local users will be provisioned to
> configured outbound provisioning connectors.
>
> So,
>
> SCIM Call ---> Resident SP --> Provision using SPML.
>
> By configuring an outbound provisioning connector you are asking IS to
> sync any changes(any CRUD operation) you do to a local user (in a user
> store) with an external entity. You would observe the same behaviour even
> if you add a user from the management console.
>
> Any CRUD to local user ---> Resident SP --> Trigger outbound provisioning
> connectors.
>
> Any particular reason you are trying out SPML since it's a deprecated
> connector?
>
> Thanks,
> Farasath
>
> Farasath Ahamed
> Software Engineer, WSO2 Inc.; http://wso2.com
> Mobile: +94777603866
> Blog: blog.farazath.com
> Twitter: @farazath619 <https://twitter.com/farazath619>
> <http://wso2.com/signature>
>
>
>
> On Mon, Nov 13, 2017 at 6:31 PM, Ushani Balasooriya <ush...@wso2.com>
> wrote:
>
>> Hi IAM Team,
>>
>>
>> Can you please explain me how does SPML outbound connector works?
>>
>> In my scenario, I am adding a user via SCIM and trying to update the user
>> via SCIM. I have enabled SPML connector and added it under resident service
>> provider.
>>
>> When I add a user via SCIM, I get the below warning. Please explain why
>> it triggers SPML connector when I add a user via SCIM.
>>
>> I cannot find enough information in this doc [1]
>>
>> [1] https://docs.wso2.com/display/IS530/Outbound+Provisioning+with+SPML
>>
>> [2017-11-13 18:26:39,204]  WARN {org.wso2.carbon.identity.prov
>> isioning.connector.spml.SPMLProvisioningConnector} -  Unsupported
>> provisioning opertaion.
>> [2017-11-13 18:26:39,212]  WARN {org.wso2.carbon.identity.prov
>> isioning.connector.spml.SPMLProvisioningConnector} -  Unsupported
>> provisioning opertaion.
>> [2017-11-13 18:26:39,218]  WARN {org.wso2.carbon.identity.prov
>> isioning.connector.spml.SPMLProvisioningConnector} -  Unsupported
>> provisioning opertaion.
>> [2017-11-13 18:26:39,227] ERROR {org.wso2.carbon.identity.prov
>> isioning.connector.spml.SPMLProvisioningConnector} -  Error while SPML
>> user updating
>>
>>
>>
>> Thanks,
>> --
>> *Ushani Balasooriya*
>> Associate Technical Lead - EE;
>> WSO2 Inc; http://www.wso2.com/.
>> Mobile; +94772636796
>>
>>
>


-- 
Ishara Karunarathna
Associate Technical Lead
WSO2 Inc. - lean . enterprise . middleware |  wso2.com

email: isha...@wso2.com,   blog: isharaaruna.blogspot.com,   mobile:
+94717996791


Re: [Dev] Usage of "tocommonauth" property in OAuth2 Authorize Endpoint

2017-10-27 Thread Ishara Karunarathna
Hi Isura,



On Fri, Oct 27, 2017 at 7:43 PM, Isura Karunaratne <is...@wso2.com> wrote:

> Hi all,
>
> If the "tocommonauth" property value is true, the authentication response
> from the login page will forward to the commonauth endpoint through OAuth2
> Authorize Endpoint.
>
>
>- IIRC, this was done to reduce the number of redirection in OAuth
>flow, but I think it is better to handle all the login response from the
>commonauth endpoint.
>
> This is used in SAML flow as well to reduce the redirections.

>
>- Do we need to continue supporting this or shall we remove this?
>
>
At the moment, in IS components we are not setting this parameter, but
there are some other components, e.g. App Manager, using this (maybe customers
might have implemented authenticators with this parameter).
Do you see any issues supporting this?
If not, I think it's better to keep this.

-Ishara

> String isToCommonOauth =
>         request.getParameter(FrameworkConstants.RequestParams.TO_COMMONAUTH);
>
> if ("true".equals(isToCommonOauth) && flowStatus == null) {
>     try {
>         return sendRequestToFramework(request, response);
>     } catch (ServletException | IOException e) {
>         log.error("Error occurred while sending request to authentication framework.");
>         return Response.status(HttpServletResponse.SC_INTERNAL_SERVER_ERROR).build();
>     }
> }
>
>
>
> Thanks
> Isura.
>
> --
>
> *Isura Dilhara Karunaratne*
> Associate Technical Lead | WSO2
> Email: is...@wso2.com
> Mob : +94 772 254 810 <+94%2077%20225%204810>
> Blog : http://isurad.blogspot.com/
>
>
>
>


-- 
Ishara Karunarathna
Associate Technical Lead
WSO2 Inc. - lean . enterprise . middleware |  wso2.com

email: isha...@wso2.com,   blog: isharaaruna.blogspot.com,   mobile:
+94717996791


Re: [Dev] Have we tested the new DCR on IS 5.4.0 Alpha2?

2017-09-14 Thread Ishara Karunarathna
Hi Nuwan,

On Fri, Sep 15, 2017 at 7:14 AM, Nuwan Dias <nuw...@wso2.com> wrote:

> Hi Hasintha,
>
> Isn't this the old DCR implementation? This one doesn't mention about
> DCRM. Where can I get information on using DCRM?
>
> I was under the impression the new DCR implementation was documented at
> [3]. This doc mentions about DCRM too, hence why I thought that should be
> the new implementation of DCR/M.
>
Yes, that is the old implementation and you should use [3].
But the sample request in the YAML needs to be changed: we no longer
support the ext_param_owne property, instead we get it from the
authenticated user.
So the request should be
Payload: {"redirect_uris":["https://client.example.org/callback"],"client_name":"application_3","grant_types": ["password"]}

Thanks,
Ishara

> [3] - https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth.dcr.endpoint/src/main/resources/api.identity.oauth.dcr.endpoint.yaml
>
> Thanks,
> NuwanD.
>
> On Fri, Sep 15, 2017 at 5:39 AM, Hasintha Indrajee <hasin...@wso2.com>
> wrote:
>
>> For IS endpoint should be https://localhost:9443/identity/connect/register. Refer [1][2]
>>
>> [1] http://openid.net/specs/openid-connect-registration-1_0.html
>> [2] https://docs.wso2.com/display/IS540/OpenID+Connect+Dynamic+Client+Registration
>>
>
>
>
> --
> Nuwan Dias
>
> Software Architect - WSO2, Inc. http://wso2.com
> email : nuw...@wso2.com
> Phone : +94 777 775 729 <+94%2077%20777%205729>
>



-- 
Ishara Karunarathna
Associate Technical Lead
WSO2 Inc. - lean . enterprise . middleware |  wso2.com

email: isha...@wso2.com,   blog: isharaaruna.blogspot.com,   mobile:
+94717996791


Re: [Dev] SCIM 2.0 as default in IS 5.4.0

2017-09-11 Thread Ishara Karunarathna
Hi Pulasthi,

Initially, industry adoption of SCIM 2.0 was low compared to SCIM 1.1, but
it seems to be getting on track [1],
so +1, let's make SCIM 2.0 the default.

-Ishara

[1] http://www.simplecloud.info/

On Mon, Sep 11, 2017 at 5:34 PM, Pulasthi Mahawithana <pulast...@wso2.com>
wrote:

> Hi,
>
> Shall we make $subject instead of SCIM 1.1? Any known issues on having it
> as default? Users who are migrating from older versions will still have
> SCIM 1.1 configs and won't be affected as they would keep the old configs.
>
>
> --
> *Pulasthi Mahawithana*
> Senior Software Engineer
> WSO2 Inc., http://wso2.com/
> Mobile: +94-71-5179022 <+94%2071%20517%209022>
> Blog: https://medium.com/@pulasthi7/
>
> <https://wso2.com/signature>
>



-- 
Ishara Karunarathna
Associate Technical Lead
WSO2 Inc. - lean . enterprise . middleware |  wso2.com

email: isha...@wso2.com,   blog: isharaaruna.blogspot.com,   mobile:
+94717996791


Re: [Dev] [IS] [SCIM] Why Can't We Enable Both SCIM1 and SCIM2 at the Same Time?

2017-08-30 Thread Ishara Karunarathna
HI,

On Thu, Aug 31, 2017 at 7:26 AM, Sagara Gunathunga <sag...@wso2.com> wrote:

>
>
> On Thu, Aug 31, 2017 at 12:12 AM, Vindula Jayawardana <
> vindula...@cse.mrt.ac.lk> wrote:
>
>> Hi,
>>
>> IMO, should be able to enable both at the same time. What is the issue
>> you faced when enabling both?
>>
>> Achieving interoperability between 1.1 consumers and 2.0 providers can
>> have two practical approaches. One approach is to have a multi-protocol
>> ability in the SCIM service provider’s end. This could be potentially done
>> through unique URL structure (https://localhost:9443/wso2/scim/Users and
>> https://localhost:9443/scim2/Users). That means the provider can accept
>> both 1.1 and 2.0 consumers. On the other hand, SCIM consumer can be
>> modified to support the 1.1 and 2.0 protocols. However, since SCIM
>> specifications are focusing on keeping things simple and easy at the
>> consumer end, I would rather suggest the first approach. That’s why we
>> should be able to enable both the protocols at the same time.
>>
>> *Vindula Jayawardana*
>> Computer Science and Engineering Dept.
>> University of Moratuwa
>> mobile : +713462554
>> Email : vindula...@cse.mrt.ac.lk
>>
>> <https://www.facebook.com/vindula.jayawardana>
>> <http://lk.linkedin.com/pub/vindula-jayawardana/a7/315/53b>
>> <https://plus.google.com/u/0/+VindulaJayawardana/posts>
>> <https://twitter.com/vindulajay>
>>
>> *“Respect is how to treat everyone, not just those you want to impress. "*
>>
>>
>> *-Richard Branson-*
>>
>>
>>
>> On 30 August 2017 at 18:33, Sathya Bandara <sat...@wso2.com> wrote:
>>
>>> Hi Thilina,
>>>
>>> If we enable both SCIM1 and SCIM2 listeners at the same time two
>>> different SCIM IDs will be generated for the same user when adding a new
>>> user through SCIM. Also both SCIM1 and SCIM2 claims are mapped to the same
>>> LDAP user attributes. Even though both listeners get triggered only the
>>> SCIM1 ID is mapped to the user ID attribute. But the SCIM2 user creation
>>> response will contain the SCIM ID generated by SCIM2 listener.
>>>
>>
> This is not a SCIM related problem instead a limitation of our
> implementation, SCIM is just a interface or wrapping  layer for our
> user/role management  layer. Ideally  it should not perform tasks such as
> ID generation by it's own, instead once the SCIM protocol  specific
> processing is completed  both SCIM1 and SCIM2 implementations should
> delegate requests into a common layer, in that way we can provide
> interoperability  between SCIM1 and SCIM2.
>
> +1 for Vindula's suggestion on multi-protocol approach.
>
Technically this is possible, so +1 for doing this for 5.4.0.

But I don't see any value in supporting both together, since these are only
user management APIs and sooner or later we have to deprecate SCIM 1.1.

Thanks,
Ishara

>
> Thanks !
>
>>
>>> Thanks,
>>> Sathya
>>>
>>> On Wed, Aug 30, 2017 at 6:25 PM, Thilina Madumal <thilina...@wso2.com>
>>> wrote:
>>>
>>>>
>>>> Hi all,
>>>>
>>>> While I was trying to fix IDENTITY-6315
>>>> <https://wso2.org/jira/browse/IDENTITY-6315> I got to know that we
>>>> can't enable both SCIM1 and SCIM2 at the same time in WSO2 Identity Server.
>>>> Is it because of this specific issue or is there any other reasons?
>>>>
>>>> Thanks & Regards,
>>>> Thilina.
>>>>
>>>> --
>>>> *Thilina Madumal*
>>>> *Software Engineer | **WSO2*
>>>> Email: thilina...@wso2.com
>>>> Mobile: *+94 774553167*
>>>> Web: http://wso2.com
>>>>
>>>> <http://wso2.com/signature>
>>>>
>>>>
>>>
>>>
>>> --
>>> Sathya Bandara
>>> Software Engineer
>>> WSO2 Inc. http://wso2.com
>>> Mobile: (+94) 715 360 421
>>>
>>>
>>>
>>
>>
>>
>
>
> --
> Sagara Gunathunga
>
> Associate Director / Architect; WSO2, Inc.;  http://wso2.com
> V.P Apache Web Services;http://ws.apache.org/
> Linkedin; http://www.linkedin.com/in/ssagara
> Blog ;  http://ssagara.blogspot.com
>
>
>
>


-- 
Ishara Karunarathna
Associate Technical Lead
WSO2 Inc. - lean . enterprise . middleware |  wso2.com

email: isha...@wso2.com,   blog: isharaaruna.blogspot.com,   mobile:
+94717996791


Re: [Dev] [GSOC-2017] [IS] [OAuth DCRM] Integration Test for the implementation of OAuth 2.0 DCRM protocol

2017-08-10 Thread Ishara Karunarathna
Hi,

Thanks Abilashini, will review the PR

-Ishara

On Wed, Aug 9, 2017 at 1:05 PM, Abilashini Thiyagarajah <
abilashini...@cse.mrt.ac.lk> wrote:

> Hi,
>
> Please find the PR of the integration test cases [1] for the
> implementation of OAuth DCRM protocol [2].
>
> Covered test cases in this PR as follow,
>
>1. Successful Read service provider
>2. Read request with invalid client ID in the endpoint URL
>3. Successful update service provider
>4. Update request with invalid client ID in the endpoint URL
>5. Update request with invalid client ID
>6. Update request with invalid client secret
>7. Update request without grant type
>8. Update request with invalid grant type
>9. Successful Delete service provider
>10. Delete request with invalid client ID in the endpoint URL
>
> Please share your feedback to improve further
>
> [1] https://github.com/wso2/product-is/pull/1293
> [2] https://github.com/wso2-extensions/identity-inbound-auth-oauth/pull/396
>
> Best Regards,
> Abilashini
>
> *Thiyagarajah Abilashini*
> Student
> Department of Computer Science and Engineering
> University of Moratuwa, Sri Lanka
>



-- 
Ishara Karunarathna
Associate Technical Lead
WSO2 Inc. - lean . enterprise . middleware |  wso2.com

email: isha...@wso2.com,   blog: isharaaruna.blogspot.com,   mobile:
+94717996791


Re: [Dev] [VOTE] Release WSO2 Carbon Kernel 4.4.17 RC2

2017-07-21 Thread Ishara Karunarathna
Hi Chandana,

IS team is waiting on this kernel release.
You have already fixed the issue raised by Lahiru. Can you give us an
update on this release?

-Ishara

On Wed, Jul 19, 2017 at 12:45 PM, Lahiru Manohara <lahir...@wso2.com> wrote:

> Hi Chandana,
>
> I have created an issue [1].
>
> 1. https://github.com/wso2/carbon-kernel/issues/1442
>
> Best Regards,
>
> On Wed, Jul 19, 2017 at 11:56 AM, Chandana Napagoda <chand...@wso2.com>
> wrote:
>
>> Hi All,
>>
>> We are dropping the carbon kernel 4.4.17 RC2 and will share the new
>> release candidate soon.
>>
>> @Lahiru, Could you please create an issue for this?
>>
>> Regards,
>> Chandana
>>
>> On Tue, Jul 18, 2017 at 2:45 PM, Lahiru Manohara <lahir...@wso2.com>
>> wrote:
>>
>>> The provided public certificate in the default keystore is expired. It
>>> is issued only for 3 months and it is already expired. Please update the
>>> certificate with a longer duration.
>>>
>>> [x] Broken - Do not release
>>>
>>> Best Regards,
>>>
>>> On Fri, Jul 14, 2017 at 11:40 PM, Rushmin Fernando <rush...@wso2.com>
>>> wrote:
>>>
>>>> Built IS 5.x.x branch with the integrations tests.
>>>>
>>>> Manually tested user management.
>>>>   1) In tenants
>>>>   2) Using the embedded LDAP primary user store
>>>>   3) Using a JDBC secondary user store
>>>>
>>>>
>>>> Found no issues.
>>>>
>>>> [ x] Stable  - Go ahead and release
>>>>
>>>> On Fri, Jul 14, 2017 at 2:04 PM, Chandana Napagoda <chand...@wso2.com>
>>>> wrote:
>>>>
>>>>> Hi All,
>>>>>
>>>>> This is the 2nd release candidate of WSO2 Carbon Kernel 4.4.17.
>>>>>
>>>>> This release fixes the following issues
>>>>> https://github.com/wso2/carbon-kernel/milestone/15?closed=1
>>>>>
>>>>> Please download and test your products with kernel 4.4.17 RC2 and
>>>>> vote. The vote will be open for 72 hours or as long as needed.
>>>>>
>>>>> Maven staging repository:
>>>>> https://maven.wso2.org/nexus/content/repositories/orgwso2carbon-1184/
>>>>>
>>>>> The tag to be voted upon:
>>>>> https://github.com/wso2/carbon-kernel/releases/tag/v4.4.17-rc2
>>>>>
>>>>> [ ] Broken - Do not release (explain why)
>>>>> [ ] Stable  - Go ahead and release
>>>>>
>>>>> Thank you
>>>>> Platform Team
>>>>>
>>>>> --
>>>>> *Chandana Napagoda*
>>>>> Associate Technical Lead
>>>>> WSO2 Inc. - http://wso2.org
>>>>>
>>>>> *Email  :  chand...@wso2.com <chand...@wso2.com>**Mobile :
>>>>> +94718169299 <+94%2071%20816%209299>*
>>>>>
>>>>> *Blog  :http://cnapagoda.blogspot.com
>>>>> <http://cnapagoda.blogspot.com> | http://chandana.napagoda.com
>>>>> <http://chandana.napagoda.com>*
>>>>>
>>>>> *Linkedin : http://www.linkedin.com/in/chandananapagoda
>>>>> <http://www.linkedin.com/in/chandananapagoda>*
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> *Best Regards*
>>>>
>>>> *Rushmin Fernando*
>>>> *Technical Lead*
>>>>
>>>> WSO2 Inc. <http://wso2.com/> - Lean . Enterprise . Middleware
>>>>
>>>> mobile : +94775615183
>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> *Lahiru Manohara*
>>> *Software Engineer*
>>> Mobile: +94716561576
>>> WSO2 Inc. | http://wso2.com
>>> lean.enterprise.middleware
>>>
>>>
>>
>>
>> --
>> *Chandana Napagoda*
>> Associate Technical Lead
>> WSO2 Inc. - http://wso2.org
>>
>> *Email  :  chand...@wso2.com <chand...@wso2.com>**Mobile : +94718169299
>> <+94%2071%20816%209299>*
>>
>> *Blog  :http://cnapagoda.blogspot.com <http://cnapagoda.blogspot.com>
>> | http://chandana.napagoda.com <http://chandana.napagoda.com>*
>>
>> *Linkedin : http://www.linkedin.com/in/chandananapagoda
>> <http://www.linkedin.com/in/chandananapagoda>*
>>
>>
>
>
> --
> *Lahiru Manohara*
> *Software Engineer*
> Mobile: +94716561576
> WSO2 Inc. | http://wso2.com
> lean.enterprise.middleware
>
>
>
>


-- 
Ishara Karunarathna
Associate Technical Lead
WSO2 Inc. - lean . enterprise . middleware |  wso2.com

email: isha...@wso2.com,   blog: isharaaruna.blogspot.com,   mobile:
+94717996791


Re: [Dev] Please increase the TOKEN_SCOPE column length in IDN_OAUTH2_ACCESS_TOKEN_SCOPE table

2017-06-22 Thread Ishara Karunarathna
On Thu, Jun 22, 2017 at 3:44 PM, Bhathiya Jayasekara <bhath...@wso2.com>
wrote:

> I think the problem is we have sent the list as comma-separated list. Due
> to that IS may think that's a single scope.
>
Yes, only a space should be used to separate scopes.

-Ishara

>
> @Naduni: Please try again with space separated list, and update if it
> works.
>
> Thanks,
> Bhathiya
>
> On Thu, Jun 22, 2017 at 3:37 PM, Maduranga Siriwardena <madura...@wso2.com
> > wrote:
>
>> Hi Naduni,
>>
>> Please note that scope in [1] is a single scope value and other 2 places
>> has the whole scope string for a token (or authorization code).
>>
>> As you get this error, seems to be your single scope values are more than
>> 60 characters in length.
>>
>> [1] https://github.com/wso2/carbon-identity-framework/blob/master/features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/mysql.sql#L105
>>
>> Thanks,
>>
>> On Thu, Jun 22, 2017 at 12:53 PM, Naduni Pamudika <nad...@wso2.com>
>> wrote:
>>
>>> Thanks a lot Indunil.
>>>
>>> On Thu, Jun 22, 2017 at 12:38 PM, Isura Karunaratne <is...@wso2.com>
>>> wrote:
>>>
>>>>
>>>> On Thu, Jun 22, 2017 at 12:21 PM, Nuwan Dias <nuw...@wso2.com> wrote:
>>>>
>>>>> Please remember to include this change in the migration script (5.3.0
>>>>> to 5.4.0) as well.
>>>>>
>>>> Noted. [1] is used to maintain the changes from 5.3.0 to 5.4.0.
>>>>
>>>> [1] https://wso2.org/jira/browse/IDENTITY-6094
>>>>
>>>> Thanks
>>>> Isura.
>>>>
>>>>>
>>>>> On Thu, Jun 22, 2017 at 12:19 PM, Indunil Upeksha Rathnayake <
>>>>> indu...@wso2.com> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> Created a JIRA for this in [1], will be fixed in 5.4.0-m2.
>>>>>>
>>>>>> [1] https://wso2.org/jira/browse/IDENTITY-6093
>>>>>>
>>>>>> Thanks and Regards
>>>>>>
>>>>>> On Thu, Jun 22, 2017 at 11:54 AM, Naduni Pamudika <nad...@wso2.com>
>>>>>> wrote:
>>>>>>
>>>>>>> Hi IS Team,
>>>>>>>
>>>>>>> I am working on the SSO Login feature in APIM, and there I need to
>>>>>>> have a bit longer scopes list. When I was trying to send the access token
>>>>>>> request it gave an error saying "Value too long for column
>>>>>>> "TOKEN_SCOPE VARCHAR(60) NOT NULL"".
>>>>>>>
>>>>>>> Noticed that you have size 2048 for the scopes in other places
>>>>>>> [1,2]. Can you please increase this [3] as well?
>>>>>>>
>>>>>>> [1] https://github.com/wso2/carbon-identity-framework/blob/master/features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/mysql.sql#L31
>>>>>>> [2] https://github.com/wso2/carbon-identity-framework/blob/master/features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/mysql.sql#L86
>>>>>>> [3] https://github.com/wso2/carbon-identity-framework/blob/master/features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts/mysql.sql#L105
>>>>>>>
>>>>>>> Thank you.
>>>>>>> Naduni
>>>>>>>
>>>>>>> --
>>>>>>> *Naduni Pamudika*
>>>>>>> Software Engineer | WSO2
>>>>>>> Mobile: +94 719 143658 <+94%2071%20914%203658>
>>>>>>> [image: http://wso2.com/signature] <http://wso2.com/signature>
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Indunil Upeksha Rathnayake
>>>>>> Software Engineer | WSO2 Inc
>>>>>> Email    indu...@wso2.com
>>>>>> Mobile   0772182255
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Nuwan Dias
>>>>>
>>>>>
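
The delimiter point made in this thread, as an added example that is not part of the original messages or of WSO2 code: RFC 6749 section 3.3 scopes are space-delimited, and a comma is a legal scope-token character, so a comma-separated list parses as one valid scope that can exceed the per-scope TOKEN_SCOPE VARCHAR(60) column quoted above. The scope names and function names are constructed for illustration.

```python
import re

# RFC 6749 section 3.3:
#   scope       = scope-token *( SP scope-token )
#   scope-token = 1*NQCHAR
#   NQCHAR      = %x21 / %x23-5B / %x5D-7E
# A comma (0x2C) is a legal NQCHAR, so "a,b,c" is ONE syntactically valid token.
SCOPE_TOKEN = re.compile(r"[\x21\x23-\x5B\x5D-\x7E]+")

# Width of the per-scope column quoted in the thread: TOKEN_SCOPE VARCHAR(60).
TOKEN_SCOPE_WIDTH = 60

# Constructed sample scope names (assumption, not taken from the thread).
SAMPLE_SCOPES = [
    "apim:api_view",
    "apim:api_create",
    "apim:api_publish",
    "apim:subscribe",
    "apim:tier_view",
]


def parse_scope(param):
    """Split a scope parameter into scope tokens, rejecting illegal characters.

    The grammar allows exactly one space between tokens, so a doubled space
    produces an empty token and is rejected as well.
    """
    if not param:
        return []
    tokens = param.split(" ")
    for tok in tokens:
        if not SCOPE_TOKEN.fullmatch(tok):
            raise ValueError(f"invalid scope token: {tok!r}")
    # Order is not significant in RFC 6749; de-duplicate, keep first-seen order.
    return list(dict.fromkeys(tokens))


def check_scope(param, width=TOKEN_SCOPE_WIDTH):
    """Return (tokens, too_long, suspicious) for a requested scope string."""
    tokens = parse_scope(param)
    # Tokens that would not fit in a column that stores one scope per row.
    too_long = [t for t in tokens if len(t) > width]
    # A comma inside a token is legal but usually means the wrong delimiter.
    suspicious = [t for t in tokens if "," in t]
    return tokens, too_long, suspicious


if __name__ == "__main__":
    for label, sep in (("comma", ","), ("space", " ")):
        tokens, too_long, suspicious = check_scope(sep.join(SAMPLE_SCOPES))
        print(label, len(tokens), "token(s); too long:", too_long,
              "; suspicious:", suspicious)
```

A client-side check like this catches the wrong delimiter before the token request is sent, instead of surfacing as a database column error on the server.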

Re: [Dev] Improvements to OAuth Dynamic Client Registration

2017-06-01 Thread Ishara Karunarathna
>>>>>> University of Moratuwa, Sri Lanka
>>>>>>>>>>>
>>>>>>>>>>> On 9 May 2017 at 09:16, Maduranga Siriwardena <
>>>>>>>>>>> madura...@wso2.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Hi Abilashini,
>>>>>>>>>>>>
>>>>>>>>>>>> As discussed can you start working on [1] and [2] to improve
>>>>>>>>>>>> the existing DCR functionality. If you need any clarification or help,
>>>>>>>>>>>> please get back to us.
>>>>>>>>>>>>
>>>>>>>>>>>> [1] https://wso2.org/jira/browse/IDENTITY-5529
>>>>>>>>>>>> [2] https://wso2.org/jira/browse/IDENTITY-5185
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks,
>>>>>>>>>>>> --
>>>>>>>>>>>> Maduranga Siriwardena
>>>>>>>>>>>> Senior Software Engineer
>>>>>>>>>>>> WSO2 Inc; http://wso2.com/
>>>>>>>>>>>>
>>>>>>>>>>>> Email: madura...@wso2.com
>>>>>>>>>>>> Mobile: +94718990591 <+94%2071%20899%200591>
>>>>>>>>>>>> Blog: *https://madurangasiriwardena.wordpress.com/
>>>>>>>>>>>> <https://madurangasiriwardena.wordpress.com/>*
>>>>>>>>>>>> <http://wso2.com/signature>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Dimuthu De Lanerolle
>>>>>>>>>> Software Engineer
>>>>>>>>>> WSO2 Inc.
>>>>>>>>>> lean . enterprise . middlewear.
>>>>>>>>>> http://wso2.com/
>>>>>>>>>> Tel. : +94 11 2145345 <011%202%20145345>  Fax : +94 11 2145300
>>>>>>>>>> <011%202%20145300>  email : dimut...@wso2.com
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Maduranga Siriwardena
>>>>>>> Senior Software Engineer
>>>>>>> WSO2 Inc; http://wso2.com/
>>>>>>>
>>>>>>> Email: madura...@wso2.com
>>>>>>> Mobile: +94718990591 <+94%2071%20899%200591>
>>>>>>> Blog: *https://madurangasiriwardena.wordpress.com/
>>>>>>> <https://madurangasiriwardena.wordpress.com/>*
>>>>>>> <http://wso2.com/signature>
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Pushpalanka.
>>>>> --
>>>>> Pushpalanka Jayawardhana, B.Sc.Eng.(Hons).
>>>>> Senior Software Engineer, WSO2 Lanka (pvt) Ltd;  wso2.com/
>>>>> Mobile: +94779716248
>>>>> Blog: pushpalankajaya.blogspot.com/ | LinkedIn: lk.linkedin.com/in/p
>>>>> ushpalanka/ | Twitter: @pushpalanka
>>>>>
>>>>>
>>>>
>>>
>>>
>>> --
>>> Pushpalanka.
>>> --
>>> Pushpalanka Jayawardhana, B.Sc.Eng.(Hons).
>>> Senior Software Engineer, WSO2 Lanka (pvt) Ltd;  wso2.com/
>>> Mobile: +94779716248
>>> Blog: pushpalankajaya.blogspot.com/ | LinkedIn: lk.linkedin.com/in/p
>>> ushpalanka/ | Twitter: @pushpalanka
>>>
>>>
>>
>>
>>
>
>
> --
> *Bhathiya Jayasekara*
> *Associate Technical Lead,*
> *WSO2 inc., http://wso2.com <http://wso2.com>*
>
> *Phone: +94715478185 <+94%2071%20547%208185>*
> *LinkedIn: http://www.linkedin.com/in/bhathiyaj
> <http://www.linkedin.com/in/bhathiyaj>*
> *Twitter: https://twitter.com/bhathiyax <https://twitter.com/bhathiyax>*
> *Blog: http://movingaheadblog.blogspot.com
> <http://movingaheadblog.blogspot.com/>*
>



-- 
Ishara Karunarathna
Associate Technical Lead
WSO2 Inc. - lean . enterprise . middleware |  wso2.com

email: isha...@wso2.com,   blog: isharaaruna.blogspot.com,   mobile:
+94717996791


Re: [Dev] Implemeting Scope Validator

2017-05-16 Thread Ishara Karunarathna
intention of using scope validate is to handle OIDC support in a single
place.


On Tue, May 16, 2017 at 7:52 PM, Farasath Ahamed  wrote:

>
> On Tue, May 16, 2017 at 7:38 PM, Hasanthi Purnima Dissanayake <
> hasan...@wso2.com> wrote:
>
>> Hi All,
>> In our current OIDC implementation we support below four grant types and
>> issue id tokens and user info claims for all the below grant type.
>>
>>- authorization_code
>>- implicit
>>- client_credential
>>- password
>>
>> What about extension grant types like SAML2BearerGrant, JWTBearer or any
> other custom grant type we write?
> AFAIR we do issue id_tokens to any grant type when "openid" scope is
> present.
>
>
>> Among those 4 grant types that we have implemented, OIDC spec discusses
>> about only implict and authorization_code grant types. According to the
>> spec "openid" scope value is a must to Inform the Authorization Server
>> that the client is making an OpenID Connect request. So we have introduced
>> a new property in identity.xml as below and we have implemented a scope
>> validator to validate whether the grant types are authorization_code ,
>> implicit or password if the scope is openid.
>>
>
>> 
>> 

Re: [Dev] [APIM][C5] - Best Way to get the end user information

2017-05-14 Thread Ishara Karunarathna
On Sun, May 14, 2017 at 12:54 PM, Nuwan Dias <nuw...@wso2.com> wrote:

> Ok. All of these are extensions anyway. If some IDP sends the same
> responses as IS the benefit is that we can just plug and play. If there are
> differences we basically have to write code and deploy as extensions.
>
Yes, these implementations can differ from IDP to IDP.
So it is better to do the default implementation with IS and keep extensions for
other implementations.

>
> On Sun, 14 May 2017 at 12:44 pm, Farasath Ahamed <farasa...@wso2.com>
> wrote:
>
>> On Sun, May 14, 2017 at 12:30 PM, Nuwan Dias <nuw...@wso2.com> wrote:
>>
>>> It looks like we may have to use the introspect to validate the token
>>> and use a proprietary api in IS to get user claims.
>>>
>>
>> Sending username of the authorized user in the introspection response is
>> not mandatory. IS sends by default. This may not be the same with external
>> Key Managers. So we might have to consider that as well.
>>
>>
>>> When using an external KM we will have to override the part that gets
>>> user claims. That's of course if they want to send JWT to target endpoints
>>> only.
>>>
>>> On Sun, 14 May 2017 at 8:57 am, Bhathiya Jayasekara <bhath...@wso2.com>
>>> wrote:
>>>
>>>> Hi Ishara,
>>>>
>>>> On Sun, May 14, 2017 at 8:51 AM, Ishara Karunarathna <isha...@wso2.com>
>>>> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> On Sun, May 14, 2017 at 8:42 AM, Ishara Karunarathna <isha...@wso2.com
>>>>> > wrote:
>>>>>
>>>>>> Hi Bhathiya,
>>>>>>
>>>>>> On Sun, May 14, 2017 at 8:18 AM, Bhathiya Jayasekara <
>>>>>> bhath...@wso2.com> wrote:
>>>>>>
>>>>>>> Hi Ishara,
>>>>>>>
>>>>>>> On Sun, May 14, 2017 at 7:16 AM, Ishara Karunarathna <
>>>>>>> isha...@wso2.com> wrote:
>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> In the current implementations you get a JWT token from token
>>>>>>>> validation service regardless of the grant types.
>>>>>>>> But this would be a problem when you go with standards only. For
>>>>>>>> example you may not be able to get an ID token from the IDP if it's only
>>>>>>>> supporting specifications.
>>>>>>>>
>>>>>>>
>>>>>>> We thought of using "openid" scope when generating token and then
>>>>>>> call userinfo after validating (introspect) the token. I expect that
>>>>>>> should work if the IDP is compliant with the specs. WDYT?
>>>>>>>
>>>>>> What I'm saying is that not all the OAuth grant types work with
>>>>>> OIDC.
>>>>>> For example, in the password grant type you can't use OIDC. OIDC defines
>>>>>> only authorization code and implicit grant types (it has a hybrid flow as
>>>>>> well).
>>>>>> In that case you can't expect to get an ID token for all grant types.
>>>>>>
>>>>>
>>>> Oh that's going to be a problem.
>>>>
>>>>
>>>>> So do you need this user information in all the cases ??
>>>>>
>>>>
>>>> Yes we may need, especially in password grant type. If this is not going
>>>> to work, we will have to think of a different solution (like the SCIM one
>>>> you suggested.)
>>>>
>>>> Thanks,
>>>> Bhathiya
>>>>
>>>>
>>>>>
>>>>> One option that comes to my mind is:
>>>>> in the token introspection response, get the user name,
>>>>> and then call a SCIM endpoint (or any other API to get the user
>>>>> information) to get user information.
>>>>>
>>>>> But this also has an issue: this username is an optional parameter.
>>>>>
>>>>>
>>>>>>
>>>>>> So do you need this user information in all the cases ??
>>>>>>
>>>>>>
>>>>>>> Thanks,
>>>>>>> Bhathiya
>>>>>>>
>>>>>>>
>>>>>>>>
>>>>>>>> so this has to be address ca

Re: [Dev] [APIM][C5] - Best Way to get the end user information

2017-05-13 Thread Ishara Karunarathna
Hi,

On Sun, May 14, 2017 at 8:42 AM, Ishara Karunarathna <isha...@wso2.com>
wrote:

> Hi Bhathiya,
>
> On Sun, May 14, 2017 at 8:18 AM, Bhathiya Jayasekara <bhath...@wso2.com>
> wrote:
>
>> Hi Ishara,
>>
>> On Sun, May 14, 2017 at 7:16 AM, Ishara Karunarathna <isha...@wso2.com>
>> wrote:
>>
>>> Hi,
>>>
>>> In the current implementations you get a JWT token from token validation
>>> service regardless of the grant types.
>>> But this would be a problem when you go with standards only. For example
>>> you may not be able to get an ID token from the IDP if it's only supporting
>>> specifications.
>>>
>>
>> We thought of using "openid" scope when generating token and then call
>> userinfo after validating (introspect) the token. I expect that should work
>> if the IDP is compliant with the specs. WDYT?
>>
> What I'm saying is that not all the OAuth grant types work with OIDC.
> For example, in the password grant type you can't use OIDC. OIDC defines only
> authorization code and implicit grant types (it has a hybrid flow as well).
> In that case you can't expect to get an ID token for all grant types.
>

One option that comes to my mind is:
in the token introspection response, get the user name,
and then call a SCIM endpoint (or any other API to get the user
information) to get user information.

But this also has an issue: this username is an optional parameter.


>
> So do you need this user information in all the cases ??
>
>
>> Thanks,
>> Bhathiya
>>
>>
>>>
>>> so this has to be addressed case by case.
>>> -Ishara
>>>
>>> On Sat, May 13, 2017 at 10:40 PM, Bhathiya Jayasekara <bhath...@wso2.com
>>> > wrote:
>>>
>>>> Thanks for the explanation Farasath.
>>>>
>>>> So this means we have to do a DCR call and another service call to
>>>> register claims to SP. @Tharindu: looks like we don't have a choice here.
>>>>
>>>> Thanks,
>>>> Bhathiya
>>>>
>>>> On Sat, May 13, 2017 at 1:49 PM, Farasath Ahamed <farasa...@wso2.com>
>>>> wrote:
>>>>
>>>>>
>>>>> On Sat, May 13, 2017 at 1:15 PM, Bhathiya Jayasekara <
>>>>> bhath...@wso2.com> wrote:
>>>>>
>>>>>> Hi Farasath,
>>>>>>
>>>>>> That's going to be a problem when we use DCR, I guess. Shouldn't we
>>>>>> send the claims given in the spec for each scope by default, without any
>>>>>> special configurations in SP?
>>>>>>
>>>>>
>>>>> Not really.
>>>>>
>>>>> Even the spec says[1],
>>>>>
>>>>> In some cases, the End-User will be given the option to have the
>>>>>> OpenID Provider decline to provide some or all information requested by
>>>>>> RPs. To minimize the amount of information that the End-User is being
>>>>>> asked to disclose, an RP can elect to only request a subset of the information
>>>>>> available from the UserInfo Endpoint.
>>>>>
>>>>>
>>>>> Simply put we are not bound to provide all the claims a client(Relying
>>>>> party) asks for using a 'scope'. There should be a way to control the
>>>>> claims that are sent out based on the application. This is because the
>>>>> sensitive nature of a claim depends on the application and other factors
>>>>> as well. For example, 'phone number' might be a sensitive claim for some
>>>>> apps. Therefore for such apps, we need to have a way to control a client from
>>>>> getting hold of that claim using scope 'phone'.
>>>>>
>>>>> So we can consider "requested claims" in Service Provider config as
>>>>> our way of allowing an application admin to decide what claims an external
>>>>> client can retrieve and what not.
>>>>>
>>>>> [1] http://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims
>>>>>
>>>>>
>>>>>> Thanks,
>>>>>> Bhathiya
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Sat, May 13, 2017 at 1:09 PM, Farasath Ahamed <farasa...@wso2.com>
>>>>>> wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>

Re: [Dev] [APIM][C5] - Best Way to get the end user information

2017-05-13 Thread Ishara Karunarathna
Hi Bhathiya,

On Sun, May 14, 2017 at 8:18 AM, Bhathiya Jayasekara <bhath...@wso2.com>
wrote:

> Hi Ishara,
>
> On Sun, May 14, 2017 at 7:16 AM, Ishara Karunarathna <isha...@wso2.com>
> wrote:
>
>> Hi,
>>
>> In the current implementations you get a JWT token from token validation
>> service regardless of the grant types.
>> But this would be a problem when you go with standards only. For example
>> you may not be able to get an ID token from the IDP if it's only supporting
>> specifications.
>>
>
> We thought of using "openid" scope when generating token and then call
> userinfo after validating (introspect) the token. I expect that should work
> if the IDP is compliant with the specs. WDYT?
>
What I'm saying is that not all the OAuth grant types work with OIDC.
For example, in the password grant type you can't use OIDC. OIDC defines only
authorization code and implicit grant types (it has a hybrid flow as well).
In that case you can't expect to get an ID token for all grant types.

So do you need this user information in all the cases ??


> Thanks,
> Bhathiya
>
>
>>
>> so this has to be addressed case by case.
>> -Ishara
>>
>> On Sat, May 13, 2017 at 10:40 PM, Bhathiya Jayasekara <bhath...@wso2.com>
>> wrote:
>>
>>> Thanks for the explanation Farasath.
>>>
>>> So this means we have to do a DCR call and another service call to
>>> register claims to SP. @Tharindu: looks like we don't have a choice here.
>>>
>>> Thanks,
>>> Bhathiya
>>>
>>> On Sat, May 13, 2017 at 1:49 PM, Farasath Ahamed <farasa...@wso2.com>
>>> wrote:
>>>
>>>>
>>>> On Sat, May 13, 2017 at 1:15 PM, Bhathiya Jayasekara <bhath...@wso2.com
>>>> > wrote:
>>>>
>>>>> Hi Farasath,
>>>>>
>>>>> That's going to be a problem when we use DCR, I guess. Shouldn't we
>>>>> send the claims given in the spec for each scope by default, without any
>>>>> special configurations in SP?
>>>>>
>>>>
>>>> Not really.
>>>>
>>>> Even the spec says[1],
>>>>
>>>> In some cases, the End-User will be given the option to have the OpenID
>>>>> Provider decline to provide some or all information requested by RPs. To
>>>>> minimize the amount of information that the End-User is being asked to
>>>>> disclose, an RP can elect to only request a subset of the information
>>>>> available from the UserInfo Endpoint.
>>>>
>>>>
>>>> Simply put we are not bound to provide all the claims a client(Relying
>>>> party) asks for using a 'scope'. There should be a way to control the
>>>> claims that are sent out based on the application. This is because the
>>>> sensitive nature of a claim depends on the application and other factors as
>>>> well. For example, 'phone number' might be a sensitive claim for some apps.
>>>> Therefore for such apps, we need to have a  way to control a client from
>>>> getting hold of that claim using scope 'phone'.
>>>>
>>>> So we can consider "requested claims" in Service Provider config as our
>>>> way of allowing an application admin to decide what claims an external
>>>> client can retrieve and what not.
>>>>
>>>> [1] http://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims
>>>>
>>>>
>>>>> Thanks,
>>>>> Bhathiya
>>>>>
>>>>>
>>>>>
>>>>> On Sat, May 13, 2017 at 1:09 PM, Farasath Ahamed <farasa...@wso2.com>
>>>>> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> Yes. We do support openid scopes (address, email, phone, profile).
>>>>>> (Refer [1])
>>>>>> But as Tharindu has mentioned this too requires the relevant claims
>>>>>> that fall under these scopes to be configured as requested claims in the
>>>>>> Service Provider.
>>>>>>
>>>>>> For example,
>>>>>> OIDC scope 'address' would return "address" and "street" claims. But
>>>>>> unless you have these claims as requested claims in the claim
>>>>>> configuration of the SP. These claims won't be returned although you
>>>>>> requested the token with a scope

Re: [Dev] [APIM][C5] - Best Way to get the end user information

2017-05-13 Thread Ishara Karunarathna
er claims. I think we can 
>>>>>> use
>>>>>> them here. So when generating tokens, these scopes should be used as per
>>>>>> the requirement.
>>>>>>
>>>>>> [1] http://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims
>>>>>>
>>>>>> Thanks,
>>>>>> Bhathiya
>>>>>>
>>>>>> On Sat, May 13, 2017 at 12:18 AM, Tharindu Dharmarathna <
>>>>>> tharin...@wso2.com> wrote:
>>>>>>
>>>>>>> Hi All,
>>>>>>>
>>>>>>> We had a use case on APIM to send the user claims in the JWT Header
>>>>>>> to the backend server.
>>>>>>>
>>>>>>> Currently APIM C4 architecture was Getting the user claims and
>>>>>>> generate JWT from Key manager node.
>>>>>>>
>>>>>>> As in C5 architecture, we have to get the user claims from the IS or
>>>>>>> the third party key manager.
>>>>>>>
>>>>>>> I had observed below two ways of getting user claims into the
>>>>>>> Gateway from IS.
>>>>>>>
>>>>>>> 1. Generate token with OpenID scope.
>>>>>>> 2. Call userinfo endpoint with above generated token
>>>>>>> 3. Call OAuth2TokenValidation Service and get the token.
>>>>>>>
>>>>>>> When considering [2] in order to receive user info we have to set
>>>>>>> the requested claims in service provider according to the App.
>>>>>>>
>>>>>>> And from Current C4 architecture, we don't mandate to send openid
>>>>>>> token as a scope.
>>>>>>>
>>>>>>> Is there any other alternative ways to achieve above task.
>>>>>>>
>>>>>>> Thanks
>>>>>>>
>>>>>>> *Tharindu Dharmarathna*Senior Software Engineer
>>>>>>> WSO2 Inc.; http://wso2.com
>>>>>>> lean.enterprise.middleware
>>>>>>>
>>>>>>> mobile: *+94779109091 <077%20910%209091>*
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> *Bhathiya Jayasekara*
>>>>>> *Associate Technical Lead,*
>>>>>> *WSO2 inc., http://wso2.com <http://wso2.com>*
>>>>>>
>>>>>> *Phone: +94715478185 <071%20547%208185>*
>>>>>> *LinkedIn: http://www.linkedin.com/in/bhathiyaj
>>>>>> <http://www.linkedin.com/in/bhathiyaj>*
>>>>>> *Twitter: https://twitter.com/bhathiyax
>>>>>> <https://twitter.com/bhathiyax>*
>>>>>> *Blog: http://movingaheadblog.blogspot.com
>>>>>> <http://movingaheadblog.blogspot.com/>*
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> *Bhathiya Jayasekara*
>>>>> *Associate Technical Lead,*
>>>>> *WSO2 inc., http://wso2.com <http://wso2.com>*
>>>>>
>>>>> *Phone: +94715478185 <+94%2071%20547%208185>*
>>>>> *LinkedIn: http://www.linkedin.com/in/bhathiyaj
>>>>> <http://www.linkedin.com/in/bhathiyaj>*
>>>>> *Twitter: https://twitter.com/bhathiyax
>>>>> <https://twitter.com/bhathiyax>*
>>>>> *Blog: http://movingaheadblog.blogspot.com
>>>>> <http://movingaheadblog.blogspot.com/>*
>>>>>
>>>>> ___
>>>>> Dev mailing list
>>>>> Dev@wso2.org
>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>>
>>>>>
>>>>
>>>
>>>
>>> --
>>> *Bhathiya Jayasekara*
>>> *Associate Technical Lead,*
>>> *WSO2 inc., http://wso2.com <http://wso2.com>*
>>>
>>> *Phone: +94715478185 <+94%2071%20547%208185>*
>>> *LinkedIn: http://www.linkedin.com/in/bhathiyaj
>>> <http://www.linkedin.com/in/bhathiyaj>*
>>> *Twitter: https://twitter.com/bhathiyax <https://twitter.com/bhathiyax>*
>>> *Blog: http://movingaheadblog.blogspot.com
>>> <http://movingaheadblog.blogspot.com/>*
>>>
>>
>>
>
>
> --
> *Bhathiya Jayasekara*
> *Associate Technical Lead,*
> *WSO2 inc., http://wso2.com <http://wso2.com>*
>
> *Phone: +94715478185 <+94%2071%20547%208185>*
> *LinkedIn: http://www.linkedin.com/in/bhathiyaj
> <http://www.linkedin.com/in/bhathiyaj>*
> *Twitter: https://twitter.com/bhathiyax <https://twitter.com/bhathiyax>*
> *Blog: http://movingaheadblog.blogspot.com
> <http://movingaheadblog.blogspot.com/>*
>



-- 
Ishara Karunarathna
Associate Technical Lead
WSO2 Inc. - lean . enterprise . middleware |  wso2.com

email: isha...@wso2.com,   blog: isharaaruna.blogspot.com,   mobile:
+94717996791
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev

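The gateway-side flow discussed in this thread, as an added example that is not part of the original messages and not WSO2 code: validate the RFC 7662 introspection response, decide how the end user can be identified when `username` is absent, then release only the claims that a granted OIDC scope covers and that the Service Provider lists as requested claims. The function names, the lookup labels and the sample data are assumptions; the scope-to-claim table follows OpenID Connect Core 1.0 section 5.4.

```python
import time

# Scope-to-claim mapping from OpenID Connect Core 1.0, section 5.4.
OIDC_SCOPE_CLAIMS = {
    "profile": {"name", "family_name", "given_name", "middle_name", "nickname",
                "preferred_username", "profile", "picture", "website", "gender",
                "birthdate", "zoneinfo", "locale", "updated_at"},
    "email": {"email", "email_verified"},
    "address": {"address"},
    "phone": {"phone_number", "phone_number_verified"},
}


class TokenRejected(Exception):
    """The introspection response does not describe a usable token."""


def granted_scopes(resp, now=None):
    """Validate an RFC 7662 response and return the token's scopes as a set.

    Only 'active' is a required member of the response; exp, nbf, scope and
    username are all optional, so each one is checked only when present.
    """
    now = int(time.time()) if now is None else now
    if resp.get("active") is not True:
        raise TokenRejected("token is not active")
    if "exp" in resp and now >= resp["exp"]:
        raise TokenRejected("token has expired")
    if "nbf" in resp and now < resp["nbf"]:
        raise TokenRejected("token is not valid yet")
    return set((resp.get("scope") or "").split())


def user_lookup_plan(resp, scopes):
    """Decide how the gateway can identify the end user (labels are hypothetical).

    'username' is optional in RFC 7662, so a key manager other than IS may omit
    it; userinfo is only an option when the token carries the 'openid' scope.
    """
    if resp.get("username"):
        return ("lookup_by_username", resp["username"])
    if "openid" in scopes:
        return ("userinfo", None)
    return ("no_user", None)  # has to be handled case by case


def releasable_claims(scopes, sp_requested_claims, user_attributes):
    """Return the user's claims covered by a granted scope AND requested by the SP."""
    by_scope = set()
    for scope in scopes:
        by_scope |= OIDC_SCOPE_CLAIMS.get(scope, set())
    allowed = by_scope & set(sp_requested_claims)
    return {name: value for name, value in user_attributes.items() if name in allowed}


# Constructed sample data, not taken from a real deployment.
SAMPLE_INTROSPECTION = {
    "active": True, "token_type": "Bearer", "scope": "openid email phone",
    "exp": 2000, "nbf": 1000, "username": "alice@carbon.super",
}
SAMPLE_USER = {"email": "alice@example.com", "phone_number": "+15550100",
               "given_name": "Alice"}
SAMPLE_SP_REQUESTED = {"email", "given_name"}

if __name__ == "__main__":
    scopes = granted_scopes(SAMPLE_INTROSPECTION, now=1500)
    print(user_lookup_plan(SAMPLE_INTROSPECTION, scopes))
    # phone_number is withheld (not a requested claim of the SP) and
    # given_name is withheld (the 'profile' scope was not granted).
    print(releasable_claims(scopes, SAMPLE_SP_REQUESTED, SAMPLE_USER))
```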

Re: [Dev] [IS] Authorization granted for a SP for a different tenant's user when SaaS is disabled

2017-05-10 Thread Ishara Karunarathna
obtain 
>>>>> a
>>>>> new access token for the saas-disabled application by using the issued
>>>>> refresh token for a different tenant user.
>>>>>
>>>>> For this I have added functionality to validate tenant domain and to
>>>>> check if the SP is SaaS enabled before granting access to the userInfo
>>>>> endpoint. It is evident that we should revoke the refresh token such that
>>>>> user is not permitted to obtain further access tokens for the application.
>>>>> In addition to this is it required to invalidate the already-issued access
>>>>> token?
>>>>>
>>>>> Appreciate your help on this.
>>>>>
>>>>> [1] https://wso2.org/jira/browse/IDENTITY-4981
>>>>>
>>>>> Best regards,
>>>>> Sathya
>>>>>
>>>>> --
>>>>> Sathya Bandara
>>>>> Software Engineer
>>>>> WSO2 Inc. http://wso2.com
>>>>> Mobile: (+94) 715 360 421 <+94%2071%20411%205032>
>>>>>
>>>>> <+94%2071%20411%205032>
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> *Pulasthi Mahawithana*
>>>> Senior Software Engineer
>>>> WSO2 Inc., http://wso2.com/
>>>> Mobile: +94-71-5179022 <+94%2071%20517%209022>
>>>> Blog: https://medium.com/@pulasthi7/
>>>>
>>>> <https://wso2.com/signature>
>>>>
>>>
>>
>>
>> --
>>
>> *Isura Dilhara Karunaratne*
>> Senior Software Engineer | WSO2
>> Email: is...@wso2.com
>> Mob : +94 772 254 810 <+94%2077%20225%204810>
>> Blog : http://isurad.blogspot.com/
>>
>>
>>
>>
>
> --
> Farasath Ahamed
> Software Engineer, WSO2 Inc.; http://wso2.com
> Mobile: +94777603866
> Blog: blog.farazath.com
> Twitter: @farazath619 <https://twitter.com/farazath619>
> <http://wso2.com/signature>
>
>
>
>




Re: [Dev] Clarification on 'Use tenant domain in local subject identifier' attribute

2017-05-10 Thread Ishara Karunarathna
as [1],[2],[3],[4] reported related to the above
>>>>>> attribute and thought of discussing the expected behavior of this 
>>>>>> attribute.
>>>>>>
>>>>>> AFAIU if the above attribute is checked in both federated and local
>>>>>> scenarios:
>>>>>> -  the tenant domain should append with the sub claim even when the
>>>>>> username is added as a requested claim or username is set as the subject
>>>>>> claim uri.
>>>>>>
>>>>> This is a little bit tricky. If we think of an occasion without a local
> association in a federated scenario, does it really make sense to append
> our local user store domain or tenant domain to user name? I think it's an
> invalid information, as a federated user is not present in our user stores
> unless provisioned or associated.
>
> We can argue, if the SP is configured with federated authentication we
> shouldn't select the above options. But the concerns around this become
> more complex when we consider this together with multi-option
> authentication. An SP can allow user to select authentication from either
> local or federated. As such case we should be able to dynamically decide we
> shouldn't be attaching user store and tenant names to federated user
> attributes. WDYT?
>
I also agree with Lanka, we can append tenant domain only to the local
claims so there won't be an issue with Federated claims.

-Ishara

>
>>>>>> If the above attribute is unchecked :
>>>>>> - The tenant domain should not append with the sub claim even when
>>>>>> the user name is subject claim uri or a requested claim.
>>>>>>
>>>>>
>>>>>> [1] https://wso2.org/jira/browse/IDENTITY-5013
>>>>>> [2] https://wso2.org/jira/browse/IDENTITY-4931
>>>>>> [3]https://wso2.org/jira/browse/IDENTITY-4956
>>>>>> [4]https://wso2.org/jira/browse/IDENTITY-4470
>>>>>>
>>>>>> Please let me know if the behavior of this attribute is something
>>>>>> different.
>>>>>>
>>>>> Yes. That is the behavior of 'Use tenant domain in local subject
>>>>> identifier" attribute.
>>>>>
>>>>> Thanks
>>>>> Isura.
>>>>>
>>>>>>
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Hasanthi Dissanayake
>>>>>>
>>>>>> Software Engineer | WSO2
>>>>>>
>>>>>> E: hasan...@wso2.com
>>>>>> M :0718407133 <071%20840%207133>| http://wso2.com <http://wso2.com/>
>>>>>>
>>>>>> ___
>>>>>> Dev mailing list
>>>>>> Dev@wso2.org
>>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>>
>>>>> *Isura Dilhara Karunaratne*
>>>>> Senior Software Engineer | WSO2
>>>>> Email: is...@wso2.com
>>>>> Mob : +94 772 254 810 <+94%2077%20225%204810>
>>>>> Blog : http://isurad.blogspot.com/
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> ___
>>>>> Dev mailing list
>>>>> Dev@wso2.org
>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>>
>>>>>
>>>
>>
>>
>> --
>>
>> *Ruwan Abeykoon*
>> *Associate Director/Architect**,*
>> *WSO2, Inc. http://wso2.com <https://wso2.com/signature> *
>> *lean.enterprise.middleware.*
>>
>>
>
>
> --
> Pushpalanka.
> --
> Pushpalanka Jayawardhana, B.Sc.Eng.(Hons).
> Senior Software Engineer, WSO2 Lanka (pvt) Ltd;  wso2.com/
> Mobile: +94779716248
> Blog: pushpalankajaya.blogspot.com/ | LinkedIn: lk.linkedin.com/in/
> pushpalanka/ | Twitter: @pushpalanka
>
>




Re: [Dev] IS 5.2.0 DB2 migration scripts

2017-05-05 Thread Ishara Karunarathna
Thanks Rajith for finding out this.

@Dinali Can you please update the scripts.

-Ishara

On Fri, May 5, 2017 at 11:52 PM, Rajith Roshan <raji...@wso2.com> wrote:

> The migration resources for db2 specified in step 11 of doc [1] is giving
> errors. It tries to insert boolean values to columns which have type
> smallint. They should be replaced with 0s and 1s. Please find the modified
> script below [2]
>
> [1] - https://docs.wso2.com/display/IS520/Upgrading+from+a+Previous+Release
>
> [2] -
> INSERT INTO UM_CLAIM (
> UM_DIALECT_ID,
> UM_CLAIM_URI,
> UM_DISPLAY_TAG,
> UM_DESCRIPTION,
> UM_MAPPED_ATTRIBUTE,
> UM_TENANT_ID,
> UM_READ_ONLY,
>UM_SUPPORTED,
>UM_REQUIRED,
>UM_DISPLAY_ORDER,
>UM_CHECKED_ATTRIBUTE)
> VALUES ((SELECT UM_ID FROM UM_DIALECT WHERE UM_DIALECT_URI='http://wso2.org/claims' AND UM_TENANT_ID=-1234),
> 'http://wso2.org/claims/identity/lastLoginTime','Last Login Time','Last Login Time','carLicense',-1234,1,0,0,7,0)/
>
>
> INSERT INTO UM_CLAIM (
>UM_DIALECT_ID,
>UM_CLAIM_URI,
>UM_DISPLAY_TAG,
>UM_DESCRIPTION,
>UM_MAPPED_ATTRIBUTE,
>UM_TENANT_ID,
>UM_READ_ONLY)
>
> SELECT DIALECT.UM_ID,
>   'http://wso2.org/claims/identity/lastLoginTime',
>'Last Login Time',
>'Last Login Time',
>'carLicense',
>   DIALECT.UM_TENANT_ID,
>1
>FROM UM_DIALECT as DIALECT JOIN UM_TENANT as TENANT ON
> DIALECT.UM_TENANT_ID=TENANT.UM_ID WHERE DIALECT.UM_DIALECT_URI='http://wso2.org/claims'/
>
>
> INSERT INTO UM_CLAIM (
> UM_DIALECT_ID,
> UM_CLAIM_URI,
> UM_DISPLAY_TAG,
> UM_DESCRIPTION,
> UM_MAPPED_ATTRIBUTE,
> UM_TENANT_ID,
> UM_READ_ONLY,
>UM_SUPPORTED,
>UM_REQUIRED,
>UM_DISPLAY_ORDER,
>UM_CHECKED_ATTRIBUTE)
> VALUES ((SELECT UM_ID FROM UM_DIALECT WHERE UM_DIALECT_URI='http://wso2.org/claims' AND UM_TENANT_ID=-1234),
> 'http://wso2.org/claims/identity/lastPasswordUpdateTime','Last Password Update','Last Password Update','businessCategory',-1234,1,0,0,7,0)/
>
>
> INSERT INTO UM_CLAIM (
>UM_DIALECT_ID,
>UM_CLAIM_URI,
>UM_DISPLAY_TAG,
>UM_DESCRIPTION,
>UM_MAPPED_ATTRIBUTE,
>UM_TENANT_ID,
>UM_READ_ONLY)
>
> SELECT DIALECT.UM_ID,
> 'http://wso2.org/claims/identity/lastPasswordUpdateTime',
> 'Last Password Update',
> 'Last Password Update',
> 'businessCategory',
> DIALECT.UM_TENANT_ID,
> 1
> FROM UM_DIALECT as DIALECT JOIN UM_TENANT as TENANT ON
> DIALECT.UM_TENANT_ID=TENANT.UM_ID WHERE DIALECT.UM_DIALECT_URI='http://wso2.org/claims'/
>
>
> CREATE INDEX REG_LOG_IND_BY_P1
> ON REG_LOG(REG_LOGGED_TIME, REG_TENANT_ID)/
>
> CREATE INDEX REG_RESOURCE_IND_3
> ON REG_RESOURCE(REG_UUID)/
>
> CREATE INDEX REG_RESOURCE_IND_4
> ON REG_RESOURCE(REG_TENANT_ID, REG_UUID)/
>
> CREATE INDEX REG_RESOURCE_IND_5
> ON REG_RESOURCE(REG_TENANT_ID, REG_MEDIA_TYPE)/
> --
> Rajith Roshan
> Software Engineer, WSO2 Inc.
> Mobile: +94-72-642-8350 <%2B94-71-554-8430>
>





Re: [Dev] Please review and merge

2017-05-05 Thread Ishara Karunarathna
Hi connector team,

Can we get this merged ?

-Ishara

On Fri, May 5, 2017 at 10:11 AM, Hasanthi Purnima Dissanayake <
hasan...@wso2.com> wrote:

> Hi Kathees
>
> Fixed the comments.
>
> Thanks,
>
> Hasanthi Dissanayake
>
> Software Engineer | WSO2
>
> E: hasan...@wso2.com
> M :0718407133| http://wso2.com <http://wso2.com/>
>
> On Fri, May 5, 2017 at 9:45 AM, Kathees Rajendram <kath...@wso2.com>
> wrote:
>
>> Thanks Hasanthi for your fix.
>>
>> Please fix those comments in the PR.
>>
>> Thanks,
>> Kathees
>>
>> On Thu, May 4, 2017 at 3:16 PM, Hasanthi Purnima Dissanayake <
>> hasan...@wso2.com> wrote:
>>
>>> Hi connector team,
>>> Please review and merge [1] which fixes [2].
>>> [1]https://github.com/wso2-extensions/identity-oauth2-grant-jwt/pull/14
>>> [2]https://wso2.org/jira/browse/IDENTITY-5888
>>>
>>> Thanks,
>>>
>>> Hasanthi Dissanayake
>>>
>>> Software Engineer | WSO2
>>>
>>> E: hasan...@wso2.com
>>> M :0718407133| http://wso2.com <http://wso2.com/>
>>>
>>
>>
>>
>> --
>> Kathees
>> Software Engineer,
>> email: kath...@wso2.com
>> mobile: +94772596173 <+94%2077%20259%206173>
>>
>
>
> ___
> Dev mailing list
> Dev@wso2.org
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>
>




Re: [Dev] Client credential grant type for ID token generation

2017-05-05 Thread Ishara Karunarathna
Hi,

On Fri, May 5, 2017 at 11:42 AM, Isura Karunaratne <is...@wso2.com> wrote:

> Hi all,
>
> On Thu, May 4, 2017 at 3:03 PM, Gayan Gunawardana <ga...@wso2.com> wrote:
>
>>
>>
>> On Thu, May 4, 2017 at 2:41 PM, Pushpalanka Jayawardhana <la...@wso2.com>
>> wrote:
>>
>>> Hi All,
>>>
>>> This is in relation to issue [1] which happened when we issue ID_token
>>> for client credentials grant.
>>>
>>> Client credentials grant type is not really a part of OpenID Connect
>>> specification, as it only mentions of authorization code grant flow(Basic
>>> Profile) and implicit grant flow (Implicit profile), and hybrid flow.
>>> This is an additional thing when we issue id_token for client
>>> credentials grant.
>>>
>>> Also this does not make much sense when we issue an ID_token to an
>>> application which is presented in client credentials grant.
>>> In my opinion we should get rid of this, if no one is currently using it.
>>> Appreciate your inputs.
>>>
>> Also OpenID Connect specification does not talk about issuing ID_token
>> for password grant type as well. Apart from specification POV issuing
>> ID_token for password grant type is not logically wrong.
>> Issuing ID_token for client credentials grant type is logically wrong
>> hence +1 to remove the functionality.
>>
> Yes. +1 to remove ID token for client credentials grant type.
>
> +1
Since there is no user authentication, this is logically wrong, so it is better
to fix this by removing the ID token. But for the password grant type, even though
it's not in the spec, there are still use cases for it, so let's keep it and
fix related issues.

-Ishara

>
> Thanks
> Isura.
>
>>
>>> [1] - https://wso2.org/jira/browse/IDENTITY-4915
>>>
>>> Thanks,
>>> --
>>> Pushpalanka.
>>> --
>>> Pushpalanka Jayawardhana, B.Sc.Eng.(Hons).
>>> Senior Software Engineer, WSO2 Lanka (pvt) Ltd;  wso2.com/
>>> Mobile: +94779716248
>>> Blog: pushpalankajaya.blogspot.com/ | LinkedIn: lk.linkedin.com/in/p
>>> ushpalanka/ | Twitter: @pushpalanka
>>>
>>>
>>
>>
>> --
>> Gayan Gunawardana
>> Software Engineer; WSO2 Inc.; http://wso2.com/
>> Email: ga...@wso2.com
>> Mobile: +94 (71) 8020933
>>
>> ___
>> Dev mailing list
>> Dev@wso2.org
>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>
>>
>
>
> --
>
> *Isura Dilhara Karunaratne*
> Senior Software Engineer | WSO2
> Email: is...@wso2.com
> Mob : +94 772 254 810 <+94%2077%20225%204810>
> Blog : http://isurad.blogspot.com/
>
>
>
>



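One way to express both the scope validator proposed in the "Implementing Scope Validator" thread and the decision in this thread to stop issuing ID tokens for the client credentials grant, as an added example that is not WSO2's implementation. The function name, the `ScopeDecision` type, the `reject` switch and the configurable grant set are assumptions; `invalid_scope` is the error code from RFC 6749 section 5.2.

```python
from dataclasses import dataclass

# Grants after which an id_token is issued when "openid" is requested.
# authorization_code and implicit are flows that OpenID Connect defines;
# password is not in the spec, but the thread keeps it for existing use cases.
# Whether extension grants (SAML2 bearer, JWT bearer, custom) belong here is
# left to the deployer, which is an assumption of this example.
DEFAULT_ID_TOKEN_GRANTS = frozenset({"authorization_code", "implicit", "password"})


@dataclass(frozen=True)
class ScopeDecision:
    allowed: bool         # may the token request proceed?
    scopes: tuple         # scopes to grant, in request order
    issue_id_token: bool  # attach an id_token to the token response?
    error: str = ""       # OAuth 2.0 error code when not allowed


def validate_openid_scope(grant_type, scope_param,
                          id_token_grants=DEFAULT_ID_TOKEN_GRANTS, reject=True):
    """Apply the rule: 'openid' is only honoured for grants that involve a user.

    reject=True  -> refuse the request with invalid_scope.
    reject=False -> grant the request without 'openid' and without an id_token
                    (RFC 6749 section 3.3 lets the server narrow the scope).
    """
    scopes = tuple(dict.fromkeys(scope_param.split()))  # de-duplicate, keep order
    if "openid" not in scopes:
        return ScopeDecision(True, scopes, False)
    if grant_type in id_token_grants:
        return ScopeDecision(True, scopes, True)
    if reject:
        return ScopeDecision(False, (), False, "invalid_scope")
    narrowed = tuple(s for s in scopes if s != "openid")
    return ScopeDecision(True, narrowed, False)


if __name__ == "__main__":
    # Constructed requests: (grant_type, scope parameter).
    for grant, scope in [("authorization_code", "openid email"),
                         ("password", "openid"),
                         ("client_credentials", "openid api_read"),
                         ("client_credentials", "api_read")]:
        print(grant, scope, validate_openid_scope(grant, scope))
```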

Re: [Dev] GSOC : OAuth 2.0 Dynamic Client Registration Management Protocol Support

2017-05-04 Thread Ishara Karunarathna
On Fri, May 5, 2017 at 10:53 AM, Abilashini Thiyagarajah <
abilashini...@cse.mrt.ac.lk> wrote:

> Yeah we can have.
>
Then let's arrange a hangout from 2-3 pm

>
> *Thiyagarajah Abilashini*
> Student
> Department of Computer Science and Engineering
> University of Moratuwa, Sri Lanka
>
> On 5 May 2017 at 10:25, Ishara Karunarathna <isha...@wso2.com> wrote:
>
>>
>>
>> On Fri, May 5, 2017 at 10:21 AM, Abilashini Thiyagarajah <
>> abilashini...@cse.mrt.ac.lk> wrote:
>>
>>> Hi Ishara,
>>>
>>> Thank you.
>>>
>>> Tomorrow in the sense do you mean Saturday(6.4.2017)?
>>>
>> It's today, 5/5/2017. If you are available we can have a meeting in the evening.
>>
>> -Ishara
>>
>>>
>>>
>>>
>>> *Thiyagarajah Abilashini*
>>> Student
>>> Department of Computer Science and Engineering
>>> University of Moratuwa, Sri Lanka
>>>
>>> On 5 May 2017 at 00:51, Ishara Karunarathna <isha...@wso2.com> wrote:
>>>
>>>> Hi,
>>>>
>>>> Congratz Abilashini,
>>>>
>>>> On Thu, May 4, 2017 at 11:42 PM, Abilashini Thiyagarajah <
>>>> abilashini...@cse.mrt.ac.lk> wrote:
>>>>
>>>>> Hi all,
>>>>>
>>>>> Thank you so much for accepting my proposal and selecting me to work
>>>>> on the project "*OAuth 2.0 Dynamic Client Registration Management
>>>>> Protocol support for WSO2 Identity Server*" in GSOC 2017. I am so
>>>>> happy to work on a WSO2 project after the internship.
>>>>>
>>>>> I would like to clarify the plan through out the program. Shall we
>>>>> stick to my project plan in my proposal?
>>>>>
>>>> We may have to do some slight modifications. Shall we arrange a meeting
>>>> and discuss tomorrow?
>>>>
>>>> Thanks,
>>>> Ishara
>>>>
>>>>>
>>>>> Looking forward to have a fabulous project experience with WSO2 for
>>>>> next 4 months of period.
>>>>>
>>>>> Thank you and best regards,
>>>>> Abilashini
>>>>>
>>>>> *Thiyagarajah Abilashini*
>>>>> Student
>>>>> Department of Computer Science and Engineering
>>>>> University of Moratuwa, Sri Lanka
>>>>>
>>>>> On 3 April 2017 at 20:15, Abilashini Thiyagarajah <
>>>>> abilashini...@cse.mrt.ac.lk> wrote:
>>>>>
>>>>>> Hi Maduranga,
>>>>>>
>>>>>> I have already submitted the final proposal. I would like to thank
>>>>>> you for your guidance throughout the process of understanding the project
>>>>>> and preparing the proposal. Looking forward to work on the project.
>>>>>>
>>>>>> Best Regards,
>>>>>> Abilashini
>>>>>>
>>>>>> *Thiyagarajah Abilashini*
>>>>>> Student
>>>>>> Department of Computer Science and Engineering
>>>>>> University of Moratuwa, Sri Lanka
>>>>>>
>>>>>> On 3 April 2017 at 19:54, Maduranga Siriwardena <madura...@wso2.com>
>>>>>> wrote:
>>>>>>
>>>>>>> Hi Abishalani,
>>>>>>>
>>>>>>> I will not have time to go through your proposal now. As the
>>>>>>> deadline is getting closer, please go ahead and submit the proposal.
>>>>>>>
>>>>>>> Thanks,
>>>>>>>
>>>>>>> On Sun, Apr 2, 2017 at 10:12 PM, Abilashini Thiyagarajah <
>>>>>>> abilashini...@cse.mrt.ac.lk> wrote:
>>>>>>>
>>>>>>>> Hi Maduranga,
>>>>>>>>
>>>>>>>> I have included the initial design in the proposal. I kindly
>>>>>>>> request your feedback on it.
>>>>>>>>
>>>>>>>> Thank you,
>>>>>>>> Abilashini
>>>>>>>>
>>>>>>>> *Thiyagarajah Abilashini*
>>>>>>>> Student
>>>>>>>> Department of Computer Science and Engineering
>>>>>>>> University of Moratuwa, Sri Lanka
>>>>>>>>
>>>>>>>> On 

Re: [Dev] GSOC : OAuth 2.0 Dynamic Client Registration Management Protocol Support

2017-05-04 Thread Ishara Karunarathna
On Fri, May 5, 2017 at 10:21 AM, Abilashini Thiyagarajah <
abilashini...@cse.mrt.ac.lk> wrote:

> Hi Ishara,
>
> Thank you.
>
> Tomorrow in the sense, do you mean Saturday (6.4.2017)?
>
It's today, 5/5/2017. If you are available, we can have a meeting in the evening.

-Ishara

>
>
>
> *Thiyagarajah Abilashini*
> Student
> Department of Computer Science and Engineering
> University of Moratuwa, Sri Lanka
>
> On 5 May 2017 at 00:51, Ishara Karunarathna <isha...@wso2.com> wrote:
>
>> Hi,
>>
>> Congrats Abilashini,
>>
>> On Thu, May 4, 2017 at 11:42 PM, Abilashini Thiyagarajah <
>> abilashini...@cse.mrt.ac.lk> wrote:
>>
>>> Hi all,
>>>
>>> Thank you so much for accepting my proposal and selecting me to work on
>>> the project "*OAuth 2.0 Dynamic Client Registration Management Protocol
>>> support for WSO2 Identity Server*" in GSOC 2017. I am so happy to work
>>> on a WSO2 project after the internship.
>>>
>>> I would like to clarify the plan throughout the program. Shall we stick
>>> to my project plan in my proposal?
>>>
>> We may have to do some slight modification. Shall we arrange a meeting
>> and discuss tomorrow?
>>
>> Thanks,
>> Ishara
>>
>>>
>>> Looking forward to having a fabulous project experience with WSO2 for the
>>> next 4 months.
>>>
>>> Thank you and best regards,
>>> Abilashini
>>>
>>> *Thiyagarajah Abilashini*
>>> Student
>>> Department of Computer Science and Engineering
>>> University of Moratuwa, Sri Lanka
>>>
>>> On 3 April 2017 at 20:15, Abilashini Thiyagarajah <
>>> abilashini...@cse.mrt.ac.lk> wrote:
>>>
>>>> Hi Maduranga,
>>>>
>>>> I have already submitted the final proposal. I would like to thank you
>>>> for your guidance throughout the process of understanding the project and
>>>> preparing the proposal. Looking forward to working on the project.
>>>>
>>>> Best Regards,
>>>> Abilashini
>>>>
>>>> *Thiyagarajah Abilashini*
>>>> Student
>>>> Department of Computer Science and Engineering
>>>> University of Moratuwa, Sri Lanka
>>>>
>>>> On 3 April 2017 at 19:54, Maduranga Siriwardena <madura...@wso2.com>
>>>> wrote:
>>>>
>>>>> Hi Abilashini,
>>>>>
>>>>> I will not have time to go through your proposal now. As the deadline
>>>>> is getting closer, please go ahead and submit the proposal.
>>>>>
>>>>> Thanks,
>>>>>
>>>>> On Sun, Apr 2, 2017 at 10:12 PM, Abilashini Thiyagarajah <
>>>>> abilashini...@cse.mrt.ac.lk> wrote:
>>>>>
>>>>>> Hi Maduranga,
>>>>>>
>>>>>> I have included the initial design in the proposal. I kindly request
>>>>>> your feedback on it.
>>>>>>
>>>>>> Thank you,
>>>>>> Abilashini
>>>>>>
>>>>>> *Thiyagarajah Abilashini*
>>>>>> Student
>>>>>> Department of Computer Science and Engineering
>>>>>> University of Moratuwa, Sri Lanka
>>>>>>
>>>>>> On 27 March 2017 at 21:14, Abilashini Thiyagarajah <
>>>>>> abilashini...@cse.mrt.ac.lk> wrote:
>>>>>>
>>>>>>> Hi Maduranga,
>>>>>>>
>>>>>>> Sorry for the inconvenience caused by the wrong link.
>>>>>>>
>>>>>>> Thank you for your comments and I am updating the proposal
>>>>>>> respectively. Also I have replied to some of the comments for
>>>>>>> clarification. It would be so helpful if I get your comment on those.
>>>>>>>
>>>>>>> I will include the initial design and the fixed jira issues as
>>>>>>> soon as possible.
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Abilashini
>>>>>>>
>>>>>>> *Thiyagarajah Abilashini*
>>>>>>> Student
>>>>>>> Department of Computer Science and Engineering
>>>>>>> University of Moratuwa, Sri Lanka
>>>>>>>
>>>>>>> On 27 March 2017 at 20:07, Maduranga Siriwardena <madura...@wso2.c

Re: [Dev] GSOC : OAuth 2.0 Dynamic Client Registration Management Protocol Support

2017-05-04 Thread Ishara Karunarathna
>>>>>>>>>> to the product, you can build the jar and then create folder patch0001
>>>>>>>>>> (format of the folder name should be "patch" and then a four digit number.
>>>>>>>>>> Patches are applied in the order of the number) in
>>>>>>>>>> /repository/components/patches and place the newly
>>>>>>>>>> built jar inside that. After this you have to restart the server. Please
>>>>>>>>>> note that for the jars you are going to patch, the name should be equal to
>>>>>>>>>> the original jar in the dropins folder.
>>>>>>>>>>
>>>>>>>>>> If you successfully installed the changes, you will be able to
>>>>>>>>>> notice a log like below at the next start up.
>>>>>>>>>>
>>>>>>>>>> [2017-01-31 21:07:39,035]  INFO {org.wso2.carbon.server.extensions.PatchInstaller} -  Patch changes detected  {org.wso2.carbon.server.extensions.PatchInstaller}
>>>>>>>>>> [2017-01-31 21:07:39,513]  INFO {org.wso2.carbon.server.util.PatchUtils.console} -  Backed up plugins to patch {org.wso2.carbon.server.util.PatchUtils.console}
>>>>>>>>>> [2017-01-31 21:07:39,525]  INFO {org.wso2.carbon.server.util.PatchUtils.console} -  Patch verification started {org.wso2.carbon.server.util.PatchUtils.console}
>>>>>>>>>> [2017-01-31 21:07:39,530]  INFO {org.wso2.carbon.server.util.PatchUtils.console} -  Patch verification successfully completed. {org.wso2.carbon.server.util.PatchUtils.console}
>>>>>>>>>>
>>>>>>>>>> Thanks,
>>>>>>>>>>
>>>>>>>>>> On Sat, Mar 18, 2017 at 7:26 AM, Abilashini Thiyagarajah <
>>>>>>>>>> abilashini...@cse.mrt.ac.lk> wrote:
>>>>>>>>>>
>>>>>>>>>>> Hi,
>>>>>>>>>>>
>>>>>>>>>>> I have worked to understand the specifications and code base
>>>>>>>>>>> related to OAuth 2.0 DCR protocol management. Now I am trying to fix some
>>>>>>>>>>> of the issues that you have shared with me. Can I know the location of dcr
>>>>>>>>>>> component in the server? Or else the way to try my code changes in the dcr
>>>>>>>>>>> component?
>>>>>>>>>>>
>>>>>>>>>>> Thanks in advance,
>>>>>>>>>>> Abilashini
>>>>>>>>>>>
>>>>>>>>>>> *Thiyagarajah Abilashini*
>>>>>>>>>>> Student
>>>>>>>>>>> Department of Computer Science and Engineering
>>>>>>>>>>> University of Moratuwa, Sri Lanka
>>>>>>>>>>>
>>>>>>>>>>> On 15 March 2017 at 10:26, Abilashini Thiyagarajah <
>>>>>>>>>>> abilashini...@cse.mrt.ac.lk> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Hi Maduranga,
>>>>>>>>>>>>
>>>>>>>>>>>> Thank you so much for your reply and references. I will work on
>>>>>>>>>>>> to understand the code and fix jira as you said.
>>>>>>>>>>>>
>>>>>>>>>>>> Best Regards,
>>>>>>>>>>>> Abilashini
>>>>>>>>>>>>
>>>>>>>>>>>> *Thiyagarajah Abilashini*
>>>>>>>>>>>> Student
>>>>>>>>>>>> Department of Computer Science and Engineering
>>>>>>>>>>>> University of Moratuwa, Sri Lanka
>>>>>>>>>>>>
>>>>>>>>>>>> On 15 March 2017 at 01:52, Maduranga Siriwardena <
>>>>>>>>>>>> madura...@wso2.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Hi Abilashini,
>>>>>>>>>>>>>
>>>>>>>>>>>>> We are glad to see your interest in doing GSoC with WSO2.
>>>>>>>>>>>>>
>>>>>>>>>>>>> The requirement of the project is to fully implement
>>>>>>>>>>>>> the Dynamic Client Registration Management Protocol [1]. The current
>>>>>>>>>>>>> implementation of Dynamic Client Registration is in repo [2] and
>>>>>>>>>>>>> particularly component in [3]. Documentation for OpenID Connect Dynamic
>>>>>>>>>>>>> Client Registration is in [4].
>>>>>>>>>>>>>
>>>>>>>>>>>>> If you need to get familiar with the code, you can fix jira
>>>>>>>>>>>>> already reported regarding dcr implementation which are in [5] (or you can
>>>>>>>>>>>>> fix any jira in Identity Server project as a start).
>>>>>>>>>>>>>
>>>>>>>>>>>>> [1] https://tools.ietf.org/html/rfc7592
>>>>>>>>>>>>> [2] https://github.com/wso2-extensions/identity-inbound-auth-oauth
>>>>>>>>>>>>> [3] https://github.com/wso2-extensions/identity-inbound-auth-oauth/tree/master/components/org.wso2.carbon.identity.oauth.dcr
>>>>>>>>>>>>> [4] https://docs.wso2.com/display/IS530/OpenID+Connect+Dynamic+Client+Registration
>>>>>>>>>>>>> [5] https://goo.gl/ghqqgE
>>>>>>>>>>>>>
>>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Tue, Mar 14, 2017 at 1:06 AM, Abilashini Thiyagarajah <
>>>>>>>>>>>>> abilashini...@cse.mrt.ac.lk> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I am Abilashini from Department of Computer Science and
>>>>>>>>>>>>>> Engineering, University of Moratuwa. I have done my internship at WSO2 last
>>>>>>>>>>>>>> year (July - December) and worked in the implementation of tomcat extension
>>>>>>>>>>>>>> of OpenID Connect [1]. So I am a little bit familiar with OAuth 2.0 and
>>>>>>>>>>>>>> OpenID Connect protocols. I found the project 'OAuth 2.0
>>>>>>>>>>>>>> Dynamic Client Registration Management Protocol Support' as
>>>>>>>>>>>>>> interesting to work on. Can I have some assistance to understand the
>>>>>>>>>>>>>> details and requirements more clearly behind this project idea?
>>>>>>>>>>>>>> Also can I have the locations of documentation and code base
>>>>>>>>>>>>>> related to dynamic client registration?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> [1] https://github.com/wso2-extensions/tomcat-extension-openidsso
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Thanks and Regards
>>>>>>>>>>>>>> Abilashini
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> *Thiyagarajah Abilashini*
>>>>>>>>>>>>>> Student
>>>>>>>>>>>>>> Department of Computer Science and Engineering
>>>>>>>>>>>>>> University of Moratuwa, Sri Lanka
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> --
>>>>>>>>>>>>> Maduranga Siriwardena
>>>>>>>>>>>>> Software Engineer
>>>>>>>>>>>>> WSO2 Inc; http://wso2.com/
>>>>>>>>>>>>>
>>>>>>>>>>>>> Email: madura...@wso2.com
>>>>>>>>>>>>> Mobile: +94718990591 <+94%2071%20899%200591>
>>>>>>>>>>>>> Blog: *https://madurangasiriwardena.wordpress.com/
>>>>>>>>>>>>> <https://madurangasiriwardena.wordpress.com/>*
>>>>>>>>>>>>> <http://wso2.com/signature>
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Maduranga Siriwardena
>>>>>>>>>> Software Engineer
>>>>>>>>>> WSO2 Inc; http://wso2.com/
>>>>>>>>>>
>>>>>>>>>> Email: madura...@wso2.com
>>>>>>>>>> Mobile: +94718990591 <+94%2071%20899%200591>
>>>>>>>>>> Blog: *https://madurangasiriwardena.wordpress.com/
>>>>>>>>>> <https://madurangasiriwardena.wordpress.com/>*
>>>>>>>>>> <http://wso2.com/signature>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> Maduranga Siriwardena
>>>>>>>> Software Engineer
>>>>>>>> WSO2 Inc; http://wso2.com/
>>>>>>>>
>>>>>>>> Email: madura...@wso2.com
>>>>>>>> Mobile: +94718990591 <+94%2071%20899%200591>
>>>>>>>> Blog: *https://madurangasiriwardena.wordpress.com/
>>>>>>>> <https://madurangasiriwardena.wordpress.com/>*
>>>>>>>> <http://wso2.com/signature>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Maduranga Siriwardena
>>>>>> Senior Software Engineer
>>>>>> WSO2 Inc; http://wso2.com/
>>>>>>
>>>>>> Email: madura...@wso2.com
>>>>>> Mobile: +94718990591 <+94%2071%20899%200591>
>>>>>> Blog: *https://madurangasiriwardena.wordpress.com/
>>>>>> <https://madurangasiriwardena.wordpress.com/>*
>>>>>> <http://wso2.com/signature>
>>>>>>
>>>>>
>>>>>
>>>>
>>>
>>>
>>> --
>>> Maduranga Siriwardena
>>> Senior Software Engineer
>>> WSO2 Inc; http://wso2.com/
>>>
>>> Email: madura...@wso2.com
>>> Mobile: +94718990591 <+94%2071%20899%200591>
>>> Blog: *https://madurangasiriwardena.wordpress.com/
>>> <https://madurangasiriwardena.wordpress.com/>*
>>> <http://wso2.com/signature>
>>>
>>
>>
>
>
>


-- 
Ishara Karunarathna
Associate Technical Lead
WSO2 Inc. - lean . enterprise . middleware |  wso2.com

email: isha...@wso2.com,   blog: isharaaruna.blogspot.com,   mobile:
+94717996791
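
Added example (not part of the thread and not WSO2 code): a Python check for the patch procedure quoted in the message above. It validates the patchNNNN folder names, flags patch jars with no same-named jar in dropins, and confirms the four start-up log stages; the function names and jar names are illustrative assumptions, and the sample log is the one quoted in the thread with mail wrapping undone.

```python
import re

# Folder convention from the thread: "patch" followed by a four digit number.
PATCH_DIR = re.compile(r"patch([0-9]{4})")

# One start-up log line: [timestamp]  LEVEL {logger} -  message  {logger}
LOG_LINE = re.compile(
    r"\[(?P<ts>[^\]]+)\]\s+(?P<level>[A-Z]+)\s+\{(?P<logger>[^}]+)\}\s+-\s+"
    r"(?P<msg>.*?)\s*(?:\{[^}]*\})?\s*"
)

# Stages in the order they appear in the log quoted in the thread.
STAGES = (
    "Patch changes detected",
    "Backed up plugins to patch",
    "Patch verification started",
    "Patch verification successfully completed",
)


def split_patch_dirs(names):
    """Return (apply_order, rejected) for the entries of the patches folder."""
    ordered, rejected = [], []
    for name in names:
        (ordered if PATCH_DIR.fullmatch(name) else rejected).append(name)
    # Patches are applied in the order of the number.
    ordered.sort(key=lambda n: int(PATCH_DIR.fullmatch(n).group(1)))
    return ordered, rejected


def unmatched_jars(patch_jars, dropins_jars):
    """Patch jars whose file name does not equal any jar name in dropins."""
    known = set(dropins_jars)
    return sorted(j for j in patch_jars if j not in known)


def patch_log_status(log_text):
    """Map each stage found in the log to its timestamp, in first-seen order."""
    seen = {}
    for line in log_text.splitlines():
        m = LOG_LINE.fullmatch(line.strip())
        if not m:
            continue
        for stage in STAGES:
            if m.group("msg").startswith(stage) and stage not in seen:
                seen[stage] = m.group("ts")
    return seen


def patch_verified(log_text):
    """True only if every stage was logged, in the expected order."""
    return list(patch_log_status(log_text)) == list(STAGES)


# Log lines as quoted in the thread (wrapping undone).
SAMPLE_LOG = """\
[2017-01-31 21:07:39,035]  INFO {org.wso2.carbon.server.extensions.PatchInstaller} -  Patch changes detected  {org.wso2.carbon.server.extensions.PatchInstaller}
[2017-01-31 21:07:39,513]  INFO {org.wso2.carbon.server.util.PatchUtils.console} -  Backed up plugins to patch {org.wso2.carbon.server.util.PatchUtils.console}
[2017-01-31 21:07:39,525]  INFO {org.wso2.carbon.server.util.PatchUtils.console} -  Patch verification started {org.wso2.carbon.server.util.PatchUtils.console}
[2017-01-31 21:07:39,530]  INFO {org.wso2.carbon.server.util.PatchUtils.console} -  Patch verification successfully completed. {org.wso2.carbon.server.util.PatchUtils.console}
"""

# Constructed: the same log cut off before verification completes.
INCOMPLETE_LOG = "\n".join(SAMPLE_LOG.splitlines()[:3])

if __name__ == "__main__":
    # Constructed directory listing and jar names.
    order, rejected = split_patch_dirs(
        ["patch0010", "patch0002", "patch1", "Patch0003", "patch0001"])
    print("apply order:", order)
    print("not applied as patches:", rejected)
    print("jar name mismatch:", unmatched_jars(
        ["example.component_1.0.0.jar", "example.component-fixed.jar"],
        ["example.component_1.0.0.jar"]))
    print("verified:", patch_verified(SAMPLE_LOG))
    print("verified (incomplete log):", patch_verified(INCOMPLETE_LOG))
```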


Re: [Dev] GSoC 2017 - Proposal 20: [IS] OAuth 2.0 Dynamic Client Registration Management Protocol Support

2017-04-14 Thread Ishara Karunarathna
>>>>>>>>>>>
>>>>>>>>>>> [1] https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth.dcr/src/main/java/org/wso2/carbon/identity/oauth/dcr/processor/DCRProcessor.java
>>>>>>>>>>> [2] https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oidc.dcr/src/main/java/org/wso2/carbon/identity/oidc/dcr/processor/OIDCDCRProcessor.java
>>>>>>>>>>>
>>>>>>>>>>> Thanks,
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On Wed, Mar 22, 2017 at 10:53 AM, Dinuksha Ishwari <
>>>>>>>>>>> dinuksha.ishw...@gmail.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Hi Maduranga,
>>>>>>>>>>>>
>>>>>>>>>>>> I have referred the given code [1] and observed that
>>>>>>>>>>>> DCRProcessor will only process requests that call the endpoint
>>>>>>>>>>>> /identity/register as OAuth2.0 specification and will not process the
>>>>>>>>>>>> calls to /identity/connect/register which is the endpoint specified in
>>>>>>>>>>>> OpenIDConnect specification for DCR. Correct me if I am wrong.
>>>>>>>>>>>>
>>>>>>>>>>>> I would appreciate if you could provide me some more
>>>>>>>>>>>> information regarding exposing an endpoint for the custom component of DCRM.
>>>>>>>>>>>>
>>>>>>>>>>>> [1] https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth.dcr/src/main/java/org/wso2/carbon/identity/oauth/dcr/processor/DCRProcessor.java
>>>>>>>>>>>>
>>>>>>>>>>>> Thank you,
>>>>>>>>>>>> Dinuksha.
>>>>>>>>>>>>
>>>>>>>>>>>> On Tue, Mar 21, 2017 at 11:54 PM, Maduranga Siriwardena <
>>>>>>>>>>>> madura...@wso2.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Hi Dinuksha,
>>>>>>>>>>>>>
>>>>>>>>>>>>> Glad to hear that you have made progress with the project.
>>>>>>>>>>>>>
>>>>>>>>>>>>> As a start, exposing a separate servlet would be okay. But
>>>>>>>>>>>>> going forward with the project, you may have to use the approach used in
>>>>>>>>>>>>> the DCR endpoint which is [1] (or may have to use a cxf endpoint).
>>>>>>>>>>>>>
>>>>>>>>>>>>> [1] https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth.dcr/src/main/java/org/wso2/carbon/identity/oauth/dcr/processor/DCRProcessor.java
>>>>>>>>>>>>>
>>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Tue, Mar 21, 2017 at 12:26 PM, Dinuksha Ishwari <
>>>>>>>>>>>>> dinuksha.ishw...@gmail.com> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Hi Devs/Mentors,
>>>>>>>>>>>>>>
>

Re: [Dev] GSoC 2017 - Proposal 20: [IS] OAuth 2.0 Dynamic Client Registration Management Protocol Support

2017-02-23 Thread Ishara Karunarathna
On Fri, Feb 24, 2017 at 11:16 AM, Dinuksha Ishwari <
dinuksha.ishw...@gmail.com> wrote:
[+ dev]

> Hi Ishara,
>
> Thank you for the information. I'm in the process of reading the related
> specifications and getting familiar with the code base further. Will get
> back to you soon.
>
> Thanks,
> Dinuksha.
>
> On Fri, Feb 24, 2017 at 10:14 AM, Ishara Karunarathna <isha...@wso2.com>
> wrote:
>
>> Hi Dinuksha,
>>
>> Thank you for your interest in GSoC and the effort on WSO2IS DCRM
>> implementation.
>> It’s great that you have already started working with IS code base.
>> Further you can go through current DCR implementation from
>> here[1] and go through that code.
>>
>> You may find open jiras here[2]. Following are related to current DCR
>> implementation
>> https://wso2.org/jira/browse/IDENTITY-5185
>> https://wso2.org/jira/browse/IDENTITY-5184
>>
>> Thanks,
>> Ishara
>>
>> [1] https://github.com/wso2-extensions/identity-inbound-auth-oauth
>> [2] https://wso2.org/jira/projects/IDENTITY/issues/IDENTITY-5723?filter=allopenissues
>>
>>
>> On Mon, Feb 20, 2017 at 4:45 PM, Dinuksha Ishwari <
>> dinuksha.ishw...@gmail.com> wrote:
>>
>>> Hi All,
>>>
>>>
>>> I am Dinuksha Kanda Samanage, a 3rd year undergraduate from Sri Lanka
>>> Institute of Information Technology, following the Software Engineering
>>> specialization.
>>>
>>>
>>> This is to convey my interest in implementing the OAuth 2.0 Dynamic
>>> Client Registration Management Protocol Support for Identity Server
>>> (Proposal 20) in GSoC 2017.
>>>
>>>
>>> I am well versed in Java and also familiar with Maven and Git. I have
>>> been involved in implementing an OAuth 2.0 and OpenID Connect related
>>> project for almost 7 months during my internship.
>>>
>>>
>>> I have already started to get familiar with WSO2 codebase and fixed the
>>> JIRA [1] where the pull request is already merged to the WSO2 codebase. I
>>> will continue fixing more open JIRA tickets on Identity Server. (If you can
>>> suggest some, that would be great too)
>>>
>>>
>>> In order to get ready for this project, I already setup OAuth 2.0
>>> Playground2 sample with Identity Server 5.3.0 and wrote the blog post [2]
>>> for sharing my experience. When running this flow, I faced an issue and
>>> raised it in the Dev mail [3] and have got the answer now.
>>>
>>>
>>> My GitHub profile can be found at [4].
>>>
>>>
>>> Therefore I believe I can learn the required concepts/technologies and
>>> implement this project for GSoC 2017.
>>>
>>>
>>> I appreciate if you can guide me on proceeding further with the project.
>>>
>>>
>>> [1] https://wso2.org/jira/browse/IDENTITY-5241
>>>
>>> [2] http://dinukshaish.blogspot.com/2017/02/getting-started-with-oauth-20-using.html
>>>
>>> [3] [Dev] Mandatory Claims in OAuth 2.0 with Identity Server 5.3.0
>>>
>>> [4] https://github.com/dinuish94
>>>
>>>
>>> Best Regards,
>>>
>>> Dinuksha
>>>
>>>
>>>
>>
>>
>> --
>> Ishara Karunarathna
>> Associate Technical Lead
>> WSO2 Inc. - lean . enterprise . middleware |  wso2.com
>>
>> email: isha...@wso2.com,   blog: isharaaruna.blogspot.com,   mobile:
>> +94717996791 <+94%2071%20799%206791>
>>
>>
>>
>


-- 
Ishara Karunarathna
Associate Technical Lead
WSO2 Inc. - lean . enterprise . middleware |  wso2.com

email: isha...@wso2.com,   blog: isharaaruna.blogspot.com,   mobile:
+94717996791


Re: [Dev] GSoC 2017 - Proposal 20: [IS] OAuth 2.0 Dynamic Client Registration Management Protocol Support

2017-02-23 Thread Ishara Karunarathna
Hi Dinuksha,

Thank you for your interest in GSoC and the effort on WSO2IS DCRM
implementation.
It’s great that you have already started working with IS code base.
Further you can go through current DCR implementation from
here[1] and go through that code.

You may find open jiras here[2]. Following are related to current DCR
implementation
https://wso2.org/jira/browse/IDENTITY-5185
https://wso2.org/jira/browse/IDENTITY-5184

Thanks,
Ishara

[1] https://github.com/wso2-extensions/identity-inbound-auth-oauth
[2]
https://wso2.org/jira/projects/IDENTITY/issues/IDENTITY-5723?filter=allopenissues


On Mon, Feb 20, 2017 at 4:45 PM, Dinuksha Ishwari <
dinuksha.ishw...@gmail.com> wrote:

> Hi All,
>
>
> I am Dinuksha Kanda Samanage, a 3rd year undergraduate from Sri Lanka
> Institute of Information Technology, following the Software Engineering
> specialization.
>
>
> This is to convey my interest in implementing the OAuth 2.0 Dynamic
> Client Registration Management Protocol Support for Identity Server
> (Proposal 20) in GSoC 2017.
>
>
> I am well versed in Java and also familiar with Maven and Git. I have been
> involved in implementing an OAuth 2.0 and OpenID Connect related project
> for almost 7 months during my internship.
>
>
> I have already started to get familiar with WSO2 codebase and fixed the
> JIRA [1] where the pull request is already merged to the WSO2 codebase. I
> will continue fixing more open JIRA tickets on Identity Server. (If you can
> suggest some, that would be great too)
>
>
> In order to get ready for this project, I already setup OAuth 2.0
> Playground2 sample with Identity Server 5.3.0 and wrote the blog post [2]
> for sharing my experience. When running this flow, I faced an issue and
> raised it in the Dev mail [3] and have got the answer now.
>
>
> My GitHub profile can be found at [4].
>
>
> Therefore I believe I can learn the required concepts/technologies and
> implement this project for GSoC 2017.
>
>
> I appreciate if you can guide me on proceeding further with the project.
>
>
> [1] https://wso2.org/jira/browse/IDENTITY-5241
>
> [2] http://dinukshaish.blogspot.com/2017/02/getting-started-with-oauth-20-using.html
>
> [3] [Dev] Mandatory Claims in OAuth 2.0 with Identity Server 5.3.0
>
> [4] https://github.com/dinuish94
>
>
> Best Regards,
>
> Dinuksha
>
>
>


-- 
Ishara Karunarathna
Associate Technical Lead
WSO2 Inc. - lean . enterprise . middleware |  wso2.com

email: isha...@wso2.com,   blog: isharaaruna.blogspot.com,   mobile:
+94717996791


Re: [Dev] SCIM User Add Operation in C5

2017-02-02 Thread Ishara Karunarathna
Hi All,

I think here we have a confusion between immutable attributes and unique
attributes.

*Immutable Attributes* : Will not change over time (using this
attribute we can track the identity over time)
*Unique Attribute* : this is unique to the system but can be changed over
time, and this can be tracked with an immutable attribute.

With the new design UserID would be the immutable attribute (but in read-only
identity stores this can be changed)
And user name is a unique attribute.

So in the new implementation also isUserExist should return true if there is a
user with the given user name. And this is applicable to all unique attributes.

Thanks,
Ishara


On Fri, Feb 3, 2017 at 9:42 AM, Farasath Ahamed <farasa...@wso2.com> wrote:

> IIRC, Our plan in C5 was to use the SCIM API for user signup, user
> provisioning etc.
>
> So if the username is a special attribute in SCIM while user core can
> accommodate duplicate usernames(ie. username need not be unique), when we
> use SCIM API in the product won't there be a mismatch?
>
>
>
> Farasath Ahamed
> Software Engineer, WSO2 Inc.; http://wso2.com
> Mobile: +94777603866
> Blog: blog.farazath.com
> Twitter: @farazath619 <https://twitter.com/farazath619>
> <http://wso2.com/signature>
>
>
>
> On Thu, Feb 2, 2017 at 7:41 PM, Gayan Gunawardana <ga...@wso2.com> wrote:
>
>>
>>
>> On Fri, Feb 3, 2017 at 8:29 AM, Johann Nallathamby <joh...@wso2.com>
>> wrote:
>>
>>> In our identity-mgt level we don't treat username as a special
>>> attribute. It's just another attribute. However in certain higher levels we
>>> may need to treat username as a special attribute. We do have a claim for
>>> username which I think is "http://wso2.org/claim/username". We can
>>> treat this claim as the username in higher level implementations.
>>>
>>> On Fri, Feb 3, 2017 at 4:12 AM, Chamila Wijayarathna <
>>> cdwijayarat...@gmail.com> wrote:
>>>
>>>> Hi Gayan,
>>>>
>>>> If we can add multiple users with same user name, why do we need to
>>>> avoid adding multiple users in SCIM? I don't get the point here.
>>>>
>>>> If we consider two users with same username as two entities in server
>>>> level, it won't be a duplicate resource creation IMO, it will be two
>>>> different resources with same username.
>>>>
>>>
>>> I guess what Gayan means is in SCIM 2.0 username is a special attribute
>>> and we can't have two users with same username attribute. It is a
>>> specification of SCIM 2.0.
>>>
>> Yes exactly. There should be a way to identify duplicate resource in the
>> context of SCIM. For user resource it is user name.
>>
>>>
>>>> Regards!
>>>>
>>>> On Fri, Feb 3, 2017 at 5:52 AM, Gayan Gunawardana <ga...@wso2.com>
>>>> wrote:
>>>>
>>>>> Hi All,
>>>>>
>>>>> In C4 user name was a unique identifier and we returned http response
>>>>> 409 (Conflict) if user name already exists [1]. In C5 user name is just
>>>>> another claim and we can add multiple users with same user name.
>>>>> IMO we should check isUserExist in SCIM level and avoid adding
>>>>> multiple users with same user name.
>>>>>
>>>>> WDYT ?
>>>>>
>>>>> [1] https://tools.ietf.org/html/rfc7644#section-3.12
>>>>>
>>>>> Thanks,
>>>>> Gayan
>>>>>
>>>>> --
>>>>> Gayan Gunawardana
>>>>> Software Engineer; WSO2 Inc.; http://wso2.com/
>>>>> Email: ga...@wso2.com
>>>>> Mobile: +94 (71) 8020933
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Chamila Dilshan Wijayarathna,
>>>> PhD Research Student
>>>> The University of New South Wales (UNSW Canberra)
>>>> Australian Centre for Cyber Security
>>>> Australian Defence Force Academy
>>>> PO Box 7916, Canberra BA ACT 2610
>>>> Australia
>>>> Mobile:(+61)416895795 <+61%20416%20895%20795>
>>>>
>>>>
>>>
>>>
>>> --
>>> Thanks & Regards,
>>>
>>> *Johann Dilantha Nallathamby*
>>> Technical Lead & Product Lead of WSO2 Identity Server
>>> Governance Technologies Team
>>> WSO2, Inc.
>>> lean.enterprise.middleware
>>>
>>> Mobile - *+9476950*
>>> Blog - *http://nallaa.wordpress.com <http://nallaa.wordpress.com>*
>>>
>>
>>
>>
>> --
>> Gayan Gunawardana
>> Software Engineer; WSO2 Inc.; http://wso2.com/
>> Email: ga...@wso2.com
>> Mobile: +94 (71) 8020933
>>
>>
>>
>
>
>


-- 
Ishara Karunarathna
Associate Technical Lead
WSO2 Inc. - lean . enterprise . middleware |  wso2.com

email: isha...@wso2.com,   blog: isharaaruna.blogspot.com,   mobile:
+94717996791
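
Added example (not part of the thread and not WSO2 code): a small Python user store that separates the immutable identifier from the unique userName, as the reply above describes, and answers a duplicate create with the SCIM 409 "uniqueness" error from RFC 7644 section 3.12. The class and method names are hypothetical; the case-insensitive comparison is an assumption based on userName being "caseExact": false in RFC 7643.

```python
import uuid

SCIM_ERROR = "urn:ietf:params:scim:api:messages:2.0:Error"


def scim_error(status, detail, scim_type=None):
    """Build a (status, body) pair in the SCIM error format of RFC 7644 3.12."""
    body = {"schemas": [SCIM_ERROR], "status": str(status), "detail": detail}
    if scim_type:
        body["scimType"] = scim_type
    return status, body


class UserStore:
    """In-memory store: 'id' is immutable, 'userName' is unique but changeable."""

    def __init__(self):
        self._users = {}       # immutable id -> {"id", "userName"}
        self._name_index = {}  # case-folded userName -> id

    def is_user_exist(self, user_name):
        # True whenever any user currently holds this unique attribute value.
        return user_name.casefold() in self._name_index

    def create(self, user_name):
        if self.is_user_exist(user_name):
            return scim_error(409, f"userName {user_name!r} is already in use",
                              "uniqueness")
        user_id = str(uuid.uuid4())
        self._users[user_id] = {"id": user_id, "userName": user_name}
        self._name_index[user_name.casefold()] = user_id
        return 201, dict(self._users[user_id])

    def replace(self, user_id, attrs):
        user = self._users.get(user_id)
        if user is None:
            return scim_error(404, f"no user with id {user_id!r}")
        # The immutable attribute can never be rewritten by a client.
        if attrs.get("id", user_id) != user_id:
            return scim_error(400, "id is immutable", "mutability")
        new_name = attrs.get("userName", user["userName"])
        owner = self._name_index.get(new_name.casefold())
        if owner not in (None, user_id):
            return scim_error(409, f"userName {new_name!r} is already in use",
                              "uniqueness")
        # Move the unique value; the identity is still tracked by the same id.
        del self._name_index[user["userName"].casefold()]
        self._name_index[new_name.casefold()] = user_id
        user["userName"] = new_name
        return 200, dict(user)


if __name__ == "__main__":
    store = UserStore()
    _, alice = store.create("alice")
    print(store.create("Alice"))                              # 409 uniqueness
    print(store.replace(alice["id"], {"userName": "alice.w"}))  # same id, new name
    print(store.create("alice"))                              # name is free again
```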


Re: [Dev] [Architecture] Account Lock/Disable Feature in IS 6.0.0

2017-01-20 Thread Ishara Karunarathna
Hi

On Fri, Jan 20, 2017 at 4:28 PM, Rushmin Fernando <rush...@wso2.com> wrote:

> Isura, as per my understanding, in most cases 'inactive' users are
> treated as non-existing users.
>
> So from the domain model side we should have a method to
>
>  get the active users (since this is the default case, we can even name
> the method getUsers())
>
> and another method to
>
>  get the users including inactive users
>
+1 for this. Ideally in all user operations we can filter out the inactive
users.
Ex: in JDBC user stores we may accound_inactive claim; in LDAP we can filter
out with the UserAccountControl attribute.

>
> When it comes to operations, we anyway have to have an interceptor in the
> authentication flow to refuse locked users (inactive users will not even be
> considered)
>
One downside is performance. If we check this beforehand in authentication, it
will reduce the performance.
So if the user store (identity store) supports account locking, it is better
to use that implementation. If not, we have to explicitly check the
account lock property.

-Ishara


>
>
> On Fri, Jan 20, 2017 at 3:32 PM, Isura Karunaratne <is...@wso2.com> wrote:
>
>> Hi all,
>>
>>
>> We are working on implementing account lock/disable features for IS
>> 6.0.0.
>>
>> *Account Lock: *
>>
>>- User *must not *be able to login to the system.
>>- Admin user *can* update the user attributes and assign roles
>>(account is active)
>>- User cannot start a  password recovery flow.
>>
>> *Account Disable: *
>>
>>- User *must not* be able to login to the system.
>>- Admin user *can not* update the user attributes and cannot assign
>>roles until enabling the account. (inactive state)
>>- User cannot start a  password recovery flow.
>>
>>
>>
>> *When will the account be locked?*
>>
>>
>>
>>- Self Signup users until account confirmation
>>- Try to login with invalid credentials more than configured number
>>of attempts. Then the account will be locked configured amount of time.
>>(Like 5 minutes). This lock time will be increased if the user is locked again
>>based on a configuration.
>>- Provide invalid answers more than configured number of attempts,
>>when password recovery
>>- User onboarding with Email/SMS verification flow.
>>- When admin needs to block the user to login to the system
>>- When admin initiated password reset flow starts.
>>
>>
>>
>> *When will the account be disabled?*
>>
>>
>>
>>
>>
>>- When admin needs to inactivate user.
>>
>>
>>
>> What is the best way to handle the account disable check? We can do this from an
>> interceptor level, then we need to check account disable in each operation.
>>
>> Thanks
>> Isura.
>>
>>
>>
>>
>>
>> *Isura Dilhara Karunaratne*
>> Senior Software Engineer | WSO2
>> Email: is...@wso2.com
>> Mob : +94 772 254 810 <+94%2077%20225%204810>
>> Blog : http://isurad.blogspot.com/
>>
>>
>>
>>
>> ___
>> Architecture mailing list
>> architect...@wso2.org
>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>
>>
>
>
> --
> *Best Regards*
>
> *Rushmin Fernando*
> *Technical Lead*
>
> WSO2 Inc. <http://wso2.com/> - Lean . Enterprise . Middleware
>
> mobile : +94775615183
>
>
>


-- 
Ishara Karunarathna
Associate Technical Lead
WSO2 Inc. - lean . enterprise . middleware |  wso2.com

email: isha...@wso2.com,   blog: isharaaruna.blogspot.com,   mobile:
+94717996791
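
Added example (not part of the thread and not WSO2 code): the lock and disable rules listed in the quoted proposal, with the growing lock time and the active-users filter discussed in the replies, modelled in Python. All names, the three-attempt threshold and the doubling factor are assumptions; only the 5 minute base lock comes from the thread.

```python
import math
from dataclasses import dataclass, field


@dataclass
class LockPolicy:
    max_failed_attempts: int = 3   # assumed threshold
    base_lock_seconds: int = 300   # "Like 5 minutes" in the thread
    lock_time_multiplier: int = 2  # assumed growth per repeated lock


@dataclass
class Account:
    username: str
    disabled: bool = False         # inactive state: admin updates refused
    locked_until: float = None     # math.inf = locked until explicitly unlocked
    failed_attempts: int = 0
    lock_count: int = 0
    attributes: dict = field(default_factory=dict)


def is_locked(acct, now):
    return acct.locked_until is not None and now < acct.locked_until


def login(acct, credentials_ok, now, policy):
    """Return DISABLED, LOCKED, FAILED or OK for one authentication attempt."""
    # State is checked before credentials, so a locked or disabled account
    # gives the same answer whether or not the password was right.
    if acct.disabled:
        return "DISABLED"
    if is_locked(acct, now):
        return "LOCKED"
    if credentials_ok:
        acct.failed_attempts = 0
        return "OK"
    acct.failed_attempts += 1
    if acct.failed_attempts >= policy.max_failed_attempts:
        # Each repeated lock lasts longer than the previous one.
        duration = (policy.base_lock_seconds
                    * policy.lock_time_multiplier ** acct.lock_count)
        acct.locked_until = now + duration
        acct.lock_count += 1
        acct.failed_attempts = 0
        return "LOCKED"
    return "FAILED"


def admin_update(acct, **attrs):
    """Locked accounts can still be edited by an admin; disabled ones cannot."""
    if acct.disabled:
        return False
    acct.attributes.update(attrs)
    return True


def start_password_recovery(acct, now):
    """Neither a locked nor a disabled user may start password recovery."""
    return not (acct.disabled or is_locked(acct, now))


def get_users(accounts, include_inactive=False):
    """Default listing hides disabled (inactive) users; locked users stay visible."""
    return [a for a in accounts if include_inactive or not a.disabled]


if __name__ == "__main__":
    policy = LockPolicy()
    alice = Account("alice")
    print([login(alice, False, t, policy) for t in (0, 1, 2)])
    print("locked until", alice.locked_until)
    print("correct password while locked:", login(alice, True, 100, policy))
    # Constructed case: self sign-up account awaiting confirmation.
    pending = Account("carol", locked_until=math.inf)
    print("pending sign-up:", login(pending, True, 10**9, policy))
```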


Re: [Dev] [IS6 M1] LDAP Userstore implementation and documentation

2017-01-15 Thread Ishara Karunarathna
On Mon, Jan 16, 2017 at 10:24 AM, Niranjan Karunanandham <niran...@wso2.com>
wrote:

> Hi IsharaK,
>
> AFAIR we did not have a code review on this. Can you organize one please
> before we can merge the PR?
>
Niranjan We did this after the Thanus one, and we need thanus PR merged

>
> Regards,
> Nira
>
> On Sun, Jan 15, 2017 at 7:14 AM, Samuel Gnaniah <sam...@wso2.com> wrote:
>
>> I checked the readme in Github and it doesn't have any content added. Is
>> it possible to provide tested steps for this for documentation?
>>
>> Also, will this be common to all C5 products or is it only for IS?
>>
>> *Samuel Gnaniah*
>> Lead Technical Writer
>>
>> WSO2 (pvt.) Ltd.
>> Colombo, Sri Lanka
>> (+94) 773131798 <+94%2077%20313%201798>
>>
>> On Sat, Jan 14, 2017 at 10:41 PM, KasunG Gajasinghe <kas...@wso2.com>
>> wrote:
>>
>>>
>>>
>>> On Sat, Jan 14, 2017 at 9:29 PM, Ishara Karunarathna <isha...@wso2.com>
>>> wrote:
>>>
>>>> Hi Kasun,
>>>>
>>>> On Sat, Jan 14, 2017 at 6:58 PM, KasunG Gajasinghe <kas...@wso2.com>
>>>> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> Opening this thread to keep track of the LDAP userstore feature that
>>>>> goes into the M1. We are on the final stage of this implementation which is
>>>>> maintained at [1]. @Ishara is working on this.
>>>>>
>>>> Are we going to track all the features via mails ?
>>>> I think all should be tracked with users stories.
>>>>
>>>
>>> Yes. User stories and mails serve for two different purposes, isn't it?
>>> This is to have discussions, make sure that everyone is on the same page.
>>>
>>>
>>>
>>>>
>>>>> We need to get the PR for carbon-jndi merged [2] since the current
>>>>> JNDI impl does not load JNDI providers coming from the JRE.
>>>>>
>>>>> @Samuel, please note on docs.
>>>>>
>>>>> [1] https://github.com/wso2-extensions/carbon-security-user-store-ldap
>>>>> [2] https://github.com/wso2/carbon-jndi/pull/32
>>>>>
>>>>> --
>>>>>
>>>>> *Kasun Gajasinghe*Associate Technical Lead, WSO2 Inc.
>>>>> email: kasung AT spamfree wso2.com
>>>>> linked-in: http://lk.linkedin.com/in/gajasinghe
>>>>> blog: http://kasunbg.org
>>>>> phone: +1 650-745-4499 <(650)%20745-4499>, 77 678 0813
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Ishara Karunarathna
>>>> Associate Technical Lead
>>>> WSO2 Inc. - lean . enterprise . middleware |  wso2.com
>>>>
>>>> email: isha...@wso2.com,   blog: isharaaruna.blogspot.com,   mobile:
>>>> +94717996791
>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>>
>>> *Kasun Gajasinghe*Associate Technical Lead, WSO2 Inc.
>>> email: kasung AT spamfree wso2.com
>>> linked-in: http://lk.linkedin.com/in/gajasinghe
>>> blog: http://kasunbg.org
>>> phone: +1 650-745-4499, 77 678 0813
>>>
>>>
>>
>>
>
>
> --
>
>
> *Niranjan Karunanandham*
> Associate Technical Lead - WSO2 Inc.
> WSO2 Inc.: http://www.wso2.com
>
>


-- 
Ishara Karunarathna
Associate Technical Lead
WSO2 Inc. - lean . enterprise . middleware |  wso2.com

email: isha...@wso2.com,   blog: isharaaruna.blogspot.com,   mobile:
+94717996791
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


Re: [Dev] [IS6 M1] LDAP Userstore implementation and documentation

2017-01-14 Thread Ishara Karunarathna
Hi Kasun,

On Sat, Jan 14, 2017 at 6:58 PM, KasunG Gajasinghe <kas...@wso2.com> wrote:

> Hi,
>
> Opening this thread to keep track of the LDAP userstore feature that goes
> into the M1. We are on the final stage of this implementation which is
> maintained at [1]. @Ishara is working on this.
>
Are we going to track all the features via mails?
I think all should be tracked with user stories.

>
> We need to get the PR for carbon-jndi merged [2] since the current JNDI
> impl does not load JNDI provides coming from the JRE.
>
> @Samuel, please note on docs.
>
> [1] https://github.com/wso2-extensions/carbon-security-user-store-ldap
> [2] https://github.com/wso2/carbon-jndi/pull/32
>
> --
>
> *Kasun Gajasinghe*Associate Technical Lead, WSO2 Inc.
> email: kasung AT spamfree wso2.com
> linked-in: http://lk.linkedin.com/in/gajasinghe
> blog: http://kasunbg.org
> phone: +1 650-745-4499, 77 678 0813
>
>



-- 
Ishara Karunarathna
Associate Technical Lead
WSO2 Inc. - lean . enterprise . middleware |  wso2.com

email: isha...@wso2.com,   blog: isharaaruna.blogspot.com,   mobile:
+94717996791


Re: [Dev] [VOTE] Release WSO2 Identity Server 5.3.0- RC3

2017-01-08 Thread Ishara Karunarathna
Hi,

Tested,
OAuth Discovery
OAuth DCR
IS Analytics with IS Runtime.

Worked fine without any issues.
[+] Stable - go ahead and release

-Ishara


On Fri, Jan 6, 2017 at 10:06 PM, Pulasthi Mahawithana <pulast...@wso2.com>
wrote:

> Hi All,
>
> This is the 3rd Release Candidate of WSO2 Identity Server 5.3.0.
>
> Please download, test the product and vote. Vote will be open for 72 hours
> or as needed.
>
> This release fixes the following issues:
>
> Runtime : https://wso2.org/jira/issues/?filter=13612
> Analytics : https://wso2.org/jira/issues/?filter=13614
>
> Source and distribution
>
> Run-time : https://github.com/wso2/product-is/releases/tag/v5.3.0-rc3
> Analytics : https://github.com/wso2/analytics-is/releases/tag/v5.3.0-rc3
>
> Please vote as follows.
> [+] Stable - go ahead and release
> [-] Broken - do not release (explain why)
>
> Thanks,
> - WSO2 Identity Server Team -
>
> --
> *Pulasthi Mahawithana*
> Senior Software Engineer
> WSO2 Inc., http://wso2.com/
> Mobile: +94-71-5179022
> Blog: http://blog.pulasthi.org
>
> <https://wso2.com/signature>
>
> ___
> Dev mailing list
> Dev@wso2.org
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>
>


-- 
Ishara Karunarathna
Associate Technical Lead
WSO2 Inc. - lean . enterprise . middleware |  wso2.com

email: isha...@wso2.com,   blog: isharaaruna.blogspot.com,   mobile:
+94717996791


Re: [Dev] C5 Carbon JNDI implementation does not support for LDAP

2017-01-08 Thread Ishara Karunarathna
Hi Kishanthan,

I have added support to load built-in JRE providers [1]. Since the JRE already
has an LDAP provider, we can use this.

-Ishara
[1] https://github.com/wso2/carbon-jndi/pull/32



On Wed, Jan 4, 2017 at 4:37 PM, Kishanthan Thangarajah <kishant...@wso2.com>
wrote:

>
>
> On Tue, Jan 3, 2017 at 11:24 AM, Ishara Karunarathna <isha...@wso2.com>
> wrote:
>
>> Hi Kernel team,
>>
>> Current carbon JNDI Implementation does not support for LDAPs. Basically
>> it does not support for
>> DirContext operations.
>>
>
> We did not have a requirement to support this that is why it is not
> implemented. Since IS will mostly be using LDAP related JNDI lookups and it
> should be supported with the provider implementation (may be apache
> directory and need to check whether this would work with jre supported
> providers), it is best that if you guys can work on it and add to
> carbon-jndi?
>
>
>
>> In addition to that it need to support to load JRE supported context
>> providers.
>>
>> To implement LDAP connector for User management core in C5 base IS we
>> need this.
>> Can we get improvement  ?
>>
>> Thanks,
>> Ishara
>>
>> --
>> Ishara Karunarathna
>> Associate Technical Lead
>> WSO2 Inc. - lean . enterprise . middleware |  wso2.com
>>
>> email: isha...@wso2.com,   blog: isharaaruna.blogspot.com,   mobile:
>> +94717996791
>>
>>
>>
>
>
> --
> *Kishanthan Thangarajah*
> Technical Lead,
> Platform Technologies Team,
> WSO2, Inc.
> lean.enterprise.middleware
>
> Mobile - +94773426635
> Blog - http://kishanthan.wordpress.com
> Twitter - http://twitter.com/kishanthan
>



-- 
Ishara Karunarathna
Associate Technical Lead
WSO2 Inc. - lean . enterprise . middleware |  wso2.com

email: isha...@wso2.com,   blog: isharaaruna.blogspot.com,   mobile:
+94717996791


Re: [Dev] [IS] [C5] Self sign-up in C5 User Portal

2017-01-02 Thread Ishara Karunarathna
On Tue, Jan 3, 2017 at 12:52 PM, Johann Nallathamby <joh...@wso2.com> wrote:

> What are the new user stories we are trying to implement that are not
> already there in IS 5.3.0? Can we come up with a list of new requirements?
> Isn't most of the above user stories already there in IS 5.3.0?
>
Yes, in 5.3.0 we have an almost complete user store. But when it comes to the C5
implementation, we can't cover it with a single milestone release, so we need
to start with a simple user story and use different versions of that, adding
other use cases associated with it.

-Ishara


> On Tue, Jan 3, 2017 at 10:30 AM, Ishara Karunarathna <isha...@wso2.com>
> wrote:
>
>> Hi Indunil,
>>
>> When we think about self sign up.
>> basic use case is User comes to self sign up page and add his user
>> informations, system will create a account and let user to login.
>>
>> But there are lot of associated use cases with this. For example.
>> 1. Once user self signed up need to send a verification mail.
>> 2. self sign up should go through a approval process.
>> 3. User should be assign to a particular roles.
>>
>> To cater those requirements we need additional features.  And we may need
>> several version of this user story to complete this feature.
>> For the 1st implementation better to implement the simple case. where use
>> self sign up and login (with login permission only )
>>
>> Thanks,
>> -Ishara
>>
>>
>>
>> On Tue, Jan 3, 2017 at 9:54 AM, Indunil Upeksha Rathnayake <
>> indu...@wso2.com> wrote:
>>
>>> Hi,
>>>
>>> In IS C5, we are currently implementing self sign-up in the User Portal
>>> and having following considerations regarding the self sign-up
>>> functionality.
>>>
>>> what would be the correct way of achieving self sign-up and would like
>>> to know how it has been implemented in other C5 based products.
>>> If self sign up is enabled, *users should be create their own user
>>> accounts and will be able to logged in immediately?* or there should be
>>> an *account confirmation through the email* which helps to confirm an
>>> actual user? or there should be configurations to enable/disable both
>>> registration and account confirmation?
>>>
>>> And when it comes to self sign-up, specially if there are no account
>>> confirmation, in C5, I think it's better to include improvements such as a
>>> way to *allow anyone to sign up (no restrictions) or restrict users to
>>> specific domains* and also a way to choose whether *administrators
>>> should receive an email when a new account is created*.
>>>
>>> I would appreciate your ideas/suggestions on this.
>>>
>>> Thanks and Regards
>>> --
>>> Indunil Upeksha Rathnayake
>>> Software Engineer | WSO2 Inc
>>> Email    indu...@wso2.com
>>> Mobile   0772182255
>>>
>>
>>
>>
>> --
>> Ishara Karunarathna
>> Associate Technical Lead
>> WSO2 Inc. - lean . enterprise . middleware |  wso2.com
>>
>> email: isha...@wso2.com,   blog: isharaaruna.blogspot.com,   mobile:
>> +94717996791
>>
>>
>>
>
>
> --
> Thanks & Regards,
>
> *Johann Dilantha Nallathamby*
> Technical Lead & Product Lead of WSO2 Identity Server
> Governance Technologies Team
> WSO2, Inc.
> lean.enterprise.middleware
>
> Mobile - *+9476950*
> Blog - http://nallaa.wordpress.com
>



-- 
Ishara Karunarathna
Associate Technical Lead
WSO2 Inc. - lean . enterprise . middleware |  wso2.com

email: isha...@wso2.com,   blog: isharaaruna.blogspot.com,   mobile:
+94717996791


[Dev] C5 Carbon JNDI implementation does not support for LDAP

2017-01-02 Thread Ishara Karunarathna
Hi Kernel team,

The current Carbon JNDI implementation does not support LDAPs. Basically, it
does not support DirContext operations. In addition, it needs to support
loading JRE-supported context providers.

We need this to implement the LDAP connector for the user management core in
C5-based IS.
Can we get this improvement?

Thanks,
Ishara

-- 
Ishara Karunarathna
Associate Technical Lead
WSO2 Inc. - lean . enterprise . middleware |  wso2.com

email: isha...@wso2.com,   blog: isharaaruna.blogspot.com,   mobile:
+94717996791


Re: [Dev] [IS] [C5] Self sign-up in C5 User Portal

2017-01-02 Thread Ishara Karunarathna
Hi Indunil,

When we think about self sign-up, the basic use case is that a user comes to
the self sign-up page and adds his user information; the system will create an
account and let the user log in.

But there are a lot of associated use cases with this. For example:
1. Once a user has self signed up, we need to send a verification mail.
2. Self sign-up should go through an approval process.
3. The user should be assigned to particular roles.

To cater to those requirements we need additional features, and we may need
several versions of this user story to complete this feature.
For the 1st implementation it is better to implement the simple case, where a
user self signs up and logs in (with login permission only).

Thanks,
-Ishara



On Tue, Jan 3, 2017 at 9:54 AM, Indunil Upeksha Rathnayake <indu...@wso2.com
> wrote:

> Hi,
>
> In IS C5, we are currently implementing self sign-up in the User Portal
> and having following considerations regarding the self sign-up
> functionality.
>
> what would be the correct way of achieving self sign-up and would like to
> know how it has been implemented in other C5 based products.
> If self sign up is enabled, *users should be create their own user
> accounts and will be able to logged in immediately?* or there should be
> an *account confirmation through the email* which helps to confirm an
> actual user? or there should be configurations to enable/disable both
> registration and account confirmation?
>
> And when it comes to self sign-up, specially if there are no account
> confirmation, in C5, I think it's better to include improvements such as a
> way to *allow anyone to sign up (no restrictions) or restrict users to
> specific domains* and also a way to choose whether *administrators should
> receive an email when a new account is created*.
>
> I would appreciate your ideas/suggestions on this.
>
> Thanks and Regards
> --
> Indunil Upeksha Rathnayake
> Software Engineer | WSO2 Inc
> Email    indu...@wso2.com
> Mobile   0772182255
>



-- 
Ishara Karunarathna
Associate Technical Lead
WSO2 Inc. - lean . enterprise . middleware |  wso2.com

email: isha...@wso2.com,   blog: isharaaruna.blogspot.com,   mobile:
+94717996791


Re: [Dev] Delete operation on /Me endpoint in SCIM 2.0

2016-11-10 Thread Ishara Karunarathna
Hi,

As I remember, we are not supporting this with the C4 user core.
But it is better to support this, and then we should be able to associate a
workflow to set some approval for deleted users.

-Ishara


On Fri, Nov 11, 2016 at 10:27 AM, Vindula Jayawardana <vind...@wso2.com>
wrote:

> Hi All,
>
> In SCIM /Me endpoint, an authenticated user should be able to delete
> himself as mentioned in specification [1]. However when I try to do that
> using the current user core, I get a user store exception saying
> 'LoggedInUser Cannot delete logged in user'.
>
> One way of how I can handle this is , as mentioned in specification itself
> [2], can respond to HTTP DELETE on /Me endpoint with a HTTP status code 501
> as we can not support it. Or else is there any other good way of handling
> this ?
>
> Any thoughts on this is highly appreciated.
>
> [1] https://tools.ietf.org/html/rfc7644#section-3.2
> [2] https://tools.ietf.org/html/rfc7644#section-3.11
> --
> *Vindula Jayawardana*
> Trainee Software Engineer
> Mobile : +94 713 462554
> Email : vind...@wso2.com
>



-- 
Ishara Karunarathna
Associate Technical Lead
WSO2 Inc. - lean . enterprise . middleware |  wso2.com

email: isha...@wso2.com,   blog: isharaaruna.blogspot.com,   mobile:
+94717996791
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
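
The options discussed in this thread for HTTP DELETE on /Me, as an added Python example that is not WSO2 code: it goes beyond the 501 case raised above and also shows the two other responses RFC 7644 section 3.11 allows (a 308 redirect, or processing the request directly). The store class, the mode names, the 401 branch and the user ids are constructed assumptions for illustration.

```python
import json

SCIM_ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"
SCIM_MEDIA_TYPE = "application/scim+json"


class SelfDeleteRefused(Exception):
    """Raised when the store will not let the logged-in user delete itself."""


class InMemoryUserStore:
    """Constructed stand-in for a user store (hypothetical, not a WSO2 API)."""

    def __init__(self, user_ids, allow_self_delete):
        self.user_ids = set(user_ids)
        self.allow_self_delete = allow_self_delete

    def delete(self, user_id, acting_user_id):
        if user_id not in self.user_ids:
            raise KeyError(user_id)
        # Mirrors the behaviour reported in the thread: the store refuses
        # to delete the user who is currently logged in.
        if user_id == acting_user_id and not self.allow_self_delete:
            raise SelfDeleteRefused("Cannot delete logged in user")
        self.user_ids.remove(user_id)


def scim_error(status, detail):
    """Build a SCIM error response; RFC 7644 carries 'status' as a string."""
    body = {"schemas": [SCIM_ERROR_SCHEMA], "status": str(status), "detail": detail}
    return status, {"Content-Type": SCIM_MEDIA_TYPE}, json.dumps(body)


def handle_me_delete(store, authenticated_user_id, me_mode):
    """Answer DELETE /Me and return (status, headers, body).

    me_mode is a constructed setting:
      "unsupported" -> 501 Not Implemented
      "redirect"    -> 308 to the authenticated subject's own resource
      "direct"      -> delete the authenticated subject
    The target is always taken from the authenticated session, never from
    anything the client sends, so /Me cannot be pointed at another user.
    """
    if authenticated_user_id is None:
        # Assumption: an unauthenticated caller gets a plain 401.
        return scim_error(401, "Authentication is required for /Me.")

    if me_mode == "unsupported":
        return scim_error(501, "DELETE on /Me is not supported.")

    if me_mode == "redirect":
        return 308, {"Location": "/Users/" + authenticated_user_id}, ""

    if me_mode != "direct":
        raise ValueError("unknown me_mode: %r" % (me_mode,))

    try:
        store.delete(authenticated_user_id, acting_user_id=authenticated_user_id)
    except KeyError:
        return scim_error(404, "Resource for the authenticated subject not found.")
    except SelfDeleteRefused:
        # The store cannot perform the operation, so report it as not
        # implemented instead of leaking the internal exception text.
        return scim_error(501, "DELETE on /Me is not supported by the user store.")

    # A successful SCIM DELETE returns 204 No Content.
    return 204, {}, ""


if __name__ == "__main__":
    demo_store = InMemoryUserStore({"u1", "u2"}, allow_self_delete=False)
    for mode in ("unsupported", "redirect", "direct"):
        print(mode, handle_me_delete(demo_store, "u1", mode))
```
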


Re: [Dev] [IS] What are the REST APIs in WSO2IS-5.3.0 that need to be secured?

2016-10-20 Thread Ishara Karunarathna
On Thu, Oct 20, 2016 at 1:40 PM, Harsha Thirimanna <hars...@wso2.com> wrote:

>
>
> *Harsha Thirimanna*
> Associate Tech Lead | WSO2
>
> Email: hars...@wso2.com
> Mob: +94715186770
> Blog: http://harshathirimanna.blogspot.com/
> Twitter: http://twitter.com/harshathirimann
> Linked-In: linked-in: http://www.linkedin.com/pub/
> harsha-thirimanna/10/ab8/122
> <http://wso2.com/signature>
>
> On Thu, Oct 20, 2016 at 1:39 PM, Harsha Thirimanna <hars...@wso2.com>
> wrote:
>
>> Moving to DEV...
>>
>> *Harsha Thirimanna*
>> Associate Tech Lead | WSO2
>>
>> Email: hars...@wso2.com
>> Mob: +94715186770
>> Blog: http://harshathirimanna.blogspot.com/
>> Twitter: http://twitter.com/harshathirimann
>> Linked-In: linked-in: http://www.linkedin.com/pub/ha
>> rsha-thirimanna/10/ab8/122
>> <http://wso2.com/signature>
>>
>> On Thu, Oct 20, 2016 at 12:49 PM, Harsha Thirimanna <hars...@wso2.com>
>> wrote:
>>
> Hi,

At this point I don't think that it's a good idea to remove the already available
authentication mechanism and use this instead for secured APIs, since those
may have some logic those APIs need.

Instead, only check with the REST APIs that need security.
WDYT?

-Ishara

> If there any REST API that already secured within itself the feature, then
>>> we have to remove it and use this. As ex : DCR. in DCR we expect user in
>>> request payload for now and that APIs are not secured. After apply this we
>>> can remove the user from request payload and rely on this. And same as we
>>> may have to check other REST APIs whether those are rely on any other
>>> secure mechanism.
>>>
>>> @Isura, Can you please confirm in identity management REST API like
>>> inforecovery ?
>>>
>>> @Ayesha,
>>> Ishara already test the DCR and you can fix that removing user in
>>> payload, apply this and test.
>>>
>>> *Harsha Thirimanna*
>>> Associate Tech Lead | WSO2
>>>
>>> Email: hars...@wso2.com
>>> Mob: +94715186770
>>> Blog: http://harshathirimanna.blogspot.com/
>>> Twitter: http://twitter.com/harshathirimann
>>> Linked-In: linked-in: http://www.linkedin.com/pub/ha
>>> rsha-thirimanna/10/ab8/122
>>> <http://wso2.com/signature>
>>>
>>> On Thu, Oct 20, 2016 at 12:34 PM, Ishara Karunarathna <isha...@wso2.com>
>>> wrote:
>>>
>>>> Hi Ayesha,
>>>>
>>>> This feature provide a authentication layer in front of any unsecured
>>>> REST APIs. So do we need to test this with all the REST APIs ?
>>>>
>>>> -Ishara
>>>>
>>>>
>>>> On Thu, Oct 20, 2016 at 12:05 PM, Ayesha Dissanayaka <aye...@wso2.com>
>>>> wrote:
>>>>
>>>>> Hi all,
>>>>>
>>>>> I have started testing the"Generic Authentication Mechanism to all the
>>>>> REST APIs" feature [1] in IS-5.3.0.
>>>>> Please mention details on REST APIs in IS services which needs to be
>>>>> secured, so that I can test those APIs with this feature.
>>>>>
>>>>> [1] https://wso2.org/jira/browse/IDENTITY-4742
>>>>>
>>>>> Thanks!
>>>>> -Ayesha
>>>>>
>>>>> --
>>>>> *Ayesha Dissanayaka*
>>>>> Software Engineer,
>>>>> WSO2, Inc : http://wso2.com
>>>>> 20, Palmgrove Avenue, Colombo 3
>>>>> E-Mail: aye...@wso2.com <ayshsa...@gmail.com>
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Ishara Karunarathna
>>>> Associate Technical Lead
>>>> WSO2 Inc. - lean . enterprise . middleware |  wso2.com
>>>>
>>>> email: isha...@wso2.com,   blog: isharaaruna.blogspot.com,   mobile:
>>>> +94717996791
>>>>
>>>>
>>>>
>>>
>>
>
> ___
> Dev mailing list
> Dev@wso2.org
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>
>


-- 
Ishara Karunarathna
Associate Technical Lead
WSO2 Inc. - lean . enterprise . middleware |  wso2.com

email: isha...@wso2.com,   blog: isharaaruna.blogspot.com,   mobile:
+94717996791


[Dev] login with multiple user stores

2016-10-05 Thread Ishara Karunarathna
Hi All,

While going through Apache Shiro, I noticed that it supports login with
multiple realms and provides a unified view of a user [1].
This is something similar to our domain model, where a user exists in multiple
identity stores and credential stores with C5.

Better to have a look at this when we model our C5 API.

Thanks,
Ishara
[1] http://shiro.apache.org/authentication-features.html

-- 
Ishara Karunarathna
Associate Technical Lead
WSO2 Inc. - lean . enterprise . middleware |  wso2.com

email: isha...@wso2.com,   blog: isharaaruna.blogspot.com,   mobile:
+94717996791


Re: [Dev] [Architecture] OSGI Service to provision users and roles based on the SAML response.

2016-09-29 Thread Ishara Karunarathna
tion in the end. The same happened to Carbon components. We have so
>>>>>> many components and can't make the head or tail out of it.
>>>>>>
>>>>>> thanks,
>>>>>> Dimuthu
>>>>>>
>>>>>>
>>>>>>> Thanks & Regards,
>>>>>>> Ishara Cooray
>>>>>>> Senior Software Engineer
>>>>>>> Mobile : +9477 262 9512
>>>>>>> WSO2, Inc. | http://wso2.com/
>>>>>>> Lean . Enterprise . Middleware
>>>>>>>
>>>>>>> On Wed, Aug 31, 2016 at 1:43 PM, Ishara Cooray <isha...@wso2.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> + Prabath, Johann
>>>>>>>>
>>>>>>>> Thanks & Regards,
>>>>>>>> Ishara Cooray
>>>>>>>> Senior Software Engineer
>>>>>>>> Mobile : +9477 262 9512
>>>>>>>> WSO2, Inc. | http://wso2.com/
>>>>>>>> Lean . Enterprise . Middleware
>>>>>>>>
>>>>>>>> On Wed, Aug 31, 2016 at 1:27 PM, Pamod Sylvester <pa...@wso2.com>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>> Would it make sense to have it under "user-mgt.xml" ?
>>>>>>>>>
>>>>>>>>> On Wed, Aug 31, 2016 at 1:00 PM, Ishara Cooray <isha...@wso2.com>
>>>>>>>>> wrote:
>>>>>>>>>
>>>>>>>>>> Hi,
>>>>>>>>>> I am working on the $Subject.
>>>>>>>>>>
>>>>>>>>>> *Motivation:*
>>>>>>>>>> I have a use case where I want to authorize users who are logged
>>>>>>>>>> into API publisher/store but APIM does not have access to the underlying
>>>>>>>>>> user store.
>>>>>>>>>>
>>>>>>>>>> *Plan:*
>>>>>>>>>> The plan is to write an OSGi service that should do the Just In
>>>>>>>>>> Time provisioning before the permission check to authorize the user. And it
>>>>>>>>>> will get the roles from the SAML response and do the provisioning.
>>>>>>>>>>
>>>>>>>>>> But we will have to do the same role/permission mapping manually
>>>>>>>>>> for now.
>>>>>>>>>>
>>>>>>>>>> If we write a generic service  we can plug it into any wso2
>>>>>>>>>> product that need JIT provision initiated by the Service provider.
>>>>>>>>>> However we need to maintain few configurations here.
>>>>>>>>>>
>>>>>>>>>>    1. isServiceProvierInitiatedJITProvisioningEnabled
>>>>>>>>>>    2. User store to be provisioned
>>>>>>>>>>    3. Implementation class (extension point)
>>>>>>>>>>
>>>>>>>>>> What could be the best place to maintain this configuration if
>>>>>>>>>> the component is written as a generic component to any wso2 product?
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Thanks & Regards,
>>>>>>>>>> Ishara Cooray
>>>>>>>>>> Senior Software Engineer
>>>>>>>>>> Mobile : +9477 262 9512
>>>>>>>>>> WSO2, Inc. | http://wso2.com/
>>>>>>>>>> Lean . Enterprise . Middleware
>>>>>>>>>>
>>>>>>>>>> ___
>>>>>>>>>> Architecture mailing list
>>>>>>>>>> architect...@wso2.org
>>>>>>>>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> *Pamod Sylvester *
>>>>>>>>>
>>>>>>>>> *WSO2 Inc.; http://wso2.com <http://wso2.com>*
>>>>>>>>> cell: +94 77 7779495
>>>>>>>>>
>>>>>>>>> ___
>>>>>>>>> Architecture mailing list
>>>>>>>>> architect...@wso2.org
>>>>>>>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>> ___
>>>>>>> Architecture mailing list
>>>>>>> architect...@wso2.org
>>>>>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Dimuthu Leelarathne
>>>>>> Director, Solutions Architecture
>>>>>>
>>>>>> WSO2, Inc. (http://wso2.com)
>>>>>> email: dimut...@wso2.com
>>>>>> Mobile: +94773661935
>>>>>> Blog: http://muthulee.blogspot.com
>>>>>>
>>>>>> Lean . Enterprise . Middleware
>>>>>>
>>>>>> ___
>>>>>> Dev mailing list
>>>>>> Dev@wso2.org
>>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>>
>>>>> Best Regards,
>>>>>
>>>>> Malaka Silva
>>>>> Senior Technical Lead
>>>>> M: +94 777 219 791
>>>>> Tel : 94 11 214 5345
>>>>> Fax :94 11 2145300
>>>>> Skype : malaka.sampath.silva
>>>>> LinkedIn : http://www.linkedin.com/pub/malaka-silva/6/33/77
>>>>> Blog : http://mrmalakasilva.blogspot.com/
>>>>>
>>>>> WSO2, Inc.
>>>>> lean . enterprise . middleware
>>>>> https://wso2.com/signature
>>>>> http://www.wso2.com/about/team/malaka-silva/
>>>>> <http://wso2.com/about/team/malaka-silva/>
>>>>> https://store.wso2.com/store/
>>>>>
>>>>> Don't make Trees rare, we should keep them with care
>>>>>
>>>>> ___
>>>>> Dev mailing list
>>>>> Dev@wso2.org
>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Thanks & Regards,
>>>>
>>>> *Johann Dilantha Nallathamby*
>>>> Technical Lead & Product Lead of WSO2 Identity Server
>>>> Governance Technologies Team
>>>> WSO2, Inc.
>>>> lean.enterprise.middleware
>>>>
>>>> Mobile - *+9476950*
>>>> Blog - *http://nallaa.wordpress.com <http://nallaa.wordpress.com>*
>>>>
>>>> ___
>>>> Dev mailing list
>>>> Dev@wso2.org
>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>
>>>>
>>> ___
>>> Architecture mailing list
>>> architect...@wso2.org
>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>>
>>>
>>
>
> ___
> Architecture mailing list
> architect...@wso2.org
> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>
>


-- 
Ishara Karunarathna
Associate Technical Lead
WSO2 Inc. - lean . enterprise . middleware |  wso2.com

email: isha...@wso2.com,   blog: isharaaruna.blogspot.com,   mobile:
+94717996791


Re: [Dev] [VOTE] Release WSO2 Identity Server 5.2.0- RC1

2016-09-15 Thread Ishara Karunarathna
Hi Devs,

Tested,

User dashboard,
XACML,
Tenant creation


On Thu, Sep 15, 2016 at 12:33 PM, Kathees Rajendram <kath...@wso2.com>
wrote:

> Hi,
>
> Tested the following authenticators.
>
>    - SMS OTP
>    - Email OTP
>
> No blocking issue found.
>
> [+] Stable - go ahead and release
>
> Thanks,
> Kathees
>
> On Thu, Sep 15, 2016 at 12:13 PM, Darshana Gunawardana <darsh...@wso2.com>
> wrote:
>
>> Hi Devs,
>>
>> Tested,
>>
>>    - SAML SSO
>>    - Federation
>>    - JIT Provisioning
>>    - Google Provisioning
>>
>> Did not find any blocking issue.
>>
>> So here's my vote,
>>
>> [+] Stable - go ahead and release
>>
>> Thanks,
>>
>> On Wed, Sep 14, 2016 at 2:59 AM, Hasintha Indrajee <hasin...@wso2.com>
>> wrote:
>>
>>> Tested IS Analytics including
>>>
>>>
>>>1. Enabling and disabling analytics (publishers),
>>>2. Data publishing through publishers.
>>>3. Analytics Dashboard functionalities.
>>>4. Session Analytics
>>>5. Login Analytics
>>>
>>>
>>>-  Variation over time
>>>-  Drilling down from different attributes
>>>-  Content of data table
>>>
>>> No blocking issues found.
>>> [+] Stable - go ahead and release
>>>
>>>
>>> On Sat, Sep 10, 2016 at 7:48 AM, Kasun Bandara <kas...@wso2.com> wrote:
>>>
>>>> Hi All,
>>>>
>>>> This is the 1st Release Candidate of WSO2 Identity Server 5.2.0
>>>>
>>>> Please download, test the product and vote. Vote will be open for 72
>>>> hours or as needed.
>>>>
>>>> This release fixes the following issues:
>>>> https://wso2.org/jira/issues/?filter=13329
>>>>
>>>> Source and distribution
>>>>
>>>> Run-time   : https://github.com/wso2/product-is/releases/tag/v5.2.0-rc1
>>>> Analytics   : https://github.com/wso2/analytics-is/releases/tag/v5.2.0-rc1
>>>>
>>>> Please vote as follows.
>>>>
>>> No blocking issues found. Here my vote to release.

> [+] Stable - go ahead and release
>>>> [-] Broken - do not release (explain why)
>>>>
>>>> Thanks,
>>>> - WSO2 Identity Server Team -
>>>>
>>>> --
>>>> Kasun Bandara
>>>> *Software Engineer*
>>>> Mobile : +94 (0) 718 338 360
>>>> <%2B94%20%280%29%20773%20451194>
>>>> kas...@wso2.com <thili...@wso2.com>
>>>>
>>>> ___
>>>> Dev mailing list
>>>> Dev@wso2.org
>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>
>>>>
>>>
>>>
>>> --
>>> Hasintha Indrajee
>>> WSO2, Inc.
>>> Mobile:+94 771892453
>>>
>>>
>>> ___
>>> Dev mailing list
>>> Dev@wso2.org
>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>
>>>
>>
>>
>> --
>> Regards,
>>
>>
>> *Darshana Gunawardana*Associate Technical Lead
>> WSO2 Inc.; http://wso2.com
>>
>> *E-mail: darsh...@wso2.com <darsh...@wso2.com>*
>> *Mobile: +94718566859 <%2B94718566859>*Lean . Enterprise . Middleware
>>
>> ___
>> Dev mailing list
>> Dev@wso2.org
>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>
>>
>
>
> --
> Kathees
> Software Engineer,
> email: kath...@wso2.com
> mobile: +94772596173
>
> ___
> Dev mailing list
> Dev@wso2.org
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>
>


-- 
Ishara Karunarathna
Associate Technical Lead
WSO2 Inc. - lean . enterprise . middleware |  wso2.com

email: isha...@wso2.com,   blog: isharaaruna.blogspot.com,   mobile:
+94717996791


Re: [Dev] [AppM] SAML response signature validation in tenants

2016-08-18 Thread Ishara Karunarathna
Hi,

On Fri, Aug 19, 2016 at 9:47 AM, Darshana Gunawardana <darsh...@wso2.com>
wrote:

>
>
> On Thu, Aug 18, 2016 at 4:43 PM, Rushmin Fernando <rush...@wso2.com>
> wrote:
>
>>
>> In current App Manager the service providers of tenants are getting
>> created in the super tenant space.
>>
>> We are in the process of creating the service providers in the relevant
>> tenants.
>>
>> In the app manager gateway, we use SAML SSO to authenticate the users,
>> and the aforementioned service providers are used.
>>
>> When it comes to validating the the SAML response signature, I can see
>> that we can re-use
>> *org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil::getX509CredentialImplForTenant()*
>>
>> As per the code, it uses the tenant key store to get the certificates.
>> And we can get the certificate by using the tenant name as the alias
>>
>> @IS team, do you see any issues with re-using this code in our gateway ?
>>
>
> Using this util makes gateway -which is a client side(sp) component-
> depends on the SAML component -which is server side(idp) component-
>
> IMO, its not nice to have that dependency. Once example is, this
> dependency will expose you a samlsso (idp) endpoint from the gateway. And
> also gateway profile would need to have saml components and makes you to
> have whole framework related dependencies as well.
>
> Thinking about client side (sp) components which already doing this there
> are two components we have in wso2 platform.
> 1. Carbon SAML authenticator : https://github.com/wso2-extensions/identity-carbon-auth-saml2
> 2. AS SSO valve : https://github.com/wso2/carbon-deployment/blob/4.7.x/components/webapp-mgt/org.wso2.carbon.webapp.mgt/src/main/java/org/wso2/carbon/webapp/mgt/sso/SAMLSignatureValidatorImpl.java
>
> Better to use utls from those two components, if we have such methods.
> Most suitable component for gateway is #2, since carbon authenticator don't
> have usage in gateway.
>
> I guess it's even worthy initiate separate component to handle all these
> saml utils, given that we have isolated components across the platform and
> we have to fix huge number of components if we identified a core issue.
>
+1 to Darshana's idea. And later it would be better to have a common set of
libraries to handle these kinds of scenarios.

>
> Thanks,
>
>
>> @Amila, in a cloud story do we need to configure the key aliases for each
>> tenant or can we live with the default alias (which is the tenant domain
>> name) ?
>>
>>
>>
>> --
>> *Best Regards*
>>
>> *Rushmin Fernando*
>> *Technical Lead*
>>
>> WSO2 Inc. <http://wso2.com/> - Lean . Enterprise . Middleware
>>
>> mobile : +94772891266
>>
>>
>>
>
>
> --
> Regards,
>
>
> *Darshana Gunawardana*Associate Technical Lead
> WSO2 Inc.; http://wso2.com
>
> *E-mail: darsh...@wso2.com <darsh...@wso2.com>*
> *Mobile: +94718566859 <%2B94718566859>*Lean . Enterprise . Middleware
>



-- 
Ishara Karunarathna
Associate Technical Lead
WSO2 Inc. - lean . enterprise . middleware |  wso2.com

email: isha...@wso2.com,   blog: isharaaruna.blogspot.com,   mobile:
+94717996791


Re: [Dev] [AppM] Creating XACML Policies and Service Providers in Tenants

2016-08-08 Thread Ishara Karunarathna
Hi,

On Mon, Aug 8, 2016 at 5:51 PM, Dinusha Senanayaka <dinu...@wso2.com> wrote:

>
>
> On Mon, Aug 8, 2016 at 5:43 PM, Ishara Karunarathna <isha...@wso2.com>
> wrote:
>
>> Hi Rushmin,
>>
>> On Mon, Aug 8, 2016 at 5:26 PM, Rushmin Fernando <rush...@wso2.com>
>> wrote:
>>
>>> Hi Ishara,
>>>
>>> We are currently using the following two admin services to create
>>> service providers.
>>>
>>> IdentitySAMLSSOConfigService
>>> IdentityApplicationManagementService
>>>
>> admin/manage
>>
>> permission should be there for both services
>>
>>  hmm .. admin/manage is admin rights ? This mean we need to assign admin
>> rights to publisher. :( . Is there any possibility of adding fine grained
>> permission for these two services as well, similar to XACML services ?
>>
> Nope,

Only the manage permission is enough.
I just mentioned the permission path to the manage permission.

>
> Regards,
> Dinusha.
>
>>
>>> If we are to follow the above SAML authenticator method for this as
>>> well, what are the permissions should a role have ?
>>>
>>> Regards
>>> Rushmin
>>>
>>> On Mon, Aug 8, 2016 at 5:18 PM, Lahiru Cooray <lahi...@wso2.com> wrote:
>>>
>>>> Hi Ishara,
>>>> Thanks a lot for the info..
>>>>
>>>> On Mon, Aug 8, 2016 at 4:04 PM, Ishara Karunarathna <isha...@wso2.com>
>>>> wrote:
>>>>
>>>>> Hi Dinusha,
>>>>>
>>>>> In this case I think the publisher user should be able to create those SPs,
>>>>> XACML policies, etc.
>>>>> Since the publisher user is within the publisher role, you can assign the
>>>>> necessary permissions to that role.
>>>>> Once the user logs in (SSO) to the publisher with his credentials, he can get a
>>>>> cookie for that
>>>>> and he can use that cookie to authenticate to the admin services.
>>>>>
>>>>> @Rushmin,
>>>>> We don't have an authenticator for OAuth tokens. Better to get an ID
>>>>> token using OIDC or after validating the OAuth token
>>>>> and create a carbon authenticator like the SAML carbon authenticator.
>>>>>
>>>>> Thanks,
>>>>> Ishara
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Mon, Aug 8, 2016 at 3:47 PM, Rushmin Fernando <rush...@wso2.com>
>>>>> wrote:
>>>>>
>>>>>> In addition to creating these entries from the UI, we need to create
>>>>>> the same using our ReST API as well. And the API is OAuth protected.
>>>>>>
>>>>>> Is there an authenticator which gives back a cookie for an OAuth
>>>>>> token as well ?
>>>>>>
>>>>>> On Mon, Aug 8, 2016 at 3:29 PM, Ishara Karunarathna <isha...@wso2.com
>>>>>> > wrote:
>>>>>>
>>>>>>> Hi Lahiru.
>>>>>>>
>>>>>>>
>>>>>>> It's not the admin user. The user trying to do this operation should have
>>>>>>> enough permission to do this.
>>>>>>>
>>>>>>> Use
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> *entitlement/policy/view*
>>>>>>>
>>>>>>> Add this permission to the user who is trying to view those policies.
>>>>>>>
>>>>>>>
>>>>>>> BR,
>>>>>>>
>>>>>>> Ishara
>>>>>>>
>>>>>>>
>>>>>>> On Mon, Aug 8, 2016 at 3:20 PM, Lahiru Cooray <lahi...@wso2.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> + [DEV]
>>>>>>>>
>>>>>>>> On Mon, Aug 8, 2016 at 3:19 PM, Lahiru Cooray <lahi...@wso2.com>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>> Hi all,
>>>>>>>>>
>>>>>>>>> *Current behaviour:*
>>>>>>>>> Currently in AppM, when we are creating XACML policies/Service
>>>>>>>>> Providers via IS admin services, we are providing the super tenant admin
>>>>>>>>> credentials (where the credentials are st

Re: [Dev] [AppM] Creating XACML Policies and Service Providers in Tenants

2016-08-08 Thread Ishara Karunarathna
Hi Rushmin,

On Mon, Aug 8, 2016 at 5:26 PM, Rushmin Fernando <rush...@wso2.com> wrote:

> Hi Ishara,
>
> We are currently using the following two admin services to create service
> providers.
>
> IdentitySAMLSSOConfigService
> IdentityApplicationManagementService
>
admin/manage

permission should be there for both services



>
> If we are to follow the above SAML authenticator method for this as well,
> what permissions should a role have?
>
> Regards
> Rushmin
>
> On Mon, Aug 8, 2016 at 5:18 PM, Lahiru Cooray <lahi...@wso2.com> wrote:
>
>> Hi Ishara,
>> Thanks a lot for the info..
>>
>> On Mon, Aug 8, 2016 at 4:04 PM, Ishara Karunarathna <isha...@wso2.com>
>> wrote:
>>
>>> Hi Dinusha,
>>>
>>> In this case I think the publisher user should be able to create those SPs,
>>> XACML policies, etc.
>>> Since the publisher user is within the publisher role, you can assign the
>>> necessary permissions to that role.
>>> Once the user logs in (SSO) to the publisher with his credentials, he can get a
>>> cookie for that
>>> and he can use that cookie to authenticate to the admin services.
>>>
>>> @Rushmin,
>>> We don't have an authenticator for OAuth tokens. Better to get an ID token
>>> using OIDC or after validating the OAuth token
>>> and create a carbon authenticator like the SAML carbon authenticator.
>>>
>>> Thanks,
>>> Ishara
>>>
>>>
>>>
>>>
>>> On Mon, Aug 8, 2016 at 3:47 PM, Rushmin Fernando <rush...@wso2.com>
>>> wrote:
>>>
>>>> In addition to creating these entries from the UI, we need to create
>>>> the same using our ReST API as well. And the API is OAuth protected.
>>>>
>>>> Is there an authenticator which gives back a cookie for an OAuth token
>>>> as well ?
>>>>
>>>> On Mon, Aug 8, 2016 at 3:29 PM, Ishara Karunarathna <isha...@wso2.com>
>>>> wrote:
>>>>
>>>>> Hi Lahiru.
>>>>>
>>>>>
>>>>> It's not the admin user. The user trying to do this operation should have
>>>>> enough permission to do this.
>>>>>
>>>>> Use
>>>>>
>>>>>
>>>>>
>>>>> *entitlement/policy/view*
>>>>>
>>>>> Add this permission to the user who is trying to view those policies.
>>>>>
>>>>>
>>>>> BR,
>>>>>
>>>>> Ishara
>>>>>
>>>>>
>>>>> On Mon, Aug 8, 2016 at 3:20 PM, Lahiru Cooray <lahi...@wso2.com>
>>>>> wrote:
>>>>>
>>>>>> + [DEV]
>>>>>>
>>>>>> On Mon, Aug 8, 2016 at 3:19 PM, Lahiru Cooray <lahi...@wso2.com>
>>>>>> wrote:
>>>>>>
>>>>>>> Hi all,
>>>>>>>
>>>>>>> *Current behaviour:*
>>>>>>> Currently in AppM, when we are creating XACML policies/Service
>>>>>>> Providers via IS admin services, we are providing the super tenant admin
>>>>>>> credentials (where the credentials are stored in a config) to get
>>>>>>> authenticated. Further, XACML policies/Service providers are only created
>>>>>>> in super tenant and marked as a SAAS app to be used in tenants.
>>>>>>>
>>>>>>> *Problem:*
>>>>>>> As we are moving for AppM - Cloud integration, we are trying to
>>>>>>> deploy these in relevant tenant spaces. So as a solution we have tried to
>>>>>>> use *SAML2SSOAuthenticator*[1]  (retrieving a cookie passing the
>>>>>>> SAML response and use the same in subsequent service calls) but figured
>>>>>>> that this is not applicable for non admin users.
>>>>>>> (*eg:* In AppM user story, non admin users should be allowed to
>>>>>>> create apps with XAML policies)
>>>>>>>
>>>>>>> Any suggestions for this would be highly appreciated!
>>>>>>>
>>>>>>>
>>>>>>> [1] https://github.com/wso2/carbon-identity/blob/8cd996c1dc6
>>>>>>> d9e7c0df491322af6e9ddf1cf3709/components/carbon-authenticato
>>>>>>> rs/saml2-sso-authenticator/org.wso2.carbon.identity.authenti

Re: [Dev] [AppM] Creating XACML Policies and Service Providers in Tenants

2016-08-08 Thread Ishara Karunarathna
Hi Dinusha,

In this case I think the publisher user should be able to create those SPs,
XACML policies, etc.
Since the publisher user is within the publisher role, you can assign the
necessary permissions to that role.
Once the user logs in (SSO) to the publisher with his credentials, he can get a
cookie for that
and he can use that cookie to authenticate to the admin services.

@Rushmin,
We don't have an authenticator for OAuth tokens. Better to get an ID token
using OIDC or after validating the OAuth token
and create a carbon authenticator like the SAML carbon authenticator.

Thanks,
Ishara




On Mon, Aug 8, 2016 at 3:47 PM, Rushmin Fernando <rush...@wso2.com> wrote:

> In addition to creating these entries from the UI, we need to create the
> same using our ReST API as well. And the API is OAuth protected.
>
> Is there an authenticator which gives back a cookie for an OAuth token as
> well ?
>
> On Mon, Aug 8, 2016 at 3:29 PM, Ishara Karunarathna <isha...@wso2.com>
> wrote:
>
>> Hi Lahiru.
>>
>>
>> It's not the admin user. The user trying to do this operation should have
>> enough permission to do this.
>>
>> Use
>>
>>
>>
>> *entitlement/policy/view*
>>
>> Add this permission to the user who is trying to view those policies.
>>
>>
>> BR,
>>
>> Ishara
>>
>>
>> On Mon, Aug 8, 2016 at 3:20 PM, Lahiru Cooray <lahi...@wso2.com> wrote:
>>
>>> + [DEV]
>>>
>>> On Mon, Aug 8, 2016 at 3:19 PM, Lahiru Cooray <lahi...@wso2.com> wrote:
>>>
>>>> Hi all,
>>>>
>>>> *Current behaviour:*
>>>> Currently in AppM, when we are creating XACML policies/Service
>>>> Providers via IS admin services, we are providing the super tenant admin
>>>> credentials (where the credentials are stored in a config) to get
>>>> authenticated. Further, XACML policies/Service providers are only created
>>>> in super tenant and marked as a SAAS app to be used in tenants.
>>>>
>>>> *Problem:*
>>>> As we are moving for AppM - Cloud integration, we are trying to deploy
>>>> these in relevant tenant spaces. So as a solution we have tried to use
>>>> *SAML2SSOAuthenticator*[1]  (retrieving a cookie passing the SAML
>>>> response and use the same in subsequent service calls) but figured that
>>>> this is not applicable for non admin users.
>>>> (*eg:* In AppM user story, non admin users should be allowed to create
>>>> apps with XAML policies)
>>>>
>>>> Any suggestions for this would be highly appreciated!
>>>>
>>>>
>>>> [1] https://github.com/wso2/carbon-identity/blob/8cd996c1dc6
>>>> d9e7c0df491322af6e9ddf1cf3709/components/carbon-authenticato
>>>> rs/saml2-sso-authenticator/org.wso2.carbon.identity.authenti
>>>> cator.saml2.sso/src/main/java/org/wso2/carbon/identity/authe
>>>> nticator/saml2/sso/SAML2SSOAuthenticator.java
>>>>
>>>> --
>>>> *Lahiru Cooray*
>>>> Software Engineer
>>>> WSO2, Inc.;http://wso2.com/
>>>> lean.enterprise.middleware
>>>>
>>>> Mobile: +94 715 654154
>>>>
>>>
>>>
>>>
>>> --
>>> *Lahiru Cooray*
>>> Software Engineer
>>> WSO2, Inc.;http://wso2.com/
>>> lean.enterprise.middleware
>>>
>>> Mobile: +94 715 654154
>>>
>>
>>
>>
>> --
>> Ishara Karunarathna
>> Associate Technical Lead
>> WSO2 Inc. - lean . enterprise . middleware |  wso2.com
>>
>> email: isha...@wso2.com,   blog: isharaaruna.blogspot.com,   mobile:
>> +94717996791
>>
>>
>>
>
>
> --
> *Best Regards*
>
> *Rushmin Fernando*
> *Technical Lead*
>
> WSO2 Inc. <http://wso2.com/> - Lean . Enterprise . Middleware
>
> mobile : +94772891266
>
>
>


-- 
Ishara Karunarathna
Associate Technical Lead
WSO2 Inc. - lean . enterprise . middleware |  wso2.com

email: isha...@wso2.com,   blog: isharaaruna.blogspot.com,   mobile:
+94717996791


Re: [Dev] [AppM] Creating XACML Policies and Service Providers in Tenants

2016-08-08 Thread Ishara Karunarathna
Hi Lahiru.


It's not the admin user. The user trying to do this operation should have enough
permission to do this.

Use



*entitlement/policy/view*

Add this permission to the user who is trying to view those policies.


BR,

Ishara


On Mon, Aug 8, 2016 at 3:20 PM, Lahiru Cooray <lahi...@wso2.com> wrote:

> + [DEV]
>
> On Mon, Aug 8, 2016 at 3:19 PM, Lahiru Cooray <lahi...@wso2.com> wrote:
>
>> Hi all,
>>
>> *Current behaviour:*
>> Currently in AppM, when we are creating XACML policies/Service Providers
>> via IS admin services, we are providing the super tenant admin credentials
>> (where the credentials are stored in a config) to get authenticated.
>> Further, XACML policies/Service providers are only created in super tenant
>> and marked as a SAAS app to be used in tenants.
>>
>> *Problem:*
>> As we are moving for AppM - Cloud integration, we are trying to deploy
>> these in relevant tenant spaces. So as a solution we have tried to use
>> *SAML2SSOAuthenticator*[1]  (retrieving a cookie passing the SAML
>> response and use the same in subsequent service calls) but figured that
>> this is not applicable for non admin users.
>> (*eg:* In AppM user story, non admin users should be allowed to create
>> apps with XAML policies)
>>
>> Any suggestions for this would be highly appreciated!
>>
>>
>> [1] https://github.com/wso2/carbon-identity/blob/8cd996c1dc6
>> d9e7c0df491322af6e9ddf1cf3709/components/carbon-authenticato
>> rs/saml2-sso-authenticator/org.wso2.carbon.identity.
>> authenticator.saml2.sso/src/main/java/org/wso2/carbon/
>> identity/authenticator/saml2/sso/SAML2SSOAuthenticator.java
>>
>> --
>> *Lahiru Cooray*
>> Software Engineer
>> WSO2, Inc.;http://wso2.com/
>> lean.enterprise.middleware
>>
>> Mobile: +94 715 654154
>>
>
>
>
> --
> *Lahiru Cooray*
> Software Engineer
> WSO2, Inc.;http://wso2.com/
> lean.enterprise.middleware
>
> Mobile: +94 715 654154
>



-- 
Ishara Karunarathna
Associate Technical Lead
WSO2 Inc. - lean . enterprise . middleware |  wso2.com

email: isha...@wso2.com,   blog: isharaaruna.blogspot.com,   mobile:
+94717996791


Re: [Dev] [IS] EC2 Performance Analysis : Sudden TPS drop in User Add in 500 concurrency with 10million users

2016-07-31 Thread Ishara Karunarathna
Hi Prabath,

Maduranga is running the same test in OpenStack; once it's completed we will
compare all.

BR,
Ishara

On Sun, Jul 31, 2016 at 10:14 PM, Prabath Siriwardana <prab...@wso2.com>
wrote:

> Can you please compare the results you are getting now with the results we
> got a week before in the same setup...? I guess we could get  ~1200 tps
> with 500 concurrency for 1M users, without any drop in the tps...?
>
> Thanks & regards,
> -Prabath
>
> On Sun, Jul 31, 2016 at 12:34 AM, Ishara Karunarathna <isha...@wso2.com>
> wrote:
>
>>
>>
>> On Sun, Jul 31, 2016 at 12:59 PM, Malith Jayasinghe <mali...@wso2.com>
>> wrote:
>>
>>>
>>>
>>> On Sun, Jul 31, 2016 at 12:49 PM, Ishara Karunarathna <isha...@wso2.com>
>>> wrote:
>>>
>>>> Hi Malith,
>>>>
>>>> On Sun, Jul 31, 2016 at 12:37 PM, Malith Jayasinghe <mali...@wso2.com>
>>>> wrote:
>>>>
>>>>> Hi Indunil,
>>>>> Just a few questions regarding this performance test you have done:
>>>>>
>>>>> What is the reason for selecting the concurrency = 500 here?
>>>>>
>>>> This is the user expected concurrency level. That's the reason we use
>>>> this.
>>>>
>>>>>
>>>>> Have you tested the behaviour for lower concurrency levels?
>>>>>
>>>>> *"currently the TPS is dropping from the initial TPS 1139.5/s to
>>>>> 198.1/s in around 610 user count.(User Add)" - *How did you
>>>>> notice/measure this drop in TPS? Did you analyze the jmeter results
>>>>> offline? After it drops, does it improve after some time or does it stay
>>>>> the same?
>>>>>
>>>> We test this with the JMeter summary report.
>>>> With the latest results, if we start again, for a few min (2min) we can get this
>>>> max tps and come down to around 250tps
>>>>
>>>
>>> Ok so it comes down to 250tps and stays there?  Are you running these
>>> tests without a warm-up period?
>>>
>> Nope.
>>
>> With a 2s warm-up and then a 10s ramp-up period
>>
>>>
>>>>>
>>>>> Did you look at the behaviour of latency?
>>>>>
>>>>> Thanks
>>>>>
>>>>> Malith
>>>>>
>>>>>
>>>>> On Fri, Jul 29, 2016 at 2:57 PM, Indunil Upeksha Rathnayake <
>>>>> indu...@wso2.com> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> We are currently engaged in a performance analysis where we are
>>>>>> analyzing performance for User Add, Update, Authentication operations. The
>>>>>> testing has been carried out in the following environment with 500
>>>>>> concurrency and users up to 10 million.
>>>>>>
>>>>>> *Environment :*
>>>>>>
>>>>>> m3.2xlarge ( 8 core, 30GB, SSD 2x80 GB) 3 instances.
>>>>>> MySQL 5.7
>>>>>> Ubuntu 14.04
>>>>>> Openldap-2.4.31
>>>>>> IS 5.1.0
>>>>>>
>>>>>> In order to optimize the MYSQL server, following server parameters
>>>>>> have been tuned accordingly. We have referred MYSQL documentation [1] as
>>>>>> well as have performed analysis using several MYSQL tuners in [2].
>>>>>>
>>>>>> (1) *max_connections : 1000* (The maximum permitted number of
>>>>>> simultaneous client connections.)
>>>>>>
>>>>>> (2) *join_buffer_size : 259968* (The minimum size of the buffer that
>>>>>> is used for plain index scans, range index scans, and joins that do not use
>>>>>> indexes and thus perform full table scans.)
>>>>>>
>>>>>> (3) *innodb_buffer_pool_size : 5207959552* (size of the
>>>>>> memory area where InnoDB caches table and index data)
>>>>>>
>>>>>> (4) *innodb_log_buffer_size : 16777216* (size of the buffer for
>>>>>> transactions that have not been committed yet)
>>>>>>
>>>>>> (5) *innodb_buffer_pool_instances : 1* (The number of buffer pool
>>>>>> instances. According to the mysql documentation[1], on systems with a large

Re: [Dev] [IS] EC2 Performance Analysis : Sudden TPS drop in User Add in 500 concurrency with 10million users

2016-07-31 Thread Ishara Karunarathna
On Sun, Jul 31, 2016 at 12:59 PM, Malith Jayasinghe <mali...@wso2.com>
wrote:

>
>
> On Sun, Jul 31, 2016 at 12:49 PM, Ishara Karunarathna <isha...@wso2.com>
> wrote:
>
>> Hi Malith,
>>
>> On Sun, Jul 31, 2016 at 12:37 PM, Malith Jayasinghe <mali...@wso2.com>
>> wrote:
>>
>>> Hi Indunil,
>>> Just a few questions regarding this performance test you have done:
>>>
>>> What is the reason for selecting the concurrency = 500 here?
>>>
>> This is the user expected concurrency level. That's the reason we use
>> this.
>>
>>>
>>> Have you tested the behaviour for lower concurrency levels?
>>>
>>> *"currently the TPS is dropping from the initial TPS 1139.5/s to 198.1/s
>>> in around 610 user count.(User Add)" - *How did you notice/measure
>>> this drop in TPS? Did you analyze the jmeter results offline? After it
>>> drops, does it improve after some time or does it stay the same?
>>>
>> We test this with the JMeter summary report.
>> With the latest results, if we start again, for a few min (2min) we can get this max
>> tps and come down to around 250tps
>>
>
> Ok so it comes down to 250tps and stays there?  Are you running these
> tests without a warm-up period?
>
Nope.

With a 2s warm-up and then a 10s ramp-up period

>
>>>
>>> Did you look at the behaviour of latency?
>>>
>>> Thanks
>>>
>>> Malith
>>>
>>>
>>> On Fri, Jul 29, 2016 at 2:57 PM, Indunil Upeksha Rathnayake <
>>> indu...@wso2.com> wrote:
>>>
>>>> Hi,
>>>>
>>>> We are currently engaged in a performance analysis where we are
>>>> analyzing performance for User Add, Update, Authentication operations. The
>>>> testing has been carried out in the following environment with 500
>>>> concurrency and users up to 10 million.
>>>>
>>>> *Environment :*
>>>>
>>>> m3.2xlarge ( 8 core, 30GB, SSD 2x80 GB) 3 instances.
>>>> MySQL 5.7
>>>> Ubuntu 14.04
>>>> Openldap-2.4.31
>>>> IS 5.1.0
>>>>
>>>> In order to optimize the MYSQL server, following server parameters have
>>>> been tuned accordingly. We have referred MYSQL documentation [1] as well as
>>>> have performed analysis using several MYSQL tuners in [2].
>>>>
>>>> (1) *max_connections : 1000* (The maximum permitted number of
>>>> simultaneous client connections.)
>>>>
>>>> (2) *join_buffer_size : 259968* (The minimum size of the buffer that
>>>> is used for plain index scans, range index scans, and joins that do not use
>>>> indexes and thus perform full table scans.)
>>>>
>>>> (3) *innodb_buffer_pool_size : 5207959552* (size of the
>>>> memory area where InnoDB caches table and index data)
>>>>
>>>> (4) *innodb_log_buffer_size : 16777216* (size of the buffer for
>>>> transactions that have not been committed yet)
>>>>
>>>> (5) *innodb_buffer_pool_instances : 1* (The number of buffer pool
>>>> instances. According to the mysql documentation[1], on systems with a large
>>>> amount of memory, we can improve concurrency by dividing the buffer pool
>>>> into multiple buffer pool instances. But couldn't change since it's a read
>>>> only variable)
>>>>
>>>> (6) *key_buffer_size : 38400* (size of the buffer used for index
>>>> blocks)
>>>>
>>>> (7) *table_open_cache : 4000* (The number of open tables for all
>>>> threads)
>>>>
>>>> (8) *sort_buffer_size : 400* (Each session that must perform a
>>>> sort allocates a buffer of this size)
>>>>
>>>> (9) *read_buffer_size : 100* (Each thread that does a sequential
>>>> scan for a table allocates a buffer of this size for each table it scans.
>>>> If we do many sequential scans, we might want to increase this value)
>>>>
>>>> (10) *query_cache_type : 0 *
>>>>
>>>> (11) *query_cache_limit : 1048576* (Do not cache results that are
>>>> larger than this number of bytes)
>>>>
>>>> (12) *query_cache_size : 1048576* (The amount of memory allocated for
>>>> caching query results)
>>>>
>>>> (13) *thread_stack : 262144* (The stack size for each thread)
>>>>
>>>> (14) *net_buffer_le

Re: [Dev] [IS] EC2 Performance Analysis : Sudden TPS drop in User Add in 500 concurrency with 10million users

2016-07-31 Thread Ishara Karunarathna
>> (4) Added following additional parameters to optimize database connection
>> pool.
>>
>> 6
>>
>> 600
>>
>> 20
>>
>> (5) Tuning Tomcat parameters in
>> /repository/conf/tomcat/catalina-server.xml.
>>
>> *acceptorThreadCount = 8 *
>>
>> *maxThreads="750" *
>>
>> *minSpareThreads="150" *
>>
>> *maxKeepAliveRequests="600" *
>>
>> *acceptCount="600"*
>>
>>
>>
>> JMeter has been configured as follows to optimize the performance.
>>
>> (1) JVM Heap Settings (-Xms -Xmx) changed as follows:
>>
>> *Xms : 1g *
>>
>> *Xmx : 1g *
>>
>>
>> We were able to optimize the environment up to some level. But
>> *currently the TPS is dropping from the initial TPS 1139.5/s to 198.1/s in
>> around 610 user count. (User Add)*
>>
>> Appreciate your help on figuring out whether we need to do any
>> modifications to the optimizations in MYSQL, IS and JMeter servers or to
>> identify the exact issue for this sudden TPS dropping.
>>
>> [1] http://dev.mysql.com/doc/refman/5.7/en/optimizing-server.html
>>
>> [2] http://www.askapache.com/mysql/mysql-performance-tuning.html
>>
>>
>> Thanks and Regards
>> --
>> Indunil Upeksha Rathnayake
>> Software Engineer | WSO2 Inc
>> Email    indu...@wso2.com
>> Mobile   0772182255
>>
>
>
>
> --
> Malith Jayasinghe
>
>
> WSO2, Inc. (http://wso2.com)
> Email   : mali...@wso2.com
> Mobile : 0770704040
> Lean . Enterprise . Middleware
>



-- 
Ishara Karunarathna
Associate Technical Lead
WSO2 Inc. - lean . enterprise . middleware |  wso2.com

email: isha...@wso2.com,   blog: isharaaruna.blogspot.com,   mobile:
+94717996791


Re: [Dev] [IS] EC2 Performance Analysis : Sudden TPS drop in User Add in 500 concurrency with 10million users

2016-07-29 Thread Ishara Karunarathna
Hi Indunil,

Today I made some changes to the JMeter scripts. Still testing locally, will
provide you those.

And before we used EC2 instances we had some OpenStack. I think it's better
if we can run a backup test there as well.
If EC2 gives any issues we can eliminate the risk.

@Chamath can we get those again?

Thanks,
Ishara






On Fri, Jul 29, 2016 at 3:19 PM, Indunil Upeksha Rathnayake <
indu...@wso2.com> wrote:

> Hi,
>
> I have attached the JMeter Script file which we use in adding users[1].
> May be we need to do some modifications to the script. Appreciate your
> comments.
> @Ishara: I'll send those results.
>
> [1]
> https://drive.google.com/a/wso2.com/folderview?id=0Bz_EQkE2mOgBMmFDNzFpNk5CTFE=sharing
>
> On Fri, Jul 29, 2016 at 3:05 PM, Ishara Karunarathna <isha...@wso2.com>
> wrote:
>
>> Hi Indunil,
>>
>> Can we get the distribution of the throughput? Then we can figure out how
>> it's coming down,
>> and better if we can get the resource utilization of the servers.
>>
>> Thanks,
>> Ishara
>>
>> On Fri, Jul 29, 2016 at 2:57 PM, Indunil Upeksha Rathnayake <
>> indu...@wso2.com> wrote:
>>
>>> Hi,
>>>
>>> We are currently engaged in a performance analysis where we are
>>> analyzing performance for User Add, Update, Authentication operations. The
>>> testing has been carried out in the following environment with 500
>>> concurrency and users up to 10 million.
>>>
>>> *Environment :*
>>>
>>> m3.2xlarge ( 8 core, 30GB, SSD 2x80 GB) 3 instances.
>>> MySQL 5.7
>>> Ubuntu 14.04
>>> Openldap-2.4.31
>>> IS 5.1.0
>>>
>>> In order to optimize the MYSQL server, following server parameters have
>>> been tuned accordingly. We have referred MYSQL documentation [1] as well as
>>> have performed analysis using several MYSQL tuners in [2].
>>>
>>> (1) *max_connections : 1000* (The maximum permitted number of
>>> simultaneous client connections.)
>>>
>>> (2) *join_buffer_size : 259968* (The minimum size of the buffer that is
>>> used for plain index scans, range index scans, and joins that do not use
>>> indexes and thus perform full table scans.)
>>>
>>> (3) *innodb_buffer_pool_size : 5207959552* (size of the
>>> memory area where InnoDB caches table and index data)
>>>
>>> (4) *innodb_log_buffer_size : 16777216* (size of the buffer for
>>> transactions that have not been committed yet)
>>>
>>> (5) *innodb_buffer_pool_instances : 1* (The number of buffer pool
>>> instances. According to the mysql documentation[1], on systems with a large
>>> amount of memory, we can improve concurrency by dividing the buffer pool
>>> into multiple buffer pool instances. But couldn't change since it's a read
>>> only variable)
>>>
>>> (6) *key_buffer_size : 38400* (size of the buffer used for index
>>> blocks)
>>>
>>> (7) *table_open_cache : 4000* (The number of open tables for all
>>> threads)
>>>
>>> (8) *sort_buffer_size : 400* (Each session that must perform a sort
>>> allocates a buffer of this size)
>>>
>>> (9) *read_buffer_size : 100* (Each thread that does a sequential
>>> scan for a table allocates a buffer of this size for each table it scans.
>>> If we do many sequential scans, we might want to increase this value)
>>>
>>> (10) *query_cache_type : 0 *
>>>
>>> (11) *query_cache_limit : 1048576* (Do not cache results that are
>>> larger than this number of bytes)
>>>
>>> (12) *query_cache_size : 1048576* (The amount of memory allocated for
>>> caching query results)
>>>
>>> (13) *thread_stack : 262144* (The stack size for each thread)
>>>
>>> (14) *net_buffer_length : 16384* (Each client thread is associated with
>>> a connection buffer and result buffer. Both begin with a size given by
>>> net_buffer_length but are dynamically enlarged up to max_allowed_packet
>>> bytes as needed)
>>>
>>> (15) *max_allowed_packet : 4194304* (The maximum size of one packet or
>>> any generated/intermediate string)
>>>
>>> (16) *thread_cache_size : 30* (no of threads the server should cache
>>> for reuse)
>>>
>>>
>>>
>>> IS has been configured as follows to optimize the performance.
>>>
>>> (1) JVM Heap Settings (-Xms -Xmx) changed as follows:
>>>
>>> *Xms : 2g *
>>>
>>> 

Re: [Dev] ACT tests in an EC2 environment tps drops in a few min

2016-07-29 Thread Ishara Karunarathna
Hi Isuru,

Thanks for the help, it's much better now.

Will let you know if we get any issues in the environment.

BR,
Ishara

On Fri, Jul 29, 2016 at 3:04 PM, Isuru Rupasinghe <isur...@wso2.com> wrote:

> Hi Ishara,
>
> AWS support had confirmed that there had been a network connectivity
> issue with the stated region and it should be resolved now. You can find
> the mail thread below:
>
>
> -- Forwarded message --
> From: no-reply-...@amazon.com <no-reply-...@amazon.com>
> Date: Thu, Jul 28, 2016 at 5:10 PM
>
>
> Hi There,
>
> Luigi here from AWS. I hope this email finds you well.
>
> I've checked the service status history in this region (
> http://status.aws.amazon.com/) and it seems there were connectivity
> issues which should be resolved now.
>
> If you are still experiencing issues with this, we also have forums
> available to help. The forums allow you to post your questions to our
> developers who monitor and respond to these daily. The below link will help
> you get there.
>
> https://forums.aws.amazon.com/forum.jspa?forumID=30=0
>
> You can create a forum profile following these steps:
> 1. Go to https://forums.aws.amazon.com/index.jspa
> 2. Click on Login.
> 3. Sign in using your AWS credentials.
> 4. Create a AWS Nickname and a Forum Email.
>
> I hope you find this information helpful. I am happy to answer any
> additional questions you may have.
>
> Best regards,
>
> Luigi
> Amazon Web Services
> We value your feedback. Please rate my response using the link below.
> ===
>
> (If you are connecting by federation, log in before following the link.)
>
> *Please note: this e-mail was sent from an address that cannot accept
> incoming e-mail. Please use the link above if you need to contact us again
> about this same issue.
>
> 
> Learn to work with the AWS Cloud. Get started with free online videos and
> self-paced labs at
> http://aws.amazon.com/training/
> 
>
> Amazon Web Services, Inc. is an affiliate of Amazon.com, Inc. Amazon.com
> is a registered trademark of Amazon.com, Inc. or its affiliates.
>
> Thanks & Regards,
>
>
>
> On Fri, Jul 29, 2016 at 2:27 PM, Dhanushka Ranasinghe <dhanush...@wso2.com
> > wrote:
>
>>
>>
>> On Thu, Jul 28, 2016 at 11:19 AM, Miyuru Wanninayaka <miy...@wso2.com>
>> wrote:
>>
>>> EC2 might be throttling the network as we are flooding it with requests. We
>>> observed the same behavior when we do ESB performance tests. Due to that, we
>>> ran client, server and backend in a single EC2 instance.
>>>
>>> On Thu, Jul 28, 2016 at 11:15 AM, Ishara Karunarathna <isha...@wso2.com>
>>> wrote:
>>>
>>>> Hi All,
>>>>
>>>> We have 3 m3.2xlarge EC2 instances each for JMeter, IS and MySQL.
>>>> We are running with 500 concurrent threads, and for the user add
>>>> operation only.
>>>>
>>>> Even with 5m users we get 1000+ tps for a few min and it goes down to 200
>>>> tps after that.
>>>> But last day the same test ran without any issues.
>>>>
>>>> Can there be an issue in the EC2 configs, or can it be any other issue?
>>>> Appreciate your feedback on this.
>>>>
>>>> Thanks,
>>>> Ishara
>>>>
>>>> --
>>>> Ishara Karunarathna
>>>> Associate Technical Lead
>>>> WSO2 Inc. - lean . enterprise . middleware |  wso2.com
>>>>
>>>> email: isha...@wso2.com,   blog: isharaaruna.blogspot.com,   mobile:
>>>> +94717996791
>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> Miyuru Wanninayaka
>>> Associate Director / Architect
>>> WSO2 Inc. : http://wso2.com
>>>
>>> Mobile : +94 77 209 9788
>>>
>>
>>
>>
>> --
>> Dhanushka Ranasinghe,
>> WSO2 lnc  http://wso2.com
>> E-mail : dhanush...@wso2.com
>> Mobile : +94771928269
>>
>
>
>
> --
>
>
>
>
> *Isuru Rupasinghe*
> *WSO2 Inc.: http://wso2.com*
> *lean.enterprise.middle-ware*
> *mobile: +94 77 590 4545*
> *office: +94 11 214 5345 / +94 11 743 5800 ext: 5739*
>



-- 
Ishara Karunarathna
Associate Technical Lead
WSO2 Inc. - lean . enterprise . middleware |  wso2.com

email: isha...@wso2.com,   blog: isharaaruna.blogspot.com,   mobile:
+94717996791


Re: [Dev] [IS] EC2 Performance Analysis : Sudden TPS drop in User Add in 500 concurrency with 10million users

2016-07-29 Thread Ishara Karunarathna
Hi Indunil,

Can we get the distribution of the throughput? Then we can figure out how
it's coming down,
and better if we can get the resource utilization of the servers.

Thanks,
Ishara

On Fri, Jul 29, 2016 at 2:57 PM, Indunil Upeksha Rathnayake <
indu...@wso2.com> wrote:

> Hi,
>
> We are currently engaged in a performance analysis where we are
> analyzing performance for User Add, Update, Authentication operations. The
> testing has been carried out in the following environment with 500
> concurrency and users up to 10 million.
>
> *Environment :*
>
> m3.2xlarge ( 8 core, 30GB, SSD 2x80 GB) 3 instances.
> MySQL 5.7
> Ubuntu 14.04
> Openldap-2.4.31
> IS 5.1.0
>
> In order to optimize the MYSQL server, following server parameters have
> been tuned accordingly. We have referred MYSQL documentation [1] as well as
> have performed analysis using several MYSQL tuners in [2].
>
> (1) *max_connections : 1000* (The maximum permitted number of
> simultaneous client connections.)
>
> (2) *join_buffer_size : 259968* (The minimum size of the buffer that is
> used for plain index scans, range index scans, and joins that do not use
> indexes and thus perform full table scans.)
>
> (3) *innodb_buffer_pool_size : 5207959552* (size of the
> memory area where InnoDB caches table and index data)
>
> (4) *innodb_log_buffer_size : 16777216* (size of the buffer for
> transactions that have not been committed yet)
>
> (5) *innodb_buffer_pool_instances : 1* (The number of buffer pool
> instances. According to the mysql documentation[1], on systems with a large
> amount of memory, we can improve concurrency by dividing the buffer pool
> into multiple buffer pool instances. But couldn't change since it's a read
> only variable)
>
> (6) *key_buffer_size : 38400* (size of the buffer used for index
> blocks)
>
> (7) *table_open_cache : 4000* (The number of open tables for all threads)
>
> (8) *sort_buffer_size : 400* (Each session that must perform a sort
> allocates a buffer of this size)
>
> (9) *read_buffer_size : 100* (Each thread that does a sequential scan
> for a table allocates a buffer of this size for each table it scans. If we
> do many sequential scans, we might want to increase this value)
>
> (10) *query_cache_type : 0 *
>
> (11) *query_cache_limit : 1048576* (Do not cache results that are larger
> than this number of bytes)
>
> (12) *query_cache_size : 1048576* (The amount of memory allocated for
> caching query results)
>
> (13) *thread_stack : 262144* (The stack size for each thread)
>
> (14) *net_buffer_length : 16384* (Each client thread is associated with a
> connection buffer and result buffer. Both begin with a size given by
> net_buffer_length but are dynamically enlarged up to max_allowed_packet
> bytes as needed)
>
> (15) *max_allowed_packet : 4194304* (The maximum size of one packet or
> any generated/intermediate string)
>
> (16) *thread_cache_size : 30* (no of threads the server should cache for
> reuse)
>
>
>
> IS has been configured as follows to optimize the performance.
>
> (1) JVM Heap Settings (-Xms -Xmx) changed as follows:
>
> *Xms : 2g *
>
> *Xmx : 2g *
>
> (2) Removed following entry from
> /repository/conf/tomcat/catalina-server.xml to disable http access
> logs.
>
>  directory="${carbon.home}/repository/logs" prefix="http_access_"
> suffix=".log" pattern="combined" />
>
> (3) Tuned following parameters in axis2client.xml file.
>
> 1000
>
> 3
>
> (4) Added following additional parameters to optimize database connection
> pool.
>
> 6
>
> 600
>
> 20
>
> (5) Tuning Tomcat parameters in
> /repository/conf/tomcat/catalina-server.xml.
>
> *acceptorThreadCount = 8 *
>
> *maxThreads="750" *
>
> *minSpareThreads="150" *
>
> *maxKeepAliveRequests="600" *
>
> *acceptCount="600"*
>
>
>
> JMeter has been configured as follows to optimize the performance.
>
> (1) JVM Heap Settings (-Xms -Xmx) changed as follows:
>
> *Xms : 1g *
>
> *Xmx : 1g *
>
>
> We were able to optimize the environment up to some level. But* currently
> the TPS is dropping from the initial TPS 1139.5/s to 198.1/s in around
> 610 user count.(User Add)*
>
> Appreciate your help on figuring out whether we need to do any
> modifications to the optimizations in MYSQL, IS and JMeter servers or to
> identify the exact issue for this sudden TPS dropping.
>
> [1] http://dev.mysql.com/doc/refman/5.7/en/optimizing-server.html
>
> [2] http://www.askapache.com/mysql/mysql-performance-tuning.html
>
>
> Thanks and Regards
> --
> Indunil Upeksha Rathnayake
> Software Engineer | WSO2 Inc
> Email    indu...@wso2.com
> Mobile   0772182255
>



-- 
Ishara Karunarathna
Associate Technical Lead
WSO2 Inc. - lean . enterprise . middleware |  wso2.com

email: isha...@wso2.com,   blog: isharaaruna.blogspot.com,   mobile:
+94717996791
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


[Dev] ACT tests in an EC2 environment tps drops in a few min

2016-07-27 Thread Ishara Karunarathna
Hi All,

We have 3 m3.2xlarge EC2 instances each for jmeter, IS and Mysql.
We are running with 500 concurrent threads, and for the user add operation
only.

Even with 5m users we get 1000+ tps for a few min and it gets down to 200 tps
after that.
But last day the same test ran without any issues.

Can there be an issue in the EC2 configs, or can it be any other issue?
Appreciate your feedback on this.

Thanks,
Ishara

-- 
Ishara Karunarathna
Associate Technical Lead
WSO2 Inc. - lean . enterprise . middleware |  wso2.com

email: isha...@wso2.com,   blog: isharaaruna.blogspot.com,   mobile:
+94717996791


Re: [Dev] Error JWT grant type

2016-07-07 Thread Ishara Karunarathna
Hi,

We can't use the ID token that we get from IS 5.1.0 since we can't configure Aud
there, but this should be fixed in IS 5.2.0.

And I used a sample JWT generator class to build a JWT and test the scenario.

Thanks,
Ishara

On Wed, Jul 6, 2016 at 11:58 PM, Malaka Silva <mal...@wso2.com> wrote:

> +Keerthika
>
> On Wed, Jul 6, 2016 at 11:56 AM, Ishara Karunarathna <isha...@wso2.com>
> wrote:
>
>> Hi,
>>
>> I tried to use JWT grant type using ID token I got from password grant
>> type.
>>
>> Then I got the following error
>> "Error occurred while decoding public certificate of Identity Provider
>> default for tenant domain carbon.super"
>>
>> But I have imported the pub key to the IDP
>>
>> Is this a known issue ?
>> Or do we have any other sample to generate a JWT if this ID token is not
>> valid.
>>
>> https://docs.wso2.com/display/ISCONNECTORS/Configuring+JWT+Grant+Type
>>
>> Thanks,
>> Ishara
>>
>> --
>> Ishara Karunarathna
>> Associate Technical Lead
>> WSO2 Inc. - lean . enterprise . middleware |  wso2.com
>>
>> email: isha...@wso2.com,   blog: isharaaruna.blogspot.com,   mobile:
>> +94717996791
>>
>
>
>
> --
>
> Best Regards,
>
> Malaka Silva
> Senior Technical Lead
> M: +94 777 219 791
> Tel : 94 11 214 5345
> Fax :94 11 2145300
> Skype : malaka.sampath.silva
> LinkedIn : http://www.linkedin.com/pub/malaka-silva/6/33/77
> Blog : http://mrmalakasilva.blogspot.com/
>
> WSO2, Inc.
> lean . enterprise . middleware
> http://www.wso2.com/
> http://www.wso2.com/about/team/malaka-silva/
> https://store.wso2.com/store/
>
> Save a tree -Conserve nature & Save the world for your future. Print this
> email only if it is absolutely necessary.
>



-- 
Ishara Karunarathna
Associate Technical Lead
WSO2 Inc. - lean . enterprise . middleware |  wso2.com

email: isha...@wso2.com,   blog: isharaaruna.blogspot.com,   mobile:
+94717996791


[Dev] Error JWT grant type

2016-07-06 Thread Ishara Karunarathna
Hi,

I tried to use JWT grant type using ID token I got from password grant type.

Then I got the following error
"Error occurred while decoding public certificate of Identity Provider
default for tenant domain carbon.super"

But I have imported the pub key to the IDP

Is this a known issue ?
Or do we have any other sample to generate a JWT if this ID token is not
valid.

https://docs.wso2.com/display/ISCONNECTORS/Configuring+JWT+Grant+Type

Thanks,
Ishara

-- 
Ishara Karunarathna
Associate Technical Lead
WSO2 Inc. - lean . enterprise . middleware |  wso2.com

email: isha...@wso2.com,   blog: isharaaruna.blogspot.com,   mobile:
+94717996791


Re: [Dev] [DEV][IS]Some information about Dynamic Client Registration and Resource Registration

2015-10-29 Thread Ishara Karunarathna
Hi Sanjeewa,

On Thu, Oct 29, 2015 at 7:12 PM, Sanjeewa Malalgoda <sanje...@wso2.com>
wrote:

> Hi All,
> I would like to know some information about Oauth dynamic client
> registration[1] and resource registration APIs available in IS.
> AFAIK we were discussing about subject for some time and i think we
> already implemented it.
> So my question is do we have resource registration APIs and DCR APIs
> available with IS?
>
We still don't have these implementations in IS.

Thanks,
Ishara

> If so can someone please point me endpoint details or some sample.
>
> [1]https://datatracker.ietf.org/doc/rfc7591/?include_text=1
>
>
> Thanks,
> sanjeewa.
> --
>
> *Sanjeewa Malalgoda*
> WSO2 Inc.
> Mobile : +94713068779
>
> blog: http://sanjeewamalalgoda.blogspot.com/
>
>
>


-- 
Ishara Karunarathna
Senior Software Engineer
WSO2 Inc. - lean . enterprise . middleware |  wso2.com

email: isha...@wso2.com,   blog: isharaaruna.blogspot.com,   mobile:
+94717996791


Re: [Dev] [IS] - Unable to decrypt the SAML Assertion When Authenticating to Travelocity app

2015-10-02 Thread Ishara Karunarathna
Hi Nadeesha,

On Fri, Oct 2, 2015 at 3:04 PM, Darshana Gunawardana <darsh...@wso2.com>
wrote:

> Hi Nadeesha,
>
> Have you checked whether the assertion is encrypted in the response IS
> send back to travelocity app?
>
> And please provide the SSO Trace (save as a text file and attach in the
> mail) for the whole flow.
>
> Thanks,
> Darshana
>
> On Fri, Oct 2, 2015 at 2:53 PM, Nadeesha Meegoda <nadees...@wso2.com>
> wrote:
>
>> Hi.
>>
>> I have configured the setup to Login to the Identity Server Using Another
>> Identity Server as per the details in [1] in Super tenant mode. With the
>> happy scenario according to the documentation this works fine. But I have
>> enabled some additional properties in IDP and SP used for IDP as following :
>>
>> *Properties enabled for Federated Authenticators* - SAML2 Web SSO
>> Configuration
>>
>> 1. Enabled Assertion Encryption
>> 2. Enable Assertion Signing
>> 3. Enable Authentication Response Signing
>>
>> *Properties enabled for SP used for IDP *
>>
>> 1. Enabled Assertion Encryption
>> 2. Enabled Response Signing
>>
>> *Properties enabled for SP used for travelocity app*
>>
>> 1. Enabled Assertion Encryption
>>
What is the Certificate Alias you used here?
Is that the public key in the travelocity app?

>> 2. Enabled Response Signing
>>
>> In the travelocity.properties file also I have enabled Assertion
>> Encryption,Response signing and Assertion signing. I have already imported
>> the Identity Provider Public Certificate to IDP
>>
>> When I'm signing in to travelocity.com I get Unable to decrypt the SAML
>> Assertion error and error in [2] in tomcat.
>>
>> Note that only enabling "assertion signing" in IDP I was successfully
>> able to login and no error was displayed. When I enabled the Assertion
>> Encryption this error occurred. Why is this error occurred when I enable
>> this property as mentioned above?
>>
>> Any help regarding this is highly appreciated!
>>
>>
>>
>> [1] -
>> https://docs.wso2.com/pages/viewpage.action?title=Login%2Bto%2Bthe%2BIdentity%2BServer%2BUsing%2BAnother%2BIdentity%2BServer=IS510
>>
>> [2] - Oct 02, 2015 2:10:47 PM
>> org.wso2.carbon.identity.sso.agent.SSOAgentFilter doFilter
>> SEVERE: An error has occurred
>> org.wso2.carbon.identity.sso.agent.exception.SSOAgentException: Unable to
>> decrypt the SAML Assertion
>> at
>> org.wso2.carbon.identity.sso.agent.saml.SAML2SSOManager.processSSOResponse(SAML2SSOManager.java:254)
>> at
>> org.wso2.carbon.identity.sso.agent.saml.SAML2SSOManager.processResponse(SAML2SSOManager.java:198)
>> at
>> org.wso2.carbon.identity.sso.agent.SSOAgentFilter.doFilter(SSOAgentFilter.java:89)
>> at
>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>> at
>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>> at
>> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
>> at
>> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
>> at
>> org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
>> at
>> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
>> at
>> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
>> at
>> org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
>> at
>> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
>> at
>> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:423)
>> at
>> org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1079)
>> at
>> org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)
>> at
>> org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:318)
>> at
>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>> at
>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>> at
>> org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>> at java.lang.Thread.run(Thread.java:745)
>>
>>
>>
>>
>> Th

Re: [Dev] Should mysql database scripts work with old mysql versions.

2015-10-02 Thread Ishara Karunarathna
Hi Ruwan,

On Fri, Oct 2, 2015 at 1:09 PM, Ruwan Abeykoon <ruw...@wso2.com> wrote:

> Hi Ishara,
> >>In Identity server we started to persist session date with its updated
> timestamp. And retrieve the latest data object related to
> given session.
> >>If it's only supported for seconds we get duplicate entries. In that
> case we have to go for fractional seconds in timestamp
> or will have to store it in another data type.
>
> I think tying up with timestamp for any uniqueness is going to be
> problematic even if we select the most granular time resolution provided by
> the hardware.
>
That's true, and it depends on the use case too.
In our use case we don't depend only on the timestamp, and we can't expect
a nanosecond-level time difference between session participants.
In that case I believe we can go ahead with our approach.

Thanks,
Ishara

> For example lets say an IoT device sends more than one request in fraction
> of nano second and this might be causing problems down the pipeline/in the
> future.
> So I would suggest a changing the dependency of using timestamp for any
> uniqueness/ latest check by adding/appending a sequence number, if it is
> the case.
>
> Cheers,
> Ruwan
>
>
> On Fri, Oct 2, 2015 at 10:05 AM, Ishara Karunarathna <isha...@wso2.com>
> wrote:
>
>> Hi Shankar,
>>
>> On Thu, Oct 1, 2015 at 9:54 PM, Selvaratnam Uthaiyashankar <
>> shan...@wso2.com> wrote:
>>
>>> Is this support (fraction of second) there in other RDBMS (Oracle,
>>> MSSQL, etc?). If it is only Mysql 5.6.4 +, then we shouldn't use IMO. If
>>> this support is there in all other RDBMS, then it should be ok.
>>>
>>> I checked with Oracle, MSSQL, PostgreSQL, Informix and DB2. All support
>> for fraction of seconds.
>>
>> Thanks,
>> Ishara
>> [1]
>> http://docs.oracle.com/cd/B19306_01/server.102/b14200/sql_elements001.htm#i54330
>> [2] https://msdn.microsoft.com/en-us/library/ms187819.aspx
>> [3] http://www.postgresql.org/docs/9.1/static/datatype-datetime.html
>> [4]
>> https://www-01.ibm.com/support/knowledgecenter/SSGU8G_12.1.0/com.ibm.sqlr.doc/ids_sqr_110.htm
>> [5]
>> https://www-304.ibm.com/support/knowledgecenter/SSEPEK_10.0.0/com.ibm.db2z10.doc.intro/src/tpc/db2z_datetimetimestamp.dita
>>
>>> On Thu, Oct 1, 2015 at 9:40 PM, Ishara Karunarathna <isha...@wso2.com>
>>> wrote:
>>>
>>>> Hi Shankar,
>>>>
>>>> On Thu, Oct 1, 2015 at 7:45 PM, Selvaratnam Uthaiyashankar <
>>>> shan...@wso2.com> wrote:
>>>>
>>>>> Normally, we should keep the compatibility with older versions.
>>>>>
>>>>> Is there any specific reason why you need upto microsecond precision
>>>>> for the timestamp?
>>>>>
>>>> by default mysql support for seconds.
>>>> In Identity server we started to persist session date with its updated
>>>> timestamp. And retrieve the latest data object related to
>>>> given session.
>>>> If it's only supported for seconds we get duplicate entries. In that
>>>> case we have to go for fractional seconds in timestamp
>>>> or will have to store it in another data type.
>>>>
>>>> Thanks,
>>>> Ishara
>>>>
>>>>>
>>>>> On Wed, Sep 30, 2015 at 10:35 PM, Ishara Karunarathna <
>>>>> isha...@wso2.com> wrote:
>>>>>
>>>>>> Hi all,
>>>>>>
>>>>>> For example In mysql version 5.6.4 (released on February 5, 2013 )
>>>>>> onwards [1] it support for
>>>>>> fractional seconds for TIMESTAMP values, with up to microseconds (6
>>>>>> digits)
>>>>>>
>>>>>> But if we write scripts to get that features it won't work with older
>>>>>> versions.
>>>>>> So can we write scripts to work only with mysql version 5.6.4 and
>>>>>> latest or should we support for old versions ?.
>>>>>>
>>>>>> Thanks,
>>>>>> Ishara
>>>>>>
>>>>>> [1]
>>>>>> http://dev.mysql.com/doc/refman/5.6/en/mysql-nutshell.html#mysql-nutshell-additions
>>>>>> --
>>>>>> Ishara Karunarathna
>>>>>> Senior Software Engineer
>>>>>> WSO2 Inc. - lean . enterprise . middleware |  wso2.com
>>>>>>
>>>>>> email: isha...@wso2.com,   blog: isharaaruna.blogspot.com,   mobile:
>&
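
The trade-off discussed in this thread, as an added example that is not from the thread or from WSO2 code: with second-resolution timestamps two updates to one session tie for "latest", while a per-session sequence number stays unambiguous even when two writes share a microsecond. SQLite stands in for MySQL, and the table, column and function names are hypothetical.

```python
import sqlite3

# SQLite stands in for MySQL here; table and column names are hypothetical.
SCHEMA = """
CREATE TABLE session_store (
    session_id   TEXT    NOT NULL,
    seq          INTEGER NOT NULL,   -- per-session update counter (the tie-breaker)
    time_created INTEGER NOT NULL,   -- microseconds since the epoch, maybe truncated
    payload      TEXT    NOT NULL,
    PRIMARY KEY (session_id, seq)
)
"""

T0 = 1443700000 * 1_000_000          # constructed base time, in microseconds


def open_store():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def persist(conn, session_id, payload, now_us, whole_seconds):
    """Append a new version of the session and return its sequence number."""
    # whole_seconds=True models a TIMESTAMP column without fractional seconds.
    stamp = (now_us - now_us % 1_000_000) if whole_seconds else now_us
    with conn:                        # commits on success, rolls back on error
        (next_seq,) = conn.execute(
            "SELECT COALESCE(MAX(seq), 0) + 1 FROM session_store WHERE session_id = ?",
            (session_id,),
        ).fetchone()
        conn.execute(
            "INSERT INTO session_store VALUES (?, ?, ?, ?)",
            (session_id, next_seq, stamp, payload),
        )
    return next_seq


def newest_by_timestamp(conn, session_id):
    """Every payload sharing the newest timestamp; more than one means a tie."""
    rows = conn.execute(
        "SELECT payload FROM session_store WHERE session_id = ? AND time_created = "
        "(SELECT MAX(time_created) FROM session_store WHERE session_id = ?) "
        "ORDER BY seq",
        (session_id, session_id),
    ).fetchall()
    return [row[0] for row in rows]


def newest_by_sequence(conn, session_id):
    """The last version written, independent of clock resolution."""
    row = conn.execute(
        "SELECT payload FROM session_store WHERE session_id = ? "
        "ORDER BY seq DESC LIMIT 1",
        (session_id,),
    ).fetchone()
    return row[0] if row else None


def run_case(offsets_us, whole_seconds):
    """Write 'active' then 'terminated' for one session at the given offsets."""
    conn = open_store()
    for payload, offset in zip(("state=active", "state=terminated"), offsets_us):
        persist(conn, "sess-1", payload, T0 + offset, whole_seconds)
    return newest_by_timestamp(conn, "sess-1"), newest_by_sequence(conn, "sess-1")
```

A reader that picks any one of the tied rows can return the stale "active" state after the session was terminated, which is why the tie matters for session handling.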

Re: [Dev] Should mysql database scripts work with old mysql versions.

2015-10-01 Thread Ishara Karunarathna
Hi Shankar,

On Thu, Oct 1, 2015 at 7:45 PM, Selvaratnam Uthaiyashankar <shan...@wso2.com
> wrote:

> Normally, we should keep the compatibility with older versions.
>
> Is there any specific reason why you need upto microsecond precision for
> the timestamp?
>
By default MySQL supports seconds.
In Identity Server we started to persist session date with its updated
timestamp, and retrieve the latest data object related to the
given session.
If only seconds are supported we get duplicate entries. In that case
we have to go for fractional seconds in the timestamp
or will have to store it in another data type.

Thanks,
Ishara

>
> On Wed, Sep 30, 2015 at 10:35 PM, Ishara Karunarathna <isha...@wso2.com>
> wrote:
>
>> Hi all,
>>
>> For example In mysql version 5.6.4 (released on February 5, 2013 )
>> onwards [1] it support for
>> fractional seconds for TIMESTAMP values, with up to microseconds (6
>> digits)
>>
>> But if we write scripts to get that features it won't work with older
>> versions.
>> So can we write scripts to work only with mysql version 5.6.4 and latest
>> or should we support for old versions ?.
>>
>> Thanks,
>> Ishara
>>
>> [1]
>> http://dev.mysql.com/doc/refman/5.6/en/mysql-nutshell.html#mysql-nutshell-additions
>> --
>> Ishara Karunarathna
>> Senior Software Engineer
>> WSO2 Inc. - lean . enterprise . middleware |  wso2.com
>>
>> email: isha...@wso2.com,   blog: isharaaruna.blogspot.com,   mobile:
>> +94717996791
>>
>
>
>
> --
> S.Uthaiyashankar
> VP Engineering
> WSO2 Inc.
> http://wso2.com/ - "lean . enterprise . middleware"
>
> Phone: +94 714897591
>



-- 
Ishara Karunarathna
Senior Software Engineer
WSO2 Inc. - lean . enterprise . middleware |  wso2.com

email: isha...@wso2.com,   blog: isharaaruna.blogspot.com,   mobile:
+94717996791


Re: [Dev] Should mysql database scripts work with old mysql versions.

2015-10-01 Thread Ishara Karunarathna
Hi Shankar,

On Thu, Oct 1, 2015 at 9:54 PM, Selvaratnam Uthaiyashankar <shan...@wso2.com
> wrote:

> Is this support (fraction of second) there in other RDBMS (Oracle, MSSQL,
> etc?). If it is only Mysql 5.6.4 +, then we shouldn't use IMO. If this
> support is there in all other RDBMS, then it should be ok.
>
I checked with Oracle, MSSQL, PostgreSQL, Informix and DB2. All support
fractions of seconds.

Thanks,
Ishara
[1]
http://docs.oracle.com/cd/B19306_01/server.102/b14200/sql_elements001.htm#i54330
[2] https://msdn.microsoft.com/en-us/library/ms187819.aspx
[3] http://www.postgresql.org/docs/9.1/static/datatype-datetime.html
[4]
https://www-01.ibm.com/support/knowledgecenter/SSGU8G_12.1.0/com.ibm.sqlr.doc/ids_sqr_110.htm
[5]
https://www-304.ibm.com/support/knowledgecenter/SSEPEK_10.0.0/com.ibm.db2z10.doc.intro/src/tpc/db2z_datetimetimestamp.dita

> On Thu, Oct 1, 2015 at 9:40 PM, Ishara Karunarathna <isha...@wso2.com>
> wrote:
>
>> Hi Shankar,
>>
>> On Thu, Oct 1, 2015 at 7:45 PM, Selvaratnam Uthaiyashankar <
>> shan...@wso2.com> wrote:
>>
>>> Normally, we should keep the compatibility with older versions.
>>>
>>> Is there any specific reason why you need upto microsecond precision for
>>> the timestamp?
>>>
>> by default mysql support for seconds.
>> In Identity server we started to persist session date with its updated
>> timestamp. And retrieve the latest data object related to
>> given session.
>> If it's only supported for seconds we get duplicate entries. In that case
>> we have to go for fractional seconds in timestamp
>> or will have to store it in another data type.
>>
>> Thanks,
>> Ishara
>>
>>>
>>> On Wed, Sep 30, 2015 at 10:35 PM, Ishara Karunarathna <isha...@wso2.com>
>>> wrote:
>>>
>>>> Hi all,
>>>>
>>>> For example In mysql version 5.6.4 (released on February 5, 2013 )
>>>> onwards [1] it support for
>>>> fractional seconds for TIMESTAMP values, with up to microseconds (6
>>>> digits)
>>>>
>>>> But if we write scripts to get that features it won't work with older
>>>> versions.
>>>> So can we write scripts to work only with mysql version 5.6.4 and
>>>> latest or should we support for old versions ?.
>>>>
>>>> Thanks,
>>>> Ishara
>>>>
>>>> [1]
>>>> http://dev.mysql.com/doc/refman/5.6/en/mysql-nutshell.html#mysql-nutshell-additions
>>>> --
>>>> Ishara Karunarathna
>>>> Senior Software Engineer
>>>> WSO2 Inc. - lean . enterprise . middleware |  wso2.com
>>>>
>>>> email: isha...@wso2.com,   blog: isharaaruna.blogspot.com,   mobile:
>>>> +94717996791
>>>>
>>>
>>>
>>>
>>> --
>>> S.Uthaiyashankar
>>> VP Engineering
>>> WSO2 Inc.
>>> http://wso2.com/ - "lean . enterprise . middleware"
>>>
>>> Phone: +94 714897591
>>>
>>
>>
>>
>> --
>> Ishara Karunarathna
>> Senior Software Engineer
>> WSO2 Inc. - lean . enterprise . middleware |  wso2.com
>>
>> email: isha...@wso2.com,   blog: isharaaruna.blogspot.com,   mobile:
>> +94717996791
>>
>
>
>
> --
> S.Uthaiyashankar
> VP Engineering
> WSO2 Inc.
> http://wso2.com/ - "lean . enterprise . middleware"
>
> Phone: +94 714897591
>



-- 
Ishara Karunarathna
Senior Software Engineer
WSO2 Inc. - lean . enterprise . middleware |  wso2.com

email: isha...@wso2.com,   blog: isharaaruna.blogspot.com,   mobile:
+94717996791


Re: [Dev] [IS] [DEV] Getting "localhost" as the saml2:Issuer in SAML authentication response

2015-09-30 Thread Ishara Karunarathna
Hi Nadeesha,

In your cluster nodes, what are the MgtHostName and HostName values?



On Wed, Sep 30, 2015 at 11:53 AM, Rajith Vitharana <raji...@wso2.com> wrote:

> Hi Nadeesha,
>
> As I remember you need to change the issuer in ResidentIDP config for this
> to work.
>
> Thanks,
>
> On Wed, Sep 30, 2015 at 11:48 AM, Nadeesha Meegoda <nadees...@wso2.com>
> wrote:
>
>> Hi IS team,
>>
>> I have configured a SAML SSO service provider (travelocity.com) in
>> tenant mode (ymc.com). My IS is running in cluster environment it's
>> https://mgt.is.wso2.com. When I was signing in to travelocity.com in the
>> SAML AuthnRequest the samlp:issuer is as follows :
>>
>> 
>> travelocity@ymc.com
>>
>> However in the SAML Response to the authentication request the
>> saml2:issuer is as follows:
>>
>> >   xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>>   >localhost
>>
>> May I know why the saml2:Issuer is localhost here? Do I need to do more
>> configurations to get it right? Can anyone explain please?
>>
>> I have attached the full authentication request and response with the
>> mail.
>>
>>
>> Thanks
>>
>> --
>> *Nadeesha Meegoda*
>> Software Engineer - QA
>> WSO2 Inc.; http://wso2.com
>> lean.enterprise.middleware
>> email : nadees...@wso2.com
>> mobile: +94783639540
>>
>>
>
>
> --
> Rajith Vitharana
>
> Software Engineer,
> WSO2 Inc. : wso2.com
> Mobile : +94715883223
> Blog : http://lankavitharana.blogspot.com/
>
>
>


-- 
Ishara Karunarathna
Senior Software Engineer
WSO2 Inc. - lean . enterprise . middleware |  wso2.com

email: isha...@wso2.com,   blog: isharaaruna.blogspot.com,   mobile:
+94717996791


[Dev] Should mysql database scripts work with old mysql versions.

2015-09-30 Thread Ishara Karunarathna
Hi all,

For example, MySQL version 5.6.4 (released on February 5, 2013) onwards
[1] supports
fractional seconds for TIMESTAMP values, with up to microseconds (6 digits).

But if we write scripts to use that feature, they won't work with older
versions.
So can we write scripts to work only with MySQL version 5.6.4 and later, or
should we support old versions?

Thanks,
Ishara

[1]
http://dev.mysql.com/doc/refman/5.6/en/mysql-nutshell.html#mysql-nutshell-additions
-- 
Ishara Karunarathna
Senior Software Engineer
WSO2 Inc. - lean . enterprise . middleware |  wso2.com

email: isha...@wso2.com,   blog: isharaaruna.blogspot.com,   mobile:
+94717996791


Re: [Dev] [IS] - Single Sign out is not working when integrated with Google OpenID - Connect Authentication

2015-09-18 Thread Ishara Karunarathna
Hi Nadeesha.

This is expected behavior. This scenario involves not only SLO but also
single login and federated authentication.
The protocols involved are SAML between travelocity.com and IS, and OIDC between
IS and Google. In this scenario SLO works
only over applications logged in with IS.
In that case, if you have a Google session in your browser, you should be
automatically logged in again.

Thanks,
Ishara


On Thu, Sep 17, 2015 at 6:29 PM, Nadeesha Meegoda <nadees...@wso2.com>
wrote:

> Hi Hasinthi,
>
> It works fine when I logout from Google account. But my concern is, Is
> that the expected behavior of  Single Logout? If so, when trying to sign in
> from travelocity app if we are sending request for Google for
> authentication why does the logout acts differently? Why can't it send a
> request for Google for single logout? Clicking logout in my point of view
> is to logout from the application/session, and when trying to login again
> Google credentials should be provided. Otherwise what is the point of the
> logout if the session stays persistent? Please clarify!
>
> On Thu, Sep 17, 2015 at 4:02 PM, Hasanthi Purnima Dissanayake <
> hasan...@wso2.com> wrote:
>
>> Hi Nadeesha,
>>
>> Once you logout from the travelocity app, please make sure to logout from
>> the google account too. Otherwise if there is a session of the google
>> account it will automatically redirect to travelocity app in the second
>> attempt without asking the permission. Please let us know if you face the
>> same issue even after logging out from the google account too.
>>
>> Thanks.
>>
>> Hasanthi Dissanayake
>>
>> Software Engineer | WSO2
>>
>> E: hasan...@wso2.com <nirosh...@wso2.com>
>> M :0718407133| http://wso2.com
>>
>> On Thu, Sep 17, 2015 at 2:57 PM, Nadeesha Meegoda <nadees...@wso2.com>
>> wrote:
>>
>>> Hi,
>>>
>>> Followed the blog in [1] and configured Google as OpenID Connect IDP.
>>> Login in to travelocity.com with SAML was successful with google
>>> authentication. Also when the logout was clicked it directed to
>>> http://localhost:8080/travelocity.com/index.jsp from the home.jsp so I
>>> thought the logout was successful. But when I tried to sign in with SAML
>>> again I got logged in automatically without asking for the Google
>>> authentication credentials. Have I missed some configurations?
>>>
>>> Note : I have enabled single logout in the SP I created and double
>>> checked the travelocity.properties file and there also it is marked as
>>> true. (SAML.EnableSLO=true). With the SAML tracer I monitored the logout
>>> but I couldn't see any request sent to google where I think is the issue.
>>>
>>> [1] - http://xacmlinfo.org/2014/12/02/621/
>>>
>>> Any help on above is highly appreciated.
>>>
>>>
>>> Thank you
>>> --
>>> *Nadeesha Meegoda*
>>> Software Engineer - QA
>>> WSO2 Inc.; http://wso2.com
>>> lean.enterprise.middleware
>>> email : nadees...@wso2.com
>>> mobile: +94783639540
>>>
>>>
>>
>
>
> --
> *Nadeesha Meegoda*
> Software Engineer - QA
> WSO2 Inc.; http://wso2.com
> lean.enterprise.middleware
> email : nadees...@wso2.com
> mobile: +94783639540
>



-- 
Ishara Karunarathna
Senior Software Engineer
WSO2 Inc. - lean . enterprise . middleware |  wso2.com

email: isha...@wso2.com,   blog: isharaaruna.blogspot.com,   mobile:
+94717996791


Re: [Dev] OAuth2 support for Google spreadsheet API in DSS

2015-07-29 Thread Ishara Karunarathna
Hi Rajith,

On Wed, Jul 29, 2015 at 11:48 AM, Rajith Vitharana raji...@wso2.com wrote:

 Hi All,

 We are in the process of implementing OAuth2 support for the Google
 spreadsheets API. We have used google-api-client for this
 purpose (dependency is in [1]). We are going to give a tool so that the user can
 generate an Access token and a Refresh token and store them in the DBS file. (going
 to add the generation tool since Google doesn't let us use Refresh tokens
 generated by other clients)


What is the validity period of these refresh and access tokens? If the refresh
token has a limited lifetime, this approach is also not going to work as you
expected.
In that case there should be a way to get a new token if the access token or
refresh token has expired. You should even be able to handle token revocation
scenarios.

Thanks,
Ishara


 We thought of only to save Refresh token in the dbs file since the Access
 token will be expired after some time and it will make the dbs file contain
 wrong data. Our approach will be to request and get a access token in the
 dbs deployment time using the refresh token we have. Will this approach be
 good to tackle the situation?

 [1] - <dependency>
 <groupId>com.google.api-client</groupId>
 <artifactId>google-api-client</artifactId>
 <version>1.20.0</version>
 </dependency>

 Thanks,

 --
 Rajith Vitharana

 Software Engineer,
 WSO2 Inc. : wso2.com
 Mobile : +94715883223
 Blog : http://lankavitharana.blogspot.com/




-- 
Ishara Karunarathna
Senior Software Engineer
WSO2 Inc. - lean . enterprise . middleware |  wso2.com

email: isha...@wso2.com,   blog: isharaaruna.blogspot.com,   mobile:
+94717996791


Re: [Dev] OAuth2 support for Google spreadsheet API in DSS

2015-07-29 Thread Ishara Karunarathna
Hi,

On Wed, Jul 29, 2015 at 4:47 PM, Rajith Vitharana raji...@wso2.com wrote:

 Hi Ishara,

 Thanks for the response. As per [1], [2] Google refresh tokens never
 expire, quoting the statement "Refresh tokens are valid until the user
 revokes access. This field is only present if access_type=offline is
 included in the authorization code request". Normally access tokens
 expire in 60 mins. Furthermore there is no password grant type in
 Google. So we have to go to the consent page to get the tokens. (Although there
 is a service account concept where we need a key to get access)


In that case I think it's OK. But you will have to handle token revocations.


 [1] - https://developers.google.com/identity/protocols/OAuth2WebServer
 [2] -
 http://stackoverflow.com/questions/8953983/do-google-refresh-tokens-expire

 Thanks,



 On Wed, Jul 29, 2015 at 4:35 PM, Ishara Karunarathna isha...@wso2.com
 wrote:

 Hi Rajith,

 On Wed, Jul 29, 2015 at 11:48 AM, Rajith Vitharana raji...@wso2.com
 wrote:

 Hi All,

 We are in the process of implementing OAuth2 support for the Google
 spreadsheets API. We have used google-api-client for this
 purpose (dependency is in [1]). We are going to give a tool so that the user can
 generate an Access token and a Refresh token and store them in the DBS file. (going
 to add the generation tool since Google doesn't let us use Refresh tokens
 generated by other clients)


 What is the validity period of these refresh and access tokens? If the
 refresh token has a limited lifetime, this approach is also not going to work as you
 expected.
 In that case there should be a way to get a new token if the access token or
 refresh token has expired. You should even be able to handle token revocation
 scenarios.

 Thanks,
 Ishara


 We thought of only to save Refresh token in the dbs file since the
 Access token will be expired after some time and it will make the dbs file
 contain wrong data. Our approach will be to request and get a access token
 in the dbs deployment time using the refresh token we have. Will this
 approach be good to tackle the situation?

 [1] - <dependency>
 <groupId>com.google.api-client</groupId>
 <artifactId>google-api-client</artifactId>
 <version>1.20.0</version>
 </dependency>

 Thanks,

 --
 Rajith Vitharana

 Software Engineer,
 WSO2 Inc. : wso2.com
 Mobile : +94715883223
 Blog : http://lankavitharana.blogspot.com/




 --
 Ishara Karunarathna
 Senior Software Engineer
 WSO2 Inc. - lean . enterprise . middleware |  wso2.com

 email: isha...@wso2.com,   blog: isharaaruna.blogspot.com,   mobile:
 +94717996791








-- 
Ishara Karunarathna
Senior Software Engineer
WSO2 Inc. - lean . enterprise . middleware |  wso2.com

email: isha...@wso2.com,   blog: isharaaruna.blogspot.com,   mobile:
+94717996791
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
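
The approach discussed in this thread (persist only the refresh token, obtain the access token at deployment time, and cope with expiry and revocation), as an added sketch that is not code from the thread or from WSO2. The token endpoint is a constructed in-memory stand-in and every class name is hypothetical.

```python
import itertools
import time


class RefreshTokenRejected(Exception):
    """The authorization server refused the stored refresh token."""


class FakeTokenEndpoint:
    """Constructed in-memory stand-in for an OAuth 2.0 token endpoint."""

    def __init__(self, refresh_token, access_ttl=3600):
        self._valid = {refresh_token}
        self._ttl = access_ttl
        self._counter = itertools.count(1)

    def revoke(self, refresh_token):
        self._valid.discard(refresh_token)

    def refresh(self, refresh_token):
        # RFC 6749 section 5.2: a revoked or expired refresh token is
        # answered with the error code "invalid_grant".
        if refresh_token not in self._valid:
            return {"error": "invalid_grant"}
        return {
            "access_token": f"at-{next(self._counter)}",
            "token_type": "Bearer",
            "expires_in": self._ttl,
        }


class AccessTokenSource:
    """Holds the long-lived refresh token; access tokens live in memory only."""

    def __init__(self, endpoint, refresh_token, clock=time.time, skew=60):
        self._endpoint = endpoint
        self._refresh_token = refresh_token
        self._clock = clock
        self._skew = skew  # refresh this many seconds before expiry
        self._access_token = None
        self._expires_at = 0.0

    def _refresh(self):
        reply = self._endpoint.refresh(self._refresh_token)
        if "error" in reply:
            # Drop the cached token so a rejected grant is never papered over.
            self._access_token = None
            self._expires_at = 0.0
            raise RefreshTokenRejected(reply["error"])
        self._access_token = reply["access_token"]
        self._expires_at = self._clock() + reply["expires_in"]

    def token(self):
        """Return a usable access token, refreshing at first use or near expiry."""
        near_expiry = self._clock() >= self._expires_at - self._skew
        if self._access_token is None or near_expiry:
            self._refresh()
        return self._access_token

    def invalidate(self):
        """Call when the API answers 401: the access token may have been revoked."""
        self._access_token = None


def demo():
    now = [1000.0]  # constructed clock so the run is deterministic
    endpoint = FakeTokenEndpoint("rt-constructed")
    source = AccessTokenSource(endpoint, "rt-constructed", clock=lambda: now[0])
    seen = [source.token()]           # fetched at "deployment"
    now[0] += 3541                    # inside the 60 s skew window before expiry
    seen.append(source.token())       # transparently refreshed
    endpoint.revoke("rt-constructed")
    source.invalidate()
    try:
        source.token()
    except RefreshTokenRejected as exc:
        seen.append(f"rejected: {exc}")  # operator must re-run the consent tool
    return seen


if __name__ == "__main__":
    print(demo())
```

A rejected refresh token cannot be repaired by the service itself; the only recovery is a new authorization by the user, which is why the rejection is raised instead of retried.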


Re: [Dev] User profile management - getNameAssociatedWith

2015-07-17 Thread Ishara Karunarathna
Hi Suhan,

On Fri, Jul 17, 2015 at 10:41 AM, Suhan Dharmasuriya suh...@wso2.com
wrote:

 Hi Ishara,

 Thank you for the guidance.
 Is it necessary to set the same resident IDP certificate to the IDP that
 we are creating [1] [@109]?
 If not, will it affect the retrieval of the Associated name functionality?

There shouldn't be an effect from the certificate on the Associated ID
functionality.

I'm not clear what you are going to do. Better if you explain what you are
going to do here.


 I'm trying to get the resident IDP in App Server but unable to do so.
 Therefore when creating the new IDP, I tried with setting up a dummy
 certificate value with BASE64 encoded.

 [1]
 https://github.com/wso2/product-is/blob/7c3cbe328ea37ecbbee995a9528d4de44495e633/modules/integration/tests-integration/tests-backend/src/test/java/org/wso2/identity/integration/test/identity/mgt/IdentityProviderMgtServiceTestCase.java

 Thanks,
 Suhan


 On Wed, Jul 15, 2015 at 6:07 PM, Ishara Karunarathna isha...@wso2.com
 wrote:

 Hi,

 On Wed, Jul 15, 2015 at 5:46 PM, Suhan Dharmasuriya suh...@wso2.com
 wrote:

 Hi,

 What is the functionality of $subject?

 If you did an account association. Sending Associated IDP, Associated
 subject ID you can get the Associated users (Who exist in the user store)
 user name.

 Thanks,
 Ishara

 I'm observing this operation inside UserProfileMgtService [1] when admin
 services are exposed in App Server latest build.

 I have added an IdP with basic details [2].

 <mgt:identityProvider>
     <xsd:alias>https://localhost:9443/oauth2/token/</xsd:alias>
     <xsd:certificate>BASE64 encoded String goes here</xsd:certificate>
     <xsd:displayName>Sample IdP</xsd:displayName>
     <xsd:enable>true</xsd:enable>
     <xsd:federationHub>false</xsd:federationHub>
     <xsd:homeRealmId>localhost</xsd:homeRealmId>
     <xsd:identityProviderDescription>Sample Description</xsd:identityProviderDescription>
     <xsd:identityProviderName>TestIdP</xsd:identityProviderName>
     <xsd:primary>true</xsd:primary>
     <xsd:provisioningRole>test</xsd:provisioningRole>
 </mgt:identityProvider>

 After performing associateID operation, I tried to call
 the getNameAssociatedWith through my custom client but getting a null
 object.

 Relevant sql is as follows [3].

 sql = "SELECT DOMAIN_NAME, USER_NAME FROM IDN_ASSOCIATED_ID WHERE TENANT_ID = ? AND IDP_ID = (SELECT ID " +
       "FROM IDP WHERE NAME = ? AND TENANT_ID = ?) AND IDP_USER_ID = ?";

 [1] https://localhost:9443/services/UserProfileMgtService?wsdl
 [2]
 https://github.com/wso2/carbon-identity/blob/master/components/idp-mgt/org.wso2.carbon.idp.mgt/src/main/java/org/wso2/carbon/idp/mgt/IdentityProviderManagementService.java
 [3]
 https://github.com/wso2/carbon-identity/blob/master/components/user-mgt/org.wso2.carbon.identity.user.profile/src/main/java/org/wso2/carbon/identity/user/profile/mgt/UserProfileAdmin.java

 Thanks,
 Suhan


 --
 Suhan Dharmasuriya
 Software Engineer - Test Automation

 *WSO2, Inc. *

 lean . enterprise . middleware
 Tel: +94 112 145345
 Mob: +94 779 869138
 Blog: http://suhan-opensource.blogspot.com/






Re: [Dev] User profile management - getNameAssociatedWith

2015-07-17 Thread Ishara Karunarathna
Hi

On Fri, Jul 17, 2015 at 4:00 PM, Suhan Dharmasuriya suh...@wso2.com wrote:

 Hi Ishara,

 Scenario I'm trying is as follows.
 I'm trying to test the associated ID functionality regarding the 
 UserProfileMgtService
 in App Server.
 Therefore to test the same I have to create an IDP first with basic
 details.
 I have successfully tested the following operations.
 1. associateID
 2. getAssociatedIDs
 3. removeAssociateID

 However I'm unable to get a value with getNameAssociatedWith.
 I have logged in to my AuthenticatorClient using default admin credentials.

 Can you please provide some related documentation or an article regarding
 the associated ID functionality?

You will find it here[1].

[1]
http://daytodayjava.blogspot.com/2015/04/manage-user-account-associations.html

 I would like to further analyse this scenario in depth.

 Thanks,
 Suhan


 On Fri, Jul 17, 2015 at 12:05 PM, Ishara Karunarathna isha...@wso2.com
 wrote:

 Hi Suhan,

 On Fri, Jul 17, 2015 at 10:41 AM, Suhan Dharmasuriya suh...@wso2.com
 wrote:

 Hi Ishara,

 Thank you for the guidance.
 Is it necessary to set the same resident IDP certificate to the IDP that
 we are creating [1] [@109]?
 If not, will it affect the retrieval of the Associated name
 functionality?

 There shouldn't be an effect from the certificate on the Associated ID
 functionality.

 I'm not clear what you are going to do. Better if you explain what you
 are going to do here.


 I'm trying to get the resident IDP in App Server but unable to do so.
 Therefore when creating the new IDP, I tried with setting up a dummy
 certificate value with BASE64 encoded.

 [1]
 https://github.com/wso2/product-is/blob/7c3cbe328ea37ecbbee995a9528d4de44495e633/modules/integration/tests-integration/tests-backend/src/test/java/org/wso2/identity/integration/test/identity/mgt/IdentityProviderMgtServiceTestCase.java

 Thanks,
 Suhan


 On Wed, Jul 15, 2015 at 6:07 PM, Ishara Karunarathna isha...@wso2.com
 wrote:

 Hi,

 On Wed, Jul 15, 2015 at 5:46 PM, Suhan Dharmasuriya suh...@wso2.com
 wrote:

 Hi,

 What is the functionality of $subject?

 If you did an account association. Sending Associated IDP, Associated
 subject ID you can get the Associated users (Who exist in the user store)
 user name.

 Thanks,
 Ishara

 I'm observing this operation inside UserProfileMgtService [1] when
 admin services are exposed in App Server latest build.

 I have added an IdP with basic details [2].

 <mgt:identityProvider>
     <xsd:alias>https://localhost:9443/oauth2/token/</xsd:alias>
     <xsd:certificate>BASE64 encoded String goes here</xsd:certificate>
     <xsd:displayName>Sample IdP</xsd:displayName>
     <xsd:enable>true</xsd:enable>
     <xsd:federationHub>false</xsd:federationHub>
     <xsd:homeRealmId>localhost</xsd:homeRealmId>
     <xsd:identityProviderDescription>Sample Description</xsd:identityProviderDescription>
     <xsd:identityProviderName>TestIdP</xsd:identityProviderName>
     <xsd:primary>true</xsd:primary>
     <xsd:provisioningRole>test</xsd:provisioningRole>
 </mgt:identityProvider>

 After performing associateID operation, I tried to call
 the getNameAssociatedWith through my custom client but getting a null
 object.

 Relevant sql is as follows [3].

 sql = "SELECT DOMAIN_NAME, USER_NAME FROM IDN_ASSOCIATED_ID WHERE TENANT_ID = ? AND IDP_ID = (SELECT ID " +
       "FROM IDP WHERE NAME = ? AND TENANT_ID = ?) AND IDP_USER_ID = ?";

 [1] https://localhost:9443/services/UserProfileMgtService?wsdl
 [2]
 https://github.com/wso2/carbon-identity/blob/master/components/idp-mgt/org.wso2.carbon.idp.mgt/src/main/java/org/wso2/carbon/idp/mgt/IdentityProviderManagementService.java
 [3]
 https://github.com/wso2/carbon-identity/blob/master/components/user-mgt/org.wso2.carbon.identity.user.profile/src/main/java/org/wso2/carbon/identity/user/profile/mgt/UserProfileAdmin.java

 Thanks,
 Suhan



Re: [Dev] User profile management - getNameAssociatedWith

2015-07-15 Thread Ishara Karunarathna
Hi,

On Wed, Jul 15, 2015 at 5:46 PM, Suhan Dharmasuriya suh...@wso2.com wrote:

 Hi,

 What is the functionality of $subject?

If you did an account association. Sending Associated IDP, Associated
subject ID you can get the Associated users (Who exist in the user store)
user name.

Thanks,
Ishara

 I'm observing this operation inside UserProfileMgtService [1] when admin
 services are exposed in App Server latest build.

 I have added an IdP with basic details [2].

 <mgt:identityProvider>
     <xsd:alias>https://localhost:9443/oauth2/token/</xsd:alias>
     <xsd:certificate>BASE64 encoded String goes here</xsd:certificate>
     <xsd:displayName>Sample IdP</xsd:displayName>
     <xsd:enable>true</xsd:enable>
     <xsd:federationHub>false</xsd:federationHub>
     <xsd:homeRealmId>localhost</xsd:homeRealmId>
     <xsd:identityProviderDescription>Sample Description</xsd:identityProviderDescription>
     <xsd:identityProviderName>TestIdP</xsd:identityProviderName>
     <xsd:primary>true</xsd:primary>
     <xsd:provisioningRole>test</xsd:provisioningRole>
 </mgt:identityProvider>

 After performing associateID operation, I tried to call
 the getNameAssociatedWith through my custom client but getting a null
 object.

 Relevant sql is as follows [3].

 sql = "SELECT DOMAIN_NAME, USER_NAME FROM IDN_ASSOCIATED_ID WHERE TENANT_ID = ? AND IDP_ID = (SELECT ID " +
       "FROM IDP WHERE NAME = ? AND TENANT_ID = ?) AND IDP_USER_ID = ?";

 [1] https://localhost:9443/services/UserProfileMgtService?wsdl
 [2]
 https://github.com/wso2/carbon-identity/blob/master/components/idp-mgt/org.wso2.carbon.idp.mgt/src/main/java/org/wso2/carbon/idp/mgt/IdentityProviderManagementService.java
 [3]
 https://github.com/wso2/carbon-identity/blob/master/components/user-mgt/org.wso2.carbon.identity.user.profile/src/main/java/org/wso2/carbon/identity/user/profile/mgt/UserProfileAdmin.java

 Thanks,
 Suhan




Re: [Dev] [ES] Configuring a New Key store in ES 2.0 with SSO enabled via IS 5.0

2015-07-13 Thread Ishara Karunarathna
Hi,

On Mon, Jul 13, 2015 at 6:44 PM, Nadeesha Meegoda nadees...@wso2.com
wrote:

 Hi all,

 I have a concern regarding the steps followed when configuring a New Key
 store in ES where ES authenticates via IS.

I think you have configured SSO with SAML.


 These are the steps followed :

 1. Created a Key store for ES, Imported the key to Client Trust store in ES
 2. Configured ES to work with the new Key store
 3. Added the ES key to IS Client Trust Store - Note that IS is having the
 default wso2carbon.jks


Here you have created a new keystore and imported your public key to your
existing client-truststore.jks

And for the SSO scenario to work you will have to import the public cert of IS to your
new keystore

Thanks,
Ishara


 We thought following the above steps will be enough for the Key store
 configurations since ES has the default wso2carbon.jks imported to its
 Client Trust store anyway.

 However ES login via IS was not successful due to *not* having the IS
 public key details imported into the key that I created in ES. So ultimately
 the data decryption didn't happen successfully. My concern is that All the
 third party public keys should be imported in to the client trust store not
 to the main key itself. What we do here is we are importing the IS public
 key details to the main key of ES.

 My question is do we need to follow all the above with importing the IS
 public key to the main key of ES or 1,2,3 steps would be enough for the New
 key store to work?


 Thanks & Regards,
 Nadeesha

 --
 *Nadeesha Meegoda*
 Software Engineer - QA
 WSO2 Inc.; http://wso2.com
 lean.enterprise.middleware
 email : nadees...@wso2.com
 mobile: +94783639540


Re: [Dev] [ES] Configuring a New Key store in ES 2.0 with SSO enabled via IS 5.0

2015-07-13 Thread Ishara Karunarathna
On Tue, Jul 14, 2015 at 9:59 AM, Pavithra Madurangi pavit...@wso2.com
wrote:



 On Tue, Jul 14, 2015 at 9:52 AM, Ishara Karunarathna isha...@wso2.com
 wrote:

 Hi,

 On Mon, Jul 13, 2015 at 6:44 PM, Nadeesha Meegoda nadees...@wso2.com
 wrote:

 Hi all,

 I have a concern regarding the steps followed when configuring a New Key
 store in ES where ES authenticates via IS.

 I think you have configured SSO with SAML.


 These are the steps followed :

 1. Created a Key store for ES, Imported the key to Client Trust store in
 ES
 2. Configured ES to work with the new Key store
 3. Added the ES key to IS Client Trust Store - Note that IS is having
 the default wso2carbon.jks


 Here you have created a new keystore and imported your public key to your
 existing client-truststore.jks

 And for the SSO scenario to work you will have to import the public cert of IS to
 your new keystore


 Normally we add certificates from other parties that we expect to
 communicate with to the trust store (trust store of ES in this case). So instead of doing so,
 why do we have to add it to the key store of ES?

For the SSL communication, yes, we add trusted public keys to
client-truststore.jks.
But in this case we keep IDP public keys in our main keystore.


 Thanks,
 Ishara


 We thought following the above steps will be enough for the Key store
 configurations since ES has the default wso2carbon.jks imported to its
 Client Trust store anyway.

 However ES login via IS was not successful due to *not* having the IS
 public key details imported into the key that I created in ES. So ultimately
 the data decryption didn't happen successfully. My concern is that All the
 third party public keys should be imported in to the client trust store not
 to the main key itself. What we do here is we are importing the IS public
 key details to the main key of ES.

 My question is do we need to follow all the above with importing the IS
 public key to the main key of ES or 1,2,3 steps would be enough for the New
 key store to work?


 Thanks & Regards,
 Nadeesha


 --
 *Pavithra Madurangi*
 Associate Technical Lead - QA.
 WSO2 Inc.: http://wso2.com/
 Mobile: 0777207357 / 0112747089






Re: [Dev] Please merge PR #280

2015-07-06 Thread Ishara Karunarathna
Hi,

Add some changes.

Please merge this too.

https://github.com/wso2/carbon4-kernel/pull/281

On Mon, Jul 6, 2015 at 12:51 PM, Johann Nallathamby joh...@wso2.com wrote:

 Merged.

 Thanks.

 On Mon, Jul 6, 2015 at 11:58 AM, Ishara Karunarathna isha...@wso2.com
 wrote:

 Hi,

 $subject pls for [1]

 Thanks,
 Ishara

 [1] https://github.com/wso2/carbon4-kernel/pull/280





 --
 Thanks & Regards,

 *Johann Dilantha Nallathamby*
 Technical Lead & Product Lead of WSO2 Identity Server
 Integration Technologies Team
 WSO2, Inc.
 lean.enterprise.middleware

 Mobile - *+9476950*
 Blog - *http://nallaa.wordpress.com*






[Dev] Please merge PR #263

2015-06-30 Thread Ishara Karunarathna
Hi,

$subject pls for [1]

Apart from this there are set of pull requests created by IS team better to
merge those as well.

Thanks,
Ishara
[1] https://github.com/wso2/carbon4-kernel/pull/263



Re: [Dev] Visibility of Internal Roles for the tenant admins

2015-06-26 Thread Ishara Karunarathna
Hi,

On Fri, Jun 26, 2015 at 5:01 PM, Bhathiya Jayasekara bhath...@wso2.com
wrote:

 Hi Tanya,

 On Fri, Jun 26, 2015 at 4:44 PM, Tanya Madurapperuma ta...@wso2.com
 wrote:

 Hi,

 In products like ES, APIM we have set of internal roles such as
 internal/publisher, internal/store, internal/reviewer etc that comes by
 default.

 These roles are visible when we log into the super tenant.

 But if we create a tenant and login to that tenant from management
 console as the tenant admin, those internal roles are not visible to the
 tenant admin.

 Is this the desired behaviour ?


 Yes, roles belong to a particular tenant.


 If so, is it the responsibility of the tenant admin to create those roles
 manually and assign the appropriate permission to that role?


 You can automate that by writing a tenant loading listener by extending
 AbstractAxis2ConfigurationContextObserver.

I think it's better to use TenantMgtListener to do this.

Thanks,
Ishara


 Thanks,
 Bhathiya



 Appreciate any insight.

 Thanks,
 Tanya


 --
 Tanya Madurapperuma

 Senior Software Engineer,
 WSO2 Inc. : wso2.com
 Mobile : +94718184439
 Blog : http://tanyamadurapperuma.blogspot.com





 --
 *Bhathiya Jayasekara*
 *Senior Software Engineer,*
 *WSO2 inc., http://wso2.com*

 *Phone: +94715478185*
 *LinkedIn: http://www.linkedin.com/in/bhathiyaj*
 *Twitter: https://twitter.com/bhathiyax*
 *Blog: http://movingaheadblog.blogspot.com*



Re: [Dev] Please fix IDENTITY-3338

2015-06-08 Thread Ishara Karunarathna
Hi,

Will check on this.

Thanks,
Ishara

On Mon, Jun 8, 2015 at 2:33 PM, Tanya Madurapperuma ta...@wso2.com wrote:

 Hi IS team,

 We have faced the following issue in ES [1] and is affecting the ES beta
 release. We were able to reproduce the same issue in IS as well [2]

 Appreciate if you could fix [2] at your earliest possible.

 [1] https://wso2.org/jira/browse/STORE-744
 [2] https://wso2.org/jira/browse/IDENTITY-3338

 Thanks,
 Tanya





Re: [Dev] OAuth issues

2015-05-17 Thread Ishara Karunarathna
)
 at org.jaggeryjs.jaggery.core.JaggeryFilter.doFilter(JaggeryFilter.java:21)
 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
 at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
 at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
 at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:504)
 at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
 at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
 at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:99)
 at org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.invoke(CarbonTomcatValve.java:47)
 at org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:57)
 at org.wso2.carbon.webapp.authenticator.framework.WebappAuthenticatorFrameworkValve.processResponse(WebappAuthenticatorFrameworkValve.java:46)
 at org.wso2.carbon.webapp.authenticator.framework.WebappAuthenticatorFrameworkValve.invoke(WebappAuthenticatorFrameworkValve.java:38)
 at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47)
 at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:62)
 at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:159)
 at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
 at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:57)
 at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
 at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:421)
 at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1074)
 at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
 at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1739)
 at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1698)
 at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
 at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
 at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
 at java.lang.Thread.run(Thread.java:744)
 [2015-05-15 20:49:33,887] ERROR {JAGGERY.site.blocks.subscription.subscription-add.ajax.subscription-add:jag} -  org.wso2.carbon.apimgt.api.APIManagementException: Exception occurred while trying to invoke service method renewAccessToken


 Thanks,

 Lakshitha Harshan
 Software Engineer
 Mobile: *+94724423048*
 Email: hars...@wso2.com
 Blog : http://harshanliyanage.blogspot.com/
 *WSO2, Inc. :** wso2.com http://wso2.com/*
 lean.enterprise.middleware.




 --
 Prabath Abeysekara
 Technical Lead
 WSO2 Inc.
 Email: praba...@wso2.com
 Mobile: +94774171471





 --
 /sumedha
 m: +94 773017743
 b :  bit.ly/sumedha







Re: [Dev] (no subject)

2015-02-20 Thread Ishara Karunarathna
Hi Suharsha,

Welcome to the list.

For a beginning better to get some understanding on OAuth and try out
sample scenarios with that.
Then go through the specifications attached to proposal 7 description

[1] You can download the WSO2 Identity server
[2] Documentation on OAuth concepts
[3] Try out OAuth sample

Thanks,
Ishara

[1] http://wso2.com/products/identity-server/
[2] https://docs.wso2.com/display/IS500/OAuth+Concepts
[3]
https://docs.wso2.com/display/IS450/OAuth+2.0+Playground+with+WSO2+Identity+Server

On Wed, Feb 18, 2015 at 6:44 AM, Suharsha fonseka 
suharshafonsek...@gmail.com wrote:

 Hi,

 I am Suharsha Fonseka.
 I am currently an undergraduate student of Informatics Institute of
 Technology (IIT).

 And I like to work in the project proposal - 07
 User-Managed Access (UMA) Profile for OAuth2
 and I want some guidance to work in the project

 Thanks,

 Suharsha Fonseka



Re: [Dev] Importing users with attribute values into JDBC user store using Bulk Import Users feature in WSO2 identity server

2015-01-23 Thread Ishara Karunarathna
Hi Nuwan,

Using a CSV file you can't set more user attributes other than user name.
But you can get this done via SCIM bulk import support. In [1] you will
get more info on that.

Thanks,
Ishara

[1]
https://malalanayake.wordpress.com/2013/05/28/scim-bulk-endpoint-operations-in-wso2-identity-server/

On Thu, Jan 22, 2015 at 4:48 PM, Nuwan Wimalasekara nuw...@wso2.com wrote:

 Hi IS Team,

 I want to import users which are in csv file into JDBC user store in IS.
 However in sample csv file I found only has two fields(username, password).
 But users have more attributes value with themselves. So any one aware of
 the csv file format with user attribute values and it is possible to import
 users with attribute values by the feature Bulk Import Users.


 Thanks,
 Nuwanw

 --
 Nuwan Wimalasekara
 Senior Software Engineer - Test Automation
 WSO2, Inc.: http://wso2.com
 lean. enterprise. middleware

 phone: +94 71 668 4620








Re: [Dev] WSO2 Committers += Sewwandhi Perera

2014-09-17 Thread Ishara Karunarathna
Congratz Sewwandi .

On Tue, Sep 16, 2014 at 11:26 PM, Ramith Jayasinghe ram...@wso2.com wrote:

 Hi Sewwandhi,

 Congratulations!

 It is with great pleasure that we welcome you as a WSO2 committer. Keep
 up the good work!
 thanks and best regards,

 --
 Ramith Jayasinghe
 Technical Lead
 WSO2 Inc., http://wso2.com
 lean.enterprise.middleware

 E: ram...@wso2.com
 P: +94 777542851




Re: [Dev] [SCIM User, Group filtering syntaxes are different than specification]

2014-09-15 Thread Ishara Karunarathna
Hi,

On Mon, Sep 15, 2014 at 10:16 AM, Gayan Gunawardana ga...@wso2.com wrote:

 Hi,

 According to the current SCIM implementation of WSO2 Identity Server (IS 5.0),
 user and group filtering commands will be [1]

 curl -v -k --user admin:admin https://localhost:9443/wso2/scim/Users?filter=userNameEqadam

 curl -v -k --user admin:admin https://localhost:9443/wso2/scim/Groups?filter=displayNameEqengineer


 But the specification [2] expects something like

 filter=userName Eq john

 +1
We only support filtering with equal. If we have time, better to implement
contains too.

Thanks,
Ishara


 Same Issue was reported here too [3]

 Shall we fix that according to the specification in future releases?

 WDYT?



 [1]
 https://docs.wso2.com/display/IS500/WSO2+Identity+Server+as+a+SCIM+Service+Provider
 [2]
 http://www.simplecloud.info/specs/draft-scim-api-01.html#query-resources
 [3]
 http://stackoverflow.com/questions/19992960/wso2-identity-server-scim-filtering


 --
 Gayan Gunawardana
 Software Engineer; WSO2 Inc.; http://wso2.com/
 Email: ga...@wso2.com
 Mobile: +94 (71) 8020933




___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
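
The two filter spellings compared in this thread, handled by one parser, as an added example that is not WSO2 code. The attribute list, function names and case-insensitive operator matching are assumptions; only `eq` is accepted, matching the statement above that only equality filtering is supported.

```python
import re
from urllib.parse import unquote_plus

# Assumption: the attributes that appear in the thread's two curl examples.
KNOWN_ATTRIBUTES = ("userName", "displayName")


class FilterError(ValueError):
    """The filter string is malformed or uses an unsupported operator."""


# Specification spelling: attribute, two-letter operator and value separated
# by whitespace; the value may be double-quoted.
SPEC_FORM = re.compile(
    r'^\s*([A-Za-z][\w.:]*)\s+([A-Za-z]{2})\s+(?:"([^"]*)"|(\S+))\s*$'
)


def parse_filter(raw):
    """Parse the raw value of the `filter` query parameter.

    Returns (attribute, "eq", value) for both the whitespace-separated
    spelling and the concatenated `userNameEqadam` spelling.
    """
    text = unquote_plus(raw)
    match = SPEC_FORM.match(text)
    if match:
        attribute, operator, quoted, bare = match.groups()
        if operator.lower() != "eq":
            raise FilterError(f"unsupported operator: {operator}")
        return attribute, "eq", quoted if quoted is not None else bare

    # Concatenated spelling: there is no delimiter, so the attribute can only
    # be recovered by matching against names known in advance. Splitting on
    # the first "Eq" instead would misparse any attribute containing "Eq".
    for attribute in KNOWN_ATTRIBUTES:
        prefix = attribute + "Eq"
        if text.startswith(prefix) and len(text) > len(prefix):
            return attribute, "eq", text[len(prefix):]
    raise FilterError(f"unrecognised filter: {text!r}")


def to_spec_form(raw):
    """Rewrite either spelling as `attribute eq "value"`."""
    attribute, operator, value = parse_filter(raw)
    if '"' in value:
        raise FilterError("value contains a double quote")
    return f'{attribute} {operator} "{value}"'


if __name__ == "__main__":
    # Constructed inputs taken from the spellings quoted in the thread.
    for sample in ("userNameEqadam", "displayNameEqengineer", "userName Eq john"):
        print(sample, "->", to_spec_form(sample))
```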


[Dev] Has to change the property name in Userstore configurations

2014-09-09 Thread Ishara Karunarathna
Hi,

passwordHashMethod  property name should be changed as PasswordHashMethod
p to P

And has to fix this in the default configuration file too [1]

Thanks,
Ishara

[1] https://wso2.org/jira/browse/IDENTITY-2281



Re: [Dev] WSO2 Committers += Thanuja Jayasinghe

2014-07-23 Thread Ishara Karunarathna


Re: [Dev] WSO2 Committers += Prasad Tissera

2014-07-23 Thread Ishara Karunarathna
Congratz Prasad . .


On Wed, Jul 23, 2014 at 4:08 AM, Suresh Attanayaka sur...@wso2.com wrote:

 Congrats Prasad!


 On Wed, Jul 23, 2014 at 4:28 PM, Johann Nallathamby joh...@wso2.com
 wrote:

 Hi All,

 It's my pleasure to announce Prasad Tissera as a WSO2 Committer. Prasad has
 been a valuable contributor for WSO2 Identity Server product, and in
 recognition of his contributions to WSO2, he has been voted as a WSO2
 Committer.

 Prasad, Congratulations and Keep up the good work!

 Thanks & Regards,
 Johann.

 --
 Thanks & Regards,

 *Johann Dilantha Nallathamby*
 Associate Technical Lead & Product Lead of WSO2 Identity Server
 Integration Technologies Team
 WSO2, Inc.
 lean.enterprise.middleware

 Mobile - *+9476950*
 Blog - *http://nallaa.wordpress.com*





 --
 Suresh Attanayake
 Senior Software Engineer; WSO2 Inc. http://wso2.com/
 Blog : http://sureshatt.blogspot.com/
 Twitter : https://twitter.com/sureshatt
 LinkedIn : http://lk.linkedin.com/in/sureshatt
 Mobile : +94755012060



Re: [Dev] WSO2 Committers += Isura Karunaratne

2014-07-23 Thread Ishara Karunarathna
Congratz Isura . . .


On Wed, Jul 23, 2014 at 4:07 AM, Pulasthi Mahawithana pulast...@wso2.com
wrote:

 Congrats Isura ...


 On Wed, Jul 23, 2014 at 4:35 PM, Suresh Attanayaka sur...@wso2.com
 wrote:

 Congrats Isura.


 On Wed, Jul 23, 2014 at 4:30 PM, Johann Nallathamby joh...@wso2.com
 wrote:

 Hi All,

 It's my pleasure to announce Isura Karunaratne as a WSO2 Committer.
 Isura has been a valuable contributor for WSO2 Identity Server product,
 and in recognition of his contributions to WSO2, he has been voted as a WSO2
 Committer.

 Isura, Congratulations and Keep up the good work!

 Thanks & Regards,
 Johann.

 --
 *Pulasthi Mahawithana*
 Software Engineer
 WSO2 Inc., http://wso2.com/
 Mobile: +94-71-5179022
 Blog: http://blog.pulasthi.org



Re: [Dev] How to add a new User member to a Group in SCIM

2014-07-16 Thread Ishara Karunarathna
Hi Gayan,




On Wed, Jul 16, 2014 at 7:42 AM, Gayan Gunawardana ga...@wso2.com wrote:

 Yes Darshana.

 Limitation was you have to send entire list with existing members.


Isn't this the problem that you are going to address through the patch
operation?


 On Wed, Jul 16, 2014 at 8:07 PM, Darshana Gunawardana darsh...@wso2.com
 wrote:


 So does that mean we can update the user list of a group externally
 (calling the SCIM group endpoint) as well?


 On Wed, Jul 16, 2014 at 9:27 AM, Gayan Gunawardana ga...@wso2.com
 wrote:

 Hi Darshana,

 I have found a way.

 setUserMember(String id, String displayName) works fine.

 setUserMember(String id) also does the job, but it fails during JSON
 decoding.

 Anyway thanks for looking into this.

 Thanks,
 Gayan




 On Wed, Jul 16, 2014 at 1:28 AM, Darshana Gunawardana darsh...@wso2.com
  wrote:

 Hi Gayan,

 Have you found the way to do $subject?

 AFAIK, this functionality is not supported. If you have to add a user
 to some group using SCIM,
 * Either you have to include that user while creating the group
 * Or you have to update the role list of the user.

 Thanks,
 Darshana



 On Mon, Jul 14, 2014 at 11:45 AM, Gayan Gunawardana ga...@wso2.com
 wrote:

 Hi Ishara,

 While writing an integration test for the patch operation I wanted to modify
 the user list of a group. I have tried the following methods

 setMember(String id)

 setUserMember(String id)

 setGroupMember(String id)

 but it gives

 org.apache.wink.client.ClientRuntimeException: org.wso2.charon.core.exceptions.AbstractCharonException
 at org.apache.wink.client.internal.ResourceImpl.invoke(ResourceImpl.java:240)
 at org.apache.wink.client.internal.ResourceImpl.invoke(ResourceImpl.java:189)
 at org.apache.wink.client.internal.ResourceImpl.put(ResourceImpl.java:326)
 at org.wso2.carbon.identity.tests.scim.SCIMServiceProviderGroupTestCase.updateGroup(SCIMServiceProviderGroupTestCase.java:208)
 Caused by: org.wso2.charon.core.exceptions.AbstractCharonException
 at org.wso2.charon.core.encoder.json.JSONDecoder.decodeException(JSONDecoder.java:153)
 at org.wso2.charon.core.client.SCIMClient.decodeSCIMException(SCIMClient.java:219)
 at org.wso2.carbon.identity.tests.scim.utils.SCIMResponseHandler.handle(SCIMResponseHandler.java:51)
 at org.apache.wink.client.internal.handlers.HandlerContextImpl.doChain(HandlerContextImpl.java:52)
 at org.apache.wink.client.internal.ResourceImpl.invoke(ResourceImpl.java:227)
 ... 36 more

 It seems like after modifying the user list of a group, the JSON decoder
 fails somewhere. This does not happen when updating the group name only.

 Can you point me to the correct method to add a new user member to a group
 from an id? (org.wso2.charon.core.objects.Group).



 --
 Gayan Gunawardana
 Software Engineer; WSO2 Inc.; http://wso2.com/
 Email: ga...@wso2.com
 Mobile: +94 (71) 8020933





 --
 Regards,

 *Darshana Gunawardana*
 Software Engineer
 WSO2 Inc.; http://wso2.com

 *E-mail: darsh...@wso2.com*
 *Mobile: +94718566859*
 Lean . Enterprise . Middleware






Re: [Dev] Custom federated authenticator (For Linked In)

2014-07-14 Thread Ishara Karunarathna
Hi,


On Sun, Jul 13, 2014 at 9:50 PM, Dulanja Liyanage dula...@wso2.com wrote:

 Shall we add this to Chunk-13? WDYT?


I asked to add this as an example of how to add a custom federated authenticator.

+1
for adding a federated authenticator to the server by default.

Thanks,
-Ishara



 On Fri, Jul 11, 2014 at 9:41 PM, Ishara Karunarathna isha...@wso2.com
 wrote:

 Hi all,

 [1] Here I have written a blog on adding custom federated authenticator.
 So I think we can add this to our docs.

 Thanks,
 Ishara
 [1]
 http://isharaaruna.blogspot.com/2014/07/login-with-linkedin-to-wso2-identity.html




 --
 Dulanja Liyanage
 WSO2 Inc.
 M: +94776764717






[Dev] Custom federated authenticator (For Linked In)

2014-07-11 Thread Ishara Karunarathna
Hi all,

[1] Here I have written a blog on adding custom federated authenticator.
So I think we can add this to our docs.

Thanks,
Ishara
[1]
http://isharaaruna.blogspot.com/2014/07/login-with-linkedin-to-wso2-identity.html


Re: [Dev] [Patch method support for SCIM end points]

2014-07-07 Thread Ishara Karunarathna
Hi Gayan,


On Mon, Jul 7, 2014 at 11:46 AM, Gayan Gunawardana ga...@wso2.com wrote:

 Hi All,

 The requirement is based on [1]. Since WSO2 Identity Server can act as a SCIM
 provider, it exposes REST endpoints with standard HTTP methods (GET,
 POST, PUT, DELETE). However, according to [2], the HTTP PATCH method is also
 required to do the patch operation. The idea of the patch operation is this:
 suppose we need to add a new user to an existing group. With the update
 operation we can update the entire list of users in a particular group, so we
 have to send the complete set of users. The patch operation supports merging
 of existing users with new users.

 The bottleneck in implementing the patch operation is that currently [3] does
 not support the HTTP PATCH method directly. But according to [4] it allows
 custom annotations such as @Update or @Patch.

 WDYT?


+1,
You will have to do the custom implementation to get PATCH support.



 [1] https://wso2.org/jira/browse/IDENTITY-1891

 [2] http://tools.ietf.org/html/draft-ietf-scim-api-02#section-3.3.1

 [3] http://cxf.apache.org/docs/jax-rs.html

 [4] http://cxf.apache.org/docs/jax-rs-basics.html#JAX-RSBasics-HTTPMethod

 Thanks,
 Gayan


___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
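
The difference between the update and patch operations described in the thread above, as an added example that is not part of the original messages and is not WSO2 Charon code. It is a simplified in-memory model of the semantics only (not the wire format of the draft cited as [2]); the class, function names and member ids are hypothetical.

```python
# Simplified model of a SCIM group resource; not WSO2 Charon code and not the
# wire format of the draft cited as [2]. All names here are hypothetical.

class GroupStore:
    """Holds one group's member ids, as a SCIM provider would."""

    def __init__(self, members):
        self.members = set(members)

    def get(self):
        # A client reads the full member list before building a PUT body.
        return set(self.members)

    def put(self, full_member_list):
        # Update (PUT): the request body replaces the whole member list.
        self.members = set(full_member_list)

    def patch(self, add=(), remove=()):
        # Patch: only the delta is sent and merged into the stored list.
        self.members |= set(add)
        self.members -= set(remove)


def add_member_with_put(store, stale_view, new_member):
    """Add a member by resending the list the client read earlier."""
    store.put(stale_view | {new_member})
    return store.get()


def add_member_with_patch(store, new_member):
    """Add a member by sending just that member."""
    store.patch(add=[new_member])
    return store.get()


def run_scenario(use_patch):
    # Constructed sample data: three existing members.
    store = GroupStore({"alice", "bob", "carol"})
    stale_view = store.get()          # client A reads the group
    store.patch(remove=["bob"])       # an admin revokes bob in the meantime
    store.patch(add=["dave"])         # and another client adds dave
    if use_patch:
        return add_member_with_patch(store, "erin")
    return add_member_with_put(store, stale_view, "erin")


if __name__ == "__main__":
    print("PUT  :", sorted(run_scenario(use_patch=False)))
    print("PATCH:", sorted(run_scenario(use_patch=True)))
```

With the full-list update, the client's stale copy silently restores the revoked member and drops the concurrent addition; the merge leaves both changes intact.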


[Dev] SCIM Interop at Cloud Identity Summit 2014

2014-06-04 Thread Ishara Karunarathna
Hi all,

[1] This will be held on 19th June, and we can connect to the event
remotely.
Shall we take part in this?

Thanks,
Ishara

[1]
http://www.cloudidentitysummit.com/events/cloud-identity-summit-2014/event-summary-e09252dca9f144cbbd77691980893949.aspx



Re: [Dev] WSO2 Committers += Shazni Nazir

2014-06-03 Thread Ishara Karunarathna
Congratz . . .


On Wed, Jun 4, 2014 at 10:20 AM, Manula Chathurika Thantriwatte 
manu...@wso2.com wrote:

 Congratulations Shazni !!!


 On Wed, Jun 4, 2014 at 10:18 AM, Manoj Kumara ma...@wso2.com wrote:

 Congratulations Shazni !!!


 *Manoj Kumara*
 Software Engineer
 WSO2 Inc. http://wso2.com/
 *lean.enterprise.middleware*
 Mobile: +94713448188


 On Tue, Jun 3, 2014 at 7:49 PM, Subash Chaturanga sub...@wso2.com
 wrote:

  Hi all,
 It's my pleasure to announce Shazni as a WSO2 Committer. Shazni has made
 great contributions to the G-Reg product and showed very good enthusiasm in his
 work. In recognition of his contribution he has been voted in as a WSO2
 committer.

 Shazni, welcome aboard and keep up the good work!

 --
 Thanks
 /subash

 *Subash Chaturanga*
 Senior Software Engineer :Platform TG; WSO2 Inc. http://wso2.com

 email: sub...@wso2.com
 blog:  http://subashsdm.blogspot.com/
 twitter: @subash89
 phone: +9477 2225922
 Lean . Enterprise . Middleware





 --
 Regards,
 Manula Chathurika Thantriwatte
 Software Engineer
 WSO2 Inc. : http://wso2.com
 lean . enterprise . middleware

 email : manu...@wso2.com / man...@apache.org
 phone : +94 772492511
 blog : http://manulachathurika.blogspot.com/





