Re: [Dev] [VOTE] Release WSO2 Carbon Kernel 4.6.1 RC1

2020-11-06 Thread Isura Karunaratne
Hi Kanapriya,

-1 for the release due to a security issue found in StartTLS in LDAP.

The fix is available in [1]

[1] https://github.com/wso2/carbon-kernel/pull/2835

Cheers,
Isura.

On Fri, Nov 6, 2020 at 9:29 PM Kanapriya Kuleswararajan 
wrote:

> Hi Devs,
>
> *WSO2 Carbon Kernel 4.6.1 RC1 Release Vote*.
>
> Please download and test your products with kernel 4.6.1 RC1 and vote.
> The vote will be open for 72 hours or longer as needed.
>
> *Maven staging repository:*
> https://maven.wso2.org/nexus/content/repositories/orgwso2carbon-4914
>
> *The tag to be voted upon:*
> https://github.com/wso2/carbon-kernel/releases/tag/v4.6.1-RC1
>
> [- ] Broken - do not release (explain why)
> [+] Stable - go ahead and release
>
> Thanks
> Kanapriya Kuleswararajan
> Senior Software Engineer
> Mobile : - 0774894438
> Mail : - kanapr...@wso2.com
> LinkedIn : - https://www.linkedin.com/in/kanapriya-kules-94712685/
> WSO2, Inc.
> lean . enterprise . middleware
>
>

-- 

*Isura Dilhara Karunaratne*
Technical Lead | WSO2 
*lean.enterprise.middleware*
Email: is...@wso2.com
Mob : +94 772 254 810
Blog : https://medium.com/@isurakarunaratne
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


[Dev] WSO2 Committers += Chamath Samarawickrama

2020-09-11 Thread Isura Karunaratne
Hi All,

It's my pleasure to announce Chamath Samarawickrama as a WSO2 Committer. He
has been a valuable contributor and enthusiast to the WSO2 Identity &
Access Management Team.

In recognition of his contribution, dedication, and commitment he has been
voted as a WSO2 committer.

Congratulations Chamath and keep up the good work...!!!

Cheers,
Isura.
-- 

*Isura Dilhara Karunaratne*
Technical Lead | WSO2 
*lean.enterprise.middleware*
Email: is...@wso2.com
Mob : +94 772 254 810
Blog : https://medium.com/@isurakarunaratne


Re: [Dev] SMS OTP integration throws null reference exception if Password reset enforcer is added as the second step

2020-09-02 Thread Isura Karunaratne
Hi Prayag,

This issue may be related to [1]. This is already fixed in the public
master branch in the PR [2].

[1] https://github.com/wso2/product-is/issues/9158
[2] https://github.com/wso2-extensions/identity-extension-utils/pull/31

Cheers,
Isura

On Tue, Aug 25, 2020 at 9:50 AM prayag pavithran <
prayagpavith...@hotmail.com> wrote:

> Hi,
>
> We recently migrated to wso2 is 5.10.0 . When the SMS OTP functionality is
> integrated as the third step , after basic authentication (1st step)
> and Pass reset enforcer (2nd step) a null reference error is thrown after
> basic authentication step.
>
> The same flows work fine if Email OTP is integrated in place of SMS OTP as
> the 3rd Step.
> Also if password reset enforcer is removed and SMS OTP is added as 2nd
> step , the authentication flows works fine .
>
> Could anyone please assist in solving the above mentioned issue.
>
> Thanks & Regards,
> Prayag Pavithran
> ___
> Dev mailing list
> Dev@wso2.org
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>


-- 

*Isura Dilhara Karunaratne*
Technical Lead | WSO2 
*lean.enterprise.middleware*
Email: is...@wso2.com
Mob : +94 772 254 810
Blog : https://medium.com/@isurakarunaratne


Re: [Dev] How to disable SCIM in IS 5.10.0

2020-05-30 Thread Isura Karunaratne
Hi Gayan,

We are in the process of supporting all the Identity Server operations
through REST APIs. SCIM APIs are used for user management and they will be
available for all the user stores by default. As Ashen mentioned, we have
removed the capability of disabling SCIM support per user store.

Cheers,
Isura.

On Thu, May 28, 2020 at 9:55 PM Ashen Weerathunga  wrote:

> Hi Gayan,
>
> From IS 5.10.0 onwards we have enabled SCIM2 by default in the product
> with the new unique ID based userstore managers. We have removed the
> disabling option as we will be using the user ID concept moving forward in
> the product and new portals also using the SCIM API for user management.
>
> Thanks,
> Ashen
>
> On Thu, May 28, 2020 at 9:06 PM gayan gunawardana 
> wrote:
>
>> Hi Team,
>>
>> I was trying to disable SCIM for primary user store in IS 5.10.0. However
>> I couldn't find necessary property from documentation [1]. Is there a way
>> to disable SCIM in IS 5.10.0 ?
>>
>> [1]
>> https://is.docs.wso2.com/en/latest/setup/configuring-a-read-write-ldap-user-store/#configuring-a-read-write-ldap-user-store
>>
>>
>> Thanks,
>> Gayan
>> ___
>> Dev mailing list
>> Dev@wso2.org
>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>
>
>
> --
> Ashen Weerathunga | Senior Software Engineer | WSO2 Inc.
> (m) +94716042995 | (w) +94112145345 | Email: as...@wso2.com
> 
>
>
> ___
> Dev mailing list
> Dev@wso2.org
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>


-- 

*Isura Dilhara Karunaratne*
Technical Lead | WSO2 
*lean.enterprise.middleware*
Email: is...@wso2.com
Mob : +94 772 254 810
Blog : https://medium.com/@isurakarunaratne


Re: [Dev] [Iam-dev] [VOTE] Release WSO2 Identity Server 5.10.0 RC2

2020-03-11 Thread Isura Karunaratne
Hi All,

Tested the following flows and no blocking issues found.

   - Account Locking
   - Self user registration.
   - Password Policy

[+] Stable - go ahead and release.

Cheers,
Isura.

On Wed, Mar 11, 2020 at 12:07 PM Maduranga Siriwardena 
wrote:

> Hi All,
>
> Tested following authentication flows.
>
>- Federated authentication with OIDC
>- Inbound authentication with OIDC
>- Passwordless authentication with FIDO 2 using the Macbook
>fingerprint sensor
>
> No Blockers found.
> [+] Stable - go ahead and release.
>
> Regards,
> Maduranga.
>
> On Wed, Mar 11, 2020 at 11:41 AM Hasanthi Purnima Dissanayake <
> hasan...@wso2.com> wrote:
>
>> Hi All,
>>
>> Tested following flows in UMA 2.0
>>
>>  1. Registration Endpoint
>>  2. Permission Endpoint
>>  3. Introspection Endpoint
>>  4. Obtaining an RPT using UMA Grant Type
>>  5. Obtaining an access token using Password Grant Type
>>
>> No Blockers found.
>>
>> [+] Stable - go ahead and release.
>>
>> Thanks,
>> Hasanthi
>>
>>
>> On Sun, Mar 8, 2020 at 11:26 PM Janak Amarasena  wrote:
>>
>>> Hi all,
>>>
>>> We are pleased to announce the second release candidate of WSO2 Identity
>>> Server 5.10.0.
>>>
>>>
>>> *New Features:*
>>>
>>>1. Passwordless authentication support
>>>2. An improved User Portal
>>>3. New RESTful APIs for user self-services and server management
>>>4. Scope based authorization for internal REST APIs
>>>5. Unique User ID support
>>>6. Tenant wise email-sender configuration
>>>
>>>
>>>
>>> *Fixes:*
>>> This release includes the following issue fixes and improvements:
>>>
>>>- 5.10.0-M1
>>>
>>>- 5.10.0-M2
>>>
>>>- 5.10.0-M3
>>>
>>>- 5.10.0-M4
>>>
>>>- 5.10.0-M5
>>>
>>>- 5.10.0-M6
>>>
>>>- 5.10.0-M7
>>>
>>>- 5.10.0-M8
>>>
>>>- 5.10.0-M9
>>>
>>>- 5.10.0-Alpha
>>>
>>>- 5.10.0-Alpha2
>>>
>>>- 5.10.0-Alpha3
>>>
>>>- 5.10.0-Beta
>>>
>>>- 5.10.0-Beta2
>>>
>>>- 5.10.0-Beta3
>>>
>>>- 5.10.0-GA
>>>
>>>
>>>
>>> *Source and Distribution*
>>> The source and distribution
>>> 
>>>  are
>>> available at https://github.com/wso2/product-is/releases/tag/v5.10.0-rc2
>>>
>>>
>>> Please download the product, test it, and vote using the following
>>> convention.
>>> [+] Stable - go ahead and release
>>> [-] Broken - do not release (explain why)
>>>
>>>
>>> Thank you,
>>> WSO2 Identity and Access Management Team
>>>
>>> --
>>> *Janak Amarasena* | Senior Software Engineer | WSO2 Inc.
>>> (m) +9464144 | (w) +94112145345 | (e) ja...@wso2.com
>>>
>>>
>>> 
>>> ___
>>> Iam-dev mailing list
>>> iam-...@wso2.org
>>> http://wso2.org/cgi-bin/mailman/listinfo/iam-dev
>>>
>>
>>
>> --
>>
>> Hasanthi Dissanayake | Associate Technical Lead | WSO2 Inc.
>> (m) +94718407133 | (w) +94112145345  | Email: hasan...@wso2.com  | Blog:
>> https://medium.com/@hasanthipurnimadissanayake
>>
>> ___
>> Dev mailing list
>> Dev@wso2.org
>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>
>
>
> --
> *Maduranga Siriwardena* | Technical Lead | WSO2 Inc.
> (m) +94718990591 | madura...@wso2.com
>
> 
> ___
> Iam-dev mailing list
> iam-...@wso2.org
> http://wso2.org/cgi-bin/mailman/listinfo/iam-dev
>


-- 

*Isura Dilhara Karunaratne*
Technical Lead | WSO2 
*lean.enterprise.middleware*
Email: is...@wso2.com
Mob : +94 772 254 810
Blog : https://medium.com/@isurakarunaratne


Re: [Dev] Getting Invalid Scope Error While requesting IDToken With OIDC Scopes When Role Based Scope Validator Enabled

2020-02-17 Thread Isura Karunaratne
Hi Darshana,

On Mon, Feb 17, 2020 at 4:44 PM Darshana Gunawardana 
wrote:

> Hi Isura\Sarubi,
>
> Why do we need to remove OIDC scopes from being validated?
>
> How can we do role base scope validation, for a OIDC scope, if we needed,
> in case?
>

The current behavior is that scope binding is only supported for OAuth scopes.
If we need role-based scope validation for OIDC scopes, we have to register
the OIDC scopes as OAuth scopes as well.

Currently, registering an OAuth scope and an OIDC scope with the same name is
not supported.

Cheers,
Isura.


> Thanks,
>
> On Mon, Feb 17, 2020 at 4:29 PM Isura Karunaratne  wrote:
>
>>
>>
>> On Mon, Feb 17, 2020 at 2:59 PM Sarubi Thillainathan 
>> wrote:
>>
>>> Hi All,
>>>
>>> When the role-based scope validator enabled we are granting the access
>>> token upon validated scope. In the OpenID flow, when we are reqesting for
>>> an ID token we can try the following for an example, where 'scope1' is bind
>>> with role 'login-sp'.
>>>
>>> curl -u anKvtUmgg88qghLz5_AdzDMzIFAa:cQX5r6nDncXSaytrgVlZUx51teUa -k -d
>>> "grant_type=password&username=kim&password=12345&scope=openid scope1"
>>> -H "Content-Type:application/x-www-form-urlencoded"
>>> https://localhost:9443/oauth2/token
>>>
>>> This will respond with an ID token if the user Kim is a member of the
>>> role 'login-sp'.
>>>
>>> But when we try to obtain a custom claim value via ID token, we can pass
>>> the OIDC scopes which are mapped with the corresponding user claims. As
>>> example profile, email scopes.
>>>
>>> curl -u anKvtUmgg88qghLz5_AdzDMzIFAa:cQX5r6nDncXSaytrgVlZUx51teUa -k -d
>>> "grant_type=password&username=kim&password=12345&scope=openid scope1 email"
>>> -H "Content-Type:application/x-www-form-urlencoded"
>>> https://localhost:9443/oauth2/token -v
>>>
>>> When we are passing those OIDC scopes with the role-based scope
>>> validator enabled, we are getting an error message as,
>>>
>>> {"error_description":"Invalid Scope!","error":"invalid_scope"}
>>>
>>> for the OIDC scopes except the scope named 'openid'.
>>>
>>> The reason is we have only removed the 'openid' scope from the list [1].
>>> Then we try to validate, the scope is registered or not by only calling the
>>> OAuth2 scopes binding service. Since we can't view the OIDC scopes
>>> via OAuth2 scopes binding service we are resulting with an Invalid scope
>>> error.
>>>
>>> To resolve this issue, we may need to remove the OIDC scopes from the
>>> scope list before we validating the OAuth2 scopes.
>>>
>>> Appreciate your thoughts to tackle this issue with a better solution.
>>>
>> +1 to remove all the OIDC scopes since we can't register OAuth scopes
>> with the same name.
>>
>> Cheers,
>> Isura.
>>
>>>
>>> [1]
>>> https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/c4a33c5cb4914d5b803878c8962a6d4a6f35995d/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/validators/JDBCScopeValidator.java#L206-L220
>>>
>>>
>>> Thanks,
>>> Sarubi.
>>> --
>>> *Sarubi Thillainathan* | Senior Software Engineer | WSO2 Inc.
>>> (m) +94 (0) 76 684 9101 | (e) sar...@wso2.com,stsa...@gmail.com
>>>
>>> *[image: https://wso2.com/signature] <https://wso2.com/signature>*
>>>
>>
>>
>> --
>>
>> *Isura Dilhara Karunaratne*
>> Technical Lead | WSO2 <http://wso2.com/>
>> *lean.enterprise.middleware*
>> Email: is...@wso2.com
>> Mob : +94 772 254 810
>> Blog : https://medium.com/@isurakarunaratne
>>
>>
>>
>>
>
> --
> Regards,
>
>
> *Darshana Gunawardana*Technical Lead
> WSO2 Inc.; http://wso2.com
>
> *E-mail: darsh...@wso2.com *
> *Mobile: +94718566859*Lean . Enterprise . Middleware
>


-- 

*Isura Dilhara Karunaratne*
Technical Lead | WSO2 <http://wso2.com/>
*lean.enterprise.middleware*
Email: is...@wso2.com
Mob : +94 772 254 810
Blog : https://medium.com/@isurakarunaratne


Re: [Dev] Getting Invalid Scope Error While requesting IDToken With OIDC Scopes When Role Based Scope Validator Enabled

2020-02-17 Thread Isura Karunaratne
On Mon, Feb 17, 2020 at 2:59 PM Sarubi Thillainathan 
wrote:

> Hi All,
>
> When the role-based scope validator enabled we are granting the access
> token upon validated scope. In the OpenID flow, when we are reqesting for
> an ID token we can try the following for an example, where 'scope1' is bind
> with role 'login-sp'.
>
> curl -u anKvtUmgg88qghLz5_AdzDMzIFAa:cQX5r6nDncXSaytrgVlZUx51teUa -k -d
> "grant_type=password&username=kim&password=12345&scope=openid scope1"
> -H "Content-Type:application/x-www-form-urlencoded"
> https://localhost:9443/oauth2/token
>
> This will respond with an ID token if the user Kim is a member of the role
> 'login-sp'.
>
> But when we try to obtain a custom claim value via ID token, we can pass
> the OIDC scopes which are mapped with the corresponding user claims. As
> example profile, email scopes.
>
> curl -u anKvtUmgg88qghLz5_AdzDMzIFAa:cQX5r6nDncXSaytrgVlZUx51teUa -k -d
> "grant_type=password&username=kim&password=12345&scope=openid scope1 email"
> -H "Content-Type:application/x-www-form-urlencoded"
> https://localhost:9443/oauth2/token -v
>
> When we are passing those OIDC scopes with the role-based scope validator
> enabled, we are getting an error message as,
>
> {"error_description":"Invalid Scope!","error":"invalid_scope"}
>
> for the OIDC scopes except the scope named 'openid'.
>
> The reason is we have only removed the 'openid' scope from the list [1].
> Then we try to validate, the scope is registered or not by only calling the
> OAuth2 scopes binding service. Since we can't view the OIDC scopes
> via OAuth2 scopes binding service we are resulting with an Invalid scope
> error.
>
> To resolve this issue, we may need to remove the OIDC scopes from the
> scope list before we validating the OAuth2 scopes.
>
> Appreciate your thoughts to tackle this issue with a better solution.
>
+1 to remove all the OIDC scopes since we can't register OAuth scopes with
the same name.

Cheers,
Isura.

>
> [1]
> https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/c4a33c5cb4914d5b803878c8962a6d4a6f35995d/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/validators/JDBCScopeValidator.java#L206-L220
>
>
> Thanks,
> Sarubi.
> --
> *Sarubi Thillainathan* | Senior Software Engineer | WSO2 Inc.
> (m) +94 (0) 76 684 9101 | (e) sar...@wso2.com,stsa...@gmail.com
>
> *[image: https://wso2.com/signature] *
>


-- 

*Isura Dilhara Karunaratne*
Technical Lead | WSO2 
*lean.enterprise.middleware*
Email: is...@wso2.com
Mob : +94 772 254 810
Blog : https://medium.com/@isurakarunaratne
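The two messages above describe the same validation problem: with the role-based scope validator on, only the literal 'openid' scope is excluded before the remaining scopes are checked against the OAuth scope bindings, so standard OIDC scopes such as 'email' or 'profile' (which are never registered as OAuth scopes) are rejected with invalid_scope. The block below is an added, self-contained Python illustration of that logic and of the agreed fix (strip every OIDC scope, not just 'openid'); it is not the WSO2 JDBCScopeValidator code, and the scope bindings, user roles and error text are constructed sample data. It also models the constraint Isura notes, that an OAuth scope cannot share a name with an OIDC scope, which is what makes stripping all OIDC scopes safe.

```python
"""Role-based OAuth scope validation with OIDC scopes stripped first.

Constructed illustration of the behaviour discussed in the thread; not the
project's own validator. All data below is sample data.
"""

# Standard OIDC scopes (RFC-defined names); these carry claims, not role bindings.
OIDC_SCOPES = {"openid", "profile", "email", "address", "phone"}

# Constructed sample bindings: OAuth scope -> roles allowed to obtain it.
OAUTH_SCOPE_BINDINGS = {"scope1": {"login-sp"}}

# Constructed sample role memberships.
USER_ROLES = {"kim": {"login-sp"}, "bob": {"everyone"}}

# The error body quoted in the thread for an unregistered scope.
INVALID_SCOPE = {"error_description": "Invalid Scope!", "error": "invalid_scope"}


def register_oauth_scope(name, roles, bindings=OAUTH_SCOPE_BINDINGS):
    """Register an OAuth scope bound to roles.

    Mirrors the constraint from the thread: an OAuth scope may not reuse an
    OIDC scope name, so OIDC scopes can never appear in the binding table.
    """
    if name in OIDC_SCOPES:
        raise ValueError(f"{name!r} is an OIDC scope and cannot be registered as an OAuth scope")
    bindings[name] = set(roles)
    return bindings


def split_scopes(requested, strip_all_oidc):
    """Separate the scopes that bypass role validation from those that need it.

    strip_all_oidc=False reproduces the original behaviour (only 'openid' is
    removed); strip_all_oidc=True is the fix (every OIDC scope is removed).
    """
    passthrough = OIDC_SCOPES if strip_all_oidc else {"openid"}
    oidc_part = [s for s in requested if s in passthrough]
    to_validate = [s for s in requested if s not in passthrough]
    return oidc_part, to_validate


def validate_scopes(user, scope_param, strip_all_oidc=True,
                    bindings=OAUTH_SCOPE_BINDINGS, roles_of=USER_ROLES):
    """Validate a space-separated scope parameter for a user.

    Returns (granted_scopes, None) on success or (None, error_dict) on failure.
    An unregistered OAuth scope yields the invalid_scope error from the thread;
    a registered scope whose bound roles the user lacks is also rejected.
    """
    requested = scope_param.split()
    oidc_part, to_validate = split_scopes(requested, strip_all_oidc)
    user_roles = roles_of.get(user, set())
    granted = []
    for scope in to_validate:
        bound_roles = bindings.get(scope)
        if bound_roles is None:
            # Scope unknown to the OAuth binding service -> invalid_scope.
            return None, INVALID_SCOPE
        if not bound_roles & user_roles:
            # Registered, but the user is not in any bound role (constructed message).
            return None, {"error": "invalid_scope",
                          "error_description": f"user lacks a role bound to {scope}"}
        granted.append(scope)
    return oidc_part + granted, None


if __name__ == "__main__":
    # Original behaviour: 'email' is validated as an OAuth scope and rejected.
    print(validate_scopes("kim", "openid scope1 email", strip_all_oidc=False))
    # Fixed behaviour: OIDC scopes bypass role validation, 'scope1' is checked.
    print(validate_scopes("kim", "openid scope1 email", strip_all_oidc=True))
```

Running the module shows the two outcomes side by side: the original path returns the invalid_scope body for the 'email' request, while the fixed path grants 'openid', 'email' and 'scope1' to a user in 'login-sp' and still rejects 'scope1' for a user outside that role.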


Re: [Dev] Calling JWKS endpoint in tenant fails after a restart

2019-09-20 Thread Isura Karunaratne
Hi Isuranga,

I think we have to initialize the registry as follows before using it.

IdentityTenantUtil.initializeRegistry(tenantId, tenantDomain);

Cheers,
Isura.


On Fri, Sep 20, 2019 at 3:41 PM Isuranga Perera  wrote:

> :All
>
> When calling the JWKS endpoint (
> https://localhost:9443/t/abc.com/oauth2/jwks) of a tenant, right after
> restart without loading the tenant, there is an error[1][2].
>
> We have observed that the reason for $subject is that the keystore for the
> relevant tenant is not loaded(from registry) when making the jwks call.
>
> Even Though this issue can be overcome by starting the tenantFlow before
> getting the keystore, it involves an addition overhead as it tries to load
> the tenant per request.
>
> Appreciate your feedback on $subject.
>
>
> [1] https://github.com/wso2/product-is/issues/6473
> [2] https://github.com/wso2/product-is/issues/6322
>
>
> Best regards
> Isuranga Perera
> --
> *Isuranga Perera* | Software Engineer | WSO2 Inc.
>  +94 71 735 7034 | isura...@wso2.com 
>
>

-- 

*Isura Dilhara Karunaratne*
Technical Lead | WSO2 
*lean.enterprise.middleware*
Email: is...@wso2.com
Mob : +94 772 254 810
Blog : https://medium.com/@isurakarunaratne


Re: [Dev] Issues with Role Based Adaptive Authentication example

2019-08-02 Thread Isura Karunaratne
Yes. We can directly update deployment.toml file. Updated the PR
accordingly. Thanks for pointing that out.

Cheers,
Isura.

On Fri, Aug 2, 2019 at 11:30 AM Sherene Mahanama  wrote:

> Hi,
>
> Small question, doesn't this need to be a toml configuration property and
> not an xml one since 5.9.0 is on the new config model?
>
>
> On Fri, Aug 2, 2019 at 10:59 AM Sherene Mahanama  wrote:
>
>> Thanks Isura! Will review and merge.
>>
>> Thanks,
>> Sherene
>>
>> On Fri, Aug 2, 2019 at 10:25 AM Isura Karunaratne  wrote:
>>
>>> Please find the correct PR to the WSO2 repository. [1]
>>>
>>> [1] https://github.com/wso2/docs-is/pull/77
>>>
>>> Cheers,
>>> Isura.
>>>
>>> On Fri, Aug 2, 2019 at 9:59 AM Isura Karunaratne  wrote:
>>>
>>>> Hi Sherene/Darshana,
>>>>
>>>> I created a pull request with the changes. Please review and merge it.
>>>>
>>>> Cheers,
>>>> Isura
>>>>
>>>> [1] https://github.com/IsuraD/docs-is/pull/1
>>>>
>>>> On Thu, Aug 1, 2019 at 12:23 PM Darshana Gunawardana 
>>>> wrote:
>>>>
>>>>>
>>>>> On Thu, Aug 1, 2019 at 11:32 AM Sherene Mahanama 
>>>>> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> As discussed offline, since there is no identity.xml.j2 file in
>>>>>> 5.8.0, I have not updated the 5.8.0 doc [1].
>>>>>>
>>>>>
>>>>> Yes.. Both of the issues reported by Gayashan, only affected to IS
>>>>> 5.9.0..
>>>>>
>>>>>
>>>>>> It would be good if it's possible to add this to the file by default
>>>>>> in 5.9.0.. else, please let me know and I will update the 5.9.0 doc [2].
>>>>>>
>>>>>
>>>>> IMO, in one angle, default configs should be production-ready ones, so
>>>>> we cannot have custom web apps to be allowed by default in the
>>>>> identity.xml... On the other hand, we should improve the user experience 
>>>>> of
>>>>> the person who tries the guide by having minimal changes.
>>>>>
>>>>> This is a place we can utilize "dev" or new profile like "poc" or
>>>>> "samples" with the new config model.
>>>>>
>>>>> For the moment, let's add this config to the 5.9.0 docs and then
>>>>> decide whether we can utilize a new config profile to simplify
>>>>> configurations of samples and use that.
>>>>>
>>>>> Thanks,
>>>>>
>>>>>>
>>>>>> [1]
>>>>>> https://docs.wso2.com/display/IS580/Configuring+a+Service+Provider+for+Adaptive+Authentication#ConfiguringaServiceProviderforAdaptiveAuthentication-Step01:SetUptheSamples
>>>>>> [2]
>>>>>> https://is.docs.wso2.com/en/5.9.0/tutorials/configuring-a-service-provider-for-adaptive-authentication
>>>>>>
>>>>>> Thanks,
>>>>>> Sherene
>>>>>>
>>>>>> On Wed, Jul 31, 2019 at 3:42 PM Isura Karunaratne 
>>>>>> wrote:
>>>>>>
>>>>>>> Hi Sherene, Yvonne,
>>>>>>>
>>>>>>> In order to fix [1], we need to update the document [2].  It is
>>>>>>> required to add the following configuration in
>>>>>>> /repository/resources/conf/templates/repository/conf/identity.xml.j2
>>>>>>> as instructed in [1].
>>>>>>>
>>>>>>> *>>>>>> http-method="all"/>*
>>>>>>>
>>>>>>> Please update the [2] by adding a new step.
>>>>>>>
>>>>>>> Cheers,
>>>>>>> Isura.
>>>>>>>
>>>>>>> [1] https://github.com/wso2/product-is/issues/6023
>>>>>>> [2]
>>>>>>> https://docs.wso2.com/display/IS580/Configuring+a+Service+Provider+for+Adaptive+Authentication#ConfiguringaServiceProviderforAdaptiveAuthentication-Step01:SetUptheSamples
>>>>>>>
>>>>>>> On Tue, Jul 30, 2019 at 2:57 PM Darshana Gunawardana <
>>>>>>> darsh...@wso2.com> wrote:
>>>>>>>
>>>>>>>> [Looping Isura]
>>>>

Re: [Dev] Issues with Role Based Adaptive Authentication example

2019-08-01 Thread Isura Karunaratne
Please find the correct PR to the WSO2 repository. [1]

[1] https://github.com/wso2/docs-is/pull/77

Cheers,
Isura.

On Fri, Aug 2, 2019 at 9:59 AM Isura Karunaratne  wrote:

> Hi Sherene/Darshana,
>
> I created a pull request with the changes. Please review and merge it.
>
> Cheers,
> Isura
>
> [1] https://github.com/IsuraD/docs-is/pull/1
>
> On Thu, Aug 1, 2019 at 12:23 PM Darshana Gunawardana 
> wrote:
>
>>
>> On Thu, Aug 1, 2019 at 11:32 AM Sherene Mahanama 
>> wrote:
>>
>>> Hi,
>>>
>>> As discussed offline, since there is no identity.xml.j2 file in 5.8.0, I
>>> have not updated the 5.8.0 doc [1].
>>>
>>
>> Yes.. Both of the issues reported by Gayashan, only affected to IS 5.9.0..
>>
>>
>>> It would be good if it's possible to add this to the file by default in
>>> 5.9.0.. else, please let me know and I will update the 5.9.0 doc [2].
>>>
>>
>> IMO, in one angle, default configs should be production-ready ones, so we
>> cannot have custom web apps to be allowed by default in the identity.xml...
>> On the other hand, we should improve the user experience of the person who
>> tries the guide by having minimal changes.
>>
>> This is a place we can utilize "dev" or new profile like "poc" or
>> "samples" with the new config model.
>>
>> For the moment, let's add this config to the 5.9.0 docs and then decide
>> whether we can utilize a new config profile to simplify configurations of
>> samples and use that.
>>
>> Thanks,
>>
>>>
>>> [1]
>>> https://docs.wso2.com/display/IS580/Configuring+a+Service+Provider+for+Adaptive+Authentication#ConfiguringaServiceProviderforAdaptiveAuthentication-Step01:SetUptheSamples
>>> [2]
>>> https://is.docs.wso2.com/en/5.9.0/tutorials/configuring-a-service-provider-for-adaptive-authentication
>>>
>>> Thanks,
>>> Sherene
>>>
>>> On Wed, Jul 31, 2019 at 3:42 PM Isura Karunaratne 
>>> wrote:
>>>
>>>> Hi Sherene, Yvonne,
>>>>
>>>> In order to fix [1], we need to update the document [2].  It is
>>>> required to add the following configuration in
>>>> /repository/resources/conf/templates/repository/conf/identity.xml.j2
>>>> as instructed in [1].
>>>>
>>>> *>>> http-method="all"/>*
>>>>
>>>> Please update the [2] by adding a new step.
>>>>
>>>> Cheers,
>>>> Isura.
>>>>
>>>> [1] https://github.com/wso2/product-is/issues/6023
>>>> [2]
>>>> https://docs.wso2.com/display/IS580/Configuring+a+Service+Provider+for+Adaptive+Authentication#ConfiguringaServiceProviderforAdaptiveAuthentication-Step01:SetUptheSamples
>>>>
>>>> On Tue, Jul 30, 2019 at 2:57 PM Darshana Gunawardana 
>>>> wrote:
>>>>
>>>>> [Looping Isura]
>>>>>
>>>>>
>>>>> On Tue, Jul 30, 2019 at 2:55 PM Darshana Gunawardana <
>>>>> darsh...@wso2.com> wrote:
>>>>>
>>>>>> Hi Gayashan,
>>>>>>
>>>>>> Please see my comments below.
>>>>>>
>>>>>> On Tue, Jul 30, 2019 at 2:23 PM Gayashan Bombuwala <
>>>>>> gayash...@wso2.com> wrote:
>>>>>>
>>>>>>> Hi All,
>>>>>>>
>>>>>>> I came across the following issues when trying out the Role Based
>>>>>>> Adaptive Authentication example
>>>>>>> <https://docs.wso2.com/display/IS580/Configuring+Role-Based+Adaptive+Authentication>
>>>>>>> .
>>>>>>>
>>>>>>>
>>>>>>>1. #6022 <https://github.com/wso2/product-is/issues/6022> -
>>>>>>>UsernameJavaScriptRegEx property configuration in usr-mgt.xml has 
>>>>>>> been
>>>>>>>changed.
>>>>>>>
>>>>>>> We have to fix in the default config to avoid any configuration
>>>>>> changes during the guide.
>>>>>>
>>>>>>>
>>>>>>>1.
>>>>>>>2. #6023 <https://github.com/wso2/product-is/issues/6023> -
>>>>>>>Unauthorized error while following the "Role Based Adaptive 
>>>>>>> Authentication"
>>>>>>>example.
>&g

Re: [Dev] Issues with Role Based Adaptive Authentication example

2019-08-01 Thread Isura Karunaratne
Hi Sherene/Darshana,

I created a pull request with the changes. Please review and merge it.

Cheers,
Isura

[1] https://github.com/IsuraD/docs-is/pull/1

On Thu, Aug 1, 2019 at 12:23 PM Darshana Gunawardana 
wrote:

>
> On Thu, Aug 1, 2019 at 11:32 AM Sherene Mahanama  wrote:
>
>> Hi,
>>
>> As discussed offline, since there is no identity.xml.j2 file in 5.8.0, I
>> have not updated the 5.8.0 doc [1].
>>
>
> Yes.. Both of the issues reported by Gayashan, only affected to IS 5.9.0..
>
>
>> It would be good if it's possible to add this to the file by default in
>> 5.9.0.. else, please let me know and I will update the 5.9.0 doc [2].
>>
>
> IMO, in one angle, default configs should be production-ready ones, so we
> cannot have custom web apps to be allowed by default in the identity.xml...
> On the other hand, we should improve the user experience of the person who
> tries the guide by having minimal changes.
>
> This is a place we can utilize "dev" or new profile like "poc" or
> "samples" with the new config model.
>
> For the moment, let's add this config to the 5.9.0 docs and then decide
> whether we can utilize a new config profile to simplify configurations of
> samples and use that.
>
> Thanks,
>
>>
>> [1]
>> https://docs.wso2.com/display/IS580/Configuring+a+Service+Provider+for+Adaptive+Authentication#ConfiguringaServiceProviderforAdaptiveAuthentication-Step01:SetUptheSamples
>> [2]
>> https://is.docs.wso2.com/en/5.9.0/tutorials/configuring-a-service-provider-for-adaptive-authentication
>>
>> Thanks,
>> Sherene
>>
>> On Wed, Jul 31, 2019 at 3:42 PM Isura Karunaratne  wrote:
>>
>>> Hi Sherene, Yvonne,
>>>
>>> In order to fix [1], we need to update the document [2].  It is required
>>> to add the following configuration in
>>> /repository/resources/conf/templates/repository/conf/identity.xml.j2
>>> as instructed in [1].
>>>
>>> *>> http-method="all"/>*
>>>
>>> Please update the [2] by adding a new step.
>>>
>>> Cheers,
>>> Isura.
>>>
>>> [1] https://github.com/wso2/product-is/issues/6023
>>> [2]
>>> https://docs.wso2.com/display/IS580/Configuring+a+Service+Provider+for+Adaptive+Authentication#ConfiguringaServiceProviderforAdaptiveAuthentication-Step01:SetUptheSamples
>>>
>>> On Tue, Jul 30, 2019 at 2:57 PM Darshana Gunawardana 
>>> wrote:
>>>
>>>> [Looping Isura]
>>>>
>>>>
>>>> On Tue, Jul 30, 2019 at 2:55 PM Darshana Gunawardana 
>>>> wrote:
>>>>
>>>>> Hi Gayashan,
>>>>>
>>>>> Please see my comments below.
>>>>>
>>>>> On Tue, Jul 30, 2019 at 2:23 PM Gayashan Bombuwala 
>>>>> wrote:
>>>>>
>>>>>> Hi All,
>>>>>>
>>>>>> I came across the following issues when trying out the Role Based
>>>>>> Adaptive Authentication example
>>>>>> <https://docs.wso2.com/display/IS580/Configuring+Role-Based+Adaptive+Authentication>
>>>>>> .
>>>>>>
>>>>>>
>>>>>>1. #6022 <https://github.com/wso2/product-is/issues/6022> -
>>>>>>UsernameJavaScriptRegEx property configuration in usr-mgt.xml has been
>>>>>>changed.
>>>>>>
>>>>>> We have to fix in the default config to avoid any configuration
>>>>> changes during the guide.
>>>>>
>>>>>>
>>>>>>1.
>>>>>>2. #6023 <https://github.com/wso2/product-is/issues/6023> -
>>>>>>Unauthorized error while following the "Role Based Adaptive 
>>>>>> Authentication"
>>>>>>example.
>>>>>>
>>>>>> This has to capture in docs.
>>>>>
>>>>> Thanks,
>>>>>
>>>>>>
>>>>>>1.
>>>>>>
>>>>>>
>>>>>> Best Regards
>>>>>>
>>>>>> --
>>>>>> *Gayashan Bombuwala*
>>>>>> Software Engineer | WSO2
>>>>>>
>>>>>> Email: gayash...@wso2.com
>>>>>> Phone: +94770548334
>>>>>>
>>>>>> [image: https://wso2.com/signature] <https://wso2.com/signature>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Regards,
>>>>>
>>>>>
>>>>> *Darshana Gunawardana*Technical Lead
>>>>> WSO2 Inc.; http://wso2.com
>>>>>
>>>>> *E-mail: darsh...@wso2.com *
>>>>> *Mobile: +94718566859*Lean . Enterprise . Middleware
>>>>>
>>>>
>>>>
>>>> --
>>>> Regards,
>>>>
>>>>
>>>> *Darshana Gunawardana*Technical Lead
>>>> WSO2 Inc.; http://wso2.com
>>>>
>>>> *E-mail: darsh...@wso2.com *
>>>> *Mobile: +94718566859*Lean . Enterprise . Middleware
>>>>
>>>
>>>
>>> --
>>>
>>> *Isura Dilhara Karunaratne*
>>> Technical Lead | WSO2 <http://wso2.com/>
>>> *lean.enterprise.middleware*
>>> Email: is...@wso2.com
>>> Mob : +94 772 254 810
>>> Blog : https://medium.com/@isurakarunaratne
>>>
>>>
>>>
>>>
>>
>> --
>> Sherene Mahanama
>> Senior Technical Writer
>>
>> WSO2 (pvt.) Ltd.
>> Colombo, Sri Lanka
>> Mobile: (+94) 777 <%28%2B94%29%20773131798>
>> *994805*
>>
>
>
> --
> Regards,
>
>
> *Darshana Gunawardana*Technical Lead
> WSO2 Inc.; http://wso2.com
>
> *E-mail: darsh...@wso2.com *
> *Mobile: +94718566859*Lean . Enterprise . Middleware
>


-- 

*Isura Dilhara Karunaratne*
Technical Lead | WSO2 <http://wso2.com/>
*lean.enterprise.middleware*
Email: is...@wso2.com
Mob : +94 772 254 810
Blog : https://medium.com/@isurakarunaratne


Re: [Dev] Issues with Role Based Adaptive Authentication example

2019-07-31 Thread Isura Karunaratne
Hi Sherene, Yvonne,

In order to fix [1], we need to update the document [2].  It is required to
add the following configuration in
/repository/resources/conf/templates/repository/conf/identity.xml.j2
as instructed in [1].

**

Please update the [2] by adding a new step.

Cheers,
Isura.

[1] https://github.com/wso2/product-is/issues/6023
[2]
https://docs.wso2.com/display/IS580/Configuring+a+Service+Provider+for+Adaptive+Authentication#ConfiguringaServiceProviderforAdaptiveAuthentication-Step01:SetUptheSamples

On Tue, Jul 30, 2019 at 2:57 PM Darshana Gunawardana 
wrote:

> [Looping Isura]
>
>
> On Tue, Jul 30, 2019 at 2:55 PM Darshana Gunawardana 
> wrote:
>
>> Hi Gayashan,
>>
>> Please see my comments below.
>>
>> On Tue, Jul 30, 2019 at 2:23 PM Gayashan Bombuwala 
>> wrote:
>>
>>> Hi All,
>>>
>>> I came across the following issues when trying out the Role Based
>>> Adaptive Authentication example
>>> 
>>> .
>>>
>>>
>>>1. #6022  -
>>>UsernameJavaScriptRegEx property configuration in usr-mgt.xml has been
>>>changed.
>>>
>>> We have to fix in the default config to avoid any configuration changes
>> during the guide.
>>
>>>
>>>1.
>>>2. #6023  -
>>>Unauthorized error while following the "Role Based Adaptive 
>>> Authentication"
>>>example.
>>>
>>> This has to capture in docs.
>>
>> Thanks,
>>
>>>
>>>1.
>>>
>>>
>>> Best Regards
>>>
>>> --
>>> *Gayashan Bombuwala*
>>> Software Engineer | WSO2
>>>
>>> Email: gayash...@wso2.com
>>> Phone: +94770548334
>>>
>>> [image: https://wso2.com/signature] 
>>>
>>
>>
>> --
>> Regards,
>>
>>
>> *Darshana Gunawardana*Technical Lead
>> WSO2 Inc.; http://wso2.com
>>
>> *E-mail: darsh...@wso2.com *
>> *Mobile: +94718566859*Lean . Enterprise . Middleware
>>
>
>
> --
> Regards,
>
>
> *Darshana Gunawardana*Technical Lead
> WSO2 Inc.; http://wso2.com
>
> *E-mail: darsh...@wso2.com *
> *Mobile: +94718566859*Lean . Enterprise . Middleware
>


-- 

*Isura Dilhara Karunaratne*
Technical Lead | WSO2 
*lean.enterprise.middleware*
Email: is...@wso2.com
Mob : +94 772 254 810
Blog : https://medium.com/@isurakarunaratne


Re: [Dev] Why "Analytics Engine" and "Consent Information Controller" configurations are under "Resident Identity Provider"?

2019-06-12 Thread Isura Karunaratne
Hi Johann,

On Wed, Jun 12, 2019 at 10:27 AM Johann Nallathamby  wrote:

> Hi Folks,
>
> I just noticed that IS analytics engine configuration is under resident
> IdP configurations. How do we consider an analytics engine configuration as
> an Identity Provider configuration?
>
> Resident IdP configurations are ideally any "configurations" that impact
> runtime interactions with service providers registered in IS, such as
> identity management services, authentication services, authorization
> services and attribute sharing services (not exhaustive).
>
> Analytics engine configuration is a server configuration which is similar
> to "Workflow Engine Profiles" configuration, which is under "Configure" tab
> already. Shouldn't analytics engine configuration also come under
> "Configure" tab?
>
> With respect to "Consent Information Controller" configurations, do the
> details that we configure have any relevance to the service providers? Are
> those values that we configure, exposed through an API for the service
> providers to consume? If that is not the case then I don't see any
> relevance to configure them under resident IdP configurations as well.
>

Identity Server supports consent management REST APIs. Applications can use
these APIs to manage user consents on the application side. Consent
receipts should contain the PII controller information.

Cheers,
Isura.

>
> Thanks & Regards,
> Johann.
>
> --
> *Johann Dilantha Nallathamby* | Associate Director/Solutions Architect |
> WSO2 Inc.
> (m) +94 (77) 7776950 | (w) +94 (11) 2145345 | (e) joh...@wso2.com
> [image: Signature.jpg]
>


-- 

*Isura Dilhara Karunaratne*
Technical Lead | WSO2 
*lean.enterprise.middleware*
Email: is...@wso2.com
Mob : +94 772 254 810
Blog : https://medium.com/@isurakarunaratne


Re: [Dev] [Architecture][IAM] Moving File Based Artifacts to Artifact Store

2019-06-06 Thread Isura Karunaratne
On Wed, Jun 5, 2019 at 9:34 AM Ruwan Abeykoon  wrote:

> Hi All,
> The "User Store" configuration can be considered as a deployment artifact
> if we look at the following aspects.
>
> a) "Secondary User Stores" are added, removed and updated per tenant
> basis. (Same as SP, and IdP configs)
> b) "User Store", "IdP" and "SP", XACML policies, etc behaves as a
> collection of business rules, defining the authentication and authorization
> flows per the tenant.
> c) A change in a particular "User Store" usually affects the
> "Authentication" decisions made via the SP config. Hence they are tightly
> coupled.
> d) All "User Store", "SP", "IdP", etc, need to be taken as one unit, when
> we consider environment to environment promotion of these configs.
> (Dev->QA->staging->Prod)
>
> Hence IMHO, treating "User Store" as a file-based artifact was the right
> decision when our products were designed for deployment on bare metal
> or VMs. However, moving forward to containers and cloud nativeness poses
> the challenge of sharing these artifacts.
>
> Also, considering the CI/CD pipelines, the governance aspect of changing
> the configurations, etc., these types of configs need to be considered as
> artifacts. We might need to version control these artifacts in future and
> may need to push and pull them from VCS systems.
>
> What we need to do is to have a delegation pattern implemented for all
> current file-based (and registry-based) artifacts, where we can switch the
> repository from the file-based one to a different system. A DB-based
> repository would be the first such (simple) implementation. We may need to
> implement a Git-based repository when we properly support cloud use cases,
> for example. We can abstract the storage system and retain all the parsing
> and generation logic unchanged for artifacts. It would be a minimal change
> and the most versatile way to extend, IMO.
>
> We would need to implement property or "environment variable" binding
> logic to get proper support for environment-to-environment promotion of
> artifacts. Yet, it can be done as a separate effort from this, IMO.
>
> Hence +1 to treat
>
>- Persist data as a blob (marshalled to text form)
>- In a separate table structure.
>
> Cheers,
> Ruwan A
>
>
> On Tue, Jun 4, 2019 at 3:50 PM Johann Nallathamby  wrote:
>
>> +1 to get rid of the artifacts for user stores. I think this was a wrong
>> decision we made early on.
>>
>> On Tue, Jun 4, 2019 at 1:19 PM Hasanthi Purnima Dissanayake <
>> hasan...@wso2.com> wrote:
>>
>>> Hi All,
>>>
>>> *Problem *
>>> Currently, some artifacts like userstores, tenants' data, etc. are
>>> stored in the file system (not in the database). So when using a clustered
>>> setup those artifacts should be shared among all the nodes by using one of
>>> the following file sharing mechanisms.
>>>
>>>- Dep Sync
>>>- rSync
>>>- Shared File System
>>>
>>>
>>> *Solution *
>>> In order to avoid a shared file system and to reduce the deployment and
>>> maintenance overhead, those artifacts can be persisted in the database
>>> itself.
>>>
>>> *Approach*
>>> After discussing with @Ruwan Abeykoon and @Isura Karunaratne, we have
>>> two options to persist the above-discussed artifact details.
>>>
>>>- In the configuration store which is already implemented as
>>>discussed in [1][2].
>>>- In a separate table structure.
>>>
>>> If we are to go with option 01, then we need to consider the artifacts
>>> as configurations and persist in the existing schema.
>>>
>>> The advantage of using this is that we can re-use the existing implementation
>>> including the database schema and existing REST APIs and functionalities
>>> (pagination, searching, etc.).
>>>
>>
>>
>
Hi all,


> The drawback is the conceptual difference between an artifact and
>>> configuration.
>>>
>>
>> I think this is not a problem. In fact, I believe we made a wrong decision
>> in considering user stores as artifacts. I can't remember exactly why
>> we decided that. User stores are not development artifacts; they are
>> one-time configurations. They don't have metadata, versioning, lifecycles
>> or any other properties associated with other artifacts in WSO2.
>>
>>
>>> Further if we are to use the configuration store there is no way to
>>>
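
As an added illustration of the delegation pattern Ruwan describes above (this is example code written for this archive, not code from the thread or from any WSO2 repository): a repository interface with a file-backed and a DB-backed implementation, a marshalling layer that does not care which one is plugged in, tenant-keyed lookups, and ${env:NAME} binding for Dev->QA->Prod promotion. The JSON marshalling, the ${env:...} placeholder syntax, the IDN_ARTIFACT table and every name and URL are this example's own assumptions, and sqlite stands in for the product database. The points a practitioner would want on top of the pattern itself: every lookup is keyed by tenant so one tenant can never read another tenant's user store, identifiers that become a path segment or a key are validated so a name such as ../../x cannot walk out of the artifact folder, and an unbound environment reference fails loudly instead of silently turning into an empty connection URL.

```python
from __future__ import annotations
import json
import re
import sqlite3
import tempfile
from abc import ABC, abstractmethod
from pathlib import Path

# Anything that becomes a path segment or a key must be a plain name, so a tenant-supplied
# "../../repository/conf/x" cannot escape its folder. ${env:NAME} is this example's syntax.
SAFE_ID = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9._-]{0,127}$")
ENV_REF = re.compile(r"\$\{env:([A-Za-z_][A-Za-z0-9_]*)\}")


def check_id(value: str) -> str:
    if not SAFE_ID.match(value):
        raise ValueError(f"illegal artifact identifier: {value!r}")
    return value


def bind_environment(text: str, env: dict[str, str]) -> str:
    """Resolve ${env:NAME} at load time; an unbound name fails loudly, never becomes ''."""
    def resolve(match: re.Match) -> str:
        if match.group(1) not in env:
            raise KeyError(f"unbound environment reference: {match.group(1)}")
        return env[match.group(1)]
    return ENV_REF.sub(resolve, text)


class ArtifactRepository(ABC):
    """Storage contract. Every call is keyed by tenant, whatever the backing store."""
    @abstractmethod
    def put(self, tenant_id: int, kind: str, name: str, body: str) -> None: ...
    @abstractmethod
    def get(self, tenant_id: int, kind: str, name: str) -> str | None: ...


class FileArtifactRepository(ArtifactRepository):
    """Today's shared-file-system style: one folder per tenant and artifact kind."""
    def __init__(self, root: Path) -> None:
        self.root = root
    def _path(self, tenant_id: int, kind: str, name: str) -> Path:
        return self.root / str(int(tenant_id)) / check_id(kind) / f"{check_id(name)}.json"
    def put(self, tenant_id, kind, name, body):
        path = self._path(tenant_id, kind, name)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body, encoding="utf-8")
    def get(self, tenant_id, kind, name):
        path = self._path(tenant_id, kind, name)
        return path.read_text(encoding="utf-8") if path.is_file() else None


class SqliteArtifactRepository(ArtifactRepository):
    """DB-backed store: one row per artifact, every value a bound parameter (no string SQL)."""
    def __init__(self, conn: sqlite3.Connection) -> None:
        self.conn = conn
        conn.execute("CREATE TABLE IF NOT EXISTS IDN_ARTIFACT (TENANT_ID INTEGER, KIND TEXT,"
                     " NAME TEXT, BODY TEXT, PRIMARY KEY (TENANT_ID, KIND, NAME))")
    def put(self, tenant_id, kind, name, body):
        self.conn.execute("INSERT OR REPLACE INTO IDN_ARTIFACT VALUES (?, ?, ?, ?)",
                          (int(tenant_id), check_id(kind), check_id(name), body))
        self.conn.commit()
    def get(self, tenant_id, kind, name):
        row = self.conn.execute(
            "SELECT BODY FROM IDN_ARTIFACT WHERE TENANT_ID = ? AND KIND = ? AND NAME = ?",
            (int(tenant_id), check_id(kind), check_id(name))).fetchone()
        return row[0] if row else None


class UserStoreArtifacts:
    """Marshalling layer. It never touches files or SQL, so the repository is swappable."""
    KIND = "userstores"

    def __init__(self, repo: ArtifactRepository, env: dict[str, str]) -> None:
        self.repo, self.env = repo, env

    def save(self, tenant_id: int, name: str, properties: dict[str, str]) -> None:
        self.repo.put(tenant_id, self.KIND, name, json.dumps(properties, sort_keys=True))

    def load(self, tenant_id: int, name: str) -> dict[str, str] | None:
        raw = self.repo.get(tenant_id, self.KIND, name)
        if raw is None:
            return None
        # Bind per value after parsing, so an environment value can never break the JSON.
        return {k: bind_environment(v, self.env) for k, v in json.loads(raw).items()}


def lifecycle(backend: str) -> dict:
    """Same flow against either backend: save a constructed (not real) secondary user store for
    tenant 1, read it back as tenant 1 and as tenant 2, and try a traversal-style name."""
    repo: ArtifactRepository = (SqliteArtifactRepository(sqlite3.connect(":memory:"))
                                if backend == "sqlite" else FileArtifactRepository(Path(tempfile.mkdtemp())))
    store = UserStoreArtifacts(repo, {"LDAP_URL": "ldaps://ldap.prod.example.internal:636"})
    store.save(1, "EMPLOYEES", {"ConnectionURL": "${env:LDAP_URL}", "ReadOnly": "true"})
    try:
        store.save(1, "../../EMPLOYEES", {})
        rejected = False
    except ValueError:
        rejected = True
    return {"tenant1": store.load(1, "EMPLOYEES"), "tenant2": store.load(2, "EMPLOYEES"),
            "traversal_rejected": rejected}
```

Both backends return the same bound user store for tenant 1, nothing for tenant 2, and reject the traversal-style name; switching the repository touches none of the UserStoreArtifacts code, which is the property the thread is after.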

Re: [Dev] -DworkerNode option while running WSO2 IS 5.3.0 failed to start

2019-06-02 Thread Isura Karunaratne
On Sat, Jun 1, 2019 at 2:17 PM Shiva Kumar 
wrote:

> I found here
> https://docs.wso2.com/display/ADMIN44x/Separating+the+Worker+and+Manager+Nodes.
> I thought It applies for all carbon products.
>
Thanks Shiva. We will put a note in the documentation saying that worker/manager
separation is not required in the Identity Server product.

Cheers,
Isura.


> On 18/05/19 7:24 AM, Ruwan Abeykoon wrote:
>
> Hi Shiva Kumar,
> IAM does not currently support a "worker" profile, in contrast to WSO2 ESB.
> Hence there is no "worker" in the IS 5.x.x series any more.
>
> Can you please let us know the information source where you got the idea
> of a "worker node" in IS? We will do our best to update these information
> sources.
>
> Cheers,
> Ruwan A
>
>
> On Fri, May 17, 2019 at 6:55 PM Shiva Kumar 
> wrote:
>
>> Hi All,
>>
>> When I run the Identity Server as a worker node I am getting the below
>> exception. What is the correct way to run the Identity Server as a worker node?
>>
>>
>> [2019-05-17 17:22:01,236]  WARN
>> {org.wso2.carbon.core.bootup.validator.util.ValidationResultPrinter} -
>> Swap Memory size (MB): 1906 of the system is below the recommended
>> minimum size :2047
>> [2019-05-17 17:22:01,236]  WARN
>> {org.wso2.carbon.core.bootup.validator.util.ValidationResultPrinter} -
>> Carbon is configured to use the default keystore (wso2carbon.jks). To
>> maximize security when deploying to a production environment, configure
>> a new keystore with a unique password in the production server profile.
>> [2019-05-17 17:22:01,278]  INFO
>> {org.wso2.carbon.event.output.adapter.kafka.internal.ds.KafkaEventAdapterServiceDS}
>>
>> -  Successfully deployed the Kafka output event adaptor service
>> [2019-05-17 17:22:01,328]  INFO
>> {org.wso2.carbon.event.processor.manager.core.internal.util.ManagementModeConfigurationLoader}
>>
>> -  CEP started in Single node mode
>> [2019-05-17 17:22:01,706]  INFO
>> {org.wso2.carbon.ldap.server.configuration.LDAPConfigurationBuilder} -
>> KDC server is disabled.
>> [2019-05-17 17:22:08,248]  INFO
>> {org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager} - LDAP
>> connection created successfully in read-write mode
>> [2019-05-17 17:22:08,762]  INFO
>> {org.wso2.carbon.registry.core.jdbc.EmbeddedRegistryService} -
>> Configured Registry in 147ms
>> [2019-05-17 17:22:09,073]  INFO
>> {org.wso2.carbon.registry.core.internal.RegistryCoreServiceComponent} -
>> Registry Mode: READ-WRITE
>> [2019-05-17 17:22:09,214]  INFO
>> {org.wso2.carbon.metrics.impl.util.JmxReporterBuilder} -  Creating JMX
>> reporter for Metrics with domain 'org.wso2.carbon.metrics'
>> [2019-05-17 17:22:09,218]  INFO
>> {org.wso2.carbon.metrics.impl.util.JDBCReporterBuilder} -  Creating JDBC
>> reporter for Metrics with source 'shiva-ThinkPad-E470', data source
>> 'jdbc/WSO2MetricsDB' and 60 seconds polling period
>> [2019-05-17 17:22:09,235]  INFO
>> {org.wso2.carbon.metrics.impl.reporter.AbstractReporter} -  Started JDBC
>> reporter for Metrics
>> [2019-05-17 17:22:09,237]  INFO
>> {org.wso2.carbon.metrics.impl.reporter.AbstractReporter} -  Started JMX
>> reporter for Metrics
>> [2019-05-17 17:22:11,580]  INFO
>> {org.wso2.carbon.registry.indexing.solr.SolrClient} -  Default Embedded
>> Solr Server Initialized
>> [2019-05-17 17:22:12,049]  INFO
>> {org.wso2.carbon.user.core.internal.UserStoreMgtDSComponent} - Carbon
>> UserStoreMgtDSComponent activated successfully.
>> [2019-05-17 17:22:15,368]  INFO
>> {org.apache.catalina.startup.TaglibUriRule} -  TLD skipped. URI:
>> http://tiles.apache.org/tags-tiles is already defined
>> [2019-05-17 17:22:15,466] ERROR
>> {org.apache.catalina.core.StandardContext} -  Exception starting filter
>> CaptchaFilter
>> java.lang.ClassNotFoundException:
>> org.wso2.carbon.identity.captcha.filter.CaptchaFilter
>>  at
>>
>> org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1892)
>>  at
>>
>> org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1735)
>>  at
>>
>> org.apache.catalina.core.DefaultInstanceManager.loadClass(DefaultInstanceManager.java:504)
>>  at
>>
>> org.apache.catalina.core.DefaultInstanceManager.loadClassMaybePrivileged(DefaultInstanceManager.java:486)
>>  at
>>
>> org.apache.catalina.core.DefaultInstanceManager.newInstance(DefaultInstanceManager.java:113)
>>  at
>>
>> org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFilterConfig.java:258)
>>  at
>>
>> org.apache.catalina.core.ApplicationFilterConfig.(ApplicationFilterConfig.java:105)
>>  at
>>
>> org.apache.catalina.core.StandardContext.filterStart(StandardContext.java:4958)
>>  at
>>
>> org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5652)
>>  at
>> org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145)
>>  at
>>
>> org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1571)
>>  at
>>
>> 

Re: [Dev] [Architecture] [VOTE] Release WSO2 Identity Server 5.8.0 RC3

2019-05-22 Thread Isura Karunaratne
Hi all,

Tested following features and no issues found.

   - Self User Registration
   - Password Policy
   - Password History
   - Password Recovery
   - Account Locking

[+] Stable - go ahead and release.

Cheers,
Isura.

On Wed, May 22, 2019 at 8:07 PM Farasath Ahamed  wrote:

> Hi All,
>
> Tested the below scenarios in the IS 5.8.0 RC3 pack.
>
>- Token revocation with authorization code reuse
>- OIDC UserInfo with token sent in the request body and as bearer
>header
>- OAuth Application Owner update
>- Verified that no username enumeration attacks are possible during password
>recovery flows.
>
>
> [+] Stable - go ahead and release.
>
>
> Regards,
> Farasath
>
> On Wed, May 22, 2019 at 5:41 PM Hasanthi Purnima Dissanayake <
> hasan...@wso2.com> wrote:
>
>> Hi All,
>>
>> I have tested following features.
>>
>>1. OIDC backchannel logout
>>2. SAML front channel logout.
>>
>> No blocking issues found.
>>
>> [+] Stable - go ahead and release.
>>
>> Thanks,
>> Hasanthi
>>
>>
>>
>> On Wed, May 22, 2019 at 8:03 AM Isuranga Perera 
>> wrote:
>>
>>> All:
>>> I have tested Federated Authentication
>>> [+] Stable - go ahead and release.
>>>
>>> Best Regards
>>> Isuranga Perera
>>>
>>> On Sun, May 19, 2019 at 7:30 PM Shanika Wickramasinghe <
>>> shani...@wso2.com> wrote:
>>>
 Hi All,

 I have tested the SAML SSO with POST binding and Redirect binding flows
 and no issues found.

 +1 Go Ahead and Release


 Thanks,

 Shanika

 On Thu, May 16, 2019 at 12:33 PM Hasanthi Purnima Dissanayake <
 hasan...@wso2.com> wrote:

> Hi All,
>
> The reason for breaking the RC2 vote is that an unused commented
> configuration description in carbon.xml was reported [1]. In the RC3
> release that commented line in the configuration file is removed and no
> other code-level changes were done.
>
> Further, in the Analytics-IS pack, the versions are updated according
> to the latest released SP pack versions [2].
>
> [1] [Dev][VOTE] Release WSO2 Identity Server 5.8.0 RC2
> [2] [VOTE] Release of WSO2 Stream Processor 4.4.0 RC6
>
> Thanks,
> Hasanthi
>
> On Thu, May 16, 2019 at 12:30 PM Hasanthi Purnima Dissanayake <
> hasan...@wso2.com> wrote:
>
>> Hi all,
>>
>> We are pleased to announce the third release candidate of WSO2
>> Identity Server 5.8.0.
>>
>> This release fixes the following issues,
>>
>>- 5.8.0-RC3 fixes
>>- 5.8.0-RC2 fixes
>>- 5.8.0-RC1 fixes
>>- 5.8.0-Beta5 fixes
>>- 5.8.0-Beta4 fixes
>>- 5.8.0-Beta3 fixes
>>- 5.8.0-Beta fixes
>>- 5.8.0-Alpha5 fixes
>>- 5.8.0-Alpha4 fixes
>>- 5.8.0-Alpha3 fixes
>>- 5.8.0-Alpha2 fixes
>>- 5.8.0-Alpha fixes
>>- 5.8.0-M26 fixes
>>- 5.8.0-M25 fixes
>>- 5.8.0-M24 fixes
>>- 5.8.0-M6 fixes
>>- 5.8.0-M5 fixes
>>- 5.8.0-M4 fixes
>>- 5.8.0-M3 fixes
>>- 5.8.0-M2 fixes
>>- 5.8.0-M1 fixes
>>
>>
>> Source and distribution
>>
>> Runtime - https://github.com/wso2/product-is/releases/tag/v5.8.0-rc3
>> Analytics - https://github.com/wso2/analytics-is/releases/tag/v5.8.0-rc3

[Dev] WSO2 Committers += Abilashini Thiyagarajah

2019-03-28 Thread Isura Karunaratne
Hi All,

It's my pleasure to announce Abilashini Thiyagarajah as a WSO2 committer.
She has been a valuable contributor to WSO2.

Congratulations Abilashini and keep up the good work ...!

Cheers,
Isura.

-- 

*Isura Dilhara Karunaratne*
Associate Technical Lead | WSO2 
*lean.enterprise.middleware*
Email: is...@wso2.com
Mob : +94 772 254 810
Blog : http://isurad.blogspot.com/


Re: [Dev] UserIdentityManagementAdmin service does not return correct set of challenge questions

2019-03-11 Thread Isura Karunaratne
@Sajith Ekanayaka,

What is the service you used? Is that
ChallengeQuestionManagementAdminService?
ChallengeQuestionManagementAdminService should be used with the new
identity management implementation.

Cheers,
Isura.

On Mon, Mar 11, 2019 at 12:11 AM Sajith Ekanayaka  wrote:

> Hi all,
>
> I observed the same in WUM-updated 5.3.0 and 5.7.0 packs as well. Is this
> expected behavior?
>
> Thanks,
> Sajith
>
> On Tue, Jul 17, 2018 at 12:05 AM Rajith Roshan  wrote:
>
>> Hi Devs,
>>
>> When I add a challenge question to an existing challenge set or create a new
>> challenge question set from the IS 5.3.0 carbon console, and then invoke the
>> "getAllChallengeQuestions" operation in
>> UserIdentityManagementAdminService, it returns only the old set of
>> challenge questions. The newly added ones are not visible.
>>
>> And also, when I add a new question using "setChallengeQuestions" in the
>> admin service, it gets added, but I could not see this newly added question
>> in the carbon console either. And if I invoke the
>> "getAllChallengeQuestions" method after adding a challenge question, it
>> only shows me the newly added one.
>>
>> Your inputs regarding this are highly appreciated.
>>
>> Thanks!
>> Rajith
>>
>> --
>> Rajith Roshan
>> Senior Software Engineer, WSO2 Inc.
>> Mobile: +94-717-064-214
>>
>
>
> --
> *Sajith Ekanayaka*
> Software Engineer | WSO2
>
> Mobile: +94 714003025
> Web: http://wso2.com
>
> 
>


-- 

*Isura Dilhara Karunaratne*
Associate Technical Lead | WSO2 
*lean.enterprise.middleware*
Email: is...@wso2.com
Mob : +94 772 254 810
Blog : http://isurad.blogspot.com/


Re: [Dev] Issue when enabling Resend OTP link

2019-03-03 Thread Isura Karunaratne
+ @Buddhima Udaranga 

On Wed, Feb 13, 2019 at 6:20 PM prayag pavithran <
prayagpavith...@hotmail.com> wrote:

> Hi ,
>
> Currently we've integrated WSO2 Identity Server with two-factor
> authentication (*Email OTP*) configured.
>
> In the *emailotp.jsp* page the "Resend Code" hyperlink is enabled only if the
> user enters a wrong OTP. This functionality works fine.
>
> We would like to enable the "*Resend Code*" link whenever the user lands on
> the Email OTP screen.
>
> Once we removed the condition check for enabling the Resend OTP link, the
> link gets displayed when the user lands on the email OTP screen.
>
> This time when the user clicks the link, the user is navigated to a blank
> /commonauth screen.
>
> Kindly request you to help me solving the issue .
>
>
> Thanks & Regards,
> Prayag Pavithran
>
>
>


-- 

*Isura Dilhara Karunaratne*
Associate Technical Lead | WSO2 
*lean.enterprise.middleware*
Email: is...@wso2.com
Mob : +94 772 254 810
Blog : http://isurad.blogspot.com/


Re: [Dev] How to set email OTP expiration time?

2019-02-19 Thread Isura Karunaratne
+ @Buddhima Udaranga 

On Thu, Feb 14, 2019 at 7:37 PM prayag pavithran <
prayagpavith...@hotmail.com> wrote:

> Hi ,
>
> We've followed the link
> https://docs.wso2.com/display/IS570/Configuring+Email+OTP#ConfiguringEmailOTP-ConfigureWSO2ISastheemailOTPprovider
> and configured WSO2 IS as the Email OTP provider.
>
> But we are unable to find the configuration for setting the expiry of the
> OTP received in email.
>
> Kindly request you to help us in solving the issue.
>
>
> Thanks & Regards,
> Prayag Pavithran
>


-- 

*Isura Dilhara Karunaratne*
Associate Technical Lead | WSO2 
*lean.enterprise.middleware*
Email: is...@wso2.com
Mob : +94 772 254 810
Blog : http://isurad.blogspot.com/


[Dev] WSO2 Identity Server 5.8.0-M4 Released!

2018-10-17 Thread Isura Karunaratne
WSO2 Identity and Access Management team is pleased to announce the release
of Identity Server 5.8.0 M4!
Download

You can download WSO2 Identity Server 5.8.0 M4 from here.

You can download WSO2 Identity Server Analytics 5.8.0 M4 from here.

How to run

   1. Extract the downloaded zip file.
   2. Go to the bin directory in the extracted folder.
   3. Run the wso2server.sh file if you are on a Linux/Mac OS or run the
   wso2server.bat file if you are on a Windows OS.
   4. Optionally, if you need to start the OSGi console with the server, use
   the -DosgiConsole property when starting the server.

What's new in WSO2 Identity Server 5.8.0 M4

A list of all the new features and bug fixes shipped with this release can
be found here.

Known Issues

All the open issues pertaining to WSO2 Identity Server are reported at the
following location:

   - IS Runtime
   - IS Analytics

Contribute to WSO2 Identity Server

Mailing Lists

Join our mailing lists and correspond with the developers directly. We also
encourage you to take part in discussions related to the product in the
architecture mailing list. If you have any questions regarding the product
you can use our StackOverflow forum to raise them as well.

   - Developer List: dev@wso2.org
   - Architecture List: architect...@wso2.org
   - User Forum: StackOverflow

Reporting Issues

We encourage you to report issues, improvements, and feature requests
regarding WSO2 Identity Server through our public WSO2 Identity Server GIT
Issues .

For more information about WSO2 Identity Server, please see
https://wso2.com/identity-and-access-management or visit the WSO2 Oxygen Tank
developer portal for additional resources.

~ The WSO2 Identity and Access Management Team ~



-- 

*Isura Dilhara Karunaratne*
Associate Technical Lead | WSO2 
*lean.enterprise.middleware*
Email: is...@wso2.com
Mob : +94 772 254 810
Blog : http://isurad.blogspot.com/


Re: [Dev] [IAM] - Getting User Consents using Browserless Clients

2018-09-28 Thread Isura Karunaratne
On Fri, Sep 28, 2018 at 12:16 PM Winma Heenatigala  wrote:

> Hi all,
>
> I am working on my project to implement the SAML ECP (Enhanced Client or
> Proxy) profile for WSO2 Identity Server.
>
> In contrast to SAML web-based SSO, the SAML ECP profile is for
> browserless clients. The following diagram shows how the message flow
> happens.
>
>
>
>
> For testing purposes I needed an ECP-enabled Service Provider and a
> client. For that, I used Shibboleth SP and a simple Bash client [1] provided
> by Shibboleth.
>
> I created a new servlet called SAMLECPProviderServlet to capture the
> SOAP-bound SAML authentication request sent by the Enhanced Client. The basic
> auth credentials (username and password) were sent by the client to the IdP
> in the HTTP request Authorization header. Using a request wrapper, the basic
> auth credentials were set to the sectoken parameter, the SAML request was
> extracted from the SOAP envelope and the new request was forwarded to the
> SAMLSSOProviderServlet. Then the request could be processed the way the
> Request Path Authenticator works. Inside the SAMLSSOServlet, for the
> requests from ECP clients, a separate response was created where the
> SAML response was enclosed in a SOAP envelope.
>
> Since the client is browserless there is an issue in providing user
> consents. I am looking for a way that our Identity Server can use to get
> consents from the users without using the browser (using the bash
> client). Your valued suggestions are highly appreciated.
>

IMO, we have to do the consent management from the application side. Since
the ECP client is not browser-based, there is no way to handle the consents
from the Identity Server at the moment.

Thanks
Isura.


> Thank you!
>
> --
>
> *Winma Heenatigala*
> *Trainee Software Engineer | WSO2*
>
> *Mobile : +94719132444*
>
>
>
>

-- 

*Isura Dilhara Karunaratne*
Associate Technical Lead | WSO2 
*lean.enterprise.middleware*
Email: is...@wso2.com
Mob : +94 772 254 810
Blog : http://isurad.blogspot.com/
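
The ECP exchange Winma describes above, as an added example written for this archive in Python rather than as servlet code (it is not the SAMLECPProviderServlet or any WSO2 code): the IdP side takes HTTP Basic credentials from the Authorization header, lifts the samlp:AuthnRequest out of the SOAP Body, and returns a samlp:Response wrapped in a SOAP envelope with the ecp:Response header the profile requires; the client side checks that header against the responseConsumerURL it got from the SP's paos:Request. The SP registry, entity IDs, URLs, credentials and the sample request are constructed for the example. Two checks a reviewer would ask for are included: DTDs are refused before the untrusted envelope is parsed, and the AssertionConsumerServiceURL in the request is pinned to the one registered for the issuing SP, so a tampered request cannot steer the Response to another host.

```python
from __future__ import annotations
import base64
import binascii
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape, quoteattr

NS = {"soap11": "http://schemas.xmlsoap.org/soap/envelope/",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ecp": "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"}
SOAP_NEXT = "http://schemas.xmlsoap.org/soap/actor/next"
# Constructed stand-in for the SP registry: entity ID -> registered ACS URL (made-up values).
REGISTERED_SPS = {"https://sp.example.org/shibboleth": "https://sp.example.org/Shibboleth.sso/SAML2/ECP"}


class EcpError(Exception):
    pass


def parse_basic_auth(header: str | None) -> tuple[str, str]:
    if not header or not header.startswith("Basic "):
        raise EcpError("missing HTTP Basic credentials")
    try:
        raw = base64.b64decode(header[6:].strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise EcpError("malformed Basic credentials") from exc
    user, sep, password = raw.partition(":")
    if not sep or not user:
        raise EcpError("malformed Basic credentials")
    return user, password


def parse_untrusted_xml(document: str) -> ET.Element:
    # SAML forbids DTDs; refusing them up front blocks entity expansion (XXE, billion laughs).
    if "<!DOCTYPE" in document or "<!ENTITY" in document:
        raise EcpError("DTD not allowed in SAML messages")
    return ET.fromstring(document)


def extract_authn_request(envelope_xml: str) -> dict[str, str]:
    """Pull the AuthnRequest out of the SOAP Body and pin the ACS URL to the registered SP."""
    root = parse_untrusted_xml(envelope_xml)
    authn = root.find("soap11:Body/samlp:AuthnRequest", NS)
    if authn is None:
        raise EcpError("no samlp:AuthnRequest in SOAP Body")
    issuer = authn.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer not in REGISTERED_SPS:
        raise EcpError(f"unknown service provider: {issuer!r}")
    acs = authn.get("AssertionConsumerServiceURL")
    if acs and acs != REGISTERED_SPS[issuer]:  # the request must not redirect the Response
        raise EcpError("AssertionConsumerServiceURL does not match the registered SP")
    return {"id": authn.get("ID", ""), "issuer": issuer, "acs_url": REGISTERED_SPS[issuer],
            "relay_state": root.findtext("soap11:Header/ecp:RelayState", default="", namespaces=NS)}


def build_ecp_response(saml_response_xml: str, acs_url: str, relay_state: str = "") -> str:
    """The ecp:Response header carries the ACS URL the client checks against paos:Request."""
    attrs = f'xmlns:ecp="{NS["ecp"]}" soap11:mustUnderstand="1" soap11:actor="{SOAP_NEXT}"'
    relay = f"<ecp:RelayState {attrs}>{escape(relay_state)}</ecp:RelayState>" if relay_state else ""
    return (f'<soap11:Envelope xmlns:soap11="{NS["soap11"]}"><soap11:Header>'
            f"<ecp:Response {attrs} AssertionConsumerServiceURL={quoteattr(acs_url)}/>{relay}"
            f"</soap11:Header><soap11:Body>{saml_response_xml}</soap11:Body></soap11:Envelope>")


def handle_ecp_request(authorization: str | None, envelope_xml: str, check_password) -> str:
    """IdP entry point: the ECP response envelope, or a SOAP Fault on any failure."""
    try:
        user, password = parse_basic_auth(authorization)
        req = extract_authn_request(envelope_xml)
        if not check_password(user, password):
            raise EcpError("authentication failed")
    except (EcpError, ET.ParseError) as exc:
        return (f'<soap11:Envelope xmlns:soap11="{NS["soap11"]}"><soap11:Body><soap11:Fault>'
                f"<faultcode>soap11:Client</faultcode><faultstring>{escape(str(exc))}</faultstring>"
                "</soap11:Fault></soap11:Body></soap11:Envelope>")
    # Stand-in for the signed samlp:Response the SSO servlet would build for this request.
    saml_response = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" ID="_resp1" Version="2.0" '
                     f'InResponseTo={quoteattr(req["id"])} Destination={quoteattr(req["acs_url"])}/>')
    return build_ecp_response(saml_response, req["acs_url"], req["relay_state"])


def client_accepts(envelope_xml: str, response_consumer_url: str) -> bool:
    """ECP client side: accept only if the header's ACS URL equals the SP's responseConsumerURL."""
    hdr = parse_untrusted_xml(envelope_xml).find("soap11:Header/ecp:Response", NS)
    return hdr is not None and hdr.get("AssertionConsumerServiceURL") == response_consumer_url


# Constructed request as a Shibboleth-style ECP client would send it (all values made up).
SAMPLE_ECP_REQUEST = f"""<soap11:Envelope xmlns:soap11="{NS['soap11']}">
  <soap11:Header><ecp:RelayState xmlns:ecp="{NS['ecp']}" soap11:mustUnderstand="1"
      soap11:actor="{SOAP_NEXT}">ss:mem:abc123</ecp:RelayState></soap11:Header>
  <soap11:Body>
    <samlp:AuthnRequest xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_req1"
        Version="2.0" IssueInstant="2018-09-28T06:46:00Z"
        AssertionConsumerServiceURL="https://sp.example.org/Shibboleth.sso/SAML2/ECP">
      <saml:Issuer>https://sp.example.org/shibboleth</saml:Issuer>
    </samlp:AuthnRequest>
  </soap11:Body>
</soap11:Envelope>"""
SAMPLE_AUTHORIZATION = "Basic " + base64.b64encode(b"alice:correct horse").decode()
```

With the sample request and a matching password check, handle_ecp_request returns the ECP envelope and client_accepts passes for the registered ACS URL; a request whose AssertionConsumerServiceURL points elsewhere, a request carrying a DTD, a wrong password or a missing Authorization header all come back as a SOAP Fault instead of a Response.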


Re: [Dev] [Architecture] [VOTE] Release WSO2 Identity Server 5.7.0 RC3

2018-09-14 Thread Isura Karunaratne
Hi all,

Tested
- Password recovery with email notification
- Password recovery with security questions.
- Password history validation.
- Password Pattern validations.

No blocking issues were found.

*[+] Stable - Go ahead and release.*

Thanks
Isura.

On Fri, Sep 14, 2018 at 6:28 AM Rushmin Fernando  wrote:

> I tested following scenarios with MySQL 5.7
>
> *Configurations*
> Email username was enabled.
> OAuth token encryption was enabled.
> Internal keystore was configured.
>
> *Scenarios*
>
>
> SCIM API
>
> Create a user in primary user store and a JDBC secondary user store
> Get user
> Create group
> Assign a user to a group
> Remove a user from a group
> Delete user
> Delete group
>
> DCR API
>
> Create application
> Delete application
>
> Application Management - SOAP API
>
> Update SP with a certificate and a new owner
> Delete SP
>
> SCOPE API
>
> Create scope
> Get scope
> Delete scope
>
> Identity Provider Management - SOAP API
>
> Create IDP
> Update IDP with a certificate
> Delete IDP
>
> OAuth Token API
>
> Token with client credentials and password grant types
> Token introspection
>
> [+] Stable - Go ahead and release
>
> On Fri, Sep 14, 2018 at 2:00 AM Ashen De Silva  wrote:
>
>> Hi All,
>>
>> I have tested the following scenarios with the H2 default database.
>>
>>- Configuring a service provider for OAuth/OpenID Connect and
>>authenticating with the playground2 app.
>>- Configuring a service provider for SAML SSO.
>>- Add user, roles, and update permissions.
>>
>> *[+] Stable - Go ahead and release*
>>
>> Regards,
>> Ashen
>>
>>
>> On Thu, Sep 13, 2018 at 11:31 PM, Tharindu Edirisinghe <
>> tharin...@wso2.com> wrote:
>>
>>> Evaluated the static code analysis and dynamic security analysis reports.
>>>
>>> All the flagged issues are found to be false positives.
>>>
>>> [+] Stable in terms of security - Go ahead and release
>>>
>>> Thanks,
>>> Tharindu Edirisinghe
>>>
>>> On Thu, Sep 13, 2018 at 10:48 PM Pamoda Wimalasiri 
>>> wrote:
>>>
 Hi all,

 I tested below scenarios with DB2 database.

- Self-registration and account confirmation
- Self-registration consent purposes
- Just-In-Time Provisioning Consent Purposes
- SAML2 Artifact binding and authenticate

 No blocking issues found.

 [+] Stable - Go ahead and release

 Thanks,
 Pamoda

 On Thu, Sep 13, 2018 at 10:39 PM Vihanga Liyanage 
 wrote:

> Hi all,
>
> Tested below scenarios on IS 5.7.0-RC2 pack using the default H2
> database and Postgres SQL database.
>
>- Started with *-Dsetup* property in Postgres and DB scripts
>executed without any issues.
>- Add service provider, configured SAML SSO, authenticate with *the
>dispatch* sample web app.
>- Enable SAML2 Artifact binding and authenticate.
>- Add SP certificate, enable signature validation in SAML2
>artifact resolve request and authenticate.
>- Add new SP with OAuth/OpenID Connect Configuration and
>authenticate with *the playground* sample web app. Tested all
>OAuth grant types.
>- Add SP certificate, enable ID token encryption, authenticate and
>decrypt the encrypted ID token by providing the private key of the SP.
>
> No blocking issues found.
>
> [+] Stable - Go ahead and release
>
> Best regards,
> Vihanga.
>
> On Thu, Sep 13, 2018 at 10:14 PM Janak Amarasena 
> wrote:
>
>> Hi all,
>>
>> Tested below scenarios with MySQL 5.7,
>>
>>- Self-Registration and Account Confirmation.
>>- Configure Just-In-Time Provisioning Consent Purposes.
>>- Add user, add roles, add permissions
>>- UMA 2.0 flow
>>- Obtain access token using password grant.
>>- Create, delete, update, list resources and read resource
>>description of a resource by invoking UMA resource registration 
>> endpoint.
>>- Entitlement policy creation using write policy in xml and
>>publishing.
>>- Obtain permission ticket by invoking UMA permission endpoint.
>>- Configure a service provider with OpenID Connect and obtain
>>access token using UMA grant.
>>- Invoke the OAuth Introspection Endpoint.
>>- Enable SAML2 Artifact binding and authenticate
>>
>> No blocking issues found.
>>
>> [+] Stable - Go ahead and release
>>
>> Best Regards,
>> Janak
>>
>>
>> On Thu, Sep 13, 2018 at 10:10 PM, Tharindu Bandara <
>> tharin...@wso2.com> wrote:
>>
>>> Hi all,
>>>
>>> I have tested the following scenarios on IS 5.7.0 RC3 pack using
>>> MySQL 5.7 database and did not encounter any 

Re: [Dev] Query Regarding the user last Login Timestamp in wso2 identity server.

2018-07-08 Thread Isura Karunaratne
Hi Monika,

In IS 5.3.0 and IS 5.4.0 that claim will be updated with the "account
suspension" feature [1]. So, you can use one of the following ways to
populate the password claim.


   - Enable the account suspension feature.
   - Disable the new IdentityMgtEventListener and enable the old listener in
   *identity.xml* as follows




  

Thanks
Isura.

[1] https://docs.wso2.com/display/IS530/User+Account+Suspension

On Wed, Jul 4, 2018 at 2:54 PM Monika Sharma 
wrote:

> Dear Sir,
>
> This is regarding the WSO2 IS bug at
> https://wso2.org/jira/browse/IDENTITY-3284
>
> I have a query regarding the user last login timestamp.
>
> According to this bug, the last login timestamp feature is implemented in the
> WSO2 5.2.0 MA version. I have checked this feature in 5.3.0 and 5.4.0 but the
> last login timestamp is not displayed in the Available Claims list for
> http://wso2.org/claims in the WSO2 IS UI. So please confirm whether this
> feature is implemented or not. And there is no information available in the
> WSO2 documentation regarding the last login timestamp. Please share the link
> to its documentation, if any.
>
> Currently, the last login and last logon claims are displayed in the
> Available Claims list for http://wso2.org/claims in the WSO2 IS UI.
>
> So, please let me know the functionality description of the last login
> timestamp in WSO2 IS.
>
>
>
> Thanks & Regards
>
> Monika Sharma
>
>
>
>
>
>
>
>
>


-- 

*Isura Dilhara Karunaratne*
Associate Technical Lead | WSO2 
*lean.enterprise.middleware*
Email: is...@wso2.com
Mob : +94 772 254 810
Blog : http://isurad.blogspot.com/


Re: [Dev] [Architecture] [VOTE] Release of WSO2 Identity Server 5.6.0 RC3

2018-06-19 Thread Isura Karunaratne
Hi,

Tested the following scenarios in the super tenant, primary user store.


   - Account Locking
   - Self Registration with email confirmation.
   - Self-care portal operations.
   - Password reset through a notification.
   - Password reset through challenge questions.
   - Account Recovery.
   - Password History validation.
   - Password Pattern validation.

No blocking issues found.

[+] Stable - Go ahead and release

Thanks
Isura.

On Tue, Jun 19, 2018 at 2:46 PM Dewni Weeraman  wrote:

> Hi,
>
> Tested below scenarios on IS 5.6.0-RC3 pack,
>
>- Invoke the OAuth Introspection Endpoint.
>- OAuth token revocation.
>- Entitlement policy creation using write policy in xml and publishing.
>- Using REST APIs via XACML to manage entitlement.
>- Create, update, get, delete an OAuth app using Dynamic Client
>Registration endpoint.
>
>
> No blocking issues found.
>
> [+] Stable - Go ahead and release
>
> Thanks,
> Dewni
>
> On Tue, Jun 19, 2018 at 1:43 PM, Sathya Bandara  wrote:
>
>> Hi all,
>>
>> I've tested following scenarios on the IS 5.6.0-RC3 pack.
>>
>> User management (add/update/remove users).
>> User management in secondary userstores (Read-Write LDAP).
>> Consent Management in SAML SSO.
>> SAML to SAML federation.
>> Creating workflows definitions for primary userstore users.
>> Engaging/Disabling workflows on user-store operations.
>> Enable role based authorization using XACML for service providers.
>> Tenant creation/update/disabling.
>>
>> No blocking issues are found.
>>
>> [+] Stable - go ahead and release.
>>
>> Thanks,
>> Sathya
>>
>>
>> On Tue, Jun 19, 2018 at 12:26 PM, Vihanga Liyanage 
>> wrote:
>>
>>> Hi all,
>>>
>>> I've tested following scenarios on the IS 5.6.0-RC3 pack with default
>>> database setup.
>>>
>>>- Enable user self-registration and self-register a new user.
>>>- Add multiple consent purposes with multiple PII categories.
>>>- Login to dashboard and see whether we can see the default consent
>>>and above added PII categories.
>>>- Confirm claims are getting filtered based on consents.
>>>- Configure a service provider with OpenID Connect and acquire
>>>access tokens via Authorization Code, Implicit, Client Credential and
>>>Password grant types.
>>>- Enable ID token encryption for the service provider and test the
>>>flow with decryption for all grant types.
>>>- Delete the self-signed up user, create another user with the exact
>>>same username, log in to the dashboard and see what are the consents
>>>shown.
>>>- Revoke consents of the user via the dashboard and try accessing
>>>the SP to verify the consents are asked again.
>>>- Delete the SP, login to the dashboard and see whether the consents
>>>are deleted for that SP.
>>>
>>> No blocking issues are found.
>>>
>>> [+] Stable - go ahead and release.
>>>
>>> Thanks,
>>> Vihanga.
>>>
>>> On Fri, Jun 15, 2018 at 6:29 PM Madawa Soysa  wrote:
>>>
 Hi all,

 We are pleased to announce the third release candidate of WSO2 Identity
 Server 5.6.0.

 This release fixes the following issues

- 5.6.0-RC Fixes

- 5.6.0-Beta Fixes

- 5.6.0-Alpha2 Fixes

- 5.6.0-Alpha Fixes

- 5.6.0-M7 Fixes

- 5.6.0-M6 Fixes

- 5.6.0-M5 Fixes

- 5.6.0-M4 Fixes

- 5.6.0-M3 Fixes

- 5.6.0-M2 Fixes

- 5.6.0-M1 Fixes


 Source and distribution,
 Runtime -
 https://github.com/wso2/product-is/releases/tag/v5.6.0-rc3
 Analytics -
 https://github.com/wso2/analytics-is/releases/v5.6.0-rc3

 Please download, test the product and vote.

 [+] Stable - go ahead and release
 [-] Broken - do not release (explain why)

 Thanks,
 WSO2 Identity and Access Management Team
 --

 Madawa Soysa / Senior Software Engineer
 mada...@wso2.com / +94714616050

 *WSO2 Inc.*
 lean.enterprise.middleware

   




>>>
>>> --
>>>
>>> Vihanga Liyanage
>>>
>>> Software Engineer | WS*O₂* Inc.
>>>
>>> M : +*94710124103* | http://wso2.com
>>>

Re: [Dev] Introduce custom attributes to Identity Server embedded LDAP schema.

2018-04-03 Thread Isura Karunaratne
Hi Sathya,


On Tue, Apr 3, 2018 at 2:15 AM, Sathya Bandara <sat...@wso2.com> wrote:

> Hi Isura,
>
> Did you generate the new is-default-schema.zip by customizing the ldif
> files manually?
>

Yes. It was done manually.

Thanks
Isura.

>
> Thanks,
> Sathya
>
> On Mon, Dec 4, 2017 at 1:50 PM, Isura Karunaratne <is...@wso2.com> wrote:
>
>> Hi Asela,
>>
>> On Mon, Dec 4, 2017 at 1:31 PM, Asela Pathberiya <as...@wso2.com> wrote:
>>
>>>
>>>
>>> On Mon, Dec 4, 2017 at 12:48 PM, Isura Karunaratne <is...@wso2.com>
>>> wrote:
>>>
>>>> This is done with the following PRs:
>>>>
>>>> https://github.com/wso2-extensions/identity-userstore-ldap/pull/15/
>>>>
>>>
>>>> https://github.com/wso2/carbon-identity-framework/pull/1224
>>>>
>>>> Thanks
>>>> Isura.
>>>>
>>>> On Wed, Nov 29, 2017 at 10:42 AM, Isura Karunaratne <is...@wso2.com>
>>>> wrote:
>>>>
>>>>>
>>>>>
>>>>> On Wed, Nov 29, 2017 at 10:16 AM, Isura Karunaratne <is...@wso2.com>
>>>>> wrote:
>>>>>
>>>>>> Hi all,
>>>>>>
>>>>>> We need to update the LDIF to support the following attributes by default
>>>>>> in the embedded LDAP.
>>>>>>
>>>>>>- verifyEmail
>>>>>>- askPassword
>>>>>>- forcePasswordReset
>>>>>>- failedRecoveryAttempts
>>>>>>- primaryChallengeQuestion
>>>>>>- emailVerified
>>>>>>- challengeQuestionUris
>>>>>>- failedLockoutCount
>>>>>>- lastLoginTime
>>>>>>- lastPasswordUpdate
>>>>>>- phoneVerified
>>>>>>- accountDisabled
>>>>>>
>>>>>> It looks like updating the identityPerson.ldif [1] file is not enough to
>>>>>> cater to the requirement; we need to generate the is-default-schema.zip file
>>>>>> as well.
>>>>>>
>>>>>
>>>
>>> In the PR, it seems that you have updated the ldif file. Is there anything
>>> else you did?
>>>
>>
>> Yes. Updated the is-default-schema.zip file as well. It is also in the PR
>> :)
>>
>> [1] features/org.wso2.carbon.ldap.server.server.feature/resources/conf/is-default-schema.zip
>> <https://github.com/wso2-extensions/identity-userstore-ldap/pull/15/files#diff-89eb521e87befb126adc90084ea56441>
>>
>>
>> Thanks
>> Isura.
>>
>>>
>>> Thanks,
>>> Asela.
>>>
>>>
>>>>
>>>>>> What would be the best way to generate the is-default-schema.zip?
>>>>>>
>>>>>>
>>>>>> [1] https://github.com/wso2-extensions/identity-userstore-ldap/blob/master/features/org.wso2.carbon.ldap.server.server.feature/resources/conf/identityPerson.ldif
>>>>>>
>>>>>> [2] https://github.com/wso2-extensions/identity-userstore-ldap/blob/master/features/org.wso2.carbon.ldap.server.server.feature/resources/conf/is-default-schema.zip
>>>>>>
>>>>>> --
>>>>>>
>>>>>> *Isura Dilhara Karunaratne*
>>>>>> Associate Technical Lead | WSO2
>>>>>> Email: is...@wso2.com
>>>>>> Mob : +94 772 254 810 <+94%2077%20225%204810>
>>>>>> Blog : http://isurad.blogspot.com/
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>>
>>>>> *Isura Dilhara Karunaratne*
>>>>> Associate Technical Lead | WSO2
>>>>> Email: is...@wso2.com
>>>>> Mob : +94 772 254 810 <+94%2077%20225%204810>
>>>>> Blog : http://isurad.blogspot.com/
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>>
>>>> *Isura Dilhara Karunaratne*
>>>> Associate Technical Lead | WSO2
>>>> Email: is...@wso2.com
>>>> Mob : +94 772 254 810 <+94%2077%20225%204810>
>>>> Blog : http://isurad.blogspot.com/
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> Thanks & Regards,
>>> Asela
>>>
>>> ATL
>>> Mobile : +94 777 625 933 <+94%2077%20762%205933>
>>>  +358 449 228 979
>>>
>>> http://soasecurity.org/
>>> http://xacmlinfo.org/
>>>
>>
>>
>>
>> --
>>
>> *Isura Dilhara Karunaratne*
>> Associate Technical Lead | WSO2
>> Email: is...@wso2.com
>> Mob : +94 772 254 810 <+94%2077%20225%204810>
>> Blog : http://isurad.blogspot.com/
>>
>>
>>
>>
>> ___
>> Dev mailing list
>> Dev@wso2.org
>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>
>>
>
>
> --
> Sathya Bandara
> Software Engineer
> WSO2 Inc. http://wso2.com
> Mobile: (+94) 715 360 421 <+94%2071%20411%205032>
>
> <+94%2071%20411%205032>
>



-- 

*Isura Dilhara Karunaratne*
Associate Technical Lead | WSO2
Email: is...@wso2.com
Mob : +94 772 254 810 <+94%2077%20225%204810>
Blog : http://isurad.blogspot.com/
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


Re: [Dev] [Architecture] [IAM] Consent Management with Requested Claims in Authentication Request

2018-03-26 Thread Isura Karunaratne
Hi Indunil,

On Sun, Mar 25, 2018 at 9:50 PM, Indunil Upeksha Rathnayake <
indu...@wso2.com> wrote:

> Hi,
>
> Please find the following information on current implementation of consent
> management in IS 5.5.0.
>
>- Claims to populate in the consent page will be retrieved from the
>claim mapping configuration in the SP (i.e. claims which are configured as
>requested).
>- If the claims configured in the SP are marked as mandatory (i.e.
>without those claims the application cannot work), consent MUST be given by
>the user to proceed.
>- When the user has provided consent for the first time, a consent receipt will
>be generated for that application and for that user. After that, the consent
>page will be shown if there are any more mandatory claims which the user has
>not provided consent to share with the application.
>- If there are no SP configurations, consider that as a federated
>scenario and populate all the authenticated user attributes as mandatory
>claims in the consent.
>
>
> Following is the suggested approach for handling consent management when
> the requested claims are sent dynamically in the authentication request.
>
>- *Requested/Mandatory claims are only configured in SP*
>
>   - Populate all the claims configured in the SP in the consent page.
>
>- *Requested/Mandatory claims are not configured in SP and requested
>in authentication request*
>
>   - From the framework, set all the requested attributes on the
>   authenticated user (i.e. values as null for the attributes which are not
>   available for the user) and set the required property of the claims to
>   true/false.
>   - In the consent service, validate the required property and populate
>   the consent page. Since mandatory is a property which we have introduced in
>   IS, that won't be affected for the requested claims in the authentication
>   request.
>   - All the requested claims in the authentication request will be populated
>   in the consent page whether the user has an attribute value or not.
>   - We assume that all the user attributes for which the user's consent is
>   needed will be sent in the first authentication request. For later
>   requests, the consent page will not be shown. This is because the consent page
>   will be populated only for mandatory claims if a consent receipt is
>   available for the user.
>
>
>
What is the expected behaviour if an additional claim is requested in later
requests (not in the first request)? In that case, I think we can pop up
consent for that claim only.

Thanks
Isura.

>
>   - Filter out and remove the null user attribute values in the framework
>   and send them to the inbound component, or the null values can be handled in
>   the inbound component.
>   - Federated claims will also be treated the same way as above.
>
>- *Requested/Mandatory claims are configured in SP and requested in
>authentication request*
>
>   - Populate all the claims configured in the SP in the consent page.
>   - Here we will not be considering the requested claims in the
>   request when showing the consent page.
>
>
>
> Appreciate your suggestions and comments on this.
>
> Thanks and Regards
> --
> Indunil Upeksha Rathnayake
> Software Engineer | WSO2 Inc
> Emailindu...@wso2.com
> Mobile   0772182255
>



-- 

*Isura Dilhara Karunaratne*
Associate Technical Lead | WSO2
Email: is...@wso2.com
Mob : +94 772 254 810
Blog : http://isurad.blogspot.com/
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
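The claim-selection rules discussed in this thread, written out as a small model so the three cases (claims configured in the SP, claims requested only in the authentication request, neither) and the receipt-exists behaviour can be checked against concrete inputs. This is an added example, not Identity Server code: SpClaimConfig, ConsentReceipt, claims_to_prompt and attributes_to_send are constructed names, and the receipt shape (consented and declined sets) is an assumption made so that a claim first requested in a later request can be told apart from one the user already declined, which is the case raised in the reply above.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class SpClaimConfig:
    """Claims configured in the service provider's claim mapping (constructed shape)."""
    requested: Set[str] = field(default_factory=set)
    mandatory: Set[str] = field(default_factory=set)   # subset of requested


@dataclass
class ConsentReceipt:
    """What the user already decided for this SP (constructed shape, not the IS receipt)."""
    consented: Set[str] = field(default_factory=set)
    declined: Set[str] = field(default_factory=set)


def _candidate_claims(sp: Optional[SpClaimConfig],
                      requested_in_request: Dict[str, bool],
                      user_attributes: Dict[str, Optional[str]]) -> Dict[str, bool]:
    """Return claim -> mandatory flag for the claims that may need consent."""
    if sp is not None and sp.requested:
        # SP configuration wins; claims carried in the request are not considered.
        return {c: c in sp.mandatory for c in sp.requested}
    if requested_in_request:
        # No SP configuration: use the request's claims and its required flag.
        return dict(requested_in_request)
    # Neither: federated scenario, every authenticated attribute is mandatory.
    return {c: True for c in user_attributes}


def claims_to_prompt(sp: Optional[SpClaimConfig],
                     requested_in_request: Dict[str, bool],
                     user_attributes: Dict[str, Optional[str]],
                     receipt: Optional[ConsentReceipt]) -> List[str]:
    """Claims to show on the consent page for this login (sorted for stable output)."""
    candidates = _candidate_claims(sp, requested_in_request, user_attributes)
    if receipt is None:
        return sorted(candidates)            # first login to this SP: ask about everything
    prompt = []
    for claim, mandatory in candidates.items():
        if claim in receipt.consented:
            continue                         # already shared, nothing to ask
        if mandatory or claim not in receipt.declined:
            # mandatory claims are asked until consented; an optional claim is asked
            # only if the user has never been asked about it (e.g. newly requested)
            prompt.append(claim)
    return sorted(prompt)


def attributes_to_send(user_attributes: Dict[str, Optional[str]],
                       receipt: ConsentReceipt) -> Dict[str, str]:
    """Consented attributes with null values filtered out before the inbound component."""
    return {c: v for c, v in user_attributes.items()
            if c in receipt.consented and v is not None}


# Constructed sample user; "country" has no value in the user store.
USER = {"email": "alice@example.com", "givenname": "Alice", "country": None}

if __name__ == "__main__":
    sp = SpClaimConfig(requested={"email", "givenname", "country"}, mandatory={"email"})
    print(claims_to_prompt(sp, {}, USER, None))
    later = ConsentReceipt(consented={"email"}, declined={"phone"})
    print(claims_to_prompt(None, {"email": True, "phone": False, "address": False}, USER, later))
```

The second call in the usage block is the edge case from the reply: "address" was not part of the first request, so it is the only claim prompted on the later request.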


Re: [Dev] Identity server installation

2018-03-14 Thread Isura Karunaratne
Hi Asanka,


   - Go to the
   https://wso2.com/identity-and-access-management/previous-releases
   - Select IS 5.0.0
   - Click on the Service Pack to download the IS 5.0.0 SP1

Thanks
Isura.

On Tue, Mar 6, 2018 at 8:12 PM, Asanka Anthony 
wrote:

> Where can we download the WSO2 Identity Server 5.0.0 SP1 pack? Please advise.
>
> Thanks
> Anthony
>
> ___
> Dev mailing list
> Dev@wso2.org
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>
>


-- 

*Isura Dilhara Karunaratne*
Associate Technical Lead | WSO2
Email: is...@wso2.com
Mob : +94 772 254 810
Blog : http://isurad.blogspot.com/
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


Re: [Dev] Engage tomcat filters when original request is dispatched towards a different context.

2018-02-25 Thread Isura Karunaratne
On Sun, Feb 25, 2018 at 11:32 PM Hasintha Indrajee 
wrote:

> We have the tenant context rewrite valve which dispatches the original request
> to the context after removing the tenant context (/t/tenantDomain). Hence
> servlet filters are not getting engaged for these dispatched requests. We
> need to add an extra <dispatcher> element to our servlet filters in order
> to execute them for dispatched requests as well. Below are two examples
> without and with the extra dispatcher element.
>
> Shall we add this for all our filters?
>
+1

Also, check whether the filters are getting executed for non-web-app
requests (e.g. the identity servlet).



/api/identity/user/v1.0/
/api/identity/consent-mgt/v1.0/
/api/identity/recovery/v0.9/
/oauth2/
/scim2/
/api/identity/entitlement/
/api/identity/oauth2/dcr/v1.0/


/identity/(.*)





Thanks
Isura.

>
>
> Without FORWARD dispatcher
>
> <filter-mapping>
>     <filter-name>CaptchaFilter</filter-name>
>     <url-pattern>/*</url-pattern>
>     <dispatcher>REQUEST</dispatcher>
> </filter-mapping>
>
>
> With FORWARD dispatcher (additionally we can have INCLUDE dispatcher as
> well if we are including without forwarding)
>
> <filter-mapping>
>     <filter-name>CaptchaFilter</filter-name>
>     <url-pattern>/*</url-pattern>
>     <dispatcher>REQUEST</dispatcher>
>     <dispatcher>FORWARD</dispatcher>
>     <dispatcher>INCLUDE</dispatcher>
> </filter-mapping>
>
>
>
>
> --
> Hasintha Indrajee
> WSO2, Inc.
> Mobile:+94 771892453 <077%20189%202453>
>
>
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
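A check that follows from this thread: a security filter mapped only for REQUEST is silently skipped for requests a valve or servlet forwards to another context, so a web.xml audit should flag every filter-mapping that does not declare FORWARD (and INCLUDE). The script below is an added example, not WSO2 code; the web.xml it parses is constructed inline, and the rule that a mapping with no dispatcher element applies to REQUEST only is the Servlet specification's default.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample web.xml (not from the page or any WSO2 product): three filter
# mappings, only one of which is engaged for forwarded and included requests.
SAMPLE_WEB_XML = """\
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <filter>
    <filter-name>CaptchaFilter</filter-name>
    <filter-class>org.example.CaptchaFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>CaptchaFilter</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
  </filter-mapping>
  <filter-mapping>
    <filter-name>AuditFilter</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>FORWARD</dispatcher>
    <dispatcher>INCLUDE</dispatcher>
  </filter-mapping>
  <filter-mapping>
    <filter-name>LegacyFilter</filter-name>
    <url-pattern>/legacy/*</url-pattern>
  </filter-mapping>
</web-app>
"""

# Dispatcher types a filter should cover if it must see forwarded/included requests too.
REQUIRED_DISPATCHERS = ("REQUEST", "FORWARD", "INCLUDE")


def _local(tag: str) -> str:
    """Strip the XML namespace: '{uri}filter-mapping' -> 'filter-mapping'."""
    return tag.rsplit("}", 1)[-1]


def filter_mappings(web_xml: str) -> List[Dict[str, object]]:
    """Return each <filter-mapping> as {filter, patterns, dispatchers}.

    A mapping without any <dispatcher> element applies to REQUEST only (Servlet
    spec default), so that implicit value is made explicit in the result.
    """
    root = ET.fromstring(web_xml)
    mappings = []
    for el in root.iter():
        if _local(el.tag) != "filter-mapping":
            continue
        children: Dict[str, List[str]] = {}
        for child in el:
            children.setdefault(_local(child.tag), []).append((child.text or "").strip())
        mappings.append({
            "filter": children.get("filter-name", [""])[0],
            "patterns": children.get("url-pattern", []),
            "dispatchers": children.get("dispatcher") or ["REQUEST"],
        })
    return mappings


def missing_dispatchers(web_xml: str,
                        required=REQUIRED_DISPATCHERS) -> Dict[str, List[str]]:
    """Map filter name -> dispatcher types for which that filter is NOT engaged.

    An empty dict means every mapping covers all required dispatcher types.
    Keyed by filter name, so a filter with several mappings reports its last one.
    """
    gaps: Dict[str, List[str]] = {}
    for m in filter_mappings(web_xml):
        missing = sorted(set(required) - set(m["dispatchers"]))
        if missing:
            gaps[m["filter"]] = missing
    return gaps


if __name__ == "__main__":
    for name, missing in missing_dispatchers(SAMPLE_WEB_XML).items():
        print(f"{name}: not engaged for {', '.join(missing)} dispatches")
```

Run against a real deployment's web.xml files, the output lists the filters that a tenant-context forward would bypass; the fix is the extra dispatcher elements shown in the quoted mail.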


Re: [Dev] NotificationSendingImpl class in identity management endpoint

2018-02-22 Thread Isura Karunaratne
On Fri, Feb 23, 2018 at 9:00 AM, Pulasthi Mahawithana 
wrote:

> Hi,
>
> Seems like this class [1] is not needed and it contains some test code.
> Shall we remove this?
>
+1.

Removed from 5.11.x branch with [1].

Please review and merge the PR for master [2].

>
> [1] https://github.com/wso2/carbon-identity-framework/blob/master/components/identity-mgt/org.wso2.carbon.identity.mgt.endpoint/src/main/java/org/wso2/carbon/identity/mgt/endpoint/client/implementation/NotificationSendingImpl.java
>


[1] https://github.com/wso2/carbon-identity-framework/pull/1386
[2] https://github.com/wso2/carbon-identity-framework/pull/1385

Thanks
Isura.

>
> --
> *Pulasthi Mahawithana*
> Associate Technical Lead
> WSO2 Inc., http://wso2.com/
> Mobile: +94-71-5179022 <+94%2071%20517%209022>
> Blog: https://medium.com/@pulasthi7/
>
> 
>



-- 

*Isura Dilhara Karunaratne*
Associate Technical Lead | WSO2
Email: is...@wso2.com
Mob : +94 772 254 810
Blog : http://isurad.blogspot.com/
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


Re: [Dev] Set captcha on by default for tenants

2018-02-22 Thread Isura Karunaratne
According to the code [1], we should call the method
setSSOLoginConnectorConfigs from
CaptchaUtil.buildReCaptchaFilterProperties method
to get the default values from captcha-config.properties file. So,
currently, we cannot set default values from a config file.

@Thanuja,
Please confirm?


[1]
https://github.com/wso2-extensions/identity-governance/blob/master/components/org.wso2.carbon.identity.captcha/src/main/java/org/wso2/carbon/identity/captcha/util/CaptchaUtil.java#L365


Thanks
Isura.

On Fri, Feb 23, 2018 at 6:29 AM, Pulasthi Mahawithana 
wrote:

> Hi,
>
> What is the configuration we need to add for $subject? Need to get this
> enabled as below by default for the (newly created) tenants. I searched the
> documentation and code, but can't find where it is being set by default.
>
> --
> *Pulasthi Mahawithana*
> Associate Technical Lead
> WSO2 Inc., http://wso2.com/
> Mobile: +94-71-5179022 <+94%2071%20517%209022>
> Blog: https://medium.com/@pulasthi7/
>
> 
>



-- 

*Isura Dilhara Karunaratne*
Associate Technical Lead | WSO2
Email: is...@wso2.com
Mob : +94 772 254 810
Blog : http://isurad.blogspot.com/
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


Re: [Dev] Clarification on user account unlock - self signup users

2018-02-22 Thread Isura Karunaratne
Hi Isuru,



On Thu, Feb 22, 2018 at 2:26 PM, Isuru Uyanage  wrote:

> Hi All,
>
> I tried the steps included in doc [1]. As it describes, after 5 invalid
> login attempts, the particular user account gets locked. After 5 minutes,
> as per the config, once the user tries to log in with correct credentials, he
> is able to log in and the account gets unlocked.
>
> As per doc [2] step 6, it says the above process happens only if
> Authentication.Policy.Account.Lock.Time is not equal to zero. If it is 0, then the admin
> user needs to unlock the user account through the Management Console or through
> Admin Services [3].
>
> When a user gets self signed up, the role which that user gets assigned is
> *Internal/selfsignup* and the permission given is login only. But even if the
> above value is 0, the selfsignup user can get his account unlocked after the
> specified time. The admin user does not need to do it through the Management
> Console.
>
> Therefore, what is the actual purpose of the
> Authentication.Policy.Account.Lock.Time
> property in the /repository/conf/identity/identity-mgt.properties
> file?
>

This doc needs to be corrected. It should be account.lock.handler.Time in
identity.xml. But file-based configurations are applied for the super tenant at
the first server startup only.

Ideally, the self signup users should be unlocked based on the unlock time
configurations.

Regards,
Isura.

That need

>
> Is above information in the doc[2] and doc[3] not valid for
> self-signup users?
>
> [1] - https://docs.wso2.com/display/IS550/Self+Sign+Up+
> and+Account+Confirmation#SelfSignUpandAccountConfirmation-Tryoutselfsignup
> [2] - https://docs.wso2.com/display/IS550/Account+Locking+
> by+Failed+Login+Attempts
> [3] - https://docs.wso2.com/display/IS550/Locking+a+Specific+User+Account
>
>
> Any thoughts are appreciated.
>
>
> *Thanks and Best Regards,*
>
> *Isuru Uyanage*
> *Software Engineer - QA | WSO2*
> *Mobile : **+94 77 <+94%2077%20767%201807> 55 30752*
> *LinkedIn: **https://www.linkedin.com/in/isuru-uyanage/
> *
>
>
>
>


-- 

*Isura Dilhara Karunaratne*
Associate Technical Lead | WSO2
Email: is...@wso2.com
Mob : +94 772 254 810
Blog : http://isurad.blogspot.com/
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
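The locking behaviour described in this thread (lock after a number of failed attempts, automatic unlock on the next attempt once the lock time has elapsed, and a lock time of 0 meaning an administrator must unlock the account) as a runnable model. This is an added example, not Identity Server code: LockPolicy, Account, attempt_login and admin_unlock are constructed names, and the model keeps a stored credential only so the comparison can run; a real implementation verifies against a salted hash.

```python
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass
class LockPolicy:
    """Account-lock settings (constructed; mirrors the two values discussed above)."""
    max_failed_attempts: int = 5    # lock after this many consecutive failures
    lock_time_minutes: int = 5      # 0 means: stay locked until an administrator unlocks


@dataclass
class Account:
    credential: str                 # model only; production code compares against a salted hash
    failed_attempts: int = 0
    locked: bool = False
    locked_at: Optional[float] = None   # epoch seconds when the lock was applied


def _unlock(account: Account) -> None:
    account.locked = False
    account.locked_at = None
    account.failed_attempts = 0


def attempt_login(account: Account, password: str, policy: LockPolicy, now: float) -> str:
    """Process one login attempt at time `now`; returns SUCCESS, FAILED or LOCKED."""
    if account.locked:
        if policy.lock_time_minutes == 0:
            return "LOCKED"          # time-based unlock disabled: admin must unlock
        if now - account.locked_at < policy.lock_time_minutes * 60:
            return "LOCKED"          # lock period has not elapsed yet
        _unlock(account)             # lock period over: unlock on this attempt and evaluate it

    if hmac.compare_digest(password.encode(), account.credential.encode()):
        account.failed_attempts = 0  # successful login resets the counter
        return "SUCCESS"

    account.failed_attempts += 1
    if account.failed_attempts >= policy.max_failed_attempts:
        account.locked = True
        account.locked_at = now
        return "LOCKED"
    return "FAILED"


def admin_unlock(account: Account) -> None:
    """Explicit unlock by an administrator (the only way out when lock time is 0)."""
    _unlock(account)


if __name__ == "__main__":
    policy = LockPolicy(max_failed_attempts=5, lock_time_minutes=5)
    acct = Account(credential="correct-horse")
    for _ in range(5):
        print(attempt_login(acct, "wrong", policy, now=0))      # FAILED x4, then LOCKED
    print(attempt_login(acct, "correct-horse", policy, now=60))   # LOCKED: 1 minute in
    print(attempt_login(acct, "correct-horse", policy, now=300))  # SUCCESS: lock time elapsed
```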


[Dev] Error occurs on server startup IS 5.5.0 (built from Product-IS 5.5.X branch) with Postgres DB.

2018-02-07 Thread Isura Karunaratne
Hi all,

The following error can be seen at server startup. There was another issue
related to consent tables and it was fixed with [1]


org.wso2.carbon.identity.base.IdentityRuntimeException: org.postgresql.util.PSQLException: ERROR: relation "idn_oidc_req_object_reference" does not exist
at org.wso2.carbon.identity.base.IdentityRuntimeException.error(IdentityRuntimeException.java:71)
at org.wso2.carbon.identity.core.persistence.IdentityDBInitializer.executeSQL(IdentityDBInitializer.java:351)
at org.wso2.carbon.identity.core.persistence.IdentityDBInitializer.executeSQLScript(IdentityDBInitializer.java:264)
at org.wso2.carbon.identity.core.persistence.IdentityDBInitializer.createIdentityDatabase(IdentityDBInitializer.java:141)
at org.wso2.carbon.identity.core.persistence.JDBCPersistenceManager.initializeDatabase(JDBCPersistenceManager.java:112)
at org.wso2.carbon.identity.core.internal.IdentityCoreServiceComponent.activate(IdentityCoreServiceComponent.java:133)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.eclipse.equinox.internal.ds.model.ServiceComponent.activate(ServiceComponent.java:235)
at org.eclipse.equinox.internal.ds.model.ServiceComponentProp.activate(ServiceComponentProp.java:146)
at org.eclipse.equinox.internal.ds.model.ServiceComponentProp.build(ServiceComponentProp.java:345)
at org.eclipse.equinox.internal.ds.InstanceProcess.buildComponent(InstanceProcess.java:620)
at org.eclipse.equinox.internal.ds.InstanceProcess.buildComponents(InstanceProcess.java:197)
at org.eclipse.equinox.internal.ds.Resolver.getEligible(Resolver.java:343)
at org.eclipse.equinox.internal.ds.SCRManager.serviceChanged(SCRManager.java:222)
at org.eclipse.osgi.internal.serviceregistry.FilteredServiceListener.serviceChanged(FilteredServiceListener.java:107)
at org.eclipse.osgi.framework.internal.core.BundleContextImpl.dispatchEvent(BundleContextImpl.java:861)
at org.eclipse.osgi.framework.eventmgr.EventManager.dispatchEvent(EventManager.java:230)
at org.eclipse.osgi.framework.eventmgr.ListenerQueue.dispatchEventSynchronous(ListenerQueue.java:148)
at org.eclipse.osgi.internal.serviceregistry.ServiceRegistry.publishServiceEventPrivileged(ServiceRegistry.java:819)
at org.eclipse.osgi.internal.serviceregistry.ServiceRegistry.publishServiceEvent(ServiceRegistry.java:771)
at org.eclipse.osgi.internal.serviceregistry.ServiceRegistrationImpl.register(ServiceRegistrationImpl.java:130)
at org.eclipse.osgi.internal.serviceregistry.ServiceRegistry.registerService(ServiceRegistry.java:214)
at org.eclipse.osgi.framework.internal.core.BundleContextImpl.registerService(BundleContextImpl.java:433)
at org.eclipse.osgi.framework.internal.core.BundleContextImpl.registerService(BundleContextImpl.java:451)
at org.wso2.carbon.core.init.CarbonServerManager.initializeCarbon(CarbonServerManager.java:515)
at org.wso2.carbon.core.init.CarbonServerManager.removePendingItem(CarbonServerManager.java:291)
at org.wso2.carbon.core.init.PreAxis2ConfigItemListener.bundleChanged(PreAxis2ConfigItemListener.java:118)
at org.eclipse.osgi.framework.internal.core.BundleContextImpl.dispatchEvent(BundleContextImpl.java:847)
at org.eclipse.osgi.framework.eventmgr.EventManager.dispatchEvent(EventManager.java:230)
at org.eclipse.osgi.framework.eventmgr.EventManager$EventThread.run(EventManager.java:340)
Caused by: org.postgresql.util.PSQLException: ERROR: relation "idn_oidc_req_object_reference" does not exist
at org.postgresql.core.v3.QueryExecutorImpl.receiveErrorResponse(QueryExecutorImpl.java:2161)
at org.postgresql.core.v3.QueryExecutorImpl.processResults(QueryExecutorImpl.java:1890)
at org.postgresql.core.v3.QueryExecutorImpl.execute(QueryExecutorImpl.java:255)
at org.postgresql.jdbc2.AbstractJdbc2Statement.execute(AbstractJdbc2Statement.java:559)
at org.postgresql.jdbc2.AbstractJdbc2Statement.executeWithFlags(AbstractJdbc2Statement.java:403)
at org.postgresql.jdbc2.AbstractJdbc2Statement.execute(AbstractJdbc2Statement.java:395)
at sun.reflect.GeneratedMethodAccessor41.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.tomcat.jdbc.pool.StatementFacade$StatementProxy.invoke(StatementFacade.java:114)
at com.sun.proxy.$Proxy18.execute(Unknown Source)
at org.wso2.carbon.identity.core.persistence.IdentityDBInitializer.executeSQL(IdentityDBInitializer.java:318)
... 31 more

[1] https://github.com/wso2/carbon-consent-management/pull/47


Thanks
Isura.
-- 

*Isura Dilhara Karunaratne*
Associate Technical Lead | WSO2
Email: 

Re: [Dev] Generalizing Post Authentictaion Handling in Authentictaion Framework.

2018-02-01 Thread Isura Karunaratne
On Fri, Feb 2, 2018 at 10:07 AM, Hasintha Indrajee <hasin...@wso2.com>
wrote:

>
> On Fri, Feb 2, 2018 at 8:00 AM, Isura Karunaratne <is...@wso2.com> wrote:
>
>>
>>
>> On Thu, Feb 1, 2018 at 1:41 PM, Hasintha Indrajee <hasin...@wso2.com>
>> wrote:
>>
>>> Eventing is more asynchronous. We may need synchronous processing for
>>> this. Also we need to control the flow of these handlers depending on the
>>> state of the handler, e.g. we may need to do a few redirections within a
>>> handler in order to proceed (e.g. the missing mandatory claim handler). Hence
>>> I think it's better to go with a specific interface than our handler
>>> architecture.
>>>
>>
>> Eventing can be synchronous as well. Since we need to handle
>> redirections, +1 to go with a specific interface design.
>>
> Our current eventing framework does not have synchronous support AFAIK
>
It can be sync or async depending on the handler implementation [1].

[1]
https://github.com/wso2/carbon-identity-framework/blob/master/components/identity-event/org.wso2.carbon.identity.event/src/main/java/org/wso2/carbon/identity/event/services/IdentityEventServiceImpl.java#L56

Thanks
Isura.

>
>> Thanks
>> Isura.
>>
>>>
>>> On Thu, Feb 1, 2018 at 1:36 PM, Malithi Edirisinghe <malit...@wso2.com>
>>> wrote:
>>>
>>>> Hi Hasintha,
>>>>
>>>> Does this mean that you will be introducing another OSGi service
>>>> interface for post authentication handlers?
>>>> What about using the already available eventing service [1]?
>>>>
>>>> [1] https://github.com/wso2/carbon-identity-framework/blob/master/components/identity-event/org.wso2.carbon.identity.event/src/main/java/org/wso2/carbon/identity/event/services/IdentityEventService.java
>>>>
>>>> Thanks,
>>>> Malithi.
>>>>
>>>> On Thu, Feb 1, 2018 at 6:20 AM, Hasintha Indrajee <hasin...@wso2.com>
>>>> wrote:
>>>>
>>>>> At present we have post authentication criteria which are
>>>>> evaluated upon authentication in an authentication flow. Examples are
>>>>> "Handling missing mandatory claims" and "Authorization handling". According
>>>>> to the current implementation this logic is bound to our framework
>>>>> implementation, so that if we need to add a new post authentication
>>>>> evaluation criterion, we do not have an alternative other than changing
>>>>> the framework source.
>>>>>
>>>>> With emerging requirements we may need to add more post authentication
>>>>> criteria in the future. For example, we may need to intercept post
>>>>> authentication and request consent on requested claims. Likewise there
>>>>> may be other requirements to intercept the post authentication flow.
>>>>>
>>>>> Foreseeing these requirements we are planning to generalize post
>>>>> authentication handling so that post authentication handling will no longer
>>>>> be a static part of the framework. We should be able to add post authentication
>>>>> handlers as OSGI services. Upon this change, the missing mandatory claim
>>>>> handler and the authorization handler will be two OSGI post authentication
>>>>> handlers.
>>>>>
>>>>> --
>>>>> Hasintha Indrajee
>>>>> WSO2, Inc.
>>>>> Mobile:+94 771892453 <+94%2077%20189%202453>
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>>
>>>> *Malithi Edirisinghe*
>>>> Associate Technical Lead
>>>> WSO2 Inc.
>>>>
>>>> Mobile : +94 (0) 718176807
>>>> malit...@wso2.com
>>>>
>>>
>>>
>>>
>>> --
>>> Hasintha Indrajee
>>> WSO2, Inc.
>>> Mobile:+94 771892453 <+94%2077%20189%202453>
>>>
>>>
>>
>>
>> --
>>
>> *Isura Dilhara Karunaratne*
>> Associate Technical Lead | WSO2
>> Email: is...@wso2.com
>> Mob : +94 772 254 810 <077%20225%204810>
>> Blog : http://isurad.blogspot.com/
>>
>>
>>
>>
>
>
> --
> Hasintha Indrajee
> WSO2, Inc.
> Mobile:+94 771892453 <+94%2077%20189%202453>
>
>


-- 

*Isura Dilhara Karunaratne*
Associate Technical Lead | WSO2
Email: is...@wso2.com
Mob : +94 772 254 810
Blog : http://isurad.blogspot.com/
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


Re: [Dev] Generalizing Post Authentictaion Handling in Authentictaion Framework.

2018-02-01 Thread Isura Karunaratne
On Thu, Feb 1, 2018 at 1:41 PM, Hasintha Indrajee  wrote:

> Eventing is more asynchronous. We may need synchronous processing for
> this. Also we need to control the flow of these handlers depending on the
> state of the handler, e.g. we may need to do a few redirections within a
> handler in order to proceed (e.g. the missing mandatory claim handler). Hence
> I think it's better to go with a specific interface than our handler
> architecture.
>

Eventing can be synchronous as well. Since we need to handle redirections,
+1 to go with a specific interface design.

Thanks
Isura.

>
> On Thu, Feb 1, 2018 at 1:36 PM, Malithi Edirisinghe 
> wrote:
>
>> Hi Hasintha,
>>
>> Does this mean that you will be introducing another OSGi service
>> interface for post authentication handlers?
>> What about using the already available eventing service [1]?
>>
>> [1] https://github.com/wso2/carbon-identity-framework/blob/master/components/identity-event/org.wso2.carbon.identity.event/src/main/java/org/wso2/carbon/identity/event/services/IdentityEventService.java
>>
>> Thanks,
>> Malithi.
>>
>> On Thu, Feb 1, 2018 at 6:20 AM, Hasintha Indrajee 
>> wrote:
>>
>>> At present we have post authentication criteria which are evaluated
>>> upon authentication in an authentication flow. Examples are "Handling
>>> missing mandatory claims" and "Authorization handling". According to the
>>> current implementation this logic is bound to our framework
>>> implementation, so that if we need to add a new post authentication
>>> evaluation criterion, we do not have an alternative other than changing
>>> the framework source.
>>>
>>> With emerging requirements we may need to add more post authentication
>>> criteria in the future. For example, we may need to intercept post
>>> authentication and request consent on requested claims. Likewise there
>>> may be other requirements to intercept the post authentication flow.
>>>
>>> Foreseeing these requirements we are planning to generalize post
>>> authentication handling so that post authentication handling will no longer
>>> be a static part of the framework. We should be able to add post authentication
>>> handlers as OSGI services. Upon this change, the missing mandatory claim
>>> handler and the authorization handler will be two OSGI post authentication
>>> handlers.
>>>
>>> --
>>> Hasintha Indrajee
>>> WSO2, Inc.
>>> Mobile:+94 771892453 <+94%2077%20189%202453>
>>>
>>>
>>
>>
>> --
>>
>> *Malithi Edirisinghe*
>> Associate Technical Lead
>> WSO2 Inc.
>>
>> Mobile : +94 (0) 718176807
>> malit...@wso2.com
>>
>
>
>
> --
> Hasintha Indrajee
> WSO2, Inc.
> Mobile:+94 771892453 <+94%2077%20189%202453>
>
>


-- 

*Isura Dilhara Karunaratne*
Associate Technical Lead | WSO2
Email: is...@wso2.com
Mob : +94 772 254 810
Blog : http://isurad.blogspot.com/
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
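The design argued for in both copies of this thread (a dedicated handler interface rather than eventing, because handlers must run synchronously, in order, and be able to redirect the user and resume) as a small runnable model. This is an added example, not Identity Server code: FlowStatus, AuthContext, PostAuthHandler, run_post_auth and the two sample handlers are constructed names; in IS the handlers would be registered as OSGi services, which is replaced here by a plain list.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Iterable, List, Optional


class FlowStatus(Enum):
    COMPLETED = "completed"      # handler is done; continue with the next one
    INCOMPLETE = "incomplete"    # handler redirected the user; re-enter it on the next request
    FAILED = "failed"            # deny the login


@dataclass
class AuthContext:
    """Per-login state carried across requests (constructed; stands in for the IS context)."""
    user: str
    claims: Dict[str, str]
    next_handler: int = 0                 # index to resume from after a redirect
    redirect_to: Optional[str] = None     # set by a handler that returns INCOMPLETE


class PostAuthHandler:
    """The interface every post-authentication handler implements."""
    priority = 100                        # lower runs first

    def handle(self, ctx: AuthContext, request: Dict[str, object]) -> FlowStatus:
        raise NotImplementedError


class MissingMandatoryClaimsHandler(PostAuthHandler):
    """Redirects to a page that collects mandatory claims the user store lacks."""
    priority = 10

    def __init__(self, mandatory: Iterable[str]):
        self.mandatory = list(mandatory)

    def handle(self, ctx, request):
        missing = [c for c in self.mandatory if c not in ctx.claims]
        if not missing:
            return FlowStatus.COMPLETED
        supplied = request.get("claims", {})
        if all(c in supplied for c in missing):
            ctx.claims.update({c: supplied[c] for c in missing})  # resumed with the answers
            return FlowStatus.COMPLETED
        ctx.redirect_to = "/missing-claims?claims=" + ",".join(missing)
        return FlowStatus.INCOMPLETE


class AuthorizationHandler(PostAuthHandler):
    """Denies the login unless the authenticated user is allowed (constructed rule)."""
    priority = 20

    def __init__(self, allowed_users: Iterable[str]):
        self.allowed = set(allowed_users)

    def handle(self, ctx, request):
        return FlowStatus.COMPLETED if ctx.user in self.allowed else FlowStatus.FAILED


def run_post_auth(handlers: List[PostAuthHandler], ctx: AuthContext,
                  request: Dict[str, object]) -> FlowStatus:
    """Run handlers synchronously in priority order, resuming where a redirect stopped.

    The first INCOMPLETE or FAILED result ends this pass: later handlers never run
    until the earlier one completes, which an asynchronous event bus cannot guarantee.
    """
    ordered = sorted(handlers, key=lambda h: h.priority)
    ctx.redirect_to = None
    while ctx.next_handler < len(ordered):
        status = ordered[ctx.next_handler].handle(ctx, request)
        if status is not FlowStatus.COMPLETED:
            return status
        ctx.next_handler += 1
    return FlowStatus.COMPLETED


if __name__ == "__main__":
    handlers = [AuthorizationHandler({"alice"}), MissingMandatoryClaimsHandler(["email", "phone"])]
    ctx = AuthContext(user="alice", claims={"email": "alice@example.com"})
    print(run_post_auth(handlers, ctx, {}), ctx.redirect_to)          # INCOMPLETE, redirect
    print(run_post_auth(handlers, ctx, {"claims": {"phone": "+94000000000"}}))  # COMPLETED
```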


Re: [Dev] [Architecture] Consent Management APIs for IS 5.5.0

2018-02-01 Thread Isura Karunaratne
On Thu, Feb 1, 2018 at 7:21 PM, Ayesha Dissanayaka <aye...@wso2.com> wrote:

>
> Hi,
>
> We have started evaluating the effort of providing a UI in the Identity Server
> dashboard for consent management and came across the following.
>
> *GET /consents*
>
>- Need to return user friendly "Service Name" and "Service Description".
>- *purpose* object needs *purposeId*.
>- *piiCategory* object should contain *piiCategoryId* and
>*piiCategoryName*; remove the duplicated *piiCategory.*
>   - A sample response is suggested below.
>
>
Will incorporate these changes.

>
>
>   ...
>   "purposes": [
>   {
> "purpose": "string",
> "purposeId": "string",
> "purposeCategory": [
>   "string"
> ],
> "consentType": "string",
> "piiCategory": [
>   {
> "piiCategoryName": "string",
> "piiCategoryId": "string",
> "validity": "string"
>   }
> ],
>   ...
>
>
> Also I have observed that *piiCategory* is referred to as *piiCategory* and
> *piiCategories* in different API responses. Is it the intended naming?
>

Since it is a list, it should be referred to as piiCategories, but we
used *piiCategory* in the *consent receipt* to comply with the spec.

Thanks
Isura.

>
> Thanks!
> -Ayesha
>
>
> On Thu, Feb 1, 2018 at 6:27 PM, Darshana Gunawardana <darsh...@wso2.com>
> wrote:
>
>> On Thu, Feb 1, 2018 at 6:18 PM, Omindu Rathnaweera <omi...@wso2.com>
>> wrote:
>>
>>> Hi Darshana,
>>>
>>> On Thu, Feb 1, 2018 at 5:42 PM, Darshana Gunawardana <darsh...@wso2.com>
>>> wrote:
>>>
>>>>
>>>> On Thu, Feb 1, 2018 at 5:13 PM, Isura Karunaratne <is...@wso2.com>
>>>> wrote:
>>>>
>>>>> Hi Darshana,
>>>>>
>>>>> On Thu, Feb 1, 2018 at 3:39 PM, Darshana Gunawardana <
>>>>> darsh...@wso2.com> wrote:
>>>>>
>>>>>> Hi Isura,
>>>>>>
>>>>>> How are these consents handled with state changes of related entities?
>>>>>>
>>>>>> For example,
>>>>>> > user delete
>>>>>> > sp delete
>>>>>>
>>>>>> This should be handled through a user operation event listener or
>>>>> event handler.
>>>>>
>>>>
>>>> Yes. So are we going to have the relevant implementations with this feature?
>>>>
>>>
>>> As the API is not specific to a product these scenarios should be
>>> handled as a part of integrating the feature to the product.  We will
>>> handle these cases during the integration effort for product IS.
>>>
>>
>> That makes sense.. +1 for the approach.
>>
>>>
>>>
>>>>
>>>> Can there be any other cases similar to above?
>>>>
>>>
>>> Apart from the above scenarios, user store removal and tenant
>>> deactivation are 2 such cases. However, revoking consents for tenant
>>> deactivation is something we have to think about a bit more, as we can reactivate
>>> the tenants and once that is done, the consents will no longer be active.
>>>
>>>>
>>>> Thanks,
>>>>
>>>>> Isura.
>>>>>
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> On Wed, Jan 10, 2018 at 1:58 PM, Isura Karunaratne <is...@wso2.com>
>>>>>> wrote:
>>>>>>
>>>>>>> On Wed, Jan 10, 2018 at 12:44 PM, Godwin Shrimal <god...@wso2.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Hi Isuru,
>>>>>>>>
>>>>>>>> Please see below few suggestions.
>>>>>>>>
>>>>>>>> 1. API name of the Purpose Category (/pcategories) is not readable.
>>>>>>>> Why don't we use it as */**purpose-categories* ?
>>>>>>>> 2. What is /*category*/{purposeCategoryId}  API ? It shows API
>>>>>>>> name as /*category. *I think it should be renamed as below
>>>>>>>> (Ac

Re: [Dev] [Architecture] Personal information export API

2018-01-24 Thread Isura Karunaratne
On Wed, Jan 24, 2018 at 2:20 PM, Maduranga Siriwardena 
wrote:

> If the user is in a secondary userstore, the fully qualified username contains
> the "/" character. But it seems we can't send URL-encoded "/" characters
> (%2F) in path parameters. We are evaluating possible solutions for this. If
> this is not an option, we are planning to base64 encode the username and
> then URL encode it.
>
> We already have a web application with the name api#identity#user [1]. So we
> are planning to use the same repository for this code also.
>

Yes. We can use the same application.

>
> [1] https://github.com/wso2-extensions/identity-governance/
> tree/v1.0.38/components/org.wso2.carbon.identity.user.endpoint
>
> Thanks,
>
> On Tue, Jan 23, 2018 at 10:40 AM, Maduranga Siriwardena <
> madura...@wso2.com> wrote:
>
>>
>>
>> On Tue, Jan 23, 2018 at 10:35 AM, Omindu Rathnaweera 
>> wrote:
>>
>>>
>>> Hi Maduranga,
>>>
>>> On Tue, Jan 23, 2018 at 10:23 AM, Maduranga Siriwardena <
>>> madura...@wso2.com> wrote:
>>>
 Hi all,

 The web app name we have come up with for this endpoint
 is api#identity#user#v1.0 and the path for the endpoint is
 /pi/users/{userId}. So the whole endpoint would be

- for super tenant,

 /api/identity/user/v1.0/pi/users/{userId}


- for tenant,

 /t/{tenant-domain}/api/identity/user/v1.0/pi/users/{userId}


IMO we can use the following format,

/t/{tenant-domain}/api/identity/user/v1.0/pi-info/{id}


Thanks
Isura.

>
 Our initial plan was to use the ID used in the Pseudonyms for Username
 feature [1]. But as the ID used by the Pseudonyms for Username feature is not
 available externally, we cannot use it here. The next option available to us is
 the ID used in SCIM. But as it is not mandatory to have a SCIM ID in the system
 (when SCIM is disabled), we cannot use this option either.

 Because of the above reasons, we are planning to use the base64-encoded fully
 qualified username as the userId in the above request.

>>>
>>> I would like to know the rationale behind base64 encoding the username.
>>> Also, if it has to be b64 encoded for some reason, then it should be base64
>>> URL encoded, I believe.
>>>
>>
>> Yes, this should be URL encoding.
>>
>>>
>>>

 Do you have any suggestions?

 [1] [Architecture] GDPR - Pseudonyms For Username

 Thanks,

 On Mon, Jan 22, 2018 at 5:52 PM, Hasintha Indrajee 
 wrote:

> In a federated user scenario, we have neither the user information nor the
> email address of the user in the case where the user is not JIT provisioned.
> Hence we won't be able to share consents with the user in an offline method.
> But still, for federated users we need to maintain the consents which we give
> out to SPs. We can process this offline and store it somewhere (consent info
> ready for download). The way we share it will depend. e.g. For the users who
> have emails we can send them through an email (as a download link). If not,
> we can share that information through another medium (e.g. the user profile
> at a later login).
>
> On Mon, Jan 22, 2018 at 5:40 PM, Ruwan Abeykoon 
> wrote:
>
>> Hi Hasintha,
>> We do not need to export anything we do not keep in our databases.
>> Could you please explain further if we need to do anything extra for the
>> federated case?
>>
>> Cheers,
>> Ruwan
>>
>> On Mon, Jan 22, 2018 at 5:33 PM, Hasintha Indrajee wrote:
>>
>>> Just a quick question. How are we going to cater for consents for
>>> federated users? Having consent from the 3rd party IDP to IS will not be
>>> enough AFAIU. If we are sharing that information through an SP we need to
>>> maintain those consents as well. WDYT?
>>>
>>> In that case how can federated users download their consents?
>>>
>>> On Mon, Jan 22, 2018 at 5:25 PM, Omindu Rathnaweera wrote:
>>>
 Hi Maduranga,

 In the consent API we do not have the option to get multiple
 receipts; the API only returns a list of receipt IDs for a given search
 criteria. If you need to include receipt data of all the consent entries,
 you will have to iterate through all the consent IDs and fetch the
 individual receipts. Keep in mind that this is likely to generate a
 payload of a considerable size.

 Regards,
 Omindu.


 On Mon, Jan 22, 2018 at 5:12 PM, Maduranga Siriwardena <
 madura...@wso2.com> wrote:

> Hi all,
>
> We are creating a REST API to export user information for IS 5.5.0.
>
> Swagger at [1] is the initial design of the API.
>
> In the initial phase we are allowing the data to be exported only
> by the owner of 
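
As an added example (not code from this thread or from the identity-governance project), here is the base64url handling of the fully qualified username for the {userId} path segment discussed above, with a strict decoder and the path layout Maduranga gave. The sample usernames, tenant domain and function names are assumptions.

```python
import base64
import binascii
from typing import Optional

# Constructed sample usernames, not values from the thread. The secondary
# user store form carries the "/" that cannot travel as a raw path segment.
PRIMARY_USER = "maduranga"
SECONDARY_USER = "SECONDARY/maduranga"


def encode_user_id(fully_qualified_username: str) -> str:
    """Turn a fully qualified username into a {userId} path segment.

    Standard base64 can itself emit "/" and "+", so the URL-safe alphabet
    of RFC 4648 section 5 is used and the "=" padding is dropped. The result
    only contains [A-Za-z0-9_-], so it needs no further percent-encoding.
    """
    raw = base64.urlsafe_b64encode(fully_qualified_username.encode("utf-8"))
    return raw.decode("ascii").rstrip("=")


def decode_user_id(user_id: str) -> str:
    """Reverse of encode_user_id; rejects anything outside the alphabet.

    validate=True makes the decoder raise on characters outside the
    alphabet instead of silently discarding them (the default behaviour).
    """
    padded = user_id + "=" * (-len(user_id) % 4)
    try:
        raw = base64.b64decode(padded, altchars=b"-_", validate=True)
        username = raw.decode("utf-8")
    except (binascii.Error, ValueError) as exc:
        raise ValueError("userId is not a valid base64url username") from exc
    if not username or "\x00" in username:
        raise ValueError("decoded username is empty or contains NUL")
    return username


def export_path(username: str, tenant_domain: Optional[str] = None) -> str:
    """Build the /pi/users/{userId} path in the layout quoted in the thread."""
    segment = encode_user_id(username)
    base = "/api/identity/user/v1.0/pi/users/" + segment
    return "/t/" + tenant_domain + base if tenant_domain else base


if __name__ == "__main__":
    for user in (PRIMARY_USER, SECONDARY_USER):
        uid = encode_user_id(user)
        print(user, "->", uid, "->", decode_user_id(uid))
    print(export_path(SECONDARY_USER, "wso2.com"))
```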

Re: [Dev] [IAM]Implementing Eventing Mechanism in token/code insertion/deletion or revocation

2018-01-23 Thread Isura Karunaratne
On Tue, Jan 23, 2018 at 10:54 PM, Hasanthi Purnima Dissanayake <
hasan...@wso2.com> wrote:

> Hi All,
>
> Requirement :
> We have a requirement to insert/update or delete a row from a db table
> once an access token or authorization code is generated or revoked, a code or
> token status is changed, or a refresh token is issued. Without directly
> invoking the db, we thought of implementing events to trigger when one of
> the above scenarios happens. In the existing architecture, the service
> layer is responsible for issuing/revoking/deleting tokens or codes and this
> layer is directly invoking the DAO layer for db calls. So we have two
> places to implement events: in the service layer or the DAO layer.
>
> Problem :
> If we are implementing the events in the service layer, then we have to
> trigger multiple events in multiple places, as we are doing the above operations
> in multiple places in the service layer. Also, some of the service layer
> classes are extensible, so we cannot guarantee that a third party extension
> developer will implement the events in the extended code.
>
> If we are implementing the events in the DAO layer, then the DAO layer
> isolation will be violated.
>
> Ideally there should be a middle layer in between the service layer and
> the DAO layer for such situations. As we don't have such a middle
> layer, ATM we have implemented the events in the DAO layer.
>
> Highly appreciate any feedback on above.
>
Yes. It is better to have a middle layer to publish the events rather than
publishing from the DAO layer.

Thanks
Isura.


>
> Thanks,
>
> --
>
> Hasanthi Dissanayake
>
> Senior Software Engineer | WSO2
>
> E: hasan...@wso2.com
> M :0718407133| http://wso2.com 
>



-- 

*Isura Dilhara Karunaratne*
Associate Technical Lead | WSO2
Email: is...@wso2.com
Mob : +94 772 254 810
Blog : http://isurad.blogspot.com/
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


Re: [Dev] Clarification regarding Requested Claims

2018-01-23 Thread Isura Karunaratne
On Tue, Jan 23, 2018 at 5:07 PM, Darshana Gunawardana <darsh...@wso2.com>
wrote:

> Is this a JIT-specific issue, or can this be seen with a simple SSO scenario
> when the SP requests custom claims?
>

This shouldn't be a JIT-specific issue.
The mandatory claim was successfully updated for the provisioned user. So, there
should be an issue with the mandatory claims popup feature when custom claims
are configured.

Thanks
Isura.

>
> Thanks,
>
> On Tue, Jan 23, 2018 at 4:58 PM, Chankami Maddumage <chank...@wso2.com>
> wrote:
>
>> Hi Omindu and Isura,
>>
>> Thank you so much for looking into this issue. I have created a git
>> ticket [1].
>>
>> [1] https://github.com/wso2/product-is/issues/2162
>>
>> On Tue, Jan 23, 2018 at 3:55 PM, Omindu Rathnaweera <omi...@wso2.com>
>> wrote:
>>
>>> Isura and I tested this in the QA setup. It seems this is
>>> happening when custom claim mappings are added in the SP's claim configs.
>>>
>>> @Chankami, looks like this is a bug. Can you create a git issue with the
>>> steps to reproduce? I guess you can test the solution without having the
>>> custom claim mappings for the moment.
>>>
>>> Regards,
>>> Omindu.
>>>
>>> On Tue, Jan 23, 2018 at 2:13 PM, Darshana Gunawardana <darsh...@wso2.com
>>> > wrote:
>>>
>>>> Hi Chankami,
>>>>
>>>> You might be trying with the same user who is already JIT provisioned. In that
>>>> case, AFAIR the association will not be created automatically. If you want to
>>>> create an association for an already existing user in the IS, you have to
>>>> follow the steps that Omindu mentioned.
>>>>
>>>> Thanks,
>>>>
>>>> On Tue, Jan 23, 2018 at 2:10 PM, Omindu Rathnaweera <omi...@wso2.com>
>>>> wrote:
>>>>
>>>>> Hi Chankami,
>>>>>
>>>>> I tried a federated JIT scenario for a secondary userstore with FB,
>>>>> enabling 'Assert identity using mapped local subject identifier' as Isura
>>>>> mentioned, and the missing claim was only prompted once, as expected. When
>>>>> JIT provisioning, IS automatically associates the provisioned user with the
>>>>> federated user; hence it will not prompt for mandatory claims once the user
>>>>> submits them the first time.
>>>>>
>>>>> Can you log in to the provisioned user's dashboard and check the
>>>>> 'Associated Accounts' to see whether an association is created for that user?
>>>>> You will need to give the login permission to the user in order to log in
>>>>> to the dashboard.
>>>>>
>>>>> Regards,
>>>>> Omindu.
>>>>>
>>>>> On Tue, Jan 23, 2018 at 1:07 PM, Chankami Maddumage <chank...@wso2.com
>>>>> > wrote:
>>>>>
>>>>>> Thank you Ayesha for the explanation.
>>>>>>
>>>>>> @Isura I enabled the above-mentioned property but the behavior is
>>>>>> the same. Is there any other property?
>>>>>>
>>>>>> On Tue, Jan 23, 2018 at 12:32 PM, Isura Karunaratne <is...@wso2.com>
>>>>>> wrote:
>>>>>>
>>>>>>> Hi Chankami,
>>>>>>>
>>>>>>> Hope you are testing IS 5.4.0.
>>>>>>>
>>>>>>> Can you try the scenario while enabling "Assert identity using
>>>>>>> mapped local subject identifier" in SP "Local & Outbound
>>>>>>> Authentication Configuration" section?
>>>>>>>
>>>>>>> Thanks
>>>>>>> Isura.
>>>>>>>
>>>>>>> On Tue, Jan 23, 2018 at 12:13 PM, Ayesha Dissanayaka <
>>>>>>> aye...@wso2.com> wrote:
>>>>>>>
>>>>>>>> Hi Chankami,
>>>>>>>>
>>>>>>>> On Tue, Jan 23, 2018 at 11:33 AM, Chankami Maddumage <
>>>>>>>> chank...@wso2.com> wrote:
>>>>>>>>
>>>>>>>>> Hi IAM Team
>>>>>>>>>
>>>>>>>>> I have a scenario to enforce users to provide missing required
>>>>>>>>> attributes while getting JIT provisioned to the local system.
>>>>>>>>>
>>>>>>>>> In order to achieve thi

Re: [Dev] [IAM] Defining Two Regex Patterns in User Store Configuration and Claim Configuration is Wrong

2018-01-22 Thread Isura Karunaratne
Hi Johann,



On Tue, Jan 23, 2018 at 8:07 AM, Johann Nallathamby  wrote:

> Hi IAM Team,
>
> We have two regex patterns for user names and role names.
>
> 1. In the userstore configuration as "UsernameJavaRegex" and
> "RolenameJavaRegex".
>
> 2. Similarly we have Regex property defined for claims and username -
> http://wso2.org/claim/username and role name - http://wso2.org/claims/role
> are claims as well.
>

> Can we not have two places to define regex for these two claims? How come
> we don't need to define regex for other user attributes in the user store
> configuration? Why is username (and role name) special?
>
>
> Also we have separate Javascript Regex properties for username and role
> name. Why don't we have the same for other attributes? If so can't we
> introduce that as another claim property to be consistent and easy to
> understand for users?
>

RolenameJavaRegex is different from the regex defined in the
http://wso2.org/claims/role claim, because that claim is used to store all
the roles the particular user is assigned. RolenameJavaRegex will be
applied to a single role.

Ex. role claim value --> Internal/everyone,admin,Application/travelocity.com

Thanks
Isura.


>
> Regards,
> Johann.
>
> --
>
> *Johann Dilantha Nallathamby*
> Senior Lead Solutions Engineer
> WSO2, Inc.
> lean.enterprise.middleware
>
> Mobile: *+94 77 7776950*
> LinkedIn: *http://www.linkedin.com/in/johann-nallathamby
> *
> Medium: *https://medium.com/@johann_nallathamby
> *
> Twitter: *@dj_nallaa*
>



-- 

*Isura Dilhara Karunaratne*
Associate Technical Lead | WSO2
Email: is...@wso2.com
Mob : +94 772 254 810
Blog : http://isurad.blogspot.com/
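An added example, not from this thread or the WSO2 code base, showing Isura's point: the role claim value holds a comma-separated list of roles, so RolenameJavaRegex must be applied to each role rather than to the whole claim value. The sample pattern and the function names are constructed assumptions.

```python
import re
from typing import List

# Constructed sample pattern standing in for the user store's
# RolenameJavaRegex; the real value comes from the user store configuration.
ROLENAME_JAVA_REGEX = r"[a-zA-Z0-9._\-|/]{3,30}"

# Role claim value quoted in the thread: one string holding every role the
# user is assigned, comma separated.
ROLE_CLAIM_VALUE = "Internal/everyone,admin,Application/travelocity.com"


def split_role_claim(claim_value: str) -> List[str]:
    """Split the http://wso2.org/claims/role value into single role names."""
    return [r.strip() for r in claim_value.split(",") if r.strip()]


def invalid_roles(claim_value: str, role_regex: str = ROLENAME_JAVA_REGEX) -> List[str]:
    """Return the roles in the claim value that fail the single-role regex.

    re.fullmatch stands in for Java's String.matches, which anchors the
    pattern to the whole input, so each role is checked on its own.
    """
    return [r for r in split_role_claim(claim_value) if not re.fullmatch(role_regex, r)]


def whole_claim_matches(claim_value: str, role_regex: str = ROLENAME_JAVA_REGEX) -> bool:
    """Apply the single-role regex to the entire claim value.

    This is the mix-up the thread warns about: the joined value carries
    commas and grows past the per-role length limit, so a perfectly valid
    set of roles is rejected.
    """
    return re.fullmatch(role_regex, claim_value) is not None


if __name__ == "__main__":
    print("per-role failures:", invalid_roles(ROLE_CLAIM_VALUE))
    print("whole value passes role regex:", whole_claim_matches(ROLE_CLAIM_VALUE))
```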


Re: [Dev] Personal information export API

2018-01-22 Thread Isura Karunaratne
On Mon, Jan 22, 2018 at 5:25 PM, Omindu Rathnaweera  wrote:

> Hi Maduranga,
>
> In the consent API we do not have the option to get multiple receipts; the
> API only returns a list of receipt IDs for a given search criteria. If you
> need to include receipt data of all the consent entries, you will have to
> iterate through all the consent IDs and fetch the individual receipts. Keep
> in mind that this is likely to generate a payload of a considerable size.
>

Yes. The payload will be large if we are sending the whole receipts.

Is it mandatory to send the response synchronously? Shall we have an option
to send the response offline via email too?

Thanks
Isura

>
> Regards,
> Omindu.
>
>
> On Mon, Jan 22, 2018 at 5:12 PM, Maduranga Siriwardena wrote:
>
>> Hi all,
>>
>> We are creating a REST API to export user information for IS 5.5.0.
>>
>> Swagger at [1] is the initial design of the API.
>>
>> In the initial phase we are allowing the data to be exported only by the
>> owner of the profile.
>>
>> At the moment we are planning to export basic user profile information and
>> the consents the user has given. The response JSON has 2 parts in it.
>>
>>- basic: this part will have the user's profile information (claims)
>>in the wso2 dialect
>>- consents: this part will have an array of consents the user has
>>provided to the Identity Server. Though in the swagger it is represented
>>with the ID of the consent receipt, the actual response will consist of
>>the whole consent receipt. (Refer to mail thread [2] @ architect...@wso2.org
>>for more information)
>>
>> Below is a sample JSON response.
>>
>> {
>>   "basic": {
>>     "http://wso2.org/claims/userid": "92d6513e-f4ca-4438-b403-98380695ed08",
>>     "http://wso2.org/claims/username": "maduranga",
>>     "http://wso2.org/claims/givenname": "Maduranga",
>>     "http://wso2.org/claims/lastname": "Siriwardena",
>>     "http://wso2.org/claims/emailaddress": "madura...@wso2.com",
>>     "http://wso2.org/claims/telephone": "+947"
>>   },
>>   "consents": [
>>     {
>>       "id": "bc53e7bd-013d-4020-b522-1915ada1f305"
>>     }
>>   ]
>> }
>>
>> Do you have any suggestions for additional types of information to be
>> included in the response?
>>
>> [1] https://app.swaggerhub.com/apis/Maduranga/PersonalInformationExport/1.0.0
>> [2] Consent Management APIs for IS 5.5.0
>>
>> Thanks,
>>
>> --
>> Maduranga Siriwardena
>> Senior Software Engineer
>> WSO2 Inc; http://wso2.com/
>>
>> Email: madura...@wso2.com
>> Mobile: +94718990591
>> Blog: https://madurangasiriwardena.wordpress.com/
>> 
>>
>
>
>
> --
> Omindu Rathnaweera
> Senior Software Engineer, WSO2 Inc.
> Mobile: +94 771 197 211
>



-- 

*Isura Dilhara Karunaratne*
Associate Technical Lead | WSO2
Email: is...@wso2.com
Mob : +94 772 254 810
Blog : http://isurad.blogspot.com/


Re: [Dev] Confidential Applications in OAuth2 Flow

2018-01-04 Thread Isura Karunaratne
Hi Hasintha,

On Thu, Jan 4, 2018 at 2:10 PM, Hasintha Indrajee  wrote:

> A confidential application in the OAuth2 flow is an application which requires
> client authentication before retrieving an access token.
>
> According to the current implementation we can define confidential
> applications only per grant type, i.e. we can define that all applications which
> use the authorization code grant should be confidential. We do not have the
> flexibility to decide whether a specific application should be confidential
> or not.
>
> As a solution we can bring this config to the UI and have a per-application
> configuration in the UI. If we bring this option to the UI level / per application,
> we can define the confidentiality of an application, but in contrast we will
> miss the ability to define whether a specific type of grant should be
> confidential or not for a specific application.
>
> In order to cater for both application and grant type level confidentiality we
> may need to have configurations per grant type. WDYT?
>

IMO, it is enough to have the configuration at the SP level.

We can cater for grant-type-wise confidentiality by creating Service
Providers per grant type.

Thanks
Isura.


>
>
> --
> Hasintha Indrajee
> WSO2, Inc.
> Mobile: +94 771892453
>
>


-- 

*Isura Dilhara Karunaratne*
Associate Technical Lead | WSO2
Email: is...@wso2.com
Mob : +94 772 254 810
Blog : http://isurad.blogspot.com/


Re: [Dev] Register Google as Idp and SP

2017-12-08 Thread Isura Karunaratne
On Fri, Dec 8, 2017 at 6:00 PM, Isuru Uyanage  wrote:

> Hi All,
>
> I have a Travelocity app configured as a Service Provider and the external
> Idp is Google. When I'm trying to log in to Travelocity with any usual Gmail
> credentials it works successfully.
>
> Further, I have configured Google as a Service Provider (in the same IS)
> for a specific domain (xyz.com). And for that SP, the Idp is configured as
> Facebook.
>
> Now, if I try to log in to Travelocity from an email address which belongs
> to the specific domain (testu...@xyz.com), it redirects to Facebook
> for authentication. With correct Facebook credentials, it
> successfully logs in to the Travelocity app.
>

WDYM by logging in to Travelocity from an email address which belongs to the
specific domain? Are you using multi-step authentication?

It would be better if you can attach images of the configurations.

Thanks
Isura.

>
> I want to clarify if this behavior is correct. Any feedback would be
> appreciated.
>
>
> *Thanks and Best Regards,*
>
> *Isuru Uyanage*
> *Software Engineer - QA | WSO2*
> *Mobile : **+94 77 55 30752*
> *LinkedIn: **https://www.linkedin.com/in/isuru-uyanage/
> *
>
>
>
>


-- 

*Isura Dilhara Karunaratne*
Associate Technical Lead | WSO2
Email: is...@wso2.com
Mob : +94 772 254 810
Blog : http://isurad.blogspot.com/


Re: [Dev] Introduce custom attributes to Identity Server embedded LDAP schema.

2017-12-04 Thread Isura Karunaratne
Hi Asela,

On Mon, Dec 4, 2017 at 1:31 PM, Asela Pathberiya <as...@wso2.com> wrote:

>
>
> On Mon, Dec 4, 2017 at 12:48 PM, Isura Karunaratne <is...@wso2.com> wrote:
>
>> This is done with the following PRs
>>
>> https://github.com/wso2-extensions/identity-userstore-ldap/pull/15/
>>
>
>> https://github.com/wso2/carbon-identity-framework/pull/1224
>>
>> Thanks
>> Isura.
>>
>> On Wed, Nov 29, 2017 at 10:42 AM, Isura Karunaratne <is...@wso2.com>
>> wrote:
>>
>>>
>>>
>>> On Wed, Nov 29, 2017 at 10:16 AM, Isura Karunaratne <is...@wso2.com>
>>> wrote:
>>>
>>>> Hi all,
>>>>
>>>> We need to update the LDIF to support the following attributes by default
>>>> in the embedded LDAP.
>>>>
>>>>- verifyEmail
>>>>- askPassword
>>>>- forcePasswordReset
>>>>- failedRecoveryAttempts
>>>>- primaryChallengeQuestion
>>>>- emailVerified
>>>>- challengeQuestionUris
>>>>- failedLockoutCount
>>>>- lastLoginTime
>>>>- lastPasswordUpdate
>>>>- phoneVerified
>>>>- accountDisabled
>>>>
>>>> It looks like updating the identityPerson.ldif file [1] is not enough to
>>>> cater to the requirement, and we need to generate the is-default-schema.zip
>>>> file as well.
>>>>
>>>
>
> In the PR, it seems that you have updated the ldif file. Is there anything
> else that you did?
>

Yes. Updated the is-default-schema.zip file as well. It is also in the PR :)

[1]
features/org.wso2.carbon.ldap.server.server.feature/resources/conf/is-default-schema.zip
<https://github.com/wso2-extensions/identity-userstore-ldap/pull/15/files#diff-89eb521e87befb126adc90084ea56441>


Thanks
Isura.

>
> Thanks,
> Asela.
>
>
>>
>>>> What would be the best way to generate the is-default-schema.zip?
>>>>
>>>>
>>>> [1] https://github.com/wso2-extensions/identity-userstore-ldap/blob/master/features/org.wso2.carbon.ldap.server.server.feature/resources/conf/identityPerson.ldif
>>>>
>>>> [2] https://github.com/wso2-extensions/identity-userstore-ldap/blob/master/features/org.wso2.carbon.ldap.server.server.feature/resources/conf/is-default-schema.zip
>>>>
>>>> --
>>>>
>>>> *Isura Dilhara Karunaratne*
>>>> Associate Technical Lead | WSO2
>>>> Email: is...@wso2.com
>>>> Mob : +94 772 254 810
>>>> Blog : http://isurad.blogspot.com/
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>>
>>> *Isura Dilhara Karunaratne*
>>> Associate Technical Lead | WSO2
>>> Email: is...@wso2.com
>>> Mob : +94 772 254 810
>>> Blog : http://isurad.blogspot.com/
>>>
>>>
>>>
>>>
>>
>>
>> --
>>
>> *Isura Dilhara Karunaratne*
>> Associate Technical Lead | WSO2
>> Email: is...@wso2.com
>> Mob : +94 772 254 810
>> Blog : http://isurad.blogspot.com/
>>
>>
>>
>>
>
>
> --
> Thanks & Regards,
> Asela
>
> ATL
> Mobile : +94 777 625 933
>  +358 449 228 979
>
> http://soasecurity.org/
> http://xacmlinfo.org/
>



-- 

*Isura Dilhara Karunaratne*
Associate Technical Lead | WSO2
Email: is...@wso2.com
Mob : +94 772 254 810
Blog : http://isurad.blogspot.com/


Re: [Dev] Introduce custom attributes to Identity Server embedded LDAP schema.

2017-12-03 Thread Isura Karunaratne
This is done with the following PRs

https://github.com/wso2-extensions/identity-userstore-ldap/pull/15/
https://github.com/wso2/carbon-identity-framework/pull/1224

Thanks
Isura.

On Wed, Nov 29, 2017 at 10:42 AM, Isura Karunaratne <is...@wso2.com> wrote:

>
>
> On Wed, Nov 29, 2017 at 10:16 AM, Isura Karunaratne <is...@wso2.com>
> wrote:
>
>> Hi all,
>>
>> We need to update the LDIF to support the following attributes by default in
>> the embedded LDAP.
>>
>>- verifyEmail
>>- askPassword
>>- forcePasswordReset
>>- failedRecoveryAttempts
>>- primaryChallengeQuestion
>>- emailVerified
>>- challengeQuestionUris
>>- failedLockoutCount
>>- lastLoginTime
>>- lastPasswordUpdate
>>- phoneVerified
>>- accountDisabled
>>
>> It looks like updating the identityPerson.ldif file [1] is not enough to
>> cater to the requirement, and we need to generate the is-default-schema.zip
>> file as well.
>>
>> What would be the best way to generate the is-default-schema.zip?
>>
>>
>> [1] https://github.com/wso2-extensions/identity-userstore-ldap/blob/master/features/org.wso2.carbon.ldap.server.server.feature/resources/conf/identityPerson.ldif
>>
>> [2] https://github.com/wso2-extensions/identity-userstore-ldap/blob/master/features/org.wso2.carbon.ldap.server.server.feature/resources/conf/is-default-schema.zip
>>
>> --
>>
>> *Isura Dilhara Karunaratne*
>> Associate Technical Lead | WSO2
>> Email: is...@wso2.com
>> Mob : +94 772 254 810
>> Blog : http://isurad.blogspot.com/
>>
>>
>>
>>
>
>
> --
>
> *Isura Dilhara Karunaratne*
> Associate Technical Lead | WSO2
> Email: is...@wso2.com
> Mob : +94 772 254 810
> Blog : http://isurad.blogspot.com/
>
>
>
>


-- 

*Isura Dilhara Karunaratne*
Associate Technical Lead | WSO2
Email: is...@wso2.com
Mob : +94 772 254 810
Blog : http://isurad.blogspot.com/


Re: [Dev] Introduce custom attributes to Identity Server embedded LDAP schema.

2017-11-28 Thread Isura Karunaratne
On Wed, Nov 29, 2017 at 10:16 AM, Isura Karunaratne <is...@wso2.com> wrote:

> Hi all,
>
> We need to update the LDIF to support the following attributes by default in
> the embedded LDAP.
>
>- verifyEmail
>- askPassword
>- forcePasswordReset
>- failedRecoveryAttempts
>- primaryChallengeQuestion
>- emailVerified
>- challengeQuestionUris
>- failedLockoutCount
>- lastLoginTime
>- lastPasswordUpdate
>- phoneVerified
>- accountDisabled
>
> It looks like updating the identityPerson.ldif file [1] is not enough to
> cater to the requirement, and we need to generate the is-default-schema.zip
> file as well.
>
> What would be the best way to generate the is-default-schema.zip?
>
>
> [1] https://github.com/wso2-extensions/identity-userstore-ldap/blob/master/features/org.wso2.carbon.ldap.server.server.feature/resources/conf/identityPerson.ldif
>
> [2] https://github.com/wso2-extensions/identity-userstore-ldap/blob/master/features/org.wso2.carbon.ldap.server.server.feature/resources/conf/is-default-schema.zip
>
> --
>
> *Isura Dilhara Karunaratne*
> Associate Technical Lead | WSO2
> Email: is...@wso2.com
> Mob : +94 772 254 810
> Blog : http://isurad.blogspot.com/
>
>
>
>


-- 

*Isura Dilhara Karunaratne*
Associate Technical Lead | WSO2
Email: is...@wso2.com
Mob : +94 772 254 810
Blog : http://isurad.blogspot.com/


[Dev] Introduce custom attributes to Identity Server embedded LDAP schema.

2017-11-28 Thread Isura Karunaratne
Hi all,

We need to update the LDIF to support the following attributes by default in
the embedded LDAP.

   - verifyEmail
   - askPassword
   - forcePasswordReset
   - failedRecoveryAttempts
   - primaryChallengeQuestion
   - emailVerified
   - challengeQuestionUris
   - failedLockoutCount
   - lastLoginTime
   - lastPasswordUpdate
   - phoneVerified
   - accountDisabled

It looks like updating the identityPerson.ldif file [1] is not enough to cater
to the requirement, and we need to generate the is-default-schema.zip file as well.

What would be the best way to generate the is-default-schema.zip?


[1]
https://github.com/wso2-extensions/identity-userstore-ldap/blob/master/features/org.wso2.carbon.ldap.server.server.feature/resources/conf/identityPerson.ldif

[2]
https://github.com/wso2-extensions/identity-userstore-ldap/blob/master/features/org.wso2.carbon.ldap.server.server.feature/resources/conf/is-default-schema.zip

-- 

*Isura Dilhara Karunaratne*
Associate Technical Lead | WSO2
Email: is...@wso2.com
Mob : +94 772 254 810
Blog : http://isurad.blogspot.com/


Re: [Dev] What is the use of IDN_IDENTITY_META_DATA?

2017-11-28 Thread Isura Karunaratne
Hi Dulanja,

This is used to store user metadata like confirmation codes when
*JDBCUserRecoveryDataStore* is used. BTW we recommend using
RegistryRecoveryDataStore as the RecoveryDataStore in identity management
features.

So, the metadata (like confirmation codes) is stored in the registry
instead of this table.

Thanks
Isura.

On Wed, Nov 29, 2017 at 12:55 AM, Dulanja Liyanage  wrote:

> Hi All,
>
> $subject.
>
> I'm trying to understand the effect of a username change and came across
> this table.
>
> Thanks,
> Dulanja
>
> --
> Thanks & Regards,
> Dulanja Liyanage
> Lead, Platform Security Team
> WSO2 Inc.
>



-- 

*Isura Dilhara Karunaratne*
Associate Technical Lead | WSO2
Email: is...@wso2.com
Mob : +94 772 254 810
Blog : http://isurad.blogspot.com/


Re: [Dev] Remove provisioning-config.xml

2017-11-23 Thread Isura Karunaratne
Created a Jira [1] to track this.

[1] https://wso2.org/jira/browse/IDENTITY-6950

Thanks
Isura.

On Fri, Nov 10, 2017 at 9:13 PM, Gayan Gunawardana  wrote:

>
>
> On Fri, Nov 10, 2017 at 3:19 PM, Ruwan Abeykoon  wrote:
>
>> Hi Gayan,
>> Thanks for bringing this up.
>> We have not planned to do so.
>> +1 for removing unusable config elements.
>> Do you know the breakdown of usable and unusable elements? Can you create
>> an Improvement JIRA if you know them?
>> Let's keep the file for now, as we are now closing Beta9, and let's update
>> the doc about deprecation.
>>
> AFAIK we do not use anything other than
> true
>
>>
>> Cheers,
>> Ruwan
>>
>> On Fri, Nov 10, 2017 at 5:46 PM, Gayan Gunawardana 
>> wrote:
>>
>>> Hi All,
>>>
>>> Do we have any plan to deprecate *provisioning-config.xml* from IS
>>> 5.4.0? Most of the configurations it has are unusable right now.
>>> Still, we use a few configurations like [1]. IMO it is better to remove
>>> this configuration file.
>>> true
>>>
>>> [1] https://docs.wso2.com/display/IS530/Extensible+SCIM+User+Schemas+With+WSO2+Identity+Server
>>>
>>> Thanks,
>>> Gayan
>>> --
>>> Gayan Gunawardana
>>> Senior Software Engineer; WSO2 Inc.; http://wso2.com/
>>> Email: ga...@wso2.com
>>> Mobile: +94 (71) 8020933
>>>
>>
>>
>>
>> --
>>
>> *Ruwan Abeykoon*
>> *Associate Director/Architect**,*
>> *WSO2, Inc. http://wso2.com  *
>> *lean.enterprise.middleware.*
>>
>>
>
>
> --
> Gayan Gunawardana
> Senior Software Engineer; WSO2 Inc.; http://wso2.com/
> Email: ga...@wso2.com
> Mobile: +94 (71) 8020933
>



-- 

*Isura Dilhara Karunaratne*
Associate Technical Lead | WSO2
Email: is...@wso2.com
Mob : +94 772 254 810
Blog : http://isurad.blogspot.com/


Re: [Dev] Self Contained Access Tokens in IS 5.4.0

2017-11-17 Thread Isura Karunaratne
On Fri, Nov 17, 2017 at 1:35 PM, Isura Karunaratne <is...@wso2.com> wrote:

> Hi all,
>
> Currently, ACCESS_TOKEN column length is defined as 512 [1] which is not
> enough to store self-contained access token [2].
>
> Shall we increase the column size by default?
>
> Thanks
> Isura.
>
>
> [1]
> CREATE TABLE IF NOT EXISTS IDN_OAUTH2_ACCESS_TOKEN (
>     TOKEN_ID VARCHAR (255),
>     ACCESS_TOKEN VARCHAR(512),
>     REFRESH_TOKEN VARCHAR(512),
>     CONSUMER_KEY_ID INTEGER,
>     AUTHZ_USER VARCHAR (100),
>     TENANT_ID INTEGER,
>     USER_DOMAIN VARCHAR(50),
>     USER_TYPE VARCHAR (25),
>     GRANT_TYPE VARCHAR (50),
>     TIME_CREATED TIMESTAMP DEFAULT 0,
>     REFRESH_TOKEN_TIME_CREATED TIMESTAMP DEFAULT 0,
>     VALIDITY_PERIOD BIGINT,
>     REFRESH_TOKEN_VALIDITY_PERIOD BIGINT,
>     TOKEN_SCOPE_HASH VARCHAR(32),
>     TOKEN_STATE VARCHAR(25) DEFAULT 'ACTIVE',
>     TOKEN_STATE_ID VARCHAR (128) DEFAULT 'NONE',
>     SUBJECT_IDENTIFIER VARCHAR(255),
>     PRIMARY KEY (TOKEN_ID),
>     FOREIGN KEY (CONSUMER_KEY_ID) REFERENCES
>         IDN_OAUTH_CONSUMER_APPS(ID) ON DELETE CASCADE,
>     CONSTRAINT CON_APP_KEY UNIQUE (CONSUMER_KEY_ID, AUTHZ_USER,
>         TENANT_ID, USER_DOMAIN, USER_TYPE, TOKEN_SCOPE_HASH,
>         TOKEN_STATE, TOKEN_STATE_ID)
> );
>
>
> [2] https://wso2.org/jira/browse/IDENTITY-6917
>
>
> --
>
> *Isura Dilhara Karunaratne*
> Associate Technical Lead | WSO2
> Email: is...@wso2.com
> Mob : +94 772 254 810
> Blog : http://isurad.blogspot.com/
>
>
>
>


-- 

*Isura Dilhara Karunaratne*
Associate Technical Lead | WSO2
Email: is...@wso2.com
Mob : +94 772 254 810
Blog : http://isurad.blogspot.com/


Re: [Dev] Shouldn't we have an admin service method to delete set of users at once?

2017-11-09 Thread Isura Karunaratne
Hi Ushani,



On Thu, Nov 9, 2017 at 9:10 AM, Ushani Balasooriya  wrote:

> Hi IAM Team,
>
> During the implementation of a third party web app to manage users, I
> wanted to have a feature where I can select a few users and delete them at
> once.
>
> Then I noticed in our admin services we have only the below methods to delete
> users in our *UserAdmin* service.
>
> - *addRemoveUsersOfRole* - Delete users only in a particular role
> - *deleteUser* - Delete one selected user
>
> The *deleteUser* method allows only one user to be deleted.
>
> Can you please advise whether this is designed and implemented due to any
> particular reason or is it a lacking feature in our system? Or is there any
> other mechanism for me to delete a set of users at once?
>

C4 user core APIs do not support deleting multiple users at once. You can
loop the deleteUser API to delete a set of users.

Thanks
Isura.

>
> Appreciate your quick response.
>
> Thanks,
> --
> *Ushani Balasooriya*
> Associate Technical Lead - EE;
> WSO2 Inc; http://www.wso2.com/.
> Mobile; +94772636796
>
>


-- 

*Isura Dilhara Karunaratne*
Associate Technical Lead | WSO2
Email: is...@wso2.com
Mob : +94 772 254 810
Blog : http://isurad.blogspot.com/


Re: [Dev] Shouldn't we have an admin service method to delete set of users at once?

2017-11-08 Thread Isura Karunaratne
On Thu, Nov 9, 2017 at 9:56 AM, Ushani Balasooriya <ush...@wso2.com> wrote:

> Thanks Isura and Irham,
>
> I think I still need to create a group in the SCIM call, more like a role. Then
> I can even use *addRemoveUsersOfRole* in admin services. My requirement
> was to delete selected users belonging to different roles.
>
> I think what Isura has mentioned is an option to proceed. But doesn't it
> make multiple service calls?
>

Yes. It does multiple service calls. We can create a custom SOAP/REST
service and delete users through a single service call.

You can also try the SCIM2 bulk endpoint [1].

[1] https://docs.wso2.com/display/ISCONNECTORS/Configuring+SCIM+2.0+Provisioning+Connector#ConfiguringSCIM2.0ProvisioningConnector-/BulkEndpoint


Thanks
Isura.

>
> On Thu, Nov 9, 2017 at 9:53 AM, Isura Karunaratne <is...@wso2.com> wrote:
>
>> Hi Ushani,
>>
>>
>>
>> On Thu, Nov 9, 2017 at 9:10 AM, Ushani Balasooriya <ush...@wso2.com>
>> wrote:
>>
>>> Hi IAM Team,
>>>
>>> During the implementation of a third party web app to manage users, I
>>> wanted to have a feature where I can select few users and delete them at
>>> once.
>>>
>>> Then I noticed in our admin services we have only below methods to
>>> delete users in our *UserAdmin* service.
>>>
>>> - *addRemoveUsersOfRole* - Delete users only in a particular role
>>> - *deleteUser* - Delete one selected user
>>>
>>> The *deleteUser* method allows only one user to be deleted.
>>>
>>> Can you please advise whether this is designed and implemented due to
>>> any particular reason or is it a lacking feature in our system? Or is there
>>> any other mechanism for me to delete a set of users at once?
>>>
>>
>> C4 user core APIs do not support deleting multiple users at once. You can
>> loop the deleteUser API to delete a set of users.
>>
>> Thanks
>> Isura.
>>
>>>
>>> Appreciate your quick response.
>>>
>>> Thanks,
>>> --
>>> *Ushani Balasooriya*
>>> Associate Technical Lead - EE;
>>> WSO2 Inc; http://www.wso2.com/.
>>> Mobile; +94772636796
>>>
>>>
>>
>>
>> --
>>
>> *Isura Dilhara Karunaratne*
>> Associate Technical Lead | WSO2
>> Email: is...@wso2.com
>> Mob : +94 772 254 810 <+94%2077%20225%204810>
>> Blog : http://isurad.blogspot.com/
>>
>>
>>
>>
>
>
> --
> *Ushani Balasooriya*
> Associate Technical Lead - EE;
> WSO2 Inc; http://www.wso2.com/.
> Mobile; +94772636796
>
>


-- 

*Isura Dilhara Karunaratne*
Associate Technical Lead | WSO2
Email: is...@wso2.com
Mob : +94 772 254 810
Blog : http://isurad.blogspot.com/
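
The bulk alternative Isura mentions, as an added example that is not code from this thread or from WSO2: a client-side helper following RFC 7644 section 3.7 that builds BulkRequest bodies with one DELETE per user (chunked to the server's advertised bulk.maxOperations) and audits the BulkResponse for deletes that failed or were never processed. The user ids, the host name and the sample server reply are constructed.

```python
"""Constructed example (not from this thread or WSO2): batching user
deletions through a SCIM 2.0 Bulk request as defined in RFC 7644 section 3.7.
User ids, host name and the sample server reply are all made up."""
import json

BULK_REQUEST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:BulkRequest"
BULK_RESPONSE_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:BulkResponse"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"


def build_bulk_delete_requests(user_ids, max_operations=1000, fail_on_errors=None):
    """Return one BulkRequest body per chunk of user ids.

    max_operations is the server's bulk.maxOperations limit (advertised in
    /ServiceProviderConfig); a request above it is rejected outright.
    fail_on_errors is RFC 7644's failOnErrors: the number of failed operations
    after which the server stops processing. Leaving it out lets one missing
    user fail on its own without aborting the rest of the batch.
    """
    if max_operations < 1:
        raise ValueError("max_operations must be at least 1")
    ids = list(dict.fromkeys(user_ids))  # drop duplicates, keep order
    bodies = []
    for start in range(0, len(ids), max_operations):
        body = {
            "schemas": [BULK_REQUEST_SCHEMA],
            "Operations": [
                {"method": "DELETE", "path": "/Users/" + uid}
                for uid in ids[start:start + max_operations]
            ],
        }
        if fail_on_errors is not None:
            body["failOnErrors"] = fail_on_errors
        bodies.append(body)
    return bodies


def user_id_from_location(location):
    """'https://host/scim2/Users/abc' or '/Users/abc' -> 'abc'."""
    return location.rstrip("/").rsplit("/", 1)[-1]


def audit_bulk_delete(request_body, response_body):
    """Reconcile a BulkRequest with its BulkResponse.

    Returns (deleted, failed, unprocessed):
      deleted     - user ids answered with a 2xx status (204 for a DELETE)
      failed      - {user_id: status} for operations the server rejected
      unprocessed - ids with no answer at all, which happens when the server
                    stops early after failOnErrors is exceeded
    """
    if BULK_RESPONSE_SCHEMA not in response_body.get("schemas", []):
        raise ValueError("response is not a SCIM BulkResponse")
    requested = [user_id_from_location(op["path"]) for op in request_body["Operations"]]
    deleted, failed, answered = [], {}, set()
    for index, op in enumerate(response_body.get("Operations", [])):
        # 'location' is required in a response except for a failed POST;
        # fall back to request order if a server omits it anyway.
        if "location" in op:
            uid = user_id_from_location(op["location"])
        elif index < len(requested):
            uid = requested[index]
        else:
            continue  # answer to an operation we never sent
        answered.add(uid)
        status = str(op.get("status", ""))
        if status.startswith("2"):
            deleted.append(uid)
        else:
            failed[uid] = status
    unprocessed = [uid for uid in requested if uid not in answered]
    return deleted, failed, unprocessed


# Constructed server reply: the second user did not exist and the server
# stopped before reaching the third operation.
SAMPLE_RESPONSE = {
    "schemas": [BULK_RESPONSE_SCHEMA],
    "Operations": [
        {"method": "DELETE", "status": "204",
         "location": "https://idp.example/scim2/Users/u1"},
        {"method": "DELETE", "status": "404",
         "location": "https://idp.example/scim2/Users/u2",
         "response": {"schemas": [ERROR_SCHEMA], "status": "404",
                      "detail": "Resource u2 not found"}},
    ],
}

if __name__ == "__main__":
    body = build_bulk_delete_requests(["u1", "u2", "u3"])[0]
    print(json.dumps(body, indent=2))
    print(audit_bulk_delete(body, SAMPLE_RESPONSE))
```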


Re: [Dev] Usage of "tocommonauth" property in OAuth2 Authorize Endpoint

2017-11-05 Thread Isura Karunaratne
Hi Aparna,

Do we have the stack trace of the error you observed?

Thanks
Isura.

On Wed, Nov 1, 2017 at 2:41 PM, Aparna Karunarathna <apa...@wso2.com> wrote:

> Hi Isura, Ishara,
>
> During the perf test cycles, we have observed some test failures in OAuth2
> flows with the tocommonauth=true parameter, and AFAIR Johann explained there
> was a mail to revert it back to use the commonauth endpoint.
>
> Regards,
> Aparna.
>
> On Sat, Oct 28, 2017 at 10:45 AM, Ishara Karunarathna <isha...@wso2.com>
> wrote:
>
>> Hi Isura,
>>
>>
>>
>> On Fri, Oct 27, 2017 at 7:43 PM, Isura Karunaratne <is...@wso2.com>
>> wrote:
>>
>>> Hi all,
>>>
>>> If the "tocommonauth" property value is true, the
>>> authentication response from the login page will be forwarded to the commonauth
>>> endpoint through the OAuth2 Authorize Endpoint.
>>>
>>>
>>>- IIRC, this was done to reduce the number of redirections in the OAuth
>>>flow, but I think it is better to handle all the login responses from the
>>>commonauth endpoint.
>>>
>>> This is used in SAML flow as well to reduce the redirections.
>>
>>>
>>>- Do we need to continue supporting this or shall we remove this?
>>>
>>>
>> At the moment, in IS components we are not setting this parameter, but
>> there are some other components, e.g. App Manager, using it (customers may
>> have implemented authenticators with this parameter).
>> Do you see any issues supporting this?
>> If not, I think it's better to keep it.
>>
>> -Ishara
>>
>>> String isToCommonOauth =
>>>         request.getParameter(FrameworkConstants.RequestParams.TO_COMMONAUTH);
>>>
>>> if ("true".equals(isToCommonOauth) && flowStatus == null) {
>>>     try {
>>>         return sendRequestToFramework(request, response);
>>>     } catch (ServletException | IOException e) {
>>>         log.error("Error occurred while sending request to authentication framework.");
>>>         return Response.status(HttpServletResponse.SC_INTERNAL_SERVER_ERROR).build();
>>>     }
>>> }
>>>
>>>
>>>
>>> Thanks
>>> Isura.
>>>
>>> --
>>>
>>> *Isura Dilhara Karunaratne*
>>> Associate Technical Lead | WSO2
>>> Email: is...@wso2.com
>>> Mob : +94 772 254 810 <+94%2077%20225%204810>
>>> Blog : http://isurad.blogspot.com/
>>>
>>>
>>>
>>>
>>
>>
>> --
>> Ishara Karunarathna
>> Associate Technical Lead
>> WSO2 Inc. - lean . enterprise . middleware |  wso2.com
>>
>> email: isha...@wso2.com,   blog: isharaaruna.blogspot.com,   mobile:
>> +94717996791 <071%20799%206791>
>>
>>
>>
>>
>>
>
>
> --
> *Regards,*
>
> *Aparna Karunarathna.*
>
>
> *Associate Technical Lead - QAWSO2 Inc.Mobile: 0714002533*
>
> * <http://wso2.com/signature>*
>



-- 

*Isura Dilhara Karunaratne*
Associate Technical Lead | WSO2
Email: is...@wso2.com
Mob : +94 772 254 810
Blog : http://isurad.blogspot.com/


Re: [Dev] Ask password cannot be configured from management console when using identity REST API

2017-11-05 Thread Isura Karunaratne
Hi Sashika,



On Thu, Nov 2, 2017 at 3:38 PM, Sashika Wijesinghe <sash...@wso2.com> wrote:

> Hi All,
>
> I faced the same issue "*PasswordInvalidAsk Password Feature
> is disabled*" when accessing the RemoteUserStoreManagerService
> addUser() method to add a user with the ask password option when the user's
> credentials are not defined in the payload.
>
> When an admin user performs this operation from the management console, it
> is not required to provide a password. Is there any reason for requesting
> to define a password to perform ask password when creating a user with SOAP
> admin service?
>

Yes. In the management console scenario, it internally generates a random
password before creating the user. A password is mandatory in the C4 user core
APIs.

Thanks
Isura.

>
> Thanks
> Sashika
>
>
>
>
> On Thu, Jun 15, 2017 at 11:59 AM, Indunil Upeksha Rathnayake <
> indu...@wso2.com> wrote:
>
>> Hi,
>>
>> AFAIK, to distinguish adding a user with a default password using the User
>> Onboarding feature from adding a user in the normal way, we can consider the
>> "http://wso2.org/claims/identity/askPassword" claim value. And I think in both
>> of the above scenarios, when adding a user, credentials shouldn't be null.
>> UI validation to be included, I guess?
>>
>> Thanks and Regards
>>
>> On Wed, Jun 7, 2017 at 9:38 AM, Danushka Fernando <danush...@wso2.com>
>> wrote:
>>
>>> Hi Isura
>>> What I meant here is, when Ask Password is enabled through
>>> identity-mgt.properties, when the admin user adds users, we give him two
>>> options: enter a default password or send an email. So if it's the new
>>> User Onboarding feature, we can still let him enter a default password.
>>> But the problem is with the no-password case. Are you suggesting to generate a
>>> password in this case?
>>>
>>> Thanks & Regards
>>> Danushka Fernando
>>> Associate Tech Lead
>>> WSO2 inc. http://wso2.com/
>>> Mobile : +94716332729 <+94%2071%20633%202729>
>>>
>>> On Tue, Jun 6, 2017 at 10:02 PM, Isura Karunaratne <is...@wso2.com>
>>> wrote:
>>>
>>>>
>>>>
>>>> On Tue, Jun 6, 2017 at 9:12 PM Danushka Fernando <danush...@wso2.com>
>>>> wrote:
>>>>
>>>>> So Johann/Isura,
>>>>> how should we approach this? If it's not a new feature, we ask the user to add a
>>>>> default password? In that case we don't need this to be fixed, I guess.
>>>>>
>>>>
>>>> We shouldn't use a default password; instead we have to generate a
>>>> random password.
>>>>
>>>> Thanks
>>>> Isura
>>>>
>>>>>
>>>>> Thanks & Regards
>>>>> Danushka Fernando
>>>>> Associate Tech Lead
>>>>> WSO2 inc. http://wso2.com/
>>>>> Mobile : +94716332729 <+94%2071%20633%202729>
>>>>>
>>>>> On Tue, Jun 6, 2017 at 9:02 PM, Johann Nallathamby <joh...@wso2.com>
>>>>> wrote:
>>>>>
>>>>>>
>>>>>>
>>>>>> On Tue, Jun 6, 2017 at 8:52 PM, Isura Karunaratne <is...@wso2.com>
>>>>>> wrote:
>>>>>>
>>>>>>> Hi Danushka,
>>>>>>>
>>>>>>> You have to set a non-empty password while adding a user.
>>>>>>>
>>>>>>
>>>>>> Sorry, I saw your reply only after I sent my reply :)
>>>>>>
>>>>>>
>>>>>>>
>>>>>>> Thanks
>>>>>>> Isura
>>>>>>>
>>>>>>> On Tue, Jun 6, 2017 at 8:46 PM Danushka Fernando <danush...@wso2.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Hi All
>>>>>>>>
>>>>>>>> I am working on jira [1]. I could enable User Onboarding / Ask
>>>>>>>> Password new version and then get the UI displayed according to that. But
>>>>>>>> we cannot create a user without a password here. The reason is that the
>>>>>>>> following code is throwing an exception saying Ask Password is disabled.
>>>>>>>> How should we proceed?
>>>>>>>>
>>>>>>>>
>>>>>>>> package org.wso2.carbon.identity.mgt;

Re: [Dev] [IS][OAuth] Token Response request validation

2017-11-02 Thread Isura Karunaratne
On Thu, Nov 2, 2017 at 9:37 PM Danushka Fernando <danush...@wso2.com> wrote:

> @Isura
> Thanks for pointing out. But still there is dead code there which will
> never get triggered, right? Shall we refactor that code?
>
+1

@Nuwandi,
Can you work on this refactoring?

Thanks
Isura.

>
> Thanks & Regards
> Danushka Fernando
> Associate Tech Lead
> WSO2 inc. http://wso2.com/
> Mobile : +94716332729
>
> On Thu, Nov 2, 2017 at 9:08 PM, Isura Karunaratne <is...@wso2.com> wrote:
>
>> Hi Danushka,
>>
>> Other than the responseType validation, the *validateAccessDelegation* method does
>> the OAuth callback handler invocation. The OAuth callback handler is an
>> extension point that can be used to validate the access based on
>>
>>- AuthenticatedUser
>>- Consumer Key
>>- Scopes
>>- ResponseType
>>
>>
>> We can register new CallBackHandlers based on the requirements and
>> configure them in the identity.xml file:
>>
>>   <OAuthCallbackHandlers>
>>       <OAuthCallbackHandler Class="org.wso2.carbon.identity.oauth.callback.DefaultCallbackHandler"/>
>>   </OAuthCallbackHandlers>
>>
>> Thanks
>> Isura.
>>
>> On Thu, Nov 2, 2017 at 2:54 PM, Danushka Fernando <danush...@wso2.com>
>> wrote:
>>
>>> Hi All
>>> When an access token, id token, auth code or open id token is requested, it
>>> will go through the AuthorizationHandlerManager[1] class to authorize the
>>> client. There are three authorization steps [2].
>>>
>>>1. The first check is the isAuthorized check. Here it checks whether it is
>>>requesting a token or a code and according to that it will check whether implicit
>>>or code grant types are allowed for the application and returns true or
>>>false.[3]
>>>2. The second check is the validateAccessDelegation check. Here also it
>>>checks the request type and will check allowance of implicit or code grant
>>>types and returns true or false.[4]
>>>3. Third is scope validation
>>>
>>> So according to this analysis both check #1 and #2 are doing the same
>>> thing and I don't see a way of check #1 getting passed and check #2 getting
>>> failed. Please correct me if I am wrong.
>>>
>>> If this is correct, shall we do the necessary adjustment to reduce the
>>> complexity of the code?
>>>
>>>
>>> [1]
>>> https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/authz/AuthorizationHandlerManager.java
>>> [2]
>>> https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/authz/AuthorizationHandlerManager.java#L100-L123
>>> [3]
>>> https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/authz/handlers/AbstractResponseTypeHandler.java#L128-L165
>>> [4]
>>> https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/authz/handlers/AbstractResponseTypeHandler.java#L66-L104
>>>
>>>
>>> Thanks & Regards
>>> Danushka Fernando
>>> Associate Tech Lead
>>> WSO2 inc. http://wso2.com/
>>> Mobile : +94716332729 <+94%2071%20633%202729>
>>>
>>
>>
>>
>> --
>>
>> *Isura Dilhara Karunaratne*
>> Associate Technical Lead | WSO2
>> Email: is...@wso2.com
>> Mob : +94 772 254 810 <+94%2077%20225%204810>
>> Blog : http://isurad.blogspot.com/
>>
>>
>>
>>
> --

*Isura Dilhara Karunaratne*
Associate Technical Lead | WSO2
Email: is...@wso2.com
Mob : +94 772 254 810
Blog : http://isurad.blogspot.com/


Re: [Dev] [IS][OAuth] Token Response request validation

2017-11-02 Thread Isura Karunaratne
Hi Danushka,

Other than the responseType validation, the *validateAccessDelegation* method does
the OAuth callback handler invocation. The OAuth callback handler is an
extension point that can be used to validate the access based on

   - AuthenticatedUser
   - Consumer Key
   - Scopes
   - ResponseType


We can register new CallBackHandlers based on the requirements and
configure them in the identity.xml file:

  <OAuthCallbackHandlers>
      <OAuthCallbackHandler Class="org.wso2.carbon.identity.oauth.callback.DefaultCallbackHandler"/>
  </OAuthCallbackHandlers>

Thanks
Isura.

On Thu, Nov 2, 2017 at 2:54 PM, Danushka Fernando 
wrote:

> Hi All
> When an access token, id token, auth code or open id token is requested, it
> will go through the AuthorizationHandlerManager[1] class to authorize the
> client. There are three authorization steps [2].
>
>1. The first check is the isAuthorized check. Here it checks whether it is
>requesting a token or a code and according to that it will check whether implicit
>or code grant types are allowed for the application and returns true or
>false.[3]
>2. The second check is the validateAccessDelegation check. Here also it checks
>the request type and will check allowance of implicit or code grant types
>and returns true or false.[4]
>3. Third is scope validation
>
> So according to this analysis both check #1 and #2 are doing the same
> thing and I don't see a way of check #1 getting passed and check #2 getting
> failed. Please correct me if I am wrong.
>
> If this is correct, shall we do the necessary adjustment to reduce the
> complexity of the code?
>
>
> [1] https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/authz/AuthorizationHandlerManager.java
> [2] https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/authz/AuthorizationHandlerManager.java#L100-L123
> [3] https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/authz/handlers/AbstractResponseTypeHandler.java#L128-L165
> [4] https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/authz/handlers/AbstractResponseTypeHandler.java#L66-L104
>
> Thanks & Regards
> Danushka Fernando
> Associate Tech Lead
> WSO2 inc. http://wso2.com/
> Mobile : +94716332729 <+94%2071%20633%202729>
>



-- 

*Isura Dilhara Karunaratne*
Associate Technical Lead | WSO2
Email: is...@wso2.com
Mob : +94 772 254 810
Blog : http://isurad.blogspot.com/


Re: [Dev] Correct way to Add users and Roles via an API

2017-11-01 Thread Isura Karunaratne
On Wed, Nov 1, 2017 at 8:01 PM Farasath Ahamed  wrote:

> On Wed, Nov 1, 2017 at 7:38 PM, Ushani Balasooriya 
> wrote:
>
>> Hi IAM team,
>>
>> I am trying to implement a third-party web app to manage users and roles
>> functionalities as explained in this blog post [1], Solution 26.
>>
>> According to the solution, it says,
>>
>> *"The WSO2 Identity Server exposes a set of REST endpoints as well as
>> SOAP-based services for user management, the web app just need to talk to
>> these endpoints, without having to deal directly with underlying user
>> stores (LDAP, AD, JDBC)."*
>>
>> This [2] is the only document I can find as the available API for user
>> role management.
>>
>> Please verify whether my below understandings are correct to proceed with
>> this solution.
>>
>> 1. Since WSO2IS does not provide any REST API for user/role management,
>> there will not be a particular API which I can use as an endpoint in my third-party
>> application.
>> Therefore my web app should use a class as explained in this [2]
>> document.
>>
>> 2. We should not consider SCIM as a REST endpoint to manage users since it
>> is used to provision users to external systems. Therefore I cannot treat
>> SCIM as a REST endpoint which can be used to add users and roles.
>>
>
No. As Farasath explains, we do support both inbound and outbound SCIM
provisioning.

You can treat the SCIM endpoint as a well-defined standard way to manage users
from a third-party application.

From IS 5.3.0 onwards, Identity Server supports both SCIM 1.1 and SCIM 2.0 (as a
connector).

Thanks
Isura.



> IMO this is not entirely correct.
> The SCIM inbound connector is used to provision users *in to* Identity Server,
> and the SCIM outbound connector can be used to provision users to external
> systems as you explained.
>
> The SCIM inbound connector exposes a REST endpoint through which you can do
> CRUD operations on users/groups. This can be considered as a REST endpoint
> to manage users. Both SCIM and our SOAP APIs talk to the same underlying
> user-core implementation to achieve CRUD on users (user stores).
>
> Moreover, SCIM simply provides a RESTful layer over our user-core
> functionality. So I don't see why we should not consider SCIM as a REST API
> to manage users.
> In fact we have customers using SCIM to achieve user registration, user
> profile update etc.
>
>>
>>
>> [1]
>> https://medium.facilelogin.com/thirty-solution-patterns-with-the-wso2-identity-server-16f9fd0c0389
>>
>> [2]
>> https://docs.wso2.com/display/IS530/Managing+Users+and+Roles+with+APIs#ManagingUsersandRoleswithAPIs-addRole()
>>
>> Thanks,
>> --
>> *Ushani Balasooriya*
>> Associate Technical Lead - EE;
>> WSO2 Inc; http://www.wso2.com/.
>>
>>
>> --

*Isura Dilhara Karunaratne*
Associate Technical Lead | WSO2
Email: is...@wso2.com
Mob : +94 772 254 810
Blog : http://isurad.blogspot.com/


[Dev] Usage of "tocommonauth" property in OAuth2 Authorize Endpoint

2017-10-27 Thread Isura Karunaratne
Hi all,

If the "tocommonauth" property value is true, the authentication response
from the login page will be forwarded to the commonauth endpoint through the OAuth2
Authorize Endpoint.


   - IIRC, this was done to reduce the number of redirections in the OAuth flow,
   but I think it is better to handle all the login responses from the
   commonauth endpoint.
   - Do we need to continue supporting this or shall we remove this?


// tocommonauth=true asks the authorize endpoint to hand the login response
// straight to the authentication framework; flowStatus is the framework's
// request attribute and is still null when the framework has not handled
// this request yet.
String isToCommonOauth =
        request.getParameter(FrameworkConstants.RequestParams.TO_COMMONAUTH);

if ("true".equals(isToCommonOauth) && flowStatus == null) {
    try {
        return sendRequestToFramework(request, response);
    } catch (ServletException | IOException e) {
        log.error("Error occurred while sending request to authentication framework.");
        return Response.status(HttpServletResponse.SC_INTERNAL_SERVER_ERROR).build();
    }
}



Thanks
Isura.

-- 

*Isura Dilhara Karunaratne*
Associate Technical Lead | WSO2
Email: is...@wso2.com
Mob : +94 772 254 810
Blog : http://isurad.blogspot.com/


Re: [Dev] Getting the roles of tenant users through UserAdmin admin service by using super-tenant admin's credentials

2017-10-27 Thread Isura Karunaratne
Hi Megala,

This cannot be done using the existing Admin services. You can do this by
using the *SCIM2* APIs with the cross-tenancy feature. Add the following
cross-tenant="true" setting in the identity.xml file. Note that only SCIM2
supports the cross-tenancy feature.





Thanks
Isura.

On Fri, Oct 27, 2017 at 5:48 PM, Megala Uthayakumar  wrote:

> Hi All,
>
> I am working on implementing a new store REST API, to get all the scopes
> relevant to particular application and to filter the scopes based on the
> roles of the user. Since this is a store API, I am calling the key
> manager's UserAdmin admin service to get the roles of a particular user.
> Basic Authentication is used for this purpose and the keyManager's
> super-tenant user name and password are extracted from api-manager.xml.
>
> While doing the testing, I found that the UserAdmin admin service will
> only return the roles of the users from the tenant which the particular
> request is authenticated for. @Farasath confirmed the same through offline.
> I tried with the RemoteUserStoreManagerService admin service as well. The
> results seem to be the same. Is there any way to achieve this through the
> admin services (i.e. to get the roles of a user from a different tenant by
> using the super-tenant's credentials)?
>
> Thanks.
>
> Regards,
> Megala
> --
> Megala Uthayakumar
>
> Software Engineer
> Mobile : 0779967122
>



-- 

*Isura Dilhara Karunaratne*
Associate Technical Lead | WSO2
Email: is...@wso2.com
Mob : +94 772 254 810
Blog : http://isurad.blogspot.com/


[Dev] Warning log in server startup regarding the secondary userstore

2017-10-23 Thread Isura Karunaratne
Hi Denuwanthi,

I tried to reproduce the issue [1], but I couldn't. Please upload the
user-store config file used to create the secondary user store for further
analysis.


[1] https://wso2.org/jira/browse/IDENTITY-6449

-- 

*Isura Dilhara Karunaratne*
Associate Technical Lead | WSO2
Email: is...@wso2.com
Mob : +94 772 254 810
Blog : http://isurad.blogspot.com/


Re: [Dev] [Carbon-jira] [jira] (IDENTITY-6330) [IS]When configured secondary jdbc userstore canot login with the secondary userstore user

2017-09-25 Thread Isura Karunaratne
Hi Johann,



On Sun, Sep 24, 2017 at 5:29 PM, Johann Nallathamby  wrote:

> 1. Can someone explain the reason for the issue and relevance of the fix
> to the issue reported here?
>
> I can understand the issue here. I also assume I understand the reason for
> the issue. But better someone explains. What I don't seem to understand is
> the relevance of the fix here. It seems to me that the
> "AuthenticationPolicy.CheckAccountExist" property was not used at all in
> the new implementation. Now it's been put to use. I certainly don't think
> not using this property is the reason for the issue. So I don't get the fix
> done here.
>

Yes. We need to improve the fix. We need to use isAuthPolicyAccountExistCheck()
only for sending the user-exists message outside.

>
> 2. Why do we have a private method *"isUserExistsInDomain"*? It doesn't
> seem to do anything useful.
>
Yes. Need to remove that.

>
> 3. Seems we have introduced a new property to identity.xml
> *"AuthenticationPolicy.CheckAccountExist".* Are we not thinking of adding
> this to Resident IdP UI to control at a tenant level?
>
> *Authentication.Policy.Check.Ac
> count.Exist* in the old
> identity-mgt.properties file was there to control the level of details that
> needs to be revealed to the users regarding authentication failure. I.e. we
> gave a configuration to control whether the user should see a generic
> authentication failure message, or s/he should see failure with reason such
> as invalid username or invalid password.
>
We can manage *AuthenticationPolicy.CheckAccountExist* tenant-wise. Do
we really need to limit the error messages based on tenant? If so, we will
put that in the Resident IDP.

> Seems this property has been missed in the new implementation and now being
> added.
>
> 4. Why is the new element uncommented by default which is inconsistent
> with all other identity-mgt elements in identity.xml? Can we have a default
> value and comment it out?
>
Yes. That needs to be commented.

>
> 5. Is this code consistent with other handlers such as
> *AccountLockHandler* and *AccountDisableHandler*?
>

Will revisit all the handlers based on today's discussion.


Thanks
Isura.

>
> Regards,
> Johann.
>
> -- Forwarded message --
> From: Denuwanthi De Silva (JIRA) 
> Date: Thu, Aug 31, 2017 at 10:09 AM
> Subject: [Carbon-jira] [jira] (IDENTITY-6330) [IS]When configured
> secondary jdbc userstore canot login with the secondary userstore user
> To: carbon-j...@wso2.org
>
>
> Denuwanthi De Silva *created* an issue
>
> WSO2 Identity Server / Bug IDENTITY-6330
> [IS]When configured secondary jdbc userstore canot login with the
> secondary userstore user
> Issue Type: Bug
> Assignee: Darshana Gunawardana
> Created: 31/Aug/17 10:08 AM
> Priority: Normal
> Reporter: Denuwanthi De Silva
>
> 1.create a user in SECONDARY oracle jdbc userstore.
> 2.try to login with that user
> login fails.
> ERROR
> {org.wso2.carbon.core.services.authentication.AuthenticationAdmin}
>
> - System error while Authenticating/Authorizing User : Error when handling
> event : PRE_AUTHENTICATION
> 3.If login with domain ex(SECONDARY/user1) log in without issue.
>
> ___
> Carbon-jira mailing list
> carbon-j...@wso2.org
> https://wso2.org/cgi-bin/mailman/listinfo/carbon-jira
>
>
>
>
> --
> Thanks & Regards,
>
> *Johann Dilantha Nallathamby*
> Senior Lead Solutions Engineer
> WSO2, Inc.
> lean.enterprise.middleware
>
> Mobile - *+9476950*
> Blog - *http://nallaa.wordpress.com *
>



-- 

*Isura Dilhara Karunaratne*
Associate Technical Lead | WSO2
Email: is...@wso2.com
Mob : +94 772 254 810
Blog : http://isurad.blogspot.com/


Re: [Dev] Some concerns on IDENTITY-6324

2017-09-04 Thread Isura Karunaratne
Hi Johann,

On Mon, Sep 4, 2017 at 8:18 PM Johann Nallathamby  wrote:

> Hi Hasanthi/Nuwandi/IAM Team,
>
> 1. Can we please add a description in the JIRA as to what this JIRA is for?
>
> 2. The fix has made a public enum change:
> "MAX_ATTEMTS_EXCEEDED" -> "MAX_ATTEMTS_EXCEEDED".
> Is this intentional? In any case the spelling is still wrong.
>
> 3. We have introduced a new protected method
> "setUserClaimsValuesInUserStore". Again, is this intentional? And we have a
> threadlocal solution to prevent listeners being triggered twice. In that
> case do we need this new method?
>

Here we are going to support the account locking failure reason. In that case,
we need a way to identify the following account lock reasons separately.

- Admin Lock User Account
- Account not confirmed
- Account locked due to exceeding max failure attempts

We have to check the account lock claim in the setUserClaimValues method to check
whether an admin user is going to lock a user. Because of the recursion in
UserStoreBasedIdentityDataStore, we can't put that logic inside the
setUserClaimValues method, because we use the setUserClaimValues method to
store the reason for other scenarios as well.


Thanks
Isura.


> [1] https://wso2.org/jira/browse/IDENTITY-6324
>
> Thanks & Regards,
> Johann.
>
> --
>
> *Johann Dilantha Nallathamby*
> Senior Lead Solutions Engineer
> WSO2, Inc.
> lean.enterprise.middleware
>
> Mobile - *+9476950*
> Blog - *http://nallaa.wordpress.com *
>
-- 

*Isura Dilhara Karunaratne*
Associate Technical Lead | WSO2
Email: is...@wso2.com
Mob : +94 772 254 810
Blog : http://isurad.blogspot.com/


Re: [Dev] Shall we remove InfoRecoverySample from product-is?

2017-09-04 Thread Isura Karunaratne
On Mon, Sep 4, 2017 at 9:00 PM Pulasthi Mahawithana 
wrote:

> Hi Johann,
>
> Since we are still keeping the deprecated SOAP APIs we'll keep the sample
> also till the next major version.
>
Yes. +1 to keep the sample since we support SOAP APIs too.

Thanks
Isura

>
> On Mon, Sep 4, 2017 at 8:42 PM, Johann Nallathamby 
> wrote:
>
>> If we are going to keep it in product-is we need to maintain
>> compatibility with latest APIs. But I think we have even resolved some
>> public JIRAs mentioning the fact that we now support this in identity-mgt
>> webapp. So we don't need a separate sample for this.
>>
>> So, I think we can do $subject.
>>
>> Regards,
>> Johann.
>>
>> --
>> Thanks & Regards,
>>
>> *Johann Dilantha Nallathamby*
>> Senior Lead Solutions Engineer
>> WSO2, Inc.
>> lean.enterprise.middleware
>>
>> Mobile - *+9476950*
>> Blog - *http://nallaa.wordpress.com *
>>
>
>
>
> --
> *Pulasthi Mahawithana*
> Senior Software Engineer
> WSO2 Inc., http://wso2.com/
> Mobile: +94-71-5179022
> Blog: https://medium.com/@pulasthi7/
>
> 
>
-- 

*Isura Dilhara Karunaratne*
Associate Technical Lead | WSO2
Email: is...@wso2.com
Mob : +94 772 254 810
Blog : http://isurad.blogspot.com/


Re: [Dev] Is this fix correct? Can someone explain?

2017-08-23 Thread Isura Karunaratne
On Thu, Aug 24, 2017 at 1:27 AM Johann Nallathamby  wrote:

>
> https://github.com/wso2/carbon-identity-framework/commit/1f2df5faf2a46258791bdaf1d4c94741626e34a1
>
> How is *resourceType* attribute mapped to *userType*? And why is
> AttributeID still *mail*?
>

This is the SCIM2 dialect. When we add a user, its resourceType is "user". Then
the email address of that user becomes "user". That was the issue.

I think the SCIM1 dialect uses the userType local claim for this. The remote
dialect's attributeId is not required in the new claim management module;
instead it uses the local mapped claim.

Thanks
Isura

>
> Regards,
> Johann.
>
> --
>
> *Johann Dilantha Nallathamby*
> Senior Lead Solutions Engineer
> WSO2, Inc.
> lean.enterprise.middleware
>
> Mobile - *+9476950*
> Blog - *http://nallaa.wordpress.com *
>
-- 

*Isura Dilhara Karunaratne*
Associate Technical Lead | WSO2
Email: is...@wso2.com
Mob : +94 772 254 810
Blog : http://isurad.blogspot.com/


Re: [Dev] Display the roles of a custom user store for Identity Server

2017-08-20 Thread Isura Karunaratne
Hi Thomas,

It is wrong to set tenantId as follows for the carbon.super tenant. The super
tenant's tenantId is -1234. Can you attach the full exception stacktrace?

carbonContext.setTenantId(64302);


Thanks
Isura.

On Fri, Aug 18, 2017 at 6:50 PM, Thomas LEGRAND <
thomas.legr...@versusmind.eu> wrote:

> Hello there,
>
> I found the problem concerning the roles. The Identity Server calls the
> primary user store because the usernames in the list aren't prefixed with
> the domain of the secondary store (which is my custom user store).
> So I modified it and I enter into the method.
>
> Now, I have this weird exception I never encountered before:
>
> [2017-08-18 15:16:04,866] ERROR 
> {org.wso2.carbon.user.core.common.AbstractUserStoreManager}
> -  Error occurred while accessing Java Security Manager Privilege Block
> [2017-08-18 15:16:04,867] ERROR {org.wso2.carbon.user.mgt.UserRealmProxy}
> -  org.wso2.carbon.user.core.UserStoreException: Error occurred while
> accessing Java Security Manager Privilege Block
> [2017-08-18 15:16:04,881] ERROR {org.wso2.carbon.user.mgt.ui.UserAdminClient}
> -  Error occurred while accessing Java Security Manager Privilege Block
>
> Regards,
>
> Thomas
>
> 2017-08-18 14:35 GMT+02:00 Thomas LEGRAND <thomas.legr...@versusmind.eu>:
>
>> Hello Isura!
>>
>> I did override the methods except the doGetInternalRoleListOfUser because
>> the AbstractUserStoreManager already implements it.
>>
>> Here is my custom store manager in [1] and my "internal" class in [2]. In
>> [3], you will have the user store properties managed by my user store.
>>
>> The goal of the test is to retrieve the roles of a user from the
>> secondary user store implemented by this code by using the interface of the
>> identity server. So you will have a "getRoleListOfUser()" which appears in
>> the logs.
>>
>> [1] CustomUserStoreManager.java
>> [2] CustomUserStoreManagerDSComponent.java
>> [3] CustomUserStoreProperties.java
>>
>> 2017-08-18 12:10 GMT+02:00 Isura Karunaratne <is...@wso2.com>:
>>
>>> Hi Thomas,
>>>
> >>> Did you override the doCheckExistingUser method in your custom user store
> >>> manager? In order to view the roles list of the user, the following methods
> >>> should be overridden:
> >>>
> >>>    - doCheckExistingUser
> >>>    - doGetExternalRoleListOfUser
> >>>    - doGetInternalRoleListOfUser
> >>>
> >>> If the issue still occurs after overriding the doCheckExistingUser
> >>> method, please attach your sample code so we can help you faster.
>>>
>>> Thanks
>>> Isura.
>>>
>>> On Fri, Aug 18, 2017 at 3:09 PM, Thomas LEGRAND <
>>> thomas.legr...@versusmind.eu> wrote:
>>>
>>>> Hello again!
>>>>
>>>> During my tests, I "reinstalled" a new Identity Server v5.3.0 where I
>>>> let the default configuration for the primary user store.
>>>> I configured my custom secondary user store which retrieves data from a
> >>>> database. This custom user store is implemented by extending the
> >>>> AbstractUserStoreManager class and I generated an OSGi bundle which I
>>>> dropped in the repository/components/dropins directory.
>>>>
>>>> So I can see my list of users coming from this user store when I
>>>> display it from the identity server. But, when I want to display the roles
> >>>> of a user, I noticed that the primary user store is called (in my case,
>>>> that was the default 
>>>> org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager
>>>> configured in the user-mgt.xml configuration file) to check if the user
>>>> existed and to retrieve its roles.
>>>>
>>>> Did I miss something in my implementation of the user store to have the
>>>> effect of the primary user store taking the lead to retrieve the roles
>>>> physically located on the secondary user store?
>>>>
>>>> Regards,
>>>>
>>>> Thomas
>>>>
>>>> 2017-08-17 11:22 GMT+02:00 Thomas LEGRAND <thomas.legr...@versusmind.eu
>>>> >:
>>>>
>>>>> Hello,
>>>>>
>>>>> I really don't understand why my "external" roles don't appear in the
>>>>> list and why no role methods are called in my connector because, when I
>>>>> configure a LDAP

Re: [Dev] Avoid Invoking REST endpoints from SSO login page

2017-08-18 Thread Isura Karunaratne
On Fri, Aug 18, 2017 at 4:33 PM Malithi Edirisinghe <malit...@wso2.com>
wrote:

> On Fri, Aug 18, 2017 at 4:02 PM, Isura Karunaratne <is...@wso2.com> wrote:
>
>> Hi Malithi,
>>
>> On Fri, Aug 18, 2017 at 3:41 PM, Malithi Edirisinghe <malit...@wso2.com>
>> wrote:
>>
>>>
>>>
>>> On Fri, Aug 18, 2017 at 12:31 PM, Nuwandi Wickramasinghe <
>>> nuwan...@wso2.com> wrote:
>>>
> >>>> Looks like HTTP calls are done to validate the endpoint URL. Do we need
> >>>> this validation before showing the link?
> >>>>
> >>>> Shall we remove these calls and directly show the hyperlink?
>>>>
>>>
> >>> So here the validation is done as we are invoking another webapp, so
> >>> that this check makes sure a broken link is never shown in this login
> >>> page. Moreover, this is just a HEAD call so I don't think invoking that
> >>> impacts the login page performance, because the actual page is not getting
> >>> rendered here.
> >>> The other thing is these webapps are coming from two features, so IMO,
> >>> we cannot directly couple them together.
>>>
>>
> >> Is that working correctly? I think the HEAD operation returns 200 OK for any
> >> endpoint starting with https://localhost:9443.
>>
>
> How can that happen ?
>
Because Carbon redirects invalid URLs to the main page.


> We call HEAD on the URL, right. Anyway, if it's not working we should fix it.
>
>>
>> Thanks
>> Isura.
>>
>>
>>>> On Fri, Aug 18, 2017 at 11:54 AM, Farasath Ahamed <farasa...@wso2.com>
>>>> wrote:
>>>>
>>>>>
>>>>> There is another complication here. We are not honouring the hostname
>>>>> verification settings set by Kernel when doing the backend call.
>>>>> Ideally, we should be using the common-http client if we are doing any
>>>>> backend https calls.
>>>>>
>>>>>
>>>>> Farasath Ahamed
>>>>> Software Engineer, WSO2 Inc.; http://wso2.com
>>>>> Mobile: +94777603866
>>>>> Blog: blog.farazath.com
>>>>> Twitter: @farazath619 <https://twitter.com/farazath619>
>>>>> <http://wso2.com/signature>
>>>>>
>>>>>
>>>>>
>>>>> On Fri, Aug 18, 2017 at 11:45 AM, Gayan Gunawardana <ga...@wso2.com>
>>>>> wrote:
>>>>>
> >>>>>> In the IS 5.4.0-m2 SSO login page we can see a couple of hyperlinks for
> >>>>>> Forgot Password, Forgot Username and Register Now, as below.
> >>>>>>
>>>>>> Actually how it renders is
>>>>>>
>>>>>>  <%
>>>>>> url = new URL(identityMgtEndpointContext +
>>>>>> "/recoverpassword.do?callback=" + Encode.forHtmlAttribute
>>>>>> (urlEncodedURL));
>>>>>> httpURLConnection = (HttpURLConnection)
>>>>>> url.openConnection();
>>>>>> httpURLConnection.setRequestMethod("HEAD");
>>>>>> httpURLConnection.connect();
>>>>>> if (httpURLConnection.getResponseCode() ==
>>>>>> HttpURLConnection.HTTP_OK) {
>>>>>> %>
>>>>>> Forgot Password
>>>>>> 
>>>>>> 
>>>>>> <%
>>>>>> }
>>>>>>
> >>>>>> So every time a user goes to the SSO login page, 3 HTTP requests need
> >>>>>> to be sent to render 3 hyperlinks. Also, if any of the APIs raises a
> >>>>>> back-end exception, a bad stack trace will be printed as below.
>>>>>>
>>>>>> WARN {org.apache.cxf.phase.PhaseInterceptorChain} -  Application {
>>>>>> http://endpoint.recovery.identity.carbon.wso2.org/}ClaimsApi has
>>>>>> thrown exception, unwinding now
>>>>>> org.apache.cxf.interceptor.Fault
>>>>>>
> >>>>>> Is there a better way to handle this situation?
>>>>>>
>>>>>> Thanks,
>>>>>> Gayan
>>>>>>
>>>>>> --
>>>>>> Gayan Gunawardana
>>>>>> Senior Software Engineer; WSO2 Inc.; http://wso2.com/
>>>>>> Email: ga...@wso2.com
>>>>>> Mobile: +94 (71) 8020933
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>>
>>>> Best Regards,
>>>>
>>>> Nuwandi Wickramasinghe
>>>>
>>>> Software Engineer
>>>>
>>>> WSO2 Inc.
>>>>
>>>> Web : http://wso2.com
>>>>
>>>> Mobile : 0719214873
>>>>
>>>
>>>
>>>
>>> --
>>>
>>> *Malithi Edirisinghe*
>>> Associate Technical Lead
>>> WSO2 Inc.
>>>
>>> Mobile : +94 (0) 718176807
>>> malit...@wso2.com
>>>
>>
>>
>>
>> --
>>
>> *Isura Dilhara Karunaratne*
>> Associate Technical Lead | WSO2
>> Email: is...@wso2.com
>> Mob : +94 772 254 810 <+94%2077%20225%204810>
>> Blog : http://isurad.blogspot.com/
>>
>>
>>
>>
>
>
> --
>
> *Malithi Edirisinghe*
> Associate Technical Lead
> WSO2 Inc.
>
> Mobile : +94 (0) 718176807
> malit...@wso2.com
>
-- 

*Isura Dilhara Karunaratne*
Associate Technical Lead | WSO2
Email: is...@wso2.com
Mob : +94 772 254 810
Blog : http://isurad.blogspot.com/
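An added example, not code from this thread or from WSO2, illustrating the point made in all three copies of this discussion: a HEAD probe that follows redirects reports 200 for any path once the server redirects unknown paths to its main page, so the link check never fails. The redirecting server, the recoverpassword.do path and the class name are constructed for the demonstration.

```java
import com.sun.net.httpserver.HttpServer;
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.URL;

public class HeadLinkCheckDemo {

    // Constructed stand-in for the behaviour described in the thread: the server
    // answers 200 for known paths and redirects everything else to the main page
    // instead of returning 404.
    static HttpServer startRedirectingServer() throws IOException {
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/", exchange -> {
            String path = exchange.getRequestURI().getPath();
            if ("/".equals(path) || "/accountrecoveryendpoint/recoverpassword.do".equals(path)) {
                exchange.sendResponseHeaders(200, -1);   // no body, which is right for HEAD
            } else {
                exchange.getResponseHeaders().add("Location", "/");
                exchange.sendResponseHeaders(302, -1);
            }
            exchange.close();
        });
        server.start();
        return server;
    }

    /** Mirrors the JSP check: HEAD with the default follow-redirects=true, accept 200. */
    static boolean naiveHeadCheck(URL url) throws IOException {
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        conn.setRequestMethod("HEAD");
        conn.connect();
        try {
            return conn.getResponseCode() == HttpURLConnection.HTTP_OK;
        } finally {
            conn.disconnect();
        }
    }

    /** Same probe, but a redirect counts as "not there" instead of being followed to the main page. */
    static boolean strictHeadCheck(URL url) throws IOException {
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        conn.setInstanceFollowRedirects(false);   // the one-line difference
        conn.setConnectTimeout(2000);             // a probe on the login path must not hang
        conn.setReadTimeout(2000);
        conn.setRequestMethod("HEAD");
        conn.connect();
        try {
            return conn.getResponseCode() == HttpURLConnection.HTTP_OK;
        } finally {
            conn.disconnect();
        }
    }

    public static void main(String[] args) throws IOException {
        HttpServer server = startRedirectingServer();
        try {
            String base = "http://127.0.0.1:" + server.getAddress().getPort();
            URL real = new URL(base + "/accountrecoveryendpoint/recoverpassword.do");
            URL bogus = new URL(base + "/no-such-webapp/recoverpassword.do");
            // naive: real=true bogus=true, so the bogus link would still be rendered
            System.out.println("naive  real=" + naiveHeadCheck(real) + " bogus=" + naiveHeadCheck(bogus));
            // strict: real=true bogus=false, the redirect is no longer mistaken for success
            System.out.println("strict real=" + strictHeadCheck(real) + " bogus=" + strictHeadCheck(bogus));
        } finally {
            server.stop(0);
        }
    }
}
```

Refusing redirects only fixes the false positive discussed here; the separate point about honouring the kernel's hostname verification settings for the backend HTTPS call is not covered by this example.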


Re: [Dev] [IS] Need to get the consent page back in SSO flow

2017-08-18 Thread Isura Karunaratne
Hi Nipuni,

You can use the updateApproveAlwaysForAppConsentByResourceOwner method in
the OAuthAdminService to revoke the approve-always consent.

Thanks
Isura

On Fri, Aug 18, 2017 at 3:24 PM Farasath Ahamed  wrote:

> + Indunil
>
> Farasath Ahamed
> Software Engineer, WSO2 Inc.; http://wso2.com
> Mobile: +94777603866
> Blog: blog.farazath.com
> Twitter: @farazath619 
> 
>
>
>
> On Fri, Aug 18, 2017 at 3:12 PM, Naduni Pamudika  wrote:
>
>> Hi All,
>>
>> In the SSO flow, first the login page appears and then the consent page where
>> the scopes are being approved by the user. I have put "Approve Always" for
>> the scopes showing in the consent page and then the consent page does
>> not appear in the login flow.
>>
>> I want to get the normal flow back, i.e. I want to go through the consent
>> page and see the scopes.
>>
>> I tried deleting the application from the IS side and it did not work.
>> Even after deleting and creating a new application, "Approve Always" is
>> still enabled.
>>
>> How can I get it disabled?
>>
>> Thank you,
>> Naduni
>>
>> --
>> *Naduni Pamudika*
>> Software Engineer | WSO2
>> Mobile: +94 719 143658 <+94%2071%20914%203658>
>> [image: http://wso2.com/signature] 
>>
>
>
-- 

*Isura Dilhara Karunaratne*
Associate Technical Lead | WSO2
Email: is...@wso2.com
Mob : +94 772 254 810
Blog : http://isurad.blogspot.com/


Re: [Dev] Avoid Invoking REST endpoints from SSO login page

2017-08-18 Thread Isura Karunaratne
Hi Malithi,

On Fri, Aug 18, 2017 at 3:41 PM, Malithi Edirisinghe 
wrote:

>
>
> On Fri, Aug 18, 2017 at 12:31 PM, Nuwandi Wickramasinghe <
> nuwan...@wso2.com> wrote:
>
>> Looks like HTTP calls are done to validate the endpoint URL. Do we need
>> this validation before showing the link?
>>
>> Shall we remove these calls and directly show the hyperlink?
>>
>
> So here the validation is done as we are invoking another webapp, so that
> this check makes sure a broken link is never shown in this login page.
> Moreover, this is just a HEAD call so I don't think invoking that impacts
> the login page performance, because the actual page is not getting rendered
> here.
> The other thing is these webapps are coming from two features, so IMO, we
> cannot directly couple them together.
>

Is that working correctly? I think the HEAD operation returns 200 OK for any
endpoint starting with https://localhost:9443.

Thanks
Isura.


>> On Fri, Aug 18, 2017 at 11:54 AM, Farasath Ahamed 
>> wrote:
>>
>>>
>>> There is another complication here. We are not honouring the hostname
>>> verification settings set by Kernel when doing the backend call.
>>> Ideally, we should be using the common-http client if we are doing any
>>> backend https calls.
>>>
>>>
>>> Farasath Ahamed
>>> Software Engineer, WSO2 Inc.; http://wso2.com
>>> Mobile: +94777603866
>>> Blog: blog.farazath.com
>>> Twitter: @farazath619 
>>> 
>>>
>>>
>>>
>>> On Fri, Aug 18, 2017 at 11:45 AM, Gayan Gunawardana 
>>> wrote:
>>>
 In the IS 5.4.0-m2 SSO login page we can see a couple of hyperlinks for
 Forgot Password, Forgot Username and Register Now, as below.

 Actually how it renders is

  <%
 url = new URL(identityMgtEndpointContext +
 "/recoverpassword.do?callback=" + Encode.forHtmlAttribute
 (urlEncodedURL));
 httpURLConnection = (HttpURLConnection)
 url.openConnection();
 httpURLConnection.setRequestMethod("HEAD");
 httpURLConnection.connect();
 if (httpURLConnection.getResponseCode() ==
 HttpURLConnection.HTTP_OK) {
 %>
 Forgot Password 
 
 <%
 }

 So every time a user goes to the SSO login page, 3 HTTP requests need
 to be sent to render 3 hyperlinks. Also, if any of the APIs raises a
 back-end exception, a bad stack trace will be printed as below.

 WARN {org.apache.cxf.phase.PhaseInterceptorChain} -  Application {
 http://endpoint.recovery.identity.carbon.wso2.org/}ClaimsApi has
 thrown exception, unwinding now
 org.apache.cxf.interceptor.Fault

 Is there a better way to handle this situation?

 Thanks,
 Gayan

 --
 Gayan Gunawardana
 Senior Software Engineer; WSO2 Inc.; http://wso2.com/
 Email: ga...@wso2.com
 Mobile: +94 (71) 8020933

>>>
>>>
>>
>>
>> --
>>
>> Best Regards,
>>
>> Nuwandi Wickramasinghe
>>
>> Software Engineer
>>
>> WSO2 Inc.
>>
>> Web : http://wso2.com
>>
>> Mobile : 0719214873
>>
>
>
>
> --
>
> *Malithi Edirisinghe*
> Associate Technical Lead
> WSO2 Inc.
>
> Mobile : +94 (0) 718176807
> malit...@wso2.com
>



-- 

*Isura Dilhara Karunaratne*
Associate Technical Lead | WSO2
Email: is...@wso2.com
Mob : +94 772 254 810
Blog : http://isurad.blogspot.com/


Re: [Dev] Display the roles of a custom user store for Identity Server

2017-08-18 Thread Isura Karunaratne
Hi Thomas,

Did you override the doCheckExistingUser method in your custom user store
manager? In order to view the roles list of the user, the following methods
should be overridden:

   - doCheckExistingUser
   - doGetExternalRoleListOfUser
   - doGetInternalRoleListOfUser

If the issue still occurs after overriding the doCheckExistingUser method,
please attach your sample code so we can help you faster.

Thanks
Isura.

On Fri, Aug 18, 2017 at 3:09 PM, Thomas LEGRAND <
thomas.legr...@versusmind.eu> wrote:

> Hello again!
>
> During my tests, I "reinstalled" a new Identity Server v5.3.0 where I let
> the default configuration for the primary user store.
> I configured my custom secondary user store which retrieves data from a
> database. This custom user store is implemented by extending the
> AbstractUserStoreManager class and I generated an OSGi bundle which I
> dropped in the repository/components/dropins directory.
>
> So I can see my list of users coming from this user store when I display
> it from the identity server. But, when I want to display the roles of a
> user, I noticed that the primary user store is called (in my case, that was
> the default org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager
> configured in the user-mgt.xml configuration file) to check if the user
> existed and to retrieve its roles.
>
> Did I miss something in my implementation of the user store to have the
> effect of the primary user store taking the lead to retrieve the roles
> physically located on the secondary user store?
>
> Regards,
>
> Thomas
>
> 2017-08-17 11:22 GMT+02:00 Thomas LEGRAND :
>
>> Hello,
>>
>> I really don't understand why my "external" roles don't appear in the
>> list and why no role methods are called in my connector because, when I
>> configure a LDAP one, I can see the roles retrieved from the LDAP are
>> listed with the internal ones.
>>
>> I set the log level to DEBUG to see that the LDAP user store is calling
>> the internal role retrieval method before checking if the user exists:
>>
>> [2017-08-17 11:18:00,647] DEBUG 
>> {org.wso2.carbon.user.core.common.AbstractUserStoreManager}
>> -  Retrieving internal roles for user name :  a.bresson and search filter *
>> [2017-08-17 11:18:00,648] DEBUG {org.wso2.carbon.user.core.lda
>> p.ReadOnlyLDAPUserStoreManager} -  Searching for user a.bresson
>>
>> But in my case, the user check method isn't even called!
>>
>> If I continue with the logs, I can see that:
>>
>> [2017-08-17 11:18:00,653] DEBUG {org.wso2.carbon.user.core.lda
>> p.ReadOnlyLDAPUserStoreManager} -  Reading roles with the
>> memberOfProperty Property: memberOf
>>
>> Following this source code [1], it seems that it executes the method to
>> retrieve the external roles. On my side, in my own connector, that does not
>> even go there because it doesn't even check if the user exists.
>>
>> What am I missing?
>>
>> Regards,
>>
>> Thomas
>>
>> [1] https://github.com/biliroy/carbon4-kernel/blob/master/
>> core/org.wso2.carbon.user.core/src/main/java/org/wso2/
>> carbon/user/core/ldap/ReadOnlyLDAPUserStoreManager.java#L1724
>>
>> 2017-08-16 9:56 GMT+02:00 Thomas LEGRAND :
>>
>>> Hello everybody,
>>>
>>> I am writing a custom user store for the Identity Server and I
>>> successfully retrieved my list of users from my database. But when I try to
>>> display the roles of a user by clicking on the "View Roles" button [1],
>>> only the internal roles are displayed.
>>> I implemented the methods doGetExternalRoleListOfUser(),
>>>  doGetDisplayNamesForInternalRole(), doGetSharedRoleListOfUser() to log
>>> something on the INFO level but nothing happens.
>>>
>>> Can someone tell me which method to implement?
>>>
>>> Regards,
>>>
>>> Thomas
>>>
>>> [1] [image: Images intégrées 1]
>>>
>>
>>
>
>
>


-- 

*Isura Dilhara Karunaratne*
Associate Technical Lead | WSO2
Email: is...@wso2.com
Mob : +94 772 254 810
Blog : http://isurad.blogspot.com/


Re: [Dev] Avoid Invoking REST endpoints from SSO login page

2017-08-18 Thread Isura Karunaratne
On Fri, Aug 18, 2017 at 12:31 PM Nuwandi Wickramasinghe 
wrote:

> Looks like HTTP calls are done to validate the endpoint URL. Do we need
> this validation before showing the link?
>
> Shall we remove these calls and directly show the hyperlink?
>
+1

Thanks
Isura

>
> On Fri, Aug 18, 2017 at 11:54 AM, Farasath Ahamed 
> wrote:
>
>>
>> There is another complication here. We are not honouring the hostname
>> verification settings set by Kernel when doing the backend call.
>> Ideally, we should be using the common-http client if we are doing any
>> backend https calls.
>>
>>
>> Farasath Ahamed
>> Software Engineer, WSO2 Inc.; http://wso2.com
>> Mobile: +94777603866
>> Blog: blog.farazath.com
>> Twitter: @farazath619 
>> 
>>
>>
>>
>> On Fri, Aug 18, 2017 at 11:45 AM, Gayan Gunawardana 
>> wrote:
>>
> >>> In the IS 5.4.0-m2 SSO login page we can see a couple of hyperlinks for
> >>> Forgot Password, Forgot Username and Register Now, as below.
> >>>
>>> Actually how it renders is
>>>
>>>  <%
>>> url = new URL(identityMgtEndpointContext +
>>> "/recoverpassword.do?callback=" + Encode.forHtmlAttribute
>>> (urlEncodedURL));
>>> httpURLConnection = (HttpURLConnection) url.openConnection();
>>> httpURLConnection.setRequestMethod("HEAD");
>>> httpURLConnection.connect();
>>> if (httpURLConnection.getResponseCode() ==
>>> HttpURLConnection.HTTP_OK) {
>>> %>
>>> Forgot Password 
>>> 
>>> <%
>>> }
>>>
> >>> So every time a user goes to the SSO login page, 3 HTTP requests need
> >>> to be sent to render 3 hyperlinks. Also, if any of the APIs raises a
> >>> back-end exception, a bad stack trace will be printed as below.
>>>
>>> WARN {org.apache.cxf.phase.PhaseInterceptorChain} -  Application {
>>> http://endpoint.recovery.identity.carbon.wso2.org/}ClaimsApi has thrown
>>> exception, unwinding now
>>> org.apache.cxf.interceptor.Fault
>>>
> >>> Is there a better way to handle this situation?
>>>
>>> Thanks,
>>> Gayan
>>>
>>> --
>>> Gayan Gunawardana
>>> Senior Software Engineer; WSO2 Inc.; http://wso2.com/
>>> Email: ga...@wso2.com
>>> Mobile: +94 (71) 8020933
>>>
>>
>>
>
>
> --
>
> Best Regards,
>
> Nuwandi Wickramasinghe
>
> Software Engineer
>
> WSO2 Inc.
>
> Web : http://wso2.com
>
> Mobile : 0719214873
>
-- 

*Isura Dilhara Karunaratne*
Associate Technical Lead | WSO2
Email: is...@wso2.com
Mob : +94 772 254 810
Blog : http://isurad.blogspot.com/


Re: [Dev] JDBCUserstore Config "IsEmailUserName"

2017-07-31 Thread Isura Karunaratne
On Tue, Aug 1, 2017 at 2:49 AM Johann Nallathamby  wrote:

> I have also seen this and feel it's redundant. If there is no real purpose
> for this can we  deprecate it and remove any usage of this property? If it
> allows control per user store, then EnableEmailUserName is redundant in
> carbon.xml.
>
> Thoughts?
>

Yes. Currently, there is no usage of that property. We can deprecate and
remove it. There are a lot of usages of the EnableEmailUserName property. So,
in C4 based products we have to rely on the EnableEmailUserName property.

Thanks
Isura

> On Tue, Aug 1, 2017 at 12:33 AM, Hasintha Indrajee 
> wrote:
>
>> Is there any usage of subject ?. If so any idea where we honor this
>> config element ? Docs do have this [1]
>>
>> [1] https://docs.wso2.com/display/IS530/Configuring+a+JDBC+User+Store
>>
>> --
>> Hasintha Indrajee
>> WSO2, Inc.
>> Mobile:+94 771892453 <+94%2077%20189%202453>
>>
>>
>
>
> --
> Thanks & Regards,
>
> *Johann Dilantha Nallathamby*
> Senior Lead Solutions Engineer
> WSO2, Inc.
> lean.enterprise.middleware
>
> Mobile - *+9476950*
> Blog - *http://nallaa.wordpress.com *
>
-- 

*Isura Dilhara Karunaratne*
Senior Software Engineer | WSO2
Email: is...@wso2.com
Mob : +94 772 254 810
Blog : http://isurad.blogspot.com/


Re: [Dev] [IDENTITY-6155] Invoking the user info endpoint without properly setting the 'Bearer' header causes server errors

2017-07-30 Thread Isura Karunaratne
Hi Hasini,

Merged the PR with [1]

Thanks
Isura.


[1]
https://github.com/wso2-extensions/identity-inbound-auth-oauth/commit/6adda2141e27cbe2df1a985e8f857816f37f2a66

On Fri, Jul 28, 2017 at 5:01 PM, Hasini Witharana  wrote:

> Hi,
>
> I am working on the jira IDENTITY-6155. Invoking the user info endpoint
> without adding the access token to the 'Bearer' header causes the server to
> return an ArrayIndexOutOfBoundsException with the full stack trace to the
> client.
>
> As per the OIDC/OAuth 2.0 specifications [1][2], this sort of request can
> be treated as an invalid request.
> Please refer to the PR [3] which fixes this issue.
>
> [1]- http://openid.net/specs/openid-connect-core-1_0.html#UserInfoError
> [2]- https://tools.ietf.org/html/rfc6750#section-6.2
> [3]- https://github.com/wso2-extensions/identity-inbound-auth-
> oauth/pull/420
>
> Thank you.
>
> --
>
> *Hasini Witharana*
> Software Engineering Intern | WSO2
>
>
> *Email : hasi...@wso2.com *
>
> *Mobile : +94713850143 <+94%2071%20385%200143>[image:
> http://wso2.com/signature] *
>



-- 

*Isura Dilhara Karunaratne*
Senior Software Engineer | WSO2
Email: is...@wso2.com
Mob : +94 772 254 810
Blog : http://isurad.blogspot.com/
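An added example, not the project's code and not the fix in PR [3], of a defensive Authorization header parser for the userinfo case above: a bare "Bearer" with no token yields an RFC 6750 invalid_request error response instead of an exception. The class, method names and the sample header values are my own.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class BearerHeaderParser {

    // RFC 6750 section 2.1: credentials = "Bearer" 1*SP b64token. The scheme
    // name is case-insensitive (RFC 7235); surrounding whitespace is tolerated.
    private static final Pattern BEARER = Pattern.compile(
            "^\\s*Bearer\\s+([A-Za-z0-9\\-._~+/]+=*)\\s*$", Pattern.CASE_INSENSITIVE);

    /** Either a token (status 200, error null) or the RFC 6750 error response to send. */
    public static final class Result {
        public final String token;
        public final int status;
        public final String error;

        private Result(String token, int status, String error) {
            this.token = token;
            this.status = status;
            this.error = error;
        }

        public boolean isValid() {
            return token != null;
        }
    }

    /** Parses the Authorization header value; never throws on malformed input. */
    public static Result parse(String authorization) {
        if (authorization == null || authorization.trim().isEmpty()) {
            // No credentials at all: 401 with a bare challenge and no error code (RFC 6750 3.1).
            return new Result(null, 401, null);
        }
        Matcher m = BEARER.matcher(authorization);
        if (!m.matches()) {
            // "Bearer" with no token, another scheme, or a non-b64token value: invalid_request.
            return new Result(null, 400, "invalid_request");
        }
        return new Result(m.group(1), 200, null);
    }

    /** WWW-Authenticate header value to attach to an error response (RFC 6750 section 3). */
    public static String challenge(Result r, String realm) {
        String header = "Bearer realm=\"" + realm + "\"";
        if (r.error != null) {
            header += ", error=\"" + r.error + "\"";
        }
        return header;
    }

    public static void main(String[] args) {
        // Constructed sample header values.
        String[] samples = {
                null,                   // header absent
                "Bearer",               // scheme only: the input that produced the exception
                "Bearer ",              // trailing space, still no token
                "Basic dXNlcjpwYXNz",  // wrong scheme
                "bearer abc.def-123",   // valid; lower-case scheme is allowed
        };
        for (String s : samples) {
            Result r = parse(s);
            System.out.println("[" + s + "] -> " + (r.isValid()
                    ? "token=" + r.token
                    : r.status + " WWW-Authenticate: " + challenge(r, "userinfo")));
        }
    }
}
```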


Re: [Dev] IS User Portal is validating audience against Carbon SAML2 SSO authenticator defined in authenticator.xml

2017-07-28 Thread Isura Karunaratne
Adding Rushmin

On Tue, Jul 18, 2017 at 10:22 AM, Johann Nallathamby 
wrote:

> Hi All,
>
> We noticed $subject. I don't think this is valid because IS User Portal
> and Carbon management console should be treated as two SPs. So user portal
> reading the audience from authenticator.xml is wrong. Also it reads it even
> if SAML2 SSO authenticator is disabled. So this will create even more
> problems when both User Portal and Carbon management console is enabled for
> SSO. Correct way of validating audience should be by defining the audience
> in auth_config.json in the dashboard webapp.
>
> Can we please fix this for IS 5.4.0?
>
> Thanks & Regards,
> Johann.
>
> --
>
> *Johann Dilantha Nallathamby*
> Senior Lead Solutions Engineer
> WSO2, Inc.
> lean.enterprise.middleware
>
> Mobile - *+9476950*
> Blog - *http://nallaa.wordpress.com *
>



-- 

*Isura Dilhara Karunaratne*
Senior Software Engineer | WSO2
Email: is...@wso2.com
Mob : +94 772 254 810
Blog : http://isurad.blogspot.com/


Re: [Dev] Configuring Subject Claim URI for File based Service Provider didn't work and no proper documentation to get it done

2017-07-28 Thread Isura Karunaratne
Hi Johann,

Created a Jira to track the issue [1]. Will fix this with IS 5.4.0.

Thanks
Isura.

[1] https://wso2.org/jira/browse/IDENTITY-6192

On Wed, Jul 19, 2017 at 2:29 PM, Samuel Gnaniah  wrote:

> Ack for docs. Can we get some content for this?
>
> *Samuel Gnaniah*
> Lead Technical Writer
>
> WSO2 (pvt.) Ltd.
> Colombo, Sri Lanka
> (+94) 773131798 <+94%2077%20313%201798>
>
> On Tue, Jul 18, 2017 at 10:51 AM, Johann Nallathamby 
> wrote:
>
>> Hi All,
>>
>> I tried to get "Subject Claim URI" configuration working for a file based
>> SP, pointing it to a different claim other than username, but didn't
>> succeed. Also seems our documentation is still lacking on how to get this
>> done.
>>
>> Thanks & Regards,
>> Johann.
>>
>> --
>>
>> *Johann Dilantha Nallathamby*
>> Senior Lead Solutions Engineer
>> WSO2, Inc.
>> lean.enterprise.middleware
>>
>> Mobile - *+9476950*
>> Blog - *http://nallaa.wordpress.com *
>>
>
>


-- 

*Isura Dilhara Karunaratne*
Senior Software Engineer | WSO2
Email: is...@wso2.com
Mob : +94 772 254 810
Blog : http://isurad.blogspot.com/


Re: [Dev] [IDENTITY-3355] Better if only warning is shown for signature verification failures

2017-07-28 Thread Isura Karunaratne
Hi Sugirjan,

+1 for the warning message without printing the exception trace. We can add
the exception trace as a debug log.

Thanks
Isura.

On Thu, Jul 20, 2017 at 6:47 PM, Sugirjan Ragunaathan 
wrote:

> Hi,
>
> I'm working on the WSO2 public JIRA issue $subject [1].
>
> In the source code [2], when the SAML2 signature is validated and a
> validation exception is caught, then the exception is logged as a debug
> message.
>
> } catch (ValidationException e) {
> if (log.isDebugEnabled()) {
> log.debug("SAML Signature validation failed from domain : " + 
> domainName, e);
> }
> }
>
>
> In the source code [3], if a validation exception is caught, then the
> exception is logged as a warning message, not as a debug message.
>
> } catch (IdentitySAML2SSOException e) {
> log.warn("Signature validation failed for the SAML Message : Failed to 
> construct the X509CredentialImpl for the alias " +
> alias, e);
> return false;
> }
>
> What is the best implementation way for handling this exception?
>
> [1]Better if only warning is shown for signature verification failures
> (not the whole exception) 
>
> [2]https://github.com/wso2-extensions/identity-carbon-
> auth-saml2/blob/v5.2.3/components/org.wso2.carbon.
> identity.authenticator.saml2.sso/src/main/java/org/wso2/
> carbon/identity/authenticator/saml2/sso/SAML2SSOAuthenticator.java#L509
>
> [3]https://github.com/wso2-extensions/identity-inbound-
> auth-saml/blob/v5.3.0/components/org.wso2.carbon.
> identity.sso.saml/src/main/java/org/wso2/carbon/identity/
> sso/saml/util/SAMLSSOUtil.java#L882
>
> Thanks.
>
> Regards,
> *R. Sugirjan*
> Software Engineering - Intern | WSO2
>
> Email:  sugir...@wso2.com
> Mobile: +94768489892 <+94%2076%20848%209892>
> 
>



-- 

*Isura Dilhara Karunaratne*
Senior Software Engineer | WSO2
Email: is...@wso2.com
Mob : +94 772 254 810
Blog : http://isurad.blogspot.com/


Re: [Dev] (IDENTITY-6167) Need to honor modifications to email-admin-config.xml file

2017-07-28 Thread Isura Karunaratne
Can we move configuration files in a minor release?

Thanks
Isura.

On Thu, Jul 27, 2017 at 12:26 PM, KasunG Gajasinghe  wrote:

>
>
> On Thu, Jul 27, 2017 at 10:20 AM, Harsha Thirimanna 
> wrote:
>
>>
>>
>> On Thu, Jul 27, 2017 at 9:41 AM, KasunG Gajasinghe 
>> wrote:
>>
>>>
>>>
>>> On Wed, Jul 26, 2017 at 10:39 PM, Harsha Thirimanna 
>>> wrote:
>>>

 On Wed, Jul 26, 2017 at 9:31 PM, KasunG Gajasinghe 
 wrote:

>
>
> On Wed, Jul 26, 2017 at 9:07 PM, Johann Nallathamby 
> wrote:
>
>>
>>
>> On Wed, Jul 26, 2017 at 8:58 PM, Harsha Thirimanna 
>> wrote:
>>
>>> Hi All,
>>>
>>> I think we feel like both pros and cons because of these data file
>>> are located under the configurations. These are not actually config 
>>> files
>>> and as Kasun said if these are under the config folder then anyone can 
>>> feel
>>> to change and expect the changes in system after restarting. And same as
>>> Johan said, we can explain in the documentation clearly about the
>>> behaviour.
>>>
>>> As an alternative solution, can't we have such files in some
>>> different root folder but not under the config or deployment ,because of
>>> these files are not either deployable artifact or configs. Then users 
>>> will
>>> not misunderstand about these files and there can be its own behaviour 
>>> as
>>> what we have now.
>>>
>>
>>> *Harsha Thirimanna*
>>> *Associate Tech Lead | WSO2*
>>>
>>> Email: hars...@wso2.com
>>> Mob: +94715186770 <+94%2071%20518%206770>
>>> Blog: http://harshathirimanna.blogspot.com/
>>> Twitter: http://twitter.com/harshathirimann
>>> Linked-In: linked-in: http://www.linkedin.com/pub/ha
>>> rsha-thirimanna/10/ab8/122
>>> 
>>>
>>> On Wed, Jul 26, 2017 at 5:21 PM, KasunG Gajasinghe 
>>> wrote:
>>>
 Hi Johann,


 On Wed, Jul 26, 2017 at 3:22 PM, Farasath Ahamed <
 farasa...@wso2.com> wrote:

> Hi,
>
> email-admin-config.xml has the default email templates that are
> used for Email notifications.
> Since we have a UI to add/update new Email templates I don't think
> the user has to go to the registry and do any modifications.
>
>
> Thanks,
> Farasath
>
> Farasath Ahamed
> Software Engineer, WSO2 Inc.; http://wso2.com
> Mobile: +94777603866
> Blog: blog.farazath.com
> Twitter: @farazath619 
> 
>
>
>
> On Wed, Jul 26, 2017 at 1:30 PM, Johann Nallathamby <
> joh...@wso2.com> wrote:
>
>> Hi Kasun,
>>
>> I don't think we need to do this because,
>>
>> 1. This is the model we follow for some other files as well.
>> claim-config.xml
>> identity-event.properties
>>
>>
 Yes, I think Isura mentioned the same. Let me revise my original
 query. The problem I was trying to address is:

 1. There is a config file under repository/conf/ which is only read
 during start-up. Since it is read once, should it really be in the
 repository/conf/?

 2. If a config file is there under repository/conf/, then users
 expect any changes to it will be visible to users. It is not that 
 intuitive
 for a first time user IMO.

>>>
 As the product is quite matured, I think it may be better to look
 into these aspects to make the first time user experience better.  
 Hence,
 the request for $subject.

>>>
>> Agreed. We may be able to improve this.
>>
>>
> Cool.. :) My suggestion is to honor the changes to the file. So, if
> the file hash is changed, we re-upload the changes.
>
> MD5 hash can be stored in registry as a property along with the email
> templates. It is a simple change to [1] as I understand.
>

 ​But after some one change from the UI then it will update the changes
 in registry. But it is not reflected in the file. Again if some one change
 in the file, then registry will override the changes in registry that is
 changed by the UI. Is this expected ?
 ​

>>>
>>> Yes, that happens. User need to stick to one. This is actually a problem
>>> we had in our platform for a while. Some of our configurations are
>>> duplicated in both file system and registry. This leads to much confusion
>>> for a first time user.
>>>
>>
>> ​Agree
>> ​
>>
>>>
>>> What's your suggestion?
>>>
>>
>> ​​I think, main reason is that we consider these 

Re: [Dev] [IS]User account locking

2017-07-21 Thread Isura Karunaratne
Hi Hanen,

I guess you have not enabled Account Lock from the Resident IDP UI. As Hasanthi
pointed out, try the docs and let us know your feedback.

Thanks
Isura.

On Fri, Jul 21, 2017 at 1:33 PM, Hasanthi Purnima Dissanayake <
hasan...@wso2.com> wrote:

> Hi Hanen,
>
> Yes, the feature is tested in IS 5.3.0. Did you configure it? Please refer to
> the 'Configuring the WSO2 Identity Server for account locking' part of [1]. In
> IS 5.3.0 we need to configure some properties using the UI as well. So please
> use the document to configure account locking in IS 5.3.0. If you still
> can't make this work, please get back to us.
>
> [1] https://docs.wso2.com/display/IS530/User+Account+Locking+
> and+Account+Disabling#04a3bc93b073466dae2c618e35801c93
>
> Thanks,
> Hasanthi
>
>
> Hasanthi Dissanayake
>
> Software Engineer | WSO2
>
> E: hasan...@wso2.com
> M :0718407133| http://wso2.com 
>
> On Fri, Jul 21, 2017 at 1:02 PM, Hanen Ben Rhouma 
> wrote:
>
>> Hello guys,
>>
>> I have a question related to user account locking. I tried locking admin
>> and even a simple user (with only login permission) via GUI as well as via
>> SOAP call but nothing worked, the accounts are still able to login. Was
>> this feature tested for the 5.3.0 version?
>>
>>
>> Regards,
>> Hanen
>>
>>
>>
>
>
>


-- 

*Isura Dilhara Karunaratne*
Senior Software Engineer | WSO2
Email: is...@wso2.com
Mob : +94 772 254 810
Blog : http://isurad.blogspot.com/


Re: [Dev] Are we planning to ship Rest API authentication for IS 5.4.0?

2017-07-13 Thread Isura Karunaratne
Hi Johann,

On Thu, Jul 13, 2017 at 6:45 PM Johann Nallathamby  wrote:

> Hi IAM Team,
>
> As I understand many WSO2 Identity Server users are writing their own Rest
> APIs to authenticate users against Identity Server user stores. Are we
> having any plans of shipping one of this Rest APIs out of the box with IS
> 5.4.0 or 5.5.0?
>

Not with IS 5.4.0. We will prioritize this for IS 5.5.0.

Thanks
Isura

>
>
> Thanks & Regards,
> Johann.
>
> --
>
> *Johann Dilantha Nallathamby*
> Senior Lead Solutions Engineer
> WSO2, Inc.
> lean.enterprise.middleware
>
> Mobile - *+9476950*
> Blog - *http://nallaa.wordpress.com *
>
-- 

*Isura Dilhara Karunaratne*
Senior Software Engineer | WSO2
Email: is...@wso2.com
Mob : +94 772 254 810
Blog : http://isurad.blogspot.com/


Re: [Dev] Need to increase column width for DATA_VALUE column of IDN_IDENTITY_USER_DATA table

2017-07-12 Thread Isura Karunaratne
Fixed with https://wso2.org/jira/browse/IDENTITY-6142

On Thu, Jul 13, 2017 at 9:43 AM, Isura Karunaratne <is...@wso2.com> wrote:

>
> On Wed, Jul 12, 2017 at 11:00 PM Johann Nallathamby <joh...@wso2.com>
> wrote:
>
>> Hi IAM Team,
>>
>> Please consider $subject high priority because the default column width
>> is 256 characters which could be insufficient for some use cases.
>> Especially with TOTP authenticator we are encrypting the secret key and
>> storing it in this table. The production recommendation for key size is
>> 2048 bits.
>>
> +1 will do
>
> Thanks
> Isura
>
>>
>>
>> Thanks & Regards,
>> Johann.
>>
>> --
>>
>> *Johann Dilantha Nallathamby*
>> Senior Lead Solutions Engineer
>> WSO2, Inc.
>> lean.enterprise.middleware
>>
>> Mobile - *+9476950*
>> Blog - *http://nallaa.wordpress.com <http://nallaa.wordpress.com>*
>>
>


-- 

*Isura Dilhara Karunaratne*
Senior Software Engineer | WSO2
Email: is...@wso2.com
Mob : +94 772 254 810
Blog : http://isurad.blogspot.com/


Re: [Dev] Need to increase column width for DATA_VALUE column of IDN_IDENTITY_USER_DATA table

2017-07-12 Thread Isura Karunaratne
On Wed, Jul 12, 2017 at 11:00 PM Johann Nallathamby  wrote:

> Hi IAM Team,
>
> Please consider $subject high priority because the default column width is
> 256 characters which could be insufficient for some use cases. Especially
> with TOTP authenticator we are encrypting the secret key and storing it in
> this table. The production recommendation for key size is 2048 bits.
>
+1 will do

Thanks
Isura

>
>
> Thanks & Regards,
> Johann.
>
> --
>
> *Johann Dilantha Nallathamby*
> Senior Lead Solutions Engineer
> WSO2, Inc.
> lean.enterprise.middleware
>
> Mobile - *+9476950*
> Blog - *http://nallaa.wordpress.com *
>


Re: [Dev] Identity Server 5.3.0 MSSQL script doesn't execute successfully

2017-07-10 Thread Isura Karunaratne
On Mon, Jul 10, 2017 at 8:36 PM, Johann Nallathamby  wrote:

> Hi IAM Team,
>
> Please check on $subject and fix on IS 5.4.0. This is an L1.
>

We will fix this in IS 5.4.0

>
> [1] https://wso2.org/jira/browse/IDENTITY-6130
>
> Regards,
> Johann.
>
> --
> Thanks & Regards,
>
> *Johann Dilantha Nallathamby*
> Senior Technical Lead - WSO2 Identity Server
> Governance technologies Team
> WSO2, Inc.
> lean.enterprise.middleware
>
> Mobile - *+9476950*
> Blog - *http://nallaa.wordpress.com *
>



-- 

*Isura Dilhara Karunaratne*
Senior Software Engineer | WSO2
Email: is...@wso2.com
Mob : +94 772 254 810
Blog : http://isurad.blogspot.com/


Re: [Dev] [Swagger] swagger2cxf-maven-plugin to generate server stub for CXF

2017-07-05 Thread Isura Karunaratne
Hi Indunil,

On Wed, Jul 5, 2017 at 11:35 AM, Indunil Upeksha Rathnayake <
indu...@wso2.com> wrote:

> Hi,
>
> I have used the Swagger Codegen to generate the server stubs from a
> Swagger definition of a REST API for IS 5.4.0.
>
> In there I have added the following plugin to generate server stub for CXF.
>
>> <plugin>
>>     <groupId>org.wso2.maven.plugins</groupId>
>>     <artifactId>swagger2cxf-maven-plugin</artifactId>
>>     <version>1.0-SNAPSHOT</version>
>>     <configuration>
>>         <!-- the name of the element holding this path did not survive in the archive -->
>>         ${project.basedir}/src/main/resources/api.identity.oauth2.scope.endpoint.yaml
>>     </configuration>
>> </plugin>
>>
>
>
> Also add the following maven build helper plugin.
>
>> <plugin>
>>     <groupId>org.codehaus.mojo</groupId>
>>     <artifactId>build-helper-maven-plugin</artifactId>
>>     <executions>
>>         <execution>
>>             <id>add-source</id>
>>             <phase>generate-sources</phase>
>>             <goals>
>>                 <goal>add-source</goal>
>>             </goals>
>>             <configuration>
>>                 <sources>
>>                     <source>src/gen/java</source>
>>                 </sources>
>>             </configuration>
>>         </execution>
>>     </executions>
>> </plugin>
>>
>
> Then use "mvn swagger2cxf:generate" command to generate the server stubs
> and in src/gen/java folder, set of factories are generated and in main/Java
> folder, a set of impl files are generated.
>
> I have following concerns regarding server stubs generation from Swagger.
>
>- Can this be automated in the component build?
>
>
No.

>
>- Or is this normally the way it should be handled, with all
>the generated files committed to git as well?
>
> We have to commit the generated files.


>
>- If we are committing the generated files to git, is it recommended
>to add class comments to those?
>
> I don't think we need to add class comments. But we had better add licence
headers.

Thanks
Isura.

>
> Thanks and Regards
>
> --
> Indunil Upeksha Rathnayake
> Software Engineer | WSO2 Inc
> Emailindu...@wso2.com
> Mobile   0772182255
>



-- 

*Isura Dilhara Karunaratne*
Senior Software Engineer | WSO2
Email: is...@wso2.com
Mob : +94 772 254 810
Blog : http://isurad.blogspot.com/


Re: [Dev] [Architecture] [IS] Features to be included in IS 5.4.0 which required for APIM 3.0

2017-06-22 Thread Isura Karunaratne
On Wed, Jun 14, 2017 at 11:06 PM, Bhathiya Jayasekara 
wrote:

> Hi Indunil,
>
> A few more details.
>
> On Wed, Jun 14, 2017 at 10:52 PM, Bhathiya Jayasekara 
> wrote:
>
>> Hi Indunil,
>>
>> Please see my comments inline.
>>
>> On Wed, Jun 14, 2017 at 7:28 PM, Indunil Upeksha Rathnayake <
>> indu...@wso2.com> wrote:
>>
>>> Hi,
>>>
>>> Thanks for all your valuable feedback. Currently we are implementing the
>>> following REST endpoints. We have modeled the REST API using swagger
>>> and you can find the attached swagger definition as well. Really appreciate
>>> your comments and suggestions on the specified endpoints; please mention if
>>> there are other required endpoints.
>>>
>>>
>>> Endpoint: /scopes
>>> Method: POST
>>> Usage: Create Scopes
>>> Request Body: [{"key": "openid", "name": "openid", "description": "openid scope", "bindings": ["role1", "role2"]}]
>>> Response: "HTTP/1.1 201 Created"
>>>
>>
>> Here the request body is a JSON array. Does that mean we can create
>> multiple scopes at once? If not, let's get rid of the wrapping square
>> brackets.
>>
>
> My +1 is to have multiple scopes in the request.
>
>
>>
>>
>>>
>>> Endpoint: /scopes
>>> Method: DELETE
>>> Usage: Delete Scopes
>>> Request Body: ["key1", "key2"]
>>> Response: "HTTP/1.1 201 Deleted"
>>>
>>> Endpoint: /scopes
>>> Method: PUT
>>> Usage: Update Scopes
>>> Request Body: [{"key": "openid", "name": "openid", "description": "openid scope", "bindings": ["role3"]}]
>>> Response: "HTTP/1.1 201 Updated"
>>>
>>
>> In these 2 cases the status code should be 200. (We may also use 204 for
>> delete like DCRM spec does.)
>>
>
>

> From the http spec https://tools.ietf.org/html/rfc2616#section-9.7 :
>
>  A successful response SHOULD be 200 (OK) if the response includes an
>entity describing the status, 202 (Accepted) if the action has not
>yet been enacted, or 204 (No Content) if the action has been enacted
>but the response does not include an entity.
>
>
> So you can choose between 200 or 204 depending on the response body you
> send back.
>
> Further, instead of sending a request body in the DELETE request (which is
> not restricted by the spec though), we can send it like this.
>
>  DELETE /scopes?keys=key1,key2
>
> WDYT?

+1.
@Indunil

Did we consider this when implementing delete scopes?

Thanks
Isura.


>
> Thanks,
> Bhathiya
>
>
>>
>>
>>> Endpoint: /scopes?filter=maxResults+Eq+100
>>> Method: GET
>>> Usage: Get all available Scopes
>>> Response: [{"key": "openid", "name": "openid", "description": "openid scope", "bindings": []}]
>>>
>>> Endpoint: /scopes/by-bindings
>>> Method: GET
>>> Usage: Get Scopes by Binding/s
>>> Request Body: {"bindings": ["role1", "role2"]}
>>> Response: [{"key": "openid", "name": "openid", "description": "openid scope", "bindings": ["role1", "role2"]}]
>>>
>>
>> This should be a POST if you have a request body. Instead of that, how
>> about something like this?
>>
>> /scopes?bindings=role1,role2
>>
>>
>>>
>>> Endpoint: /scopes/keys
>>> Method: GET
>>> Usage: Get all the available Scope Keys
>>> Response: ["key1", "key2"]
>>>
>>> Endpoint: /scopes/keys/by-bindings
>>> Method: GET
>>> Usage: Get Scope keys by Binding/s
>>> Request Body: {"bindings": ["role1", "role2"]}
>>> Response: ["key1", "key2"]
>>>
>>
>> We can do the same here.
>>
>> /scopes/keys?bindings=role1,role2
>>
>>
>>>
>>> Endpoint: /scopes/{scope_key}
>>> Method: GET
>>> Usage: Get a Scope by Scope Key
>>> Response: {"key": "openid", "name": "openid", "description": "openid scope", "bindings": []}
>>>
>>> Endpoint: /scopes/{scope_key}
>>> Method: DELETE
>>> Usage: Delete a Scope by Scope Key
>>> Response: "HTTP/1.1 201 Deleted"
>>>
>>> Endpoint: /scopes/{scope_key}
>>> Method: PUT
>>> Usage: Update a Scope by Scope Key
>>> Request Body: {"key": "openid", "name": "openid", "description": "openid scope", "bindings": ["role3", "role4"]}
>>> Response: "HTTP/1.1 201 Updated"
>>>
>>
>> Need to change the status codes as suggested above.
>>
>> Thanks,
>> Bhathiya
>>
>>
>>>
>>>
>>> @Nuwan: We have a suggestion to modify the database schema as follows
>>> to properly store bindings (considering the performance issues in using
>>> comma separated values and renaming the "ROLES" field to a generic name),
>>> but we need to discuss this and finalize it.
>>>
>>>
>>> (schema diagram not included in the archive)
>>> Appreciate your comments and suggestions and I will arrange a meeting
>>> tomorrow to have a further discussion on this.
>>>
>>> Thanks and Regards
>>>
>>>
>>> On Mon, Jun 12, 2017 at 2:53 AM, Nuwan Dias  wrote:
>>>

 On Fri, Jun 9, 2017 at 5:46 AM Indunil Upeksha Rathnayake <
 indu...@wso2.com> wrote:

> Hi,
>
> We are currently working on implementing following features which are
> needed for APIM 3.0. You can find the initial discussion details in [1].
>
>1. Sign UserInfo JWT response
>2. Scope registration and Scope binding
>3. DCRM
>
>
> *Sign UserInfo JWT response:*
> JWT user info response signing implementation is in [1].
>
> Currently in APIM, there is a key manager global wise configuration to
> configure needed claims which needed to be send in user info response. We
> need to consider, when no SP wise requested claims are configured as in
> APIM, whether we need to send all the claims bound for a specific scope in
> oidc-scope-config.xml.
> Currently in IS, we are sending only those claims which are common in
> both OIDC 
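The /scopes design argued out above (201 on create, 200 on update, 204 on delete, and keys or bindings passed as a comma-separated query parameter instead of a DELETE or GET body), modelled as an in-memory resource. This is an added example and not WSO2 or Identity Server code; the scope-key pattern, the all-or-nothing create, the (status, body) return shape and the sample scope names are assumptions for the illustration.

```python
"""In-memory model of the /scopes resource discussed in the thread.

Added example, not WSO2 code. Status codes follow the proposal in the
thread: 201 Created, 200 OK for updates, 204 No Content for deletes, and
400/404/409 for bad input. Keys to delete and bindings to filter on travel
as comma-separated query parameters, e.g. DELETE /scopes?keys=key1,key2.
Assumptions: scope keys are 1-64 characters of [A-Za-z0-9:_.-], create is
all-or-nothing, and every handler returns a (status, body) tuple.
"""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

SCOPE_KEY = re.compile(r"^[A-Za-z0-9:_.-]{1,64}$")
Response = Tuple[int, Optional[object]]


def _csv_param(url: str, name: str) -> List[str]:
    """Read ?name=a,b or ?name=a&name=b; empty items are dropped."""
    raw = parse_qs(urlsplit(url).query).get(name, [])
    return [item for chunk in raw for item in chunk.split(",") if item]


class ScopeStore:
    def __init__(self) -> None:
        self._scopes: Dict[str, dict] = {}

    # POST /scopes -> 201 with the created scopes; 400/409 leave the store untouched
    def create(self, body: List[dict]) -> Response:
        for scope in body:
            key = scope.get("key", "")
            if not SCOPE_KEY.match(key):
                return 400, {"error": f"invalid scope key {key!r}"}
            if key in self._scopes:
                return 409, {"error": f"scope {key} already exists"}
        created = []
        for scope in body:
            record = {
                "key": scope["key"],
                "name": scope.get("name", scope["key"]),
                "description": scope.get("description", ""),
                "bindings": sorted(set(scope.get("bindings", []))),
            }
            self._scopes[record["key"]] = record
            created.append(record)
        return 201, created

    # GET /scopes/{key} -> 200 / 404
    def get(self, key: str) -> Response:
        record = self._scopes.get(key)
        return (200, record) if record else (404, {"error": f"unknown scope {key}"})

    # PUT /scopes/{key} -> 200 / 400 / 404
    def update(self, key: str, body: dict) -> Response:
        if key not in self._scopes:
            return 404, {"error": f"unknown scope {key}"}
        if body.get("key", key) != key:
            return 400, {"error": "key in path and body differ"}
        record = self._scopes[key]
        record["name"] = body.get("name", record["name"])
        record["description"] = body.get("description", record["description"])
        record["bindings"] = sorted(set(body.get("bindings", record["bindings"])))
        return 200, record

    # DELETE /scopes?keys=k1,k2 -> 204, or 404 naming the missing keys (no partial delete)
    def delete_many(self, url: str) -> Response:
        keys = _csv_param(url, "keys")
        if not keys:
            return 400, {"error": "keys query parameter is required"}
        missing = [k for k in keys if k not in self._scopes]
        if missing:
            return 404, {"error": "unknown scopes", "keys": missing}
        for k in keys:
            del self._scopes[k]
        return 204, None

    # GET /scopes?bindings=role1,role2 -> scopes bound to any listed role (all if none given)
    def list_by_bindings(self, url: str) -> Response:
        wanted = set(_csv_param(url, "bindings"))
        rows = [s for s in self._scopes.values()
                if not wanted or wanted & set(s["bindings"])]
        return 200, rows

    # GET /scopes/keys?bindings=role1,role2 -> just the keys
    def list_keys(self, url: str) -> Response:
        status, rows = self.list_by_bindings(url)
        return status, [row["key"] for row in rows]
```

Validating every key before mutating anything is what makes a multi-scope POST or DELETE safe to retry: a client that gets a 404 listing the unknown keys knows nothing was removed.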

Re: [Dev] Please increase the TOKEN_SCOPE column length in IDN_OAUTH2_ACCESS_TOKEN_SCOPE table

2017-06-22 Thread Isura Karunaratne
On Thu, Jun 22, 2017 at 12:21 PM, Nuwan Dias  wrote:

> Please remember to include this change in the migration script (5.3.0 to
> 5.4.0) as well.
>
Noted. [1] is used to maintain the changes from 5.3.0 to 5.4.0.

[1] https://wso2.org/jira/browse/IDENTITY-6094

Thanks
Isura.

>
> On Thu, Jun 22, 2017 at 12:19 PM, Indunil Upeksha Rathnayake <
> indu...@wso2.com> wrote:
>
>> Hi,
>>
>> Created a JIRA for this in [1], will be fixed in 5.4.0-m2.
>>
>> [1] https://wso2.org/jira/browse/IDENTITY-6093
>>
>> Thanks and Regards
>>
>> On Thu, Jun 22, 2017 at 11:54 AM, Naduni Pamudika 
>> wrote:
>>
>>> Hi IS Team,
>>>
>>> I am working on the SSO Login feature in APIM, and there I need to have
>>> a bit longer scopes list. When I was trying to send the access token
>>> request it gave an error saying "Value too long for column "TOKEN_SCOPE
>>> VARCHAR(60) NOT NULL"".
>>>
>>> Noticed that you have size 2048 for the scopes in other places [1,2].
>>> Can you please increase this [3] as well?
>>>
>>> [1] https://github.com/wso2/carbon-identity-framework/blob/m
>>> aster/features/identity-core/org.wso2.carbon.identity.core.s
>>> erver.feature/resources/dbscripts/mysql.sql#L31
>>> [2] https://github.com/wso2/carbon-identity-framework/blob/m
>>> aster/features/identity-core/org.wso2.carbon.identity.core.s
>>> erver.feature/resources/dbscripts/mysql.sql#L86
>>> [3] https://github.com/wso2/carbon-identity-framework/blob/m
>>> aster/features/identity-core/org.wso2.carbon.identity.core.s
>>> erver.feature/resources/dbscripts/mysql.sql#L105
>>>
>>> Thank you.
>>> Naduni
>>>
>>> --
>>> *Naduni Pamudika*
>>> Software Engineer | WSO2
>>> Mobile: +94 719 143658
>>>
>>
>>
>>
>> --
>> Indunil Upeksha Rathnayake
>> Software Engineer | WSO2 Inc
>> Emailindu...@wso2.com
>> Mobile   0772182255
>>
>
>
>
> --
> Nuwan Dias
>
> Software Architect - WSO2, Inc. http://wso2.com
> email : nuw...@wso2.com
> Phone : +94 777 775 729
>



-- 

*Isura Dilhara Karunaratne*
Senior Software Engineer | WSO2
Email: is...@wso2.com
Mob : +94 772 254 810
Blog : http://isurad.blogspot.com/
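Both column-width threads above (DATA_VALUE in IDN_IDENTITY_USER_DATA at VARCHAR(256) holding an encrypted TOTP secret, and TOKEN_SCOPE in IDN_OAUTH2_ACCESS_TOKEN_SCOPE at VARCHAR(60) holding a scope list) come down to the same check: how many characters will the stored text need? The example below works that out. It is an added example, not code from the messages or from WSO2; the two column names and widths are taken from the threads, while the RSA encryption, base64 storage encoding, 2048-bit key size and the sample scope list are assumptions.

```python
"""Will the value fit the column? A check for the two widths from the threads.

Added example, not code from WSO2 or from the messages above. The column
names and widths come from the threads: IDN_IDENTITY_USER_DATA.DATA_VALUE is
VARCHAR(256) and IDN_OAUTH2_ACCESS_TOKEN_SCOPE.TOKEN_SCOPE is VARCHAR(60).
Everything else is an assumption: the TOTP secret is encrypted with RSA and
stored base64-encoded, the key is 2048 bits, and the scope list is a
constructed sample.
"""
import base64
import math
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class Column:
    table: str
    name: str
    width: int  # VARCHAR(width), counted in characters

    @property
    def qualified(self) -> str:
        return f"{self.table}.{self.name}"


DATA_VALUE = Column("IDN_IDENTITY_USER_DATA", "DATA_VALUE", 256)
TOKEN_SCOPE = Column("IDN_OAUTH2_ACCESS_TOKEN_SCOPE", "TOKEN_SCOPE", 60)

# Constructed sample of a long, space-separated scope list (the thread does
# not quote the real one); the apim:* names are illustrative only.
SAMPLE_SCOPES = " ".join([
    "openid", "apim:api_view", "apim:api_create", "apim:api_publish",
    "apim:subscribe", "apim:tier_view", "apim:store_settings",
])


def rsa_ciphertext_bytes(key_bits: int) -> int:
    """An RSA ciphertext is one modulus long: key_bits / 8 bytes, whatever
    the plaintext length (a TOTP secret is only 20 bytes or so)."""
    return math.ceil(key_bits / 8)


def base64_len(n_bytes: int) -> int:
    """Characters produced by standard, padded base64 for n_bytes of input."""
    return 4 * math.ceil(n_bytes / 3)


def required_varchar_for_rsa(key_bits: int) -> int:
    """Minimum VARCHAR width for a base64-encoded RSA ciphertext."""
    return base64_len(rsa_ciphertext_bytes(key_bits))


def encrypted_secret_text(key_bits: int = 2048) -> str:
    """What would land in DATA_VALUE: the ciphertext, base64-encoded.
    Random bytes stand in for the real ciphertext; they have the same
    length, which is all the width check depends on."""
    return base64.b64encode(os.urandom(rsa_ciphertext_bytes(key_bits))).decode("ascii")


def check(column: Column, value: str) -> dict:
    """Report whether value fits column and how many characters it needs."""
    return {
        "column": column.qualified,
        "width": column.width,
        "required": len(value),
        "fits": len(value) <= column.width,
    }


if __name__ == "__main__":
    print(check(DATA_VALUE, encrypted_secret_text(2048)))
    print(check(TOKEN_SCOPE, SAMPLE_SCOPES))
    for bits in (1024, 2048, 4096):
        print(f"RSA-{bits}: base64 ciphertext needs VARCHAR({required_varchar_for_rsa(bits)})")
```

The point to keep in mind is that the width follows the key size, not the secret: a 2048-bit key always produces a 256-byte ciphertext, 344 characters once base64-encoded, so VARCHAR(256) cannot hold it however short the TOTP seed is, and a later move to a 4096-bit key would need 684.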


Re: [Dev] Custom UserStore works on 5.1.0, 5.2.0 not working in 5.3.0 and 5.4.0-M1

2017-06-21 Thread Isura Karunaratne
Hi

On Wed, Jun 21, 2017 at 11:06 AM, Farasath Ahamed <farasa...@wso2.com>
wrote:

>
>
>
>
> On Wed, Jun 21, 2017 at 11:03 AM, Isura Karunaratne <is...@wso2.com>
> wrote:
>
>>
>>
>> On Tue, Jun 20, 2017 at 11:29 PM, Johann Nallathamby <joh...@wso2.com>
>> wrote:
>>
>>> If these two handlers are disabled by default there shouldn't be any
>>> problem. According to default identity-event.properties file they are
>>> disabled. How come they get triggered then?
>>>
>>
>> Yes. By default the account lock/disabled features are disabled. If it is
>> required to use account lock/disable features, there should be a way to
>> store user properties.
>>
>
> Looks like we haven't used the property to check whether the listener is
> enabled or disabled although we have defined in identity-event.properties.
> Therefore the handlers get fired on pre-authentications
>

Yes. This issue is fixed with https://wso2.org/jira/browse/IDENTITY-6091

Thanks
Isura.

>
>
>>
>> Also, if the um_user_attribute table is not there, most of the use cases
>> will be broken. (Add User/ Update User/ Get  Users ...). So, I think that
>> user store is incomplete.
>>
>> Thanks
>> Isura.
>>
>>
>>>
>>> On Tue, Jun 20, 2017 at 7:25 PM, Farasath Ahamed <farasa...@wso2.com>
>>> wrote:
>>>
>>>> Hi,
>>>>
>>>> The minimum requirement to write a custom JDBC user store manager so
>>>> far (before IS 5.3.0) was to simply override the doAuthenticate() method.
>>>> So a custom user store that was written for 5.0.0 worked without any
>>>> modifications (may be dependency changes).
>>>>
>>>> But when we use the same code on IS 5.3.0, the custom user store
>>>> implementations that only override the doAuthenticate() are broken because
>>>> account disabled[1] and account locked[2] handlers introduced in IS 5.3.0.
>>>>
>>>> These two handlers call the getUserClaimValues() method of the
>>>> userstore to retrieve some claims. Since we haven't overridden the method
>>>> in custom userstore implementation it calls the super class. This leads to
>>>> trying to find the claims from a non-existing table[3].
>>>>
>>>> One way to solve is to override the getUserClaimValues() method. But in
>>>> the PoV of the extension developer, this would be an unnecessary step if
>>>> the custom user store is just used for authentication only as explained in
>>>> [4].
>>>>
>>>> Even in the official docs[5], we do not have any mention of having to
>>>> implement the getUserClaimValues() method.
>>>>
>>>> What would be the correct and the most efficient way to resolve this?
>>>> Appreciate your thoughts.
>>>>
>>>>
>>>>
>>>> [1] https://github.com/wso2-extensions/identity-event-handle
>>>> r-account-lock/blob/master/components/org.wso2.carbon.identi
>>>> ty.handler.event.account.lock/src/main/java/org/wso2/carbon/
>>>> identity/handler/event/account/lock/AccountDisableHandler.java#L89
>>>>
>>>> [2] https://github.com/wso2-extensions/identity-event-handle
>>>> r-account-lock/blob/master/components/org.wso2.carbon.identi
>>>> ty.handler.event.account.lock/src/main/java/org/wso2/carbon/
>>>> identity/handler/event/account/lock/AccountLockHandler.java#L186
>>>>
>>>> [3] https://wso2.org/jira/browse/IDENTITY-6074?focusedCommen
>>>> tId=134555=com.atlassian.jira.plugin.system.issuetabpan
>>>> els:comment-tabpanel#comment-134555
>>>>
>>>> [4] https://wso2.org/jira/browse/IDENTITY-6074
>>>>
>>>>
>>>>
>>>>
>>>> Thanks,
>>>> Farasath Ahamed
>>>> Software Engineer, WSO2 Inc.; http://wso2.com
>>>> Mobile: +94777603866
>>>> Blog: blog.farazath.com
>>>> Twitter: @farazath619 <https://twitter.com/farazath619>
>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> Thanks & Regards,
>>>
>>> *Johann Dilantha Nallathamby*
>>> Senior Technical Lead - WSO2 Identity Server
>>> Governance Technologies Team
>>> WSO2, Inc.
>>> lean.enterprise.middleware
>>>
>>> Mobile - *+9476950*
>>> Blog - *http://nallaa.wordpress.com <http://nallaa.wordpress.com>*
>>>
>>>
>>>
>>
>>
>> --
>>
>> *Isura Dilhara Karunaratne*
>> Senior Software Engineer | WSO2
>> Email: is...@wso2.com
>> Mob : +94 772 254 810
>> Blog : http://isurad.blogspot.com/
>>
>>
>>
>>
>


-- 

*Isura Dilhara Karunaratne*
Senior Software Engineer | WSO2
Email: is...@wso2.com
Mob : +94 772 254 810
Blog : http://isurad.blogspot.com/
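The failure mode in this thread, a custom user store that overrides only authentication being broken by the account lock and disable handlers firing on PRE_AUTHENTICATION even though identity-event.properties has them disabled, modelled with constructed stores and handlers. This is an added example, not WSO2 code; the property key style ("<handler>.enable=false"), the claim URIs, the handler names and the sample users are assumptions rather than anything quoted in the thread.

```python
"""Why a handler must honour its "enable" property before touching the store.

Added example, not WSO2 code. It reproduces the failure mode from the thread
with constructed stores and handlers: a custom user store that overrides only
authentication has no claim table, so any handler that reads claims on
PRE_AUTHENTICATION breaks login, even when the handler is configured off. The
property names below follow the identity-event.properties style mentioned in
the thread ("<handler>.enable=false"); the exact keys are assumed, not quoted.
"""
from typing import Callable, Dict, List

ACCOUNT_LOCKED = "http://wso2.org/claims/identity/accountLocked"
ACCOUNT_DISABLED = "http://wso2.org/claims/identity/accountDisabled"


class ClaimsUnavailable(Exception):
    """The store has no attribute table to read (the 'non-existing table')."""


class AuthOnlyUserStore:
    """Custom store that overrides only doAuthenticate(), like the one in the
    thread. Claim reads fall through to a path that has no table to query."""

    def __init__(self, users: Dict[str, str]) -> None:
        self._users = users  # constructed sample: username -> password

    def do_authenticate(self, username: str, password: str) -> bool:
        return self._users.get(username) == password

    def get_user_claim_values(self, username: str, claims: List[str]) -> Dict[str, str]:
        raise ClaimsUnavailable("UM_USER_ATTRIBUTE does not exist in this store")


class FullUserStore(AuthOnlyUserStore):
    """A store that also holds identity claims, as the JDBC store would."""

    def __init__(self, users: Dict[str, str], claims: Dict[str, Dict[str, str]]) -> None:
        super().__init__(users)
        self._claims = claims

    def get_user_claim_values(self, username: str, claims: List[str]) -> Dict[str, str]:
        stored = self._claims.get(username, {})
        return {c: stored[c] for c in claims if c in stored}


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal java.util.Properties-style parser: key=value, '#' comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def _deny_if(store, username: str, claim: str, reason: str) -> None:
    values = store.get_user_claim_values(username, [claim])
    if values.get(claim, "false").lower() == "true":
        raise PermissionError(reason)


def account_lock_handler(store, username: str) -> None:
    _deny_if(store, username, ACCOUNT_LOCKED, "account is locked")


def account_disable_handler(store, username: str) -> None:
    _deny_if(store, username, ACCOUNT_DISABLED, "account is disabled")


# Handler name -> PRE_AUTHENTICATION callback (names are assumptions)
HANDLERS: Dict[str, Callable] = {
    "account.lock.handler": account_lock_handler,
    "account.disable.handler": account_disable_handler,
}


def is_enabled(props: Dict[str, str], handler: str) -> bool:
    return props.get(f"{handler}.enable", "false").lower() == "true"


def authenticate(store, username: str, password: str, props: Dict[str, str],
                 honour_enable_flag: bool = True) -> str:
    """Run the PRE_AUTHENTICATION handlers, then the store.

    honour_enable_flag=False reproduces the bug: handlers fire regardless of
    their property. Returns "success", "failure", "denied: ..." or "error: ...".
    """
    for name, handler in HANDLERS.items():
        if honour_enable_flag and not is_enabled(props, name):
            continue
        try:
            handler(store, username)
        except ClaimsUnavailable as exc:
            return f"error: {exc}"
        except PermissionError as exc:
            return f"denied: {exc}"
    return "success" if store.do_authenticate(username, password) else "failure"
```

Note the second outcome the model shows: honouring the flag fixes the default configuration, but a deployment that turns account locking on still needs a store that can answer claim reads, which is Isura's point that an authentication-only store is incomplete for those features.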


Re: [Dev] Custom UserStore works on 5.1.0, 5.2.0 not working in 5.3.0 and 5.4.0-M1

2017-06-20 Thread Isura Karunaratne
On Tue, Jun 20, 2017 at 11:29 PM, Johann Nallathamby 
wrote:

> If these two handlers are disabled by default there shouldn't be any
> problem. According to default identity-event.properties file they are
> disabled. How come they get triggered then?
>

Yes. By default the account lock/disabled features are disabled. If it is
required to use account lock/disable features, there should be a way to
store user properties.

Also, if the um_user_attribute table is not there, most of the use cases
will be broken. (Add User/ Update User/ Get  Users ...). So, I think that
user store is incomplete.

Thanks
Isura.


>
> On Tue, Jun 20, 2017 at 7:25 PM, Farasath Ahamed 
> wrote:
>
>> Hi,
>>
>> The minimum requirement to write a custom JDBC user store manager so far
>> (before IS 5.3.0) was to simply override the doAuthenticate() method. So a
>> custom user store that was written for 5.0.0 worked without any
>> modifications (may be dependency changes).
>>
>> But when we use the same code on IS 5.3.0, the custom user store
>> implementations that only override the doAuthenticate() are broken because
>> account disabled[1] and account locked[2] handlers introduced in IS 5.3.0.
>>
>> These two handlers call the getUserClaimValues() method of the
>> userstore to retrieve some claims. Since we haven't overridden the method
>> in custom userstore implementation it calls the super class. This leads to
>> trying to find the claims from a non-existing table[3].
>>
>> One way to solve is to override the getUserClaimValues() method. But in
>> the PoV of the extension developer, this would be an unnecessary step if
>> the custom user store is just used for authentication only as explained in
>> [4].
>>
>> Even in the official docs[5], we do not have any mention of having to
>> implement the getUserClaimValues() method.
>>
>> What would be the correct and the most efficient way to resolve this?
>> Appreciate your thoughts.
>>
>>
>>
>> [1] https://github.com/wso2-extensions/identity-event-handle
>> r-account-lock/blob/master/components/org.wso2.carbon.
>> identity.handler.event.account.lock/src/main/java/org/wso2/
>> carbon/identity/handler/event/account/lock/AccountDisableHandler.java#L89
>>
>> [2] https://github.com/wso2-extensions/identity-event-handle
>> r-account-lock/blob/master/components/org.wso2.carbon.
>> identity.handler.event.account.lock/src/main/java/org/wso2/
>> carbon/identity/handler/event/account/lock/AccountLockHandler.java#L186
>>
>> [3] https://wso2.org/jira/browse/IDENTITY-6074?focusedCommen
>> tId=134555=com.atlassian.jira.plugin.system.
>> issuetabpanels:comment-tabpanel#comment-134555
>>
>> [4] https://wso2.org/jira/browse/IDENTITY-6074
>>
>>
>>
>>
>> Thanks,
>> Farasath Ahamed
>> Software Engineer, WSO2 Inc.; http://wso2.com
>> Mobile: +94777603866
>> Blog: blog.farazath.com
>> Twitter: @farazath619 
>> 
>>
>>
>>
>
>
> --
> Thanks & Regards,
>
> *Johann Dilantha Nallathamby*
> Senior Technical Lead - WSO2 Identity Server
> Governance Technologies Team
> WSO2, Inc.
> lean.enterprise.middleware
>
> Mobile - *+9476950*
> Blog - *http://nallaa.wordpress.com *
>
>
>


-- 

*Isura Dilhara Karunaratne*
Senior Software Engineer | WSO2
Email: is...@wso2.com
Mob : +94 772 254 810
Blog : http://isurad.blogspot.com/


Re: [Dev] Default Claim Mapping for Multiple User Stores from claim-config.xml

2017-06-15 Thread Isura Karunaratne
Hi,

On Thu, Jun 15, 2017 at 8:46 PM, Gayan Gunawardana  wrote:

> Hi All,
>
> <Claim>
>     <ClaimURI>http://wso2.org/claims/givenname</ClaimURI>
>     <DisplayName>First Name</DisplayName>
>     <AttributeID>givenName</AttributeID>
>     <Description>First Name</Description>
>     <Required />
>     <DisplayOrder>1</DisplayOrder>
>     <SupportedByDefault />
> </Claim>
>
> With this configuration givenName maps to http://wso2.org/claims/givenname
> for the PRIMARY user store.
> In IS 5.3.0 we can set map attribute from drop down for multiple user
> stores.
>
>
> (screenshot of the mapped-attribute drop-down not included in the archive)
> Is there a way to do same configuration from claim-config.xml ? If not
> isn't it better to support by changing structure of claim-config.xml ?
>

AFAIK, there is no such way to configure the mapped attributes of secondary
user stores from the claim-config.xml file. The claim config file is read only
on the first server startup and on tenant creation. Since we can deploy secondary
user stores at first startup, +1 to support this.

Thanks
Isura.

>
> Thanks,
> Gayan
>
> --
> Gayan Gunawardana
> Senior Software Engineer; WSO2 Inc.; http://wso2.com/
> Email: ga...@wso2.com
> Mobile: +94 (71) 8020933
>



-- 

*Isura Dilhara Karunaratne*
Senior Software Engineer | WSO2
Email: is...@wso2.com
Mob : +94 772 254 810
Blog : http://isurad.blogspot.com/


Re: [Dev] [Architecture][IS][APIM] Providing a SCIM Id for admin user in SCIM

2017-06-12 Thread Isura Karunaratne
Hi Tharika,

On Mon, Jun 12, 2017 at 2:25 PM, Tharika Madurapperuma 
wrote:

> Hi All,
>
>In APIM 3.0, we plan to have a feature for enabling Read, Update,
> Delete permissions for an API based on roles in API Publisher. For user
> validation purposes, we need to retrieve the list of roles for the logged-in
> user. This role list is retrieved using the user's SCIM Id. But since the
> admin user by default does not have an ID as per [1] and is not regarded as
> a SCIM user, we won't be able to retrieve the list of roles for the admin.
>
>There are two possible options for making this work.
>
>*Option 1: *Either from APIM 3.0 side we should make a call to the
> SCIM endpoint and update the admin user to have a SCIM ID as in [1],
> preferably during startup or
>   * Option 2: *We can make the admin user have an Id by default from SCIM
> Implementation in IS.
>
>If we go with Option 1, it amounts to an additional call to the SCIM
> endpoint to update the user and a question arises as to where we should be
> updating it. The SCIM Id for the admin user is needed only in this scenario
> for retrieving roles currently, hence updating the admin user during
> startup is questionable.
>
>IMO Option 2 is preferable because it will not result in an additional
> update as in Option 1 above.
>
>WDYT?
>
>Will there be any plans to include this capability in IS 5.4.0?
>
This capability will not be included in the IS 5.4.0 release. If this is
urgent, we can prioritize it.

Thanks
Isura.

>
>[1] [Dev] [IS] Admin/Tenant Admin Users cannot be filtered to get the
> SCIM ID
>
> Thanks,
> Tharika.
>
> --
> *Tharika Madurapperuma*
> Software Engineer | WSO2, Inc.
>
> Email : thar...@wso2.com
> Mobile : +94777875624
> Web : http://wso2.com
>
> 
>



-- 

*Isura Dilhara Karunaratne*
Senior Software Engineer | WSO2
Email: is...@wso2.com
Mob : +94 772 254 810
Blog : http://isurad.blogspot.com/


Re: [Dev] Ask password cannot be configured from management console when using identity REST API

2017-06-06 Thread Isura Karunaratne
On Tue, Jun 6, 2017 at 9:12 PM Danushka Fernando <danush...@wso2.com> wrote:

> So Johan/ Isura
> How should we approach here? If it's not a new feature, do we ask the user to
> add a default password? In that case we don't need this fixed, I guess.
>

We shouldn't use a default password, instead we have to generate a random
password.

Thanks
Isura

>
> Thanks & Regards
> Danushka Fernando
> Associate Tech Lead
> WSO2 inc. http://wso2.com/
> Mobile : +94716332729
>
> On Tue, Jun 6, 2017 at 9:02 PM, Johann Nallathamby <joh...@wso2.com>
> wrote:
>
>>
>>
>> On Tue, Jun 6, 2017 at 8:52 PM, Isura Karunaratne <is...@wso2.com> wrote:
>>
>>> Hi Danushka,
>>>
>>> You have to set a non-empty password while adding a user.
>>>
>>
>> Sorry, I saw your reply only after I sent my reply :)
>>
>>
>>>
>>> Thanks
>>> Isura
>>>
>>> On Tue, Jun 6, 2017 at 8:46 PM Danushka Fernando <danush...@wso2.com>
>>> wrote:
>>>
>>>> Hi All
>>>>
>>>> I am working on jira [1]. I could enable User Onboarding / ASK Password
>>>> New version and then get the UI displayed according to that. But we cannot
>>>> create a user without a password here. The reason is that the following code
>>>> throws an exception saying Ask Password is disabled. How should we proceed?
>>>>
>>>>
>>>> package org.wso2.carbon.identity.mgt;
>>>>
>>>> ...
>>>>
>>>> public class IdentityMgtEventListener extends 
>>>> AbstractIdentityUserOperationEventListener {
>>>>
>>>> ...
>>>>
>>>> @Override
>>>> public boolean doPreAddUser(String userName, Object credential, String[] 
>>>> roleList,
>>>> Map<String, String> claims, String profile,
>>>> UserStoreManager userStoreManager) throws 
>>>> UserStoreException {
>>>>
>>>>
>>>> if (!isEnable()) {
>>>> if (credential == null || StringUtils.isBlank(credential.toString())) {
>>>> log.error("Identity Management listener is disabled");
>>>> throw new UserStoreException(PASSWORD_INVALID + 
>>>> ASK_PASSWORD_FEATURE_IS_DISABLED);
>>>> }
>>>> return true;
>>>> }
>>>>
>>>>
>>>> [2017-06-06 19:45:43,491] ERROR {org.wso2.carbon.identity.mgt.IdentityMgtEventListener} -  Identity Management listener is disabled
>>>> [2017-06-06 19:45:43,493] ERROR {org.wso2.carbon.user.mgt.UserRealmProxy} -  PasswordInvalidAsk Password Feature is disabled
>>>> org.wso2.carbon.user.core.UserStoreException: PasswordInvalidAsk Password 
>>>> Feature is disabled
>>>>at 
>>>> org.wso2.carbon.user.core.common.AbstractUserStoreManager.callSecure(AbstractUserStoreManager.java:172)
>>>>at 
>>>> org.wso2.carbon.user.core.common.AbstractUserStoreManager.addUser(AbstractUserStoreManager.java:1443)
>>>>at 
>>>> org.wso2.carbon.user.mgt.UserRealmProxy.addUser(UserRealmProxy.java:770)
>>>>at org.wso2.carbon.user.mgt.UserAdmin.addUser(UserAdmin.java:199)
>>>>at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>at 
>>>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>>>at 
>>>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>>at java.lang.reflect.Method.invoke(Method.java:498)
>>>>at 
>>>> org.apache.axis2.rpc.receivers.RPCUtil.invokeServiceClass(RPCUtil.java:212)
>>>>at 
>>>> org.apache.axis2.rpc.receivers.RPCMessageReceiver.invokeBusinessLogic(RPCMessageReceiver.java:117)
>>>>at 
>>>> org.apache.axis2.receivers.AbstractInOutMessageReceiver.invokeBusinessLogic(AbstractInOutMessageReceiver.java:40)
>>>>at 
>>>> org.apache.axis2.receivers.AbstractMessageReceiver.receive(AbstractMessageReceiver.java:110)
>>>>at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180)
>>>>at 
>>>> org.apache.axis2.transport.local.LocalTransportReceiver.processMessage(LocalTransportReceiver.java:169)
>>>>at 
>>>> org.apache.axis2.transport.local.LocalTransportReceiver.processMessage(LocalTranspo

Re: [Dev] Ask password cannot be configured from management console when using identity REST API

2017-06-06 Thread Isura Karunaratne
Hi Danushka,

You have to set a non-empty password while adding a user.

Thanks
Isura

On Tue, Jun 6, 2017 at 8:46 PM Danushka Fernando  wrote:

> Hi All
>
> I am working on jira [1]. I could enable User Onboarding / ASK Password
> New version and then get the UI displayed according to that. But we cannot
> create a user without a password here. The reason is that the following code
> throws an exception saying Ask Password is disabled. How should we proceed?
>
>
> package org.wso2.carbon.identity.mgt;
>
> ...
>
> public class IdentityMgtEventListener extends 
> AbstractIdentityUserOperationEventListener {
>
> ...
>
> @Override
> public boolean doPreAddUser(String userName, Object credential, String[] 
> roleList,
> Map<String, String> claims, String profile,
> UserStoreManager userStoreManager) throws 
> UserStoreException {
>
>
> if (!isEnable()) {
> if (credential == null || StringUtils.isBlank(credential.toString())) {
> log.error("Identity Management listener is disabled");
> throw new UserStoreException(PASSWORD_INVALID + 
> ASK_PASSWORD_FEATURE_IS_DISABLED);
> }
> return true;
> }
>
>
> [2017-06-06 19:45:43,491] ERROR {org.wso2.carbon.identity.mgt.IdentityMgtEventListener} -  Identity Management listener is disabled
> [2017-06-06 19:45:43,493] ERROR {org.wso2.carbon.user.mgt.UserRealmProxy} -  PasswordInvalidAsk Password Feature is disabled
> org.wso2.carbon.user.core.UserStoreException: PasswordInvalidAsk Password 
> Feature is disabled
>   at 
> org.wso2.carbon.user.core.common.AbstractUserStoreManager.callSecure(AbstractUserStoreManager.java:172)
>   at 
> org.wso2.carbon.user.core.common.AbstractUserStoreManager.addUser(AbstractUserStoreManager.java:1443)
>   at 
> org.wso2.carbon.user.mgt.UserRealmProxy.addUser(UserRealmProxy.java:770)
>   at org.wso2.carbon.user.mgt.UserAdmin.addUser(UserAdmin.java:199)
>   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>   at 
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>   at 
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>   at java.lang.reflect.Method.invoke(Method.java:498)
>   at 
> org.apache.axis2.rpc.receivers.RPCUtil.invokeServiceClass(RPCUtil.java:212)
>   at 
> org.apache.axis2.rpc.receivers.RPCMessageReceiver.invokeBusinessLogic(RPCMessageReceiver.java:117)
>   at 
> org.apache.axis2.receivers.AbstractInOutMessageReceiver.invokeBusinessLogic(AbstractInOutMessageReceiver.java:40)
>   at 
> org.apache.axis2.receivers.AbstractMessageReceiver.receive(AbstractMessageReceiver.java:110)
>   at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180)
>   at 
> org.apache.axis2.transport.local.LocalTransportReceiver.processMessage(LocalTransportReceiver.java:169)
>   at 
> org.apache.axis2.transport.local.LocalTransportReceiver.processMessage(LocalTransportReceiver.java:82)
>   at 
> org.wso2.carbon.core.transports.local.CarbonLocalTransportSender.finalizeSendWithToAddress(CarbonLocalTransportSender.java:45)
>   at 
> org.apache.axis2.transport.local.LocalTransportSender.invoke(LocalTransportSender.java:77)
>   at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:442)
>   at 
> org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:430)
>   at 
> org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:225)
>   at 
> org.apache.axis2.client.OperationClient.execute(OperationClient.java:149)
>   at 
> org.wso2.carbon.user.mgt.stub.UserAdminStub.addUser(UserAdminStub.java:2188)
>   at 
> org.wso2.carbon.user.mgt.ui.UserAdminClient.addUser(UserAdminClient.java:94)
>   at 
> org.apache.jsp.user.add_002dfinish_002dajaxprocessor_jsp._jspService(add_002dfinish_002dajaxprocessor_jsp.java:152)
>   at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
>   at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
>   at 
> org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:439)
>   at 
> org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:395)
>   at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:339)
>   at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
>   at org.wso2.carbon.ui.JspServlet.service(JspServlet.java:155)
>   at org.wso2.carbon.ui.TilesJspServlet.service(TilesJspServlet.java:80)
>   at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
>   at 
> org.eclipse.equinox.http.helper.ContextPathServletAdaptor.service(ContextPathServletAdaptor.java:37)
>   at 
> org.eclipse.equinox.http.servlet.internal.ServletRegistration.service(ServletRegistration.java:61)
>   at 
> 

Re: [Dev] API 2.1.0 + Identity Server 5.3.0

2017-06-04 Thread Isura Karunaratne
Can you attach the SAML response received by the store application, using the SSO Tracer
Firefox plugin? Also, attach the repository/deployment/server/userstores of
both nodes.

Thanks
Isura.

On Thu, Jun 1, 2017 at 6:28 PM, Vazquez-Hidalgo, Javier <
javier.vazquez-hida...@tdsecurities.com> wrote:

> Hi Isura,
>
>
>
> Thanks for your response, I added the secondary user store to the API
> manager and the problem goes away ONLY if I disable SSO on the store. With
> SSO enabled I can only login with users from the primary store.
>
>
>
> Any ideas on how to get it working with SSO?
>
>
>
> Thanks,
>
> Javier
>
>
>
> *From:* Isura Karunaratne [mailto:is...@wso2.com]
> *Sent:* Wednesday, May 31, 2017 6:26 AM
>
> *To:* Vazquez-Hidalgo, Javier
> *Cc:* dev@wso2.org
> *Subject:* Re: [Dev] API 2.1.0 + Identity Server 5.3.0
>
>
>
> HI Javier,
>
>
>
> It looks like you have not configured secondary user store in API Manager
> instance. You can get rid of the authorization issue by configuring the
> read-only secondary user store in APIM as well.
>
>
>
> Since the Authorization handles in APIM instance, user store should be
> shared with APIM as well.
>
>
>
> Thanks
>
> Isura.
>
>
>
> On Tue, May 30, 2017 at 7:18 PM, Vazquez-Hidalgo, Javier <
> javier.vazquez-hida...@tdsecurities.com> wrote:
>
> Hi Isura,
>
>
>
> In the log files, please search for “vazquj2”. That is the user who fails
> to login. I’ll send the conf files shortly. After more research it seems
> that APIM is looking user roles in UM_ROLES instead of UM_HYBRID_ROLES.
>
>
>
> Thanks,
>
> Javier
>
>
>
> *From:* Isura Karunaratne [mailto:is...@wso2.com]
> *Sent:* Monday, May 29, 2017 1:24 AM
>
>
> *To:* Vazquez-Hidalgo, Javier
> *Cc:* dev@wso2.org
> *Subject:* Re: [Dev] API 2.1.0 + Identity Server 5.3.0
>
>
>
> Hi Javier,
>
>
>
> According to the apim-wso2carbon.log file, only admin user tried login to
> the APIM instance and it was a success login.  Please attach the log, once
> the store login failure occurs. Also, attach the conf folders in each
> products.
>
>
>
> Thanks
>
> Isura.
>
>
>
> On Fri, May 26, 2017 at 8:56 PM, Vazquez-Hidalgo, Javier <
> javier.vazquez-hida...@tdsecurities.com> wrote:
>
> Hi Isura,
>
>
>
> Thanks for your help!
>
>
>
> Attached to the email are both logs with “log4j.logger.org.wso2.carbon.
> user.core=DEBUG” enabled.
>
>
>
> Regards,
>
> Javier
>
>
>
> *From:* Isura Karunaratne [mailto:is...@wso2.com]
> *Sent:* Friday, May 26, 2017 3:10 AM
> *To:* Vazquez-Hidalgo, Javier
> *Cc:* dev@wso2.org
> *Subject:* Re: [Dev] API 2.1.0 + Identity Server 5.3.0
>
>
>
> Hi Javier,
>
>
>
> We need additional information to analyze the issue. Attach the
> wso2carbon.log file after enabling the debug logs for
> org.wso2.carbon.user.core package as follows.
>
>
>
> Add following entry to /repository/conf/log4j.properties file
>
>
>
> log4j.logger.org.wso2.carbon.user.core=DEBUG
>
>
>
>
>
> Thanks
>
> Isura.
>
>
>
> On Fri, May 26, 2017 at 12:50 AM, Vazquez-Hidalgo, Javier <
> javier.vazquez-hida...@tdsecurities.com> wrote:
>
> Hello,
>
>
>
> I’m trying to setup APIM 2.1.0 + Identity Server 5.3.0 on separate boxes,
> at this point I have all configurations in place with shared databases and
> I added a secondary User Store (Read-Only LDAP) on the Identity Server and
> I’m able to assign permissions, etc..
>
>
>
> The problem I’m having is that when I try to login to the API Store using
> a user from the secondary user store I get the following error in the login
> screen:
>
>
>
> “Error! Login failed. Insufficient Privileges.”
>
>
>
> APIM Logs:
>
> -
>
>
>
> [2017-05-25 14:49:52,812] ERROR - JDBCAuthorizationManager Error occurred
> while accessing Java Security Manager Privilege Block
>
> [2017-05-25 14:49:52,812] ERROR - APIStoreHostObject Login failed.
> Insufficient Privileges.
>
>
>
> IS Log:
>
> ---
>
> [2017-05-25 14:49:52,498]  INFO 
> {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil}
> -  'DOMAIN/xxx@carbon.super [-1234]' logged in at [2017-05-25
> 14:49:52,497-0400]
>
>
>
> So, it seems that the user is authenticated but something is happening.
>
>
>
> Just to be clear, the user from the secondary user store has
> “Internal/subscriber” role which should be sufficient to login.
>
>
>
> I also created a test user in the IS primary store and assigned
> “Internal/subsc

Re: [Dev] Use "/identity" claims for identity mgt functionalities

2017-06-04 Thread Isura Karunaratne
Yes. Identity claim support is there in previous IS releases as well.

Thanks
Isura.

On Sat, Jun 3, 2017 at 11:33 PM, Hasintha Indrajee 
wrote:

> AFAIK there is no difference in the way we handle identity claims within
> IS from 5.0.0 up to now. So these connectors will not be useful if the
> userstore is read-only. Better to improve these connectors.
>
> But then again we may need to provide migration scripts and update
> documents if we are to do this change.
>
> On Sat, Jun 3, 2017 at 5:10 PM, Malaka Silva  wrote:
>
>> Hi Hasintha,
>>
>> I guess this is only supported since IS version 530? In most of the
>> authenticators identity claims were not considered, and it will be an issue
>> when a read-only user store is used. Something we have to improve in general.
>>
>> On Sat, Jun 3, 2017 at 10:08 AM, Hasintha Indrajee 
>> wrote:
>>
>>> Hi connector team,
>>>
>>> I noticed that password policy connector [1] is not using an identity
>>> claim to store lastPasswordChangedTimestamp which is not correct. These
>>> kind of claims should be identity claims. The reason for being an identity
>>> claim is to use them even if the userstore is read only. If we use this
>>> claim in this way, this claim will be useless if the userstore is read
>>> only. The correct claim will look like "http://wso2.org/claims/identi
>>> ty/lastPasswordUpdateTimeStamp"
>>>
>>>
>>> [1] https://github.com/wso2-extensions/identity-outbound-auth-passwordPolicy
>>> --
>>> Hasintha Indrajee
>>> WSO2, Inc.
>>> Mobile:+94 771892453 <077%20189%202453>
>>>
>>>
>>
>>
>> --
>>
>> Best Regards,
>>
>> Malaka Silva
>> Associate Director / Architect
>> M: +94 777 219 791 <077%20721%209791>
>> Tel : 94 11 214 5345
>> Fax :94 11 2145300 <011%202%20145300>
>> Skype : malaka.sampath.silva
>> LinkedIn : http://www.linkedin.com/pub/malaka-silva/6/33/77
>> Blog : http://mrmalakasilva.blogspot.com/
>>
>> WSO2, Inc.
>> lean . enterprise . middleware
>> https://wso2.com/signature
>> http://www.wso2.com/about/team/malaka-silva/
>> 
>> https://store.wso2.com/store/
>>
>> Don't make Trees rare, we should keep them with care
>>
>
>
>
> --
> Hasintha Indrajee
> WSO2, Inc.
> Mobile:+94 771892453 <+94%2077%20189%202453>
>
>
> ___
> Dev mailing list
> Dev@wso2.org
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>
>


-- 

*Isura Dilhara Karunaratne*
Senior Software Engineer | WSO2
Email: is...@wso2.com
Mob : +94 772 254 810
Blog : http://isurad.blogspot.com/
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


Re: [Dev] API 2.1.0 + Identity Server 5.3.0

2017-05-31 Thread Isura Karunaratne
HI Javier,

It looks like you have not configured the secondary user store in the API Manager
instance. You can get rid of the authorization issue by configuring the
read-only secondary user store in APIM as well.

Since authorization is handled in the APIM instance, the user store should be
shared with APIM as well.

Thanks
Isura.

On Tue, May 30, 2017 at 7:18 PM, Vazquez-Hidalgo, Javier <
javier.vazquez-hida...@tdsecurities.com> wrote:

> Hi Isura,
>
>
>
> In the log files, please search for “vazquj2”. That is the user who fails
> to login. I’ll send the conf files shortly. After more research it seems
> that APIM is looking user roles in UM_ROLES instead of UM_HYBRID_ROLES.
>
>
>
> Thanks,
>
> Javier
>
>
>
> *From:* Isura Karunaratne [mailto:is...@wso2.com]
> *Sent:* Monday, May 29, 2017 1:24 AM
>
> *To:* Vazquez-Hidalgo, Javier
> *Cc:* dev@wso2.org
> *Subject:* Re: [Dev] API 2.1.0 + Identity Server 5.3.0
>
>
>
> Hi Javier,
>
>
>
> According to the apim-wso2carbon.log file, only admin user tried login to
> the APIM instance and it was a success login.  Please attach the log, once
> the store login failure occurs. Also, attach the conf folders in each
> products.
>
>
>
> Thanks
>
> Isura.
>
>
>
> On Fri, May 26, 2017 at 8:56 PM, Vazquez-Hidalgo, Javier <
> javier.vazquez-hida...@tdsecurities.com> wrote:
>
> Hi Isura,
>
>
>
> Thanks for your help!
>
>
>
> Attached to the email are both logs with “log4j.logger.org.wso2.carbon.
> user.core=DEBUG” enabled.
>
>
>
> Regards,
>
> Javier
>
>
>
> *From:* Isura Karunaratne [mailto:is...@wso2.com]
> *Sent:* Friday, May 26, 2017 3:10 AM
> *To:* Vazquez-Hidalgo, Javier
> *Cc:* dev@wso2.org
> *Subject:* Re: [Dev] API 2.1.0 + Identity Server 5.3.0
>
>
>
> Hi Javier,
>
>
>
> We need additional information to analyze the issue. Attach the
> wso2carbon.log file after enabling the debug logs for
> org.wso2.carbon.user.core package as follows.
>
>
>
> Add following entry to /repository/conf/log4j.properties file
>
>
>
> log4j.logger.org.wso2.carbon.user.core=DEBUG
>
>
>
>
>
> Thanks
>
> Isura.
>
>
>
> On Fri, May 26, 2017 at 12:50 AM, Vazquez-Hidalgo, Javier <
> javier.vazquez-hida...@tdsecurities.com> wrote:
>
> Hello,
>
>
>
> I’m trying to setup APIM 2.1.0 + Identity Server 5.3.0 on separate boxes,
> at this point I have all configurations in place with shared databases and
> I added a secondary User Store (Read-Only LDAP) on the Identity Server and
> I’m able to assign permissions, etc..
>
>
>
> The problem I’m having is that when I try to login to the API Store using
> a user from the secondary user store I get the following error in the login
> screen:
>
>
>
> “Error! Login failed. Insufficient Privileges.”
>
>
>
> APIM Logs:
>
> -
>
>
>
> [2017-05-25 14:49:52,812] ERROR - JDBCAuthorizationManager Error occurred
> while accessing Java Security Manager Privilege Block
>
> [2017-05-25 14:49:52,812] ERROR - APIStoreHostObject Login failed.
> Insufficient Privileges.
>
>
>
> IS Log:
>
> ---
>
> [2017-05-25 14:49:52,498]  INFO {org.wso2.carbon.core.services
> .util.CarbonAuthenticationUtil} -  'DOMAIN/xxx@carbon.super [-1234]'
> logged in at [2017-05-25 14:49:52,497-0400]
>
>
>
> So, it seems that the user is authenticated but something is happening.
>
>
>
> Just to be clear, the user from the secondary user store has
> “Internal/subscriber” role which should be sufficient to login.
>
>
>
> I also created a test user in the IS primary store and assigned
> “Internal/subscriber” role and that worked fine.
>
>
>
>
>
> Any help or pointers is appreciated.
>
>
>
> Thanks,
>
> Javier Vazquez
>
>
>
>
>
>
>
> If you wish to unsubscribe from receiving commercial electronic messages
> from TD Bank Group, please click here <http://www.td.com/tdoptout> or go
> to the following web address: www.td.com/tdoptout
> Si vous souhaitez vous désabonner des messages électroniques de nature
> commerciale envoyés par Groupe Banque TD veuillez cliquer ici
> <http://www.td.com/tddesab> ou vous rendre à l'adresse www.td.com/tddesab
>
>
> NOTICE: Confidential message which may be privileged. Unauthorized
> use/disclosure prohibited. If received in error, please go to
> www.td.com/legal for instructions.
> AVIS : Message confidentiel dont le contenu peut être privilégié.
> Utilisation/divulgation interdites sans permission. Si reçu par erreur,
> prière d'aller au www.td.com/francais/avis_juridique pour

Re: [Dev] API 2.1.0 + Identity Server 5.3.0

2017-05-28 Thread Isura Karunaratne
Hi Javier,

According to the apim-wso2carbon.log file, only the admin user tried to log in to
the APIM instance, and that login succeeded. Please attach the log once
the store login failure occurs. Also, attach the conf folders of each
product.

Thanks
Isura.

On Fri, May 26, 2017 at 8:56 PM, Vazquez-Hidalgo, Javier <
javier.vazquez-hida...@tdsecurities.com> wrote:

> Hi Isura,
>
>
>
> Thanks for your help!
>
>
>
> Attached to the email are both logs with “log4j.logger.org.wso2.carbon.
> user.core=DEBUG” enabled.
>
>
>
> Regards,
>
> Javier
>
>
>
> *From:* Isura Karunaratne [mailto:is...@wso2.com]
> *Sent:* Friday, May 26, 2017 3:10 AM
> *To:* Vazquez-Hidalgo, Javier
> *Cc:* dev@wso2.org
> *Subject:* Re: [Dev] API 2.1.0 + Identity Server 5.3.0
>
>
>
> Hi Javier,
>
>
>
> We need additional information to analyze the issue. Attach the
> wso2carbon.log file after enabling the debug logs for
> org.wso2.carbon.user.core package as follows.
>
>
>
> Add following entry to /repository/conf/log4j.properties file
>
>
>
> log4j.logger.org.wso2.carbon.user.core=DEBUG
>
>
>
>
>
> Thanks
>
> Isura.
>
>
>
> On Fri, May 26, 2017 at 12:50 AM, Vazquez-Hidalgo, Javier <
> javier.vazquez-hida...@tdsecurities.com> wrote:
>
> Hello,
>
>
>
> I’m trying to setup APIM 2.1.0 + Identity Server 5.3.0 on separate boxes,
> at this point I have all configurations in place with shared databases and
> I added a secondary User Store (Read-Only LDAP) on the Identity Server and
> I’m able to assign permissions, etc..
>
>
>
> The problem I’m having is that when I try to login to the API Store using
> a user from the secondary user store I get the following error in the login
> screen:
>
>
>
> “Error! Login failed. Insufficient Privileges.”
>
>
>
> APIM Logs:
>
> -
>
>
>
> [2017-05-25 14:49:52,812] ERROR - JDBCAuthorizationManager Error occurred
> while accessing Java Security Manager Privilege Block
>
> [2017-05-25 14:49:52,812] ERROR - APIStoreHostObject Login failed.
> Insufficient Privileges.
>
>
>
> IS Log:
>
> ---
>
> [2017-05-25 14:49:52,498]  INFO 
> {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil}
> -  'DOMAIN/xxx@carbon.super [-1234]' logged in at [2017-05-25
> 14:49:52,497-0400]
>
>
>
> So, it seems that the user is authenticated but something is happening.
>
>
>
> Just to be clear, the user from the secondary user store has
> “Internal/subscriber” role which should be sufficient to login.
>
>
>
> I also created a test user in the IS primary store and assigned
> “Internal/subscriber” role and that worked fine.
>
>
>
>
>
> Any help or pointers is appreciated.
>
>
>
> Thanks,
>
> Javier Vazquez
>
>
>
>
>
>
>
>
>
> ___
> Dev mailing list
> Dev@wso2.org
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>
>
>
>
>
> --
>
> *Isura Dilhara Karunaratne*
>
> Senior Software Engineer | WSO2
>
> Email: is...@wso2.com
>
> Mob : +94 772 254 810 <+94%2077%20225%204810>
>
> Blog : http://isurad.blogspot.com/
>
>
>
>
>
>
>



-- 

*Isura Dilhara Karunaratne*
Senior Software Engineer | WSO2
Email: is...@wso2.com
Mob : +94 772 254 810
Blog : http://isurad.blogspot.com/
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


Re: [Dev] API 2.1.0 + Identity Server 5.3.0

2017-05-26 Thread Isura Karunaratne
Hi Javier,

We need additional information to analyze the issue. Attach the
wso2carbon.log file after enabling the debug logs for
org.wso2.carbon.user.core package as follows.

Add following entry to /repository/conf/log4j.properties file

log4j.logger.org.wso2.carbon.user.core=DEBUG


Thanks
Isura.

On Fri, May 26, 2017 at 12:50 AM, Vazquez-Hidalgo, Javier <
javier.vazquez-hida...@tdsecurities.com> wrote:

> Hello,
>
>
>
> I’m trying to setup APIM 2.1.0 + Identity Server 5.3.0 on separate boxes,
> at this point I have all configurations in place with shared databases and
> I added a secondary User Store (Read-Only LDAP) on the Identity Server and
> I’m able to assign permissions, etc..
>
>
>
> The problem I’m having is that when I try to login to the API Store using
> a user from the secondary user store I get the following error in the login
> screen:
>
>
>
> “Error! Login failed. Insufficient Privileges.”
>
>
>
> APIM Logs:
>
> -
>
>
>
> [2017-05-25 14:49:52,812] ERROR - JDBCAuthorizationManager Error occurred
> while accessing Java Security Manager Privilege Block
>
> [2017-05-25 14:49:52,812] ERROR - APIStoreHostObject Login failed.
> Insufficient Privileges.
>
>
>
> IS Log:
>
> ---
>
> [2017-05-25 14:49:52,498]  INFO 
> {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil}
> -  'DOMAIN/xxx@carbon.super [-1234]' logged in at [2017-05-25
> 14:49:52,497-0400]
>
>
>
> So, it seems that the user is authenticated but something is happening.
>
>
>
> Just to be clear, the user from the secondary user store has
> “Internal/subscriber” role which should be sufficient to login.
>
>
>
> I also created a test user in the IS primary store and assigned
> “Internal/subscriber” role and that worked fine.
>
>
>
>
>
> Any help or pointers is appreciated.
>
>
>
> Thanks,
>
> Javier Vazquez
>
>
>
>
>
>
>
>
> ___
> Dev mailing list
> Dev@wso2.org
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>
>


-- 

*Isura Dilhara Karunaratne*
Senior Software Engineer | WSO2
Email: is...@wso2.com
Mob : +94 772 254 810
Blog : http://isurad.blogspot.com/
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


Re: [Dev] Implemeting Scope Validator

2017-05-26 Thread Isura Karunaratne
Hi Hasanthi,

As we discussed, the client credentials grant type should not return an ID
token. So, we have to change the identity.xml file to enable the scope
validator by default and set IdTokenAllowed=true in the implicit and password
grant handlers.

Thanks
Isura.


On Fri, May 26, 2017 at 7:18 AM, Hasanthi Purnima Dissanayake <
hasan...@wso2.com> wrote:

> Hi Isura,
>
> If the scope validator is enabled and IdTokenAllowed is not defined for a
> grant type, other than authorization_code grant it wont return any id
> token.
>
> Thanks,
>
> Hasanthi Dissanayake
>
> Software Engineer | WSO2
>
> E: hasan...@wso2.com
> M :0718407133| http://wso2.com <http://wso2.com/>
>
> On Thu, May 25, 2017 at 11:46 AM, Isura Karunaratne <is...@wso2.com>
> wrote:
>
>> Hi Hasanthi,
>>
>> If the property IdTokenAllowed is not defined for a grant type, what is
>> the default behavior?
>>
>> Thanks
>> Isura.
>>
>> On Wed, May 17, 2017 at 3:29 PM, Hasanthi Purnima Dissanayake <
>> hasan...@wso2.com> wrote:
>>
>>> Hi All,
>>>
>>> We have suggested a new property  for the parent
>>>  along with the  segment  to
>>> on/off the functionality of issuing the id token for grant types. For
>>> oauthorization_code grant type we ignore this property and issue id token
>>> by default for the 'openid' scope.
>>>
>>> Thanks,
>>>
>>> Hasanthi Dissanayake
>>>
>>> Software Engineer | WSO2
>>>
>>> E: hasan...@wso2.com
>>> M :0718407133| http://wso2.com <http://wso2.com/>
>>>
>>> On Wed, May 17, 2017 at 7:52 AM, Pushpalanka Jayawardhana <
>>> la...@wso2.com> wrote:
>>>
>>>> Hi,
>>>>
>>>> On Tue, May 16, 2017 at 10:56 PM, Hasanthi Purnima Dissanayake <
>>>> hasan...@wso2.com> wrote:
>>>>
>>>>> Hi Farasath, Lanka
>>>>>>
>>>>>> What about extension grant types like SAML2BearerGrant, JWTBearer or
>>>>>> any other custom grant type we write?
>>>>>> AFAIR we do issue id_tokens to any grant type when "openid" scope is
>>>>>> present.
>>>>>
>>>>>
>>>>> IMO using "openid" scope to issue id_tokens like SAML2Bearer ,etc is
>>>>> not required.
>>>>>
>>>>> If our current implementation allows id_token generation for all types
>>>>>> wouldn't this break existing clients?
>>>>>
>>>>>
>>>>> This is an optional configuration, so we don't break any existing
>>>>> clients here.
>>>>>
>>>>> @Lanka,
>>>>>
>>>>>>
>>>>>> 
>>>>>> 
>>>>>> authorization_code
>>>>>> org
>>>>>> .wso2.carbon.identity.oauth2.token.handlers.grant.Authorizat
>>>>>> ionCodeGrantHandler
>>>>>> *true*
>>>>>> 
>>>>>> ..
>>>>>> 
>>>>>>
>>>>>> We can ship default configuration as the behavior we currently have,
>>>>>> so none of the existing scenarios break.
>>>>>> OIDC scope validator can consume this information from here.
>>>>>>
>>>>>
>>>>> We already have below configuration for the APIM for JDBC Scope
>>>>> validation.
>>>>>
>>>>> 

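The behaviour Isura and Hasanthi settle on above (an id_token is always issued for authorization_code when the openid scope is present, for other grant types only where IdTokenAllowed is true, and never for client_credentials), as an added Python example that is not part of the thread or of WSO2 Identity Server. The policy table, the grant-type names beyond those mentioned in the thread, the issuer URL and the HMAC-signed id_token are constructed for illustration; the real server reads the switches from identity.xml and signs with the tenant's key.

```python
"""Per-grant-type id_token policy as proposed in the thread.

Added example; not WSO2 Identity Server code. The identity.xml
IdTokenAllowed switches are modelled as a plain dict, and the id_token
is a constructed HS256 JWT so the block runs offline.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

OPENID = "openid"

# Constructed policy table (assumption, mirrors the thread's proposal):
# True/False = IdTokenAllowed as configured, None = property not defined.
ID_TOKEN_ALLOWED = {
    "authorization_code": None,   # property ignored: id_token for openid by default
    "implicit": True,
    "password": True,
    "client_credentials": False,  # no end user, so no identity to assert
    "refresh_token": None,
    "urn:ietf:params:oauth:grant-type:saml2-bearer": None,
}


def id_token_allowed(grant_type, policy=ID_TOKEN_ALLOWED):
    """Rules from the thread: auth code always; otherwise only when set to true."""
    if grant_type not in policy:
        raise ValueError("unsupported_grant_type")
    if grant_type == "authorization_code":
        return True
    return policy[grant_type] is True  # undefined (None) behaves like false


def validate_scopes(grant_type, requested, policy=ID_TOKEN_ALLOWED):
    """Scope validator: keep 'openid' only for grant types that may get an id_token."""
    granted = list(dict.fromkeys(requested))  # de-duplicate, preserve order
    if OPENID in granted and not id_token_allowed(grant_type, policy):
        granted.remove(OPENID)
    return granted


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_id_token(subject, issuer, audience, key, lifetime=3600):
    """Constructed HS256 JWT; a real deployment signs with the tenant's RSA key."""
    header = {"alg": "HS256", "typ": "JWT"}
    now = int(time.time())
    claims = {"iss": issuer, "sub": subject, "aud": audience,
              "iat": now, "exp": now + lifetime}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def build_token_response(grant_type, requested_scopes, client_id, subject=None,
                         policy=ID_TOKEN_ALLOWED,
                         issuer="https://idp.example/oauth2/token",  # constructed
                         key=b"constructed-hmac-key"):
    """Issue an access token and, only when policy and scope permit, an id_token."""
    granted = validate_scopes(grant_type, requested_scopes, policy)
    response = {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 3600, "scope": " ".join(granted)}
    if OPENID in granted:
        if subject is None:
            # Misconfiguration guard: an id_token without an end user is meaningless.
            raise ValueError("id_token requires an authenticated end user")
        response["id_token"] = make_id_token(subject, issuer, client_id, key)
    return response
```

validate_scopes is the part a scope validator plugs in: stripping openid from the granted set is what keeps a client_credentials response free of an id_token even when the client asks for it, and the subject check catches the case where someone later flips client_credentials to true.
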
[Dev] Possibility of OOM when running RegistryCleanUpTask when tenant count is high

2017-05-25 Thread Isura Karunaratne
Hi Kernal Team,


In RegistryCleanUpTask we need to load every tenant's registry and delete
some expired registry resources.

I think it may lead to an OOM issue if we load all the tenants in a loop, since
it takes 30 minutes (default) to unload a tenant.

Can we forcefully unload tenants once the deletion is done in the loop
using the PrivilegedCarbonContext.unloadTenant() method?

Is there a way to check whether a tenant is not utilized at a given time?



Following is the sample code of RegistryCleanUpTask.

Registry registry;
Collection identityDataResource;
try {
    Tenant[] tenants =
            IdentityMgtServiceComponent.getRealmService().getTenantManager().getAllTenants();
    // One extra iteration at the end handles the super tenant, which getAllTenants() omits.
    for (int i = 0; i < tenants.length + 1; i++) {
        Tenant tenant;
        if (i == tenants.length) {
            tenant = new Tenant();
            tenant.setDomain(MultitenantConstants.SUPER_TENANT_DOMAIN_NAME);
            tenant.setId(MultitenantConstants.SUPER_TENANT_ID);
        } else {
            tenant = tenants[i];
        }
        // Each tenant's registry is accessed inside its own tenant flow; the tenant itself
        // stays loaded afterwards until the kernel's idle unload timer fires.
        PrivilegedCarbonContext.startTenantFlow();
        PrivilegedCarbonContext.getThreadLocalCarbonContext().setTenantDomain(tenant.getDomain());
        PrivilegedCarbonContext.getThreadLocalCarbonContext().setTenantId(tenant.getId());
        try {
            registry = IdentityMgtServiceComponent.getRegistryService().
                    getConfigSystemRegistry(PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantId());
            identityDataResource = (Collection) registry.get(CONFIRMATION_REGISTRY_RESOURCE_PATH);
            String[] identityResourcesPaths = identityDataResource.getChildren();
            for (int j = 0; j < identityResourcesPaths.length; j++) {
                try {
                    Resource currentResource = registry.get(identityResourcesPaths[j]);
                    if (currentResource instanceof Collection) {
                        // Secondary user store entries are nested one level deeper.
                        Collection secondaryStoreCollection = (Collection) currentResource;
                        String[] secondaryStoreResourcePaths = secondaryStoreCollection.getChildren();
                        for (int k = 0; k < secondaryStoreResourcePaths.length; k++) {
                            checkAndDeleteRegistryResource(registry, secondaryStoreResourcePaths[k]);
                        }
                    } else {
                        checkAndDeleteRegistryResource(registry, identityResourcesPaths[j]);
                    }
                } catch (RegistryException e) {
                    log.error("Error while retrieving resource at " + identityResourcesPaths[j], e);
                }
            }
        } catch (ResourceNotFoundException e) {
            if (log.isDebugEnabled()) {
                log.debug("No resource found for tenant " + tenant.getDomain(), e);
            }
        } catch (RegistryException e) {
            if (log.isDebugEnabled()) {
                log.debug("Error while deleting the expired confirmation code.", e);
            }
        } finally {
            PrivilegedCarbonContext.endTenantFlow();
        }
    }
} catch (UserStoreException e) {
    if (log.isDebugEnabled()) {
        log.debug("Error while getting the tenant manager.", e);
    }
}



Thanks

Isura.




-- 

*Isura Dilhara Karunaratne*
Senior Software Engineer | WSO2
Email: is...@wso2.com
Mob : +94 772 254 810
Blog : http://isurad.blogspot.com/
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


Re: [Dev] Validating OAuth App state during Token Requests

2017-05-25 Thread Isura Karunaratne
On Fri, May 19, 2017 at 3:35 PM, Farasath Ahamed  wrote:

> Created https://wso2.org/jira/browse/IDENTITY-5959 to track this.
>
> Farasath Ahamed
> Software Engineer, WSO2 Inc.; http://wso2.com
> Mobile: +94777603866
> Blog: blog.farazath.com
> Twitter: @farazath619 
> 
>
>
>
> On Thu, May 18, 2017 at 9:10 PM, Pushpalanka Jayawardhana 
> wrote:
>
>> Hi,
>>
>> On Thu, May 18, 2017 at 4:58 PM, Farasath Ahamed 
>> wrote:
>>
>>> Hi,
>>>
>>> With our current implementation, we check whether an OAuth app is active
>>> at [1]. This happens before we complete client authentication at [2].
>>>
>>> Therefore even for an invalid client_id value, the error message that we
>>> would get will be "Oauth App is not in active state." which is not the
>>> expected behaviour.
>>>
>>> To fix this I see two options,
>>>
>>> 1. Handle the APP_STATE value being NULL (ie. no app was found for given
>>> consumer key) properly. APP_STATE column allows NULL as a value so we can't
>>> exactly say that APP_STATE == 'NULL' would imply that there is no app for a
>>> give consumer key
>>>
>> +1.

Thanks
Isura.

> +1 for this approach. With this we can avoid some processing done in vain
>> and respond invalid requests much early. Saving NULL for APP_STATE seems
>> something we should investigate and fix.
>>
>>>
>>> 2. Move the APP_STATE validation logic to be done after [2]
>>>
>>> WDYT?
>>>
>>> [1] https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/token/OAuth2TokenEndpoint.java#L87-L97
>>>
>>> [2] https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/AccessTokenIssuer.java#L168
>>>
>>> Thanks,
>>> Farasath Ahamed
>>> Software Engineer, WSO2 Inc.; http://wso2.com
>>> Mobile: +94777603866
>>> Blog: blog.farazath.com
>>> Twitter: @farazath619 
>>> 
>>>
>>>
>>>
>>
>>
>> --
>> Pushpalanka.
>> --
>> Pushpalanka Jayawardhana, B.Sc.Eng.(Hons).
>> Senior Software Engineer, WSO2 Lanka (pvt) Ltd;  wso2.com/
>> Mobile: +94779716248
>> Blog: pushpalankajaya.blogspot.com/ | LinkedIn: lk.linkedin.com/in/p
>> ushpalanka/ | Twitter: @pushpalanka
>>
>>
>
> ___
> Dev mailing list
> Dev@wso2.org
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>
>


-- 

*Isura Dilhara Karunaratne*
Senior Software Engineer | WSO2
Email: is...@wso2.com
Mob : +94 772 254 810 <+94%2077%20225%204810>
Blog : http://isurad.blogspot.com/
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev

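The ordering problem Farasath raises above, as an added Python example that is not part of the thread or of WSO2's code: the client is authenticated before the application state is consulted, so an unknown client_id and a wrong secret both yield invalid_client and nothing about the app can be probed without its secret, while a NULL APP_STATE (a row that exists but was never set) is reported differently from a missing row. The SQLite table, the sample apps, and the choice of unauthorized_client for an inactive app are constructed assumptions.

```python
"""Token-endpoint client checks in the order the thread argues for.

Added example; not WSO2 Identity Server code. A constructed in-memory
SQLite table stands in for the consumer-app store, with a nullable
APP_STATE column as described in the thread. The error code used for an
inactive app is an assumption: RFC 6749 has no dedicated code for it.
"""
import hmac
import secrets
import sqlite3

INVALID_CLIENT = {"error": "invalid_client",
                  "error_description": "Client authentication failed"}


def open_sample_db():
    """Constructed sample data: one active app, one revoked, one with NULL state."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE consumer_apps ("
        " consumer_key TEXT PRIMARY KEY,"
        " consumer_secret TEXT NOT NULL,"
        " app_state TEXT)"  # nullable on purpose, as in the thread
    )
    con.executemany(
        "INSERT INTO consumer_apps VALUES (?, ?, ?)",
        [("app-active", "secret-active", "ACTIVE"),
         ("app-revoked", "secret-revoked", "REVOKED"),
         ("app-nullstate", "secret-nullstate", None)],
    )
    return con


def authenticate_client(con, client_id, client_secret):
    """Return the app row for an authenticated client, else None.

    An unknown client_id and a wrong secret are indistinguishable to the
    caller: same error, and the secret comparison runs in both cases.
    """
    row = con.execute(
        "SELECT consumer_secret, app_state FROM consumer_apps"
        " WHERE consumer_key = ?", (client_id,)).fetchone()
    expected = row[0] if row else "dummy-secret-for-unknown-client"
    ok = hmac.compare_digest(expected.encode(), client_secret.encode())
    return row if (row is not None and ok) else None


def app_state_error(app_state):
    """Map a stored APP_STATE to a token error, or None when tokens may be issued."""
    if app_state is None:
        # Row exists but state was never set: not the same as "no such app".
        return {"error": "unauthorized_client",
                "error_description": "Application state is not set"}
    if app_state.upper() != "ACTIVE":
        return {"error": "unauthorized_client",
                "error_description": "Application is not in ACTIVE state"}
    return None


def handle_token_request(con, client_id, client_secret):
    """Client authentication first, app-state validation second."""
    row = authenticate_client(con, client_id, client_secret)
    if row is None:
        return dict(INVALID_CLIENT, http_status=401)
    err = app_state_error(row[1])
    if err is not None:
        return dict(err, http_status=400)
    return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
            "expires_in": 3600, "http_status": 200}


if __name__ == "__main__":
    db = open_sample_db()
    for cid, sec in [("app-active", "secret-active"), ("no-such-app", "x"),
                     ("app-revoked", "wrong"), ("app-revoked", "secret-revoked"),
                     ("app-nullstate", "secret-nullstate")]:
        print(cid, handle_token_request(db, cid, sec))
```

Running it shows the two outcomes the thread wants kept apart: "no-such-app" and a wrong secret for "app-revoked" both come back as invalid_client, and only a client that proves possession of its secret learns that its app is revoked or has no state recorded.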

Re: [Dev] Implemeting Scope Validator

2017-05-25 Thread Isura Karunaratne
Hi Hasanthi,

If the property IdTokenAllowed is not defined for a grant type, what is the
default behavior?

Thanks
Isura.

On Wed, May 17, 2017 at 3:29 PM, Hasanthi Purnima Dissanayake <
hasan...@wso2.com> wrote:

> Hi All,
>
> We have suggested a new property  for the parent
>  along with the  segment  to on/off
> the functionality of issuing the id token for grant types. For
> oauthorization_code grant type we ignore this property and issue id token
> by default for the 'openid' scope.
>
> Thanks,
>
> Hasanthi Dissanayake
>
> Software Engineer | WSO2
>
> E: hasan...@wso2.com
> M :0718407133| http://wso2.com 
>
> On Wed, May 17, 2017 at 7:52 AM, Pushpalanka Jayawardhana 
> wrote:
>
>> Hi,
>>
>> On Tue, May 16, 2017 at 10:56 PM, Hasanthi Purnima Dissanayake <
>> hasan...@wso2.com> wrote:
>>
>>> Hi Farasath, Lanka
>>>
>>>> What about extension grant types like SAML2BearerGrant, JWTBearer or
>>>> any other custom grant type we write?
>>>> AFAIR we do issue id_tokens to any grant type when "openid" scope is
>>>> present.
>>>
>>>
>>> IMO using "openid" scope to issue id_tokens like SAML2Bearer ,etc is not
>>> required.
>>>
>>>> If our current implementation allows id_token generation for all types
>>>> wouldn't this break existing clients?
>>>
>>>
>>> This is an optional configuration, so we don't break any existing
>>> clients here.
>>>
>>> @Lanka,
>>>

 
 
 authorization_code
 org
 .wso2.carbon.identity.oauth2.token.handlers.grant.Authorizat
 ionCodeGrantHandler
 *true*
 
 ..
 

 We can ship default configuration as the behavior we currently have, so
 none of the existing scenarios break.
 OIDC scope validator can consume this information from here.

>>>
>>> We already have below configuration for the APIM for JDBC Scope
>>> validation.
>>>
>>> 

Re: [Dev] WSO2IS 5.3 initialization Failed: No subject alternative names present

2017-05-25 Thread Isura Karunaratne
The reason could be that the embedded profile configuration is stored in the
WF_BPS_PROFILE table using your old certificate details. Since you changed the
certificate, start the server after removing the default profile entry from
the WF_BPS_PROFILE table.

Thanks
Isura.

On Wed, May 24, 2017 at 12:32 PM, Melodias  wrote:

> Hi,
>
> Thanks everyone for as replies.
>
> I forgot to mention that I'm created a certificates and included my ip as
> the CN. Generated certificates for the steps in this tutorial.
>
> After I generated new certificates and replaced key names and passwords in
> all configurations files, probelm did  not disappeared. ->  "No subject
> alternative names present"
>
>
> I tried change in everything files occurrence localhost ---> ip, but that
> wasn't the solution to the problem.
>
> According to recommendations of your I running wso2is server with flags
> -Dhttpclient.hostnameVerifier=AllowAll, an error occured:
>
> ERROR
> {org.wso2.carbon.identity.workflow.impl.internal.WorkflowImp
> lServiceComponent}
> -  Error occured while adding default bps
> profile.org.wso2.carbon.identity.workflow.impl.WorkflowImplException:
> Error
> while encrypting the passwords of BPS Profile: embeded_bps
>
>
> Any suggest ?
>
>
>
>
>
> --
> View this message in context: http://wso2-oxygen-tank.10903.n7.nabble.com/WSO2IS-5-3-initialization-Failed-No-subject-alternative-names-present-tp148988p149173.html
> Sent from the WSO2 Development mailing list archive at Nabble.com.
> ___
> Dev mailing list
> Dev@wso2.org
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>



-- 

*Isura Dilhara Karunaratne*
Senior Software Engineer | WSO2
Email: is...@wso2.com
Mob : +94 772 254 810 <+94%2077%20225%204810>
Blog : http://isurad.blogspot.com/
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev

