[Dev] WSO2 Committers += Sathiyakugan Balakrishnan

2020-11-23 Thread Sathya Bandara
Hi All,

It's my pleasure to announce Sathiyakugan Balakrishnan as a WSO2 Committer.
He has been a valuable contributor and enthusiast to the WSO2 Identity &
Access Management Team.
In recognition of his contribution, dedication, and commitment he has been
voted as a WSO2 committer.

Congratulations Sathiyakugan and keep up the good work...!!!

Thanks,
Sathya
-- 
Sathya Bandara
Senior Software Engineer
Blog: https://medium.com/@technospace
WSO2 Inc. http://wso2.com
Mobile: (+94) 715 360 421

___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


[Dev] Deprecating /identity/connect/register endpoint in WSO2 Identity Server

2020-06-24 Thread Sathya Bandara
Hi all,

We are planning to deprecate the */identity/connect/register* endpoint [1]
from Identity Server 5.11.0 onward. We recommend using the
*identity/oauth2/dcr/v1.1/register* endpoint instead for OAuth2 dynamic
client registration.

Please let us know if you have any concerns regarding this.

[1]
https://github.com/wso2-extensions/identity-inbound-auth-oauth/tree/master/components/org.wso2.carbon.identity.oidc.dcr

Thanks,
Sathya
-- 
Sathya Bandara
Senior Software Engineer
Blog: https://medium.com/@technospace
WSO2 Inc. http://wso2.com
Mobile: (+94) 715 360 421



Re: [Dev] [Iam-dev] [VOTE] Release WSO2 Identity Server 5.10.0 RC2

2020-03-11 Thread Sathya Bandara
closed=1>
>>>>- 5.10.0-Beta
>>>><https://github.com/wso2/product-is/milestone/107?closed=1>
>>>>- 5.10.0-Beta2
>>>><https://github.com/wso2/product-is/milestone/108?closed=1>
>>>>- 5.10.0-Beta3
>>>><https://github.com/wso2/product-is/milestone/109?closed=1>
>>>>- 5.10.0-GA
>>>><https://github.com/wso2/product-is/milestone/92?closed=1>
>>>>
>>>>
>>>> *Source and Distribution*
>>>> The source and distribution
>>>> <https://github.com/wso2/product-is/releases/download/v5.10.0-rc2/wso2is-5.10.0-rc2.zip>
>>>>  are
>>>> available at
>>>> https://github.com/wso2/product-is/releases/tag/v5.10.0-rc2
>>>>
>>>>
>>>> Please download the product, test it, and vote using the following
>>>> convention.
>>>> [+] Stable - go ahead and release
>>>> [-] Broken - do not release (explain why)
>>>>
>>>>
>>>> Thank you,
>>>> WSO2 Identity and Access Management Team
>>>>
>>>> --
>>>> *Janak Amarasena* | Senior Software Engineer | WSO2 Inc.
>>>> (m) +9464144 | (w) +94112145345 | (e) ja...@wso2.com
>>>>
>>>>
>>>> <https://wso2.com/signature>
>>>> ___
>>>> Iam-dev mailing list
>>>> iam-...@wso2.org
>>>> http://wso2.org/cgi-bin/mailman/listinfo/iam-dev
>>>>
>>>
>>>
>>> --
>>> *Theviyanthan Krishnamohan (Thivi)*
>>> Software Engineer | WSO2 Inc.
>>> Mobile: 94 76 967
>>> Email: theviyant...@wso2.com
>>>
>>> ___
>>> Iam-dev mailing list
>>> iam-...@wso2.org
>>> http://wso2.org/cgi-bin/mailman/listinfo/iam-dev
>>>
>>
>>
>> --
>> *Brion Silva* | Software Engineer | WSO2 Inc.
>> (m) +94777933830 | (e) br...@wso2.com
>>
>> <https://wso2.com/signature>
>> ___
>> Iam-dev mailing list
>> iam-...@wso2.org
>> http://wso2.org/cgi-bin/mailman/listinfo/iam-dev
>>
> ___
> Iam-dev mailing list
> iam-...@wso2.org
> http://wso2.org/cgi-bin/mailman/listinfo/iam-dev
>


-- 
Sathya Bandara
Senior Software Engineer
Blog: https://medium.com/@technospace
WSO2 Inc. http://wso2.com
Mobile: (+94) 715 360 421



Re: [Dev] Shibboleth as an identity provider for APIM-3

2020-01-15 Thread Sathya Bandara
Hi Bernard,

The Shibboleth server's public certificate configured in the IdP config is
used to verify the signature of SAML responses coming from Shibboleth.

When configuring WSO2 as an SP in Shibboleth, you need to give the WSO2
server's public certificate (in wso2carbon.jks). If you have enabled assertion
encryption, then the Shibboleth server will encrypt the SAML assertions using
this WSO2 public key. The WSO2 server will decrypt the assertions using its
private key in wso2carbon.jks.

Hope this clarifies your query.

On Wed, Jan 15, 2020 at 22:24, Bernard Paris 
wrote:

> Hello,
>
> I understood that the certificate defined  into the 'Identity Provider
> Public Certificate' is the *public*  shibboleth certificate needed to
> decrypt the incoming SAML responses.
>
> It was automatically set when I loaded the shibboleth metadata.xml file
> under " SAML2 Web SSO Configuration"  > Metadata File Configuration
>
> On the opposite what I need is to give (where ?)  my certificate with *public
> AND private *keys in order to sign/encrypt the SAML requests.
>
> Am I wrong ?
> Bernard
>
>
> Le 15 janv. 2020 à 17:23, Sathya Bandara  a écrit :
>
> Hi Bernard,
>
> You can upload the certificate into the 'Identity Provider Public
> Certificate' which is available under the 'Basic Information' section of
> Identity Provider configuration.
>
> Thanks,
>
> On Wed, Jan 15, 2020 at 8:19 PM Bernard Paris 
> wrote:
>
>> Hi devs,
>>
>> We want to use Shibboleth as an identity provider for API manager V.3.
>> In the carbon console, via the IdP list, we have added an IdP entry  then
>> under "Federated Authenticators section and the SAML2 Web SSO Configuration
>> section"  we have configured our Shibboleth as identity provider.
>>
>> This IdP entry will behave as an SP for shibboleth.  Since we want
>> Assertion Encryption and signing I understand this "SP like" needs a
>> private/public key in a certificate  to do so.  I've made a self-signed
>> certificate for this, and its public key has been be given to shibboleth in
>> the metadata file (xml path:
>> /EntityDescriptor/SPSSODescriptor/KeyDescriptor/KeyInfo/X509Data/X509Certificate).
>>
>>
>> Now my question is  "where am I to specify this certificate in my
>>  "Federated Authenticators section and the SAML2 Web SSO Configuration
>> section"  ?"
>>
>> I didn't find any field for that  in the "SAML2 Web SSO Configuration
>> section".
>> Unless this encryption use must only use the APIM server certificate in
>> wso2carbon.jks ?
>>
>> Hope my understanding is correct.
>> Thanks for any help.
>>
>> Regards,
>> Bernard
>>
>>
>>
>> ___
>> Dev mailing list
>> Dev@wso2.org
>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>
>
>
> --
> Sathya Bandara
> Senior Software Engineer
> Blog: https://medium.com/@technospace
> WSO2 Inc. http://wso2.com
> Mobile: (+94) 715 360 421
>
>
>
> --
Sathya Bandara
Senior Software Engineer
Blog: https://medium.com/@technospace
WSO2 Inc. http://wso2.com
Mobile: (+94) 715 360 421

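As an added illustration of the key roles described in this reply (not code from WSO2 or Shibboleth), the following Go program models the exchange: the IdP signs the response with its own private key and encrypts the assertion to the SP's public key; the SP verifies with the configured IdP public certificate and decrypts with the private key from its own keystore, which never has to be handed to the IdP. XML-DSig/XML-Enc are replaced by plain RSA-PKCS1v15, RSA-OAEP and AES-GCM, and the names IdPKeys, SPKeys, Response, IssueResponse, ConsumeResponse and NewParties are constructed for this example.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// IdPKeys is what Shibboleth holds: its signing key and only the SP's public key (from SP metadata).
type IdPKeys struct {
	Signing *rsa.PrivateKey
	SPEnc   *rsa.PublicKey
}

// SPKeys is what WSO2 holds: its private key (wso2carbon.jks) and the configured IdP public certificate.
type SPKeys struct {
	Decrypt *rsa.PrivateKey
	IdPSig  *rsa.PublicKey
}

// Response stands in for a SAML response with an encrypted assertion: an RSA-OAEP-wrapped
// AES key, nonce, AES-GCM ciphertext and the IdP signature over those three.
type Response struct {
	WrappedKey, Nonce, Ciphertext, Signature []byte
}

func digest(r *Response) []byte {
	d := sha256.Sum256(bytes.Join([][]byte{r.WrappedKey, r.Nonce, r.Ciphertext}, nil))
	return d[:]
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// IssueResponse is the IdP side: encrypt the assertion to the SP, then sign as the IdP.
func IssueResponse(idp IdPKeys, assertion []byte) (*Response, error) {
	key := make([]byte, 32)
	rand.Read(key) // crypto/rand.Read does not fail in practice
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	r := &Response{Nonce: make([]byte, gcm.NonceSize())}
	rand.Read(r.Nonce)
	r.Ciphertext = gcm.Seal(nil, r.Nonce, assertion, nil)
	if r.WrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, idp.SPEnc, key, nil); err != nil {
		return nil, err
	}
	r.Signature, err = rsa.SignPKCS1v15(rand.Reader, idp.Signing, crypto.SHA256, digest(r))
	return r, err
}

// ConsumeResponse is the SP side: verify against the configured IdP certificate
// first, then decrypt with the SP's own private key.
func ConsumeResponse(sp SPKeys, r *Response) ([]byte, error) {
	if err := rsa.VerifyPKCS1v15(sp.IdPSig, crypto.SHA256, digest(r), r.Signature); err != nil {
		return nil, fmt.Errorf("response not signed by the configured IdP certificate: %w", err)
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, sp.Decrypt, r.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, r.Nonce, r.Ciphertext, nil)
}

// NewParties generates both key pairs and gives each side only the other's public half.
func NewParties() (IdPKeys, SPKeys) {
	idpKey, err1 := rsa.GenerateKey(rand.Reader, 2048)
	spKey, err2 := rsa.GenerateKey(rand.Reader, 2048)
	if err1 != nil || err2 != nil {
		panic("key generation failed")
	}
	return IdPKeys{Signing: idpKey, SPEnc: &spKey.PublicKey}, SPKeys{Decrypt: spKey, IdPSig: &idpKey.PublicKey}
}

func main() {
	idp, sp := NewParties()
	resp, err := IssueResponse(idp, []byte("<saml:Assertion>uid=bernard</saml:Assertion>")) // constructed
	if err != nil {
		panic(err)
	}
	assertion, err := ConsumeResponse(sp, resp)
	fmt.Println(string(assertion), err)
}
```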


Re: [Dev] Shibboleth as an identity provider for APIM-3

2020-01-15 Thread Sathya Bandara
Hi Bernard,

You can upload the certificate into the 'Identity Provider Public
Certificate' which is available under the 'Basic Information' section of
Identity Provider configuration.

Thanks,

On Wed, Jan 15, 2020 at 8:19 PM Bernard Paris 
wrote:

> Hi devs,
>
> We want to use Shibboleth as an identity provider for API manager V.3.
> In the carbon console, via the IdP list, we have added an IdP entry  then
> under "Federated Authenticators section and the SAML2 Web SSO Configuration
> section"  we have configured our Shibboleth as identity provider.
>
> This IdP entry will behave as an SP for shibboleth.  Since we want
> Assertion Encryption and signing I understand this "SP like" needs a
> private/public key in a certificate  to do so.  I've made a self-signed
> certificate for this, and its public key has been be given to shibboleth in
> the metadata file (xml path:
> /EntityDescriptor/SPSSODescriptor/KeyDescriptor/KeyInfo/X509Data/X509Certificate).
>
>
> Now my question is  "where am I to specify this certificate in my
>  "Federated Authenticators section and the SAML2 Web SSO Configuration
> section"  ?"
>
> I didn't find any field for that  in the "SAML2 Web SSO Configuration
> section".
> Unless this encryption use must only use the APIM server certificate in
> wso2carbon.jks ?
>
> Hope my understanding is correct.
> Thanks for any help.
>
> Regards,
> Bernard
>
>
>
> ___
> Dev mailing list
> Dev@wso2.org
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>


-- 
Sathya Bandara
Senior Software Engineer
Blog: https://medium.com/@technospace
WSO2 Inc. http://wso2.com
Mobile: (+94) 715 360 421



Re: [Dev] Setup multiple CARBON_DB in a wso2 IS cluster env

2019-12-18 Thread Sathya Bandara
Hi Bernard,

On Wed, Dec 18, 2019 at 3:37 PM Bernard Paris 
wrote:

> Hello,
>
> It is not clear to me what to do with CARBON_DB setup for nodes in a
> WSO2-IS cluster env.
>
> The documentation at
> https://is.docs.wso2.com/en/5.9.0/setup/deployment-guide/
> says that
> "In this cluster setup, we use the default h2 database as the local
> registry in each node individually and the governance and configuration
> registries should be mounted to share across all nodes"
>
> But documentation also warns "Embedded H2 is NOT RECOMMENDED in
> production", and I can confirm we have had problems in the past while being
> unable to recover H2 data so we want mysql.
>
> Reading
> https://is.docs.wso2.com/en/5.9.0/administer/working-with-the-registry/
> tells that the local reg is not to be share.
>
> So I understand that
>  > local registry will be in CARBON_DB, which is not to be shared -->  we
> have to setup one CARBON_DB for each node
>
Yes, your understanding is correct. The local registry (dbConfig
name="wso2registry") in the registry.xml file points to the CARBON_DB by
default. The local registry stores individual node-specific data, so it should
not be shared with other nodes in the cluster. Ideally you can use embedded H2
for the local registry; however, if you want to set up MySQL, then you have to
set up a MySQL DB per node.

> >  governance and configuration registries  will be in a unique and shared
> DB
>
Governance and config registries contain data that needs to be shared
across all the nodes in the cluster, so they should point to a single
database from all the nodes. Please refer to the 'Mounting the registry'
section in [1] for further details.

[1] https://docs.wso2.com/display/IS570/Setting+Up+Deployment+Pattern+1

>
> Is this correct?
> Thanks
> Bernard
> ___________
> Dev mailing list
> Dev@wso2.org
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>


-- 
Sathya Bandara
Senior Software Engineer
Blog: https://medium.com/@technospace
WSO2 Inc. http://wso2.com
Mobile: (+94) 715 360 421



Re: [Dev] [VOTE] Release WSO2 Identity Server 5.9.0 RC2

2019-10-02 Thread Sathya Bandara
   -
>>>>>>>
>>>>>>>Inbuilt support to view and revoke user sessions
>>>>>>>-
>>>>>>>
>>>>>>>Azure AD/Office365 multi-domain federation support
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Fixes
>>>>>>>
>>>>>>> This release includes the following issue fixes and improvements:
>>>>>>>
>>>>>>>-
>>>>>>>
>>>>>>>5.9.0-m1
>>>>>>><https://github.com/wso2/product-is/milestone/85?closed=1>
>>>>>>>-
>>>>>>>
>>>>>>>5.9.0-m2
>>>>>>><https://github.com/wso2/product-is/milestone/86?closed=1>
>>>>>>>-
>>>>>>>
>>>>>>>5.9.0-m3
>>>>>>><https://github.com/wso2/product-is/milestone/87?closed=1>
>>>>>>>-
>>>>>>>
>>>>>>>5.9.0-m4
>>>>>>><https://github.com/wso2/product-is/milestone/88?closed=1>
>>>>>>>-
>>>>>>>
>>>>>>>5.9.0-m5
>>>>>>><https://github.com/wso2/product-is/milestone/90?closed=1>
>>>>>>>-
>>>>>>>
>>>>>>>5.9.0-m6
>>>>>>><https://github.com/wso2/product-is/milestone/91?closed=1>
>>>>>>>-
>>>>>>>
>>>>>>>5.9.0-alpha
>>>>>>><https://github.com/wso2/product-is/milestone/89?closed=1>
>>>>>>>-
>>>>>>>
>>>>>>>5.9.0-beta
>>>>>>><https://github.com/wso2/product-is/milestone/93?closed=1>
>>>>>>>-
>>>>>>>
>>>>>>>5.9.0-GA
>>>>>>><https://github.com/wso2/product-is/milestone/83?closed=1>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Source and Distribution
>>>>>>>
>>>>>>> The source and distribution
>>>>>>> <https://github.com/wso2/product-is/releases/download/v5.9.0-rc2/wso2is-5.9.0-rc2.zip>
>>>>>>> are available at
>>>>>>> https://github.com/wso2/product-is/releases/tag/v5.9.0-rc2
>>>>>>>
>>>>>>>
>>>>>>> Please download the product, test it, and vote using the following
>>>>>>> convention.
>>>>>>>
>>>>>>> [+] Stable - go ahead and release
>>>>>>>
>>>>>>> [-] Broken - do not release (explain why)
>>>>>>>
>>>>>>> Thanks,
>>>>>>>
>>>>>>> WSO2 Identity and Access Management Team
>>>>>>>
>>>>>>> *Piraveena Paralogarajah*
>>>>>>> Software Engineer | WSO2 Inc.
>>>>>>> *(m)* +94776099594 | *(e)* pirave...@wso2.com
>>>>>>>
>>>>>>> ___
>>>>>> Dev mailing list
>>>>>> Dev@wso2.org
>>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Niluka Sripali Monnankulama
>>>>> Software Engineer - WSO2 Sri Lanka
>>>>>
>>>>> Mobile : +94 76 76 52843
>>>>>
>>>>> ___
>>>>> Dev mailing list
>>>>> Dev@wso2.org
>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>>
>>>>
>>>>
>>>> --
>>>>
>>>> *Mathuriga Thavarajah*
>>>> Software Engineer
>>>> WSO2 Inc. - http ://wso2.com
>>>>
>>>> Email : mathur...@wso2.com
>>>> Mobile  : +94778191300
>>>>
>>>>
>>>>
>>>> ___
>>>> Dev mailing list
>>>> Dev@wso2.org
>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>
>>>
>>
>> --
>> Wijith Bandara
>> Software Engineer | WSO2
>>
>> Email : wij...@wso2.com
>> Mobile : +94718970370
>> Web : http://wso2.com
>>
>> <http://wso2.com/signature>
>> ___
>> Dev mailing list
>> Dev@wso2.org
>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>
>
>
> --
>
> Hasanthi Dissanayake | Associate Technical Lead | WSO2 Inc.
> (m) +94718407133 | (w) +94112145345  | Email: hasan...@wso2.com  | Blog:
> https://medium.com/@hasanthipurnimadissanayake
>
> ___
> Dev mailing list
> Dev@wso2.org
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>


-- 
Sathya Bandara
Senior Software Engineer
Blog: https://medium.com/@technospace
WSO2 Inc. http://wso2.com
Mobile: (+94) 715 360 421



Re: [Dev] Issue with configuring Identity Server is a OIDC provider

2019-09-30 Thread Sathya Bandara
On Mon, Sep 30, 2019 at 11:23 AM Hasintha Indrajee 
wrote:

>
>
> On Mon, Sep 30, 2019 at 11:17 AM Farasath Ahamed 
> wrote:
>
>>
>>
>> On Fri, Sep 27, 2019 at 5:47 PM Hasintha Indrajee 
>> wrote:
>>
>>> The original problem is we can't execute client authenticators per
>>> application. As per our current implementation we never can have a both
>>> MTLS and Basic Auth client authentication supported in the server while
>>> different clients using Basic auth + MTLS and BasicAuth or MTLS alone.
>>>
>>> Hence I think, the best solution is to make client authenticators
>>> configurable per oauth app. This should be an easy implementation. (Store
>>> engaged authenticators as oauth app property and honour them through an
>>> abstract logic in ClientAuthenticators).
>>>
>> I don't think supporting client authenticators per application would
>> solve this problem either.
>>
>
> Can you please elaborate more on this ?. Simply in this case we can only
> engage Basic client authenticator for this application if we had per
> applications support. Even though mtls is used to enforce extra transport
> level security, it is not required to use certificates derived from mtls
> session to assert client.
>
> @Sathya Bandara  : Is there a spec for MTLS based client
> authentication ? If so we need to read carefully and see whether we need to
> engage mtls authenticator just because of an mtls handshake took place.
> (Don't we need to send an extra header or an attribute asking to
> authenticate client using MTLS session?)
>
In the draft version of the spec that was available at the time of
implementation, there was no mention of any extra header or attributes to
engage MTLS authentication (we had used version 07). But the latest version
suggests that we can use a distinct set of endpoints on a separate host/port
which are aliases for the original endpoints, so clients that need to use
mutual TLS for authentication can use those endpoints instead of the
original ones [1]. The following metadata needs to be included in the
well-known endpoint for this.

 "mtls_endpoint_aliases": {
   "token_endpoint": "https://mtls.example.com/token",
   "revocation_endpoint": "https://mtls.example.com/revo",
   "introspection_endpoint": "https://mtls.example.com/introspect"
 }



[1] https://tools.ietf.org/html/draft-ietf-oauth-mtls-17#section-5

>
>>
> What the spec tries to limit is using multiple authentication mechanisms
>> in the *same request*. That does not mean that the application should be
>> limited to one authentication mechanism.
>>
>> Are we suggesting to limit an application to allow only one
>> authentication mechanism?
>>
>>>
>>> However It's rationale to turn this MTLS client authenticator off for OB
>>> since it's one of their OOTB use cases.
>>>
>>> On Fri, Sep 27, 2019 at 5:08 PM Harsha Kumara  wrote:
>>>
>>>> Hi All,
>>>>
>>>> When I configured the IS as KM, same issue occurred during the token
>>>> generation as our client initialize using the required keystores. Client
>>>> will set the javax.servlet.request.X509Certificate by default. Our products
>>>> support http verify client as option which means client can authenticate
>>>> with one or two way SSL. Also there are clients who secure their token
>>>> endpoint with mutual authentication along with the default authentication
>>>> used in the grant types. AFAIK, in OB usecases it require token endpoint to
>>>> secured with MutualTLS. I believe this authenticator should be disabled by
>>>> default. @Hasintha Indrajee  WDYT?
>>>>
>>>> Thanks,
>>>> Harsha
>>>>
>>>> On Sat, Sep 21, 2019 at 10:12 AM Harsha Kumara 
>>>> wrote:
>>>>
>>>>> Thank you for the information. Since I'm using the alpha4 update, it
>>>>> should have that fix. I'll check further
>>>>>
>>>>> On Sat, Sep 21, 2019 at 12:20 AM Sathya Bandara 
>>>>> wrote:
>>>>>
>>>>>> That PR was not merged. Instead the missing registry configs were
>>>>>> re-added [1]
>>>>>>
>>>>>> [1] https://github.com/wso2/product-is/pull/6076
>>>>>>
>>>>>> On Fri, Sep 20, 2019 at 8:35 PM Harsha Kumara 
>>>>>> wrote:
>>>>>>
>>>>>>> Since this either should handle at client side and mandate not to
>>>>>

Re: [Dev] Issue with configuring Identity Server is a OIDC provider

2019-09-20 Thread Sathya Bandara
That PR was not merged. Instead, the missing registry configs were re-added
[1].

[1] https://github.com/wso2/product-is/pull/6076

On Fri, Sep 20, 2019 at 8:35 PM Harsha Kumara  wrote:

> Since this either should handle at client side and mandate not to send the
> certificate or we have to disable the handler. Looks like we have disabled
> the handler by default in
> https://github.com/wso2/carbon-identity-framework/pull/2336/files
>
> But I don't see it in the wso2is-5.9.0-alpha4-SNAPSHOT. Was it revert
> again?
>
> Thanks,
> Harsha
>
> On Fri, Sep 20, 2019 at 7:53 PM Harsha Kumara  wrote:
>
>> Thanks a lot @Sathya Bandara  That should be the issue.
>> I will check and update the thread.
>>
>> Thanks,
>> Harsha
>>
>> On Fri, Sep 20, 2019 at 7:14 PM Sathya Bandara  wrote:
>>
>>> We came across a similar issue where the OIDC federated authenticator
>>> sets the certificate by default to the request [1]. This has occurred due
>>> to a change to registry.xml with new config model. When the changes were
>>> reverted it worked as expected [2]. Maybe the same issue exists with APIM?
>>>
>>> [1] "Error when invoking OIDC federated Authenticator in IS 5.9.0-m5"
>>> [2] https://github.com/wso2/product-is/issues/6013
>>>
>>> On Fri, Sep 20, 2019 at 6:50 PM Harsha Kumara  wrote:
>>>
>>>> Yes that's correct. I'm using the openid authenticator, so it sets the
>>>> certificate by default to the header, hence multiple authenticators getting
>>>> triggered..But mutual SSL is handled at the transport layer and even with
>>>> mutual authentication, client id and secret will be present in the request.
>>>> I feel there is something wrong with the logic.
>>>>
>>>> On Fri, Sep 20, 2019 at 6:39 PM Sathya Bandara  wrote:
>>>>
>>>>> If client secret is used for client authentication with POST request
>>>>> to the token endpoint, then its not required to send the certificate.
>>>>>
>>>>> On Fri, Sep 20, 2019 at 6:35 PM Harsha Kumara 
>>>>> wrote:
>>>>>
>>>>>> So if so our OpenIDConnectAuthenticator shouldn't set certificate in
>>>>>> the request during the authorization code exchange?
>>>>>>
>>>>>> On Fri, Sep 20, 2019 at 6:30 PM Sathya Bandara 
>>>>>> wrote:
>>>>>>
>>>>>>> Hi Harsha,
>>>>>>>
>>>>>>> In the oauth spec [1], it mandates that client should not use more
>>>>>>> than one authentication mechanism per request. Hence, we have that
>>>>>>> validation here.
>>>>>>>
>>>>>>> [1] https://tools.ietf.org/html/rfc6749#section-2.3
>>>>>>>
>>>>>>> Thanks,
>>>>>>>
>>>>>>> On Fri, Sep 20, 2019 at 6:25 PM Harsha Kumara 
>>>>>>> wrote:
>>>>>>>
>>>>>>>> As we can configure multiple authenticators, and add them based on
>>>>>>>> canAuthenticate method response, why we need to return above error if
>>>>>>>> multiple authenticators engaged?
>>>>>>>>
>>>>>>>> On Fri, Sep 20, 2019 at 6:22 PM Harsha Kumara 
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>> It seems the logic of checking authenticator list greater than 1
>>>>>>>>> should be correct?
>>>>>>>>>
>>>>>>>>> On Fri, Sep 20, 2019 at 5:30 PM Harsha Kumara 
>>>>>>>>> wrote:
>>>>>>>>>
>>>>>>>>>> Hi,
>>>>>>>>>>
>>>>>>>>>> With the API Manager 3.0.0 release, we are going to add OIDC
>>>>>>>>>> authenticator to the API Manager as we already had that capability in
>>>>>>>>>> directly through the site.json configuration.
>>>>>>>>>>
>>>>>>>>>> However to try the scenario, I have followed the document[1].
>>>>>>>>>>
>>>>>>>>>> Setup would be APIM 3.0.0 and IS-5.9.0-Alpha4-SNAPSHOT. I got
>>>>>>>>>> below error during the authorization code exchange.
>>>>>>>>>>
>>>>>>>>>> [2019-0

Re: [Dev] Issue with configuring Identity Server is a OIDC provider

2019-09-20 Thread Sathya Bandara
We came across a similar issue where the OIDC federated authenticator sets
the certificate by default on the request [1]. This occurred due to a change
to registry.xml with the new config model. When the changes were reverted it
worked as expected [2]. Maybe the same issue exists with APIM?

[1] "Error when invoking OIDC federated Authenticator in IS 5.9.0-m5"
[2] https://github.com/wso2/product-is/issues/6013

On Fri, Sep 20, 2019 at 6:50 PM Harsha Kumara  wrote:

> Yes that's correct. I'm using the openid authenticator, so it sets the
> certificate by default to the header, hence multiple authenticators getting
> triggered..But mutual SSL is handled at the transport layer and even with
> mutual authentication, client id and secret will be present in the request.
> I feel there is something wrong with the logic.
>
> On Fri, Sep 20, 2019 at 6:39 PM Sathya Bandara  wrote:
>
>> If client secret is used for client authentication with POST request to
>> the token endpoint, then its not required to send the certificate.
>>
>> On Fri, Sep 20, 2019 at 6:35 PM Harsha Kumara  wrote:
>>
>>> So if so our OpenIDConnectAuthenticator shouldn't set certificate in the
>>> request during the authorization code exchange?
>>>
>>> On Fri, Sep 20, 2019 at 6:30 PM Sathya Bandara  wrote:
>>>
>>>> Hi Harsha,
>>>>
>>>> In the oauth spec [1], it mandates that client should not use more than
>>>> one authentication mechanism per request. Hence, we have that validation
>>>> here.
>>>>
>>>> [1] https://tools.ietf.org/html/rfc6749#section-2.3
>>>>
>>>> Thanks,
>>>>
>>>> On Fri, Sep 20, 2019 at 6:25 PM Harsha Kumara  wrote:
>>>>
>>>>> As we can configure multiple authenticators, and add them based on
>>>>> canAuthenticate method response, why we need to return above error if
>>>>> multiple authenticators engaged?
>>>>>
>>>>> On Fri, Sep 20, 2019 at 6:22 PM Harsha Kumara 
>>>>> wrote:
>>>>>
>>>>>> It seems the logic of checking authenticator list greater than 1
>>>>>> should be correct?
>>>>>>
>>>>>> On Fri, Sep 20, 2019 at 5:30 PM Harsha Kumara 
>>>>>> wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> With the API Manager 3.0.0 release, we are going to add OIDC
>>>>>>> authenticator to the API Manager as we already had that capability in
>>>>>>> directly through the site.json configuration.
>>>>>>>
>>>>>>> However to try the scenario, I have followed the document[1].
>>>>>>>
>>>>>>> Setup would be APIM 3.0.0 and IS-5.9.0-Alpha4-SNAPSHOT. I got below
>>>>>>> error during the authorization code exchange.
>>>>>>>
>>>>>>> [2019-09-20 15:33:38,428] ERROR - DefaultStepHandler Authentication
>>>>>>> failed exception!
>>>>>>> org.wso2.carbon.identity.application.authentication.framework.exception.AuthenticationFailedException:
>>>>>>> invalid_request, The client MUST NOT use more than one authentication
>>>>>>> method in each
>>>>>>> at
>>>>>>> org.wso2.carbon.identity.application.authenticator.oidc.OpenIDConnectAuthenticator.getOauthResponse(OpenIDConnectAuthenticator.java:615)
>>>>>>> ~[org.wso2.carbon.identity.application.authenticator.oidc-5.3.2.jar:?]
>>>>>>> at
>>>>>>>
>>>>>>> This error occurred due to engaging the MutualTLSAuthenticator in
>>>>>>> the token exchange flow. Below check returns list of authenticators 
>>>>>>> greater
>>>>>>> than one due to engaging this authenticator. It seems during the token
>>>>>>> exchange flow, we send the certificate in the header which lead to 
>>>>>>> trigger
>>>>>>> the MutualTLSAuthenticator enable checks and add to the authenticator 
>>>>>>> list.
>>>>>>> If I removed the mutual authenticator jar, this started to work.
>>>>>>>
>>>>>>> // Will return an invalid request response if multiple authentication 
>>>>>>> mechanisms are engaged irrespective of
>>>>>>> // whether the grant type is confidential or not.
>>>>>

Re: [Dev] Issue with configuring Identity Server is a OIDC provider

2019-09-20 Thread Sathya Bandara
If the client secret is used for client authentication with a POST request to
the token endpoint, then it's not required to send the certificate.

On Fri, Sep 20, 2019 at 6:35 PM Harsha Kumara  wrote:

> So if so our OpenIDConnectAuthenticator shouldn't set certificate in the
> request during the authorization code exchange?
>
> On Fri, Sep 20, 2019 at 6:30 PM Sathya Bandara  wrote:
>
>> Hi Harsha,
>>
>> In the oauth spec [1], it mandates that client should not use more than
>> one authentication mechanism per request. Hence, we have that validation
>> here.
>>
>> [1] https://tools.ietf.org/html/rfc6749#section-2.3
>>
>> Thanks,
>>
>> On Fri, Sep 20, 2019 at 6:25 PM Harsha Kumara  wrote:
>>
>>> As we can configure multiple authenticators, and add them based on
>>> canAuthenticate method response, why we need to return above error if
>>> multiple authenticators engaged?
>>>
>>> On Fri, Sep 20, 2019 at 6:22 PM Harsha Kumara  wrote:
>>>
>>>> It seems the logic of checking authenticator list greater than 1 should
>>>> be correct?
>>>>
>>>> On Fri, Sep 20, 2019 at 5:30 PM Harsha Kumara  wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> With the API Manager 3.0.0 release, we are going to add OIDC
>>>>> authenticator to the API Manager as we already had that capability in
>>>>> directly through the site.json configuration.
>>>>>
>>>>> However to try the scenario, I have followed the document[1].
>>>>>
>>>>> Setup would be APIM 3.0.0 and IS-5.9.0-Alpha4-SNAPSHOT. I got below
>>>>> error during the authorization code exchange.
>>>>>
>>>>> [2019-09-20 15:33:38,428] ERROR - DefaultStepHandler Authentication
>>>>> failed exception!
>>>>> org.wso2.carbon.identity.application.authentication.framework.exception.AuthenticationFailedException:
>>>>> invalid_request, The client MUST NOT use more than one authentication
>>>>> method in each
>>>>> at
>>>>> org.wso2.carbon.identity.application.authenticator.oidc.OpenIDConnectAuthenticator.getOauthResponse(OpenIDConnectAuthenticator.java:615)
>>>>> ~[org.wso2.carbon.identity.application.authenticator.oidc-5.3.2.jar:?]
>>>>> at
>>>>>
>>>>> This error occurred due to engaging the MutualTLSAuthenticator in the
>>>>> token exchange flow. Below check returns list of authenticators greater
>>>>> than one due to engaging this authenticator. It seems during the token
>>>>> exchange flow, we send the certificate in the header which lead to trigger
>>>>> the MutualTLSAuthenticator enable checks and add to the authenticator 
>>>>> list.
>>>>> If I removed the mutual authenticator jar, this started to work.
>>>>>
>>>>> // Will return an invalid request response if multiple authentication 
>>>>> mechanisms are engaged irrespective of
>>>>> // whether the grant type is confidential or not.
>>>>> if (oAuthClientAuthnContext.isMultipleAuthenticatorsEngaged()) {
>>>>> tokenRespDTO = handleError(OAuth2ErrorCodes.INVALID_REQUEST, "The 
>>>>> client MUST NOT use more than one " +
>>>>> "authentication method in each", tokenReqDTO);
>>>>> setResponseHeaders(tokReqMsgCtx, tokenRespDTO);
>>>>> triggerPostListeners(tokenReqDTO, tokenRespDTO, tokReqMsgCtx, 
>>>>> isRefreshRequest);
>>>>> return tokenRespDTO;
>>>>> }
>>>>>
>>>>>
>>>>> Generally people will configure OIDC with an external provider and won't
>>>>> encounter this kind of problem. For testing, if tried with our IS as OIDC
>>>>> provider, this leads to triggering the above error.
>>>>>
>>>>> Is it required to engage mutual tls authenticator when certificate
>>>>> present? Can't we ship it by default setting to false?
>>>>>
>>>>> [1]
>>>>> https://docs.wso2.com/display/AM260/Configuring+Single+Sign-on+with+OpenID+Connect
>>>>>
>>>>> Thanks,
>>>>> Harsha
>>>>> --
>>>>>
>>>>> *Harsha Kumara*
>>>>>
>>>>> Technical Lead, WSO2 Inc.
>>>>> Mobile: +94775505618
>>>>> Email: hars...@wso2.coim
>>>&g

Re: [Dev] Issue with configuring Identity Server is a OIDC provider

2019-09-20 Thread Sathya Bandara
Hi Harsha,

The OAuth spec [1] mandates that a client should not use more than one
authentication mechanism per request. Hence, we have that validation here.

[1] https://tools.ietf.org/html/rfc6749#section-2.3

Thanks,

On Fri, Sep 20, 2019 at 6:25 PM Harsha Kumara  wrote:

> As we can configure multiple authenticators, and add them based on
> canAuthenticate method response, why we need to return above error if
> multiple authenticators engaged?
>
> On Fri, Sep 20, 2019 at 6:22 PM Harsha Kumara  wrote:
>
>> It seems the logic of checking authenticator list greater than 1 should
>> be correct?
>>
>> On Fri, Sep 20, 2019 at 5:30 PM Harsha Kumara  wrote:
>>
>>> Hi,
>>>
>>> With the API Manager 3.0.0 release, we are going to add OIDC
>>> authenticator to the API Manager as we already had that capability in
>>> directly through the site.json configuration.
>>>
>>> However to try the scenario, I have followed the document[1].
>>>
>>> Setup would be APIM 3.0.0 and IS-5.9.0-Alpha4-SNAPSHOT. I got below
>>> error during the authorization code exchange.
>>>
>>> [2019-09-20 15:33:38,428] ERROR - DefaultStepHandler Authentication
>>> failed exception!
>>> org.wso2.carbon.identity.application.authentication.framework.exception.AuthenticationFailedException:
>>> invalid_request, The client MUST NOT use more than one authentication
>>> method in each
>>> at
>>> org.wso2.carbon.identity.application.authenticator.oidc.OpenIDConnectAuthenticator.getOauthResponse(OpenIDConnectAuthenticator.java:615)
>>> ~[org.wso2.carbon.identity.application.authenticator.oidc-5.3.2.jar:?]
>>> at
>>>
>>> This error occurred due to engaging the MutualTLSAuthenticator in the
>>> token exchange flow. The below check returns a list of authenticators greater
>>> than one due to engaging this authenticator. It seems that during the token
>>> exchange flow, we send the certificate in the header, which leads to triggering
>>> the MutualTLSAuthenticator enable checks and adding it to the authenticator list.
>>> If I removed the mutual authenticator jar, this started to work.
>>>
>>> // Will return an invalid request response if multiple authentication
>>> // mechanisms are engaged irrespective of whether the grant type is
>>> // confidential or not.
>>> if (oAuthClientAuthnContext.isMultipleAuthenticatorsEngaged()) {
>>>     tokenRespDTO = handleError(OAuth2ErrorCodes.INVALID_REQUEST,
>>>             "The client MUST NOT use more than one authentication method in each",
>>>             tokenReqDTO);
>>>     setResponseHeaders(tokReqMsgCtx, tokenRespDTO);
>>>     triggerPostListeners(tokenReqDTO, tokenRespDTO, tokReqMsgCtx, isRefreshRequest);
>>>     return tokenRespDTO;
>>> }
>>>
>>>
>>> Generally people will configure OIDC with an external provider and won't
>>> encounter this kind of problem. For testing, if tried with our IS as the OIDC
>>> provider, this will lead to triggering the above error.
>>>
>>> Is it required to engage the mutual TLS authenticator when a certificate is
>>> present? Can't we ship it with the default setting as false?
>>>
>>> [1]
>>> https://docs.wso2.com/display/AM260/Configuring+Single+Sign-on+with+OpenID+Connect
>>>
>>> Thanks,
>>> Harsha
>>> --
>>>
>>> *Harsha Kumara*
>>>
>>> Technical Lead, WSO2 Inc.
>>> Mobile: +94775505618
>>> Email: hars...@wso2.coim
>>> Blog: harshcreationz.blogspot.com
>>>
>>> GET INTEGRATION AGILE
>>> Integration Agility for Digitally Driven Business
>>>
>>
>>
>> --
>>
>> *Harsha Kumara*
>>
>> Technical Lead, WSO2 Inc.
>> Mobile: +94775505618
>> Email: hars...@wso2.coim
>> Blog: harshcreationz.blogspot.com
>>
>> GET INTEGRATION AGILE
>> Integration Agility for Digitally Driven Business
>>
>
>
> --
>
> *Harsha Kumara*
>
> Technical Lead, WSO2 Inc.
> Mobile: +94775505618
> Email: hars...@wso2.coim
> Blog: harshcreationz.blogspot.com
>
> GET INTEGRATION AGILE
> Integration Agility for Digitally Driven Business
>


-- 
Sathya Bandara
Senior Software Engineer
Blog: https://medium.com/@technospace
WSO2 Inc. http://wso2.com
Mobile: (+94) 715 360 421

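The check Harsha quotes is the RFC 6749 section 2.3 rule enforced at the token endpoint. As an added example written for this page (not Identity Server code), the Python below collects the client authentication mechanisms present on a token request and rejects the request with invalid_request when more than one is engaged. It also shows the alternative the thread asks about: counting a presented certificate only when the client is registered with an mTLS token_endpoint_auth_method (the RFC 8705 values), so a certificate that merely happens to be on the connection no longer collides with Basic authentication. The request shape, the client registry and every helper name are this example's own assumptions.

```python
"""
Added example (not Identity Server code): count the client authentication
methods present on a token request and reject the request when more than
one is engaged (RFC 6749 section 2.3).

Assumed request shape (constructed for this example): a dict with
'headers', 'form' (the POST body) and 'client_cert' (the peer certificate
the TLS layer handed over, or None).
"""
import base64

# Constructed client registry. token_endpoint_auth_method uses the values
# from RFC 7591 and RFC 8705; "tls_client_auth" means the client asked to be
# authenticated by its certificate.
CLIENTS = {
    "web-app": {"secret": "s3cret", "token_endpoint_auth_method": "client_secret_basic"},
    "mtls-app": {"secret": None, "token_endpoint_auth_method": "tls_client_auth"},
}

MTLS_METHODS = ("tls_client_auth", "self_signed_tls_client_auth")


def client_id_from_basic(header: str):
    """client_id from an 'Authorization: Basic <b64(client_id:secret)>' header."""
    if not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[len("Basic "):]).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    return decoded.partition(":")[0]


def engaged_authenticators(req, honour_registration=True):
    """Names of every client-authentication mechanism present on the request.

    With honour_registration=False a peer certificate always counts as an
    authentication attempt (the behaviour reported in the thread). With True
    it counts only for clients registered with an mTLS auth method.
    """
    headers, form = req.get("headers", {}), req.get("form", {})
    engaged = []
    if headers.get("Authorization", "").startswith("Basic "):
        engaged.append("basic")
    if "client_secret" in form:
        engaged.append("client_secret_post")
    if req.get("client_cert") is not None:
        cid = form.get("client_id") or client_id_from_basic(headers.get("Authorization", ""))
        method = CLIENTS.get(cid, {}).get("token_endpoint_auth_method")
        if not honour_registration or method in MTLS_METHODS:
            engaged.append("mutual_tls")
    return engaged


def authenticate_client(req, honour_registration=True):
    """(ok, error_code, detail). error_code follows RFC 6749 section 5.2."""
    engaged = engaged_authenticators(req, honour_registration)
    if len(engaged) > 1:
        return (False, "invalid_request",
                "The client MUST NOT use more than one authentication method "
                "in each request; found: " + ", ".join(engaged))
    if not engaged:
        return (False, "invalid_client", "no client authentication presented")
    return (True, None, engaged[0])


def sample_requests():
    """Constructed token requests, including the authorization code exchange
    from the thread: Basic credentials plus a certificate on the connection."""
    basic = "Basic " + base64.b64encode(b"web-app:s3cret").decode()
    cert = "-----BEGIN CERTIFICATE----- (constructed placeholder)"
    return {
        "code_exchange_with_cert": {
            "headers": {"Authorization": basic},
            "form": {"grant_type": "authorization_code", "code": "abc"},
            "client_cert": cert,
        },
        "basic_and_post": {
            "headers": {"Authorization": basic},
            "form": {"grant_type": "client_credentials",
                     "client_id": "web-app", "client_secret": "s3cret"},
            "client_cert": None,
        },
        "mtls_only": {
            "headers": {},
            "form": {"grant_type": "authorization_code", "code": "xyz",
                     "client_id": "mtls-app"},
            "client_cert": cert,
        },
        "anonymous": {"headers": {}, "form": {"grant_type": "password"}, "client_cert": None},
    }


if __name__ == "__main__":
    for name, req in sample_requests().items():
        print(name, "cert-always-counts:", authenticate_client(req, honour_registration=False))
        print(name, "registration-honoured:", authenticate_client(req))
```

With the certificate counted unconditionally, the code exchange from the thread is rejected even though the client only sent Basic credentials; with the registered auth method consulted, the same request passes, while a request carrying both Basic and client_secret in the body is still rejected under either mode.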


[Dev] WSO2 Identity Server 5.9.0-alpha Released!

2019-08-28 Thread Sathya Bandara
WSO2 Identity and Access Management team is pleased to announce the release
of Identity Server 5.9.0 alpha!
Download

You can download WSO2 Identity Server 5.9.0 alpha from here
<https://github.com/wso2/product-is/releases/download/v5.9.0-alpha/wso2is-5.9.0-alpha.zip>.

You can download WSO2 Identity Server Analytics 5.9.0 alpha from here
<https://github.com/wso2/analytics-is/releases/download/v5.9.0-alpha/wso2is-analytics-5.9.0-alpha.zip>.

How to run

1. Extract the downloaded zip file.
2. Go to the bin directory in the extracted folder.
3. Run the wso2server.sh file if you are on a Linux/Mac OS or run the
   wso2server.bat file if you are on a Windows OS.
4. Optionally, if you need to start the OSGi console with the server, use
   the -DosgiConsole property when starting the server.

What's new in WSO2 Identity Server 5.9.0 alpha

A list of all the new features and bug fixes shipped with this release can
be found here <https://github.com/wso2/product-is/milestone/89?closed=1>.

Known Issues

All the open issues pertaining to WSO2 Identity Server are reported at the
following locations:

- IS Runtime <https://github.com/wso2/product-is/issues>
- IS Analytics <https://github.com/wso2/analytics-is/issues>

Contribute to WSO2 Identity Server

Mailing Lists

Join our mailing lists and correspond with the developers directly. We also
encourage you to take part in discussions related to the product in the
architecture mailing list. If you have any questions regarding the product
you can use our StackOverflow forum to raise them as well.

- Developer List: dev@wso2.org
- Architecture List: architect...@wso2.org
- User Forum: StackOverflow <http://stackoverflow.com/questions/tagged/wso2is>
Reporting Issues

We encourage you to report issues, improvements, and feature requests
regarding WSO2 Identity Server through our public WSO2 Identity Server GIT
Issues <https://github.com/wso2/product-is/issues>.

For more information about WSO2 Identity Server, please see
https://wso2.com/identity-and-access-management or visit the WSO2 Oxygen
Tank <http://wso2.com/library/> developer portal for additional resources.

~ The WSO2 Identity and Access Management Team ~

-- 
Sathya Bandara
Senior Software Engineer
Blog: https://medium.com/@technospace
WSO2 Inc. http://wso2.com
Mobile: (+94) 715 360 421



Re: [Dev] Multiple keys support in JWKS endpoint

2019-04-23 Thread Sathya Bandara
Hi Inthirakumaaran,

What about the case where the user sends a JWT signed with the old key,
along with the JWT grant type, to IS? Then don't we need to update the JWT
signature validation logic to obtain the key for the respective JWT based
on its 'kid' value?

Thanks,
Sathya

On Tue, Apr 23, 2019 at 11:31 AM Inthirakumaaran Tharmakulasingham <
inthirakumaa...@wso2.com> wrote:

> Hi Shammi,
>
> Thanks for the input
>
>> So, in each and every validation request of step 6, does the Certificate resolver
>> have to send all the JWKs to the JWKS endpoint, or will they be cached in the
>> JWKS endpoint? If we can cache them, there will be a performance
>> improvement, right? However, we have to make sure the cache invalidation
>> timeout is there.
>>
>
> Already the keys are cached in the keystore manager and in the certificate
> resolver, we will perform some validation before exposing those JWKS. I'll
> look into the cache validation time out and make sure it performs as
> expected.
>
> Thanks and regards
> kumaaran
>
> *Inthirakumaaran*
> Software Engineer | WSO2
>
> E-mail:inthirakumaa...@wso2.com
> Mobile:+94775558050
> Web:https://wso2.com
>
> <http://wso2.com/signature>
>
>
>

-- 
Sathya Bandara
Senior Software Engineer
Blog: https://medium.com/@technospace
WSO2 Inc. http://wso2.com
Mobile: (+94) 715 360 421



[Dev] Removing PKCE column check during OAuth data persistence

2019-04-11 Thread Sathya Bandara
Hi all,

Currently in AuthorizationCodeDAOImpl [1] and OAuthAppDAO we have the
'isPkceEnabled' flag to check the availability of PKCE columns during data
persistence. This has been added to handle the migration scenarios. The
PKCE feature was introduced with IS 5.2.0 and we already have 6 major
releases after this version addressing the migration aspects. Therefore we
have decided to remove this column check from the code level with 5.8.0 as
it becomes redundant.

Please share your thoughts and concerns on this.

[1]
https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/dao/AuthorizationCodeDAOImpl.java#L95

Thanks,
Sathya
-- 
Sathya Bandara
Senior Software Engineer
Blog: https://medium.com/@technospace
WSO2 Inc. http://wso2.com
Mobile: (+94) 715 360 421



Re: [Dev] Tenant OIDC logout fails with 'ID token signature validation failed.' error

2019-04-05 Thread Sathya Bandara
Hi Farasath,

For federated users, we are setting the SP's tenant domain as user tenant
domain. However userstore domain will be null. Therefore we can pass only
the tenant domain in the realm. WDYT?

On Fri, Apr 5, 2019 at 9:36 AM Farasath Ahamed  wrote:

> Hi Devs,
>
> Also what about the value of " *realm*" claim when the user is a
> federated one?
>
> Regards,
> Farasath
>
> On Fri, Apr 5, 2019 at 9:32 AM Hasini Witharana  wrote:
>
>> Hi Ruwan/Sathya,
>>
>> There are some standard claims defined in the OIDC specification[1], none
>> of them can be used instead of "realm", "tenant_domain".
>> However, the spec also says that it is okay to add any other claims to
>> id_token[2].
>>
>> [1] -
>> https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims
>> [2] - https://openid.net/specs/openid-connect-core-1_0.html#IDToken
>>
>> Thank You.
>> Hasini
>>
>> On Fri, Apr 5, 2019 at 6:30 AM Ruwan Abeykoon  wrote:
>>
>>> Hi Sathya,
>>> I do not see any issue adding the info-set to the id-token, as
>>> conceptually it carries more information about the user's identity.
>>> Did we check if there are any standard claims in the id token we could use,
>>> instead of "realm", "tenant_domain", etc.?
>>>
>>> Cheers,
>>> Ruwan A
>>>
>>> On Thu, Apr 4, 2019 at 11:43 PM Sathya Bandara  wrote:
>>>
>>>> Hi all,
>>>>
>>>> In OIDC logout flow, we send the ID token as a user identification
>>>> method similar to following request.
>>>>
>>>> https://localhost:9443/oidc/logout?id_token_hint=
>>>> _logout_redirect_uri=
>>>> http://localhost:8080/playground2/oauth2client=1
>>>>
>>>> When validating the ID token, we try to get the tenant domain from the
>>>> subject claim of the id token hint [1] in the default flow. This will only
>>>> work if 'append tenant domain to subject identifier' is selected in
>>>> the SP configuration. In other scenarios it fails with the error
>>>> "access_denied ID token signature validation failed." This is because if the
>>>> subject does not contain the tenant domain, we try to validate the id token
>>>> with the super tenant's keystore. Further, this fails when the subject identifier is
>>>> set as the email claim and the email contains a different domain, such as
>>>> sat...@wso2.com.
>>>>
>>>> We have a config in identity.xml ('SignJWTWithSPKey') to enable/disable
>>>> signing the ID token with the SP's keystore. As this configuration is disabled by
>>>> default, the ID token will be signed and validated using the user's tenant domain,
>>>> leading to the above issue.
>>>>
>>>> As a possible solution, we have decided to include the user tenant domain
>>>> and userstore domain as claims in the id token generated by IS. This can be
>>>> disabled by a config; however, in the default pack it will be enabled by
>>>> default. A sample id token will be as follows.
>>>>
>>>> {
>>>>   "at_hash": "Bi9jGB-EIZ94gVzHZv5trQ",
>>>>   "aud": "b3F9IGMtm0aKGlHfG4BnI2Ypi7Qa",
>>>>   "sub": "sathya",
>>>>   "realm": {
>>>>     "tenant_domain": "wso2.com",
>>>>     "userstore_domain": "PRIMARY"
>>>>   },
>>>>   "iss": "https://localhost:9443/oauth2/token",
>>>>   "exp": 1554367465,
>>>>   "iat": 1554363865
>>>> }
>>>>
>>>> Also, the 'SignJWTWithSPKey' property will be enabled by default in the
>>>> product, honoring the service provider's tenant domain when obtaining keys for
>>>> signing and validating id tokens.
>>>>
>>>> Highly appreciate your suggestions and concerns on this.
>>>>
>>>> [1]
>>>> https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oidc.session/src/main/java/org/wso2/carbon/identity/oidc/session/servlet/OIDCLogoutServlet.java#L331
>>>> Thanks,
>>>> Sathya
>>>> --
>>>> Sathya Bandara
>>>> Senior Software Engineer
>>>> Blog: https://medium.com/@technospace
>>>> WSO2 Inc. http://wso2.com
>>>> Mobile: (+94) 715 360 421
>>>>
>>

[Dev] Tenant OIDC logout fails with 'ID token signature validation failed.' error

2019-04-04 Thread Sathya Bandara
Hi all,

In OIDC logout flow, we send the ID token as a user identification method
similar to following request.

https://localhost:9443/oidc/logout?id_token_hint=
_logout_redirect_uri=
http://localhost:8080/playground2/oauth2client=1

When validating the ID token, we try to get the tenant domain from the
subject claim of the id token hint [1] in the default flow. This will only
work if 'append tenant domain to subject identifier' is selected in the
SP configuration. In other scenarios it fails with the error "access_denied
ID token signature validation failed." This is because if the subject does not
contain the tenant domain, we try to validate the id token with the super
tenant's keystore. Further, this fails when the subject identifier is set as the
email claim and the email contains a different domain, such as sat...@wso2.com.

We have a config in identity.xml ('SignJWTWithSPKey') to enable/disable
signing the ID token with the SP's keystore. As this configuration is disabled by
default, the ID token will be signed and validated using the user's tenant domain,
leading to the above issue.

As a possible solution, we have decided to include the user tenant domain and
userstore domain as claims in the id token generated by IS. This can be
disabled by a config; however, in the default pack it will be enabled by
default. A sample id token will be as follows.

{
  "at_hash": "Bi9jGB-EIZ94gVzHZv5trQ",
  "aud": "b3F9IGMtm0aKGlHfG4BnI2Ypi7Qa",
  "sub": "sathya",
  "realm": {
    "tenant_domain": "wso2.com",
    "userstore_domain": "PRIMARY"
  },
  "iss": "https://localhost:9443/oauth2/token",
  "exp": 1554367465,
  "iat": 1554363865
}

Also, the 'SignJWTWithSPKey' property will be enabled by default in the product,
honoring the service provider's tenant domain when obtaining keys for signing
and validating id tokens.

Highly appreciate your suggestions and concerns on this.

[1]
https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oidc.session/src/main/java/org/wso2/carbon/identity/oidc/session/servlet/OIDCLogoutServlet.java#L331
Thanks,
Sathya
-- 
Sathya Bandara
Senior Software Engineer
Blog: https://medium.com/@technospace
WSO2 Inc. http://wso2.com
Mobile: (+94) 715 360 421

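Both the 'kid' question in the JWKS thread above and the tenant keystore problem in this thread come down to the same lookup before a signature is checked: which tenant's key set, then which key inside it. The Python below is an added example written for this page, not Identity Server code. It assumes per-tenant JWK sets in a dict, uses HS256 so it runs on the standard library alone (IS signs ID tokens with RS256 from the tenant keystore, but the resolution logic is the same), and its tenant names, kids and keys are constructed. It reproduces the failure described in the mail: without a realm claim, an email-style subject sends validation to the wrong tenant's keys, and it shows a rotated key being found by kid.

```python
"""
Added example (not Identity Server code): resolve the tenant keystore for an
ID token, then select the key by 'kid' inside it, before checking the
signature. HS256 is used only to keep the example self-contained.
"""
import base64
import hashlib
import hmac
import json

SUPER_TENANT = "carbon.super"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, kid: str, key: bytes) -> str:
    """Compact JWS (HS256) carrying the key id in the protected header."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    parts = [b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims)]
    signing_input = ".".join(parts)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def tenant_from_subject(sub: str) -> str:
    """Legacy lookup: whatever follows the last '@' is taken as the tenant, so an
    email-style subject such as sathya@wso2.com is misread as tenant 'wso2.com'."""
    return sub.rsplit("@", 1)[1] if "@" in sub else SUPER_TENANT


def resolve_tenant(claims: dict) -> str:
    """Prefer the explicit realm.tenant_domain claim; fall back to the subject."""
    realm = claims.get("realm") or {}
    return realm.get("tenant_domain") or tenant_from_subject(claims.get("sub", ""))


def select_key(jwks_by_tenant: dict, tenant: str, kid: str) -> bytes:
    """Find the key with this kid in the tenant's JWK set; during a rotation
    the set holds the old and the new kid side by side."""
    for jwk in jwks_by_tenant.get(tenant, []):
        if jwk["kid"] == kid:
            return b64url_decode(jwk["k"])
    raise KeyError(f"no key with kid={kid!r} in tenant {tenant!r}")


def verify_id_token(token: str, jwks_by_tenant: dict) -> dict:
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    claims = json.loads(b64url_decode(payload_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    tenant = resolve_tenant(claims)
    key = select_key(jwks_by_tenant, tenant, header["kid"])
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url_decode(sig_b64), expected):
        raise ValueError("ID token signature validation failed")
    return {"tenant": tenant, "kid": header["kid"], "sub": claims["sub"]}


def try_verify(token: str, jwks_by_tenant: dict) -> str:
    """Outcome as a string so that the failure modes can be compared."""
    try:
        r = verify_id_token(token, jwks_by_tenant)
        return f"ok tenant={r['tenant']} kid={r['kid']}"
    except (KeyError, ValueError) as exc:
        return f"error {exc}"


def sample_setup():
    """Constructed data: tenant abc.com rotated its key; wso2.com has one key.
    The user lives in abc.com but has an email-style subject ending in wso2.com."""
    keys = {"abc.com": {"abc-2018": b"old-abc-key", "abc-2019": b"new-abc-key"},
            "wso2.com": {"wso2-2019": b"wso2-key"}}
    jwks = {t: [{"kty": "oct", "kid": kid, "k": b64url(k)} for kid, k in ks.items()]
            for t, ks in keys.items()}
    base = {"sub": "sathya@wso2.com", "aud": "client-1",
            "iss": "https://localhost:9443/oauth2/token"}
    with_realm = dict(base, realm={"tenant_domain": "abc.com", "userstore_domain": "PRIMARY"})
    tokens = {
        "old_key_with_realm": sign_jwt(with_realm, "abc-2018", keys["abc.com"]["abc-2018"]),
        "new_key_with_realm": sign_jwt(with_realm, "abc-2019", keys["abc.com"]["abc-2019"]),
        "new_key_no_realm": sign_jwt(base, "abc-2019", keys["abc.com"]["abc-2019"]),
    }
    return jwks, tokens


if __name__ == "__main__":
    jwks, tokens = sample_setup()
    for name, tok in tokens.items():
        print(name, "->", try_verify(tok, jwks))
```

The token without a realm claim fails even though it was signed correctly, because the subject suffix points validation at wso2.com's keys; the two tokens carrying the realm claim validate against abc.com, including the one signed with the pre-rotation kid.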


Re: [Dev] Adding a user to a group in SCIM2

2019-01-02 Thread Sathya Bandara
Hi Shazni,

The PATCH operation is already supported in the SCIM2 groups endpoint. Please refer
to the 'Patch Group' section in [1], which contains sample commands to add a new
member to a group.

[1]
https://docs.wso2.com/display/ISCONNECTORS/Configuring+SCIM+2.0+Provisioning+Connector

Thanks,
Sathya

On Thu, Jan 3, 2019 at 12:01 PM Shazni Nazeer  wrote:

> Hi team,
>
> Do we support the $subject?
>
> In the docs [1] there's no operation for adding a user to a group, and this
> is something that is very much needed. I could add a user to a group with the
> "Update Group" operation, but in this case we'll have to provide all the
> existing users in the members list; otherwise, those users will be removed
> from the group.
>
> The StackOverflow query [2] also talks about it and mentions a PATCH
> method that would not need to list all the current members in the call. If
> this is already there, could someone point me to the way to do it?
>
> [1] https://docs.wso2.com/display/IS540/apidocs/SCIM2-endpoints/
> [2]
> https://stackoverflow.com/questions/21905233/create-edit-users-with-group-or-role-in-wso2-is
>
> regards,
>
> --
> Shazni Nazeer
>
> Mob : +94 37331
> LinkedIn : http://lk.linkedin.com/in/shazninazeer
>
> Blogs :
>
> https://medium.com/@mshazninazeer
> http://shazninazeer.blogspot.com
>
> <http://wso2.com/signature>
>


-- 
Sathya Bandara
Senior Software Engineer
Blog: https://medium.com/@technospace
WSO2 Inc. http://wso2.com
Mobile: (+94) 715 360 421

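The difference the two messages above turn on is PUT versus PATCH semantics on a SCIM 2.0 group. As an added example written for this page (not Identity Server or Charon code), the Python below builds the PatchOp body from RFC 7644 section 3.5.2 that adds one member, and a small evaluator that applies it to a group resource, beside a PUT that replaces the members list outright. The group, user ids and helper names are constructed; the schema URNs and attribute names are the standard SCIM ones.

```python
"""
Added example (not Identity Server code): SCIM 2.0 PatchOp on a group's
'members' attribute versus a full PUT replacement.
"""
import copy

PATCH_OP_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"
REMOVE_PREFIX = 'members[value eq "'


def add_member_patch(user_id: str, display: str) -> dict:
    """Body for PATCH /scim2/Groups/{id}: adds one member, keeps the rest."""
    return {
        "schemas": [PATCH_OP_SCHEMA],
        "Operations": [
            {"op": "add", "path": "members",
             "value": [{"value": user_id, "display": display}]}
        ],
    }


def remove_member_patch(user_id: str) -> dict:
    """Body that removes one member by value, using a SCIM filter path."""
    return {
        "schemas": [PATCH_OP_SCHEMA],
        "Operations": [{"op": "remove", "path": f'{REMOVE_PREFIX}{user_id}"]'}],
    }


def apply_patch(group: dict, patch: dict) -> dict:
    """Minimal server-side PatchOp evaluator for the 'members' attribute.
    Returns a new group; the input is left untouched."""
    if patch.get("schemas") != [PATCH_OP_SCHEMA]:
        raise ValueError("not a PatchOp message")
    result = copy.deepcopy(group)
    members = result.setdefault("members", [])
    for op in patch["Operations"]:
        kind, path = op["op"], op.get("path", "")
        if kind == "add" and path == "members":
            existing = {m["value"] for m in members}          # add is idempotent
            members.extend(m for m in op["value"] if m["value"] not in existing)
        elif kind == "remove" and path.startswith(REMOVE_PREFIX) and path.endswith('"]'):
            target = path[len(REMOVE_PREFIX):-2]
            members[:] = [m for m in members if m["value"] != target]
        elif kind == "replace" and path == "members":
            members[:] = list(op["value"])
        else:
            raise ValueError(f"unsupported operation {kind} {path!r}")
    return result


def apply_put(group: dict, replacement: dict) -> dict:
    """PUT semantics: the request body is the whole new resource, so any
    member not listed in it is dropped (the pitfall described in the thread)."""
    new = copy.deepcopy(replacement)
    new["id"] = group["id"]
    return new


def sample_group() -> dict:
    """Constructed group resource with two existing members."""
    return {"schemas": [GROUP_SCHEMA], "id": "group-1", "displayName": "engineering",
            "members": [{"value": "u-1", "display": "alice"},
                        {"value": "u-2", "display": "bob"}]}


if __name__ == "__main__":
    g = sample_group()
    print("PATCH add:", [m["value"] for m in apply_patch(g, add_member_patch("u-3", "carol"))["members"]])
    put_body = {"schemas": [GROUP_SCHEMA], "displayName": "engineering",
                "members": [{"value": "u-3", "display": "carol"}]}
    print("PUT:      ", [m["value"] for m in apply_put(g, put_body)["members"]])
```

Sending the same PATCH twice leaves the group unchanged, and a remove operation targets one member by a filter path, so neither call needs the caller to know the current membership; the PUT with a single member in the body shows why the "Update Group" route drops the others.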


Re: [Dev] Issues with creating a user over SCIM2 in WSO2IS 5.4.1

2018-12-20 Thread Sathya Bandara
2:21:34,397] DEBUG
> {org.wso2.carbon.identity.claim.metadata.mgt.dao.CacheBackedLocalClaimDAO}
> -  Cache hit for local claim list for tenant: -1234
>
> [2018-12-20 22:21:34,406] DEBUG
> {org.wso2.carbon.identity.claim.metadata.mgt.dao.CacheBackedLocalClaimDAO}
> -  Cache hit for local claim list for tenant: -1234
>
> [2018-12-20 22:21:34,406] DEBUG
> {org.wso2.carbon.identity.claim.metadata.mgt.dao.CacheBackedLocalClaimDAO}
> -  Cache hit for local claim list for tenant: -1234
>
> [2018-12-20 22:21:34,406] DEBUG
> {org.wso2.carbon.identity.claim.metadata.mgt.dao.CacheBackedLocalClaimDAO}
> -  Cache hit for local claim list for tenant: -1234
>
> [2018-12-20 22:21:34,406] DEBUG
> {org.wso2.carbon.identity.claim.metadata.mgt.dao.CacheBackedLocalClaimDAO}
> -  Cache hit for local claim list for tenant: -1234
>
> [2018-12-20 22:21:34,406] DEBUG
> {org.wso2.carbon.identity.claim.metadata.mgt.dao.CacheBackedLocalClaimDAO}
> -  Cache hit for local claim list for tenant: -1234
>
> [2018-12-20 22:21:34,406] DEBUG
> {org.wso2.carbon.identity.claim.metadata.mgt.dao.CacheBackedLocalClaimDAO}
> -  Cache hit for local claim list for tenant: -1234
>
> [2018-12-20 22:21:34,406] DEBUG
> {org.wso2.carbon.identity.claim.metadata.mgt.dao.CacheBackedLocalClaimDAO}
> -  Cache hit for local claim list for tenant: -1234
>
> *[2018-12-20 22:21:34,406] ERROR
> {org.wso2.carbon.user.core.common.AbstractUserStoreManager} -  Error
> occurred while accessing Java Security Manager Privilege Block*
>
>
>
> Any idea how to overcome this would be greatly appreciated since this is
> for us a big blocker.
>
>
>
> Thank you,
>
> Ciprian
> CONFIDENTIALITY NOTICE: This email message and any attachments are for the
> sole use of the intended recipient(s) and may contain confidential
> information of Cognosante Holdings, LLC and/or its subsidiaries, including
> Cognosante, LLC, Cognosante Consulting, LLC, and Cognosante MVH, LLC and is
> protected by law. If you have received this in error, please reply to the
> sender and delete it from your system. If you are the intended recipient,
> you may use the information contained in this message and any files
> attached only as authorized.
>


-- 
Sathya Bandara
Senior Software Engineer
Blog: https://medium.com/@technospace
WSO2 Inc. http://wso2.com
Mobile: (+94) 715 360 421



Re: [Dev] Soap request to add Google IdP in WSO2 identity server.

2018-08-13 Thread Sathya Bandara
Hi Shiva,

You can refer [1] to get a sample SOAP request to add identity providers
with required properties. Here under 
you can add the required properties with a  element.


[1]
https://docs.wso2.com/display/IS541/Configuring+a+SP+and+IdP+Using+Service+Calls

On Mon, Aug 13, 2018 at 10:57 PM, Shiva Kumar 
wrote:

> Hi All,
>
> I am not able to find a SOAP request to add a Google federated identity
> provider; the documentation is not completely understood. I am able to
> create the IdP, but how can I add a callback URL and some properties to that IdP?
>
>
> Thank you,
>
> Shiva Kumar
>
>



-- 
Sathya Bandara
Software Engineer
WSO2 Inc. http://wso2.com
Mobile: (+94) 715 360 421



Re: [Dev] APIM : How to integrate google and facebook to APIM via Identity service at the same time?

2018-08-10 Thread Sathya Bandara
Hi Youcef,

For this purpose you can configure two identity providers, for Facebook and
Google, in your Key Manager (Identity Server node).
Under the Local and Outbound Authentication Configuration section of your
service provider, choose *Advanced Configurations*.
In Advanced Configurations, you can configure authentication steps and
additional authentication options.

You can add both Google and Facebook as two federated authenticators in the
same step (two options in the same step configuration).
Then during login, the user will be prompted with a page to select which IdP
to authenticate with.


Thanks,
Sathya

On Fri, Aug 10, 2018 at 11:23 AM, Youcef HILEM 
wrote:

> Hi
>
> + DEV
>
> http://wso2-oxygen-tank.10903.n7.nabble.com/APIM-How-to-integrate-google-and-facebook-to-APIM-via-Identity-service-at-the-same-time-td157740.html
>
> APIM : How to integrate google and facebook to APIM via Identity service at
> the same time?
> Jul 22, 2018; 12:18pm by Youcef HILEM
> Hi,
> I have the same need as the one described here:
> https://stackoverflow.com/questions/37266609/how-to-integrate-google-and-facebook-to-api-m-via-identity-service-at-the-same-t
>
>
> My environment is : wso2 API-M cluster and the Key manager is wso2
> identity
> service.
> What I wanna do is : User can login via Google or Facebook account to
> API-M
> publisher and store.
> My question is: how to do this without IS as KM
> (https://docs.wso2.com/display/AM250/Log+in+to+the+API+Store+using+Social+Media)?
>
> Our main need is to open the store to customers / partners.
> The publisher can use our internal IDP.
>
> Thanks
> Youcef HILEM
>
>
>
> --
> Sent from: http://wso2-oxygen-tank.10903.n7.nabble.com/WSO2-Development-f3.html
>



-- 
Sathya Bandara
Software Engineer
WSO2 Inc. http://wso2.com
Mobile: (+94) 715 360 421



Re: [Dev] File Upload to Application Server 5.3.0 with Admin Services

2018-07-09 Thread Sathya Bandara
r occurred while 
> deploying webapp : 
> /home/ubuntu/wso2as-5.3.0/repository/deployment/server/webapps/VersionSample#2.war
> org.wso2.carbon.CarbonException: Error while deploying webapp: 
> StandardContext[VersionSample#2.war].File[/home/ubuntu/wso2as-5.3.0/repository/deployment/server/webapps/VersionSample#2.war]
>   at 
> org.wso2.carbon.webapp.mgt.TomcatGenericWebappsDeployer.handleWebappDeployment(TomcatGenericWebappsDeployer.java:412)
>   at 
> org.wso2.carbon.webapp.mgt.TomcatGenericWebappsDeployer.handleWarWebappDeployment(TomcatGenericWebappsDeployer.java:212)
>   at 
> org.wso2.carbon.webapp.mgt.TomcatGenericWebappsDeployer.handleHotDeployment(TomcatGenericWebappsDeployer.java:179)
>   at 
> org.wso2.carbon.webapp.mgt.TomcatGenericWebappsDeployer.deploy(TomcatGenericWebappsDeployer.java:144)
>   at 
> org.wso2.carbon.webapp.mgt.AbstractWebappDeployer.deployThisWebApp(AbstractWebappDeployer.java:224)
>   at 
> org.wso2.carbon.webapp.mgt.AbstractWebappDeployer.deploy(AbstractWebappDeployer.java:114)
>   at 
> org.wso2.carbon.webapp.deployer.WebappDeployer.deploy(WebappDeployer.java:42)
>   at 
> org.apache.axis2.deployment.repository.util.DeploymentFileData.deploy(DeploymentFileData.java:136)
>   at 
> org.apache.axis2.deployment.DeploymentEngine.doDeploy(DeploymentEngine.java:807)
>   at 
> org.apache.axis2.deployment.repository.util.WSInfoList.update(WSInfoList.java:144)
>   at 
> org.apache.axis2.deployment.RepositoryListener.update(RepositoryListener.java:377)
>   at 
> org.apache.axis2.deployment.RepositoryListener.checkServices(RepositoryListener.java:254)
>   at 
> org.apache.axis2.deployment.RepositoryListener.startListener(RepositoryListener.java:371)
>   at 
> org.apache.axis2.deployment.scheduler.SchedulerTask.checkRepository(SchedulerTask.java:59)
>   at 
> org.apache.axis2.deployment.scheduler.SchedulerTask.run(SchedulerTask.java:67)
>   at 
> org.wso2.carbon.core.deployment.CarbonDeploymentSchedulerTask.runAxisDeployment(CarbonDeploymentSchedulerTask.java:93)
>   at 
> org.wso2.carbon.core.deployment.CarbonDeploymentSchedulerTask.run(CarbonDeploymentSchedulerTask.java:138)
>   at 
> java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
>   at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:308)
>   at 
> java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:180)
>   at 
> java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:294)
>   at 
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>   at 
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>   at java.lang.Thread.run(Thread.java:748)
> Caused by: org.wso2.carbon.tomcat.CarbonTomcatException: Webapp failed to 
> deploy
>   at 
> org.wso2.carbon.tomcat.internal.CarbonTomcat.addWebApp(CarbonTomcat.java:356)
>   at 
> org.wso2.carbon.tomcat.internal.CarbonTomcat.addWebApp(CarbonTomcat.java:252)
>   at 
> org.wso2.carbon.webapp.mgt.TomcatGenericWebappsDeployer.handleWebappDeployment(TomcatGenericWebappsDeployer.java:314)
>   ... 23 more
> Caused by: java.util.zip.ZipException: error in opening zip file
>   at java.util.zip.ZipFile.open(Native Method)
>   at java.util.zip.ZipFile.(ZipFile.java:225)
>   at java.util.zip.ZipFile.(ZipFile.java:155)
>   at java.util.jar.JarFile.(JarFile.java:166)
>   at java.util.jar.JarFile.(JarFile.java:103)
>   at 
> org.wso2.carbon.tomcat.internal.CarbonTomcat.addWebApp(CarbonTomcat.java:331)
>   ... 25 more
>
>
>
> Below is the request I've sent.
>
> http://schemas.xmlsoap.org/soap/envelope/; 
> xmlns:xsd="http://org.apache.axis2/xsd; 
> xmlns:xsd1="http://mgt.webapp.carbon.wso2.org/xsd;>
>
>
>   
>  
>  
> 
> cid:VersionSample#2.war
> 
> VersionSample#2.war
> 
> localhost
> 
>  
>   
>
>
>
> Did I miss anything? Any thoughts on this would be appreciated.
>
>
> Regards
>
> Maneesha
>
>
> --
> Maneesha Wijesekara
> Software Engineer - QA Team
> WSO2 Inc.
>
> Email: manee...@wso2.com
> Linkedin: http://linkedin.com/in/maneeshawijesekara
> Mobile: +94712443119
>
>
>


-- 
Sathya Bandara
Software Engineer
WSO2 Inc. http://wso2.com
Mobile: (+94) 715 360 421



Re: [Dev] [VOTE] Release of WSO2 Identity Server 5.6.0 RC3

2018-06-19 Thread Sathya Bandara
Hi all,

I've tested the following scenarios on the IS 5.6.0-RC3 pack.

User management (add/update/remove users).
User management in secondary userstores (Read-Write LDAP).
Consent Management in SAML SSO.
SAML to SAML federation.
Creating workflows definitions for primary userstore users.
Engaging/Disabling workflows on user-store operations.
Enable role based authorization using XACML for service providers.
Tenant creation/update/disabling.

No blocking issues are found.

[+] Stable - go ahead and release.

Thanks,
Sathya


On Tue, Jun 19, 2018 at 12:26 PM, Vihanga Liyanage  wrote:

> Hi all,
>
> I've tested the following scenarios on the IS 5.6.0-RC3 pack with the default
> database setup.
>
>- Enable user self-registration and self-register a new user.
>- Add multiple consent purposes with multiple PII categories.
>- Login to dashboard and see whether we can see the default consent
>and above added PII categories.
>- Confirm claims are getting filtered based on consents.
>- Configure a service provider with OpenID Connect and acquire access
>tokens via Authorization Code, Implicit, Client Credential and Password
>grant types.
>- Enable ID token encryption for the service provider and test the
>flow with decryption for all grant types.
>- Delete the self-signed up user, create another user with the exact
>same username, log in to the dashboard and see what are the consents
>shown.
>- Revoke consents of the user via the dashboard and try accessing the
>SP to verify the consents are asked again.
>- Delete the SP, login to the dashboard and see whether the consents
>are deleted for that SP.
>
> No blocking issues are found.
>
> [+] Stable - go ahead and release.
>
> Thanks,
> Vihanga.
>
> On Fri, Jun 15, 2018 at 6:29 PM Madawa Soysa  wrote:
>
>> Hi all,
>>
>> We are pleased to announce the third release candidate of WSO2 Identity
>> Server 5.6.0.
>>
>> This release fixes the following issues
>>
>>- 5.6.0-RC Fixes
>><https://github.com/wso2/product-is/milestone/40?closed=1>
>>- 5.6.0-Beta Fixes
>><https://github.com/wso2/product-is/milestone/39?closed=1>
>>- 5.6.0-Alpha2 Fixes
>><https://github.com/wso2/product-is/milestone/43?closed=1>
>>- 5.6.0-Alpha Fixes
>><https://github.com/wso2/product-is/milestone/38?closed=1>
>>- 5.6.0-M7 Fixes
>><https://github.com/wso2/product-is/milestone/37?closed=1>
>>- 5.6.0-M6 Fixes
>><https://github.com/wso2/product-is/milestone/36?closed=1>
>>- 5.6.0-M5 Fixes
>><https://github.com/wso2/product-is/milestone/35?closed=1>
>>- 5.6.0-M4 Fixes
>><https://github.com/wso2/product-is/milestone/34?closed=1>
>>- 5.6.0-M3 Fixes
>><https://github.com/wso2/product-is/milestone/33?closed=1>
>>- 5.6.0-M2 Fixes
>><https://github.com/wso2/product-is/milestone/31?closed=1>
>>- 5.6.0-M1 Fixes
>><https://github.com/wso2/product-is/milestone/30?closed=1>
>>
>> Source and distribution,
>> Runtime -  https://github.com/wso2/product-is/releases/tag/v5.6.0-rc3
>> Analytics - https://github.com/wso2/analytics-is/releases/v5.6.0-rc3
>>
>> Please download, test the product and vote.
>>
>> [+] Stable - go ahead and release
>> [-] Broken - do not release (explain why)
>>
>> Thanks,
>> WSO2 Identity and Access Management Team
>> --
>>
>> Madawa Soysa / Senior Software Engineer
>> mada...@wso2.com / +94714616050
>>
>> *WSO2 Inc.*
>> lean.enterprise.middleware
>>
>>   <https://wso2.com/signature>
>>
>>
>>
>>
>
> --
>
> Vihanga Liyanage
>
> Software Engineer | WS*O₂* Inc.
>
> M : +*94710124103* | http://wso2.com
>
> [image: http://wso2.com/signature] <http://wso2.com/signature>
>
>
>


-- 
Sathya Bandara
Software Engineer
WSO2 Inc. http://wso2.com
Mobile: (+94) 715 360 421



[Dev] WSO2 Identity Server 5.5.0 Released!

2018-04-11 Thread Sathya Bandara
WSO2 Identity Server 5.5.0 Released!

The WSO2 Identity Server team is pleased to announce the release of WSO2
Identity Server version 5.5.0.

WSO2 Identity Server is an open source identity and access management
server. It supports a wide array of authentication protocols such as SAML
2.0 Web SSO, OAuth 2.0/1.0a, OpenID Connect, and WS-Federation Passive. It
supports role based authorization and fine grained authorization with XACML
2.0/3.0 while inbound/outbound provisioning is supported through SCIM and
SPML.

WSO2 Identity Server is developed on top of the revolutionary WSO2 Carbon
platform, an OSGi based framework that provides seamless modularity to your
SOA solution via componentization.


All the major features have been developed as pluggable Carbon components.

You can download this distribution from
https://wso2.com/identity-and-access-management/install

Online documentation is available at
http://docs.wso2.org/wiki/display/IS550/WSO2+Identity+Server+Documentation.
How to Run

1. Extract the downloaded zip

2. Go to the bin directory in the extracted folder

3. Run the wso2server.sh or wso2server.bat files as appropriate

4. If you need to start the OSGi console with the server, use the property
-DosgiConsole when starting the server.
New Features in this Release

WSO2 Identity Server version 5.5.0 is part of WSO2’s Spring 2018 Release,
which includes new features and updates across all products, solutions, and
services, that together empower organizations to rapidly comply with GDPR.

The following includes major GDPR related features provided in WSO2 IS 5.5.0


   - Privacy Tool Kit - Supports removing references to a deleted user's
     identity as and when required.
   - Personal Information Export Capability - End users can retrieve personal
     information stored in WSO2 Identity Server.
   - Request Object Support - Ability to send authentication request
     parameters in a self-contained JWT.
   - User Consent for Single-Sign-On - Provides users with choice and control
     over sharing their personal data.
   - User Consent for Self Sign Up - Capability to provide consent during
     user self registration.
   - Consent Management API - Manage user consents for collecting and
     sharing user's personal information.
   - Consent Purposes Management - An interactive UI to manage consent
     purposes/PII categories.
   - Private Key JWT Client Authentication - Facilitating OAuth2 client
     authentication using a signed JWT.


This release includes functional improvements and fixes to the product. The
complete list of improvements and bug fixes available with the release can
be found at the following locations:


   - 5.5.0-RC2 fixes
   - 5.5.0-RC1 fixes
   - 5.5.0-Beta fixes
   - 5.5.0-Alpha3 fixes
   - 5.5.0-Alpha2 fixes
   - 5.5.0-Alpha fixes
   - 5.5.0-M4 fixes
   - 5.5.0-M3 fixes
   - 5.5.0-M2 fixes
   - 5.5.0-M1 fixes


Known Issues

All the open issues pertaining to WSO2 Identity Server are reported at the
following locations:

IS Runtime 

IS Analytics 
How You Can Contribute

Mailing Lists

Join our mailing list and correspond with the developers directly.

Developer list: dev@wso2.org | Subscribe | Mail Archive


User forum: StackOverflow

Reporting Issues

We encourage you to report issues, documentation faults, and feature
requests regarding WSO2 Identity Server or in the Carbon base framework
through the public WSO2 Identity Server JIRA.

Support

We are committed to ensure your enterprise middleware deployment is
completely supported from evaluation to production through a WSO2
Subscription. Our unique approach ensures that all support leverages our
open development methodology and is provided by the very same engineers who
build the technology. For more 

[Dev] Add support to map SCIM claims to WSO2 Identity Claims in Identity Server

2018-04-11 Thread Sathya Bandara
Hi,

Currently, in Identity Server, when the locally mapped claims of SCIM claims
are WSO2 identity claims, those claims do not get updated in SCIM-related
operations.

In IdentityStoreEventListener, most of the user-related operations are
intercepted such that identity claims can be handled separately. It
validates the claim URI to be of the type of an identity claim URI before
storing the claims in IdentityDataStore [2].

In the claim maps we pass to the user-store manager from SCIM operations,
the claim URIs belong to the SCIM claim dialect [1]. When the claim URI is
of the SCIM dialect, it gets skipped by the IdentityStoreEventListener
validations. Hence we cannot map SCIM claims to identity claims internally.
As a solution to this, before passing the claim values to the user-store
manager for user-related operations (e.g. add user, update user) we can
convert the claim URIs to the mapped claims in the local dialect.

In the SCIM PUT operation, we delete each user claim separately before
updating the user claim values [3]. However, intercepting delete user claim
value calls (doPreDeleteUserClaimValue/doPostDeleteUserClaimValue) is not
supported in IdentityStoreEventListener currently. Therefore it is not
possible to update identity claims via the SCIM PUT operation.

As possible solutions to this issue we have the following two options.

   1. Implement doPreDeleteUserClaimValue/doPostDeleteUserClaimValue
      methods in IdentityStoreEventListener.
   2. Skip identity claims when deleting existing claims before setting the
      new claims in the SCIM PUT operation, as doPreSetUserClaimValues() in
      IdentityStoreEventListener will replace the existing claims with the
      new claims.


Appreciate your suggestions on this.


[1]
https://github.com/wso2-extensions/identity-inbound-provisioning-scim/blob/master/components/org.wso2.carbon.identity.scim.provider/src/main/java/org/wso2/carbon/identity/scim/provider/impl/SCIMUserManager.java#L191

[2]
https://github.com/wso2-extensions/identity-governance/blob/master/components/org.wso2.carbon.identity.governance/src/main/java/org/wso2/carbon/identity/governance/listener/IdentityStoreEventListener.java#L107

[3]
https://github.com/wso2-extensions/identity-inbound-provisioning-scim/blob/master/components/org.wso2.carbon.identity.scim.provider/src/main/java/org/wso2/carbon/identity/scim/provider/impl/SCIMUserManager.java#L510

[4]
https://github.com/wso2-extensions/identity-governance/blob/master/components/org.wso2.carbon.identity.governance/src/main/java/org/wso2/carbon/identity/governance/listener/IdentityStoreEventListener.java#L203

Thanks.
Sathya

-- 
Sathya Bandara
Software Engineer
WSO2 Inc. http://wso2.com
Mobile: (+94) 715 360 421
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
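The claim routing described in the message above, as an added example that is not WSO2's code: a small Python model of an identity-claim check keyed on the local dialect, showing that a SCIM-dialect URI never reaches the identity store until it is converted to its mapped local URI. The identity-claim prefix, the SCIM-to-local mapping table and the "x-emailVerified" attribute are assumptions made for illustration, not the product's configuration.

```python
# Added example, not WSO2 code: why a SCIM-dialect claim URI never matches an
# identity-claim check that keys on the local dialect, and how converting to
# the mapped local URIs first fixes it. The mapping table, the claim values and
# the identity-claim prefix below are constructed assumptions for illustration.
from typing import Dict, List, Tuple

# Assumption: WSO2 identity claims live under this local-dialect prefix.
IDENTITY_CLAIM_PREFIX = "http://wso2.org/claims/identity/"
SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"

# Constructed SCIM -> local mapping standing in for the claim configuration.
# "x-emailVerified" is a hypothetical SCIM attribute mapped onto an identity claim.
SCIM_TO_LOCAL: Dict[str, str] = {
    f"{SCIM_USER}:userName": "http://wso2.org/claims/username",
    f"{SCIM_USER}:emails": "http://wso2.org/claims/emailaddress",
    f"{SCIM_USER}:name.familyName": "http://wso2.org/claims/lastname",
    f"{SCIM_USER}:x-emailVerified": "http://wso2.org/claims/identity/emailVerified",
}


def is_identity_claim(claim_uri: str) -> bool:
    """The check a listener applies before storing a value in the identity
    store: it only recognises local-dialect URIs under the identity prefix."""
    return claim_uri.startswith(IDENTITY_CLAIM_PREFIX)


def route_claims(claims: Dict[str, str]) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Split a claim map into (identity-store claims, user-store claims).
    A SCIM-dialect URI never matches the prefix, so it falls through untouched."""
    identity: Dict[str, str] = {}
    user_store: Dict[str, str] = {}
    for uri, value in claims.items():
        (identity if is_identity_claim(uri) else user_store)[uri] = value
    return identity, user_store


def to_local_dialect(scim_claims: Dict[str, str],
                     mapping: Dict[str, str] = SCIM_TO_LOCAL
                     ) -> Tuple[Dict[str, str], List[str]]:
    """Translate SCIM URIs to their mapped local URIs before the map reaches
    the user-store manager. Unmapped URIs are reported, not silently dropped."""
    local: Dict[str, str] = {}
    unmapped: List[str] = []
    for uri, value in scim_claims.items():
        target = mapping.get(uri)
        if target is None:
            unmapped.append(uri)
        else:
            local[target] = value
    return local, unmapped


if __name__ == "__main__":
    incoming = {f"{SCIM_USER}:userName": "kim3",
                f"{SCIM_USER}:x-emailVerified": "true"}
    print("identity claims seen before conversion:", route_claims(incoming)[0])
    local_claims, _ = to_local_dialect(incoming)
    print("identity claims seen after conversion: ", route_claims(local_claims)[0])
```

Run stand-alone, the first line prints an empty map and the second prints the emailVerified identity claim: the same value, routed to the identity store only once its URI is in the local dialect.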


Re: [Dev] Introduce custom attributes to Identity Server embedded LDAP schema.

2018-04-03 Thread Sathya Bandara
Hi Isura,

Did you generate the new is-default-schema.zip by customizing the ldif
files manually?

Thanks,
Sathya

On Mon, Dec 4, 2017 at 1:50 PM, Isura Karunaratne <is...@wso2.com> wrote:

> Hi Asela,
>
> On Mon, Dec 4, 2017 at 1:31 PM, Asela Pathberiya <as...@wso2.com> wrote:
>
>>
>>
>> On Mon, Dec 4, 2017 at 12:48 PM, Isura Karunaratne <is...@wso2.com>
>> wrote:
>>
>>> This is done with following PRs
>>>
>>> https://github.com/wso2-extensions/identity-userstore-ldap/pull/15/
>>>
>>
>>> https://github.com/wso2/carbon-identity-framework/pull/1224
>>>
>>> Thanks
>>> Isura.
>>>
>>> On Wed, Nov 29, 2017 at 10:42 AM, Isura Karunaratne <is...@wso2.com>
>>> wrote:
>>>
>>>>
>>>>
>>>> On Wed, Nov 29, 2017 at 10:16 AM, Isura Karunaratne <is...@wso2.com>
>>>> wrote:
>>>>
>>>>> Hi all,
>>>>>
>>>>> We need to update the LDIF to support following attributes by default
>>>>> in the embedded LDAP.
>>>>>
>>>>>- verifyEmail
>>>>>- askPassword
>>>>>- forcePasswordReset
>>>>>- failedRecoveryAttempts
>>>>>- primaryChallengeQuestion
>>>>>- emailVerified
>>>>>- challengeQuestionUris
>>>>>- failedLockoutCount
>>>>>- lastLoginTime
>>>>>- lastPasswordUpdate
>>>>>- phoneVerified
>>>>>- accountDisabled
>>>>>
>>>>> It looks like updating identityPerson.ldif [1] file is not enough to
>>>>> cater to requirement and need to generate the is-default-schema.zip file 
>>>>> as
>>>>> well.
>>>>>
>>>>
>>
>> In PR, it seems to be that you are updated the ldif file.  Is there any
>> other thing which you did ?
>>
>
> Yes. Updated is-default-schema.zip file as well. It is also the in the PR
> :)
>
> [1] features/org.wso2.carbon.ldap.server.server.feature/
> resources/conf/is-default-schema.zip
> <https://github.com/wso2-extensions/identity-userstore-ldap/pull/15/files#diff-89eb521e87befb126adc90084ea56441>
>
>
> Thanks
> Isura.
>
>>
>> Thanks,
>> Asela.
>>
>>
>>>
>>>>> What would be the best way to generate the is-default-schema.zip?
>>>>>
>>>>>
>>>>> [1] https://github.com/wso2-extensions/identity-userstore-ldap/b
>>>>> lob/master/features/org.wso2.carbon.ldap.server.server.featu
>>>>> re/resources/conf/identityPerson.ldif
>>>>>
>>>>> [2] https://github.com/wso2-extensions/identity-userstore-ld
>>>>> ap/blob/master/features/org.wso2.carbon.ldap.server.server.f
>>>>> eature/resources/conf/is-default-schema.zip
>>>>>
>>>>> --
>>>>>
>>>>> *Isura Dilhara Karunaratne*
>>>>> Associate Technical Lead | WSO2
>>>>> Email: is...@wso2.com
>>>>> Mob : +94 772 254 810
>>>>> Blog : http://isurad.blogspot.com/
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>>
>>>> *Isura Dilhara Karunaratne*
>>>> Associate Technical Lead | WSO2
>>>> Email: is...@wso2.com
>>>> Mob : +94 772 254 810
>>>> Blog : http://isurad.blogspot.com/
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>>
>>> *Isura Dilhara Karunaratne*
>>> Associate Technical Lead | WSO2
>>> Email: is...@wso2.com
>>> Mob : +94 772 254 810
>>> Blog : http://isurad.blogspot.com/
>>>
>>>
>>>
>>>
>>
>>
>> --
>> Thanks & Regards,
>> Asela
>>
>> ATL
>> Mobile : +94 777 625 933
>>  +358 449 228 979
>>
>> http://soasecurity.org/
>> http://xacmlinfo.org/
>>
>
>
>
> --
>
> *Isura Dilhara Karunaratne*
> Associate Technical Lead | WSO2
> Email: is...@wso2.com
> Mob : +94 772 254 810
> Blog : http://isurad.blogspot.com/
>
>
>
>
> ___
> Dev mailing list
> Dev@wso2.org
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>
>


-- 
Sathya Bandara
Software Engineer
WSO2 Inc. http://wso2.com
Mobile: (+94) 715 360 421
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


Re: [Dev] Identity Server SCIM Implementation issue with PATCH request

2018-03-17 Thread Sathya Bandara
Hi Tharindu,

I tested this scenario on a 5.4.1 updated pack and it was working
properly. Please find the curl commands I executed below.

*PATCH ADD request*

curl -v -k --user admin:admin -X PATCH -d
'{"schemas":["urn:ietf:params:scim:api:messages:2.0:PatchOp"],"Operations":[{"op":"add","value":{"displayName":"display"}}]}'
--header "Content-Type:application/json"
https://localhost:9443/scim2/Users/6a66ad20-3686-476c-a401-84cd47b05699

*Response *

200 OK
{"emails":[{"type":"other","value":"sath...@wso2.com"},{"type":"home","value":"sat...@wso2.com"}],"meta":{"created":"2018-03-17T15:01:42Z","location":"https://localhost:9443/scim2/Users/6a66ad20-3686-476c-a401-84cd47b05699","lastModified":"2018-03-17T15:27:00Z"},"displayName":"display","schemas":["urn:ietf:params:scim:schemas:core:2.0:User","urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"],"EnterpriseUser":{"manager":{"displayName":"display"}},"name":{"familyName":"jackson"},"id":"6a66ad20-3686-476c-a401-84cd47b05699","userName":"kim3"}

However, this also updates the enterprise schema User displayName attribute, as
both schemas:core:2.0:User and scim:schemas:extension:enterprise:2.0:User
have a displayName attribute mapped to the WSO2 local claim
http://wso2.org/claims/displayName.

I could reproduce the behavior explained by Tharindu when I tried to PATCH
an existing attribute along with a non-existing attribute (both scenarios
worked correctly when executed independently); it failed with a 500 Internal
Server Error, giving the stack trace below.


Caused by: org.wso2.carbon.user.core.UserStoreException: One or more
attributes you are trying to add/update are not supported by underlying
LDAP for user : kim3
at
org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager.handleException(ReadWriteLDAPUserStoreManager.java:2126)
at
org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager.doDeleteUserClaimValue(ReadWriteLDAPUserStoreManager.java:1103)
at
org.wso2.carbon.user.core.common.AbstractUserStoreManager.deleteUserClaimValue(AbstractUserStoreManager.java:1497)
... 66 more
Caused by: javax.naming.directory.NoSuchAttributeException: [LDAP: error
code 16 - NO_SUCH_ATTRIBUTE: failed for Modify Request
Object : 'uid=kim3,ou=Users,dc=wso2,dc=org'
Modification[0]
Operation :  delete
Modification
displayName: (null)
: ERR_55 Trying to remove an non-existant attribute: ATTRIBUTE_TYPE (
2.16.840.1.113730.3.1.241
 NAME 'displayName'
 DESC RFC2798: preferred name to be used when displaying entries
 EQUALITY caseIgnoreMatch
 SUBSTR caseIgnoreSubstringsMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
 SINGLE-VALUE
 USAGE userApplications


We need to investigate further to find out the exact cause. Created a
GitHub issue to track this [1].

[1] https://github.com/wso2/product-is/issues/2978

Thanks.
Sathya


On Fri, Mar 16, 2018 at 3:16 PM, Tharindu Malawaraarachchi <
tharind...@wso2.com> wrote:

> Hi all,
>
> I have been using SCIM 2.0 REST API of the wso2 Identity Server for
> testing my Ballerina SCIM 2.0 connector and I encountered some issues in
> the Identity Server SCIM implementation.
>
>
>- When I try to update some of the attributes of Identity Server
>resource User, it gives an internal server error and removes many of the
>attributes of the specified user. Please refer the below case.
>
>
> This is the existing User in the Identity Server User store.
>
>
>
> I try to update the displayName of this user by sending a PATCH request
> to  https://localhost:9443/scim2/Users/1a3e769d-cbd3-
> 475d-abef-ce275ab22c4e
> <https://localhost:9443/scim2/Users/98951f31-e595-4b53-842e-d928c1396a4a> with
> a json body.
>
>
>
> Ideally, this should update the relevant field but instead gives an error.
>
>
> Further, it *removes many of the other fields from the specified User* in
> the user store.
> Now the specified User would look like below.
>
>
> This same issue happens when for few other attributes like emails,
> externalId, and userType when try to execute a PATCH request.
> --
> *Tharindu Malawaraarachchi*
> Software Engineer | WSO2
>
> tharind...@wso2.com
> +94 719340143
> https://www.linkedin.com/in/tharindun/
>
>


-- 
Sathya Bandara
Software Engineer
WSO2 Inc. http://wso2.com
Mobile: (+94) 715 360 421
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
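An added example, not WSO2's code, covering the two operations discussed in this thread and in the earlier message on mapping SCIM claims to identity claims: applying a SCIM 2.0 PatchOp message to a user resource, and deriving the user-store changes as a diff so that a delete is only issued for an attribute the entry currently holds (a delete-everything-then-set approach is what produces the NO_SUCH_ATTRIBUTE error quoted above). The resource layout, the patch message and the dotted-path handling are constructed assumptions; path filter expressions are not handled.

```python
# Added example, not WSO2 code: apply SCIM 2.0 PatchOp operations to a user
# resource, then derive a user-store change plan that deletes only attributes
# which currently exist. This is a hypothetical "diff, don't delete-then-set"
# approach; the resource, patch and dotted attribute layout are constructed.
import copy
from typing import Any, Dict, List, Tuple

PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
READ_ONLY = {"schemas", "id", "meta"}  # server-managed, never written back


def _set_path(res: Dict[str, Any], path: str, value: Any) -> None:
    parts = path.split(".")
    node = res
    for part in parts[:-1]:
        node = node.setdefault(part, {})
    node[parts[-1]] = value


def _del_path(res: Dict[str, Any], path: str) -> bool:
    """Remove a dotted path; returns False if it was not present."""
    parts = path.split(".")
    node: Any = res
    for part in parts[:-1]:
        node = node.get(part)
        if not isinstance(node, dict):
            return False
    return node.pop(parts[-1], None) is not None


def apply_patch(resource: Dict[str, Any], patch: Dict[str, Any]) -> Dict[str, Any]:
    """Apply add/replace/remove operations (simple dotted paths only, no
    filter expressions) and return a new resource, leaving the input intact."""
    if PATCH_OP not in patch.get("schemas", []):
        raise ValueError("not a SCIM PatchOp message")
    result = copy.deepcopy(resource)
    for op in patch["Operations"]:
        kind = op["op"].lower()
        path = op.get("path")
        if kind in ("add", "replace"):
            if path is None:
                # No path: "value" is an object whose keys are attribute paths.
                for attr, val in op["value"].items():
                    _set_path(result, attr, val)
            else:
                _set_path(result, path, op["value"])
        elif kind == "remove":
            if path is None:
                raise ValueError("remove without a path (scimType noTarget)")
            _del_path(result, path)  # design choice: absent target is a no-op
        else:
            raise ValueError(f"unsupported op: {op['op']}")
    return result


def flatten(resource: Dict[str, Any], prefix: str = "") -> Dict[str, Any]:
    """Flatten complex attributes to dotted names; multi-valued lists stay whole."""
    out: Dict[str, Any] = {}
    for key, val in resource.items():
        name = f"{prefix}{key}"
        if isinstance(val, dict):
            out.update(flatten(val, name + "."))
        else:
            out[name] = val
    return out


def plan_changes(before: Dict[str, Any],
                 after: Dict[str, Any]) -> Tuple[List[str], Dict[str, Any]]:
    """Return (attributes to delete, attributes to set). Only attributes that
    existed before and are gone now are deleted, so the plan never asks the
    directory to remove an attribute it does not hold."""
    old = flatten({k: v for k, v in before.items() if k not in READ_ONLY})
    new = flatten({k: v for k, v in after.items() if k not in READ_ONLY})
    to_delete = sorted(k for k in old if k not in new)
    to_set = {k: v for k, v in new.items() if k not in old or old[k] != v}
    return to_delete, to_set


if __name__ == "__main__":
    user = {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"], "id": "1",
            "userName": "kim3", "name": {"familyName": "jackson"}}
    patch = {"schemas": [PATCH_OP],
             "Operations": [{"op": "add", "value": {"displayName": "display"}}]}
    updated = apply_patch(user, patch)
    print(plan_changes(user, updated))
```

The plan for the add operation from the curl command above is an empty delete list and a single set of displayName; no delete is ever generated for an attribute the stored entry never had.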


Re: [Dev] [Architecture] [VOTE] Release WSO2 Identity Server 5.5.0 RC2

2018-03-15 Thread Sathya Bandara
   - 5.5.0-Alpha3 fixes
>>>>>>
>>>>>> <https://github.com/wso2/product-is/issues?q=is%3Aclosed+milestone%3A5.5.0-alpha3>
>>>>>>- 5.5.0-Alpha2 fixes
>>>>>>
>>>>>> <https://github.com/wso2/product-is/issues?q=is%3Aclosed+milestone%3A5.5.0-alpha2>
>>>>>>- 5.5.0-Alpha fixes
>>>>>>
>>>>>> <https://github.com/wso2/product-is/issues?q=is%3Aclosed+milestone%3A5.5.0-alpha>
>>>>>>- 5.5.0-M4 fixes
>>>>>>
>>>>>> <https://github.com/wso2/product-is/issues?q=is%3Aclosed+milestone%3A5.5.0-M4>
>>>>>>- 5.5.0-M3 fixes
>>>>>>
>>>>>> <https://github.com/wso2/product-is/issues?q=is%3Aclosed+milestone%3A5.5.0-M3>
>>>>>>- 5.5.0-M2 fixes
>>>>>>
>>>>>> <https://github.com/wso2/product-is/issues?q=is%3Aclosed+milestone%3A5.5.0-M2>
>>>>>>- 5.5.0-M1 fixes
>>>>>>
>>>>>> <https://github.com/wso2/product-is/issues?q=is%3Aclosed+milestone%3A5.5.0-M1>
>>>>>>
>>>>>>
>>>>>> Source and distribution
>>>>>>
>>>>>> Runtime - https://github.com/wso2/product-is/releases/v5.5.0-rc2
>>>>>> Analytics - https://github.com/wso2/anal
>>>>>> ytics-is/releases/v5.5.0-rc2
>>>>>>
>>>>>>
>>>>>> Please download, test the product and vote.
>>>>>>
>>>>>> [+] Stable - go ahead and release
>>>>>> [-] Broken - do not release (explain why)
>>>>>>
>>>>>>
>>>>>> Thanks,
>>>>>> - WSO2 Identity and Access Management Team -
>>>>>>
>>>>>> --
>>>>>> Regards,
>>>>>>
>>>>>>
>>>>>> *Darshana Gunawardana*Technical Lead
>>>>>> WSO2 Inc.; http://wso2.com
>>>>>>
>>>>>> *E-mail: darsh...@wso2.com <darsh...@wso2.com>*
>>>>>> *Mobile: +94718566859*Lean . Enterprise .
>>>>>> Middleware
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>>
>>>>> Best Regards,
>>>>>
>>>>> Nuwandi Wickramasinghe
>>>>>
>>>>> Senior Software Engineer
>>>>>
>>>>> WSO2 Inc.
>>>>>
>>>>> Web : http://wso2.com
>>>>>
>>>>> Mobile : 0719214873
>>>>>
>>>>> ___
>>>>> Dev mailing list
>>>>> Dev@wso2.org
>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>>
>>>>
>>>>
>>>> *Kind Regards,Nipuni Bhagya*
>>>>
>>>> *Software Engineering Intern*
>>>> *WSO2*
>>>>
>>>>
>>>>
>>>> *Mobile : +94 0779028904*
>>>>
>>>> ___
>>>> Architecture mailing list
>>>> architect...@wso2.org
>>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>>>
>>>>
>>>
>>>
>>> --
>>> *Dinali Rosemin Dabarera*
>>> Software Engineer
>>> WSO2 Lanka (pvt) Ltd.
>>> Web: http://wso2.com/
>>> Email : gdrdabar...@gmail.com
>>> LinkedIn <https://lk.linkedin.com/in/dinalidabarera>
>>> Mobile: +94770198933
>>>
>>>
>>> ___
>>> Dev mailing list
>>> Dev@wso2.org
>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>
>>>
>>
>> Thanks,
>> --
>> Pushpalanka.
>> --
>> Pushpalanka Jayawardhana, B.Sc.Eng.(Hons).
>> Senior Software Engineer, WSO2 Lanka (pvt) Ltd;  wso2.com/
>> Mobile: +94779716248
>> Blog: pushpalankajaya.blogspot.com/ | LinkedIn: lk.linkedin.com/in/p
>> ushpalanka/ | Twitter: @pushpalanka
>>
>>
>> ___
>> Architecture mailing list
>> architect...@wso2.org
>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>
>>
>
>
> --
> Denuwanthi De Silva
> Senior Software Engineer;
> WSO2 Inc.; http://wso2.com,
> Email: denuwan...@wso2.com
> Blog: https://denuwanthi.wordpress.com/
>
> ___
> Architecture mailing list
> architect...@wso2.org
> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>
>


-- 
Sathya Bandara
Software Engineer
WSO2 Inc. http://wso2.com
Mobile: (+94) 715 360 421
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


Re: [Dev] [Architecture] [VOTE] Release WSO2 Identity Server 5.5.0 RC1

2018-03-14 Thread Sathya Bandara
Hi all,

We are calling off this vote as we have found an issue [1]:

   - for the user-mgt UI component in the EI product
   - in a Windows environment

Since we want to align the same component versions between EI and IS, we will
fix this and update the versions in IS as well. Additionally, we will fix the
issue in README.txt along with this.
We will do an RC2 and call for a vote soon.

[1] https://github.com/wso2/product-ei/issues/2004

On Wed, Mar 14, 2018 at 6:29 PM, Nilasini Thirunavukkarasu <
nilas...@wso2.com> wrote:

> Hi,
>
> I have tested the following flows in mysql.
>
>- User management, role management (Primary + Secondary user store)
>- OIDC flow (password grant, authorization code)(Primary + Secondary
>user store)
>- consent management with SAML SSO for primary and secondary users.
>- SAML assertion encryption and response signing.
>
>
> I have tested the following flow with h2
>
>- federated scenario with two IS
>
> +1 to go ahead and release
>
>
> Thanks,
> Nila.
>
>
> On Wed, Mar 14, 2018 at 6:15 PM, Darshana Gunawardana <darsh...@wso2.com>
> wrote:
>
>> Hi Dilini,
>>
>> We will fix this, if we noted any blocker for RC1 release.. If not, let's
>> continue on the vote considering this is a known issue..
>>
>> Thanks,
>>
>> On Wed, Mar 14, 2018 at 6:05 PM, Dilini Gunatilake <dili...@wso2.com>
>> wrote:
>>
>>> Hi,
>>>
>>> The README .txt contains references to old documentation and few other
>>> issues which is reported in [1]. Better if we can fix those. WDUT?
>>>
>>> [1] https://github.com/wso2/product-is/issues/2945
>>>
>>> Regards,
>>> Dilini
>>>
>>>
>>>
>>> On Wed, Mar 14, 2018 at 5:23 PM, Farasath Ahamed <farasa...@wso2.com>
>>> wrote:
>>>
>>>>
>>>> Tested Below scenario on the IS 5.5.0-RC1 pack with MSSQL database
>>>>
>>>>- Create an OAuth app using Dynamic Client Registration endpoint
>>>>- Configured mandatory claims for the service provider
>>>>- Tested OIDC Implicit flow with user consent management enabled
>>>>- Verified that the user claims sent in the id_token are filtered
>>>>based on user consent.
>>>>
>>>> +1 to go ahead and release
>>>>
>>>>
>>>> On Wed, Mar 14, 2018 at 11:16 AM, Sathya Bandara <sat...@wso2.com>
>>>> wrote:
>>>>
>>>>> Hi all,
>>>>>
>>>>> We are pleased to announce the first release candidate of WSO2
>>>>> Identity Server 5.5.0.
>>>>>
>>>>> This is the first release candidate (RC) of the WSO2 Identity Server
>>>>> 5.5.0 release.
>>>>>
>>>>>
>>>>> This release fixes the following issues
>>>>>
>>>>>- 5.5.0-RC1 fixes
>>>>>
>>>>> <https://github.com/wso2/product-is/issues?q=is%3Aclosed+milestone%3A5.5.0-RC1>
>>>>>- 5.5.0-Beta fixes
>>>>>
>>>>> <https://github.com/wso2/product-is/issues?q=is%3Aclosed+milestone%3A5.5.0-beta>
>>>>>- 5.5.0-Alpha3 fixes
>>>>>
>>>>> <https://github.com/wso2/product-is/issues?q=is%3Aclosed+milestone%3A5.5.0-alpha3>
>>>>>- 5.5.0-Alpha2 fixes
>>>>>
>>>>> <https://github.com/wso2/product-is/issues?q=is%3Aclosed+milestone%3A5.5.0-alpha2>
>>>>>- 5.5.0-Alpha fixes
>>>>>
>>>>> <https://github.com/wso2/product-is/issues?q=is%3Aclosed+milestone%3A5.5.0-alpha>
>>>>>- 5.5.0-M4 fixes
>>>>>
>>>>> <https://github.com/wso2/product-is/issues?q=is%3Aclosed+milestone%3A5.5.0-M4>
>>>>>- 5.5.0-M3 fixes
>>>>>
>>>>> <https://github.com/wso2/product-is/issues?q=is%3Aclosed+milestone%3A5.5.0-M3>
>>>>>- 5.5.0-M2 fixes
>>>>>
>>>>> <https://github.com/wso2/product-is/issues?q=is%3Aclosed+milestone%3A5.5.0-M2>
>>>>>- 5.5.0-M1 fixes
>>>>>
>>>>> <https://github.com/wso2/product-is/issues?q=is%3Aclosed+milestone%3A5.5.0-M1>
>>>>>
>>>>>
>>>>> Source and distribution
>>>>>
>>>>> Runtime - https://github.com/wso2/produc
>>>>> t-is/releases/tag/v5.5.0-rc1
>>>>> Analytics - htt

[Dev] [VOTE] Release WSO2 Identity Server 5.5.0 RC1

2018-03-13 Thread Sathya Bandara
Hi all,

We are pleased to announce the first release candidate of WSO2 Identity
Server 5.5.0.

This is the first release candidate (RC) of the WSO2 Identity Server 5.5.0
release.


This release fixes the following issues

   - 5.5.0-RC1 fixes
   
<https://github.com/wso2/product-is/issues?q=is%3Aclosed+milestone%3A5.5.0-RC1>
   - 5.5.0-Beta fixes
   
<https://github.com/wso2/product-is/issues?q=is%3Aclosed+milestone%3A5.5.0-beta>
   - 5.5.0-Alpha3 fixes
   
<https://github.com/wso2/product-is/issues?q=is%3Aclosed+milestone%3A5.5.0-alpha3>
   - 5.5.0-Alpha2 fixes
   
<https://github.com/wso2/product-is/issues?q=is%3Aclosed+milestone%3A5.5.0-alpha2>
   - 5.5.0-Alpha fixes
   
<https://github.com/wso2/product-is/issues?q=is%3Aclosed+milestone%3A5.5.0-alpha>
   - 5.5.0-M4 fixes
   
<https://github.com/wso2/product-is/issues?q=is%3Aclosed+milestone%3A5.5.0-M4>
   - 5.5.0-M3 fixes
   
<https://github.com/wso2/product-is/issues?q=is%3Aclosed+milestone%3A5.5.0-M3>
   - 5.5.0-M2 fixes
   
<https://github.com/wso2/product-is/issues?q=is%3Aclosed+milestone%3A5.5.0-M2>
   - 5.5.0-M1 fixes
   
<https://github.com/wso2/product-is/issues?q=is%3Aclosed+milestone%3A5.5.0-M1>


Source and distribution

Runtime - https://github.com/wso2/product-is/releases/tag/v5.5.0-rc1
Analytics - https://github.com/wso2/analytics-is/releases/tag/v5.5.0-rc1


Please download, test the product and vote.

[+] Stable - go ahead and release
[-] Broken - do not release (explain why)


Thanks,
- WSO2 Identity and Access Management Team -

-- 
Sathya Bandara
Software Engineer
WSO2 Inc. http://wso2.com
Mobile: (+94) 715 360 421
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


[Dev] WSO2 Identity Server 5.5.0-Beta Released!

2018-03-06 Thread Sathya Bandara
WSO2 Identity and Access Management team is pleased to announce the release
of Identity Server 5.5.0 Beta!
Download

You can download WSO2 Identity Server 5.5.0 Beta distributions from the
following locations.

Identity Server:
https://github.com/wso2/product-is/releases/download/v5.5.0-beta/wso2is-5.5.0-beta

IS Analytics:
https://github.com/wso2/analytics-is/releases/download/v5.5.0-beta/wso2is-analytics-5.5.0-beta

How to run

1. Extract the downloaded zip file.

2. Go to the bin directory in the extracted folder.

3. Run the wso2server.sh file if you are on a Linux/Mac OS or run the
wso2server.bat file if you are on a Windows OS.



What's new in WSO2 Identity Server 5.5.0 Beta

   - Bug fixes
   - Improvements

A list of all the resolved issues shipped with this release can be found here

Online documentation is available at
https://docs.wso2.com/display/IS550/WSO2+Identity+Server+Documentation.

Known Issues

All the open issues pertaining to WSO2 Identity Server are reported at the
following location:

   - IS Runtime
   - IS Analytics



How You Can Contribute

Mailing Lists

Join our mailing list and correspond with the developers directly.

Developer list: dev@wso2.org | Subscribe | Mail Archive


User forum: StackOverflow


Reporting Issues

We encourage you to report issues, improvements, documentation faults, and
feature requests regarding WSO2 Identity Server through WSO2 Identity
Server GIT Issues .

For more information about WSO2 Identity Server, please see
https://wso2.com/identity-and-access-management or visit the WSO2 Oxygen
Tank  developer portal for additional resources.


~ The WSO2 Identity and Access Management Team ~
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


[Dev] [Architecture] WSO2 Identity Server 5.5.0-Alpha3 Released!

2018-02-27 Thread Sathya Bandara
WSO2 Identity and Access Management team is pleased to announce the release
of Identity Server 5.5.0 Alpha3!
Download

You can download WSO2 Identity Server 5.5.0 Alpha3 distributions from
following locations.


Identity Server:
https://github.com/wso2/product-is/releases/download/v5.5.0-alpha3/wso2is-5.5.0-alpha3.zip

IS Analytics:
https://github.com/wso2/analytics-is/releases/download/v5.5.0-alpha3/wso2is-analytics-5.5.0-alpha3.zip
How to run

1. Extract the downloaded zip file.

2. Go to the bin directory in the extracted folder.

3. Run the wso2server.sh file if you are on a Linux/Mac OS or run the
wso2server.bat file if you are on a Windows OS.



What's new in WSO2 Identity Server 5.5.0 Alpha3

The following includes major features/improvements provided in WSO2 IS
5.5.0-Alpha3.

   - Tenancy support for PII controllers - Capability to configure PII
     controllers on a per-tenant basis.
   - Consent Management in OIDC - Integrating User Consent Management into
     the OpenID Connect Authorization Code and Implicit flows.


A list of new features and bug fixes shipped with this release can be found
here <https://github.com/wso2/product-is/milestone/25?closed=1>

Online documentation is available at
https://docs.wso2.com/display/IS550/WSO2+Identity+Server+Documentation.


Known Issues

All the open issues pertaining to WSO2 Identity Server are reported at the
following location:

   - IS Runtime <https://github.com/wso2/product-is/issues>
   - IS Analytics <https://github.com/wso2/analytics-is/issues>



How You Can Contribute

Mailing Lists

Join our mailing list and correspond with the developers directly.

Developer list: dev@wso2.org | Subscribe | Mail Archive
<http://mail.wso2.org/mailarchive/dev/>

User forum: StackOverflow
<http://stackoverflow.com/questions/tagged/wso2is>

Reporting Issues

We encourage you to report issues, improvements, documentation faults, and
feature requests regarding WSO2 Identity Server through WSO2 Identity
Server GIT Issues <https://github.com/wso2/product-is/issues>.

For more information about WSO2 Identity Server, please see
https://wso2.com/identity-and-access-management or visit the WSO2 Oxygen
Tank <http://wso2.com/library/> developer portal for additional resources.


~ The WSO2 Identity and Access Management Team ~


-- 
Sathya Bandara
Software Engineer
WSO2 Inc. http://wso2.com
Mobile: (+94) 715 360 421
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


Re: [Dev] Identity Server Documentation for SCIM 2.0 Endpoints Lacks Details

2018-02-27 Thread Sathya Bandara
Hi Sherene,

Can we include the missing SCIM 2.0 endpoint descriptions in [1]?

[1] https://docs.wso2.com/display/IS540/apidocs/SCIM2-endpoints/index.html


Thanks,
Sathya

On Tue, Feb 27, 2018 at 10:22 AM, Tharindu Malawaraarachchi <
tharind...@wso2.com> wrote:

> Hi all,
>
> I am currently implementing a ballerina User Administration Connector for
> wso2 Identity Server which uses SCIM 2.0 specification for managing user
> identities.
>
> The IS documentation for SCIM 2.0 endpoints
> <https://docs.wso2.com/display/IS540/apidocs/SCIM2-endpoints/index.html>[1]
> doesn't reflect the full set of endpoints which are exposed through
> Identity Server REST API. A better description of endpoints can be found
> here
> <https://docs.wso2.com/display/ISCONNECTORS/Configuring+SCIM+2.0+Provisioning+Connector#ConfiguringSCIM2.0ProvisioningConnector-/UsersEndpoint>
> [2].
>
> Here is a summary of main missing points from Identity Server SCIM 2.0
> documentation[1],
>
>- Patch operation is missing from /User, /Group and /Me endpoints
>- Filter operation in both /User and /Group endpoints doesn't reflect
>the proper filter functionality. This operation suits more under Listing
>Users and Groups.
>- /Bulk endpoint is completely missing.
>
>
> [1] https://docs.wso2.com/display/IS540/apidocs/SCIM2-endpoints/index.html
> [2] https://docs.wso2.com/display/ISCONNECTORS/Configuring+SCIM+2.0+
> Provisioning+Connector#ConfiguringSCIM2.0ProvisioningConnector-/
> UsersEndpoint
> <https://docs.wso2.com/display/ISCONNECTORS/Configuring+SCIM+2.0+Provisioning+Connector#ConfiguringSCIM2.0ProvisioningConnector-/UsersEndpoint>
> --
> *Tharindu Malawaraarachchi*
> Software Engineer | WSO2
>
> Email : tharind...@wso2.com
> Mobile : +94 719340143
> web : http://wso2.com
> https://us18.wso2con.com/
>
> ___
> Dev mailing list
> Dev@wso2.org
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>
>


-- 
Sathya Bandara
Software Engineer
WSO2 Inc. http://wso2.com
Mobile: (+94) 715 360 421
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


[Dev] [Architecture] WSO2 Identity Server 5.5.0-Alpha2 Released!

2018-02-22 Thread Sathya Bandara
WSO2 Identity and Access Management team is pleased to announce the release
of Identity Server 5.5.0 Alpha2!
Download

You can download WSO2 Identity Server 5.5.0 Alpha2 distributions from
following locations.


Identity Server:
https://github.com/wso2/product-is/releases/download/v5.5.0-alpha2/wso2is-5.5.0-alpha2.zip

IS Analytics:
https://github.com/wso2/analytics-is/releases/download/v5.5.0-alpha2/wso2is-analytics-5.5.0-alpha2.zip
How to run

1. Extract the downloaded zip file.

2. Go to the bin directory in the extracted folder.

3. Run the wso2server.sh file if you are on a Linux/Mac OS or run the
wso2server.bat file if you are on a Windows OS.



What's new in WSO2 Identity Server 5.5.0 Alpha2

The following includes major features/improvements provided in WSO2 IS
5.5.0-Alpha2.

   - Tenancy Support for Self Sign Up Page
     <https://docs.wso2.com/display/IS550/Self+Sign+Up+and+Account+Confirmation>
     - Facility to view the self registration page honoring tenant
     configurations.
   - System Consent Management from user Dashboard
     <https://docs.wso2.com/display/IS550/Using+the+End+User+Dashboard#UsingtheEndUserDashboard-Configuringconsentforservices>
     - Separate resident IDP consent in the dashboard gadget to manage consents.
   - Display names for user claims in consent SSO page
     <https://docs.wso2.com/display/IS550/Consent+Management+with+Single-Sign-On>
     - Ability to show display names of consent-requested claims in the consent
     SSO page.
   - Upload service provider public certificates
     <https://docs.wso2.com/display/IS550/Adding+and+Configuring+a+Service+Provider>
     - Capability to register a service provider specific public certificate via
     file upload.

A list of all the new features and bug fixes shipped with this release can
be found here <https://github.com/wso2/product-is/milestone/22?closed=1>

Online documentation is available at
https://docs.wso2.com/display/IS550/WSO2+Identity+Server+Documentation.


Known Issues

All the open issues pertaining to WSO2 Identity Server are reported at the
following location:

   - IS Runtime <https://github.com/wso2/product-is/issues>
   - IS Analytics <https://github.com/wso2/analytics-is/issues>



How You Can Contribute

Mailing Lists

Join our mailing list and correspond with the developers directly.

Developer list: dev@wso2.org | Subscribe | Mail Archive
<http://mail.wso2.org/mailarchive/dev/>

User forum: StackOverflow
<http://stackoverflow.com/questions/tagged/wso2is>

Reporting Issues

We encourage you to report issues, improvements, documentation faults, and
feature requests regarding WSO2 Identity Server through WSO2 Identity
Server GIT Issues <https://github.com/wso2/product-is/issues>.

For more information about WSO2 Identity Server, please see
https://wso2.com/identity-and-access-management or visit the WSO2 Oxygen
Tank <http://wso2.com/library/> developer portal for additional resources.


~ The WSO2 Identity and Access Management Team ~


-- 
Sathya Bandara
Software Engineer
WSO2 Inc. http://wso2.com
Mobile: (+94) 715 360 421


Re: [Dev] [Architecture] [IS 5.5.0] TLS Mutual Authentication for OAuth 2.0 clients

2018-02-20 Thread Sathya Bandara
Hi all,

I'm currently working on integrating the changes in [1] to provide the
capability to upload client certificates to truststore during run time
without restart.

As per the implementation in [1], the default trust manager will be replaced
with a custom trust manager which will reload the client-truststore.jks
whenever there is an SSL validation failure. However, in the case where there
are many SSL failures, it will reload the JKS file for each and every
validation failure, which will slow the server.

With the above mentioned concern, should I proceed with this integration?
Appreciate your thoughts.

[1] https://github.com/wso2/carbon-identity/pull/1511

Thanks,
Sathya


On Mon, Feb 19, 2018 at 3:57 PM, Sathya Bandara <sat...@wso2.com> wrote:

> Hi all,
>
> The basic implementation for this feature is completed and we held an
> initial code review for this. Review notes can be found in [1]. We were
> able to identify the following key limitations when including this feature
> in the product.
>
>
>1. In order to use the client certificate in the authentication
>request, the certificate needs to be imported to our truststore as a
>pre-requisite. As a result we will have to ask to restart the server. Even
>if we add the certificate via Management console it will not be applied
>unless the server is restarted with the current implementation. In order to
>overcome this requirement , we need to improve our existing implementation
>to add certificates at runtime without restarting the server. Part of this
>improvement is already provided in [1] which provides the following
>capabilities.
>
>- Alter UI to view the default trust store.
>   - Alter keystore management service to support the addition of
>   trust stores.
>   - Create a X509TrustManager implementation that dynamically reloads
>   any changes made to the trust store. Anyone using this
>   "DynamicX509TrustManager" with SSLContext will not require to restart 
> the
>   server for changes to client trust store to take effect.
>
>   2. Since in the current approach of mutual authentication using
>TLS, we need to add the client certificate to the client-truststore.jks in
>order to handle mutual TLS at the web container level (tomcat), during the TLS
>handshake. In this scenario all the client certificates will be accessible
>globally since we cannot override the truststore at SP level. Since our admin
>services are protected by the Mutual-SSL-authenticator, clients can
>successfully authenticate from the mutual SSL authenticator using their
>certificates and consume admin services. As a work-around we can
>specifically ask to disable the mutual-SSL-authenticator if the requirement
>is to use mutual TLS for client authentication. However, the proper
>solution would be to find an approach for the web container to dynamically
>identify the client specific certificates during runtime.
>
>3. Configuring the Tomcat connector for TLS Using the Server Keystore
>requires to restart Tomcat whenever we change the contents of the keystore
>since they are cached at launch and are not re-examined until the server
>process is bounced. We need to investigate an approach to avoid server
>restart and dynamically load the keystore content. One possible solution
>would be to implement a custom trustManagerClass and then use it to load
>the KeyStore on every ssl-session [3].
>
> In order to overcome the above limitations, supplementary
> features/capabilities are required. Please find the following task break
> down in order to address these limitations.
>
> Task 1 - Capability to upload the client certificate to the truststore.jks
> from UI and dynamically apply the certificate changes during runtime.
>
>- Sub-Task 1 - Merge the changes in [2] to carbon-identity-framework
>master branch and test the functionality.
>
>
>- Sub-Task 2 - Implement a mechanism to sync truststore changes in
>cluster.
>
>
>- Sub-Task 3 - Investigate an approach to avoid tomcat restart and
>dynamically load the keystore content for the connector.
>
>
> Task 2 - Address the conflicts with existing authenticators (e.g.
> MutualSSLAuthenticator/X509 Authenticator) when engaging the TLS Mutual
> Authenticator.
>
>- Sub-Task 1: Improve the existing MutualSSLAuthenticator to add a
>secondary factor of validation.
>
>
>- Sub-Task 2: Improve the existing X509 Authenticator to add a
>secondary factor of validation.
>
>
> Appreciate your feedback and suggestions.
>
> [1] Invitation: [Review] User Story - Mutual TLS Authentication for Oauth
> 2.0 clients @ Mon Feb 12, 2018 2pm - 3pm (IS

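The reload-on-every-failure concern raised above is the usual trap with a self-refreshing trust manager. The following is an added example (my own code, not the implementation in the pull request linked above and not anything shipped with WSO2 Identity Server) of how a DynamicX509TrustManager-style class can avoid it: it reloads only after a validation failure, only when the file's modification time differs from the one last loaded, and never more than once per throttle window. The store path, password, store type and the 5-second interval are assumptions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileTime;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Trust manager that re-reads its JKS file only when a validation failed, the
 * file's mtime differs from the one last loaded, and the throttle window has
 * passed. A flood of handshakes from unknown clients therefore costs one
 * stat() per window instead of one JKS parse per failure.
 */
public final class ThrottledReloadingTrustManager implements X509TrustManager {

    /** Assumed tuning value, not a WSO2 configuration property. */
    private static final long MIN_RELOAD_INTERVAL_MS = 5_000L;

    private final Path trustStorePath;     // e.g. <IS_HOME>/repository/resources/security/client-truststore.jks
    private final char[] password;
    private final String storeType;        // "JKS" for client-truststore.jks
    private volatile X509TrustManager delegate;
    private FileTime loadedMtime;          // guarded by this
    private long lastReloadAttemptMs;      // guarded by this

    public ThrottledReloadingTrustManager(Path trustStorePath, char[] password, String storeType)
            throws IOException, GeneralSecurityException {
        this.trustStorePath = trustStorePath;
        this.password = password.clone();
        this.storeType = storeType;
        reload();
    }

    /** Parse the store and swap in a fresh delegate. */
    private synchronized void reload() throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(storeType);
        try (InputStream in = Files.newInputStream(trustStorePath)) {
            ks.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                delegate = (X509TrustManager) tm;
                loadedMtime = Files.getLastModifiedTime(trustStorePath);
                return;
            }
        }
        throw new GeneralSecurityException("no X509TrustManager for " + trustStorePath);
    }

    /** Called only after a failure; true when a newer store was loaded and a retry is worthwhile. */
    private synchronized boolean reloadIfChanged() {
        long now = System.currentTimeMillis();
        if (now - lastReloadAttemptMs < MIN_RELOAD_INTERVAL_MS) {
            return false;                                   // throttled: keep the current delegate
        }
        lastReloadAttemptMs = now;
        try {
            if (Files.getLastModifiedTime(trustStorePath).equals(loadedMtime)) {
                return false;                               // unchanged on disk: the failure is genuine
            }
            reload();
            return true;
        } catch (IOException | GeneralSecurityException e) {
            return false;                                   // unreadable/corrupt store must not fail open
        }
    }

    private void check(X509Certificate[] chain, String authType, boolean client) throws CertificateException {
        try {
            checkWith(delegate, chain, authType, client);
        } catch (CertificateException first) {
            if (!reloadIfChanged()) {
                throw first;
            }
            checkWith(delegate, chain, authType, client);   // exactly one retry against the new store
        }
    }

    private static void checkWith(X509TrustManager tm, X509Certificate[] chain, String authType, boolean client)
            throws CertificateException {
        if (client) {
            tm.checkClientTrusted(chain, authType);
        } else {
            tm.checkServerTrusted(chain, authType);
        }
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        check(chain, authType, true);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        check(chain, authType, false);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return delegate.getAcceptedIssuers();
    }
}
```

An instance goes into SSLContext.init(keyManagers, new TrustManager[]{tm}, null). This only helps SSLContexts the application builds itself; a Tomcat connector configured from server.xml loads its own trust store at startup, which is the separate restart problem described in point 3 of the quoted message, and it does nothing about the admin-service exposure described in point 2.
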
Re: [Dev] Query Regarding the JIRA BUG- IDEBTITY-4250

2018-02-19 Thread Sathya Bandara
  "sub":"admin",
>
>"email":"ad...@wso2.com",
>
>"website":"https://wso2.com",
>
>"name":"admin",
>
>"family_name":"admin",
>
>"preferred_username":"admin",
>
>"given_name":"admin",
>
>"profile":"https://wso2.com",
>
>"country":"Sri Lanka"
>
> }
>
>
>
> Thanks & Regards
>
> Monika Sharma
>
>
>
>
>
>
>
>
>
> --
>
> Regards,
>
>
>
> *Darshana Gunawardana*
>
> Technical Lead
>
> WSO2 Inc.; http://wso2.com
> * E-mail: **darsh...@wso2.com* <darsh...@wso2.com>
> * Mobile: +94718566859 <+94%2071%20856%206859>*
> Lean . Enterprise . Middleware
>
>
>
> --
> Regards,
>
>
> *Darshana Gunawardana*Technical Lead
> WSO2 Inc.; http://wso2.com
>
> *E-mail: darsh...@wso2.com <darsh...@wso2.com>*
> *Mobile: +94718566859 <+94%2071%20856%206859>*Lean . Enterprise .
> Middleware
>



-- 
Sathya Bandara
Software Engineer
WSO2 Inc. http://wso2.com
Mobile: (+94) 715 360 421


[Dev] [Architecture] WSO2 Identity Server 5.5.0-Alpha Released!

2018-02-16 Thread Sathya Bandara
WSO2 Identity and Access Management team is pleased to announce the release
of Identity Server 5.5.0 Alpha!
Download

You can download WSO2 Identity Server 5.5.0 Alpha distributions from
following locations.

Identity Server:
https://github.com/wso2/product-is/releases/download/v5.5.0-alpha/wso2is-5.5.0-alpha.zip

IS Analytics: https://github.com/wso2/analytics-is/releases/tag/v5.5.0-alpha
How to run

1. Extract the downloaded zip file.

2. Go to the bin directory in the extracted folder.

3. Run the wso2server.sh file if you are on a Linux/Mac OS or run the
wso2server.bat file if you are on a Windows OS.



What's new in WSO2 Identity Server 5.5.0 Alpha

WSO2 Identity Server 5.5.0-Alpha is designed around privacy best practices
and GDPR requirements, so GDPR compliance in the IAM and API security space
can be fulfilled with WSO2 IS. The following are the major GDPR-related
features provided in WSO2 IS 5.5.0-Alpha.

   - Privacy Tool Kit
     <https://docs.wso2.com/display/IS550/Removing+References+to+Deleted+User+Identities>
     Supports removing references to a deleted user's identity as and when
     required.
   - Personal Information Export Capability
     <https://docs.wso2.com/display/IS550/Using+the+End+User+Dashboard#UsingtheEndUserDashboard-Exportingpersonalinformation>
     End users can retrieve personal information stored in WSO2 Identity
     Server.
   - User Consent for Single-Sign-On
     <https://docs.wso2.com/display/IS550/Consent+Management+with+Single-Sign-On>
     Provides users with choice and control over sharing their personal data.
   - User Consent for Self Sign Up
     <https://docs.wso2.com/display/IS550/Consent+Management+for+Self+Sign+Up>
     Capability to provide consent when a user self registers to WSO2 Identity
     Server.
   - Consent Purposes Management
     <https://docs.wso2.com/display/IS550/Managing+Consent+Purposes>
     An interactive UI to manage consent purposes/PII categories.
   - Private Key JWT Client Authentication
     <https://docs.wso2.com/display/IS550/Private+Key+JWT+Client+Authentication+for+OIDC>
     Facilitating client authentication using a signed JWT.
   - Encrypted ID token for OIDC Flow
     <https://docs.wso2.com/display/IS550/Testing+OIDC+Encrypted+ID+Token+with+IS+5.5.0>
     Capability to encrypt ID tokens with a registered public key.

A list of all the new features and bug fixes shipped with this release can
be found here <https://github.com/wso2/product-is/milestone/20?closed=1>

Online documentation is available at
https://docs.wso2.com/display/IS550/WSO2+Identity+Server+Documentation.


Known Issues

All the open issues pertaining to WSO2 Identity Server are reported at the
following location:

   - IS Runtime <https://github.com/wso2/product-is/issues>
   - IS Analytics <https://github.com/wso2/analytics-is/issues>



How You Can Contribute

Mailing Lists

Join our mailing list and correspond with the developers directly.

Developer list: dev@wso2.org | Subscribe | Mail Archive
<http://mail.wso2.org/mailarchive/dev/>

User forum: StackOverflow
<http://stackoverflow.com/questions/tagged/wso2is>

Reporting Issues

We encourage you to report issues, improvements, documentation faults, and
feature requests regarding WSO2 Identity Server through WSO2 Identity
Server GIT Issues <https://github.com/wso2/product-is/issues>.

For more information about WSO2 Identity Server, please see
https://wso2.com/identity-and-access-management or visit the WSO2 Oxygen
Tank <http://wso2.com/library/> developer portal for additional resources.


~ The WSO2 Identity and Access Management Team ~


-- 
Sathya Bandara
Software Engineer
WSO2 Inc. http://wso2.com
Mobile: (+94) 715 360 421

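Private Key JWT client authentication, one of the features listed in the announcement above, is worth seeing end to end. The following is an added example (my own code, not WSO2 Identity Server's implementation) that builds the client_assertion on the client side and performs the token-endpoint checks on the server side: the algorithm is pinned to RS256, the signature is verified with the client's registered public key, iss and sub must equal the client_id, aud must equal the token endpoint, exp must be in the future, and a jti is accepted only once. The key pair, client_id and token endpoint URL are constructed for the demo; the hand-rolled JSON handling is for readability and a real deployment would use a JOSE library.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.time.Instant;
import java.util.Base64;
import java.util.HashSet;
import java.util.Set;
import java.util.UUID;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Minimal private_key_jwt client authentication (RFC 7523 / OIDC Core 9):
 * the client signs a JWT with its registered private key; the token endpoint
 * verifies it with the registered public key and enforces the claims.
 */
public final class PrivateKeyJwtDemo {

    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder B64D = Base64.getUrlDecoder();

    /** Client side: iss and sub are the client_id, aud is the token endpoint, jti is unique per assertion. */
    static String buildAssertion(String clientId, String tokenEndpoint, PrivateKey key, long ttlSeconds)
            throws Exception {
        long now = Instant.now().getEpochSecond();
        String header = "{\"alg\":\"RS256\",\"typ\":\"JWT\"}";
        String payload = String.format(
                "{\"iss\":\"%s\",\"sub\":\"%s\",\"aud\":\"%s\",\"jti\":\"%s\",\"iat\":%d,\"exp\":%d}",
                clientId, clientId, tokenEndpoint, UUID.randomUUID(), now, now + ttlSeconds);
        String signingInput = b64(header) + "." + b64(payload);
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(key);
        sig.update(signingInput.getBytes(StandardCharsets.US_ASCII));
        return signingInput + "." + B64.encodeToString(sig.sign());
    }

    /** Server side: signature with the key registered for clientId, then iss/sub/aud/exp and single-use jti. */
    static boolean verifyAssertion(String jwt, String clientId, String tokenEndpoint,
                                   PublicKey key, Set<String> seenJti) throws Exception {
        String[] parts = jwt.split("\\.");
        if (parts.length != 3) return false;
        String header = new String(B64D.decode(parts[0]), StandardCharsets.UTF_8);
        if (!"RS256".equals(claim(header, "alg"))) return false;   // pin the algorithm: never accept "none" or HS256 here
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(key);
        sig.update((parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII));
        if (!sig.verify(B64D.decode(parts[2]))) return false;

        String payload = new String(B64D.decode(parts[1]), StandardCharsets.UTF_8);
        long now = Instant.now().getEpochSecond();
        if (!clientId.equals(claim(payload, "iss")) || !clientId.equals(claim(payload, "sub"))) return false;
        if (!tokenEndpoint.equals(claim(payload, "aud"))) return false;
        String exp = claim(payload, "exp");
        if (exp == null || Long.parseLong(exp) <= now) return false;
        String jti = claim(payload, "jti");
        return jti != null && seenJti.add(jti);                    // false on replay of an already-used jti
    }

    /** Extract a string or number claim from a flat JSON object (these assertions have no nesting). */
    private static String claim(String json, String name) {
        Matcher m = Pattern.compile("\"" + Pattern.quote(name) + "\"\\s*:\\s*\"?([^\",}]*)\"?").matcher(json);
        return m.find() ? m.group(1) : null;
    }

    private static String b64(String s) {
        return B64.encodeToString(s.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();                           // constructed client key pair
        String clientId = "example-client";                           // assumed client_id
        String tokenEndpoint = "https://localhost:9443/oauth2/token";  // assumed IS host; default endpoint path
        Set<String> seen = new HashSet<>();

        String assertion = buildAssertion(clientId, tokenEndpoint, kp.getPrivate(), 60);
        System.out.println("first use verifies : " + verifyAssertion(assertion, clientId, tokenEndpoint, kp.getPublic(), seen));
        System.out.println("replay is rejected : " + verifyAssertion(assertion, clientId, tokenEndpoint, kp.getPublic(), seen));
        System.out.println("wrong audience     : " + verifyAssertion(assertion, clientId, "https://other/token", kp.getPublic(), new HashSet<>()));
    }
}
```

The client sends the assertion to the token endpoint as client_assertion together with client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer, with no client_secret. The jti replay cache is what stops a captured assertion from being re-used within its validity window, which is why the example keeps the TTL short.
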

[Dev] Branch release-5.5.0-alpha created in product-is for 5.5.0-alpha release

2018-02-14 Thread Sathya Bandara
Hi all,

We have done the $subject. We will be using this branch [1] for Identity
Server 5.5.0-alpha development work and release.

[1] https://github.com/wso2/product-is/tree/release-5.5.0-alpha

Thanks,
Sathya
-- 
Sathya Bandara
Software Engineer
WSO2 Inc. http://wso2.com
Mobile: (+94) 715 360 421


[Dev] WSO2 Identity Server 5.5.0-M4 Released!

2018-02-08 Thread Sathya Bandara
WSO2 Identity and Access Management team is pleased to announce the release
of Identity Server 5.5.0 M4!
Download

You can download WSO2 Identity Server 5.5.0 M4 from here
<https://github.com/wso2/product-is/releases/download/v5.5.0-m4/wso2is-5.5.0-m4.zip>.
How to run

1. Extract the downloaded zip file.

2. Go to the bin directory in the extracted folder.

3. Run the wso2server.sh file if you are on a Linux/Mac OS or run the
wso2server.bat file if you are on a Windows OS.

4. Optionally, if you need to start the OSGi console with the server, use the
-DosgiConsole property when starting the server.

What's new in WSO2 Identity Server 5.5.0 M4


   - Consent Management API
     <https://docs.wso2.com/display/IS550/Consent+Management+Using+REST+APIs>
     to manage user consents for collecting and sharing users' personal
     information.
   - Request Object Support for OIDC
     <https://docs.wso2.com/display/IS550/Request+Object+Support+for+WSO2+Identity+Server>
     providing the ability to send authentication request parameters in a
     self-contained JWT instead of plain request parameters, complying with
     GDPR and PSD2 standards.
   - Store service provider cert in DB instead of the keystore
     <https://docs.wso2.com/display/IS550/Adding+and+Configuring+a+Service+Provider>
     facilitating the upload of Service Provider specific public certificates.
   - UI Based JWT configuration support
     <https://docs.wso2.com/display/IS550/Configuring+OAuth2-OpenID+Connect+Single-Sign-On>
     for configuring service provider specific JWT audiences via the SP OAuth
     config UI.





A list of all the new features and bug fixes shipped with this release can
be found here <https://github.com/wso2/product-is/milestone/18?closed=1>

Online documentation is available at
https://docs.wso2.com/display/IS550/WSO2+Identity+Server+Documentation.


Known Issues

All the open issues pertaining to WSO2 Identity Server are reported at the
following location:

   - IS Runtime <https://github.com/wso2/product-is/issues>



How You Can Contribute

Mailing Lists

Join our mailing list and correspond with the developers directly.

Developer list: dev@wso2.org | Subscribe | Mail Archive
<http://mail.wso2.org/mailarchive/dev/>

User forum: StackOverflow
<http://stackoverflow.com/questions/tagged/wso2is>

Reporting Issues

We encourage you to report issues, improvements, documentation faults, and
feature requests regarding WSO2 Identity Server through WSO2 Identity
Server GIT Issues <https://github.com/wso2/product-is/issues>.

For more information about WSO2 Identity Server, please see
https://wso2.com/identity-and-access-management or visit the WSO2 Oxygen
Tank <http://wso2.com/library/> developer portal for additional resources.


~ The WSO2 Identity and Access Management Team ~


-- 
Sathya Bandara
Software Engineer
WSO2 Inc. http://wso2.com
Mobile: (+94) 715 360 421


[Dev] [Architecture] WSO2 Identity Server 5.5.0-M3 Released!

2018-02-01 Thread Sathya Bandara
The WSO2 Identity and Access Management team is pleased to announce the
release of WSO2 Identity Server 5.5.0 M3
What's new in WSO2 Identity Server 5.5.0 M3

New Features & Bug Fixes: A list of new features and bug fixes shipped with
this release can be found here
<https://github.com/wso2/product-is/milestone/17?closed=1>
Download

You can download WSO2 Identity Server 5.5.0 M3 from here
<https://github.com/wso2/product-is/releases/download/v5.5.0-m3/wso2is-5.5.0-m3.zip>.

Contribute to WSO2 Identity Server

Mailing Lists

Join our mailing lists and correspond with the developers directly. We also
encourage you to take part in discussions related to the product in the
architecture mailing list. If you have any questions regarding the product
you can use our StackOverflow forum to raise them as well.

   - Developer List: dev@wso2.org
   - Architecture List: architect...@wso2.org
   - User Forum: StackOverflow
     <http://stackoverflow.com/questions/tagged/wso2is>

Reporting Issues

We encourage you to report issues, improvements, and feature requests
regarding WSO2 Identity Server through our public WSO2 Identity Server GIT
Issues <https://github.com/wso2/product-is/issues>.


~ The WSO2 Identity and Access Management Team ~


-- 
Sathya Bandara
Software Engineer
WSO2 Inc. http://wso2.com
Mobile: (+94) 715 360 421


[Dev] [Architecture] WSO2 Identity Server 5.5.0-M2 Released!

2018-01-26 Thread Sathya Bandara
The WSO2 Identity and Access Management team is pleased to announce the
release of WSO2 Identity Server 5.5.0 M2
What's new in WSO2 Identity Server 5.5.0 M2

New Features & Bug Fixes: A list of new features and bug fixes shipped with
this release can be found here
<https://github.com/wso2/product-is/milestone/15?closed=1>
Download

You can download WSO2 Identity Server 5.5.0 M2 from here
<https://github.com/wso2/product-is/releases/download/v5.5.0-m2/wso2is-5.5.0-m2.zip>.

Contribute to WSO2 Identity Server

Mailing Lists

Join our mailing lists and correspond with the developers directly. We also
encourage you to take part in discussions related to the product in the
architecture mailing list. If you have any questions regarding the product
you can use our StackOverflow forum to raise them as well.

   - Developer List: dev@wso2.org
   - Architecture List: architect...@wso2.org
   - User Forum: StackOverflow
     <http://stackoverflow.com/questions/tagged/wso2is>

Reporting Issues

We encourage you to report issues, improvements, and feature requests
regarding WSO2 Identity Server through our public WSO2 Identity Server GIT
Issues <https://github.com/wso2/product-is/issues>.


~ The WSO2 Identity and Access Management Team ~


-- 
Sathya Bandara
Software Engineer
WSO2 Inc. http://wso2.com
Mobile: (+94) 715 360 421


Re: [Dev] User with an authenticated session is not prompted for login after SP configuration change

2018-01-20 Thread Sathya Bandara
Hi,

Thanks Tharindu and Farasath for the clarifications.

On Sat, Jan 20, 2018 at 9:12 AM, Farasath Ahamed <farasa...@wso2.com> wrote:

>
>
> On Friday, January 19, 2018, Sathya Bandara <sat...@wso2.com> wrote:
>
>> Hi all,
>>
>> When there is an already authenticated session for an application user
>> with Identity Server, there is no necessity to prompt for another login to
>> the IS if the user logs into the application from another tab in the same
>> browser.
>> However, we can change the service provider's authentication scheme
>> (authentication steps and authenticators in each step) while the user has
>> this session.
>> In this case, if the user tries to log into the application he is not
>> prompted for re-authentication. This is the default behavior of IS.
>> Shouldn't we prompt the user to authenticate if the service provider's
>> authentication scheme is modified or is this an intended behavior?
>>
>> Appreciate your thoughts on this.
>>
>
> The reason for this behaviour is that we cache the service provider
> configuration in the users session context(context created for successful
> authentication ). This session context is stored against the cookie
> (commonauth) used to identify whether the user already has a session in IS.
>
> So whenever a user reauthenticates, the user's authenticated steps/IdPs are
> compared with the cached service provider configs.
>
> When you change the service provider configs it does not get reflected in
> the cached service provider configs in the user's authenticated session.
>
> With the current implementation this is the expected behaviour.
>
> But IMO we should improve this to always fetch the latest service provider
> configs and compare user's authentication steps/IDPs against it. (ie. We
> should avoid caching configurations)
>
> Shall we create a github issue to track this improvement?
>
+1. created a github issue [1] to track this.

>
> Thanks,
>> Sathya
>> --
>> Sathya Bandara
>> Software Engineer
>> WSO2 Inc. http://wso2.com
>> Mobile: (+94) 715 360 421
>>
>
>
> --
> Farasath Ahamed
> Senior Software Engineer, WSO2 Inc.; http://wso2.com
> Mobile: +94777603866
> Blog: blog.farazath.com
> Twitter: @farazath619 <https://twitter.com/farazath619>
>
>
>
>
>
[1] https://github.com/wso2/product-is/issues/2137

-- 
Sathya Bandara
Software Engineer
WSO2 Inc. http://wso2.com
Mobile: (+94) 715 360 421


[Dev] User with an authenticated session is not prompted for login after SP configuration change

2018-01-19 Thread Sathya Bandara
Hi all,

When there is an already authenticated session for an application user with
Identity Server, there is no necessity to prompt for another login to the
IS if the user logs into the application from another tab in the same
browser.
However, we can change the service provider's authentication scheme
(authentication steps and authenticators in each step) while the user has
this session.
In this case, if the user tries to log into the application he is not
prompted for re-authentication. This is the default behavior of IS.
Shouldn't we prompt the user to authenticate if the service provider's
authentication scheme is modified or is this an intended behavior?

Appreciate your thoughts on this.

Thanks,
Sathya
-- 
Sathya Bandara
Software Engineer
WSO2 Inc. http://wso2.com
Mobile: (+94) 715 360 421


[Dev] [Architecture] WSO2 Identity Server 5.5.0-M1 Released!

2018-01-18 Thread Sathya Bandara
The WSO2 Identity and Access Management team is pleased to announce the
release of WSO2 Identity Server 5.5.0 M1
What's new in WSO2 Identity Server 5.5.0 M1

New Features & Bug Fixes: A list of new features and bug fixes shipped with
this release can be found here
<https://github.com/wso2/product-is/milestone/14?closed=1>
Download

You can download WSO2 Identity Server 5.5.0 M1 from here
<https://github.com/wso2/product-is/releases/download/v5.5.0-m1/wso2is-5.5.0-m1.zip>.

Contribute to WSO2 Identity Server

Mailing Lists

Join our mailing lists and correspond with the developers directly. We also
encourage you to take part in discussions related to the product in the
architecture mailing list. If you have any questions regarding the product
you can use our StackOverflow forum to raise them as well.

   - Developer List: dev@wso2.org
   - Architecture List: architect...@wso2.org
   - User Forum: StackOverflow
     <http://stackoverflow.com/questions/tagged/wso2is>

Reporting Issues

We encourage you to report issues, improvements, and feature requests
regarding WSO2 Identity Server through our public WSO2 Identity Server GIT
Issues <https://github.com/wso2/product-is/issues>.


~ The WSO2 Identity and Access Management Team ~


-- 
Sathya Bandara
Software Engineer
WSO2 Inc. http://wso2.com
Mobile: (+94) 715 360 421


Re: [Dev] [Architecture][IS 5.5.0] Conditional steps based on HTTP context

2018-01-18 Thread Sathya Bandara
Hi,

Thanks for the suggestion. I have modified the existing
DefaultRequestCoordinator and removed ConditionalRequestCoordinator since
there are no functional level changes in DefaultRequestCoordinator.

Following is a sample script to enforce conditional authentication based on
the HTTP context.


function(context) {
    // Step 1: the primary authenticator configured for the service provider.
    executeStep({
        id: '1',
        on: {
            success: function (context) {
                if (context.request.cookies.testcookie) {
                    // Cookie set by an earlier successful login: log its
                    // attributes and skip the second step.
                    log.info("--- cookie testcookie found in request.");
                    log.info("--- cookie testcookie.value: " + context.request.cookies.testcookie.value);
                    log.info("--- cookie testcookie.domain: " + context.request.cookies.testcookie.domain);
                    log.info("--- cookie testcookie.max-age: " + context.request.cookies.testcookie["max-age"]);
                    log.info("--- cookie testcookie.path: " + context.request.cookies.testcookie.path);
                    log.info("--- cookie testcookie.secure: " + context.request.cookies.testcookie.secure);
                    log.info("--- cookie testcookie.version: " + context.request.cookies.testcookie.version);
                    log.info("--- cookie testcookie.httpOnly: " + context.request.cookies.testcookie.httpOnly);
                } else {
                    // No cookie yet: require step 2 and, on success, set the
                    // cookie so the next login from this browser skips it.
                    // The fixed cookie value below only demonstrates the
                    // mechanism; anything a browser could fabricate would
                    // need a per-user, unguessable, expiring value instead.
                    executeStep({
                        id: '2',
                        on: {
                            success: function (context) {
                                log.info("--- setting cookie : testcookie");
                                context.response.headers["Set-Cookie"] = "testcookie=1FD36B269C61; Path=/; Secure; HttpOnly; Expires=Wed, 21 Jan 2018 07:28:00 GMT";
                            }
                        }
                    });
                }
            }
        }
    });
}


In the above script, we define a cookie called *testcookie*. At the initial
authentication stage, the user has to go through both step 1 and step 2. If
authentication is successful, we will set a cookie (testcookie) in the
user's browser. At the next login session, if this cookie is found in the
authentication request, user will be authenticated from the first step
itself and the second authentication step will get skipped.

Thanks,
Sathya

On Wed, Jan 17, 2018 at 6:56 PM, Ruwan Abeykoon <ruw...@wso2.com> wrote:

> Hi Sathya,
>
> We can enhance the DefaultRequestCoordinator itself, rather than
> extending and creating new coordinator, as there is no functional change
> done by adding the "request" and "response" to authentication context.
>
> Cheers,
> Ruwan
>
> On Wed, Jan 17, 2018 at 10:40 AM, Sathya Bandara <sat...@wso2.com> wrote:
>
>> Hi all,
>>
>> We are currently working on improving the conditional authentication
>> support using JavaScript feature [1] to be able to handle authentication
>> conditions based on HTTP context.
>>
>> Following is the approach taken to achieve this requirement.
>>
>> In order to store the HTTP request and response I have modified the
>> default AuthenticationContext class to have additional state variables for
>> the authentication request and response(current request and response).
>> These variables are declared as transient such that they will not be used
>> for the object state at serialization. Furthermore, an additional variable
>> will be used to keep a reference to the initial authentication request
>> (initialRequest). When the second request comes, we will only update the
>> current request and response variables.
>>
>> The DefaultRequestCoordinator will be replaced with
>> ConditionalRequestCoordinator. In ConditionalRequestCordinator, inside
>> initializeFlow() method which gets called for the initial authentication
>> request, we instantiate an AuthenticationContext object. To this object, I
>> will set the current request, current response and initial request which is
>> the same as current request for the initial case. From the second request
>> for the ConditionalRequestCoordinator, only the current request and
>> response will be updated.
>>
>> In addition to the changes in the authentication framework, I have
>> implemented JavaScript wrapper classes for the HttpServletRequest and
>> HttpServletResponse Java classes in order to provide access to the
>> request/response state variables within JavaScript. Following are some
>> examples.
>>
>> *Request headers (context.request.headers)*
>>
>> context.request.headers.Authorization - this will give the value of th

Re: [Dev] API Manager with Identity Server as Key Manager - IS secondary user store to connect to APIM Store

2018-01-17 Thread Sathya Bandara
Hi,

On Thu, Jan 18, 2018 at 12:20 PM, Godwin Shrimal <god...@wso2.com> wrote:

> Hi Sathya,
>
> Ideally, user should get authenticated even you send without user store
> domain. right?
>

Yes, the user gets authenticated without the user store domain. If the user is
in the super tenant domain (carbon.super), we can discard the tenant domain as
well.

>
>
> Thanks
> Godwin
>
>
> On Thu, Jan 18, 2018 at 1:15 PM, Sathya Bandara <sat...@wso2.com> wrote:
>
>> Hi Thomas,
>>
>> Can you try with the following curl command.
>>
>> curl -v -X POST --basic -u <client_id>:<client_secret> \
>>   -H "Content-Type:application/x-www-form-urlencoded;charset=UTF-8" -k \
>>   -d "grant_type=password&username=<userstore_domain>/sathya1@carbon.super&password=admin" \
>>   https://localhost:8243/token
>>
>> [1] https://docs.wso2.com/display/AM210/Password+Grant
>>
>> On Wed, Jan 17, 2018 at 7:11 PM, Thomas LEGRAND <
>> thomas.legr...@versusmind.eu> wrote:
>>
>>> Hello,
>>>
>>> I configured the Identity Server (IS) to be the Key Manager of the API
>>> Manager (APIM). In the IS, I configured a secondary user store where I will
>>> have my users of my applications. But, I think I missed something because
>>> when I want to generate a OAuth token for a user stored in this secondary
>>> user store, I have an error:
>>>
>>> My request:
>>>
>>> curl -k -d "grant_type=password&username=<username>&password=<password>" \
>>>   -H "Authorization: Basic <base64(client_id:client_secret)>" \
>>>   https://apim:8243/token
>>>
>>> The response:
>>>
>>> {"error_description":"Authentication failed for
>>> @carbon.super","error":"invalid_grant"}.
>>>
>>> In the application in the store of the APIM, "Password" is ticked so the
>>> grant_type is right.
>>> And I tried with the following pattern for the :
>>> - 
>>> - /
>>> - \
>>>
>>> Can you help me? How can I ensure that the APIM uses all of the user
>>> stores from the IS.
>>>
>>> Regards,
>>>
>>> Thomas
>>>
>>>
>>>
>>
>>
>> --
>> Sathya Bandara
>> Software Engineer
>> WSO2 Inc. http://wso2.com
>> Mobile: (+94) 715 360 421
>>
>>
>
>
> --
> *Godwin Amila Shrimal*
> Associate Technical Lead
> WSO2 Inc.; http://wso2.com
> lean.enterprise.middleware
>
> mobile: *+94772264165*
> linkedin: *https://www.linkedin.com/in/godwin-amila-2ba26844/
> <https://www.linkedin.com/in/godwin-amila-2ba26844/>*
> twitter: https://twitter.com/godwinamila
>



-- 
Sathya Bandara
Software Engineer
WSO2 Inc. http://wso2.com
Mobile: (+94) 715 360 421


Re: [Dev] API Manager with Identity Server as Key Manager - IS secondary user store to connect to APIM Store

2018-01-17 Thread Sathya Bandara
Hi Thomas,

Can you try with the following curl command.

curl -v -X POST --basic -u <client_id>:<client_secret> \
  -H "Content-Type:application/x-www-form-urlencoded;charset=UTF-8" -k \
  -d "grant_type=password&username=<userstore_domain>/sathya1@carbon.super&password=admin" \
  https://localhost:8243/token

[1] https://docs.wso2.com/display/AM210/Password+Grant

On Wed, Jan 17, 2018 at 7:11 PM, Thomas LEGRAND <
thomas.legr...@versusmind.eu> wrote:

> Hello,
>
> I configured the Identity Server (IS) to be the Key Manager of the API
> Manager (APIM). In the IS, I configured a secondary user store where I will
> have my users of my applications. But, I think I missed something because
> when I want to generate a OAuth token for a user stored in this secondary
> user store, I have an error:
>
> My request:
>
> curl -k -d "grant_type=password=="
> -H "Authorization: Basic "
> https://apim:8243/token
>
> The response:
>
> {"error_description":"Authentication failed for @carbon.super","
> error":"invalid_grant"}.
>
> In the application in the store of the APIM, "Password" is ticked so the
> grant_type is right.
> And I tried with the following pattern for the :
> - 
> - /
> - \
>
> Can you help me? How can I ensure that the APIM uses all of the user
> stores from the IS.
>
> Regards,
>
> Thomas
>
> ___
> Dev mailing list
> Dev@wso2.org
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>
>


-- 
Sathya Bandara
Software Engineer
WSO2 Inc. http://wso2.com
Mobile: (+94) 715 360 421
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


[Dev] [Architecture][IS 5.5.0] Conditional steps based on HTTP context

2018-01-16 Thread Sathya Bandara
Hi all,

We are currently working on improving the conditional authentication
support using JavaScript feature [1] to be able to handle authentication
conditions based on HTTP context.

Following is the approach taken to achieve this requirement.

In order to store the HTTP request and response I have modified the default
AuthenticationContext class to have additional state variables for the
authentication request and response(current request and response). These
variables are declared as transient such that they will not be used for the
object state at serialization. Furthermore, an additional variable will be
used to keep a reference to the initial authentication request
(initialRequest). When the second request comes, we will only update the
current request and response variables.

The DefaultRequestCoordinator will be replaced with
ConditionalRequestCoordinator. In ConditionalRequestCoordinator, inside
initializeFlow() method which gets called for the initial authentication
request, we instantiate an AuthenticationContext object. To this object, I
will set the current request, current response and initial request which is
the same as current request for the initial case. From the second request
for the ConditionalRequestCoordinator, only the current request and
response will be updated.

In addition to the changes in the authentication framework, I have
implemented JavaScript wrapper classes for the HttpServletRequest and
HttpServletResponse Java classes in order to provide access to the
request/response state variables within JavaScript. Following are some
examples.

*Request headers (context.request.headers)*

context.request.headers.Authorization - this will give the value of the
Authorization header.

*Request parameters (context.request.params)*

context.request.params.redirect_uri - this will give the value of the
request parameter redirect_uri

*Cookies in request (context.request.cookies)*

context.request.cookies.commonAuthId - this will create a JavaScript wrapper
for the Cookie Java class. We can access individual cookie attributes using
this wrapper as follows.

context.request.cookies.commonAuthId.domain
context.request.cookies.commonAuthId.value

In the request, we can only query existing attributes (headers and request
parameters); we cannot add or modify values.

A similar approach was used for the HttpServletResponse class as well.
However, in HttpServletResponse we have the capability to add new headers
to the response.

*Adding headers to the response*

In order to wrap the setHeader() in JavaScript, I used the following
implementation.

import java.util.Map;

import javax.servlet.http.HttpServletResponse;
import jdk.nashorn.api.scripting.AbstractJSObject;

public class JsHeaders extends AbstractJSObject {

    // existing response headers, keyed by header name
    private Map<String, Object> wrapped;
    private HttpServletResponse response;

    public JsHeaders(Map<String, Object> wrapped, HttpServletResponse response) {

        this.wrapped = wrapped;
        this.response = response;
    }

    // Called by Nashorn for context.response.headers.<name> = value
    @Override
    public void setMember(String name, Object value) {

        if (wrapped == null) {
            super.setMember(name, value);
        } else {
            wrapped.put(name, value);
            // replaces the value if a header with this name already exists
            response.setHeader(name, (String) value);
        }
    }
}

Here, I keep the existing headers in a map. Whenever
context.response.headers is called, an instance of the JsHeaders wrapper
is returned which contains the header map and a reference to the response.
Once a new header is added, as in the example context.response.headers.Authorization
= "sample_value", the setMember() function is called. It will add the
header (header name and value) to the referenced response.

e.g. context.response.headers["Content-Type"] = 'application/json'


*Adding cookies to the response *

Similarly, when adding a new cookie to the response, we will add a new
header to the response with the header name 'set-cookie'. This is similar
to the approach used in nodejs [2].

response.headers["set-cookie"] or response.headers.set-cookie can be used.

An example would be as follows.

response.headers["Set-Cookie"] = ['crsftoken=xssometokenx',
'language=javascript']

Highly appreciate your thoughts and suggestions.

[1] [Architecture] Conditional Authentication Support on WSO2 Identity
Server
[2] https://nodejs.org/api/http.html#http_response_setheader_name_value
<https://nodejs.org/docs/v0.4.0/api/http.html#response.setHeader>

Thanks,
Sathya

-- 
Sathya Bandara
Software Engineer
WSO2 Inc. http://wso2.com
Mobile: (+94) 715 360 421
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
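The wrapper semantics described in the post above, as an added example in plain JavaScript that is not WSO2 code: a read-only view for request headers, a response-header view whose assignment replaces an existing value (as JsHeaders.setMember() does), one Set-Cookie header per cookie, and a refusal of CR/LF in values set from a script. FakeResponse is a constructed stand-in for HttpServletResponse; the example uses Proxy, so it runs under Node rather than inside a Nashorn script.

```javascript
// Added example, not WSO2 code: models the wrapper behaviour the post describes
// so it can be exercised without a Nashorn/servlet runtime.

// Constructed stand-in for HttpServletResponse: lower-cased name -> [values]
class FakeResponse {
  constructor() { this.headers = new Map(); }
  setHeader(name, value) { this.headers.set(name.toLowerCase(), [String(value)]); }
  addHeader(name, value) {
    const key = name.toLowerCase();
    this.headers.set(key, (this.headers.get(key) || []).concat(String(value)));
  }
  getHeaders(name) { return this.headers.get(name.toLowerCase()) || []; }
}

// A header value containing CR or LF would let a script-supplied value split
// the response into extra headers, so such values are refused outright.
function assertSingleLine(value) {
  if (/[\r\n]/.test(String(value))) {
    throw new Error('header value must not contain CR or LF');
  }
}

// context.request.headers: existing attributes can be read but not added or modified.
function wrapRequestHeaders(headers) {
  const readOnly = () => { throw new TypeError('request headers are read-only'); };
  return new Proxy({ ...headers }, { set: readOnly, deleteProperty: readOnly });
}

// context.response.headers: assignment forwards to response.setHeader(), which
// replaces any existing value of that name, as JsHeaders.setMember() does.
function wrapResponseHeaders(response) {
  return new Proxy({}, {
    set(target, name, value) {
      if (typeof name !== 'string') return false;
      if (name.toLowerCase() === 'set-cookie') {
        // One Set-Cookie header per cookie; the first call replaces, later calls add.
        const cookies = Array.isArray(value) ? value : [value];
        cookies.forEach((cookie, i) => {
          assertSingleLine(cookie);
          if (i === 0) response.setHeader('Set-Cookie', cookie);
          else response.addHeader('Set-Cookie', cookie);
        });
        target[name] = cookies.map(String);
        return true;
      }
      assertSingleLine(value);
      target[name] = String(value);
      response.setHeader(name, value);
      return true;
    },
  });
}

// Runs the script-level operations from the post against the wrappers and
// returns what ended up on the response.
function demo() {
  const request = { headers: wrapRequestHeaders({ Authorization: 'Basic Zm9vOmJhcg==' }) };
  const response = new FakeResponse();
  const context = { request, response: { headers: wrapResponseHeaders(response) } };

  const authHeader = context.request.headers.Authorization;
  let requestModified = true;
  try { context.request.headers.Authorization = 'changed'; } catch (e) { requestModified = false; }

  context.response.headers['Content-Type'] = 'text/html';
  context.response.headers['Content-Type'] = 'application/json'; // replaces text/html
  context.response.headers['Set-Cookie'] = ['crsftoken=xssometokenx; HttpOnly; Secure',
                                            'language=javascript; Secure'];
  let multilineRejected = false;
  try { context.response.headers['X-Test'] = 'ok\r\nX-Extra: 1'; } catch (e) { multilineRejected = true; }

  return {
    authHeader,
    requestModified,
    contentType: response.getHeaders('Content-Type'),
    cookies: response.getHeaders('Set-Cookie'),
    multilineRejected,
  };
}
```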


[Dev] WSO2 Identity Server 5.5.0 is ready for the release process

2018-01-11 Thread Sathya Bandara
The WSO2 Identity and Access Management team is pleased to announce that the
WSO2 Identity Server 5.5.0 branch is ready to be released. We have
performed a dry release to verify and confirm that the release process for WSO2
Identity Server 5.5.0-M1 is now in a ready state.
You can build the distribution from the source tag, following the steps
given below.

*Building from the source*

   1. Install Java 8 or above
   2. Install Apache Maven 3.x.x (https://maven.apache.org/download.cgi#)
   3. Get the source:
      - You can directly download the source from
        https://github.com/wso2/product-is/tree/5.5.x
   4. Run one of the below Maven commands from the product-is directory:
      - *mvn clean install* (to build the binary and source distributions
        with the tests)
      - *mvn clean install -Dmaven.test.skip=true* (to build the binary
        and source distributions without running any of the
        unit/integration tests)
   5. You can find the binary distribution in the
      product-is/modules/distribution/target directory.

What's new in WSO2 Identity Server 5.5.0 (As Of 2018 Jan 11)

New feature: Conditional Authentication Support using JavaScript
<https://github.com/wso2/carbon-identity-framework/issues/1253>

<https://github.com/wso2/product-is/milestone/11?closed=1>

Contribute to WSO2 Identity Server

Mailing Lists

Join our mailing lists and correspond with the developers directly. We also
encourage you to take part in discussions related to the product in the
architecture mailing list. If you have any questions regarding the product
you can use our StackOverflow forum to raise them as well.

   - Developer List: dev@wso2.org
   - Architecture List: architect...@wso2.org
   - User Forum: StackOverflow
     <http://stackoverflow.com/questions/tagged/wso2is>

Reporting Issues

We encourage you to report issues, improvements, and feature requests
regarding WSO2 Identity Server through our public WSO2 Identity Server GIT
Issues <https://github.com/wso2/product-is/issues>.


~ The WSO2 Identity and Access Management Team ~


-- 
Sathya Bandara
Software Engineer
WSO2 Inc. http://wso2.com
Mobile: (+94) 715 360 421
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


[Dev] Sample authenticators for multi-factor authentication schemes

2018-01-10 Thread Sathya Bandara
Hi all,

I'm currently working on adding sample authenticators to product-is (WSO2
Identity Server 5.5.0) which can be used to demonstrate multi-factor
authentication schemes [1]. This includes the following local
authenticators.

   - Sample fingerprint authenticator
   - Sample retina authenticator
   - Sample hardware key authenticator

In addition, these authenticators can be used to test and verify the
end-to-end flow of conditional authentication support using JavaScript
feature [2].

[1] https://github.com/wso2/product-is/pull/2024
[2] Mail subject "[Architecture] Conditional Authentication Support on WSO2
Identity Server"

Thanks,
Sathya

-- 
Sathya Bandara
Software Engineer
WSO2 Inc. http://wso2.com
Mobile: (+94) 715 360 421
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


[Dev] Branch feature-OIDC-enh-5.3.x in product-is is renamed as 5.5.x

2018-01-04 Thread Sathya Bandara
Hi all,

We have done the $subject. We will be using this branch for Identity Server
5.5.0 development work and releases.

Thanks,
Sathya

-- 
Sathya Bandara
Software Engineer
WSO2 Inc. http://wso2.com
Mobile: (+94) 715 360 421
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


Re: [Dev] How to configure SCIM to generate an email when ask password option is provided for user creation

2017-11-04 Thread Sathya Bandara
On Nov 4, 2017 12:27 PM, "Sashika Wijesinghe" <sash...@wso2.com> wrote:

> Hi Sathya,
>
> Thanks for the configuration requirements provided above. It helps to
> resolve the issue.
>
> According to the current implementation, since we are mapping the claims
> for SCIM extension isn't it better to have the claim configurations mapped
> in the scim-schema-extension.config itself when we bundle the pack rather
> than asking the user to add these configurations manually?
>

+1 to this. I think we should provide the relevant claim mappings OOTB for
the extension attributes which are already defined in
scim-schema-extension.config other than the default SCIM attributes, including
these two attributes. If the user wants to define custom extension
attributes then we can provide the necessary configuration details to do claim
mappings with local claims.

Thanks,
Sathya


> Thanks
> Sashika



On Fri, Nov 3, 2017 at 9:37 PM, Sathya Bandara <sat...@wso2.com> wrote:

> Hi Sashika,
>
> I guess the documentation is missing some configuration details. The
> askPassword and verifyEmail extension attributes should be configured in
> $SERVER_HOME/repository/conf/scim-schema-extension.config file in
> addition to the other extension attributes which are already defined there,
> as follows.
>
> {
> "attributeURI":"urn:scim:schemas:extension:wso2:1.0:wso2Exte
> nsion.askPassword",
> "attributeName":"askPassword",
> "dataType":"boolean",
> "multiValued":"false",
> "multiValuedAttributeChildName":"null",
> "description":"The User's manager",
> "schemaURI":"urn:scim:schemas:extension:wso2:1.0",
> "readOnly":"false",
> "required":"false",
> "caseExact":"false",
> "subAttributes":"null"
> },
>
>
> {
> "attributeURI":"urn:scim:schemas:extension:wso2:1.0:wso2Exte
> nsion.verifyEmail",
> "attributeName":"verifyEmail",
> "dataType":"boolean",
> "multiValued":"false",
> "multiValuedAttributeChildName":"null",
> "description":"The User's manager",
> "schemaURI":"urn:scim:schemas:extension:wso2:1.0",
> "readOnly":"false",
> "required":"false",
> "caseExact":"false",
> "subAttributes":"null"
> },
>
> These two attributes should be added to the list of subAttributes of the
> urn:scim:schemas:extension:wso2:1.0 entry, which can be found at the end of
> the scim-schema-extension.config file as shown below.
>
> {
> "attributeURI":"urn:scim:schemas:extension:wso2:1.0",
> "attributeName":"wso2Extension",
> "dataType":"null",
> "multiValued":"false",
> "multiValuedAttributeChildName":"null",
> "description":"SCIM wso2 User Schema Extension",
> "schemaURI":"urn:scim:schemas:extension:wso2:1.0",
> "readOnly":"false",
> "required":"false",
> "caseExact":"false",
> "subAttributes":"employeeNumber costCenter organization division
> department manager askPassword verifyEmail"
> }
>
>
> Also, the correct approach to create claim mappings for SCIM extension
> attributes is by configuring external claims for the default SCIM dialect
> (scim:schemas:core:1.0) and not by creating a separate dialect for the
> extension schema (scim:schemas:extension:wso2:1.0:wso2Extension). This is
> already identified in [1] and the relevant documents have been updated.
> Please refer to the Claim Mapping section in [2]. Also I will create a Doc JIRA to
> improve the documentation with the necessary configuration details in [3].
>
>
> [1] https://wso2.org/jira/browse/DOCUMENTATION-4647
> [2] https://docs.wso2.com/display/IS530/Extensible+SCIM+User+Sch
> emas+With+WSO2+Identity+Server
> [3] https://docs.wso2.com/display/IS530/Creating+Users+using+the
> +Ask+Password+Option
>
> Thanks,
> Sathya
>
>
>
> On Fri, Nov 3, 2017 at 2:46 PM, Sashika Wijesinghe <sash...@wso2.com>
> wrote:
>
>> Hi All,
>>
>> I want to create users with ask password option using SCIM 1.1. I have
>> configured the server as documented in [1].
>>
>> The below curl command is used to create the user. After executing the
>> curl command, the user created successfully but did not receive any email
>> notification for the given email address. This works when I created a user
>> fr

Re: [Dev] How to configure SCIM to generate an email when ask password option is provided for user creation

2017-11-03 Thread Sathya Bandara
Hi Sashika,

I guess the documentation is missing some configuration details. The
askPassword and verifyEmail extension attributes should be configured in
$SERVER_HOME/repository/conf/scim-schema-extension.config file in addition
to the other extension attributes which are already defined there, as
follows.

{
"attributeURI":"urn:scim:schemas:extension:wso2:1.0:wso2Extension.askPassword",
"attributeName":"askPassword",
"dataType":"boolean",
"multiValued":"false",
"multiValuedAttributeChildName":"null",
"description":"The User's manager",
"schemaURI":"urn:scim:schemas:extension:wso2:1.0",
"readOnly":"false",
"required":"false",
"caseExact":"false",
"subAttributes":"null"
},


{
"attributeURI":"urn:scim:schemas:extension:wso2:1.0:wso2Extension.verifyEmail",
"attributeName":"verifyEmail",
"dataType":"boolean",
"multiValued":"false",
"multiValuedAttributeChildName":"null",
"description":"The User's manager",
"schemaURI":"urn:scim:schemas:extension:wso2:1.0",
"readOnly":"false",
"required":"false",
"caseExact":"false",
"subAttributes":"null"
},

These two attributes should be added to the list of subAttributes of the
urn:scim:schemas:extension:wso2:1.0 entry, which can be found at the end of
the scim-schema-extension.config file as shown below.

{
"attributeURI":"urn:scim:schemas:extension:wso2:1.0",
"attributeName":"wso2Extension",
"dataType":"null",
"multiValued":"false",
"multiValuedAttributeChildName":"null",
"description":"SCIM wso2 User Schema Extension",
"schemaURI":"urn:scim:schemas:extension:wso2:1.0",
"readOnly":"false",
"required":"false",
"caseExact":"false",
"subAttributes":"employeeNumber costCenter organization division department
manager askPassword verifyEmail"
}


Also, the correct approach to create claim mappings for SCIM extension
attributes is by configuring external claims for the default SCIM dialect
(scim:schemas:core:1.0) and not by creating a separate dialect for the
extension schema (scim:schemas:extension:wso2:1.0:wso2Extension). This is
already identified in [1] and the relevant documents have been updated.
Please refer to the Claim Mapping section in [2]. Also I will create a Doc JIRA to
improve the documentation with the necessary configuration details in [3].


[1] https://wso2.org/jira/browse/DOCUMENTATION-4647
[2]
https://docs.wso2.com/display/IS530/Extensible+SCIM+User+Schemas+With+WSO2+Identity+Server
[3]
https://docs.wso2.com/display/IS530/Creating+Users+using+the+Ask+Password+Option

Thanks,
Sathya



On Fri, Nov 3, 2017 at 2:46 PM, Sashika Wijesinghe <sash...@wso2.com> wrote:

> Hi All,
>
> I want to create users with ask password option using SCIM 1.1. I have
> configured the server as documented in [1].
>
> The below curl command is used to create the user. After executing the
> curl command, the user created successfully but did not receive any email
> notification for the given email address. This works when I created a user
> from the management console and SOAP admin service.
>
> Do we need any further configurations to get this done with SCIM 1.1?
>
> curl -v -k --user admin:admin --data "{"schemas":[],"userName":"
> neels","password":"password","wso2Extension":{"askPassword":
> "true"},"emails":"sash...@wso2.com"}" --header "Content-Type:application/json"
> https://localhost:9444/wso2/scim/Users
>
> [1] https://docs.wso2.com/display/IS530/Creating+Users+
> using+the+Ask+Password+Option
>
> Thanks
> Sashika
>
>
>
>
> --
>
> *Sashika WijesingheSoftware Engineer - QA Team*
> Mobile : +94 (0) 774537487
> sash...@wso2.com
>



-- 
Sathya Bandara
Software Engineer
WSO2 Inc. http://wso2.com
Mobile: (+94) 715 360 421
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
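The two configuration steps from the replies above (adding the askPassword and verifyEmail entries, then listing them under the wso2Extension entry's subAttributes), as an added example that is not the product's own code: it applies both steps to a scim-schema-extension.config-style JSON array and checks that every listed sub-attribute has an entry with the expected attributeURI and that no extension entry is left unlisted. The sample array is constructed here in the file's shape and contains far fewer entries than the shipped file.

```javascript
// Added example, not the product's code: edits and checks a
// scim-schema-extension.config-style array as the replies above describe.
const EXT_SCHEMA = 'urn:scim:schemas:extension:wso2:1.0';

// Constructed sample in the file's shape (the shipped file has more entries).
const SAMPLE_CONFIG = JSON.stringify([
  {
    attributeURI: `${EXT_SCHEMA}:wso2Extension.employeeNumber`,
    attributeName: 'employeeNumber', dataType: 'string', multiValued: 'false',
    multiValuedAttributeChildName: 'null', description: 'Employee number',
    schemaURI: EXT_SCHEMA, readOnly: 'false', required: 'false',
    caseExact: 'false', subAttributes: 'null',
  },
  {
    attributeURI: EXT_SCHEMA, attributeName: 'wso2Extension', dataType: 'null',
    multiValued: 'false', multiValuedAttributeChildName: 'null',
    description: 'SCIM wso2 User Schema Extension', schemaURI: EXT_SCHEMA,
    readOnly: 'false', required: 'false', caseExact: 'false',
    subAttributes: 'employeeNumber',
  },
], null, 4);

// An entry in the same shape as the askPassword / verifyEmail entries above.
function booleanExtensionAttribute(name, description) {
  return {
    attributeURI: `${EXT_SCHEMA}:wso2Extension.${name}`,
    attributeName: name, dataType: 'boolean', multiValued: 'false',
    multiValuedAttributeChildName: 'null', description,
    schemaURI: EXT_SCHEMA, readOnly: 'false', required: 'false',
    caseExact: 'false', subAttributes: 'null',
  };
}

// subAttributes is a space-separated list, or the string "null" when empty.
function splitSubAttributes(root) {
  return root.subAttributes === 'null' ? [] : root.subAttributes.trim().split(/\s+/);
}

// Adds the given boolean attributes (name -> description) and lists them under
// wso2Extension. Returns the updated config text; running it twice yields the same text.
function addExtensionAttributes(configText, attrs) {
  const entries = JSON.parse(configText);
  const byName = new Map(entries.map((e) => [e.attributeName, e]));
  const root = byName.get('wso2Extension');
  if (!root || root.attributeURI !== EXT_SCHEMA) {
    throw new Error('wso2Extension root entry not found');
  }
  const subs = splitSubAttributes(root);
  for (const [name, description] of Object.entries(attrs)) {
    if (!byName.has(name)) {
      const entry = booleanExtensionAttribute(name, description);
      entries.splice(entries.indexOf(root), 0, entry); // keep the root entry last
      byName.set(name, entry);
    }
    if (!subs.includes(name)) subs.push(name);
  }
  root.subAttributes = subs.join(' ');
  return JSON.stringify(entries, null, 4);
}

// Reports whether both steps were completed: every name listed under
// wso2Extension has its own entry with the matching attributeURI, and every
// extension-schema entry is listed there.
function validateExtensionConfig(configText) {
  const entries = JSON.parse(configText);
  const byName = new Map(entries.map((e) => [e.attributeName, e]));
  const root = byName.get('wso2Extension');
  if (!root) return ['wso2Extension root entry not found'];
  const subs = splitSubAttributes(root);
  const problems = [];
  for (const s of subs) {
    const entry = byName.get(s);
    if (!entry) {
      problems.push(`${s} is listed in subAttributes but has no entry`);
    } else if (entry.attributeURI !== `${EXT_SCHEMA}:wso2Extension.${s}`) {
      problems.push(`${s} has an unexpected attributeURI: ${entry.attributeURI}`);
    }
  }
  for (const [name, entry] of byName) {
    if (name !== 'wso2Extension' && entry.schemaURI === EXT_SCHEMA && !subs.includes(name)) {
      problems.push(`${name} is defined but not listed in wso2Extension.subAttributes`);
    }
  }
  return problems;
}
```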


Re: [Dev] Public JIRA resolved as Not A Bug without Reason

2017-09-16 Thread Sathya Bandara
Hi Johann,

Sorry, I missed it, and thanks for pointing it out. This issue occurred due
to a misconfiguration: JIT provisioning needs to be enabled for federated users
before they can be outbound provisioned with this setup. I will update the
ticket with the reason for the resolution.

Thanks,
Sathya

On Sat, Sep 16, 2017 at 6:40 PM, Johann Nallathamby <joh...@wso2.com> wrote:

> Sathya/IAM Folks,
>
> It is not acceptable to resolve JIRAs without any reason. Can we please
> include the reason as why it is not a bug? To me it looks like a clear bug.
>
> [1] https://wso2.org/jira/browse/IDENTITY-6375
>
> Thanks & Regards,
> Johann.
>
> --
>
> *Johann Dilantha Nallathamby*
> Senior Lead Solutions Engineer
> WSO2, Inc.
> lean.enterprise.middleware
>
> Mobile - *+9476950*
> Blog - *http://nallaa.wordpress.com <http://nallaa.wordpress.com>*
>



-- 
Sathya Bandara
Software Engineer
WSO2 Inc. http://wso2.com
Mobile: (+94) 715 360 421
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


[Dev] Please review and merge the PR

2017-09-13 Thread Sathya Bandara
Hi,

Can you please review and merge the PR [1]. This is regarding the Issue [2].

[1] https://github.com/wso2/carbon-deployment/pull/273
[2] https://github.com/wso2/carbon-deployment/issues/274


Thanks,
Sathya
-- 
Sathya Bandara
Software Engineer
WSO2 Inc. http://wso2.com
Mobile: (+94) 715 360 421
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


Re: [Dev] [IS] [SCIM] Why Can't We Enable Both SCIM1 and SCIM2 at the Same Time?

2017-08-31 Thread Sathya Bandara
On Thu, Aug 31, 2017 at 2:18 PM, Johann Nallathamby <joh...@wso2.com> wrote:

> Hi Sathya,
>
> On Thu, Aug 31, 2017 at 12:29 PM, Sathya Bandara <sat...@wso2.com> wrote:
>
>> Hi Johann,
>>
>> IMO having two separate LDAP attributes for the same claims in both SCIM1
>> and SCIM2 would be redundant and cause problems in maintaining user
>> attributes.
>>
>
> True. I didn't say this is the correct solution. I only mentioned it as a
> work around for someone who wants to use both without any conflicts until
> we find a alternative or deprecate SCIM 1.1 :)
>
>
>> If we need to have both listeners enabled at the time I would suggest to
>> use a common util method to generate IDs and do the mappings for the claims
>> that are common to both protocols.
>>
>
> Didn't get how this would help exactly. May be I am missing some context.
>
> However, after reading through your first reply again, now I have another
> question. Why do both the listeners get executed when adding a new user? I
> know they both will get triggered. But can't we look at the dialect URI at
> the top and skip the execution if it's not for that listener?
>
When adding a user through the normal approach (management console) when SCIM
is enabled, it is not possible to figure out the dialect URI. In this case
this will not work AFAIU.

Thanks,
Sathya

> Regards,
> Johann.
>
>
>>
>> Thanks,
>> Sathya
>>
>> On Thu, Aug 31, 2017 at 11:37 AM, Johann Nallathamby <joh...@wso2.com>
>> wrote:
>>
>>> Will it work if we have two separate attributes for the problematic
>>> attributes like SCIM ID? If that works I guess that is one solution.
>>>
>>> Or we need to have one listener for both SCIM 1 and SCIM2. But don't
>>> think that's a good solution. Introduces direct coupling between two
>>> implementations.
>>>
>>> Regards,
>>> Johann.
>>>
>>> On Wed, Aug 30, 2017 at 6:33 PM, Sathya Bandara <sat...@wso2.com> wrote:
>>>
>>>> Hi Thilina,
>>>>
>>>> If we enable both SCIM1 and SCIM2 listeners at the same time two
>>>> different SCIM IDs will be generated for the same user when adding a new
>>>> user through SCIM. Also both SCIM1 and SCIM2 claims are mapped to the same
>>>> LDAP user attributes. Even though both listeners get triggered only the
>>>> SCIM1 ID is mapped to the user ID attribute. But the SCIM2 user creation
>>>> response will contain the SCIM ID generated by SCIM2 listener.
>>>>
>>>> Thanks,
>>>> Sathya
>>>>
>>>> On Wed, Aug 30, 2017 at 6:25 PM, Thilina Madumal <thilina...@wso2.com>
>>>> wrote:
>>>>
>>>>>
>>>>> Hi all,
>>>>>
>>>>> While I was trying to fix IDENTITY-6315
>>>>> <https://wso2.org/jira/browse/IDENTITY-6315> I got to know that we
>>>>> can't enable both SCIM1 and SCIM2 at the same time in WSO2 Identity 
>>>>> Server.
>>>>> Is it because of this specific issue or is there any other reasons?
>>>>>
>>>>> Thanks & Regards,
>>>>> Thilina.
>>>>>
>>>>> --
>>>>> *Thilina Madumal*
>>>>> *Software Engineer | **WSO2*
>>>>> Email: thilina...@wso2.com
>>>>> Mobile: *+ <+94%2077%20767%201807>94 774553167*
>>>>> Web:  <http://goog_716986954>http://wso2.com
>>>>>
>>>>> <http://wso2.com/signature>
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Sathya Bandara
>>>> Software Engineer
>>>> WSO2 Inc. http://wso2.com
>>>> Mobile: (+94) 715 360 421 <+94%2071%20411%205032>
>>>>
>>>> <+94%2071%20411%205032>
>>>>
>>>> ___
>>>> Dev mailing list
>>>> Dev@wso2.org
>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>
>>>>
>>>
>>>
>>> --
>>> Thanks & Regards,
>>>
>>> *Johann Dilantha Nallathamby*
>>> Senior Lead Solutions Engineer
>>> WSO2, Inc.
>>> lean.enterprise.middleware
>>>
>>> Mobile - *+9476950*
>>> Blog - *http://nallaa.wordpress.com <http://nallaa.wordpress.com>*
>>>
>>
>>
>>
>> --
>> Sathya Bandara
>> Software Engineer
>> WSO2 Inc. http://wso2.com
>> Mobile: (+94) 715 360 421 <+94%2071%20411%205032>
>>
>> <+94%2071%20411%205032>
>>
>
>
>
> --
> Thanks & Regards,
>
> *Johann Dilantha Nallathamby*
> Senior Lead Solutions Engineer
> WSO2, Inc.
> lean.enterprise.middleware
>
> Mobile - *+9476950*
> Blog - *http://nallaa.wordpress.com <http://nallaa.wordpress.com>*
>



-- 
Sathya Bandara
Software Engineer
WSO2 Inc. http://wso2.com
Mobile: (+94) 715 360 421
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


Re: [Dev] [IS] [SCIM] Why Can't We Enable Both SCIM1 and SCIM2 at the Same Time?

2017-08-31 Thread Sathya Bandara
Hi Johann,

IMO having two separate LDAP attributes for the same claims in both SCIM1
and SCIM2 would be redundant and cause problems in maintaining user
attributes. If we need to have both listeners enabled at the same time, I would
suggest using a common util method to generate IDs and do the mappings for
the claims that are common to both protocols.

Thanks,
Sathya

On Thu, Aug 31, 2017 at 11:37 AM, Johann Nallathamby <joh...@wso2.com>
wrote:

> Will it work if we have two separate attributes for the problematic
> attributes like SCIM ID? If that works I guess that is one solution.
>
> Or we need to have one listener for both SCIM 1 and SCIM2. But don't think
> that's a good solution. Introduces direct coupling between two
> implementations.
>
> Regards,
> Johann.
>
> On Wed, Aug 30, 2017 at 6:33 PM, Sathya Bandara <sat...@wso2.com> wrote:
>
>> Hi Thilina,
>>
>> If we enable both SCIM1 and SCIM2 listeners at the same time two
>> different SCIM IDs will be generated for the same user when adding a new
>> user through SCIM. Also both SCIM1 and SCIM2 claims are mapped to the same
>> LDAP user attributes. Even though both listeners get triggered only the
>> SCIM1 ID is mapped to the user ID attribute. But the SCIM2 user creation
>> response will contain the SCIM ID generated by SCIM2 listener.
>>
>> Thanks,
>> Sathya
>>
>> On Wed, Aug 30, 2017 at 6:25 PM, Thilina Madumal <thilina...@wso2.com>
>> wrote:
>>
>>>
>>> Hi all,
>>>
>>> While I was trying to fix IDENTITY-6315
>>> <https://wso2.org/jira/browse/IDENTITY-6315> I got to know that we
>>> can't enable both SCIM1 and SCIM2 at the same time in WSO2 Identity Server.
>>> Is it because of this specific issue or is there any other reasons?
>>>
>>> Thanks & Regards,
>>> Thilina.
>>>
>>> --
>>> *Thilina Madumal*
>>> *Software Engineer | **WSO2*
>>> Email: thilina...@wso2.com
>>> Mobile: *+ <+94%2077%20767%201807>94 774553167*
>>> Web:  <http://goog_716986954>http://wso2.com
>>>
>>> <http://wso2.com/signature>
>>>
>>>
>>
>>
>> --
>> Sathya Bandara
>> Software Engineer
>> WSO2 Inc. http://wso2.com
>> Mobile: (+94) 715 360 421 <+94%2071%20411%205032>
>>
>> <+94%2071%20411%205032>
>>
>> ___
>> Dev mailing list
>> Dev@wso2.org
>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>
>>
>
>
> --
> Thanks & Regards,
>
> *Johann Dilantha Nallathamby*
> Senior Lead Solutions Engineer
> WSO2, Inc.
> lean.enterprise.middleware
>
> Mobile - *+9476950*
> Blog - *http://nallaa.wordpress.com <http://nallaa.wordpress.com>*
>



-- 
Sathya Bandara
Software Engineer
WSO2 Inc. http://wso2.com
Mobile: (+94) 715 360 421
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


Re: [Dev] [IS] [SCIM] Why Can't We Enable Both SCIM1 and SCIM2 at the Same Time?

2017-08-30 Thread Sathya Bandara
Hi Thilina,

If we enable both SCIM1 and SCIM2 listeners at the same time, two different
SCIM IDs will be generated for the same user when adding a new user through
SCIM. Also, both SCIM1 and SCIM2 claims are mapped to the same LDAP user
attributes. Even though both listeners get triggered, only the SCIM1 ID is
mapped to the user ID attribute, but the SCIM2 user creation response will
contain the SCIM ID generated by the SCIM2 listener.

Thanks,
Sathya

On Wed, Aug 30, 2017 at 6:25 PM, Thilina Madumal <thilina...@wso2.com>
wrote:

>
> Hi all,
>
> While I was trying to fix IDENTITY-6315
> <https://wso2.org/jira/browse/IDENTITY-6315> I got to know that we can't
> enable both SCIM1 and SCIM2 at the same time in WSO2 Identity Server.
> Is it because of this specific issue or is there any other reasons?
>
> Thanks & Regards,
> Thilina.
>
> --
> *Thilina Madumal*
> *Software Engineer | **WSO2*
> Email: thilina...@wso2.com
> Mobile: *+ <+94%2077%20767%201807>94 774553167*
> Web:  <http://goog_716986954>http://wso2.com
>
> <http://wso2.com/signature>
>
>


-- 
Sathya Bandara
Software Engineer
WSO2 Inc. http://wso2.com
Mobile: (+94) 715 360 421
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


Re: [Dev] Audience(aud) value in OpenID Connect ID Token vs Token Introspection response

2017-08-27 Thread Sathya Bandara
On Wed, Aug 23, 2017 at 7:27 PM, Prabath Siriwardena <prab...@wso2.com>
wrote:

>
>
> On Wed, Aug 23, 2017 at 4:32 AM, Sathya Bandara <sat...@wso2.com> wrote:
>
>> Hi,
>>
>> The aud claim in id token is used to identify to which parties the JWT is
>> intended for. If the client application needs to process the JWT then it
>> should identify itself as a value in the audiences claim. Therefore it is
>> valid and rational to have the client ID in the audience claim.
>>
>>  Currently, it is possible to configure the audiences for OpenID Connect
>> via identity.xml but it will get applied globally in all SPs. We are going
>> to support multiple audience configuration in IS 5.5.0 via the UI similar
>> to how its done in SAML. As an improvement to this we can include the
>> client identifier in the audience claim as well.
>>
>
> I assume we will let the user define multiple audience values - for an
> access token and an ID token, independently?
>

With the current implementation, the audience values would be configurable
through the SP configuration UI (for an OAuth app). The same values can be used
for both the access token and the ID token, but not independently. However, this can
be improved to provide two audience configurations, one for OAuth introspection
and one for the ID token.


Thanks,
Sathya

>
> Thanks & regards,
> -Prabath
>
>
>>
>> Thanks,
>> Sathya
>>
>>
>>
>> On Wed, Aug 23, 2017 at 2:09 PM, Prabath Siriwardena <prab...@wso2.com>
>> wrote:
>>
>>> The audience of the ID token is the web app (or it can also have the
>>> token endpoint - in case of the JWT grant type) - the audience of the
>>> access token is the API (or where it will be used by the web app).. so
>>> those can be two different values..
>>>
>>> This [1] is  a good way we should consider implementing - to request an
>>> access token for a given audience..
>>>
>>> [1]: https://tools.ietf.org/id/draft-tschofenig-oauth-audience-00.html
>>>
>>> Thanks & regards,
>>> -Prabath
>>>
>>>
>>>
>>> On Mon, Aug 21, 2017 at 11:02 PM, Gayan Gunawardana <ga...@wso2.com>
>>> wrote:
>>>
>>>> According to OpenID connect specification [1] "aud" value is client id
>>>> with identifiers for other audiences.
>>>>
>>>>  {
>>>>"iss": "https://server.example.com;,
>>>>"sub": "24400320",
>>>>"aud": "s6BhdRkqt3",
>>>>"nonce": "n-0S6_WzA2Mj",
>>>>"exp": 1311281970,
>>>>"iat": 1311280970,
>>>>"auth_time": 1311280969,
>>>>"acr": "urn:mace:incommon:iap:silver"
>>>>   }
>>>>
>>>> But in token introspection "aud" value is more like service provider
>>>> URL with identifiers for other audiences.
>>>>
>>>>  {
>>>>   "active": true,
>>>>   "client_id": "l238j323ds-23ij4",
>>>>   "username": "jdoe",
>>>>   "scope": "read write dolphin",
>>>>   "sub": "Z5O3upPC88QrAjx00dis",
>>>>   "aud": "https://protected.example.net/resource;,
>>>>   "iss": "https://server.example.com/;,
>>>>   "exp": 1419356238,
>>>>   "iat": 1419350238,
>>>>   "extension_field": "twenty-seven"
>>>>  }
>>>>
>>>> Can we have different Audience values for token introspection response
>>>> and ID Token ? If not we can have both as Audience values.
>>>>
>>>> [1] http://openid.net/specs/openid-connect-core-1_0.html#IDToken
>>>> [2] https://tools.ietf.org/html/rfc7662#section-2.2
>>>>
>>>> Thanks,
>>>> Gayan
>>>>
>>>> --
>>>> Gayan Gunawardana
>>>> Senior Software Engineer; WSO2 Inc.; http://wso2.com/
>>>> Email: ga...@wso2.com
>>>> Mobile: +94 (71) 8020933
>>>>
>>>
>>>
>>>
>>> --
>>> Thanks & Regards,
>>> Prabath
>>>
>>> Twitter : @prabath
>>> LinkedIn : http://www.linkedin.com/in/prabathsiriwardena
>>>
>>> Mobile : +1 650 625 7950 <(650)%20625-7950>
>>>
>>> http://facilelogin.com
>>>
>>> ___
>>> Dev mailing list
>>> Dev@wso2.org
>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>
>>>
>>
>>
>> --
>> Sathya Bandara
>> Software Engineer
>> WSO2 Inc. http://wso2.com
>> Mobile: (+94) 715 360 421 <+94%2071%20411%205032>
>>
>> <+94%2071%20411%205032>
>>
>
>
>
> --
> Thanks & Regards,
> Prabath
>
> Twitter : @prabath
> LinkedIn : http://www.linkedin.com/in/prabathsiriwardena
>
> Mobile : +1 650 625 7950 <(650)%20625-7950>
>
> http://facilelogin.com
>



-- 
Sathya Bandara
Software Engineer
WSO2 Inc. http://wso2.com
Mobile: (+94) 715 360 421

___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


Re: [Dev] Audience(aud) value in OpenID Connect ID Token vs Token Introspection response

2017-08-23 Thread Sathya Bandara
Hi,

The aud claim in the ID token is used to identify the parties the JWT is
intended for. If the client application needs to process the JWT, then it
should identify itself as one of the values in the audience claim. Therefore it is
valid and rational to have the client ID in the audience claim.

Currently, it is possible to configure the audiences for OpenID Connect
via identity.xml, but it gets applied globally to all SPs. We are going
to support multiple audience configuration in IS 5.5.0 via the UI, similar
to how it's done in SAML. As an improvement to this we can include the
client identifier in the audience claim as well.

Thanks,
Sathya



On Wed, Aug 23, 2017 at 2:09 PM, Prabath Siriwardena <prab...@wso2.com>
wrote:

> The audience of the ID token is the web app (or it can also have the token
> endpoint - in case of the JWT grant type) - the audience of the access
> token is the API (or where it will be used by the web app).. so those can
> be two different values..
>
> This [1] is  a good way we should consider implementing - to request an
> access token for a given audience..
>
> [1]: https://tools.ietf.org/id/draft-tschofenig-oauth-audience-00.html
>
> Thanks & regards,
> -Prabath
>
>
>
> On Mon, Aug 21, 2017 at 11:02 PM, Gayan Gunawardana <ga...@wso2.com>
> wrote:
>
>> According to OpenID connect specification [1] "aud" value is client id
>> with identifiers for other audiences.
>>
>>  {
>>    "iss": "https://server.example.com",
>>    "sub": "24400320",
>>    "aud": "s6BhdRkqt3",
>>    "nonce": "n-0S6_WzA2Mj",
>>    "exp": 1311281970,
>>    "iat": 1311280970,
>>    "auth_time": 1311280969,
>>    "acr": "urn:mace:incommon:iap:silver"
>>  }
>>
>> But in token introspection "aud" value is more like service provider URL
>> with identifiers for other audiences.
>>
>>  {
>>    "active": true,
>>    "client_id": "l238j323ds-23ij4",
>>    "username": "jdoe",
>>    "scope": "read write dolphin",
>>    "sub": "Z5O3upPC88QrAjx00dis",
>>    "aud": "https://protected.example.net/resource",
>>    "iss": "https://server.example.com/",
>>    "exp": 1419356238,
>>    "iat": 1419350238,
>>    "extension_field": "twenty-seven"
>>  }
>>
>> Can we have different Audience values for token introspection response
>> and ID Token ? If not we can have both as Audience values.
>>
>> [1] http://openid.net/specs/openid-connect-core-1_0.html#IDToken
>> [2] https://tools.ietf.org/html/rfc7662#section-2.2
>>
>> Thanks,
>> Gayan
>>
>> --
>> Gayan Gunawardana
>> Senior Software Engineer; WSO2 Inc.; http://wso2.com/
>> Email: ga...@wso2.com
>> Mobile: +94 (71) 8020933
>>
>
>
>
> --
> Thanks & Regards,
> Prabath
>
> Twitter : @prabath
> LinkedIn : http://www.linkedin.com/in/prabathsiriwardena
>
> Mobile : +1 650 625 7950
>
> http://facilelogin.com
>
> ___
> Dev mailing list
> Dev@wso2.org
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>
>


-- 
Sathya Bandara
Software Engineer
WSO2 Inc. http://wso2.com
Mobile: (+94) 715 360 421

___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
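The two audience checks the thread contrasts, as an added Python example that is not part of the discussion or of WSO2 Identity Server: a relying party confirms its own client_id is in the ID token's aud (with the azp rule from OpenID Connect Core 3.1.3.7 when there are several audiences, e.g. a token endpoint added for the JWT grant), while a resource server confirms its own identifier is in the introspection response's aud. The claim sets are the constructed samples quoted above, and `now` is passed explicitly because their exp values are fixed.

```python
"""Audience validation: OIDC ID token (client_id in aud) vs. RFC 7662 introspection (resource in aud).

Added example, not code from the thread or from WSO2. The two claim sets below are
constructed from the samples quoted in the discussion.
"""
import time

# Constructed: the ID token claims quoted from the OIDC Core example.
ID_TOKEN_CLAIMS = {
    "iss": "https://server.example.com",
    "sub": "24400320",
    "aud": "s6BhdRkqt3",
    "nonce": "n-0S6_WzA2Mj",
    "exp": 1311281970,
    "iat": 1311280970,
    "auth_time": 1311280969,
    "acr": "urn:mace:incommon:iap:silver",
}

# Constructed: the introspection response quoted from RFC 7662.
INTROSPECTION_RESPONSE = {
    "active": True,
    "client_id": "l238j323ds-23ij4",
    "username": "jdoe",
    "scope": "read write dolphin",
    "sub": "Z5O3upPC88QrAjx00dis",
    "aud": "https://protected.example.net/resource",
    "iss": "https://server.example.com/",
    "exp": 1419356238,
    "iat": 1419350238,
}


def _as_list(value):
    """aud may be a single string or a JSON array; normalise to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]


def validate_id_token(claims, client_id, expected_issuer, expected_nonce=None, now=None):
    """Checks a relying party applies to ID token claims (OIDC Core 3.1.3.7).

    Signature verification is assumed to have happened already. Returns a list
    of problems; an empty list means the claims pass.
    """
    now = int(time.time()) if now is None else now
    problems = []
    if claims.get("iss") != expected_issuer:
        problems.append("iss does not match the expected issuer")
    aud = _as_list(claims.get("aud"))
    if client_id not in aud:
        problems.append("client_id is not listed in aud")
    azp = claims.get("azp")
    if len(aud) > 1 and azp is None:
        # Several audiences (e.g. client_id plus a token endpoint for the JWT
        # grant): the spec wants azp so the client can tell it is the authorized party.
        problems.append("multiple audiences but no azp claim")
    if azp is not None and azp != client_id:
        problems.append("azp does not match client_id")
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        problems.append("token is expired or exp is missing")
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        problems.append("nonce does not match the one sent in the request")
    return problems


def validate_introspection(response, resource_uri, now=None):
    """Checks a resource server applies to an RFC 7662 introspection response.

    Here aud names the protected resource, not the client, so the resource
    server looks for its own identifier. Returns a list of problems.
    """
    now = int(time.time()) if now is None else now
    problems = []
    if response.get("active") is not True:
        problems.append("token is not active")
    if resource_uri not in _as_list(response.get("aud")):
        problems.append("this resource is not listed in aud")
    exp = response.get("exp")
    if isinstance(exp, int) and exp <= now:
        problems.append("token is expired")
    return problems


if __name__ == "__main__":
    print(validate_id_token(ID_TOKEN_CLAIMS, "s6BhdRkqt3",
                            "https://server.example.com", now=1311281000))
    print(validate_introspection(INTROSPECTION_RESPONSE,
                                 "https://protected.example.net/resource", now=1419351000))
```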


Re: [Dev] [VOTE] Release WSO2 Carbon Kernel 4.4.17 RC4

2017-08-17 Thread Sathya Bandara
Hi all,

Tested the following with WSO2 Identity Server:

- basic user operations and role operations in primary and secondary
  user-stores
- configuring tenants (tenant creation, activation, deactivation)

Did not encounter any issues. Hence,
[+] Stable - go ahead and release.

Thanks,
Sathya

On Thu, Aug 17, 2017 at 6:27 PM, Muhammed Shariq <sha...@wso2.com> wrote:

> Hi,
>
> This is the 4th release candidate of WSO2 Carbon Kernel 4.4.17.
>
> This release fixes the following issues:
> https://github.com/wso2/carbon-kernel/milestone/15?closed=1
>
> Please download and test your products with Kernel 4.4.17 RC4 and vote.
> The vote will be open for 72 hours or as long as needed.
>
> Maven staging repository:
> *https://maven.wso2.org/nexus/content/repositories/orgwso2carbon-1191/
> <https://maven.wso2.org/nexus/content/repositories/orgwso2carbon-1191/>*
>
> The tag to be voted upon:
> *https://github.com/wso2/carbon-kernel/releases/tag/v4.4.17-rc4
> <https://github.com/wso2/carbon-kernel/releases/tag/v4.4.17-rc4>*
>
> [ ] Broken - Do not release (explain why)
> [ ] Stable  - Go ahead and release
>
> --
> Thank you,
> Platform Team.
>
>
> ___
> Dev mailing list
> Dev@wso2.org
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>
>


-- 
Sathya Bandara
Software Engineer
WSO2 Inc. http://wso2.com
Mobile: (+94) 715 360 421

___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


Re: [Dev] Two critical issues in IS 5.3.0 SCIM 1.1 implementation

2017-08-16 Thread Sathya Bandara
Hi Johann,

When we send the data within double quotations, since the quotations are dropped
by curl, we get the payload as follows.

*{schemas: [urn:scim:schemas:core:1.0], name : {familyName:
Tester},userName: hasinitg,meta: {attributes: []}}*

So when we try to parse the schemas array in the payload, the JSON decoder expects
a comma or a closing square bracket after urn:scim and not another colon.
This is the reason for the JSON parsing exception when using double quotes.

Thanks,
Sathya

On Wed, Aug 16, 2017 at 12:57 PM, Pulasthi Mahawithana <pulast...@wso2.com>
wrote:

> Hi Johann,
>
> I also experienced this same problem with double quote sometime back. Yes,
> it's because the way curl works. When double quotes are used, curl was
> dropping the quotes. However, due to the way we parse the payload, it still
> worked as long as we don't have any character troubling the json structure.
> So, here I assume the ':' characters in "urn:scim:schemas:core:1.0" were
> causing the issue (when double quote is used).
>
> On Wed, Aug 16, 2017 at 12:42 PM, Johann Nallathamby <joh...@wso2.com>
> wrote:
>
>>
>>
>> On Wed, Aug 16, 2017 at 12:33 PM, Sathya Bandara <sat...@wso2.com> wrote:
>>
>>> Hi,
>>>
>>> The issue [1] occurs due to invalid data format. It is not identified as
>>> a bug since, as mentioned in the doc, similar to user create requests, we
>>> need to include json data within single quotations and not double
>>> quotations to avoid json parsing exceptions. With the correct format it is
>>> possible to include non-empty schema attributes with the request.
>>>
>>> eg:
>>>
>>> *request:*
>>> curl -v -k --user admin:admin -X PATCH -d '{"schemas":
>>> ["urn:scim:schemas:core:1.0"],"name":{"familyName": "Tester"}
>>> ,"userName": "hasinitg","meta": {"attributes": []}}' --header
>>> "Content-Type:application/json"
>>> https://localhost:9443/wso2/scim/Users/15722a71-3bd1-4864-8460-1e63a2dace65
>>>
>>> *response:*
>>>
>>> {"emails":[{"type":"home","value":"hasini_home.com"},
>>>  {"type":"work","value":"hasini_work.com"}],
>>>  "meta":{"created":"2017-08-16T10:07:36",
>>>  "location":"https://localhost:9443/wso2/scim/Users/15722a71-3bd1-4864-8460-1e63a2dace65",
>>>  "lastModified":"2017-08-16T12:17:11"},
>>>  "schemas":["urn:scim:schemas:core:1.0"],
>>>  "name":{"familyName":"Tester","givenName":"hasinitg"},
>>>  "id":"15722a71-3bd1-4864-8460-1e63a2dace65","userName":"hasinitg"}
>>>
>>
>> This seems a bit weird to me. If it's a JSON parsing problem then double
>> quotes should not work for any kind of data JSON data. How come it is
>> working for empty array?
>>
>> Is this double quote problem something related to how curl works? If we
>> use a HTTP client don't we have this issue? If it's a curl problem then we
>> shouldn't worry I suppose.
>>
>> Regards,
>> Johann.
>>
>>
>>> [1] https://wso2.org/jira/browse/IDENTITY-6271
>>>
>>> Thanks,
>>> Sathya
>>>
>>> On Wed, Aug 16, 2017 at 11:37 AM, Gayan Gunawardana <ga...@wso2.com>
>>> wrote:
>>>
>>>>
>>>>
>>>> On Tue, Aug 15, 2017 at 10:44 PM, Johann Nallathamby <joh...@wso2.com>
>>>> wrote:
>>>>
>>>>> IAM Team,
>>>>>
>>>>> I found below two critical issues in IS 5.3.0 SCIM 1.1 implementation.
>>>>>
>>>>> 1. Users/{id} PATCH operation expects the "schemas" attribute to be
>>>>> empty. If the core schema value is given it throws an error [1].
>>>>>
>>>>> 2. "userName" attribute is mandatory in Users/{id} PATCH operation.
>>>>> This is not the case according to the spec [2].
>>>>>
>>>>> I think the first issue is a MUST fix. Because all the users who will
>>>>> try our SCIM patch implementation will face this issue and discontinue
>>>>> trying/using WSO2 IS 5.3.0. So I think this must be fixed.
>>>>>
>>>> Yes we have to look at fixing this issue in backward-compatible manner.
>>>>
>>>>>
>>>>> The secon

Re: [Dev] Two critical issues in IS 5.3.0 SCIM 1.1 implementation

2017-08-16 Thread Sathya Bandara
Hi,

The issue [1] occurs due to invalid data format. It is not identified as a
bug since, as mentioned in the doc, similar to user create requests, we need
to include json data within single quotations and not double quotations to
avoid json parsing exceptions. With the correct format it is possible to
include non-empty schema attributes with the request.

eg:

*request:*
curl -v -k --user admin:admin -X PATCH -d '{"schemas":
["urn:scim:schemas:core:1.0"],"name":{"familyName": "Tester"} ,"userName":
"hasinitg","meta": {"attributes": []}}' --header
"Content-Type:application/json"
https://localhost:9443/wso2/scim/Users/15722a71-3bd1-4864-8460-1e63a2dace65

*response:*

{"emails":[{"type":"home","value":"hasini_home.com"},
 {"type":"work","value":"hasini_work.com"}],
 "meta":{"created":"2017-08-16T10:07:36",
 "location":"https://localhost:9443/wso2/scim/Users/15722a71-3bd1-4864-8460-1e63a2dace65",
 "lastModified":"2017-08-16T12:17:11"},
 "schemas":["urn:scim:schemas:core:1.0"],
 "name":{"familyName":"Tester","givenName":"hasinitg"},
 "id":"15722a71-3bd1-4864-8460-1e63a2dace65","userName":"hasinitg"}

[1] https://wso2.org/jira/browse/IDENTITY-6271

Thanks,
Sathya

On Wed, Aug 16, 2017 at 11:37 AM, Gayan Gunawardana <ga...@wso2.com> wrote:

>
>
> On Tue, Aug 15, 2017 at 10:44 PM, Johann Nallathamby <joh...@wso2.com>
> wrote:
>
>> IAM Team,
>>
>> I found below two critical issues in IS 5.3.0 SCIM 1.1 implementation.
>>
>> 1. Users/{id} PATCH operation expects the "schemas" attribute to be
>> empty. If the core schema value is given it throws an error [1].
>>
>> 2. "userName" attribute is mandatory in Users/{id} PATCH operation. This
>> is not the case according to the spec [2].
>>
>> I think the first issue is a MUST fix. Because all the users who will try
>> our SCIM patch implementation will face this issue and discontinue
>> trying/using WSO2 IS 5.3.0. So I think this must be fixed.
>>
> Yes we have to look at fixing this issue in backward-compatible manner.
>
>>
>> The second issue seems to be a problem with our implementation design. I
>> don't know if this could be easily fixed. May be it can be fixed at the
>> cost of performance. Someone has to check on this. But if that is the case
>> what is going to be our stance here? Compliance vs. Performance. Which side
>> do we take? I would say compliance is more important. What are your
>> thoughts?
>>
> We can fix this issue as well but need to check for API changes.
>
>>
>> [1] https://wso2.org/jira/browse/IDENTITY-6271
>> [2] https://wso2.org/jira/browse/IDENTITY-6272
>>
>> Thanks & Regards,
>> Johann.
>>
>> --
>>
>> *Johann Dilantha Nallathamby*
>> Senior Lead Solutions Engineer
>> WSO2, Inc.
>> lean.enterprise.middleware
>>
>> Mobile - *+9476950*
>> Blog - *http://nallaa.wordpress.com <http://nallaa.wordpress.com>*
>>
>
>
>
> --
> Gayan Gunawardana
> Senior Software Engineer; WSO2 Inc.; http://wso2.com/
> Email: ga...@wso2.com
> Mobile: +94 (71) 8020933
>



-- 
Sathya Bandara
Software Engineer
WSO2 Inc. http://wso2.com
Mobile: (+94) 715 360 421

___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


[Dev] [IS] Issue with prioritizing session time out period configuration

2017-07-26 Thread Sathya Bandara
Hi all,

In the current implementation we can configure the session timeout for the
Identity Server via the resident realm configuration (Idle Session Time
Out). In addition, with the following configuration in identity.xml we can
specify a maxAge parameter on cookies in order to configure the session
timeout periods (cookie expiration time).



**

If this parameter value is specified, in our implementation we give
priority to the max age value configured through identity.xml over the session
timeout value configured in the resident IDP [1].

But in the scenario where, in tenant mode, the session timeout period
needs to be customized (reduced) for security reasons, if a max age value is
specified in the configuration file, priority will be given to that rather
than the customized session idle timeout for that tenant. Is this a valid
use case?

Highly appreciate your thoughts on this.


[1]
https://github.com/wso2-extensions/identity-inbound-auth-saml/blob/5.3.x/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/servlet/SAMLSSOProviderServlet.java#L854

Thanks,
Sathya

-- 
Sathya Bandara
Software Engineer
WSO2 Inc. http://wso2.com
Mobile: (+94) 715 360 421

___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


Re: [Dev] [IS] Admin/Tenant Admin Users cannot be filtered to get the SCIM ID

2017-07-21 Thread Sathya Bandara
>>>>>>>>>
>>>>>>>>>> I am not sure about we are not getting SCIM ID just because of
>>>>>>>>>> admin user is a special user or kind of implementation we have right 
>>>>>>>>>> now.
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Chamila checked with me on this and he meant admin user is special
>>>>>>>>> due to the same reason you explained above. Basically admin user is 
>>>>>>>>> created
>>>>>>>>> through special flow compared to normal users.
>>>>>>>>>
>>>>>>>> If we generate SCIM ID even in that special flaw. Is that correct
>>>>>>>> ?
>>>>>>>>
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Adding Johann.
>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>>> Thanks
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Wed, Nov 4, 2015 at 6:20 PM, Nadeesha Meegoda <
>>>>>>>>>>>>> nadees...@wso2.com> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Hi IS Team,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I was trying to filter and get admin users SCIM ID and
>>>>>>>>>>>>>> failed, even tried for tenant admin and still I couldn't filter 
>>>>>>>>>>>>>> and get the
>>>>>>>>>>>>>> SCIM ID
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Command used :
>>>>>>>>>>>>>> curl -v -k --user admin:admin https://localhost:9443/wso2/scim/Users?filter=userNameEqadmin
>>>>>>>>>>>>>> curl -v -k --user admin:admin https://localhost:9443/wso2/scim/Users?filter=usernameeqten...@hello.com
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Searching through the jira found out that in the past,
>>>>>>>>>>>>>> listing admin users as scim users were removed as per [1]
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> How can we filter and get the admin/tenant admin SCIM ID?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> [1] - https://wso2.org/jira/browse/IDENTITY-503
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Thanks
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> --
>>>>>>>>>>>>>> *Nadeesha Meegoda*
>>>>>>>>>>>>>> Software Engineer - QA
>>>>>>>>>>>>>> WSO2 Inc.; http://wso2.com
>>>>>>>>>>>>>> lean.enterprise.middleware
>>>>>>>>>>>>>> email : nadees...@wso2.com
>>>>>>>>>>>>>> mobile: +94783639540
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> ___
>>>>>>>>>>>>>> Dev mailing list
>>>>>>>>>>>>>> Dev@wso2.org
>>>>>>>>>>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> --
>>>>>>>>>>>>> *Chamila Dilshan Wijayarathna,*
>>>>>>>>>>>>> Software Engineer
>>>>>>>>>>>>> Mobile:(+94)788193620
>>>>>>>>>>>>> WSO2 Inc., http://wso2.com/
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> --
>>>>>>>>>>>> *Nadeesha Meegoda*
>>>>>>>>>>>> Software Engineer - QA
>>>>>>>>>>>> WSO2 Inc.; http://wso2.com
>>>>>>>>>>>> lean.enterprise.middleware
>>>>>>>>>>>> email : nadees...@wso2.com
>>>>>>>>>>>> mobile: +94783639540
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> *Chamila Dilshan Wijayarathna,*
>>>>>>>>>>> Software Engineer
>>>>>>>>>>> Mobile:(+94)788193620
>>>>>>>>>>> WSO2 Inc., http://wso2.com/
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Gayan Gunawardana
>>>>>>>>>> Software Engineer; WSO2 Inc.; http://wso2.com/
>>>>>>>>>> Email: ga...@wso2.com
>>>>>>>>>> Mobile: +94 (71) 8020933
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Regards,
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> *Darshana Gunawardana*Senior Software Engineer
>>>>>>>>> WSO2 Inc.; http://wso2.com
>>>>>>>>>
>>>>>>>>> *E-mail: darsh...@wso2.com <darsh...@wso2.com>*
>>>>>>>>> *Mobile: +94718566859*
>>>>>>>>> Lean . Enterprise . Middleware
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> Gayan Gunawardana
>>>>>>>> Software Engineer; WSO2 Inc.; http://wso2.com/
>>>>>>>> Email: ga...@wso2.com
>>>>>>>> Mobile: +94 (71) 8020933
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> *Nadeesha Meegoda*
>>>>>>> Software Engineer - QA
>>>>>>> WSO2 Inc.; http://wso2.com
>>>>>>> lean.enterprise.middleware
>>>>>>> email : nadees...@wso2.com
>>>>>>> mobile: +94783639540
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> *Chamila Dilshan Wijayarathna,*
>>>>>> Software Engineer
>>>>>> Mobile:(+94)788193620
>>>>>> WSO2 Inc., http://wso2.com/
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> *Nadeesha Meegoda*
>>>>> Software Engineer - QA
>>>>> WSO2 Inc.; http://wso2.com
>>>>> lean.enterprise.middleware
>>>>> email : nadees...@wso2.com
>>>>> mobile: +94783639540
>>>>>
>>>>> ___
>>>>> Dev mailing list
>>>>> Dev@wso2.org
>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Indunil Upeksha Rathnayake
>>>> Software Engineer | WSO2 Inc
>>>> Email: indu...@wso2.com
>>>> Mobile: 0772182255
>>>>
>>>
>>>
>>>
>>> --
>>> Gayan Gunawardana
>>> Senior Software Engineer; WSO2 Inc.; http://wso2.com/
>>> Email: ga...@wso2.com
>>> Mobile: +94 (71) 8020933
>>>
>>> ___
>>> Dev mailing list
>>> Dev@wso2.org
>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>
>>>
>>
>
>
> --
> Gayan Gunawardana
> Senior Software Engineer; WSO2 Inc.; http://wso2.com/
> Email: ga...@wso2.com
> Mobile: +94 (71) 8020933
>



-- 
Sathya Bandara
Software Engineer
WSO2 Inc. http://wso2.com
Mobile: (+94) 715 360 421

___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


Re: [Dev] API 2.1.0 + Identity Server 5.3.0

2017-06-06 Thread Sathya Bandara
Hi Javier,

This option will attach the user store domain (eg: PRIMARY/admin) with the
SAML authentication response. For more information you can refer to the
documentation [1].

[1] https://docs.wso2.com/display/IS530/Configuring+Local+and+Outbound+Authentication+for+a+Service+Provider

Best regards,
Sathya

On Jun 5, 2017 6:59 PM, "Vazquez-Hidalgo, Javier" <
javier.vazquez-hida...@tdsecurities.com> wrote:

> That works!!!
>
>
>
> Is it possible for you to explain what does 'Use user store domain in
> local subject identifier*'* option do?
>
>
>
> Thanks,
>
> Javier
>
>
>
> *From:* Omindu Rathnaweera [mailto:omi...@wso2.com]
> *Sent:* Saturday, June 03, 2017 3:21 AM
> *To:* Vazquez-Hidalgo, Javier
> *Cc:* Isura Karunaratne; dev@wso2.org
> *Subject:* Re: [Dev] API 2.1.0 + Identity Server 5.3.0
>
>
>
> Hi Javier,
>
>
>
> In the Identity Server SP configs, under the 'Local & Outbound
> Authentication Configuration*'* section, there's a checkbox 'Use user
> store domain in local subject identifier*'*. Can you tick that checkbox
> and see whether the issue is getting resolved.
>
>
>
> Regards,
>
> Omindu.
>
>
>
>
>
>
>
> On Thu, Jun 1, 2017 at 6:28 PM, Vazquez-Hidalgo, Javier <
> javier.vazquez-hida...@tdsecurities.com> wrote:
>
> Hi Isura,
>
>
>
> Thanks for your response, I added the secondary user store to the API
> manager and the problem goes away ONLY if I disable SSO on the store. With
> SSO enabled I can only login with users from the primary store.
>
>
>
> Any ideas on how to get it working with SSO?
>
>
>
> Thanks,
>
> Javier
>
>
>
> *From:* Isura Karunaratne [mailto:is...@wso2.com]
> *Sent:* Wednesday, May 31, 2017 6:26 AM
>
>
> *To:* Vazquez-Hidalgo, Javier
> *Cc:* dev@wso2.org
> *Subject:* Re: [Dev] API 2.1.0 + Identity Server 5.3.0
>
>
>
> HI Javier,
>
>
>
> It looks like you have not configured secondary user store in API Manager
> instance. You can get rid of the authorization issue by configuring the
> read-only secondary user store in APIM as well.
>
>
>
> Since the Authorization handles in APIM instance, user store should be
> shared with APIM as well.
>
>
>
> Thanks
>
> Isura.
>
>
>
> On Tue, May 30, 2017 at 7:18 PM, Vazquez-Hidalgo, Javier <
> javier.vazquez-hida...@tdsecurities.com> wrote:
>
> Hi Isura,
>
>
>
> In the log files, please search for “vazquj2”. That is the user who fails
> to login. I’ll send the conf files shortly. After more research it seems
> that APIM is looking user roles in UM_ROLES instead of UM_HYBRID_ROLES.
>
>
>
> Thanks,
>
> Javier
>
>
>
> *From:* Isura Karunaratne [mailto:is...@wso2.com]
> *Sent:* Monday, May 29, 2017 1:24 AM
>
>
> *To:* Vazquez-Hidalgo, Javier
> *Cc:* dev@wso2.org
> *Subject:* Re: [Dev] API 2.1.0 + Identity Server 5.3.0
>
>
>
> Hi Javier,
>
>
>
> According to the apim-wso2carbon.log file, only admin user tried login to
> the APIM instance and it was a success login.  Please attach the log, once
> the store login failure occurs. Also, attach the conf folders in each
> products.
>
>
>
> Thanks
>
> Isura.
>
>
>
> On Fri, May 26, 2017 at 8:56 PM, Vazquez-Hidalgo, Javier <
> javier.vazquez-hida...@tdsecurities.com> wrote:
>
> Hi Isura,
>
>
>
> Thanks for your help!
>
>
>
> Attached to the email are both logs with “log4j.logger.org.wso2.carbon.user.core=DEBUG” enabled.
>
>
>
> Regards,
>
> Javier
>
>
>
> *From:* Isura Karunaratne [mailto:is...@wso2.com]
> *Sent:* Friday, May 26, 2017 3:10 AM
> *To:* Vazquez-Hidalgo, Javier
> *Cc:* dev@wso2.org
> *Subject:* Re: [Dev] API 2.1.0 + Identity Server 5.3.0
>
>
>
> Hi Javier,
>
>
>
> We need additional information to analyze the issue. Attach the
> wso2carbon.log file after enabling the debug logs for
> org.wso2.carbon.user.core package as follows.
>
>
>
> Add following entry to /repository/conf/log4j.properties file
>
>
>
> log4j.logger.org.wso2.carbon.user.core=DEBUG
>
>
>
>
>
> Thanks
>
> Isura.
>
>
>
> On Fri, May 26, 2017 at 12:50 AM, Vazquez-Hidalgo, Javier <
> javier.vazquez-hida...@tdsecurities.com> wrote:
>
> Hello,
>
>
>
> I’m trying to setup APIM 2.1.0 + Identity Server 5.3.0 on separate boxes,
> at this point I have all configurations in place with shared databases and
> I added a secondary User Store (Read-Only LDAP) on the Identity Server and
> I’m able to assign permissions, etc..
>
>
>
> The problem I’m having is that when I try to login to the API Store using
> a user from the secondary user store I get the following error in the login
> screen:
>
>
>
> “Error! Login failed. Insufficient Privileges.”
>
>
>
> APIM Logs:
>
> -
>
>
>
> [2017-05-25 14:49:52,812] ERROR - JDBCAuthorizationManager Error occurred
> while accessing Java Security Manager Privilege Block
>
> [2017-05-25 14:49:52,812] ERROR - APIStoreHostObject Login failed.
> Insufficient Privileges.
>
>
>
> IS Log:
>
> ---
>
> [2017-05-25 14:49:52,498]  INFO 
> {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil}
> -  'DOMAIN/xxx@carbon.super [-1234]' logged in at [2017-05-25
> 14:49:52,497-0400]
>
>
>

Re: [Dev] [IS] Providing UI based configuration support for JWT audiences

2017-06-06 Thread Sathya Bandara
Hi,

With the offline discussions we had, we have decided to introduce a new
table to store JWT audiences and any OIDC related properties which will be
introduced in the future. The table has the following structure.

Table: IDP_OIDC_PROPERTY

Columns:
ID              int(11) AI PK
TENANT_ID       int(11)
CONSUMER_KEY    varchar(255)
PROPERTY_KEY    varchar(255)
PROPERTY_VALUE  varchar(2047)

Best regards,
Sathya


On Mon, Jun 5, 2017 at 12:05 PM, Danushka Fernando <danush...@wso2.com>
wrote:

> I think its something related to OAuth only. So saving in SP properties
> table isn't the most correct solution. AFAIR for the SAML case we have
> saved properties separately with the registry resource. But rather than
> saving this in registry +1 to save in DB.
> And +1 for Option 2. But beware about the data migration as well. So your
> code should handle null or empty values. Probably use the global value in
> that case.
>
> Thanks & Regards
> Danushka Fernando
> Associate Tech Lead
> WSO2 inc. http://wso2.com/
> Mobile : +94716332729
>
> On Mon, Jun 5, 2017 at 11:50 AM, Sathya Bandara <sat...@wso2.com> wrote:
>
>> Hi,
>>
>> Currently new audience values to JWT id_tokens should be added via
>> identity.xml file and server needs to be restarted. With this approach we
>> cannot control the id_token audience at SP level since it gets applied
>> globally through identity.xml based configuration. In this case, we are not
>> able to override the audience values at SP level if the id_token is to be
>> used as a JWT grant in a specific IDP. As a solution to this we are
>> providing the audience configuration option in UI via SP Oauth config UI
>> [1].
>>
>> The SP Oauth configuration values obtained from the UI are persisted into
>> the DB via *OauthAdminService* using *registerOAuthApplicationData*
>> method. IDN_OAUTH_CONSUMER_APPS table is used to populate Oauth consumer
>> app related data. For storing the audience values we can add another column
>> into this table to keep them as either space or comma separated values as
>> done for the grant_types. However since there can be multiple audience
>> values for a particular id_token we cannot specify a limitation on the
>> column size.
>>
>> I have also considered the following approach.
>> Adding audience values as key-value pairs in SP_INBOUND_AUTH table
>> identified by the oauth app ID.
>> eg: PROP_NAME = 'audience' -> PROP_VALUE = 'https://localhost:9443/oauth2
>> /token'
>>
>> However with application update these values are being deleted by
>> *IdentityApplicationManagementService*'s *updateApplication* method.
>>
>> As a solution to this we could identify following two options:
>>
>> 1. Create a new table to store audience values identified by oauth
>> application's consumer key.
>>
>> 2. Store them as space separated values in IDN_OAUTH_CONSUMER_APPS table
>> by introducing a new column for audiences with above mentioned limitation
>> on adding multiple audiences.
>>
>> Highly appreciate your suggestions on this.
>>
>> [1] https://wso2.org/jira/browse/IDENTITY-5877
>>
>> Best regards,
>> Sathya
>>
>> --
>> Sathya Bandara
>> Software Engineer
>> WSO2 Inc. http://wso2.com
>> Mobile: (+94) 715 360 421
>>
>>
>> ___
>> Dev mailing list
>> Dev@wso2.org
>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>
>>
>


-- 
Sathya Bandara
Software Engineer
WSO2 Inc. http://wso2.com
Mobile: (+94) 715 360 421

___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


[Dev] [IS] Providing UI based configuration support for JWT audiences

2017-06-05 Thread Sathya Bandara
Hi,

Currently, new audience values for JWT id_tokens have to be added via the
identity.xml file, and the server needs to be restarted. With this approach we
cannot control the id_token audience at the SP level, since it gets applied
globally through the identity.xml based configuration. In this case, we are not
able to override the audience values at the SP level if the id_token is to be
used as a JWT grant in a specific IDP. As a solution to this we are
providing the audience configuration option in the UI via the SP OAuth config UI
[1].

The SP OAuth configuration values obtained from the UI are persisted into
the DB via *OauthAdminService* using the *registerOAuthApplicationData* method.
The IDN_OAUTH_CONSUMER_APPS table is used to populate OAuth consumer app
related data. For storing the audience values we can add another column
to this table to keep them as either space or comma separated values, as
done for the grant_types. However, since there can be multiple audience
values for a particular id_token, we cannot specify a limitation on the
column size.

I have also considered the following approach:
adding audience values as key-value pairs in the SP_INBOUND_AUTH table,
identified by the OAuth app ID.
eg: PROP_NAME = 'audience' -> PROP_VALUE = 'https://localhost:9443/oauth2/token'

However with application update these values are being deleted by
*IdentityApplicationManagementService*'s *updateApplication* method.

As a solution to this we could identify following two options:

1. Create a new table to store audience values identified by oauth
application's consumer key.

2. Store them as space separated values in IDN_OAUTH_CONSUMER_APPS table by
introducing a new column for audiences with above mentioned limitation on
adding multiple audiences.

Highly appreciate your suggestions on this.

[1] https://wso2.org/jira/browse/IDENTITY-5877

Best regards,
Sathya

-- 
Sathya Bandara
Software Engineer
WSO2 Inc. http://wso2.com
Mobile: (+94) 715 360 421

___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


Re: [Dev] [IS] Integrity constraint violation when revoking multiple entries from access token table

2017-05-23 Thread Sathya Bandara
Hi,

This issue occurred since I was using the same TOKEN_STATE_ID and
TOKEN_STATE in the batch update operation of access tokens which creates
duplicate entries violating the unique constraint on CON_APP_KEY index.

This was resolved with the following approach;

UPDATE IDN_OAUTH2_ACCESS_TOKEN SET TOKEN_STATE= "REVOKED", TOKEN_STATE_ID=
"78c4e5cc-382a-4af0-8bb1-bef58a7c824a" WHERE TOKEN_STATE="ACTIVE" AND
CONSUMER_KEY_ID = (SELECT ID FROM IDN_OAUTH_CONSUMER_APPS WHERE
CONSUMER_KEY = "OazCSjIjOw2wHp9uhf7x2wJbfxga" ) AND TENANT_ID != -1234

This way I'm only revoking the tokens in the active state (only a single
entry is updated to the 'revoked' state), which avoids setting duplicate entries
of access tokens in the revoked state with the same state ID.


Best regards,
Sathya

On Tue, May 23, 2017 at 1:24 PM, Danushka Fernando <danush...@wso2.com>
wrote:

> Hi Sathya
>
> Please find my comments inline.
>
> On Tue, May 23, 2017 at 12:29 PM, Sathya Bandara <sat...@wso2.com> wrote:
>
>> Hi all,
>>
>> It is required to alter the state of  access tokens from 'active' to
>> 'revoked' of multiple entries in the IDN_OAUTH2_ACCESS_TOKEN table for the
>> scenario where access tokens issued to other tenants by a saas application,
>> need to be revoked when saas is disabled. I used the following query to
>> achieve this;
>>
>> "UPDATE IDN_OAUTH2_ACCESS_TOKEN SET TOKEN_STATE=?, TOKEN_STATE_ID=? WHERE
>> CONSUMER_KEY_ID = (SELECT ID FROM IDN_OAUTH_CONSUMER_APPS WHERE
>> CONSUMER_KEY = ? ) AND TENANT_ID != ? "
>>
>> Have you tested this query directly in some sql console? So is it giving
> the same error when you do that?
>
>>
>>    - Parameter 1 (access token state): REVOKED
>>    - Parameter 2 (token state ID): if the access token is in the active state
>>      the state ID should be 'NONE'; if in the revoked state it should be
>>      updated with a unique string
>>    - Parameter 3 (consumer key): client ID of the OAuth application
>>    - Parameter 4 (tenant ID): application tenant ID
>>
>> This gives
>> com.mysql.jdbc.exceptions.jdbc4.MySQLIntegrityConstraintViolationException:
>> Duplicate entry '1-admin-1-PRIMARY-APPLICATION_USER-369db21a386ae433e65c0ff34d357'
>> for key 'CON_APP_KEY', an exception which occurs because of the unique
>> constraint violation on the CON_APP_KEY index:
>>
>>
> Here it says duplicate entry. So did you check whether your database
> contains any values similar to what you are trying to update?
>
>>
>> Index: CON_APP_KEY
>> Definition:
>>   Type: BTREE
>>   Unique: Yes
>>   Columns: CONSUMER_KEY_ID, AUTHZ_USER, TENANT_ID, USER_DOMAIN, USER_TYPE,
>>            TOKEN_SCOPE_HASH, TOKEN_STATE, TOKEN_STATE_ID
>>
>> Is it possible to perform a multiple-entry update operation without having
>> to update a single entry at a time in the access token table? Appreciate
>> your help on this.
>>
>> Best regards,
>> Sathya
>>
>> --
>> Sathya Bandara
>> Software Engineer
>> WSO2 Inc. http://wso2.com
>> Mobile: (+94) 715 360 421
>>
>> ___
>> Dev mailing list
>> Dev@wso2.org
>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>
>> Thanks & Regards
> Danushka Fernando
> Associate Tech Lead
> WSO2 inc. http://wso2.com/
> Mobile : +94716332729
>
>


-- 
Sathya Bandara
Software Engineer
WSO2 Inc. http://wso2.com
Mobile: (+94) 715 360 421


[Dev] [IS] Integrity constraint violation when revoking multiple entries from access token table

2017-05-23 Thread Sathya Bandara
Hi all,

It is required to alter the state of multiple access token entries from
'active' to 'revoked' in the IDN_OAUTH2_ACCESS_TOKEN table, for the
scenario where access tokens issued to other tenants by a SaaS application
need to be revoked when SaaS is disabled. I used the following query to
achieve this:

"UPDATE IDN_OAUTH2_ACCESS_TOKEN SET TOKEN_STATE=?, TOKEN_STATE_ID=? WHERE
CONSUMER_KEY_ID = (SELECT ID FROM IDN_OAUTH_CONSUMER_APPS WHERE
CONSUMER_KEY = ? ) AND TENANT_ID != ? "

   - Parameter 1 (access token state): REVOKED
   - Parameter 2 (token state ID): if the access token is in the active state
     the state ID should be 'NONE'; if in the revoked state it should be
     updated with a unique string
   - Parameter 3 (consumer key): client ID of the OAuth application
   - Parameter 4 (tenant ID): application tenant ID

This gives
com.mysql.jdbc.exceptions.jdbc4.MySQLIntegrityConstraintViolationException:
Duplicate entry
'1-admin-1-PRIMARY-APPLICATION_USER-369db21a386ae433e65c0ff34d357' for key
'CON_APP_KEY', an exception which occurs because of the unique constraint
violation on the CON_APP_KEY index:

Index: CON_APP_KEY
Definition:
  Type: BTREE
  Unique: Yes
  Columns: CONSUMER_KEY_ID, AUTHZ_USER, TENANT_ID, USER_DOMAIN, USER_TYPE,
           TOKEN_SCOPE_HASH, TOKEN_STATE, TOKEN_STATE_ID

Is it possible to perform a multiple-entry update operation without having
to update a single entry at a time in the access token table? Appreciate
your help on this.

Best regards,
Sathya

-- 
Sathya Bandara
Software Engineer
WSO2 Inc. http://wso2.com
Mobile: (+94) 715 360 421
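The failing batch update from this question and the ACTIVE-only form from the reply above, reproduced against an in-memory SQLite database as an added example (not WSO2 code). The schema is reduced to the CON_APP_KEY columns, the consumer key, tenant IDs and token rows are constructed, and sqlite3 stands in for MySQL, which raises the same kind of unique-constraint error.

```python
import sqlite3
import uuid

# Reduced schema (constructed for this example): only the columns that take
# part in the CON_APP_KEY index, plus the link to the consumer app.
SCHEMA = """
CREATE TABLE IDN_OAUTH_CONSUMER_APPS (ID INTEGER PRIMARY KEY, CONSUMER_KEY TEXT UNIQUE);
CREATE TABLE IDN_OAUTH2_ACCESS_TOKEN (
    TOKEN_ID TEXT PRIMARY KEY, CONSUMER_KEY_ID INTEGER NOT NULL,
    AUTHZ_USER TEXT, TENANT_ID INTEGER, USER_DOMAIN TEXT, USER_TYPE TEXT,
    TOKEN_SCOPE_HASH TEXT, TOKEN_STATE TEXT, TOKEN_STATE_ID TEXT);
CREATE UNIQUE INDEX CON_APP_KEY ON IDN_OAUTH2_ACCESS_TOKEN (
    CONSUMER_KEY_ID, AUTHZ_USER, TENANT_ID, USER_DOMAIN, USER_TYPE,
    TOKEN_SCOPE_HASH, TOKEN_STATE, TOKEN_STATE_ID);
"""

# The batch update as first attempted: it rewrites every token of the app
# outside the SP tenant, so rows revoked earlier (each with its own
# TOKEN_STATE_ID) all collapse onto one state id and collide in CON_APP_KEY.
REVOKE_ALL = """
UPDATE IDN_OAUTH2_ACCESS_TOKEN SET TOKEN_STATE = ?, TOKEN_STATE_ID = ?
WHERE CONSUMER_KEY_ID = (SELECT ID FROM IDN_OAUTH_CONSUMER_APPS WHERE CONSUMER_KEY = ?)
  AND TENANT_ID != ?"""

# The corrected form: only ACTIVE rows change. The index allows at most one
# ACTIVE/NONE row per key, so newly revoked rows cannot collide with anything.
REVOKE_ACTIVE = REVOKE_ALL + " AND TOKEN_STATE = 'ACTIVE'"

SP_TENANT = -1234              # tenant that owns the service provider
CLIENT_ID = "sampleClientKey"  # constructed, not a real consumer key


def seeded_db():
    """In-memory database with one app and a constructed token set."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO IDN_OAUTH_CONSUMER_APPS VALUES (1, ?)", (CLIENT_ID,))
    rows = [  # (token_id, tenant, state, state_id); same user/domain/scope throughout
        ("t1", 1, "ACTIVE", "NONE"),              # live token of a tenant-1 user
        ("t2", 1, "REVOKED", str(uuid.uuid4())),  # revoked earlier, own state id
        ("t3", 1, "REVOKED", str(uuid.uuid4())),  # revoked earlier, own state id
        ("t4", SP_TENANT, "ACTIVE", "NONE"),      # SP's own tenant: must not change
    ]
    conn.executemany(
        "INSERT INTO IDN_OAUTH2_ACCESS_TOKEN VALUES (?, 1, 'admin', ?, 'PRIMARY', "
        "'APPLICATION_USER', 'scopehash', ?, ?)", rows)
    conn.commit()
    return conn


def revoke_cross_tenant_tokens(conn, sql):
    """Runs one of the batch updates with a fresh state id.
    Returns (True, rows_changed) or (False, error); a failed UPDATE changes
    nothing because the transaction is rolled back."""
    params = ("REVOKED", str(uuid.uuid4()), CLIENT_ID, SP_TENANT)
    try:
        with conn:
            return True, conn.execute(sql, params).rowcount
    except sqlite3.IntegrityError as exc:
        return False, str(exc)


def token_states(conn):
    return dict(conn.execute("SELECT TOKEN_ID, TOKEN_STATE FROM IDN_OAUTH2_ACCESS_TOKEN"))
```

The first call fails and leaves the table untouched; the second revokes exactly the one live cross-tenant token and leaves the SP tenant's own token active.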


Re: [Dev] [IS] Authorization granted for a SP for a different tenant's user when SaaS is disabled

2017-05-08 Thread Sathya Bandara
Hi Hasanthi,

On Tue, May 9, 2017 at 8:41 AM, Hasanthi Purnima Dissanayake <
hasan...@wso2.com> wrote:

> Hi Sathya,
>
> Does the spec [1] contain any detail about access token revocation?
>
> According to the Oauth 2 spec, revocation of a refresh token should also
> invalidate all access tokens based on the same authorization grant. If the
> token passed to the revocation request is an access token the server may or
> may not revoke the respective refresh token depending on the authorization
> server's revocation policy. Independent of the revocation mechanisms, the
> authorization server may invalidate tokens in order to mitigate security
> threats.
>
> It is evident that we should revoke the refresh token such that user is
>> not permitted to obtain further access tokens for the application.
>
>
> Yes, it is obvious that we should not allow generating access tokens using
> refresh tokens when SaaS is disabled.
>
> In addition to this is it required to invalidate the already-issued access
>> token?
>
>
> IMO the authorization server should revoke even already issued access
> tokens when it disables SaaS. Disabling SaaS conveys that this
> application is no longer shared among other tenants. WDYT?
>
> [1] https://tools.ietf.org/html/rfc7009
>
> Thanks,
>
> Hasanthi Dissanayake
>
> Software Engineer | WSO2
>
> E: hasan...@wso2.com
> M: 0718407133 | http://wso2.com
>
> On Mon, May 8, 2017 at 11:20 PM, Farasath Ahamed <farasa...@wso2.com>
> wrote:
>
>>
>>
>> On Monday, May 8, 2017, Pulasthi Mahawithana <pulast...@wso2.com> wrote:
>>
>>> Hi Sathya,
>>>
>>> I think it would be better to do this with an application mgt listener
>>> rather than doing this at validation time. We can use an
>>> "ApplicationMgtListener.doPostUpdateApplication()" [1] implementation
>>> and invalidate all the tokens issued to users from other tenants when the
>>> application is updated.
>>>
>>
>> I think we need to be careful if we go down the listener path and use the
>> ApplicationMgtListener.doPostUpdateApplication() method. The reason is
>> that this method gets triggered even if you simply press the update button
>> in the Service Provider UI without making any change. Also, what is passed
>> to the method as an argument is the updated Service Provider object.
>> Therefore, it is a bit tricky to figure out whether a change happened at
>> all.
>>
>> Say we wrote the token revocation logic for when the SaaS option changes
>> within this method. Then whenever someone presses update in the Service
>> Provider UI after making a change (or not), it will be tricky to figure
>> out what the change was (did someone disable SaaS, or was it already
>> off?). This method will also be called for unrelated changes like an
>> update to the description etc.
>>
>> And as of now we only remove cache entries for any update in the SP
>> triggered in [1]. That is safe even if no change happened to the SP at
>> all; what we lose is the cached entries, which we can retrieve from the
>> DB. But what we are proposing here is to revoke tokens upon an update in
>> the SP, therefore we need to be careful.
>>
>> IMO, considering that we don't have a straightforward way to identify the
>> change in the updated SP passed to [1], it would be better to have a SaaS
>> check in the required places whenever the user tenant domain and SP tenant
>> domain are different.
>>
>> Or else we need to figure out a way to explicitly pass that the SaaS
>> option was changed.
>>
>>
>> [1] https://github.com/wso2/carbon-identity-framework/blob/master/components/application-mgt/org.wso2.carbon.identity.application.mgt/src/main/java/org/wso2/carbon/identity/application/mgt/listener/AbstractApplicationMgtListener.java#L43
>>
>>
>>
>>>
>>> On Mon, May 8, 2017 at 7:03 PM, Sathya Bandara <sat...@wso2.com> wrote:
>>>
>>>> Hi All,
>>>>
>>>> This is in relation to issue [1], which happens when using a valid
>>>> access token issued to a SaaS-enabled application (application in a
>>>> separate domain, user from another tenant domain). After disabling SaaS,
>>>> it is still possible to use the same access token to access the UserInfo
>>>> endpoint for this user from another tenant. It is also possible to obtain
>>>> a new access token for the SaaS-disabled application by using the issued
>>>> refresh token for a different tenant's user.
>>>>
>>>> For 

[Dev] [IS] Authorization granted for a SP for a different tenant's user when SaaS is disabled

2017-05-08 Thread Sathya Bandara
Hi All,

This is in relation to issue [1], which happens when using a valid access
token issued to a SaaS-enabled application (application in a separate
domain, user from another tenant domain). After disabling SaaS, it is still
possible to use the same access token to access the UserInfo endpoint for
this user from another tenant. It is also possible to obtain a new access
token for the SaaS-disabled application by using the issued refresh token
for a different tenant's user.

For this I have added functionality to validate the tenant domain and to
check whether the SP is SaaS enabled before granting access to the UserInfo
endpoint. It is evident that we should revoke the refresh token, such that
the user is not permitted to obtain further access tokens for the
application. In addition to this, is it required to invalidate the
already-issued access token?

Appreciate your help on this.

[1] https://wso2.org/jira/browse/IDENTITY-4981

Best regards,
Sathya

-- 
Sathya Bandara
Software Engineer
WSO2 Inc. http://wso2.com
Mobile: (+94) 715 360 421


[Dev] [PC] Issue with content based search using multiple mediatypes

2016-04-19 Thread Sathya Bandara
Hi All,

I'm currently working on improving the Advanced Search functionality in
WSO2 Process Center by introducing a content based search on Process Center
assets (PDF, Documents and Process-Text). For this I'm using the registry
service AttributeSearchService to search the indexed assets by specifying
the mediatype.

For performing the content based search using multiple mediatypes, I tried
passing the mediatype value as *"mediatype1 OR mediatype2"* (e.g.
"application/pdf OR text/html"). But this only searches and retrieves the
resource data for the first mediatype in the string that I pass as the
mediatype value. Is this the correct way to pass multiple mediatypes to the
search service? Any help would be highly appreciated.

Best regards,
Sathya


*Sathya Bandara*
Software Engineering Intern
Email: sat...@wso2.com
Mobile: +94 715 360 421


Re: [Dev] [DEV][ES][PC] Adding a new API as an app extension to Process Center

2016-04-04 Thread Sathya Bandara
Hi Sameera,

I was able to resolve the issue by following your suggestions.

Thanks and regards,
Sathya


*Sathya Bandara*
Software Engineering Intern
Email: sat...@wso2.com
Mobile: +94 715 360 421

On Mon, Apr 4, 2016 at 12:29 PM, Sameera Medagammaddegedara <
samee...@wso2.com> wrote:

> Hi Sathya,
>
> The publisher-apis directory is already present in the
> publisher/extensions/app directory. Thus your new extension may not be
> loading.
>
> Please rename the extension and remove the following line from your app.js:
>
> app.dependencies=['publisher-common'];
>
> I have attached a sample app extension containing a "foo" API. Can you
> please try accessing this API by making a request to /apis/foo.
>
> Thank You,
> Sameera
>
> On Mon, Apr 4, 2016 at 11:59 AM, Sathya Bandara <sat...@wso2.com> wrote:
>
>> Hi,
>>
>> I'm in the process of creating an app extension to Process Center -
>> Publisher in order to add a new API. I have created a publisher-apis
>> directory structure under the extensions/app/ directory path. This is my
>> app.js file, where search.jag is the controller that serves the new API.
>>
>> app.dependencies = ['publisher-common'];
>>
>> // Registers the new API endpoint /apis/search, served by search.jag.
>> app.server = function (ctx) {
>>     return {
>>         endpoints: {
>>             apis: [{
>>                 url: 'search',
>>                 path: 'search.jag',
>>                 secured: true
>>             }]
>>         }
>>     };
>> };
>>
>> // Rejects anonymous calls to endpoints marked as secured.
>> app.apiHandlers = function (ctx) {
>>     return {
>>         onApiLoad: function () {
>>             if ((ctx.isAnonContext) && (ctx.endpoint.secured)) {
>>                 //ctx.res.status='401';//sendRedirect(ctx.appContext+'/login');
>>                 print('{ error:"Authentication error" }'); //TODO: Fix this to return a proper status code
>>                 return false;
>>             }
>>             return true;
>>         }
>>     };
>> };
>>
>> And this is my JS function from where the new endpoint is called.
>>
>> if ($("#content").val()) {
>>
>>     var search_url = caramel.tenantedUrl('/apis/search');
>>     $.ajax({
>>         url: search_url,
>>         method: 'POST',
>>         // Send the query as a form field so search.jag can read it as a
>>         // request parameter (a raw 'search-query:...' string is not form-encoded).
>>         data: { 'search-query': $("#content").val() },
>>         success: function (data) {
>>             if (data) {
>>                 console.log("success");
>>             }
>>         },
>>         error: function (xhr, status, error) {
>>             console.log(error);
>>             doPagination = false;
>>             $('.loading-animation-big').remove();
>>         }
>>     });
>> }
>>
>> But it gives me the error: "Unable to locate a suitable endpoint for
>> search". Any help would be highly appreciated.
>>
>> Thanks,
>> Sathya
>>
>>
>> *Sathya Bandara*
>> Software Engineering Intern
>> Email: sat...@wso2.com
>> Mobile: +94 715 360 421
>>
>
>
>
> --
> Sameera Medagammaddegedara
> Software Engineer
>
> Contact:
> Email: samee...@wso2.com
> Mobile: + 94 077 255 3005
>


[Dev] [DEV][ES][PC] Adding a new API as an app extension to Process Center

2016-04-04 Thread Sathya Bandara
Hi,

I'm in the process of creating an app extension to Process Center -
Publisher in order to add a new API. I have created a publisher-apis
directory structure under the extensions/app/ directory path. This is my
app.js file, where search.jag is the controller that serves the new API.

app.dependencies = ['publisher-common'];

// Registers the new API endpoint /apis/search, served by search.jag.
app.server = function (ctx) {
    return {
        endpoints: {
            apis: [{
                url: 'search',
                path: 'search.jag',
                secured: true
            }]
        }
    };
};

// Rejects anonymous calls to endpoints marked as secured.
app.apiHandlers = function (ctx) {
    return {
        onApiLoad: function () {
            if ((ctx.isAnonContext) && (ctx.endpoint.secured)) {
                //ctx.res.status='401';//sendRedirect(ctx.appContext+'/login');
                print('{ error:"Authentication error" }'); //TODO: Fix this to return a proper status code
                return false;
            }
            return true;
        }
    };
};

And this is my JS function from where the new endpoint is called.

if ($("#content").val()) {

    var search_url = caramel.tenantedUrl('/apis/search');
    $.ajax({
        url: search_url,
        method: 'POST',
        // Send the query as a form field so search.jag can read it as a
        // request parameter (a raw 'search-query:...' string is not form-encoded).
        data: { 'search-query': $("#content").val() },
        success: function (data) {
            if (data) {
                console.log("success");
            }
        },
        error: function (xhr, status, error) {
            console.log(error);
            doPagination = false;
            $('.loading-animation-big').remove();
        }
    });
}

But it gives me the error: "Unable to locate a suitable endpoint for
search". Any help would be highly appreciated.

Thanks,
Sathya


*Sathya Bandara*
Software Engineering Intern
Email: sat...@wso2.com
Mobile: +94 715 360 421


Re: [Dev] Dev] [VOTE] Release WSO2 Business Process Server 3.5.1 RC2

2016-01-29 Thread Sathya Bandara
Hi all,

I have tested the bpel samples. No issues found.
[x] Stable - go ahead and release

Thanks and regards,

*Sathya Bandara*
Software Engineering Intern
Email: sat...@wso2.com
Mobile: +94 715 360 421

On Fri, Jan 29, 2016 at 12:04 PM, Natasha Wijesekara <nata...@wso2.com>
wrote:

> Hi All,
>
> I've tested the functionalities of the following components using h2 and
> mysql as the databases :
>
> 1) BPMN-Explorer
> 2) Human-Task Explorer
> 3) Core functionalities of the BPMN REST API
> 4) BPMN and BPEL instance cleanup scripts
> 5) BPEL Process cleanup tool
> 6) BPMN Samples
>
> No issues found.
> [x] Stable - go ahead and release
>
> Thanks and Regards,
> Natasha
>
> On Fri, Jan 29, 2016 at 10:40 AM, Isuru Wijesinghe <isur...@wso2.com>
> wrote:
>
>> Hi All,
>>
>> I've tested the following features for h2 and postgreSQL.
>>
>> 1.) BPMN-Explorer
>> 2.) HumanTask-Explorer
>> 3.) BPMN Data Publisher
>>
>> No issues found.
>> [x] Stable - go ahead and release
>>
>> Thanks and Regards,
>>
>>
>> On Thu, Jan 28, 2016 at 8:00 PM, Firzhan Naqash <firz...@wso2.com> wrote:
>>
>>> Hi Devs,
>>>
>>> This is the second release candidate of WSO2 Business Process Server
>>> 3.5.1
>>>
>>> The vote will be open for 72 hours or as needed. Please download, test
>>> the product and vote.
>>>
>>> ​​This release fixes the following issues:
>>>
>>> https://wso2.org/jira/secure/IssueNavigator.jspa?mode=hide=12625
>>>
>>> Binary distribution is available here:
>>>
>>> https://github.com/wso2/product-bps/releases/download/v3.5.1-RC2/wso2bps-3.5.1.zip
>>>
>>> ​​Source is available here:
>>> https://github.com/wso2/product-bps/archive/v3.5.1-RC2.zip
>>>
>>> ​​Maven staging repo:
>>> http://maven.wso2.org/nexus/content/repositories/orgwso2bps-312/
>>>
>>> ​​The tag to be voted upon:
>>> ​​https://github.com/wso2/product-bps/releases/tag/v3.5.1-RC2
>>>
>>>
>>> [ ] Broken - do not release (explain why)
>>> [ ] Stable - go ahead and release
>>>
>>>
>>> ​Thanks,
>>> ​WSO2 BPS Team,
>>>
>>> Regards,
>>> Firzhan
>>>
>>>
>>> --
>>> *Firzhan Naqash*
>>> Senior Software Engineer - Integration Platform Team
>>> WSO2 Inc. http://wso2.com
>>>
>>> email: firz...@wso2.com
>>> mobile: (+94) 77 9785674
>>> blog: http://firzhanblogger.blogspot.com/
>>> twitter: https://twitter.com/firzhan007 | linked-in: https://www.linkedin.com/in/firzhan
>>>
>>> ___
>>> Dev mailing list
>>> Dev@wso2.org
>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>
>>>
>>
>>
>> --
>> Isuru Wijesinghe
>> *Software Engineer*
>> WSO2 inc : http://wso2.com
>> lean.enterprise.middleware
>> Mobile: 0710933706
>> isur...@wso2.com
>>
>> ___
>> Dev mailing list
>> Dev@wso2.org
>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>
>>
>
>
> --
> Natasha Wijesekare
>
> Software Engineering Intern, WSO2 Inc: http://wso2.com
> email: nata...@wso2.com
> mobile: +94 771358651
>
> ___
> Dev mailing list
> Dev@wso2.org
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>
>


Re: [Dev] WSO2 Committers += Isuru Wijesinghe

2016-01-14 Thread Sathya Bandara
Congratulations Isuru !!

*Sathya Bandara*
Software Engineering Intern
Email: sat...@wso2.com
Mobile: +94 715 360 421

On Thu, Jan 14, 2016 at 1:37 PM, Natasha Wijesekara <nata...@wso2.com>
wrote:

> Congratulations Isuru !
>
> On Thu, Jan 14, 2016 at 1:33 PM, Menaka Jayawardena <men...@wso2.com>
> wrote:
>
>> Congratulations Isuru
>>
>>
>> On Thu, Jan 14, 2016 at 1:19 PM, Samitha Chathuranga <sami...@wso2.com>
>> wrote:
>>
>>> Congrats Isuru..!
>>>
>>> On Thu, Jan 14, 2016 at 12:16 PM, Heshitha Hettihewa <heshit...@wso2.com> wrote:
>>>
>>>> Congrats Isuru..!!!
>>>>
>>>> On Thu, Jan 14, 2016 at 11:53 AM, Nandika Jayawardana <nand...@wso2.com> wrote:
>>>>
>>>>> Hi All,
>>>>>
>>>>> It's my pleasure to announce Isuru Wijesinghe as a WSO2 Committer. He
>>>>> has been a key contributor to the WSO2 Business Process Server and WSO2
>>>>> Process Center Products and in recognition of his work, he had been voted
>>>>> as a WSO2 Committer.
>>>>>
>>>>> Congratulations Isuru and keep up the good work!
>>>>>
>>>>> Regards
>>>>> Nandika
>>>>>
>>>>> --
>>>>> Nandika Jayawardana
>>>>> WSO2 Inc ; http://wso2.com
>>>>> lean.enterprise.middleware
>>>>>
>>>>> ___
>>>>> Dev mailing list
>>>>> Dev@wso2.org
>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Heshitha Hettihewa
>>>> *Software Engineer*
>>>> Mobile : +94716866386
>>>> heshit...@wso2.com
>>>>
>>>> ___
>>>> Dev mailing list
>>>> Dev@wso2.org
>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>
>>>>
>>>
>>>
>>> --
>>> Samitha Chathuranga
>>> Software Engineer, WSO2 Inc.
>>> lean.enterprise.middleware
>>> Mobile: +94715123761
>>>
>>> ___
>>> Dev mailing list
>>> Dev@wso2.org
>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>
>>>
>>
>>
>> --
>> Menaka Madushanka Jayawardena
>> Software Engineering Intern
>> men...@wso2.com
>> Mobile:- +94 71 8851183/ +94 71 3505470
>> LinkedIn - Menaka Jayawardena
>> <https://lk.linkedin.com/in/menakajayawardena>
>>
>> ___
>> Dev mailing list
>> Dev@wso2.org
>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>
>>
>
>
> --
> Natasha Wijesekare
>
> Software Engineering Intern, WSO2 Inc: http://wso2.com
> email: nata...@wso2.com
> mobile: +94 771358651
>
> ___
> Dev mailing list
> Dev@wso2.org
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>
>