Re: [Dev] Confidential Applications in OAuth2 Flow

2018-01-04 Thread Tharindu Edirisinghe
What would be the default values of client authentication? We need to look
into the IS-KM scenario as well, where the SP is generated upon key generation.

Also, would there be options to support this with dynamic client
registration as well?

Regards,
TharinduE

On Fri, Jan 5, 2018 at 9:53 AM, Isura Karunaratne  wrote:

> Hi Hasintha,
>
> On Thu, Jan 4, 2018 at 2:10 PM, Hasintha Indrajee 
> wrote:
>
>> A confidential application in OAuth2 flow is an application which
>> requires client authentication before retrieving an access token.
>>
>> According to the current implementation we can define confidential
>> applications just per grant type, i.e. we can define that all applications
>> which use the authorization code grant should be confidential. We do not
>> have the flexibility to decide whether a specific application should be
>> confidential or not.
>>
>> As a solution we can bring this config to the UI and have a per-application
>> configuration in the UI. If we bring this option to the UI level / per
>> application, we can define the confidentiality of an application, but in
>> contrast we will miss the ability to define whether a specific type of grant
>> should be confidential or not for a specific application.
>>
>> In order to cater to both application-level and grant-type-level
>> confidentiality we may need to have configurations per grant type. WDYT?
>>
>
> IMO, it is enough to have the configuration at SP level.
>
> We can cater to grant-type-wise confidentiality by creating Service
> Providers per grant type.
>
> Thanks
> Isura.
>
>
>>
>>
>> --
>> Hasintha Indrajee
>> WSO2, Inc.
>> Mobile:+94 771892453
>>
>>
>
>
> --
>
> *Isura Dilhara Karunaratne*
> Associate Technical Lead | WSO2
> Email: is...@wso2.com
> Mob : +94 772 254 810 <+94%2077%20225%204810>
> Blog : http://isurad.blogspot.com/
>
>
>
>
> ___
> Dev mailing list
> Dev@wso2.org
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>
>


-- 

Tharindu Edirisinghe
Senior Software Engineer | WSO2 Inc
Platform Security Team
Blog : http://tharindue.blogspot.com
mobile : +94 775181586

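Tharindu asks above whether this could also be supported through dynamic client registration. As an added example, not WSO2 Identity Server code, the following shows how an RFC 7591 registration request already carries the confidential/public choice in token_endpoint_auth_method, what the default is when the request omits it, and how a registration endpoint would use that to decide whether to issue a client secret at all. register_client, is_confidential and the request dicts are constructed for this illustration; the only external facts relied on are the RFC 7591 defaults and RFC 6749 section 4.4 (client_credentials is for confidential clients only).

```python
# Added illustration, not WSO2 Identity Server's DCR endpoint. Request dicts
# and function names are constructed for this example.
import secrets
from typing import Any, Dict

SUPPORTED_AUTH_METHODS = {"none", "client_secret_basic", "client_secret_post"}
REDIRECT_GRANTS = {"authorization_code", "implicit"}


def _error(code: str, description: str) -> Dict[str, Any]:
    """RFC 7591 s3.2.2 error body."""
    return {"error": code, "error_description": description}


def register_client(request: Dict[str, Any]) -> Dict[str, Any]:
    """Apply RFC 7591 defaults, decide confidentiality, issue credentials."""
    # RFC 7591 s2: an omitted token_endpoint_auth_method means
    # client_secret_basic, so a request that says nothing registers a
    # confidential client. Omitted grant_types means authorization_code only.
    method = request.get("token_endpoint_auth_method", "client_secret_basic")
    grant_types = list(request.get("grant_types", ["authorization_code"]))
    redirect_uris = list(request.get("redirect_uris", []))

    if method not in SUPPORTED_AUTH_METHODS:
        return _error("invalid_client_metadata",
                      f"unsupported token_endpoint_auth_method {method!r}")
    if method == "none" and "client_credentials" in grant_types:
        # RFC 6749 s4.4: client_credentials is for confidential clients only.
        return _error("invalid_client_metadata",
                      "client_credentials requires client authentication")
    if REDIRECT_GRANTS & set(grant_types) and not redirect_uris:
        return _error("invalid_redirect_uri",
                      "redirect_uris is required for redirect-based grants")

    response: Dict[str, Any] = {
        "client_id": secrets.token_urlsafe(16),
        "token_endpoint_auth_method": method,
        "grant_types": grant_types,
        "redirect_uris": redirect_uris,
    }
    if method != "none":
        # Only a confidential client receives a secret. RFC 7591 s3.2.1:
        # client_secret_expires_at is required when a secret is issued; 0 means
        # it does not expire.
        response["client_secret"] = secrets.token_urlsafe(32)
        response["client_secret_expires_at"] = 0
    return response


def is_confidential(registration: Dict[str, Any]) -> bool:
    """What the token endpoint later consults for this client."""
    return registration["token_endpoint_auth_method"] != "none"


if __name__ == "__main__":
    # Constructed requests: one silent on the auth method, one explicitly public.
    print(register_client({"redirect_uris": ["https://app.example/cb"]}))
    print(register_client({"redirect_uris": ["https://spa.example/cb"],
                           "token_endpoint_auth_method": "none"}))
```

Note that token_endpoint_auth_method in RFC 7591 is a single value for the whole client, so registration metadata can answer "is this application confidential?" but not "for which grant types?"; a per-grant-type setting of the kind discussed in this thread would have to be a server-side extension or a separate registration per grant type.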

Re: [Dev] Confidential Applications in OAuth2 Flow

2018-01-04 Thread Isura Karunaratne
Hi Hasintha,

On Thu, Jan 4, 2018 at 2:10 PM, Hasintha Indrajee  wrote:

> A confidential application in OAuth2 flow is an application which requires
> client authentication before retrieving an access token.
>
> According to the current implementation we can define confidential
> applications just per grant type, i.e. we can define that all applications
> which use the authorization code grant should be confidential. We do not
> have the flexibility to decide whether a specific application should be
> confidential or not.
>
> As a solution we can bring this config to the UI and have a per-application
> configuration in the UI. If we bring this option to the UI level / per
> application, we can define the confidentiality of an application, but in
> contrast we will miss the ability to define whether a specific type of grant
> should be confidential or not for a specific application.
>
> In order to cater to both application-level and grant-type-level
> confidentiality we may need to have configurations per grant type. WDYT?
>

IMO, it is enough to have the configuration at SP level.

We can cater to grant-type-wise confidentiality by creating Service
Providers per grant type.

Thanks
Isura.


>
>
> --
> Hasintha Indrajee
> WSO2, Inc.
> Mobile:+94 771892453
>
>


-- 

*Isura Dilhara Karunaratne*
Associate Technical Lead | WSO2
Email: is...@wso2.com
Mob : +94 772 254 810
Blog : http://isurad.blogspot.com/


Re: [Dev] Confidential Applications in OAuth2 Flow

2018-01-04 Thread Hasintha Indrajee
On Thu, Jan 4, 2018 at 2:38 PM, Rushmin Fernando  wrote:

> IMO, a UI like the one below would solve the problem.
>
> *State 1*
>
> ☑ All
>  ☑ Authorization Code
>  ☑ Implicit
>
> *State 2*
>
> ☐ All
> ☑ Authorization Code
> ☐ Implicit
>
>
> And we don't need to globally make a grant type confidential, right? IMO we
> can get rid of it since it makes things a bit complex. Do we have a real use
> case for that?
>
>
>
>
> On Thu, Jan 4, 2018 at 2:10 PM, Hasintha Indrajee 
> wrote:
>
>> A confidential application in OAuth2 flow is an application which
>> requires client authentication before retrieving an access token.
>>
>> According to the current implementation we can define confidential
>> applications just per grant type, i.e. we can define that all applications
>> which use the authorization code grant should be confidential. We do not
>> have the flexibility to decide whether a specific application should be
>> confidential or not.
>>
>> As a solution we can bring this config to the UI and have a per-application
>> configuration in the UI. If we bring this option to the UI level / per
>> application, we can define the confidentiality of an application, but in
>> contrast we will miss the ability to define whether a specific type of grant
>> should be confidential or not for a specific application.
>>
>> In order to cater to both application-level and grant-type-level
>> confidentiality we may need to have configurations per grant type. WDYT?
>>
>>
>> --
>> Hasintha Indrajee
>> WSO2, Inc.
>> Mobile:+94 771892453
>>
>>
>>
>>
>
>
> --
> *Best Regards*
>
> *Rushmin Fernando*
> *Technical Lead*
>
> WSO2 Inc.  - Lean . Enterprise . Middleware
>
> mobile : +94775615183
>
>
>


-- 
Hasintha Indrajee
WSO2, Inc.
Mobile:+94 771892453


Re: [Dev] Confidential Applications in OAuth2 Flow

2018-01-04 Thread Rushmin Fernando
IMO, a UI like the one below would solve the problem.

*State 1*

☑ All
 ☑ Authorization Code
 ☑ Implicit

*State 2*

☐ All
☑ Authorization Code
☐ Implicit


And we don't need to globally make a grant type confidential, right? IMO we
can get rid of it since it makes things a bit complex. Do we have a real use
case for that?




On Thu, Jan 4, 2018 at 2:10 PM, Hasintha Indrajee  wrote:

> A confidential application in OAuth2 flow is an application which requires
> client authentication before retrieving an access token.
>
> According to the current implementation we can define confidential
> applications just per grant type, i.e. we can define that all applications
> which use the authorization code grant should be confidential. We do not
> have the flexibility to decide whether a specific application should be
> confidential or not.
>
> As a solution we can bring this config to the UI and have a per-application
> configuration in the UI. If we bring this option to the UI level / per
> application, we can define the confidentiality of an application, but in
> contrast we will miss the ability to define whether a specific type of grant
> should be confidential or not for a specific application.
>
> In order to cater to both application-level and grant-type-level
> confidentiality we may need to have configurations per grant type. WDYT?
>
>
> --
> Hasintha Indrajee
> WSO2, Inc.
> Mobile:+94 771892453
>
>
>
>


-- 
*Best Regards*

*Rushmin Fernando*
*Technical Lead*

WSO2 Inc.  - Lean . Enterprise . Middleware

mobile : +94775615183


[Dev] Confidential Applications in OAuth2 Flow

2018-01-04 Thread Hasintha Indrajee
A confidential application in OAuth2 flow is an application which requires
client authentication before retrieving an access token.

According to the current implementation we can define confidential
applications just per grant type, i.e. we can define that all applications
which use the authorization code grant should be confidential. We do not have
the flexibility to decide whether a specific application should be
confidential or not.

As a solution we can bring this config to the UI and have a per-application
configuration in the UI. If we bring this option to the UI level / per
application, we can define the confidentiality of an application, but in
contrast we will miss the ability to define whether a specific type of grant
should be confidential or not for a specific application.

In order to cater to both application-level and grant-type-level
confidentiality we may need to have configurations per grant type. WDYT?


-- 
Hasintha Indrajee
WSO2, Inc.
Mobile:+94 771892453
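The decision Hasintha's post describes (does this application have to authenticate before it gets a token, and can that depend on the grant type?) and the two checkbox states in Rushmin's UI sketch, carried through to the token endpoint's client-authentication step, as an added example that is not WSO2 Identity Server code. The OAuthApp model, the APPS registry, the request strings and all function names are constructed for this illustration; confidential_grants=None stands for "All" ticked, a set stands for "All" unticked with individual grant types ticked. Credential extraction follows RFC 6749 section 2.3.1 (client_secret_basic and client_secret_post, never both in one request).

```python
# Added illustration, not WSO2 Identity Server code. OAuthApp, APPS and the
# sample requests are constructed here.
import base64
import hmac
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple
from urllib.parse import parse_qs


@dataclass(frozen=True)
class OAuthApp:
    """Service-provider-level settings (hypothetical model)."""
    client_id: str
    client_secret: Optional[str]      # None: no secret issued, i.e. a public client
    # None = "All" ticked: every grant type needs client authentication.
    # A set = "All" unticked with individual grant types ticked.
    confidential_grants: Optional[FrozenSet[str]] = None


def requires_client_auth(app: OAuthApp, grant_type: str) -> bool:
    """Must this application authenticate when it uses this grant type?"""
    if app.client_secret is None:
        return False                  # public client: nothing it could present
    if app.confidential_grants is None:
        return True
    return grant_type in app.confidential_grants


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """client_secret_basic header value (RFC 6749 s2.3.1), ASCII ids assumed."""
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def _presented_credentials(headers: Dict[str, str], form: Dict[str, List[str]]
                           ) -> Tuple[Optional[Tuple[str, str]], Optional[str]]:
    """Return ((client_id, secret) or None, error-code or None)."""
    basic = post = None
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            decoded = base64.b64decode(auth[6:], validate=True).decode()
        except ValueError:            # binascii.Error and UnicodeDecodeError
            return None, "invalid_request"
        user, sep, pw = decoded.partition(":")
        if not sep:
            return None, "invalid_request"
        basic = (user, pw)
    if "client_secret" in form:       # client_secret_post
        post = (form.get("client_id", [""])[0], form["client_secret"][0])
    if basic and post:
        return None, "invalid_request"   # RFC 6749 s2.3: one method per request
    return basic or post, None


def handle_token_request(apps: Dict[str, OAuthApp], headers: Dict[str, str],
                         body: str) -> dict:
    """Client-authentication stage of the token endpoint; returns a result
    dict instead of building the HTTP response."""
    form = parse_qs(body, keep_blank_values=True)
    grant_type = form.get("grant_type", [""])[0]
    creds, error = _presented_credentials(headers, form)
    if error:
        return {"status": 400, "error": error}
    client_id = creds[0] if creds else form.get("client_id", [""])[0]
    app = apps.get(client_id)
    if app is None:
        return {"status": 401, "error": "invalid_client"}
    if creds is not None:
        # Credentials were sent, so they must verify even for a grant type that
        # does not demand them; a public client has no secret to verify against.
        ok = app.client_secret is not None and hmac.compare_digest(
            creds[1].encode(), app.client_secret.encode())
        if not ok:
            return {"status": 401, "error": "invalid_client"}
        return {"status": 200, "client_id": client_id, "authenticated": True}
    if requires_client_auth(app, grant_type):
        return {"status": 401, "error": "invalid_client"}
    return {"status": 200, "client_id": client_id, "authenticated": False}


# Constructed sample registry: State 1, State 2, and a public client.
APPS = {
    "web-app": OAuthApp("web-app", "s3cret-web"),
    "mixed-app": OAuthApp("mixed-app", "s3cret-mixed", frozenset({"authorization_code"})),
    "spa": OAuthApp("spa", None),
}

if __name__ == "__main__":
    hdr = {"Authorization": basic_auth_header("web-app", "s3cret-web")}
    print(handle_token_request(APPS, {}, "grant_type=authorization_code&client_id=web-app&code=x"))
    print(handle_token_request(APPS, hdr, "grant_type=authorization_code&code=x"))
    print(handle_token_request(APPS, {}, "grant_type=refresh_token&client_id=mixed-app&refresh_token=x"))
    print(handle_token_request(APPS, {}, "grant_type=authorization_code&client_id=spa&code=x"))
```

Two points a reviewer of the real setting would want checked: presented credentials are always verified, so a "not confidential for this grant" setting never turns a wrong secret into a pass; and the implicit grant returns its token from the authorization endpoint, never the token endpoint, so a tick against "Implicit" in a per-grant-type setting has nothing to enforce at this step.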