Re: [Dev] Handling required claims in ID Token

2017-07-06 Thread KasunG Gajasinghe
Hi Gayan,

As I see it, Denuwanthi is talking about the scenario where the grant type
does generate an ID token. In that case, we need to validate that generated
ID token and make sure the mandatory fields are there.

On Thu, Jul 6, 2017 at 9:55 AM, Gayan Gunawardana  wrote:

> Hi Sagara, Denuwanthi,
>
> There are many ways to write a custom grant type. Even the ClientCredentials
> grant type can be extended to a custom grant type where you do not need to think
> about the ID token. If you can point to an exact example and explain the problem,
> it would be great.
>
> Thanks,
> Gayan


-- 

*Kasun Gajasinghe*
Associate Technical Lead, WSO2 Inc.
email: kasung AT spamfree wso2.com
linked-in: http://lk.linkedin.com/in/gajasinghe
blog: http://kasunbg.org
phone: +1 650-745-4499, 77 678 0813
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
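The post-generation check Kasun describes, written out as an added example that is not from the thread or from the WSO2 code base: decode the payload of the ID token a grant handler produced, look for the five mandatory claims named in the thread, and, when one is missing, return the standard server_error body the thread settled on while the missing claim names go only to the server log. The function names, the sample payloads and the alg-none sample token builder are assumptions made for this example.

```python
import base64
import json

# The ID Token claims that OpenID Connect Core 1.0 marks REQUIRED (the list from the thread).
REQUIRED_ID_TOKEN_CLAIMS = ("iss", "sub", "aud", "exp", "iat")

# The standard error body the thread settled on, returned unchanged to the client.
SERVER_ERROR_RESPONSE = {"error": "server_error", "error_description": "Internal Server Error."}


def b64url_decode(segment: str) -> bytes:
    """JWS uses base64url without padding; restore the padding before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def id_token_claims(id_token: str) -> dict:
    """Return the claim set of a compact JWS (header.payload.signature)."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("ID token is not a three-part compact JWS")
    return json.loads(b64url_decode(parts[1]))


def missing_required_claims(claims: dict) -> list:
    """Names of mandatory claims absent from the claim set, in spec order."""
    return [name for name in REQUIRED_ID_TOKEN_CLAIMS if name not in claims]


def token_response_for(id_token: str, access_token: str):
    """Validate the ID token a (custom) grant handler produced before it is issued.

    Returns (response_body, log_detail). A token lacking a mandatory claim is a
    server-side bug, so the client gets the generic server_error body and the
    specifics (which claims are missing) go only to the server log.
    """
    missing = missing_required_claims(id_token_claims(id_token))
    if missing:
        return SERVER_ERROR_RESPONSE, "ID token missing required claims: " + ", ".join(missing)
    return {"access_token": access_token, "token_type": "Bearer", "id_token": id_token}, None


def build_unsigned_token(payload: dict) -> str:
    """Constructed sample token (alg 'none', empty signature) so the check can be
    exercised without a key; a real deployment signs its ID tokens."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "none"}) + "." + enc(payload) + "."
```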


Re: [Dev] Handling required claims in ID Token

2017-07-05 Thread Sagara Gunathunga
On Thu, Jul 6, 2017 at 9:55 AM, Gayan Gunawardana  wrote:

> Hi Sagara, Denuwanthi,
>
> There are many ways to write a custom grant type. Even the ClientCredentials
> grant type can be extended to a custom grant type where you do not need to think
> about the ID token. If you can point to an exact example and explain the problem,
> it would be great.
>

You can try the default sample mentioned in our docs [1].

[1] https://docs.wso2.com/display/IS530/Writing+a+Custom+OAuth+2.0+Grant+Type

Thanks !

>
> Thanks,
> Gayan



-- 
Sagara Gunathunga

Associate Director / Architect; WSO2, Inc.;  http://wso2.com
V.P Apache Web Services;http://ws.apache.org/
Linkedin; http://www.linkedin.com/in/ssagara
Blog ;  http://ssagara.blogspot.com


Re: [Dev] Handling required claims in ID Token

2017-07-05 Thread Gayan Gunawardana
Hi Sagara, Denuwanthi,

There are many ways to write a custom grant type. Even the ClientCredentials
grant type can be extended to a custom grant type where you do not need to think
about the ID token. If you can point to an exact example and explain the problem,
it would be great.

Thanks,
Gayan

On Tue, Jul 4, 2017 at 9:37 PM, Denuwanthi De Silva 
wrote:

> Thank you Sagara for the response.
> Yes, as you mentioned, it seems logical to use the server error response.
> I will proceed with that.
>
>
> Thanks,
>


-- 
Gayan Gunawardana
Senior Software Engineer; WSO2 Inc.; http://wso2.com/
Email: ga...@wso2.com
Mobile: +94 (71) 8020933


Re: [Dev] Handling required claims in ID Token

2017-07-04 Thread Denuwanthi De Silva
Thank you Sagara for the response.
Yes, as you mentioned, it seems logical to use the server error response.
I will proceed with that.


Thanks,

On Tue, Jul 4, 2017 at 7:08 PM, Sagara Gunathunga  wrote:

>
> IMO what happens here is that the server cannot generate a valid IDToken. "Internal
> Server Error" can properly describe this behavior, so it is better to use that
> code; returning a custom code may cause interoperability issues as well.
>
> Thanks !
>


-- 
Denuwanthi De Silva
Senior Software Engineer;
WSO2 Inc.; http://wso2.com,
Email: denuwan...@wso2.com
Blog: https://denuwanthi.wordpress.com/


Re: [Dev] Handling required claims in ID Token

2017-07-04 Thread Sagara Gunathunga
On Tue, Jul 4, 2017 at 6:54 PM, Denuwanthi De Silva 
wrote:

> Hi,
>
> In the OIDC spec, the following claims are mentioned as mandatory:
> - iss
> - sub
> - aud
> - exp
> - iat
>
> Currently, as mentioned in JIRA [1], it is possible to write a custom OAuth2
> grant type which returns an IDToken without the "sub" claim.
>
> When we handle this scenario, there is a small concern
> that needs to be clarified.
>
> - When analyzing the spec, we could not find any instance where it mentions
> the error message to display in such a scenario.
> In that case, shall we come up with a *new error message*?
> {"error_description":"custom description.","error":"custom_error"}
>
> - or throw a server exception and send the standard *server error*
> message?
> ex:
> {"error_description":"Internal Server Error.","error":"server_error"}
>

IMO what happens here is that the server cannot generate a valid IDToken. "Internal
Server Error" can properly describe this behavior, so it is better to use that
code; returning a custom code may cause interoperability issues as well.

Thanks !

>
>
> Appreciate any input on how to proceed with this.
>
> [1]https://wso2.org/jira/browse/IDENTITY-6088
> [2]http://openid.net/specs/openid-connect-core-1_0.html#IDToken
>
> Thanks,



-- 
Sagara Gunathunga

Associate Director / Architect; WSO2, Inc.;  http://wso2.com
V.P Apache Web Services;http://ws.apache.org/
Linkedin; http://www.linkedin.com/in/ssagara
Blog ;  http://ssagara.blogspot.com