Re: [Dev] Handling required claims in ID Token
Hi Gayan,

As I see, Denuwanthi is talking about the scenario where the grant type does generate an ID Token. In that case, we need to validate that generated ID Token, where we need to make sure the mandatory fields are there.

On Thu, Jul 6, 2017 at 9:55 AM, Gayan Gunawardana wrote:
> Hi Sagara, Denuwanthi,
>
> There are many ways to write a custom grant type. Even the ClientCredentials
> grant type can be extended to a custom grant type where we do not need to think
> about the ID Token. If you can point to an exact example and explain the problem,
> it would be great.
>
> Thanks,
> Gayan

--
Kasun Gajasinghe
Associate Technical Lead, WSO2 Inc.
email: kasung AT spamfree wso2.com
linked-in: http://lk.linkedin.com/in/gajasinghe
blog: http://kasunbg.org
phone: +1 650-745-4499, 77 678 0813

___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
Re: [Dev] Handling required claims in ID Token
On Thu, Jul 6, 2017 at 9:55 AM, Gayan Gunawardana wrote:
> Hi Sagara, Denuwanthi,
>
> There are many ways to write a custom grant type. Even the ClientCredentials
> grant type can be extended to a custom grant type where we do not need to think
> about the ID Token. If you can point to an exact example and explain the problem,
> it would be great.

You can try the default sample mentioned in our docs [1].

[1] https://docs.wso2.com/display/IS530/Writing+a+Custom+OAuth+2.0+Grant+Type

Thanks!

> Thanks,
> Gayan

--
Sagara Gunathunga

Associate Director / Architect; WSO2, Inc.; http://wso2.com
V.P Apache Web Services; http://ws.apache.org/
Linkedin: http://www.linkedin.com/in/ssagara
Blog: http://ssagara.blogspot.com
Re: [Dev] Handling required claims in ID Token
Hi Sagara, Denuwanthi,

There are many ways to write a custom grant type. Even the ClientCredentials grant type can be extended to a custom grant type where we do not need to think about the ID Token. If you can point to an exact example and explain the problem, it would be great.

Thanks,
Gayan

On Tue, Jul 4, 2017 at 9:37 PM, Denuwanthi De Silva wrote:
> Thank you Sagara for the response.
> Yes, as you mentioned, it seems logical to use the server error response.
> Will proceed with that.
>
> Thanks,

--
Gayan Gunawardana
Senior Software Engineer; WSO2 Inc.; http://wso2.com/
Email: ga...@wso2.com
Mobile: +94 (71) 8020933
Re: [Dev] Handling required claims in ID Token
Thank you Sagara for the response.
Yes, as you mentioned, it seems logical to use the server error response.
Will proceed with that.

Thanks,

On Tue, Jul 4, 2017 at 7:08 PM, Sagara Gunathunga wrote:
> IMO what happens here is that the server cannot generate a valid ID Token.
> "Internal Server Error" can properly describe this behavior, so better to use
> that code; returning a custom code may cause interoperability issues as well.
>
> Thanks!

--
Denuwanthi De Silva
Senior Software Engineer;
WSO2 Inc.; http://wso2.com,
Email: denuwan...@wso2.com
Blog: https://denuwanthi.wordpress.com/
Re: [Dev] Handling required claims in ID Token
On Tue, Jul 4, 2017 at 6:54 PM, Denuwanthi De Silva wrote:
> Hi,
>
> In the OIDC spec, the following claims are mentioned as mandatory:
> - iss
> - sub
> - aud
> - exp
> - iat
>
> Currently, as mentioned in jira [1], it is possible to write a custom OAuth2
> grant type which returns an ID Token without the "sub" claim.
>
> When we handle this scenario, there is a small concern that needs to be clarified.
>
> - When analyzing the spec, we could not find any instance where it mentioned
> the error message to display in such a scenario.
> In that case, shall we come up with a *new error message*?
> {"error_description":"custom description.","error":"custom_error"}
>
> - or throw a server exception and send the standard *server error* message?
> ex:
> {"error_description":"Internal Server Error.","error":"server_error"}

IMO what happens here is that the server cannot generate a valid ID Token. "Internal Server Error" can properly describe this behavior, so better to use that code; returning a custom code may cause interoperability issues as well.

Thanks!

> Appreciate any input on how to proceed with this.
>
> [1] https://wso2.org/jira/browse/IDENTITY-6088
> [2] http://openid.net/specs/openid-connect-core-1_0.html#IDToken
>
> Thanks,
> --
> Denuwanthi De Silva
> Senior Software Engineer;
> WSO2 Inc.; http://wso2.com,
> Email: denuwan...@wso2.com
> Blog: https://denuwanthi.wordpress.com/

--
Sagara Gunathunga

Associate Director / Architect; WSO2, Inc.; http://wso2.com
V.P Apache Web Services; http://ws.apache.org/
Linkedin: http://www.linkedin.com/in/ssagara
Blog: http://ssagara.blogspot.com
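The check discussed in this thread, validating a generated ID Token for the five mandatory claims and answering with the standard server_error body rather than a custom code, as an added Python example. This is not WSO2 Identity Server code; the unsigned-JWT helper, the function names and the sample claim values are constructed for the example, and signature verification is assumed to happen elsewhere.

```python
import base64
import json

# Claims the OIDC Core spec (reference [2] in the thread) lists as REQUIRED in every ID Token.
REQUIRED_CLAIMS = ("iss", "sub", "aud", "exp", "iat")

# The standard OAuth2 error body the thread settles on when the server cannot build a valid ID Token.
SERVER_ERROR = {"error": "server_error", "error_description": "Internal Server Error."}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_unsigned_id_token(claims: dict) -> str:
    """Constructed test helper: serialise claims as an unsigned (alg=none) JWT.

    Real ID Tokens are signed; this only produces input for the claim check below.
    """
    header = _b64url_encode(json.dumps({"alg": "none"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def missing_required_claims(id_token: str) -> list:
    """Return the names of mandatory claims that are absent or empty.

    Signature verification is out of scope here (assumed done separately); an
    undecodable token is reported as missing every required claim so it is never accepted.
    """
    try:
        payload = json.loads(_b64url_decode(id_token.split(".")[1]))
    except (IndexError, ValueError):
        return list(REQUIRED_CLAIMS)
    if not isinstance(payload, dict):
        return list(REQUIRED_CLAIMS)
    return [c for c in REQUIRED_CLAIMS if payload.get(c) in (None, "", [])]


def token_response(id_token: str) -> dict:
    """Body a token endpoint returns for a grant type that produced id_token.

    A token missing any mandatory claim is not an interoperable ID Token, so the
    standard server_error body is returned instead of a custom error code.
    """
    if missing_required_claims(id_token):
        return SERVER_ERROR
    return {"token_type": "Bearer", "id_token": id_token}
```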