Re: [Architecture] Decoupling Client Authentication from OAuth2 Flow

On Mon, Jan 8, 2018 at 4:49 PM, Hasintha Indrajee wrote: > The idea behind this is to decouple the authentication mechanism used by > OAuth2 clients from the rest of the OAuth2 logic, so that different types > of client authenticators can be plugged. For an example according

Re: [Architecture] Decoupling Client Authentication from OAuth2 Flow

Hi Hasintha, On Tue, Jan 9, 2018 at 5:53 PM, Hasintha Indrajee wrote: > We have had several discussions with the objective of making these logics > more reusable. One of the ideas was to use our carbon-auth-rest valve to > authenticate client. Since it has below concerns and

Re: [Architecture] OIDC request object support

On Tuesday, January 23, 2018, Johann Nallathamby wrote: > Hi Hasanthi, > > On Tue, Jan 23, 2018 at 9:31 AM, Hasanthi Purnima Dissanayake < > hasan...@wso2.com> wrote: > >> Hi Johann, >> >> Is there any instance in which IS will throw error to client because it >>> cannot send

Re: [Architecture] Password Rotation Policy Authenticator

Hi All, I agree with Johann, i.e. a) to publish as connector for current version of the product. b) to include this in next viable release in product itself. On a different but related note, IMO connectors are really features, technically. Hence we need to look a way to be publish htme as

Re: [Architecture] Password Rotation Policy Authenticator

On Tue, Jan 23, 2018 at 11:06 AM, Nadun De Silva wrote: > Hi, > > I have been working on *publishing events to IS Analytics* for the > notification system for the expired passwords. > > In the existing implementation to publish events to IS Analytics, a stream > and a publisher

Re: [Architecture] Password Rotation Policy Authenticator

Hi, I have been working on *publishing events to IS Analytics* for the notification system for the expired passwords. In the existing implementation to publish events to IS Analytics, a stream and a publisher for each event type had been bundled together with IS. (The artifacts are installed by

Re: [Architecture] OIDC request object support

Hi Hasanthi, On Tue, Jan 23, 2018 at 9:31 AM, Hasanthi Purnima Dissanayake < hasan...@wso2.com> wrote: > Hi Johann, > > Is there any instance in which IS will throw error to client because it >> cannot send the claim? >> >> Because in the spec it says the following. >> >> Note that even if the

Re: [Architecture] [IAM] [IS 5.5.0] Request Object persistance

Hi Hasanthi, On Tue, Jan 23, 2018 at 9:53 AM, Hasanthi Purnima Dissanayake < hasan...@wso2.com> wrote: > Hi Johann, >> >> Hi All, >>> >>> >>> In this effort we are storing the processed claims from the request >>> object [1] against the code or the access token. The persistence of JWT >>> will

Re: [Architecture] [DAS][Feature] Display the Spark script execution time in the admin console

> > Sorry, I have a typo. What I meant to tell is "last execution duration" > (how long it took to run a spark script last time). Averages are important > to observe any latency introduced, with time. +1. Sometimes script take longer time to execute the script due to hardware limitation. So it is

Re: [Architecture] [Dev] Personal information export API

On Tue, Jan 23, 2018 at 10:35 AM, Omindu Rathnaweera wrote: > > Hi Maduranga, > > On Tue, Jan 23, 2018 at 10:23 AM, Maduranga Siriwardena < > madura...@wso2.com> wrote: > >> Hi all, >> >> Web app name we have come up for this endpoint is api#identity#user#v1.0 >> and the path

Re: [Architecture] [RRT] XACML based scope validator (during OAuth2 token validation)

On Tue, Jan 23, 2018 at 9:49 AM, Senthalan Kanagalingam wrote: > Hi all, > > I have completed the scope validation implementation. But in this > implementation, the entitlement engine has to run for every token > validation request even there is no policy defined by the user

Re: [Architecture] [Dev] Personal information export API

Hi Maduranga, On Tue, Jan 23, 2018 at 10:23 AM, Maduranga Siriwardena wrote: > Hi all, > > Web app name we have come up for this endpoint is api#identity#user#v1.0 > and the path for the endpoint is /pi/users/{userId}. So the whole endpoint > would be > >- for super

Re: [Architecture] [Dev] Personal information export API

Hi all, Web app name we have come up for this endpoint is api#identity#user#v1.0 and the path for the endpoint is /pi/users/{userId}. So the whole endpoint would be - for super tenant, /api/identity/user/v1.0/pi/users/{userId} - for tenant,

Re: [Architecture] [IAM] [IS 5.5.0] Request Object persistance

Hi Johann, > > Hi All, >> >> >> In this effort we are storing the processed claims from the request >> object [1] against the code or the access token. The persistence of JWT >> will happen when the response comes to the authorization endpoint. >> >>1. >> >>Authorization request is sent to

Re: [Architecture] [RRT] XACML based scope validator (during OAuth2 token validation)

Hi all, I have completed the scope validation implementation. But in this implementation, the entitlement engine has to run for every token validation request even there is no policy defined by the user for a particular service provider. PDP have to go through all existing policies to select the

Re: [Architecture] OIDC request object support

Hi Johann, Is there any instance in which IS will throw error to client because it > cannot send the claim? > > Because in the spec it says the following. > > Note that even if the Claims are not available because the End-User did > not authorize their release or they are not present, the

Re: [Architecture] [IAM] [IS 5.5.0] Request Object persistance

Hi Hasanthi, On Fri, Jan 12, 2018 at 2:48 PM, Hasanthi Purnima Dissanayake < hasan...@wso2.com> wrote: > Hi All, > > > In this effort we are storing the processed claims from the request object > [1] against the code or the access token. The persistence of JWT will > happen when the response

Re: [Architecture] OIDC request object support

Hi Hasanthi, On Wed, Oct 11, 2017 at 4:35 PM, Hasanthi Purnima Dissanayake < hasan...@wso2.com> wrote: > Hi All, > > In order to support 'Request Object' we need to support two parameters. > 1. request parameter > 2. request_uri parameter > > > > *1. request_parameter* > The purpose of this

Re: [Architecture] [IAM] [IS 5.5.0] Request Object persistance

Hi All, The flow is implemented as follows. Request Object persistance/ clean up task: 1. Request Object comes with the OIDC authorization request asa query param. 2. Store the processes Request Object along with the session data key in a table. 3. When issuing a code or an access token some

Re: [Architecture] GDPR - Pseudonyms For Username

Hi Maduranga, Idea of this user id is to decouple the username from where it is used inside the system. So in an event of user removal, user id will not give an actual meaning. So this user id is internal to the system and we are not going to use it out side the system. Thanks! *Jayanga

Re: [Architecture] [Dev] Personal information export API

In a federated user scenario, we neither have user information nor email address of the user in a case if the user is not JIT. Hence we won't be able to share consents with user in an offline method. But still for federated users we need to maintain consents which we give out to SPs. We can

Re: [Architecture] [Dev] Personal information export API

Hi Hasintha, We do not need to export anything we do not keep in our databases. Could you please explain further if we need to do anything extra for Federated case. Cheers, Ruwan On Mon, Jan 22, 2018 at 5:33 PM, Hasintha Indrajee wrote: > Just a quick question. How are we

Re: [Architecture] GDPR - Pseudonyms For Username

Hi Jayanga, Now as we are maintaining a userId in our system, shall we use the same as the id in the SCIM requests/responses also, rather than maintaining a separate identifier for SCIM? Thanks, Maduranga. On Thu, Jan 18, 2018 at 7:59 PM, Jayanga Kaushalya wrote: > On Tue,

Re: [Architecture] Personal information export API

Just a quick question. How are we going to cater consents for federated user ? Having consent from 3rd party IDP to IS will not be enough AFAIU. If we are sharing those information through an SP we need to maintain those consents as well. WDYT ? In that case how can federated users download their

Re: [Architecture] Personal information export API

On Mon, Jan 22, 2018 at 5:25 PM, Omindu Rathnaweera wrote: > Hi Maduranga, > > In the consent API we do not have the option to get multiple receipts, the > API only returns a list of receipt IDs for a given search criteria. If you > need to include receipt data of all the

Re: [Architecture] Proposal to Use a Single Set of WSO2 Docker Images for All Container Platforms

On Mon, Jan 22, 2018 at 2:46 PM, Pubudu Gunatilaka wrote: > Hi Imesh, > > It is very convenient if we can reuse the docker image. AFAIU if we follow > the above approach we can use a single docker image in all the container > platforms. > > One of the drawbacks I see with this

Re: [Architecture] Personal information export API

Hi Maduranga, In the consent API we do not have the option to get multiple receipts, the API only returns a list of receipt IDs for a given search criteria. If you need to include receipt data of all the consent entries, you will have to iterate through all the consent IDs and fetch the

[Architecture] Personal information export API

Hi all, We are creating a REST API to export user information for IS 5.5.0. Swagger at [1] is the initial design of the API. In the initial phase we are allowing the data to be exported only by the owner of the profile. At the moment we are planing to export basic user profile information and

Re: [Architecture] Federated IdP Initiated Logout

Hi All, We had the discussion regarding the POC for this feature among the team (Thanuja, Malithi) and please find the call details : 1. Checked the session id (commonAuth id ) is stored against the SAML session index in the map. 2. Checked the SSO tracer whether it has the session id

Re: [Architecture] [DAS][Feature] Display the Spark script execution time in the admin console

Sorry, I have a typo. What I meant to tell is "last execution duration" (how long it took to run a spark script last time). Averages are important to observe any latency introduced, with time. On Mon, Jan 22, 2018 at 3:37 PM, Damith Wickramasinghe wrote: > Hi Nirmal, > > +1

[Architecture] [DAS][Feature] Display the Spark script execution time in the admin console

Hi All, Currently, there's no way to see the last execution time against scheduled spark scripts of DAS. I think it'll be a useful feature for DAS administrators. Wdyt? Further, if we can calculate the average execution times of a spark script during last hour, past day that'll be useful as

Re: [Architecture] Proposal to Use a Single Set of WSO2 Docker Images for All Container Platforms

In API Manager K8s artifacts, what we have followed is not having an image-per-profile method. With the introduction of Config Maps, it has become only two base images - for APIM and Analytics. Its extremely helpful from the maintenance PoV that we have a single set of Dockerfiles, but has a

Re: [Architecture] Proposal to Use a Single Set of WSO2 Docker Images for All Container Platforms

Hi Imesh, It is very convenient if we can reuse the docker image. AFAIU if we follow the above approach we can use a single docker image in all the container platforms. One of the drawbacks I see with this approach is that the user has to update the volume mounts with the necessary jar files,

Re: [Architecture] [IS 5.5.0] Conditional steps based on HTTP context

Hi Sathya, We can use the following way when we address cookies. [1] instead of (which is cumbersome in developer PoV) context.response.headers["Set-Cookie"] = "testcookie=1FD36B269C61; Path=/; Secure; HttpOnly; Expires=Wed, 21 Jan 2018 07:28:00 GMT" e.g. cookies // set a regular cookie

[Architecture] Proposal to Use a Single Set of WSO2 Docker Images for All Container Platforms

Hi All, Currently, we build Docker images for each platform (Docker, Kubernetes, DC/OS, etc) for each WSO2 product profile (EI: Integrator, MB, BPS; API-M: Gateway, Key Manager, Pub/Store, etc). AFAIU, the main reason to do this was bundling platform specific JAR files (membership scheme JAR file