Hi Sarubi,
As Asela pointed out there are use cases for differentiating the access
token not just based on client or user or registered scopes but based on
other environmental attributes. The easiest way of representing these
environmental attributes in OAuth2 and getting unique access tokens in
Hi Malithi, Hi Ajanthan,
OK. So if we think like that, how do you propose we do 2FA for security
question update? Are you implying that we initiate a SSO flow with higher
requested assurance level, so that in IS a step-up authentication is
performed and returned back to the service provider, to
Hi Tharindu,
Currently we have the capability where an admin can link federated accounts
to local accounts using an admin services [1]. Does this mean that we are
going to not support this in the Rest APIs?
Recently we did a POC for a prospect where we had to load the account
mappings to the
Hi Malithi,
I still think Isura has a valid requirement which is not captured in your
response above. What Isura is explaining is not a notification flow; rather
a 2FV flow.
For example, consider the following use case.
If I have to update my challenge question answers, I have to first do a 2FV
Hi Darshana,
On Sat, Sep 28, 2019 at 8:29 PM Darshana Gunawardana
wrote:
> Hi Johann,
>
> On Sat, Sep 21, 2019 at 10:43 AM Johann Nallathamby
> wrote:
>
>> Hi Thanuja,
>>
>> Did we consider sending the access token itself as a secure, http-only
>> c
Hi Prakhash,
On Mon, Sep 23, 2019 at 4:34 PM Prakhash Sivakumar
wrote:
> Hi Johann,
>
> On Sat, Sep 21, 2019 at 7:13 AM Johann Nallathamby
> wrote:
>
>> Hi Thanuja,
>>
>> Did we consider sending the access token itself as a secure, http-only
>> c
> 3.x.x store/publisher.
>>
>> I'm a bit unclear on what do you mean by *"other APIs". *
>>
>> On Wed, Sep 4, 2019 at 10:47 AM Johann Nallathamby
>> wrote:
>>
>>> Hi APIM Team,
>>>
>>> Protecting access tokens in SPAs has been a c
Jaggery layer for the Store/Publisher Rest APIs. Those
also can be proxied through the API Gateway and get the same protection
mechanism.
Thanks & Regards,
Johann.
> On Wed, Sep 4, 2019 at 10:47 AM Johann Nallathamby
> wrote:
>
>> Hi APIM Team,
>>
>> Protecting a
Hi APIM Team,
Protecting access tokens in SPAs has been a complicated affair. Though
there hasn't been a standard solution pattern for this problem, a cookie
based protection approach is what most vendors follow.
With APIM 3.x.x we are supporting cookie based access tokens to protect the
API
Just a suggestion to think about:
As we are introducing a completely new aspect to IS which is to handle
logout requests from federated IdP, isn't it much more cleaner in the code
level to have this as a completely new endpoint instead of mixing it up
with the existing /commonauth endpoint? I am
alan Kanagalingam Please correct me if I'm
> wrong.
>
> Regards,
> Vihanga.
>
> On Mon, Jul 22, 2019 at 12:10 PM Johann Nallathamby
> wrote:
>
>> I think we are confusing on the terms here.
>> 1. "Retrying" is about allowing the user to retry authenti
APIM Team,
We have some additional OAuth2 service provider configurations that are
seen in management console, but not in API Store. When do we plan to
support these in the API Store?
1. PKCE - This is a de facto standard now for mobile app security.
2. Access/refresh/id token expiry times.
3.
t;>>
>> Yes, the requirement is to force to execute the step even though the step
>> is successfully authenticated.
>>
>>
>> Thanks,
>> Senthalan
>>
>>>
>>> Regards,
>>>
>>> On Sun, Jul 21, 2019, 8:14 AM Isha
and still have configurations along with artifacts?
Sorry if I am asking too many questions, but just want to be able to
convince myself that we are doing the right thing here once and for all :)
Thanks & Regards,
Johann.
>
> Hence +1 to treat
>
>- Persist data as a blob (marshalled to
Hi Janak,
Thanks for brining this up. I also noticed this recently when I was doing
some demo for a customer and was planning to send a mail on this.
When we did the OIDC scopes management feature we should have addressed the
OAuth2 scopes management as well. I searched back to see if there has
Hi Isuranga,
Was this resolved?
There are two such tables I can think of. SessionDataStore which has a BLOB
field and IDN_RECOVERY_DATA (names don't suit in both cases). Also I found
a table called IDN_IDENTITY_USER_DATA which I am not sure what it does.
One of these tables should satisfy your
Ignore the question Isura, I think Ruwan's reply contains the answer.
Regards,
Johann.
On Thu, Jul 4, 2019 at 8:48 AM Johann Nallathamby wrote:
> Hi Isura,
>
> On Fri, Jun 7, 2019 at 9:16 AM Isura Karunaratne wrote:
>
>>
>>
>> On Wed, Jun 5, 2019 at 9:34 AM Ru
uot;environment variable" binding
>> logic, to get proper support for environment to environment promotion of
>> artifacts. yet, it can be done with a separate effort than this IMO.
>>
>> Hence +1 to treat
>>
>>- Persist data as a blob (marshalled t
Hi Chamod,
How about supporting 3rd party Key Manager generated JWT access tokens?
Will that work? 'jti' is an optional field as I remember. How would caching
be impacted in that case?
On Fri, Jun 28, 2019 at 10:47 AM Harsha Kumara wrote:
>
>
> On Fri, Jun 28, 2019 at 10:43 AM Harsha Kumara
*Meeting Notes - 30/5/2019*
During the meeting for [1], we also identified some federated account
linking improvements that are currently not supported in WSO2 IS.
A single physical user may have a set of linked local accounts in WSO2
Identity Server. The same physical user may have one or more
it.
Thanks & Regards,
Johann.
On Fri, Apr 19, 2019 at 6:06 PM Johann Nallathamby wrote:
>
>
> On Thu, Apr 18, 2019 at 6:51 PM Ruwan Abeykoon wrote:
>
>> Hi Johann,
>> +1 for implementing the use-case.
>> We need to have a white-board session to capture all
+1 to get rid of the artifacts for user stores. I think this was a wrong
decision we made early on.
On Tue, Jun 4, 2019 at 1:19 PM Hasanthi Purnima Dissanayake <
hasan...@wso2.com> wrote:
> Hi All,
>
> *Problem *
> Currently, some artifacts like userstores , tenants' data, etc are stored
> in
On Mon, Jun 3, 2019 at 6:25 PM Johann Nallathamby wrote:
>
>
> On Mon, Jun 3, 2019 at 5:29 PM Asela Pathberiya wrote:
>
>>
>>
>> On Mon, Jun 3, 2019 at 12:22 PM Johann Nallathamby
>> wrote:
>>
>>> Hi Asela,
>>>
>>>
On Mon, Jun 3, 2019 at 5:29 PM Asela Pathberiya wrote:
>
>
> On Mon, Jun 3, 2019 at 12:22 PM Johann Nallathamby
> wrote:
>
>> Hi Asela,
>>
>> As of now I see 2 potential use cases for scope mappings.
>>
>> 1. There are two different RPs in an or
On Mon, Jun 3, 2019 at 1:05 PM Asela Pathberiya wrote:
>
>
> On Thu, May 23, 2019 at 3:48 PM Asela Pathberiya wrote:
>
>>
>>
>> On Thu, May 23, 2019 at 3:00 PM Johann Nallathamby
>> wrote:
>>
>>> *Problem*
>>>
>>
s mapped to the requested scopes. If we have a
> scope mapping between IS and OP, then we can restrict requesting only the
> mapped scopes from the external IDP.
>
> @Johann Nallathamby Do you have see any other concerns?
>
> So we can overcome that limitation with the
The OAuth2 scopes implementation in IS doesn't support providing a human
readable description that can be shown in to the end-user when providing
consent. Just showing the scope names doesn't help the end-user to decide
whether to grant the scope or not.
The description should also support
of scopes.
Thanks & Regards,
Johann.
On Fri, May 31, 2019 at 9:43 AM Asela Pathberiya wrote:
>
>
> On Fri, May 31, 2019 at 7:58 AM Johann Nallathamby
> wrote:
>
>> *Problem*
>>
>> When we federate to other OpenID Connect Providers, we can send scope
>>
Hi Godwin,
I think the consent management framework in IS is only meant to manage
consent receipts and not the data related to the consent transaction. So I
have an alternative proposal which combines solution 1 and 3 above.
What if we manage the remember device consents through the consent
*Problem*
When we federate to other OpenID Connect Providers, we can send scope
values. However, currently the scope values are fixed per OP we define in
IS. This works fine if the service provider is not a OpenID Connect RP or
an RP not requesting scopes. If we are to support different scope
basic authentication and pass that token to
>> the subsequent handlers?
>>
>> Thanks,
>> Chanaka
>>
>> On Wed, Mar 27, 2019 at 1:33 PM Johann Nallathamby
>> wrote:
>>
>>> [+Roberto Monteiro ,+Fabio Gonçalves
>>> ,+Joao
>>&g
IMO this is the most practical way in
>users perspective.
>
> This can be solved with user claim as described earlier.
Regards,
Johann.
> Thanks,
> Hasanthi
>
>
>>
>>
>>
>>> On Thu, May 23, 2019 at 3:48 PM Asela Pathberiya wrote:
IAM Team,
Lately I've been thinking of a way to support dynamic roles in WSO2 IS.
What triggered me was, we already have a tool to author dynamic role
policies with XACML, albeit its shortcomings. Moreover the limitations in
the tool is an orthogonal problem to this use case I believe. What is
*Problem*
IS currently supports different types of communication channels in the
products with the use of output event adaptor such as Email, SMS, HTTP,
etc. However currently there can be only one channel selected for a given
deployment based on the configuration.
We have a customer requirement
Thanks for the clarification Pulasthi.
Just to add a bit more explanation to Pulasthi's answers,
On Wed, Apr 24, 2019 at 12:56 AM Pulasthi Mahawithana
wrote:
> Hi Johann,
>
> On Fri, Apr 19, 2019 at 6:26 PM Johann Nallathamby
> wrote:
>
>> *[+architecture]*
>>
&
*[+architecture]*
Hi Ruwan,
As mentioned in my original mail, I am calling them "untrusted", because
they are 3rd parties to IS, and we can't guarantee that they will send
authentication requests in a way we want them to send under a particular
scenario.
For example, one of the SCA
*[+architecture]*
Hi Pulasthi,
On Fri, Apr 19, 2019 at 1:36 AM Pulasthi Mahawithana
wrote:
> Hi Johann,
>
> I think if there is an existing session we don't even go into the
>> authentication phase for the adaptive authentication script to be executed.
>>
>
> This is not really the case. The
quirements. However, we can
propose an option how we plan to support it, either via extension or WUM.
Probably this will be on IS 5.8.0.
What I am more keen on deciding is, how we can support this OOTB beyond IS
5.8.0.
Regards,
Johann.
>
> Cheers,
> Ruwan A
>
>
> On Thu, Apr 18
dules to be touched.
>>
>> Can we do this once the release pressure is over? For the prospect, can
>> we say this is in our roadmap.
>>
>> Cheers,
>> Ruwan A
>>
>>
>> On Thu, Apr 18, 2019 at 4:45 PM Johann Nallathamby
>> wrote:
>>
>&
+Pulasthi Mahawithana for his input.
On Thu, Apr 18, 2019 at 5:56 AM Johann Nallathamby wrote:
> In fact the requirement is not only for step-up authentication but also
> just to force username/password authentication authentication based on
> policy in IS.
>
> Thanks &
IAM Team,
I know we just have a facility to store and manage linked local accounts.
However we don't use it anywhere. There have been many customers and/or
leads in the past who have requested for this capability for different
kinds of requirements and mostly we've provided extensions but never
In fact the requirement is not only for step-up authentication but also
just to force username/password authentication authentication based on
policy in IS.
Thanks & Regards,
Johann.
On Thu, Apr 18, 2019 at 5:32 AM Johann Nallathamby wrote:
> IAM Team,
>
> The requirement is
IAM Team,
The requirement is to do step-up authentication using adaptive
authentication script on IS side for an untrusted 3rd party service
provider.
What I mean by untrusted is that, we can't rely on the service provider to
send LOA values or force authentication requests. It should be
Did this implementation continue after this? I also think Ruwan's question
is a valid one.
Thanks & Regards,
Johann.
On Fri, Jan 18, 2019 at 1:30 PM Ruwan Abeykoon wrote:
> Hi Folks,
> I am OK to support Auth0 as federated IdP and supporting WSO2 as federated
> IdP to Auth0.
> I am
lop some
> mediator/handler or even extended keymanager.
>
> Is it possible to get access to the code through some repository ?
>
> Cheers
> Cyril
>
> Le ven. 5 avr. 2019 à 19:27, Johann Nallathamby a
> écrit :
>
>> Hi All,
>>
>> We'v
Hi All,
We've been working on an implementation to support Kerberos constrained and
unconstrained delegation on WSO2 Gateway. We've now successfully integrated
Java and .NET Kerberos clients, with a Kerberos protected .NET service
running on IIS, through WSO2 API Gateway, using constrained and
Hi All,
Please find the Github issues created as below.
On Mon, Mar 25, 2019 at 1:17 PM Johann Nallathamby wrote:
> IAM Team,
>
> I recently had to do a presentation/demo to a customer on GDPR support in
> WSO2 IS. Following are the usability problems I've come across in the
>
, Mar 8, 2019 at 3:20 AM Harsha Kumara wrote:
>>>>>
>>>>>> Is your requirement is to provide basic authentication via clientId
>>>>>> and clientSecret? For the microgateway, it will required to validate the
>>>>>> this by connecting to
IAM Team,
I recently had to do a presentation/demo to a customer on GDPR support in
WSO2 IS. Following are the usability problems I've come across in the
latest version. Would like to get your feedback on this.
1. In all the webinars we've done on GDPR, we talk about IS as a consent
repository
he microgateway, it will required to validate the this
>> by connecting to the key manager and bring the throttling information and
>> etc which will require another API. Else at micro gateway it will required
>> to generate a token using clientd and secret and resume the flow.
>
Key Manager profile. The only downside of this approach is
>> that you would need to run the gateway in the default profile. Which I
>> think is a good trade off rather than complicating the product than it
>> already is.
>>
>> Thanks,
>> NuwanD.
>>
>>
all to the key
manager in option 1 above. We can also add scope validation to our
guideline of when to propose key manager extension.
Thanks & Regards,
Johann.
>
> On Thu, Mar 7, 2019 at 12:54 AM Johann Nallathamby
> wrote:
>
>> APIM Team,
>>
>> I would like to under
*[sending this mail again because previous one wasn't copied to
architecture@wso2.org ]*
Hi Nuwan, Hi Harsha, Hi Chamod,
An additional thought here. Most of the times customers who ask for basic
authentication support are the customers who need to support legacy
external applications I believe;
APIM Team,
I would like to understand what was the original reason we went with a 3rd
party key manager extension in our key manager component, rather than
giving the extensibility to integrate a 3rd party key manager at the
gateway itself.
What are the problems in supporting 3rd party Key
IAM Team,
We've implemented XACML based scope authorization during access token
validation phase. However, it is also important to do this authorization
during authorization_code, access_token, refresh_token and id_token,
issuing phase IMO. Especially for self-contained token use cases, we need
cture] OAuth clients based on a trusted CA" in
architecture@wso2.org
Thanks & Regards,
Johann.
On Tue, Mar 5, 2019 at 3:26 PM Johann Nallathamby wrote:
> APIM Team,
>
> In API Manager it seems like if we check the option to secure APIs using
> Mutual TLS security AND OAu
APIM Team,
In API Manager it seems like if we check the option to secure APIs using
Mutual TLS security AND OAuth2 security for APIs, API Manager checks if
either of the mechanisms are in place. There is no way to enforce both on
an API. There are good number of customers who want to enforce both
IAM Team,
I don't intend to talk about the importance of the claim transformations
during provisioning use cases. Currently to support such cases, we propose
to write custom provisioning connectors or JIT provisioning handlers.
However, I was thinking it would be slick to have a scripting editor
IAM Team,
What do you think of the $subject? Basically if its a Non-SaaS service
provider, the login is restricted to users of the same tenant domain. In
some cases the users are not even aware of their tenancy. In such cases it
may not be practical to ask for the tenant from the user. The tenant
Created https://github.com/wso2/product-is/issues/3897
Regards,
Johann.
On Thu, Nov 1, 2018 at 3:01 PM Prabath Siriwardena wrote:
> +1
>
> Can you please create a new feature request - so we will not miss this
>
> Thanks & regards
> -Prabath
>
> On Thu, N
*Status Quo*
Let's say there are two legitimate service providers A and B. Both A and B
are registered in IdP X as SAML2 service providers. The only difference is
A is enabled to exchange SAML2 assertion with WSO2 IS using SAML2 Bearer
Assertion grant flow. To do this, WSO2 IS's token endpoint is
API Manager Team,
I was thinking about $subject and it seems this is something we've never
discussed extensively in architecture. However I know some customers who
have asked for this. But I don't think we have consensus on what the proper
user experience should be in API Manager. At least I am
the Google Groups
> "WSO2 Engineering Group" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to engineering-group+unsubscr...@wso2.com.
> For more options, visit https://groups.google.com/a/wso2.com/d/optout.
>
--
*Johann Dilanth
>>>>>>>>>>>>>> - currentPassword
>>>>>>>>>>>>>>> - newPassword
>>>>>>>>>>>>>>> properties:
>>>>>>>>>>>>>>>
ingam*
>> *Software Engineer - WSO2 Inc.*
>> *Mobile : +94 (0) 77 18 77 466*
>> <http://wso2.com/signature>
>>
>
>
> --
> Maduranga Siriwardena
> Senior Software Engineer
> WSO2 Inc; http://wso2.com/
>
> Email: madura...@wso2.com
> Mobi
;>> https://github.com/dilee/carbon-identity-framework/tree/feature-oauth-public-client
>>>
>>> Regards.
>>> --
>>> *Dileesha Rajapakse*
>>> Software Engineer | WSO2 Inc.
>>> Mobile: +94 72555933
>>> http://www.dil
On Wed, Jul 18, 2018 at 12:07 PM Farasath Ahamed wrote:
>
>
> On Wed, Jul 18, 2018 at 7:27 AM, Johann Nallathamby
> wrote:
>
>> Hi Dinali,
>>
>> *"IdP initiated SSO"* is something we already support between WSO2 IS
>> and service providers reg
Ltd.
> Web: http://wso2.com/
> Email : gdrdabar...@gmail.com
> LinkedIn <https://lk.linkedin.com/in/dinalidabarera>
> Mobile: +94770198933
>
>
>
>
> <https://lk.linkedin.com/in/dinalidabarera>
>
>
>
>
>
>
>
>
>
>
>
>
>
&
ntha Nallathamby*
Senior Lead Solutions Engineer
WSO2, Inc.
lean.enterprise.middleware
Mobile: *+94 77 7776950*
LinkedIn: *http://www.linkedin.com/in/johann-nallathamby
<http://www.linkedin.com/in/johann-nallathamby>*
Medium: *https://medium.com/@johann_nallathamby
<https://medium.com/@johan
hamby*
Senior Lead Solutions Engineer
WSO2, Inc.
lean.enterprise.middleware
Mobile: *+94 77 7776950*
LinkedIn: *http://www.linkedin.com/in/johann-nallathamby
<http://www.linkedin.com/in/johann-nallathamby>*
Medium: *https://medium.com/@johann_nallathamby
<https://medium.com/@johann_
.
Others: Thoughts? What are your opinions on the two options?
Thanks & Regards,
Johann.
--
*Johann Dilantha Nallathamby*
Senior Lead Solutions Engineer
WSO2, Inc.
lean.enterprise.middleware
Mobile: *+94 77 7776950*
LinkedIn: *http://www.linkedin.com/in/johann-nallathamby
<http://www.linke
aka Jayawardena*
>> Software Engineer
>> WSO2 Inc.
>>
>> Phone: +94 71 350 5470
>> LinkedIn : https://lk.linkedin.com/in/menakajayawardena
>> Blog : https://menakamadushanka.wordpress.com/
>>
>>
>
>
> --
>>>> mobile : +94774078049 <%2B94772207163>
>>>>
>>>>
>>>
>>>
>>> --
>>> Regards,
>>> Uvindra
>>>
>>> Mobile: 33962
>>>
>>
>>
>>
>> --
>> Regards,
>>
o2.com>
>> wrote:
>>
>>> If extensions are coming in the SAML AuthnRequest from the SP, then,
>>> IIRC, that *same extension* will be copied to the AuthnRequest going to
>>> the Federated IdP. Is that behaviour acceptable for this scenario? Please
>>&
iki/display/CEFDIGITAL/How+
> does+it+work+-+eIDAS+solution
> [2] https://ec.europa.eu/cefdigital/wiki/display/CEFDIGITAL/
> 2016/12/16/eIDAS+Technical+Specifications+v.+1.1
> [3] https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
>
> Thanks and Regards
&g
idating
> certificate since it happens in the container level AFAIK. But we may need
> to call to CRL and OCSP endpoints and validate the certificate. Again this
> is an improvement and should be optional.
>
> On Wed, Feb 21, 2018 at 11:25 AM, Johann Nallathamby <joh...@wso2.com>
-ietf-oauth-mtls-07#section-2.1
> [3] https://tools.ietf.org/html/rfc6749#section-2.2
>
> Thanks,
> Sathya
>
> --
> Sathya Bandara
> Software Engineer
> WSO2 Inc. http://wso2.com
> Mobile: (+94) 715 360 421 <+94%2071%20411%205032>
>
>
--
*Johann
On Wed, Feb 7, 2018 at 2:33 PM, Malithi Edirisinghe <malit...@wso2.com>
wrote:
>
>
> On Wed, Feb 7, 2018 at 2:32 AM, Johann Nallathamby <joh...@wso2.com>
> wrote:
>
>> It is in fact an inbound connector. So +1 to use the inbound framework
>> and write a I
Hi Hasanthi,
On Thu, Jan 25, 2018 at 11:30 AM, Johann Nallathamby <joh...@wso2.com>
wrote:
> Hi Hasanthi,
>
> On Wed, Jan 24, 2018 at 11:14 PM, Hasanthi Purnima Dissanayake <
> hasan...@wso2.com> wrote:
>
>> Hi Johann,
>>
>> First of all apolo
nd if the specific requested OIDC claim, is defined in the
>> OIDC dialect, the user has a value for that claim and s/he has approved
>> that claim for the RP, then we can send them to the RP, regardless of
>> whether it is defined in scope or not. Otherwise we are contradicting
On Wed, Jan 24, 2018 at 2:12 PM, Farasath Ahamed <farasa...@wso2.com> wrote:
>
>
> On Tuesday, January 23, 2018, Johann Nallathamby <joh...@wso2.com> wrote:
>
>> Hi Farasath,
>>
>> On Tue, Jan 23, 2018 at 12:13 PM, Farasath Ahamed <farasa...@wso2.com&
Hi Hasanthi,
On Tue, Jan 23, 2018 at 10:59 AM, Johann Nallathamby <joh...@wso2.com>
wrote:
> Hi Hasanthi,
>
> On Tue, Jan 23, 2018 at 9:31 AM, Hasanthi Purnima Dissanayake <
> hasan...@wso2.com> wrote:
>
>> Hi Johann,
>>
>> Is there any instance i
will be
>> validated using JDBCScopeValidator and XACMLScopeValidator.
>> The JDBCScopeValidator was already implemented. The XACMLScopeValidator
>> will create an XACML request from access token and validate using
>> EntitlementService.
>>
>>
>> Thanks an
sers, not by WSO2.
>
> But there are problems in our WUM model when we do feature installation.
> We need to work on this too.
>
> Cheers,
> Ruwan
>
> On Tue, Jan 23, 2018 at 11:21 AM, Johann Nallathamby <joh...@wso2.com>
> wrote:
>
>>
>>
>>
Hi Farasath,
On Tue, Jan 23, 2018 at 12:13 PM, Farasath Ahamed <farasa...@wso2.com>
wrote:
>
>
> On Tuesday, January 23, 2018, Johann Nallathamby <joh...@wso2.com> wrote:
>
>> Hi Hasanthi,
>>
>> On Tue, Jan 23, 2018 at 9:31 AM, Hasanthi Purnima
..@wso2.com> wrote:
>
>> Hi,
>>
>> *@Johann* Thank you for the information. I was able to extend the
>> handler and listen to password change events.
>>
>> Now I am working on publishing data to IS Analytics using the
>> EventStreamService.
>>
>
service provider configuration
must have at least 1 claim. Otherwise what will happen is for every service
provider we need to add all the OIDC claims if they are going to request
claims dynamically, using scopes or requested claims in the request. Do I
make sense or am I missing something?
Regards,
Jo
;redirect_uri": "https://client.example.org/cb;,
>"scope": "openid",
>"state": "af0ifjsldkj",
>"nonce": "n-0S6_WzA2Mj",
>"max_age": 86400,
>"claims":
> {
> "u
>
>
> --
>
> Hasanthi Dissanayake
>
> Senior Software Engineer | WSO2
>
> E: hasan...@wso2.com
> M :0718407133| http://wso2.com <http://wso2.com/>
>
> ___
> Architecture mailing list
> Architecture@wso2.org
bove in the
> request parameter.
>
> As we are planning to provide the implementation as a 5.3.0 WUM update the
> 'acr' implementation will be not available there. So if 'acr' value is
> requested as an essential claim a pre-def
che.tomcat.util.net.NioEndpoint$SocketProcessor.doRun
>>>>>>>> (NioEndpoint.java:1775)
>>>>>>>> at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(N
>>>>>>>> ioEndpoint.java:1734)
>>>>>>>>
On Wed, Jan 17, 2018 at 12:43 PM, Nadun De Silva <nad...@wso2.com> wrote:
> Hi Johann,
>
> On Tue, Jan 16, 2018 at 9:30 PM, Johann Nallathamby <joh...@wso2.com>
> wrote:
>
>> Hi Nadun,
>>
>> On Tue, Jan 16, 2018 at 11:16 AM, Nadun De Silva <nad...@w
gt;>>
>>>> <http://wso2.com/signature>
>>>>
>>>
>>>
>>>
>>> --
>>> Dimuthu Leelarathne
>>> Director, Solutions Architecture
>>>
>>> WSO2, Inc. (http://wso2.com)
>>> email: dimut...@wso
>>>>>>> 502efeb1-cc59-4b62-a197-8c612797933c
>>>>>>>> [2] https://docs.wso2.com/display/IS530/Password+History+Validation
>>>>>>>>
>>>>>>>> Thank you!
>>>>>>>>
>>>>>
e role based policy you are talking and
the role based scope validation we implemented in IS 5.4.0?
Time based policies can be one of the additional policy templates we ship.
Regards,
Johann.
>
> [1] - https://github.com/wso2-extensions/identity-application-authz-xacml
>
> Regards,
*[-IAM, RRT]*
On Mon, Jan 15, 2018 at 8:13 PM, Johann Nallathamby <joh...@wso2.com> wrote:
> Hi Senthalan,
>
> Did you check [1]? In this feature *@Isuranga* implement XACML policy to
> evaluate the permission tree. For this he had to come up with a policy,
> that defi
gineer - WSO2 Inc.*
>> *Mobile : +94 (0) 77 18 77 466*
>> <http://wso2.com/signature>
>>
>
>
>
> --
>
> *Senthalan Kanagalingam*
> *Software Engineer - WSO2 Inc.*
> *Mobile : +94 (0) 77 18 77 466*
> <http://wso2.com/signat
Hi Indunil,
On Fri, Dec 15, 2017 at 7:32 AM, Indunil Upeksha Rathnayake <
indu...@wso2.com> wrote:
> Hi,
>
> At the time, a certificate is issued by a Certificate Authority (CA), it
> is expected to be in use for its entire validity period. However, various
> circumstances may cause a
Hi Indunil,
On Fri, Dec 15, 2017 at 9:02 AM, Indunil Upeksha Rathnayake <
indu...@wso2.com> wrote:
> Hi,
>
> At the time, a certificate is issued by a Certificate Authority (CA), it
> is expected to be in use for its entire validity period. However, various
> circumstances may cause a
062
>
> Thanks and Regards
>
> On Tue, Dec 5, 2017 at 10:56 AM, Indunil Upeksha Rathnayake <
> indu...@wso2.com> wrote:
>
>> Hi,
>>
>> On Tue, Dec 5, 2017 at 9:03 AM, Johann Nallathamby <joh...@wso2.com>
>> wrote:
>>
>>> Hi Induni
1 - 100 of 257 matches
Mail list logo
