[Dev] How to retrieve additional query parameters from Authentication request in Adaptive Authentication Script

2020-08-11 Thread gayan gunawardana
Hi Devs,

I am sending an additional query parameter with the SAML request as below

https://localhost:9443/samlsso?SAMLRequest=&test_param=test_param

I need to retrieve test_param from the authentication script. As per [1] I
was trying with the below script but it didn't work

var testParam = context.request.params["test_param"];
Log.info("Test Param:" + testParam);

Could you help?

[1]
https://is.docs.wso2.com/en/latest/references/adaptive-authentication-js-api-reference/#request-object


-- 
Gayan
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


Re: [Dev] How to disable SCIM in IS 5.10.0

2020-05-30 Thread gayan gunawardana
Thanks Ashen, Isura. Yes it is understandable.

On Sat, May 30, 2020 at 11:39 AM Isura Karunaratne  wrote:

> Hi Gayan,
>
> We are in the process of supporting all the Identity Server operations
> through REST APIs. SCIM APIs are used for user management and it will be
> available for all the user stores by default.  As Ashen mentioned, we have
> removed the capability of disabling the SCIM support per user stores.
>
> Cheers,
> Isura.
>
> On Thu, May 28, 2020 at 9:55 PM Ashen Weerathunga  wrote:
>
>> Hi Gayan,
>>
>> From IS 5.10.0 onwards we have enabled SCIM2 by default in the product
>> with the new unique ID based userstore managers. We have removed the
>> disabling option as we will be using the user ID concept moving forward in
>> the product and new portals also using the SCIM API for user management.
>>
>> Thanks,
>> Ashen
>>
>> On Thu, May 28, 2020 at 9:06 PM gayan gunawardana <
>> gmgunaward...@gmail.com> wrote:
>>
>>> Hi Team,
>>>
>>> I was trying to disable SCIM for primary user store in IS 5.10.0.
>>> However I couldn't find necessary property from documentation [1]. Is there
>>> a way to disable SCIM in IS 5.10.0 ?
>>>
>>> [1]
>>> https://is.docs.wso2.com/en/latest/setup/configuring-a-read-write-ldap-user-store/#configuring-a-read-write-ldap-user-store
>>>
>>>
>>> Thanks,
>>> Gayan
>>>
>>
>>
>> --
>> Ashen Weerathunga | Senior Software Engineer | WSO2 Inc.
>> (m) +94716042995 | (w) +94112145345 | Email: as...@wso2.com
>>
>>
>>
>
>
> --
>
> *Isura Dilhara Karunaratne*
> Technical Lead | WSO2 <http://wso2.com/>
> *lean.enterprise.middleware*
> Email: is...@wso2.com
> Mob : +94 772 254 810
> Blog : https://medium.com/@isurakarunaratne
>
>
>
>

-- 
Gayan


[Dev] How to disable SCIM in IS 5.10.0

2020-05-28 Thread gayan gunawardana
Hi Team,

I was trying to disable SCIM for primary user store in IS 5.10.0. However I
couldn't find necessary property from documentation [1]. Is there a way to
disable SCIM in IS 5.10.0 ?

[1]
https://is.docs.wso2.com/en/latest/setup/configuring-a-read-write-ldap-user-store/#configuring-a-read-write-ldap-user-store


Thanks,
Gayan


Re: [Dev] [Iam-dev] Cross Protocol SLO

2020-05-14 Thread gayan gunawardana
Thanks Janak!

On Thu, May 14, 2020 at 10:51 PM Janak Amarasena  wrote:

> Hi Gayan,
>
> There is no specific configuration needed.
>
> Best Regards,
> Janak
>
>
> On Wed, May 13, 2020 at 9:18 AM gayan gunawardana 
> wrote:
>
>> Hi IAM team,
>> Referring to cross protocol single logout [1], what are the
>> configurations need to be changed in order to enable cross protocol single
>> logout (version 5.10.0) ?
>> Use case like I have SAML based web application and user portal
>> (oauth/oidc) and need to enable SLO among two applications.
>>
>> [1]
>> https://is.docs.wso2.com/en/latest/get-started/cross-protocol-single-logout/#cross-protocol-single-logout
>> --
>> Gayan
>>
> ___
>> Iam-dev mailing list
>> iam-...@wso2.org
>> http://wso2.org/cgi-bin/mailman/listinfo/iam-dev
>
>
>>
>
> --
> *Janak Amarasena* | Senior Software Engineer | WSO2 Inc.
> (m) +9464144 | (w) +94112145345 | (e) ja...@wso2.com
>
>
>
-- 
Gayan


Re: [Dev] Is it possible to use existing different table structured database as secondary user stores?

2020-05-14 Thread gayan gunawardana
Hi Shiva,
There are two possibilities.
1. Under the JDBC user store configuration you can configure advanced properties
to change the SQL queries.
2. Write a custom JDBC user store manager.
The correct approach needs to be evaluated against the exact use case.

On Thu, May 14, 2020 at 9:00 PM Shiva Kumar K R 
wrote:

> Hi All,
> I am working on configuring a secondary user store with an existing
> employee database with different table definitions and authenticating the
> users against that database. As far as I understand, the sql queries for
> the JDBCUserStoreManager look tightly coupled with the WSO2 user management
> table. Is there any guide on this?
>
-- 
Gayan


Re: [Dev] Identity Server User Portal customization

2020-05-13 Thread gayan gunawardana
Thanks a Lot Maduranga. I will refer to the link.

On Wed, May 13, 2020 at 10:14 AM Maduranga Siriwardena 
wrote:

> Hi Gayan,
>
> You can follow this blog post [1] to achieve your requirement.
>
> [1]
> https://medium.com/@brionmario/how-to-customize-the-user-portal-in-wso2-identity-server-5-10-0-51a9ffdbefc4
>
> Regards,
>
> On Wed, May 13, 2020 at 8:21 AM gayan gunawardana 
> wrote:
>
>> Hi IAM Team,
>>
>> What is the recommended way to customize new user portal [1]? For login
>> pages we can refer to web application shipped inside the product but I
>> suppose for user portal we have to refer to source code [1]. In case if we
>> refer to source code, is there a way to get new updates/patches ?
>>
>> [1] https://github.com/wso2/identity-apps/tree/master/apps/user-portal
>>
>> --
>> Gayan
>>
>
>
> --
> *Maduranga Siriwardena* | Technical Lead | WSO2 Inc.
> (m) +94718990591 | madura...@wso2.com
>
>


-- 
Gayan


[Dev] Cross Protocol SLO

2020-05-12 Thread gayan gunawardana
Hi IAM team,
Referring to cross protocol single logout [1], what are the configurations
need to be changed in order to enable cross protocol single logout (version
5.10.0) ?
Use case like I have SAML based web application and user portal
(oauth/oidc) and need to enable SLO among two applications.

[1]
https://is.docs.wso2.com/en/latest/get-started/cross-protocol-single-logout/#cross-protocol-single-logout
-- 
Gayan


[Dev] Identity Server User Portal customization

2020-05-12 Thread gayan gunawardana
Hi IAM Team,

What is the recommended way to customize new user portal [1]? For login
pages we can refer to web application shipped inside the product but I
suppose for user portal we have to refer to source code [1]. In case if we
refer to source code, is there a way to get new updates/patches ?

[1] https://github.com/wso2/identity-apps/tree/master/apps/user-portal

-- 
Gayan


Re: [Dev] Telnet Inbound protocol support for APIM

2020-05-05 Thread gayan gunawardana
Hi Harsha,

Thanks a lot for the clarification. In my case a set of mobile clients
strictly follow Telnet as the application layer protocol and they need to
consume APIs securely.

Thanks,
Gayan

On Wed, May 6, 2020 at 9:21 AM Harsha Kumara  wrote:

> Hi Gayan,
>
> I won't be possible to achieve via extensions through API Manager and it's
> not recommended. I believe you are looking for TCP protocol support which
> you may look at Enterprise Integrator.
>
> Thanks,
> Harsha
>
> On Tue, May 5, 2020 at 6:31 PM gayan gunawardana 
> wrote:
>
>> Hi APIM team,
>>
>> In order to securely expose APIs to some telnet clients, is there a way
>> to create APIs with telnet inbound protocol support ? If it is not
>> supported is there any extension point to support such a scenario ?
>>
>>
>> --
>> Gayan
>>
>
>
> --
> *Harsha Kumara*
> *PhD Student*
> *LaTrobe University*
>


-- 
Gayan


[Dev] Telnet Inbound protocol support for APIM

2020-05-05 Thread gayan gunawardana
Hi APIM team,

In order to securely expose APIs to some telnet clients, is there a way to
create APIs with telnet inbound protocol support ? If it is not supported
is there any extension point to support such a scenario ?


-- 
Gayan


Re: [Dev] IS 5.10.0 Unique user identifier across the system

2020-04-09 Thread gayan gunawardana
Hi Ashen,

Thanks a lot for the comprehensive answer, which is very clear and
understandable. However I am wondering if there is any extension point
available to build a custom REST service by consuming the new user core
implementation.

Thanks,
Gayan

On Thu, Apr 9, 2020 at 2:49 PM Ashen Weerathunga  wrote:

> Hi Gayan,
>
> From 5.10.0 onwards we have introduced a new unique user identifier in the
> user core level with a new set of APIs. Therefore the username is not
> immutable at the user core level now. But we have not implemented username
> renaming capability yet as we still consuming old user core APIs and use
> the username as the user identifier in the other components such as
> OAuth/identity framework etc.
>
> Therefore we need to migrate other components and use the uniqueID as the
> user identifier everywhere in the system. Then only we can provide the
> username renaming capability. So we will provide these capabilities in
> future releases.
>
> Thanks,
> Ashen
>
> On Tue, Apr 7, 2020 at 9:46 PM gayan gunawardana 
> wrote:
>
>> Hi Team,
>>
>> As per [1] it looks like username attribute is not immutable any more
>> with new unique user identifier implementation.
>> Are there any SCIM or RemoteUserStoreManagerServce Apis available to
>> alter username ?
>>
>> [1] https://github.com/wso2/product-is/releases/tag/v5.10.0-rc2
>>
>> --
>> Gayan
>>
>
>
> --
> Ashen Weerathunga | Senior Software Engineer | WSO2 Inc.
> (m) +94716042995 | (w) +94112145345 | Email: as...@wso2.com
>
>
>

-- 
Gayan


[Dev] IS 5.10.0 Unique user identifier across the system

2020-04-07 Thread gayan gunawardana
Hi Team,

As per [1] it looks like username attribute is not immutable any more with
new unique user identifier implementation.
Are there any SCIM or RemoteUserStoreManagerServce Apis available to alter
username ?

[1] https://github.com/wso2/product-is/releases/tag/v5.10.0-rc2

-- 
Gayan


Re: [Dev] [VOTE] Release WSO2 Identity Server 5.10.0 RC1

2020-03-04 Thread gayan gunawardana
Hi Janak,

Could you provide documentation links against each new feature?

Thanks,
Gayan

On Thu, Mar 5, 2020 at 5:06 AM Janak Amarasena  wrote:

> Hi all,
>
> We are pleased to announce the first release candidate of WSO2 Identity
> Server 5.10.0.
>
>
> *New Features:*
>
>1. Passwordless authentication support
>2. An improved User Portal
>3. New RESTful APIs for user self-services and server management
>4. Scope based authorization for internal REST APIs
>5. Unique User ID support
>6. Tenant wise email-sender configuration
>
>
>
> *Fixes:*
> This release includes the following issue fixes and improvements:
>
>    - 5.10.0-M1
>    - 5.10.0-M2
>    - 5.10.0-M3
>    - 5.10.0-M4
>    - 5.10.0-M5
>    - 5.10.0-M6
>    - 5.10.0-M7
>    - 5.10.0-M8
>    - 5.10.0-M9
>    - 5.10.0-Alpha
>    - 5.10.0-Alpha2
>    - 5.10.0-Alpha3
>    - 5.10.0-Beta
>    - 5.10.0-Beta2
>    - 5.10.0-Beta3
>    - 5.10.0-GA
>
>
> *Source and Distribution*
> The source and distribution
> 
> are available at
> https://github.com/wso2/product-is/releases/tag/v5.10.0-rc1
>
>
> Please download the product, test it, and vote using the following
> convention.
> [+] Stable - go ahead and release
> [-] Broken - do not release (explain why)
>
> Thank you,
> WSO2 Identity and Access Management Team
>
> --
> *Janak Amarasena* | Senior Software Engineer | WSO2 Inc.
> (m) +9464144 | (w) +94112145345 | (e) ja...@wso2.com
>
>
> 
>


-- 
Gayan


Re: [Dev] Using default user attributes provided by Active Directory for SCIM operations

2019-12-03 Thread gayan gunawardana
Hi Gayashan,

This would be a very valuable addition to the product.

On Wed, Dec 4, 2019 at 12:20 AM Gayashan Bombuwala 
wrote:

> Hi all,
>
> Currently when managing users in Active Directory user store with SCIM, we
> have mapped the SCIM core attributes to different attributes[1, 2]
> supported by SCIM.
>
> e.g. urn:ietf:params:scim:schemas:core:2.0:id (SCIM attribute)->
> http://wso2.org/claims/userid (local claim) -> homePostalAddress (Active
> Directory attribute)
>
> However, there are a set of attributes maintained by Active Directory
> which we can use to map some of core SCIM attributes. We have considered
> the following attributes for the moment.
>
>1. objectGuid (AD maintained attribute) ->
>urn:ietf:params:scim:schemas:core:2.0:id (SCIM attribute)
>2. whenCreated (AD maintained attribute) ->
>urn:ietf:params:scim:schemas:core:2.0:created (SCIM attribute)
>3. whenModified (AD maintained attribute)- ->
>urn:ietf:params:scim:schemas:core:2.0:lastModified (SCIM attribute)
>
> We need to handle the mapping of these attributes in two scenarios.
>
>1. When reading values from the user store.
>2. When writing values to the user store.
>
>
> When reading from the user store we can introduce a hook to handle the
> mapping of these special attributes. We can implement the hook in
> AbstractUserStoreManager since local claim to user store property mapping
> is done in that[3] level. When the attributes are mapped we may need to do
> a conversion between data types for some attributes (e.g. objectGuid
> property is stored in AD as an octetSting [3]). This hook will be a method
> with the following signature.
>
> protected void processRetrievedSpecialClaims (Map
> specialClaims)
>
I suppose this will transform user store level values to the SCIM required
format. The user store level value (format) can differ based on the underlying
user store, so what would be the default implementation?

>
> However, when writing values to the user store, we need to handle the
> special claims in the user store level [5]. We can do data type conversion
> for special claim values here as well if required.
>
Can we just ignore them since AD handles the special attributes itself?

> We will introduce an abstract hook in the AbstractUserStoreManager level
> but will provide separate implementations in the user store level. This
> hook will be a method with the following signature.
>
> protected void processSpecialClaimsForUpdating (Map
> specialClaims)
>
> Note that the above mentioned new  behaviour will only be executed if a
> specific user store property is enabled.
>  Please let us know if you have any concerns regarding this approach.
>
> Best Regards,
> Gayashan
>
> [1]
> https://docs.wso2.com/display/IS570/Configuring+Active+Directory+User+Stores+for+SCIM+2.0+based+Inbound+Provisioning
> [2] http://www.kouti.com/tables/userattributes.htm
> [3] https://docs.microsoft.com/en-us/windows/win32/adschema/s-string-octet
> [4]
> https://github.com/wso2/carbon-kernel/blob/eb6660d83a4ee29214924c5b7592fa30e259d7b5/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/common/AbstractUserStoreManager.java#L5388
> [5]
> https://github.com/wso2/carbon-kernel/blob/eb6660d83a4ee29214924c5b7592fa30e259d7b5/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/ldap/ActiveDirectoryUserStoreManager.java#L616
>
> --
> *Gayashan Bombuwala*
> Software Engineer | WSO2
>
> Email: gayash...@wso2.com
> Phone: +94770548334
>
>


-- 
Gayan
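The two data-type conversions the proposal above calls out (objectGuid stored as an octet string, the AD timestamps into SCIM's created/lastModified) together with read-side and write-side hooks, written out as an added Python illustration. This is not code from carbon-kernel or from the thread; the hook names and SAMPLE_AD_ENTRY are assumptions, and the modification timestamp is keyed as whenChanged, which is the AD schema name for what the proposal calls whenModified.

```python
import uuid
from datetime import datetime, timezone

# Constructed sample of what an LDAP search against AD returns for one user:
# objectGUID is a 16-byte octet string, whenCreated/whenChanged are
# GeneralizedTime strings, mail is an ordinary attribute needing no conversion.
SAMPLE_AD_ENTRY = {
    "objectGUID": bytes.fromhex("11223344556677889900aabbccddeeff"),
    "whenCreated": "20191204001500.0Z",
    "whenChanged": "20200528153000.0Z",
    "mail": "gayan@example.com",
}


def object_guid_to_string(raw) -> str:
    """Convert AD's objectGUID octet string to the textual GUID that SCIM 'id' carries.

    The 16 bytes are the little-endian GUID structure, so the first three fields
    must be byte-swapped; uuid.UUID(bytes_le=...) does exactly that.
    """
    if isinstance(raw, str):
        # Some clients already hand back the textual form; validate and normalise it.
        return str(uuid.UUID(raw))
    if len(raw) != 16:
        raise ValueError("objectGUID must be 16 octets, got %d" % len(raw))
    return str(uuid.UUID(bytes_le=bytes(raw)))


def generalized_time_to_scim(value: str) -> str:
    """Convert an LDAP GeneralizedTime such as 20191204001500.0Z into the
    xsd:dateTime form SCIM uses for meta.created / meta.lastModified."""
    if not value.endswith("Z"):
        raise ValueError("only UTC GeneralizedTime values are supported: %r" % value)
    main, _, fraction = value[:-1].partition(".")
    dt = datetime.strptime(main, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    out = dt.strftime("%Y-%m-%dT%H:%M:%SZ")
    fraction = fraction.rstrip("0")
    if fraction:  # keep a non-zero fractional second, drop the ".0" AD always emits
        out = out[:-1] + "." + fraction + "Z"
    return out


# AD-maintained attribute -> (SCIM attribute, converter). The thread calls the
# modification timestamp "whenModified"; the AD schema attribute is whenChanged.
SPECIAL_CLAIMS = {
    "objectGUID": ("urn:ietf:params:scim:schemas:core:2.0:id", object_guid_to_string),
    "whenCreated": ("urn:ietf:params:scim:schemas:core:2.0:created", generalized_time_to_scim),
    "whenChanged": ("urn:ietf:params:scim:schemas:core:2.0:lastModified", generalized_time_to_scim),
}


def process_retrieved_special_claims(ad_values: dict) -> dict:
    """Read-side analogue of the proposed hook (assumed name): rewrite the special
    attributes into their SCIM names and formats, pass everything else through."""
    claims = {}
    for attr, raw in ad_values.items():
        if attr in SPECIAL_CLAIMS:
            scim_attr, convert = SPECIAL_CLAIMS[attr]
            claims[scim_attr] = convert(raw)
        else:
            claims[attr] = raw
    return claims


def process_special_claims_for_updating(claims: dict) -> tuple:
    """Write-side analogue (assumed name): objectGUID, whenCreated and whenChanged
    are system-maintained in AD and cannot be written, so drop them from the
    update instead of sending a modify the directory would reject.
    Returns (claims to write, names that were dropped)."""
    readonly = {scim_attr for scim_attr, _ in SPECIAL_CLAIMS.values()}
    to_write = {k: v for k, v in claims.items() if k not in readonly}
    dropped = sorted(k for k in claims if k in readonly)
    return to_write, dropped


if __name__ == "__main__":
    scim_view = process_retrieved_special_claims(SAMPLE_AD_ENTRY)
    for name, value in scim_view.items():
        print(name, "=", value)
    print(process_special_claims_for_updating(scim_view))
```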


[Dev] APIM Import/Export tool in fully distributed setup

2019-09-27 Thread gayan gunawardana
Hi APIM team,

It looks like the "Adding environment" section of [1] refers to a single node
setup. Could you mention the endpoints for a fully distributed setup?

EX:
apimcli add-env -n production \
  --registration https:///client-registration/v0.14/register \



[1]
https://docs.wso2.com/display/AM260/Migrating+the+APIs+and+Applications+to+a+Different+Environment#Example-AddEnv

-- 
Gayan


[Dev] [APIM] Mutual SSL

2019-09-24 Thread gayan gunawardana
Hi APIM team,
Since the logger initialization in [1] has been done from the wrong class, logs
are not printed for the Mutual SSL authenticator in wso2carbon.log. I suppose the
same issue should exist with WUM as well. It would be great if you can correct it
in the next immediate WUM.

[1]
https://github.com/wso2/carbon-apimgt/blob/master/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/handlers/security/authenticator/MutualSSLAuthenticator.java#L53

-- 
Gayan


[Dev] How to bundle WSO2 Java Library project as CAR in EI tooling

2019-08-02 Thread gayan gunawardana
Hi Devs,

I was following the steps in [1]; however after creating the WSO2 Java Library
project, I couldn't bundle it as a Composite Application Project because I
couldn't see *HelloWorldServiceTask_Artifact* as a dependency. The problem looks
the same as [2]. Did I miss something or is there any alternate solution?

[1] https://docs.wso2.com/display/EI611/Creating+a+BPMN+Process
[2]
https://stackoverflow.com/questions/42906384/wso2-composite-application-project-doesnt-show-any-dependency
-- 
Gayan


Re: [Dev] Filtering Internal roles through SCIM API

2019-07-25 Thread gayan gunawardana
On Thu, Jul 25, 2019 at 12:39 PM Denuwanthi De Silva 
wrote:

> Hi,
>
> 1. In WSO2 Identity Server, when filtering roles/groups through SCIM API,
> internal roles are not filtered.
> Ex: internal roles
>   -*Internal*/system
>   -*Application*/myapp
>
> Sample filter request:
> *curl -v -k --user admin:admin
> 'https://localhost:9443/scim2/Groups?filter=displayName+sw+Application
> '*
>
> We need to support for above type of filtering.
>
I suppose in the SCIM specification there is nothing special about Internal
roles. Hence +1 to support the above feature.

>
> 2.
> When considering role types in WSO2 Identity Server. There are mainly 2
> types.
> 1.userstore domain based roles ex: PRIMARY/myrole
> 2. internal/hybrid roles ex:Application/myapp
>
> We have introduced a new parameter to filter users and roles using a
> 'domain' parameter recently.
>
> *Ex: curl -v -k --user admin:admin
> 'https://localhost:9443/scim2/Groups?filter=displayName+sw+myrole;
> domain=Primary'*
>

> Here users and roles can be filtered according to the userstore domain.
>
> *So, my question is do we have to support this new domain based filter for
> internal roles as well?*
> *ex: curl -v -k --user admin:admin
> 'https://localhost:9443/scim2/Groups?filter=displayName+sw+app;
> domain=Application'*
>
> one concern I have is,
> 1.Application domain is not necessarily a userstore domain. Therefore
> whether it is correct to mix those domains.
>
I think the better approach is having two types of parameters: one for user store
domains (domain) and one for internal roles (say type). But the type parameter
should be able to support multiple values such as Internal, Application.

>
>
> Please provide your thoughts on this.
>
> Thanks,
> --
> Denuwanthi De Silva
> Associate Technical Lead;
> WSO2 Inc.; http://wso2.com,
> Email: denuwan...@wso2.com
> Blog: https://denuwanthi.wordpress.com/
>   https://medium.com/@denuwanthi.hasanthika
> Contact No: 0771391097
>


-- 
Gayan


[Dev] How to set authenticated subject identifier with local account mapping

2019-03-07 Thread gayan gunawardana
Hi Team,

As per the code [1] it looks like *Assert identity using mapped local subject
identifier* is effective for federated authentication only. Can we provide the
same functionality when associating local accounts?

EX: Local account A associated with another local account B. Once I
authenticated with local account A, I want to send user account B as
authenticated subject identifier to service provider.

[1]
https://github.com/wso2/carbon-identity-framework/blob/master/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/handler/request/impl/PostAuthAssociationHandler.java#L113

-- 
Gayan


Re: [Dev] Swagger Doc for SCIM 2.0

2019-02-10 Thread gayan gunawardana
Found it in the source [3]; better to link it from the doc.

[3]
https://github.com/wso2-extensions/identity-inbound-provisioning-scim2/blob/1.2.x/scim2.yaml

On Mon, Feb 11, 2019 at 9:33 AM gayan gunawardana 
wrote:

> Hi Devs,
>
> In the doc [1] it says "SCIM 2.0 endpoints It is written with swagger 2
> <http://swagger.io/>." but unable to find swagger definition. [2] was
> written by Isuranga for SCIM 2.0 outbound provisioning connector to
> generate client side artifacts.
> Is there any difficulty to provide swagger definition for SCIM 2.0 inbound
> provisioning ?
>
> [1] https://docs.wso2.com/display/IS570/apidocs/SCIM2-endpoints/
> [2]
> https://github.com/wso2-extensions/identity-client-scim2/blob/v1.0.0/swagger-definitions/
>
> --
> Gayan
>


-- 
Gayan


[Dev] Swagger Doc for SCIM 2.0

2019-02-10 Thread gayan gunawardana
Hi Devs,

In the doc [1] it says "SCIM 2.0 endpoints It is written with swagger 2." but I
am unable to find the swagger definition. [2] was written by Isuranga for the
SCIM 2.0 outbound provisioning connector to generate client side artifacts.
Is there any difficulty in providing a swagger definition for SCIM 2.0 inbound
provisioning?

[1] https://docs.wso2.com/display/IS570/apidocs/SCIM2-endpoints/
[2]
https://github.com/wso2-extensions/identity-client-scim2/blob/v1.0.0/swagger-definitions/

-- 
Gayan


Re: [Dev] XSLT 2.0 tokenize function

2018-11-22 Thread gayan gunawardana
On Thu, Nov 22, 2018 at 6:58 AM Sashika Wijesinghe  wrote:

> Hi Gayan,
>
> The issue is because of the xalan library used in EI 6.1.1, but this is
> fixed in the latest EI versions. Since this is not mentioned in the
> document, we can add the workaround to EI 6.1.1 documentation. Created [1]
> to track this issue.
>
Thanks a lot.

>
> [1] https://github.com/wso2/product-ei/issues/2879
>
> Thanks
> Sashika
>
>
> On Wed, Nov 21, 2018 at 10:09 PM gayan gunawardana <
> gmgunaward...@gmail.com> wrote:
>
>> Hi Sashika,
>>
>> What I mentioned is enabling that property is not enough. I had to follow
>> additional steps in [1] to get it work. Where can I find those additional
>> steps in the documentation ?
>>
>> [1] http://nipun101.blogspot.com/
>>
>> Thanks,
>> Gayan
>>
>> On Wed, Nov 21, 2018 at 9:21 PM Sashika Wijesinghe 
>> wrote:
>>
>>> Hi Gayan,
>>>
>>> This is documented in [1] and it is required to enable this property to
>>> work with xpath 2.0 functions.
>>>
>>> [1] https://docs.wso2.com/display/EI611/Configuring+synapse.properties
>>>
>>> Regards,
>>> Sashika
>>>
>>> On Mon, Nov 19, 2018 at 2:53 PM gayan gunawardana <
>>> gmgunaward...@gmail.com> wrote:
>>>
>>>> Hi Devs,
>>>>
>>>> [2] is not enough and I had to follow all the steps in [1] to get XSLT
>>>> 2.0 tokenize function working in EI 6.1.1. I couldn't find these steps in
>>>> official documentation (EI 6.1.1).
>>>>
>>>> Is there a place to get these information from official documentation ?
>>>>
>>>> [1] http://nipun101.blogspot.com/
>>>> [2]
>>>> http://wso2-oxygen-tank.10903.n7.nabble.com/Enable-XSLT-2-0-on-WSO2-EI-6-1-1-td156111.html
>>>>
>>>> Thanks,
>>>> Gayan
>>>>
>>>>
>>>
>>>
>>> --
>>>
>>> *Sashika WijesingheSoftware Engineer - QA Team*
>>> Mobile : +94 (0) 774537487
>>> sash...@wso2.com
>>>
>>
>>
>> --
>> Gayan
>>
>
>
> --
>
> *Sashika WijesingheSoftware Engineer - QA Team*
> Mobile : +94 (0) 774537487
> sash...@wso2.com
>


-- 
Gayan


Re: [Dev] XSLT 2.0 tokenize function

2018-11-21 Thread gayan gunawardana
Hi Sashika,

What I mentioned is that enabling that property is not enough. I had to follow
additional steps in [1] to get it to work. Where can I find those additional
steps in the documentation?

[1] http://nipun101.blogspot.com/

Thanks,
Gayan

On Wed, Nov 21, 2018 at 9:21 PM Sashika Wijesinghe  wrote:

> Hi Gayan,
>
> This is documented in [1] and it is required to enable this property to
> work with xpath 2.0 functions.
>
> [1] https://docs.wso2.com/display/EI611/Configuring+synapse.properties
>
> Regards,
> Sashika
>
> On Mon, Nov 19, 2018 at 2:53 PM gayan gunawardana 
> wrote:
>
>> Hi Devs,
>>
>> [2] is not enough and I had to follow all the steps in [1] to get XSLT
>> 2.0 tokenize function working in EI 6.1.1. I couldn't find these steps in
>> official documentation (EI 6.1.1).
>>
>> Is there a place to get these information from official documentation ?
>>
>> [1] http://nipun101.blogspot.com/
>> [2]
>> http://wso2-oxygen-tank.10903.n7.nabble.com/Enable-XSLT-2-0-on-WSO2-EI-6-1-1-td156111.html
>>
>> Thanks,
>> Gayan
>>
>>
>
>
> --
>
> *Sashika WijesingheSoftware Engineer - QA Team*
> Mobile : +94 (0) 774537487
> sash...@wso2.com
>


-- 
Gayan


[Dev] XSLT 2.0 tokenize function

2018-11-19 Thread gayan gunawardana
Hi Devs,

[2] is not enough and I had to follow all the steps in [1] to get the XSLT 2.0
tokenize function working in EI 6.1.1. I couldn't find these steps in the
official documentation (EI 6.1.1).

Is there a place to get this information from the official documentation?

[1] http://nipun101.blogspot.com/
[2]
http://wso2-oxygen-tank.10903.n7.nabble.com/Enable-XSLT-2-0-on-WSO2-EI-6-1-1-td156111.html


Thanks,
Gayan


[Dev] In correct redirection of SMS OTP outbound authenticator

2018-11-16 Thread gayan gunawardana
Hi Team,

I tried the SMS OTP authenticator latest version (2.0.16) in both IS 5.3.0 and
5.4.1. However it does not redirect to the correct authenticator URL for the
below authorize request

https://localhost:9443/oauth2/authorize?response_type=code_id=pfDJ_gLyviwF7pCg1lbwtGb6UX8a_uri=http://localhost:8080/playground2/oauth2client

If I send the above request, flow will be ended with below URL

https://localhost:9443/*oauth2*
/smsotpauthenticationendpoint/smsotp.jsp?client_id=Mp9YoeDmOEOxONYal6pBM9qiYUwa=%2Foauth2%2Fauthorize=false=false_uri=http%3A%2F%2Flocalhost%3A8080%2Fplayground2%2Foauth2client_type=code=carbon.super=f1bee7de-1889-4b69-aee0-628fd231fd2e=Mp9YoeDmOEOxONYal6pBM9qiYUwa=oauth2=sss=false=SMSOTP

As you can see context path *oauth2* is the unnecessary part.

It works fine if I send authorize request with scope=openid

https://localhost:9443/oauth2/authorize?response_type=code_id=pfDJ_gLyviwF7pCg1lbwtGb6UX8a_uri=http://localhost:8080/playground2/oauth2client;
*scope=openid*

https://localhost:9443/smsotpauthenticationendpoint/smsotp.jsp?client_id=Mp9YoeDmOEOxONYal6pBM9qiYUwa=%2Foauth2%2Fauthorize=false=false_uri=http%3A%2F%2Flocalhost%3A8080%2Fplayground2%2Foauth2client_type=code=openid=carbon.super=3064f03d-31ce-48f7-9720-a7b83e9d69d3=Mp9YoeDmOEOxONYal6pBM9qiYUwa=oidc=sss=false=SMSOTP

Any justification for above behavior ?

Please note I have configured application-authentication.xml as below

 
smsotpauthenticationendpoint/smsotp.jsp
smsotpauthenticationendpoint/smsotpError.jsp
smsotpauthenticationendpoint/mobile.jsp
true
true
true
true
false
true
false
false


-- 
Gayan


Re: [Dev] Validity of access token after OIDC SLO

2018-11-06 Thread gayan gunawardana
Hi Fara,

On Mon, Nov 5, 2018 at 12:24 PM Farasath Ahamed  wrote:

> Hi,
>
> The OIDC spec only specifies how to deal with the authenticated session of
> the user (although access token is a part of the response). So in the OIDC
> logout, we simply deal with terminating the authenticated session of the
> user.
>
> Revoking the token obtained along with OIDC login goes beyond the spec.
> Even in our current implementation, this is not something straightforward
> since we do not maintain a correlation between the id_token and the issued
> access token.
>
Agreed. The access token is a self-contained entity; probably nothing has to be
done with the end user session.

>
> However, we have an extension point introduced with [1] that can be used
> for a similar requirement during OIDC logout flow. Something to note is
> that even with this extension the correlation between id_token and access
> token needs to be handled by the extension developer.
>
It's a good idea to have an extension point. Thanks Fara for the help.

>
>
> [1] https://github.com/wso2/product-is/issues/3227
>
>
> Thanks,
> Farasath
>
> On Thu, Nov 1, 2018 at 1:58 PM gayan gunawardana 
> wrote:
>
>> Hi Devs,
>>
>> I followed exact instructions in IS 5.7.0 and got logout working. However
>> issued access token is valid even after logout (I have checked with token
>> introspection). Is that the correct behavior or any justification ?
>>
>> [1]
>> https://docs.wso2.com/display/IS570/Session+Management+with+Playground
>>
>> Thanks,
>> Gayan
>>
>
>
> --
> Farasath Ahamed
> Senior Software Engineer, WSO2 Inc.; http://wso2.com
> Mobile: +94777603866
> Blog: blog.farazath.com
> Twitter: @farazath619 <https://twitter.com/farazath619>
>
>
>
>

-- 
Gayan


[Dev] Validity of access token after OIDC SLO

2018-11-01 Thread gayan gunawardana
Hi Devs,

I followed the exact instructions in IS 5.7.0 and got logout working. However
the issued access token is valid even after logout (I have checked with token
introspection). Is that the correct behavior, or is there any justification?

[1] https://docs.wso2.com/display/IS570/Session+Management+with+Playground

Thanks,
Gayan


Re: [Dev] Delay in sending SMS from ESB SMPP connector

2018-10-27 Thread gayan gunawardana
Hi Devs,

I went through the SMPP specification [1]. Under *4.2.1 submit_sm Operation*
it mentions that:
scheduled delivery time -> The short message is to be scheduled by the MC
for delivery. Set to NULL for immediate message delivery.
I suppose the connector should provide a facility to set the scheduled delivery
time to NULL.

[1] http://opensmpp.org/specs/smppv50.pdf

Thanks,
Gayan

On Thu, Oct 25, 2018 at 7:36 PM gayan gunawardana 
wrote:

> Hi Biruntha,
>
> On Thu, Oct 25, 2018 at 5:45 PM Biruntha Gnaneswaran 
> wrote:
>
>> Hi Gayan,
>>
>> No, we can't specify the scheduled delivery time as null. Here in [1], we
>> specify the delivery time as the current time (new Date()) for immediate delivery of
>> the SMS.
>>
>  Thank you very much. Is there any alternative way to deliver messages
> immediately when there is a time zone gap between the ESB instance and the SMS
> gateway?
>
>>
>> [1]
>> https://github.com/wso2-extensions/esb-connector-smpp/blob/master/src/main/java/org/wso2/carbon/esb/connector/SendSMS.java#L127
>>
>> On Thu, Oct 25, 2018 at 2:29 PM, gayan gunawardana <
>> gmgunaward...@gmail.com> wrote:
>>
>>> Hi Team,
>>>
>>> Can we set the scheduled delivery time to *null* in [1] to immediately
>>> deliver the SMS? Currently I'm observing some delay due to a time zone gap
>>> between the SMS gateway and the ESB.
>>>
>>> [1]
>>> https://github.com/wso2-extensions/esb-connector-smpp/blob/master/src/main/java/org/wso2/carbon/esb/connector/SendSMS.java#L127
>>>
>>> --
>>> Gayan
>>>
>>>
>>>
>>
>>
>> --
>> Biruntha
>>
>> Software Engineer
>> WSO2
>> Email: birun...@wso2.com
>> LinkedIn: https://lk.linkedin.com/in/biruntha
>> Mobile : +94773718986
>>
>
>
> --
> Gayan
>


-- 
Gayan
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
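As an added illustration for this thread (not the ESB connector's code), the following encodes the submit_sm scheduled_delivery_time field both ways the spec allows and shows how a wrongly labelled UTC offset turns into the kind of delay described above. The absolute time format (YYMMDDhhmmsstnnp, nn = quarter hours from UTC, p = + or -) is from the SMPP spec's time format section; the UTC+05:30 ESB clock and the mis-labelled-offset scenario are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: the ESB host runs at UTC+05:30, i.e. 22 quarter hours
# ahead of UTC in the SMPP "nn" field.
ESB_TZ = timezone(timedelta(hours=5, minutes=30))


def sample_esb_now():
    """Fixed 'now' on the ESB clock so results are reproducible."""
    return datetime(2018, 10, 25, 14, 0, 0, tzinfo=ESB_TZ)


def encode_scheduled_delivery_time(when):
    """Encode submit_sm scheduled_delivery_time.

    None -> "" (a NULL C-octet string), which the spec defines as immediate
    delivery. An aware datetime -> the absolute format YYMMDDhhmmsstnnp.
    """
    if when is None:
        return ""
    if when.tzinfo is None or when.utcoffset() is None:
        raise ValueError("use an aware datetime so the UTC offset is explicit")
    seconds = when.utcoffset().total_seconds()
    quarter_hours = int(abs(seconds) // 900)
    sign = "-" if seconds < 0 else "+"
    tenths = when.microsecond // 100_000
    return when.strftime("%y%m%d%H%M%S") + f"{tenths}{quarter_hours:02d}{sign}"


def decode_absolute_time(field):
    """Parse an absolute-format field back to a UTC datetime (how an MC reads it)."""
    if len(field) != 16 or field[15] not in "+-":
        raise ValueError("not an SMPP absolute time string")
    local = datetime.strptime(field[:12], "%y%m%d%H%M%S")
    offset = timedelta(minutes=15 * int(field[13:15]))
    if field[15] == "-":
        offset = -offset
    local = local.replace(microsecond=int(field[12]) * 100_000, tzinfo=timezone(offset))
    return local.astimezone(timezone.utc)


def gateway_delay_seconds(esb_now, offset_encoded_correctly):
    """Seconds an MC would hold a message submitted "now" with the given encoding.

    offset_encoded_correctly=False models a sender that writes its wall-clock
    time but labels it UTC (nn=00): one assumed way a time zone gap between the
    ESB and the gateway becomes a visible delivery delay.
    """
    if offset_encoded_correctly:
        field = encode_scheduled_delivery_time(esb_now)
    else:
        field = encode_scheduled_delivery_time(esb_now.replace(tzinfo=timezone.utc))
    scheduled_utc = decode_absolute_time(field)
    now_utc = esb_now.astimezone(timezone.utc)
    return max(0, int((scheduled_utc - now_utc).total_seconds()))


if __name__ == "__main__":
    now = sample_esb_now()
    print(repr(encode_scheduled_delivery_time(None)), "-> immediate delivery")
    print(encode_scheduled_delivery_time(now), "-> absolute time with offset")
    print("delay with correct offset:", gateway_delay_seconds(now, True))
    print("delay when offset is dropped:", gateway_delay_seconds(now, False))
```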


Re: [Dev] Delay in sending SMS from ESB SMPP connector

2018-10-25 Thread gayan gunawardana
Hi Biruntha,

On Thu, Oct 25, 2018 at 5:45 PM Biruntha Gnaneswaran 
wrote:

> Hi Gayan,
>
> No, we can't specify the scheduled delivery time as null. Here in [1], we
> specify the delivery time as the current time (new Date()) for immediate delivery of
> the SMS.
>
Thank you very much. Is there any alternative way to deliver messages
immediately when there is a time zone gap between the ESB instance and the SMS
gateway?

>
> [1]
> https://github.com/wso2-extensions/esb-connector-smpp/blob/master/src/main/java/org/wso2/carbon/esb/connector/SendSMS.java#L127
>
> On Thu, Oct 25, 2018 at 2:29 PM, gayan gunawardana <
> gmgunaward...@gmail.com> wrote:
>
>> Hi Team,
>>
>> Can we set the scheduled delivery time to *null* in [1] to immediately
>> deliver the SMS? Currently I'm observing some delay due to a time zone gap
>> between the SMS gateway and the ESB.
>>
>> [1]
>> https://github.com/wso2-extensions/esb-connector-smpp/blob/master/src/main/java/org/wso2/carbon/esb/connector/SendSMS.java#L127
>>
>> --
>> Gayan
>>
>>
>>
>
>
> --
> Biruntha
>
> Software Engineer
> WSO2
> Email: birun...@wso2.com
> LinkedIn: https://lk.linkedin.com/in/biruntha
> Mobile : +94773718986
>


-- 
Gayan


[Dev] Delay in sending SMS from ESB SMPP connector

2018-10-25 Thread gayan gunawardana
Hi Team,

Can we set the scheduled delivery time to *null* in [1] to immediately deliver
the SMS? Currently I'm observing some delay due to a time zone gap between the
SMS gateway and the ESB.

[1]
https://github.com/wso2-extensions/esb-connector-smpp/blob/master/src/main/java/org/wso2/carbon/esb/connector/SendSMS.java#L127


-- 
Gayan


Re: [Dev] JDBC interceptors for WSO2 products

2018-09-25 Thread gayan gunawardana
On Sat, Aug 18, 2018 at 7:28 AM Rushmin Fernando  wrote:

> I think Carbon reads the interceptor configs when creating tomcat pools.
>
> Can you please backtrack [1] and check.
>
Thanks Rushmin. I suppose it is better to have this in the documentation.

>
>
> [1] -
> https://github.com/wso2/carbon-datasources/blob/1.0.x/components/org.wso2.carbon.datasource.core/src/main/java/org/wso2/carbon/datasource/rdbms/tomcat/TomcatDataSource.java#L69
>
> On Fri, Aug 17, 2018 at 3:52 PM gayan gunawardana 
> wrote:
>
>> Hi Devs,
>>
>> Is it possible to configure *queryTimeout* as per [1] in
>> master-datasources.xml? It comes with
>> org.apache.tomcat.jdbc.pool.interceptor.QueryTimeoutInterceptor. Is there a
>> way to configure JDBC interceptors?
>>
>> [1] https://tomcat.apache.org/tomcat-7.0-doc/jdbc-pool.html
>>
>> Thanks,
>> Gayan
>>
>
>
> --
> *Best Regards*
>
> *Rushmin Fernando*
> *Technical Lead*
>
> WSO2 Inc. <http://wso2.com/> - Lean . Enterprise . Middleware
>
> mobile : +94775615183
>
>
>

-- 
Gayan


Re: [Dev] JIT provisioning with conditional authentication

2018-09-01 Thread gayan gunawardana
Hi Ruwan,
On Wed, Aug 29, 2018 at 11:48 AM Ruwan Abeykoon  wrote:

> Hi Gayan,
> This looks to be a bug. Thanks for reporting.
> Can you create a github issue for this please.
>
Thanks for the explanation. I will create a GitHub issue if there is no
already reported one.
As a side note, adaptive authentication is the most powerful feature I have
ever seen from WSO2 Identity Server. Architecture, sample templates,
documentation and extension points are all perfect. Thanks a lot to Ruwan
and the team for getting the feature up to this level :)

>
> Cheers,
> Ruwan
>
>
> On Wed, Aug 29, 2018 at 11:02 AM gayan gunawardana <
> gmgunaward...@gmail.com> wrote:
>
>> Hi Devs,
>>
>> Is there any reason to stop JIT provisioning [1] in the case of
>> GraphBasedSequenceHandler? I couldn't do JIT provisioning with script-based
>> configuration. Am I missing something?
>> Please note the query is based on IS 5.7.0-beta; I would highly appreciate your
>> guidance.
>>
>> [1]
>> https://github.com/wso2/carbon-identity-framework/blob/master/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/handler/request/impl/JITProvisioningPostAuthenticationHandler.java#L124
>>
>> Thanks,
>> Gayan
>>
>
>
>

-- 
Gayan


[Dev] JIT provisioning with conditional authentication

2018-08-28 Thread gayan gunawardana
Hi Devs,

Is there any reason to stop JIT provisioning [1] in the case of
GraphBasedSequenceHandler? I couldn't do JIT provisioning with script-based
configuration. Am I missing something?
Please note the query is based on IS 5.7.0-beta; I would highly appreciate your
guidance.

[1]
https://github.com/wso2/carbon-identity-framework/blob/master/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/handler/request/impl/JITProvisioningPostAuthenticationHandler.java#L124

Thanks,
Gayan


[Dev] JDBC interceptors for WSO2 products

2018-08-17 Thread gayan gunawardana
Hi Devs,

Is it possible to configure *queryTimeout* as per [1] in
master-datasources.xml? It comes with
org.apache.tomcat.jdbc.pool.interceptor.QueryTimeoutInterceptor. Is there a
way to configure JDBC interceptors?

[1] https://tomcat.apache.org/tomcat-7.0-doc/jdbc-pool.html

Thanks,
Gayan


Re: [Dev] Is there a way to log product name to wso2carbon.log ?

2018-08-07 Thread gayan gunawardana
On Tue, Aug 7, 2018 at 4:18 PM, Rushmin Fernando  wrote:

> Hi Gayan,
>
> I think the best way is to do it from the logstash level if
> possible (filtering, etc.)
>
> If you really need the product name in each log line, you can simply
> modify the log appender in log4j.properties.
>
> log4j.appender.CARBON_LOGFILE.File=${carbon.home}/repository/logs/${instance.log}/wso2carbon${instance.log}.log
> log4j.appender.CARBON_LOGFILE.Append=true
> log4j.appender.CARBON_LOGFILE.layout=org.wso2.carbon.utils.logging.TenantAwarePatternLayout
> # ConversionPattern will be overridden by the configuration setting in the DB
> log4j.appender.CARBON_LOGFILE.layout.ConversionPattern=*[WSO2-IS]* TID: [%T] [%S] [%d] %P%5p {%c} - %x %m %n
>
Thanks Rushmin.

>
>
>
>
> On Tue, Aug 7, 2018 at 6:44 PM gayan gunawardana 
> wrote:
>
>> Thanks All,
>>
>> I need something like the below to print the product name with each line of the
>> log so that it would be easy to separate logs by product in logstash.
>>
>> TID: [-1] [ESB] [2018-07-12 15:38:22,463] DEBUG {org.wso2.carbon.mediation.ntask.internal.NtaskService} -  Un-setting the Realm Service. {org.wso2.carbon.mediation.ntask.internal.NtaskService}
>>
>> On Mon, Aug 6, 2018 at 9:18 PM, Godwin Shrimal  wrote:
>>
>>>
>>>
>>> On Mon, Aug 6, 2018 at 4:42 PM Prakhash Sivakumar 
>>> wrote:
>>>
>>>>
>>>> On Mon, Aug 6, 2018 at 9:02 PM Godwin Shrimal  wrote:
>>>>
>>>>>
>>>>>
>>>>> On Mon, Aug 6, 2018 at 2:22 PM Prakhash Sivakumar 
>>>>> wrote:
>>>>>
>>>>>>
>>>>>>
>>>>>> On Mon, Aug 6, 2018 at 2:19 PM Godwin Shrimal 
>>>>>> wrote:
>>>>>>
>>>>>>> I don't see any value in printing the product name for every log line. We
>>>>>>> already print the product name once the server is started. Please see the
>>>>>>> example below.
>>>>>>>
>>>>>>> [2018-08-06 09:48:08,391]  INFO {org.wso2.carbon.core.internal.StartupFinalizerServiceComponent} -  Server   :  WSO2 Identity Server-5.1.0
>>>>>>>
>>>>>>
>>>>>> I think there might be situations like identifying log files when we
>>>>>> are doing log file rotation; as those log files won't have the startup
>>>>>> logs, it might be difficult to identify the files if we are not handling
>>>>>> it properly.
>>>>>>
>>>>>> In that case I think printing the product name in the new log file when
>>>>>> starting the log file rotation would help.
>>>>>>
>>>>>
>>>>> I am not clear how printing the product name in each line helps for log
>>>>> rotation. Can you explain using an example?
>>>>>
>>>> What I was suggesting is printing the product name when creating a new
>>>> file every time during the rotation. It will appear only once in the log
>>>> file (not in each line).
>>>>
>>>
>>> Ok, I understand what you are telling now; once the log is rotated, we cannot
>>> have any log entry identifying the product name.
>>>
>>>>
>>>> I think Gayan's requirement also should be something similar. @Gayan,
>>>> can you please elaborate if you have any other requirements?
>>>>
>>> Yes. Can you explain what you are trying to achieve here?
>>>
>>> Thanks
>>> Godwin
>>>
>>>
>>>
>>>>
>>>> Thanks.
>>>>
>>>>>
>>>>> Thanks
>>>>> Godwin
>>>>>
>>>>>
>>>>>
>>>>>>
>>>>>>>
>>>>>>> Thanks
>>>>>>> Godwin
>>>>>>>
>>>>>>> On Mon, Aug 6, 2018 at 5:50 AM Rushmin Fernando 
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Hi Gayan,
>>>>>>>>
>>>>>>>> What's the requirement behind this? And are you expecting a one-time
>>>>>>>> log or the product name for every log line?
>>>>>>>>
>>>>>>>> On Mon, Aug 6, 2018 at 12:43 PM gayan gunawardana <
>>>>>>>> gmgunaward..

Re: [Dev] Is there a way to log product name to wso2carbon.log ?

2018-08-07 Thread gayan gunawardana
Thanks All,

I need something like the below to print the product name with each line of the
log so that it would be easy to separate logs by product in logstash.

TID: [-1] [ESB] [2018-07-12 15:38:22,463] DEBUG {org.wso2.carbon.mediation.ntask.internal.NtaskService} -  Un-setting the Realm Service. {org.wso2.carbon.mediation.ntask.internal.NtaskService}

On Mon, Aug 6, 2018 at 9:18 PM, Godwin Shrimal  wrote:

>
>
> On Mon, Aug 6, 2018 at 4:42 PM Prakhash Sivakumar 
> wrote:
>
>>
>> On Mon, Aug 6, 2018 at 9:02 PM Godwin Shrimal  wrote:
>>
>>>
>>>
>>> On Mon, Aug 6, 2018 at 2:22 PM Prakhash Sivakumar 
>>> wrote:
>>>
>>>>
>>>>
>>>> On Mon, Aug 6, 2018 at 2:19 PM Godwin Shrimal  wrote:
>>>>
>>>>> I don't see any value in printing the product name for every log line. We
>>>>> already print the product name once the server is started. Please see the example
>>>>> below.
>>>>>
>>>>> [2018-08-06 09:48:08,391]  INFO {org.wso2.carbon.core.internal.StartupFinalizerServiceComponent} -  Server   :  WSO2 Identity Server-5.1.0
>>>>>
>>>>
>>>> I think there might be situations like identifying log files when we
>>>> are doing log file rotation; as those log files won't have the startup
>>>> logs, it might be difficult to identify the files if we are not handling
>>>> it properly.
>>>>
>>>> In that case I think printing the product name in the new log file when
>>>> starting the log file rotation would help.
>>>>
>>>
>>> I am not clear how printing the product name in each line helps for log
>>> rotation. Can you explain using an example?
>>>
>> What I was suggesting is printing the product name when creating a new
>> file every time during the rotation. It will appear only once in the log
>> file (not in each line).
>>
>
> Ok, I understand what you are telling now; once the log is rotated, we cannot have
> any log entry identifying the product name.
>
>>
>> I think Gayan's requirement also should be something similar. @Gayan, can
>> you please elaborate if you have any other requirements?
>>
> Yes. Can you explain what you are trying to achieve here?
>
> Thanks
> Godwin
>
>
>
>>
>> Thanks.
>>
>>>
>>> Thanks
>>> Godwin
>>>
>>>
>>>
>>>>
>>>>>
>>>>> Thanks
>>>>> Godwin
>>>>>
>>>>> On Mon, Aug 6, 2018 at 5:50 AM Rushmin Fernando 
>>>>> wrote:
>>>>>
>>>>>> Hi Gayan,
>>>>>>
>>>>>> What's the requirement behind this? And are you expecting a one-time
>>>>>> log or the product name for every log line?
>>>>>>
>>>>>> On Mon, Aug 6, 2018 at 12:43 PM gayan gunawardana <
>>>>>> gmgunaward...@gmail.com> wrote:
>>>>>>
>>>>>>> Hi Devs,
>>>>>>>
>>>>>>> Appreciate your input regarding $subject.
>>>>>>>
>>>>>>> --
>>>>>>> Gayan
>>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> *Best Regards*
>>>>>>
>>>>>> *Rushmin Fernando*
>>>>>> *Technical Lead*
>>>>>>
>>>>>> WSO2 Inc. <http://wso2.com/> - Lean . Enterprise . Middleware
>>>>>>
>>>>>> mobile : +94775615183
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> *Godwin Amila Shrimal*
>>>>> Associate Technical Lead
>>>>> WSO2 Inc.; http://wso2.com
>>>>> lean.enterprise.middleware
>>>>>
>>>>> mobile: *+94772264165*
>>>>> linkedin: *https://www.linkedin.com/in/godwin-amila-2ba26844/*
>>>>> twitter: https://twitter.com/godwinamila
>>>>>
>>>>
>>>>
>>>> --
>>>> Prakhash Sivakumar
>>>> Senior Software Engineer | WSO2 Inc
>>>> Platform Security Team
>>>> Mobile : +94771510080
>>>> Blog : https://medium.com/@PrakhashS
>>>>
>>>
>>>
>>> --
>>> *Godwin Amila Shrimal*
>>> Associate Technical Lead
>>> WSO2 Inc.; http://wso2.com
>>> lean.enterprise.middleware
>>>
>>> mobile: *+94772264165*
>>> linkedin: *https://www.linkedin.com/in/godwin-amila-2ba26844/*
>>> twitter: https://twitter.com/godwinamila
>>>
>>
>>
>> --
>> Prakhash Sivakumar
>> Senior Software Engineer | WSO2 Inc
>> Platform Security Team
>> Mobile : +94771510080
>> Blog : https://medium.com/@PrakhashS
>>
>
>
> --
> *Godwin Amila Shrimal*
> Associate Technical Lead
> WSO2 Inc.; http://wso2.com
> lean.enterprise.middleware
>
> mobile: *+94772264165*
> linkedin: *https://www.linkedin.com/in/godwin-amila-2ba26844/*
> twitter: https://twitter.com/godwinamila
>



-- 
Gayan


[Dev] Is there a way to log product name to wso2carbon.log ?

2018-08-05 Thread gayan gunawardana
Hi Devs,

Appreciate your input regarding $subject.

-- 
Gayan


Re: [Dev] How to add transport headers to JWT

2018-07-03 Thread gayan gunawardana
Hi Bhathiya,

On Tue, Jul 3, 2018 at 1:58 PM, Bhathiya Jayasekara 
wrote:

> Hi Gayan,
>
> The JWT is generated and signed by the KM and gateway can't modify it. And
> the transport headers are not sent to KM by the GW either. Therefore there
> is no way to add HTTP headers to the JWT. However, you can send the headers
> as headers themselves to the backend.
>
Thanks a lot for clarification.

>
> Thanks,
> Bhathiya
>
> On Tue, Jul 3, 2018 at 12:12 PM gayan gunawardana 
> wrote:
>
>> Hi APIM team,
>>
>> Is there a way to put the transport headers coming from the incoming request into
>> the JWT [1] generated for the backend service?
>>
>> [1] https://docs.wso2.com/display/AM220/Passing+Enduser+Attributes+to+the+Backend+Using+JWT
>>
>> Thanks,
>> Gayan
>>
>
>
> --
> *Bhathiya Jayasekara*
> *Associate Technical Lead,*
> *WSO2 inc., http://wso2.com*
>
> *Phone: +94715478185*
> *LinkedIn: http://www.linkedin.com/in/bhathiyaj*
> *Twitter: https://twitter.com/bhathiyax*
> *Blog: http://movingaheadblog.blogspot.com*
>



-- 
Gayan


[Dev] How to add transport headers to JWT

2018-07-02 Thread gayan gunawardana
Hi APIM team,

Is there a way to put the transport headers coming from the incoming request into
the JWT [1] generated for the backend service?

[1]
https://docs.wso2.com/display/AM220/Passing+Enduser+Attributes+to+the+Backend+Using+JWT

Thanks,
Gayan


Re: [Dev] Retry with authenticators for adaptive authentication.

2018-05-07 Thread gayan gunawardana
On Mon, May 7, 2018 at 7:17 PM, Maduranga Siriwardena 
wrote:

> Hi devs,
>
> In the Identity Server at the moment, the "retryAuthenticationEnabled" method
> in the authenticators decides whether the user is allowed to retry the
> authentication with that particular authenticator. Based on the result from
> this method, the authenticator itself triggers the retry flow.
>
> Because of this we have a main disadvantage for the implementation of
> adaptive authentication. If retry is enabled, the fail callback function in
> JavaScript is not triggered.
>
> So we are planning to change this behavior and send the authentication
> retry flow through the authentication framework. Below is the planned
> behavior.
>
> - The authenticator will retry to authenticate by default.
> - If the fail callback function has other steps to execute, the
>   authenticator will not retry to authenticate.
> - Developers can disable retry for an authentication sequence by
>   setting a parameter in the context.
>
Isn't it better to invoke the fail callback function after a pre-configured
number of retry attempts?

> Please provide us with feedback on what needs to be changed from the above
> mentioned behavior.
>
> Thanks,
> --
> Maduranga Siriwardena
> Senior Software Engineer
> WSO2 Inc; http://wso2.com/
>
> Email: madura...@wso2.com
> Mobile: +94718990591
> Blog: *https://madurangasiriwardena.wordpress.com/*
>
>
>
>


-- 
Gayan


Re: [Dev] Issue with MultiAttributeSeparator in IS 5.5.0

2018-05-07 Thread gayan gunawardana
On Mon, May 7, 2018 at 10:18 AM, Nuwandi Wickramasinghe <nuwan...@wso2.com>
wrote:

> Hi Gayan,
>
> What is the type of your UserStoreManager?
>
Default LDAP.

>
> On Sun, May 6, 2018 at 11:48 PM, gayan gunawardana <
> gmgunaward...@gmail.com> wrote:
>
>> Hi Nuwandi,
>>
>> Thanks for writing the steps in [1]. It works in IS 5.3.0 without a problem.
>> However, when I try the same steps on IS 5.5.0, even if I change
>> MultiAttributeSeparator it always breaks values on ','. Could you please
>> let me know whether there are any additional steps or a public JIRA regarding
>> the issue?
>>
>> [1] https://medium.com/@nuwandiwickramasinghe/wso2-identity-server-5-3-0-as-the-identity-provider-for-aws-management-console-dcdddefc2d79
>>
>> Thanks,
>> Gayan
>>
>
>
>
> --
>
> Best Regards,
>
> Nuwandi Wickramasinghe
>
> Senior Software Engineer
>
> WSO2 Inc.
>
> Web : http://wso2.com
>
> Mobile : 0719214873
>



-- 
Gayan


[Dev] Issue with MultiAttributeSeparator in IS 5.5.0

2018-05-06 Thread gayan gunawardana
Hi Nuwandi,

Thanks for writing the steps in [1]. It works in IS 5.3.0 without a problem.
However, when I try the same steps on IS 5.5.0, even if I change
MultiAttributeSeparator it always breaks values on ','. Could you please
let me know whether there are any additional steps or a public JIRA regarding
the issue?

[1]
https://medium.com/@nuwandiwickramasinghe/wso2-identity-server-5-3-0-as-the-identity-provider-for-aws-management-console-dcdddefc2d79

Thanks,
Gayan


Re: [Dev] Exception in Facebook Federated Authentication

2018-04-15 Thread gayan gunawardana
On Mon, Apr 16, 2018 at 9:15 AM, Darshana Gunawardana <darsh...@wso2.com>
wrote:

> AFAIR, this seems to be an issue with handling email-type usernames
> without enabling email usernames.
>
Thanks Darshana for the input. It looks like that. I will configure some
other attribute (other than email) as subject identifier and see.

>
> Anyhow, we have discussed fixing this from the SSO consent implementation.
> @Omindu: Do we have any git issue related to this?
>
> Thanks,
>
> On Mon, Apr 16, 2018 at 9:01 AM, gayan gunawardana <
> gmgunaward...@gmail.com> wrote:
>
>>
>> Hi Tharindu,
>> On Mon, Apr 16, 2018 at 8:39 AM, Tharindu Edirisinghe <tharin...@wso2.com
>> > wrote:
>>
>>> Hi Gayan,
>>>
>>> It seems the error is coming from the consent management feature. If you
>>> don't require this feature, you can simply turn it off from the following
>>> property in the identity.xml file.
>>>
>>> 
>>> 
>>> *false*
>>> 
>>>
>>> Alternatively you can turn off the following listener from identity.xml
>>> file too for getting rid of the issue.
>>>
>>> 
>>>
>>
>>> I could reproduce the same behavior, and by setting either of the above
>>> configs I could avoid the error and successfully authenticate the SP app
>>> (travelocity) with the FB IDP.
>>>
>> Thanks for the explanation. I have already disabled consent management to
>> get it to work. I suppose globally disabling the consent management feature or
>> disabling the listener would not be a good solution.
>>
>>>
>>> @IAM Team - If we keep using the consent management feature, do we need
>>> any additional configuration? May be claim configuration to map the
>>> particular user claims which should require obtaining user consent?
>>>
>>
>>> Thanks,
>>> TharinduE
>>>
>>> On Sat, Apr 14, 2018 at 9:28 PM, gayan gunawardana <
>>> gmgunaward...@gmail.com> wrote:
>>>
>>>> Hi All,
>>>>
>>>> I have configured the travelocity.com sample application as SAML inbound
>>>> and Facebook as the federated authenticator for IS-5.5.0. After adding Facebook
>>>> credentials, I got the below UI.
>>>>
>>>>
>>>> After enabling debug logs, I found the below exception. Is there any further
>>>> configuration I have to do to get it to work?
>>>>
>>>> [2018-04-14 20:25:49,655] ERROR {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} -  Error occurred while accessing Java Security Manager Privilege Block
>>>> [2018-04-14 20:25:49,658] ERROR {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} -  Error occurred while evaluating post authentication
>>>> org.wso2.carbon.identity.application.authentication.framework.exception.PostAuthenticationFailedException: Error occurred while retrieving consent data of user: gmgunaward...@gmail.com for service provider: CafeLebens-Sample in tenant domain: carbon.super.
>>>> at org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.consent.ConsentMgtPostAuthnHandler.handlePreConsent(ConsentMgtPostAuthnHandler.java:201)
>>>> at org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.consent.ConsentMgtPostAuthnHandler.handle(ConsentMgtPostAuthnHandler.java:106)
>>>> at org.wso2.carbon.identity.application.authentication.framework.services.PostAuthenticationMgtService.executePostAuthnHandler(PostAuthenticationMgtService.java:109)
>>>> at org.wso2.carbon.identity.application.authentication.framework.services.PostAuthenticationMgtService.handlePostAuthentication(PostAuthenticationMgtService.java:78)
>>>> at org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultAuthenticationRequestHandler.handlePostAuthentication(DefaultAuthenticationRequestHandler.java:165)
>>>> at org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultAuthenticationRequestHandler.handle(DefaultAuthenticationRequestHandler.java:134)
>>>> at org.wso2.carbon.identity.application.authentication.framework.han

Re: [Dev] Exception in Facebook Federated Authentication

2018-04-15 Thread gayan gunawardana
Hi Tharindu,
On Mon, Apr 16, 2018 at 8:39 AM, Tharindu Edirisinghe <tharin...@wso2.com>
wrote:

> Hi Gayan,
>
> It seems the error is coming from the consent management feature. If you
> don't require this feature, you can simply turn it off from the following
> property in the identity.xml file.
>
> 
> 
> *false*
> 
>
> Alternatively you can turn off the following listener from identity.xml
> file too for getting rid of the issue.
>
> <EventListener type="org.wso2.carbon.identity.core.handler.AbstractIdentityHandler"
> name="org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.consent.ConsentMgtPostAuthnHandler"
> orderId="110" enable="false" />
>

> I could reproduce the same behavior, and by setting either of the above
> configs I could avoid the error and successfully authenticate the SP app
> (travelocity) with the FB IDP.
>
Thanks for the explanation. I have already disabled consent management to
get it to work. I suppose globally disabling the consent management feature or
disabling the listener would not be a good solution.

>
> @IAM Team - If we keep using the consent management feature, do we need
> any additional configuration? May be claim configuration to map the
> particular user claims which should require obtaining user consent?
>

> Thanks,
> TharinduE
>
> On Sat, Apr 14, 2018 at 9:28 PM, gayan gunawardana <
> gmgunaward...@gmail.com> wrote:
>
>> Hi All,
>>
>> I have configured the travelocity.com sample application as SAML inbound and
>> Facebook as the federated authenticator for IS-5.5.0. After adding Facebook
>> credentials, I got the below UI.
>>
>>
>> After enabling debug logs, I found the below exception. Is there any further
>> configuration I have to do to get it to work?
>>
>> [2018-04-14 20:25:49,655] ERROR {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} -  Error occurred while accessing Java Security Manager Privilege Block
>> [2018-04-14 20:25:49,658] ERROR {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} -  Error occurred while evaluating post authentication
>> org.wso2.carbon.identity.application.authentication.framework.exception.PostAuthenticationFailedException: Error occurred while retrieving consent data of user: gmgunaward...@gmail.com for service provider: CafeLebens-Sample in tenant domain: carbon.super.
>> at org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.consent.ConsentMgtPostAuthnHandler.handlePreConsent(ConsentMgtPostAuthnHandler.java:201)
>> at org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.consent.ConsentMgtPostAuthnHandler.handle(ConsentMgtPostAuthnHandler.java:106)
>> at org.wso2.carbon.identity.application.authentication.framework.services.PostAuthenticationMgtService.executePostAuthnHandler(PostAuthenticationMgtService.java:109)
>> at org.wso2.carbon.identity.application.authentication.framework.services.PostAuthenticationMgtService.handlePostAuthentication(PostAuthenticationMgtService.java:78)
>> at org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultAuthenticationRequestHandler.handlePostAuthentication(DefaultAuthenticationRequestHandler.java:165)
>> at org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultAuthenticationRequestHandler.handle(DefaultAuthenticationRequestHandler.java:134)
>> at org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator.handle(DefaultRequestCoordinator.java:157)
>> at org.wso2.carbon.identity.application.authentication.framework.servlet.CommonAuthenticationServlet.doPost(CommonAuthenticationServlet.java:53)
>> at org.wso2.carbon.identity.application.authentication.framework.servlet.CommonAuthenticationServlet.doGet(CommonAuthenticationServlet.java:43)
>>
>> Thanks,
>> Gayan
>>
>>
>>
>
>
> --
>
> Tharindu Edirisinghe
> Senior Software Engineer | WSO2 Inc
> Platform Security Team
> Blog : http://tharindue.blogspot.com
> mobile : +94 775181586
>



-- 
Gayan


[Dev] Exception in Facebook Federated Authentication

2018-04-14 Thread gayan gunawardana
Hi All,

I have configured the travelocity.com sample application as SAML inbound and
Facebook as the federated authenticator for IS-5.5.0. After adding Facebook
credentials, I got the below UI.


After enabling debug logs, I found the below exception. Is there any further
configuration I have to do to get it to work?

[2018-04-14 20:25:49,655] ERROR {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} -  Error occurred while accessing Java Security Manager Privilege Block
[2018-04-14 20:25:49,658] ERROR {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} -  Error occurred while evaluating post authentication
org.wso2.carbon.identity.application.authentication.framework.exception.PostAuthenticationFailedException: Error occurred while retrieving consent data of user: gmgunaward...@gmail.com for service provider: CafeLebens-Sample in tenant domain: carbon.super.
at org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.consent.ConsentMgtPostAuthnHandler.handlePreConsent(ConsentMgtPostAuthnHandler.java:201)
at org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.consent.ConsentMgtPostAuthnHandler.handle(ConsentMgtPostAuthnHandler.java:106)
at org.wso2.carbon.identity.application.authentication.framework.services.PostAuthenticationMgtService.executePostAuthnHandler(PostAuthenticationMgtService.java:109)
at org.wso2.carbon.identity.application.authentication.framework.services.PostAuthenticationMgtService.handlePostAuthentication(PostAuthenticationMgtService.java:78)
at org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultAuthenticationRequestHandler.handlePostAuthentication(DefaultAuthenticationRequestHandler.java:165)
at org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultAuthenticationRequestHandler.handle(DefaultAuthenticationRequestHandler.java:134)
at org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator.handle(DefaultRequestCoordinator.java:157)
at org.wso2.carbon.identity.application.authentication.framework.servlet.CommonAuthenticationServlet.doPost(CommonAuthenticationServlet.java:53)
at org.wso2.carbon.identity.application.authentication.framework.servlet.CommonAuthenticationServlet.doGet(CommonAuthenticationServlet.java:43)

Thanks,
Gayan
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


Re: [Dev] Issue with OIDC Request object

2018-04-10 Thread gayan gunawardana
Adding more context information.

I have removed the given_name claim from the openid scope to avoid getting
given_name via scopes. I also noticed the VALUE column is always null in the
IDN_OIDC_REQ_OBJECT_CLAIMS table. Is that the intended behavior?


Appreciate it if you can look into this.

Thanks,
Gayan



On Tue, Apr 10, 2018 at 10:03 AM, gayan gunawardana <gmgunaward...@gmail.com
> wrote:

> Please note that I have gone through exactly the same steps in [1], [2] for
> wso2is-5.6.0-m1
>
>
> [1] https://docs.wso2.com/display/IS550/Passing+OIDC+Authentication+Request+Parameters+in+a+Request+Object
> [2] https://docs.wso2.com/display/IS550/Request+Object+Support
>
> On Tue, Apr 10, 2018 at 9:52 AM, gayan gunawardana <
> gmgunaward...@gmail.com> wrote:
>
>>
>>
>> On Tue, Apr 10, 2018 at 9:44 AM, Hasanthi Purnima Dissanayake <
>> hasan...@wso2.com> wrote:
>>
>>> Hi Gayan,
>>>
>>> *Request object *
>>>>
>>>> {
>>>>   "iss": "KqpUgGLpJaW5n5_OiAJlSnMiCiIa",
>>>>   "aud": "https://localhost:9444/oauth2/token",
>>>>   "response_type": "id_token token",
>>>>   "client_id": "KqpUgGLpJaW5n5_OiAJlSnMiCiIa",
>>>>   "redirect_uri": "http://localhost:8080/playground2/oauth2client",
>>>>   "scope": "openid",
>>>>   "state": "af0ifjsldkj",
>>>>   "nonce": "n-0S6_WzA2Mj",
>>>>   "max_age": 86400,
>>>>   "claims": {
>>>> "userinfo": {
>>>>   "given_name": {
>>>> "essential": true
>>>>   }
>>>> },
>>>> "id_token": {
>>>>   "given_name": {
>>>> "essential": true
>>>>   },
>>>>   "acr": {
>>>> "values": [
>>>>   "urn:mace:incommon:iap:silver"
>>>> ]
>>>>   }
>>>> }
>>>>   }
>>>> }
>>>>
>>>>
>>> Can you please provide the full authorization request that you are
>>> using. For your reference I will add a sample request as below.
>>>
>> There you go.
>> https://localhost:9443/oauth2/authorize?response_type=id_token%20token&client_id=KqpUgGLpJaW5n5_OiAJlSnMiCiIa&redirect_uri=http://localhost:8080/playground2/oauth2client&scope=openid&state=af0ifjsldkj&nonce=n-0S6_WzA2Mj&request=eyJ
>> hbGciOiJSUzI1NiIsImtpZCI6ImsyYmRjIn0.eyJpc3MiOiJLcXBVZ0dMcEp
>> hVzVuNV9PaUFKbFNuTWlDaUlhIiwiYXVkIjoiaHR0cHM6Ly9sb2NhbGhvc3Q
>> 6OTQ0NC9vYXV0aDIvdG9rZW4iLCJyZXNwb25zZV90eXBlIjoiaWRfdG9rZW4
>> gdG9rZW4iLCJjbGllbnRfaWQiOiJLcXBVZ0dMcEphVzVuNV9PaUFKbFNuTWl
>> DaUlhIiwicmVkaXJlY3RfdXJpIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3B
>> sYXlncm91bmQyL29hdXRoMmNsaWVudCIsInNjb3BlIjoib3BlbmlkIiwic3R
>> hdGUiOiJhZjBpZmpzbGRraiIsIm5vbmNlIjoibi0wUzZfV3pBMk1qIiwibWF
>> 4X2FnZSI6ODY0MDAsImNsYWltcyI6eyJ1c2VyaW5mbyI6eyJnaXZlbl9uYW1
>> lIjp7ImVzc2VudGlhbCI6dHJ1ZX19LCJpZF90b2tlbiI6eyJnaXZlbl9uYW1
>> lIjp7ImVzc2VudGlhbCI6dHJ1ZX0sImFjciI6eyJ2YWx1ZXMiOlsidXJuOm1
>> hY2U6aW5jb21tb246aWFwOnNpbHZlciJdfX19fQ.riFqPq298AVlQgjEztmW
>> RAHwyGlvVsF9x0xwPmCrpQwWebJLEjmGLnBjuZsfXGk5dczlmgEB6SKf0o3W
>> WmMDgRMemHbxcnKvyaLxVX_PatZs72PC2kTCK71yK0qqwuGkifyK0fmHl_Uz
>> abyz17Hfspc5B11EdEl3cPJNheFZBuKGe68q_Z8TmBdpFVm6CPpTv2HkGcNJ
>> PzO4jfvl2KYb49v0WiV4gpGHKvy8ZPyEY-cdUxvI9uSUyxValC_M4S47usY55Dr_9F3weF_
>> Rd2d1uyNOebMnJGe-MvP2kwCVHpik-4kEHBJc4xw8TDmgS5HjB1UNiLrqOdzv0cRc-finAQ
>>
>>>
>>> https://server.example.com/authorize?
>>> response_type=code%20id_token
>>> &client_id=s6BhdRkqt3
>>> &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
>>> &scope=openid
>>> &state=af0ifjsldkj
>>> &nonce=n-0S6_WzA2Mj
>>> &request=eyJhbGciOiJSUzI1NiIsImtpZCI6ImsyYmRjIn0.ew0KICJpc3MiOiA
>>> iczZCaGRSa3F0MyIsDQogImF1ZCI6ICJodHRwczovL3NlcnZlci5leGFtcGxlLmN
>>> vbSIsDQogInJlc3BvbnNlX3R5cGUiOiAiY29kZSBpZF90b2tlbiIsDQogImNsaWV
>>> udF9pZCI6ICJzNkJoZFJrcXQzIiwNCiAicmVkaXJlY3RfdXJpIjogImh0dHBzOi8
>>> vY2xpZW50LmV4YW1wbGUub3JnL2NiIiwNCiAic2NvcGUiOiAib3BlbmlkIiwNCiA
>>> ic3RhdGUiOiAiYWYwaWZqc2xka2oiLA0KICJub25jZSI6ICJuLTBTNl9XekEyTWo
>>> iLA0KICJtYXhfYWdlIjogODY0MDAsDQogImNsYWltcyI6IA0KICB7DQogICAidXN
>>> lcmluZm8iOiANCiAgICB7DQogICAgICJnaXZlbl9uYW1lIjogeyJlc3NlbnRpYWw
>>> iOiB0cnVlfSwNCiAgICAgIm5pY2tuYW1lIjogbnVsbCwNCiAgICAgImVtYWlsIjo
>

Re: [Dev] Issue with OIDC Request object

2018-04-09 Thread gayan gunawardana
Please note that I have gone through exactly the same steps in [1], [2] for
wso2is-5.6.0-m1


[1] https://docs.wso2.com/display/IS550/Passing+OIDC+Authentication+Request+Parameters+in+a+Request+Object
[2] https://docs.wso2.com/display/IS550/Request+Object+Support

On Tue, Apr 10, 2018 at 9:52 AM, gayan gunawardana <gmgunaward...@gmail.com>
wrote:

>
>
> On Tue, Apr 10, 2018 at 9:44 AM, Hasanthi Purnima Dissanayake <
> hasan...@wso2.com> wrote:
>
>> Hi Gayan,
>>
>> *Request object *
>>>
>>> {
>>>   "iss": "KqpUgGLpJaW5n5_OiAJlSnMiCiIa",
>>>   "aud": "https://localhost:9444/oauth2/token",
>>>   "response_type": "id_token token",
>>>   "client_id": "KqpUgGLpJaW5n5_OiAJlSnMiCiIa",
>>>   "redirect_uri": "http://localhost:8080/playground2/oauth2client",
>>>   "scope": "openid",
>>>   "state": "af0ifjsldkj",
>>>   "nonce": "n-0S6_WzA2Mj",
>>>   "max_age": 86400,
>>>   "claims": {
>>> "userinfo": {
>>>   "given_name": {
>>> "essential": true
>>>   }
>>> },
>>> "id_token": {
>>>   "given_name": {
>>> "essential": true
>>>   },
>>>   "acr": {
>>> "values": [
>>>   "urn:mace:incommon:iap:silver"
>>> ]
>>>   }
>>> }
>>>   }
>>> }
>>>
>>>
>> Can you please provide the full authorization request that you are using.
>> For your reference I will add a sample request as below.
>>
> There you go.
> https://localhost:9443/oauth2/authorize?response_type=id_token%20token&client_id=KqpUgGLpJaW5n5_OiAJlSnMiCiIa&redirect_uri=http://localhost:8080/playground2/oauth2client&scope=openid&state=af0ifjsldkj&nonce=n-0S6_WzA2Mj&request=
> eyJhbGciOiJSUzI1NiIsImtpZCI6ImsyYmRjIn0.eyJpc3MiOiJLcXBVZ0dMcEphVzVuNV
> 9PaUFKbFNuTWlDaUlhIiwiYXVkIjoiaHR0cHM6Ly9sb2NhbGhvc3Q6OTQ0NC
> 9vYXV0aDIvdG9rZW4iLCJyZXNwb25zZV90eXBlIjoiaWRfdG9rZW4gdG9rZW
> 4iLCJjbGllbnRfaWQiOiJLcXBVZ0dMcEphVzVuNV9PaUFKbFNuTWlDaUlhIi
> wicmVkaXJlY3RfdXJpIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3BsYXlncm
> 91bmQyL29hdXRoMmNsaWVudCIsInNjb3BlIjoib3BlbmlkIiwic3RhdGUiOi
> JhZjBpZmpzbGRraiIsIm5vbmNlIjoibi0wUzZfV3pBMk1qIiwibWF4X2FnZS
> I6ODY0MDAsImNsYWltcyI6eyJ1c2VyaW5mbyI6eyJnaXZlbl9uYW1lIjp7Im
> Vzc2VudGlhbCI6dHJ1ZX19LCJpZF90b2tlbiI6eyJnaXZlbl9uYW1lIjp7Im
> Vzc2VudGlhbCI6dHJ1ZX0sImFjciI6eyJ2YWx1ZXMiOlsidXJuOm1hY2U6aW
> 5jb21tb246aWFwOnNpbHZlciJdfX19fQ.riFqPq298AVlQgjEztmWRAHwyGlvVs
> F9x0xwPmCrpQwWebJLEjmGLnBjuZsfXGk5dczlmgEB6SKf0o3WWmMDgRMemHbxcnKvyaLxVX_
> PatZs72PC2kTCK71yK0qqwuGkifyK0fmHl_Uzabyz17Hfspc5B11EdEl3cPJNheFZBuKGe68q_
> Z8TmBdpFVm6CPpTv2HkGcNJPzO4jfvl2KYb49v0WiV4gpGHKvy8ZPyEY-
> cdUxvI9uSUyxValC_M4S47usY55Dr_9F3weF_Rd2d1uyNOebMnJGe-MvP2kwCVHpik-
> 4kEHBJc4xw8TDmgS5HjB1UNiLrqOdzv0cRc-finAQ
>
>>
>> https://server.example.com/authorize?
>> response_type=code%20id_token
>> &client_id=s6BhdRkqt3
>> &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
>> &scope=openid
>> &state=af0ifjsldkj
>> &nonce=n-0S6_WzA2Mj
>> &request=eyJhbGciOiJSUzI1NiIsImtpZCI6ImsyYmRjIn0.ew0KICJpc3MiOiA
>> iczZCaGRSa3F0MyIsDQogImF1ZCI6ICJodHRwczovL3NlcnZlci5leGFtcGxlLmN
>> vbSIsDQogInJlc3BvbnNlX3R5cGUiOiAiY29kZSBpZF90b2tlbiIsDQogImNsaWV
>> udF9pZCI6ICJzNkJoZFJrcXQzIiwNCiAicmVkaXJlY3RfdXJpIjogImh0dHBzOi8
>> vY2xpZW50LmV4YW1wbGUub3JnL2NiIiwNCiAic2NvcGUiOiAib3BlbmlkIiwNCiA
>> ic3RhdGUiOiAiYWYwaWZqc2xka2oiLA0KICJub25jZSI6ICJuLTBTNl9XekEyTWo
>> iLA0KICJtYXhfYWdlIjogODY0MDAsDQogImNsYWltcyI6IA0KICB7DQogICAidXN
>> lcmluZm8iOiANCiAgICB7DQogICAgICJnaXZlbl9uYW1lIjogeyJlc3NlbnRpYWw
>> iOiB0cnVlfSwNCiAgICAgIm5pY2tuYW1lIjogbnVsbCwNCiAgICAgImVtYWlsIjo
>> geyJlc3NlbnRpYWwiOiB0cnVlfSwNCiAgICAgImVtYWlsX3ZlcmlmaWVkIjogeyJ
>> lc3NlbnRpYWwiOiB0cnVlfSwNCiAgICAgInBpY3R1cmUiOiBudWxsDQogICAgfSw
>> NCiAgICJpZF90b2tlbiI6IA0KICAgIHsNCiAgICAgImdlbmRlciI6IG51bGwsDQo
>> gICAgICJiaXJ0aGRhdGUiOiB7ImVzc2VudGlhbCI6IHRydWV9LA0KICAgICAiYWN
>> yIjogeyJ2YWx1ZXMiOiBbInVybjptYWNlOmluY29tbW9uOmlhcDpzaWx2ZXIiXX0
>> NCiAgICB9DQogIH0NCn0.nwwnNsk1-ZkbmnvsF6zTHm8CHERFMGQPhos-EJcaH4H
>> h-sMgk8ePrGhw_trPYs8KQxsn6R9Emo_wHwajyFKzuMXZFSZ3p6Mb8dkxtVyjoy2
>> GIzvuJT_u7PkY2t8QU9hjBcHs68PkgjDVTrG1uRTx0GxFbuPbj96tVuj11pTnmFC
>> UR6IEOXKYr7iGOCRB3btfJhM0_AKQUfqKnRlrRscc8Kol-cSLWoYE9l5QqholImz
>> jT_cMnNIznW9E7CDyWXTsO70xnB4

Re: [Dev] Issue with OIDC Request object

2018-04-09 Thread gayan gunawardana
On Tue, Apr 10, 2018 at 9:44 AM, Hasanthi Purnima Dissanayake <
hasan...@wso2.com> wrote:

> Hi Gayan,
>
> *Request object *
>>
>> {
>>   "iss": "KqpUgGLpJaW5n5_OiAJlSnMiCiIa",
>>   "aud": "https://localhost:9444/oauth2/token",
>>   "response_type": "id_token token",
>>   "client_id": "KqpUgGLpJaW5n5_OiAJlSnMiCiIa",
>>   "redirect_uri": "http://localhost:8080/playground2/oauth2client",
>>   "scope": "openid",
>>   "state": "af0ifjsldkj",
>>   "nonce": "n-0S6_WzA2Mj",
>>   "max_age": 86400,
>>   "claims": {
>> "userinfo": {
>>   "given_name": {
>> "essential": true
>>   }
>> },
>> "id_token": {
>>   "given_name": {
>> "essential": true
>>   },
>>   "acr": {
>> "values": [
>>   "urn:mace:incommon:iap:silver"
>> ]
>>   }
>> }
>>   }
>> }
>>
>>
> Can you please provide the full authorization request that you are using.
> For your reference I will add a sample request as below.
>
There you go.
https://localhost:9443/oauth2/authorize?response_type=id_token%20token&client_id=KqpUgGLpJaW5n5_OiAJlSnMiCiIa&redirect_uri=http://localhost:8080/playground2/oauth2client&scope=openid&state=af0ifjsldkj&nonce=n-0S6_WzA2Mj&request=eyJhbGciOiJSUzI1NiIsImtpZCI6ImsyYmRjIn0.eyJpc3MiOiJLcXBVZ0dMcEphVzVuNV9PaUFKbFNuTWlDaUlhIiwiYXVkIjoiaHR0cHM6Ly9sb2NhbGhvc3Q6OTQ0NC9vYXV0aDIvdG9rZW4iLCJyZXNwb25zZV90eXBlIjoiaWRfdG9rZW4gdG9rZW4iLCJjbGllbnRfaWQiOiJLcXBVZ0dMcEphVzVuNV9PaUFKbFNuTWlDaUlhIiwicmVkaXJlY3RfdXJpIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3BsYXlncm91bmQyL29hdXRoMmNsaWVudCIsInNjb3BlIjoib3BlbmlkIiwic3RhdGUiOiJhZjBpZmpzbGRraiIsIm5vbmNlIjoibi0wUzZfV3pBMk1qIiwibWF4X2FnZSI6ODY0MDAsImNsYWltcyI6eyJ1c2VyaW5mbyI6eyJnaXZlbl9uYW1lIjp7ImVzc2VudGlhbCI6dHJ1ZX19LCJpZF90b2tlbiI6eyJnaXZlbl9uYW1lIjp7ImVzc2VudGlhbCI6dHJ1ZX0sImFjciI6eyJ2YWx1ZXMiOlsidXJuOm1hY2U6aW5jb21tb246aWFwOnNpbHZlciJdfX19fQ.riFqPq298AVlQgjEztmWRAHwyGlvVsF9x0xwPmCrpQwWebJLEjmGLnBjuZsfXGk5dczlmgEB6SKf0o3WWmMDgRMemHbxcnKvyaLxVX_PatZs72PC2kTCK71yK0qqwuGkifyK0fmHl_Uzabyz17Hfspc5B11EdEl3cPJNheFZBuKGe68q_Z8TmBdpFVm6CPpTv2HkGcNJPzO4jfvl2KYb49v0WiV4gpGHKvy8ZPyEY-cdUxvI9uSUyxValC_M4S47usY55Dr_9F3weF_Rd2d1uyNOebMnJGe-MvP2kwCVHpik-4kEHBJc4xw8TDmgS5HjB1UNiLrqOdzv0cRc-finAQ

>
> https://server.example.com/authorize?
> response_type=code%20id_token
> &client_id=s6BhdRkqt3
> &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
> &scope=openid
> &state=af0ifjsldkj
> &nonce=n-0S6_WzA2Mj
> &request=eyJhbGciOiJSUzI1NiIsImtpZCI6ImsyYmRjIn0.ew0KICJpc3MiOiA
> iczZCaGRSa3F0MyIsDQogImF1ZCI6ICJodHRwczovL3NlcnZlci5leGFtcGxlLmN
> vbSIsDQogInJlc3BvbnNlX3R5cGUiOiAiY29kZSBpZF90b2tlbiIsDQogImNsaWV
> udF9pZCI6ICJzNkJoZFJrcXQzIiwNCiAicmVkaXJlY3RfdXJpIjogImh0dHBzOi8
> vY2xpZW50LmV4YW1wbGUub3JnL2NiIiwNCiAic2NvcGUiOiAib3BlbmlkIiwNCiA
> ic3RhdGUiOiAiYWYwaWZqc2xka2oiLA0KICJub25jZSI6ICJuLTBTNl9XekEyTWo
> iLA0KICJtYXhfYWdlIjogODY0MDAsDQogImNsYWltcyI6IA0KICB7DQogICAidXN
> lcmluZm8iOiANCiAgICB7DQogICAgICJnaXZlbl9uYW1lIjogeyJlc3NlbnRpYWw
> iOiB0cnVlfSwNCiAgICAgIm5pY2tuYW1lIjogbnVsbCwNCiAgICAgImVtYWlsIjo
> geyJlc3NlbnRpYWwiOiB0cnVlfSwNCiAgICAgImVtYWlsX3ZlcmlmaWVkIjogeyJ
> lc3NlbnRpYWwiOiB0cnVlfSwNCiAgICAgInBpY3R1cmUiOiBudWxsDQogICAgfSw
> NCiAgICJpZF90b2tlbiI6IA0KICAgIHsNCiAgICAgImdlbmRlciI6IG51bGwsDQo
> gICAgICJiaXJ0aGRhdGUiOiB7ImVzc2VudGlhbCI6IHRydWV9LA0KICAgICAiYWN
> yIjogeyJ2YWx1ZXMiOiBbInVybjptYWNlOmluY29tbW9uOmlhcDpzaWx2ZXIiXX0
> NCiAgICB9DQogIH0NCn0.nwwnNsk1-ZkbmnvsF6zTHm8CHERFMGQPhos-EJcaH4H
> h-sMgk8ePrGhw_trPYs8KQxsn6R9Emo_wHwajyFKzuMXZFSZ3p6Mb8dkxtVyjoy2
> GIzvuJT_u7PkY2t8QU9hjBcHs68PkgjDVTrG1uRTx0GxFbuPbj96tVuj11pTnmFC
> UR6IEOXKYr7iGOCRB3btfJhM0_AKQUfqKnRlrRscc8Kol-cSLWoYE9l5QqholImz
> jT_cMnNIznW9E7CDyWXTsO70xnB4SkG6pXfLSjLLlxmPGiyon_-Te111V8uE83Il
> zCYIb_NMXvtTIVc1jpspnTSD7xMbpL-2QgwUsAlMGzw
>
> From the above mail what I understand is that you have provided a plain
> text value for the request parameter.  But here the value of the request
> parameter should be a JWT/JWS or  JWE. After using a JWT if you still
> observe the error please get back to us.
>

> Thanks,
>
>
>
> On Tue, Apr 10, 2018 at 9:37 AM, gayan gunawardana <
> gmgunaward...@gmail.com> wrote:
>
>> Hi All,
>>
>> Sent below request, expecting *given_name* claim but ID Token doesn't
>> have given_name claim when obtaining ID Token from Implicit grant type.
>>
>> *Request object *
>>
>> 

[Dev] Issue with OIDC Request object

2018-04-09 Thread gayan gunawardana
Hi All,

Sent the request below, expecting the *given_name* claim, but the ID Token
doesn't have the given_name claim when obtaining it via the Implicit grant type.

*Request object *

{
  "iss": "KqpUgGLpJaW5n5_OiAJlSnMiCiIa",
  "aud": "https://localhost:9444/oauth2/token",
  "response_type": "id_token token",
  "client_id": "KqpUgGLpJaW5n5_OiAJlSnMiCiIa",
  "redirect_uri": "http://localhost:8080/playground2/oauth2client",
  "scope": "openid",
  "state": "af0ifjsldkj",
  "nonce": "n-0S6_WzA2Mj",
  "max_age": 86400,
  "claims": {
"userinfo": {
  "given_name": {
"essential": true
  }
},
"id_token": {
  "given_name": {
"essential": true
  },
  "acr": {
"values": [
  "urn:mace:incommon:iap:silver"
]
  }
}
  }
}

*ID Token*

{
  "at_hash": "A73K_CSStq6fs611ZzFs7A",
  "sub": "admin",
  "aud": [
"KqpUgGLpJaW5n5_OiAJlSnMiCiIa"
  ],
  "azp": "KqpUgGLpJaW5n5_OiAJlSnMiCiIa",
  "amr": [],
  "iss": "https://localhost:9444/oauth2/token",
  "exp": 1523335098,
  "nonce": "n-0S6_WzA2Mj",
  "iat": 1523331498,
  "sid": "e7278e7c-224b-45c2-a8e0-e5f36cb77b47"
}


[1]
https://docs.wso2.com/display/IS550/Passing+OIDC+Authentication+Request+Parameters+in+a+Request+Object
[2] https://docs.wso2.com/display/IS550/Request+Object+Support

Thanks,
Gayan
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
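Worked example, added here by the editor and not code from this thread or from WSO2 Identity Server: the request object posted above is signed as a compact JWS, verified the way an authorization server should verify it (algorithm pinned, MAC checked, iss and client_id tied to the calling client), and then the ID token posted above is checked against the request object's essential id_token claims. REQUEST_OBJECT and ID_TOKEN are the JSON from the thread; CLIENT_SECRET, the choice of HS256 (the thread's own token is RS256, HS256 is used only so the example needs no key material) and the helper names are assumptions.

```python
"""OIDC request object: sign, verify, and check essential claims.

Added example, not WSO2 Identity Server code. Assumptions: the request
object is signed with HS256 using the client secret (OIDC Core permits
symmetric signing; the thread's own token is RS256), and CLIENT_SECRET is a
made-up value. REQUEST_OBJECT and ID_TOKEN are the JSON posted in the thread.
"""
import base64
import hashlib
import hmac
import json

CLIENT_ID = "KqpUgGLpJaW5n5_OiAJlSnMiCiIa"
CLIENT_SECRET = b"example-client-secret"  # constructed for the example

REQUEST_OBJECT = {
    "iss": CLIENT_ID,
    "aud": "https://localhost:9444/oauth2/token",
    "response_type": "id_token token",
    "client_id": CLIENT_ID,
    "redirect_uri": "http://localhost:8080/playground2/oauth2client",
    "scope": "openid",
    "state": "af0ifjsldkj",
    "nonce": "n-0S6_WzA2Mj",
    "max_age": 86400,
    "claims": {
        "userinfo": {"given_name": {"essential": True}},
        "id_token": {
            "given_name": {"essential": True},
            "acr": {"values": ["urn:mace:incommon:iap:silver"]},
        },
    },
}

ID_TOKEN = {  # the ID token from the thread: note there is no given_name
    "at_hash": "A73K_CSStq6fs611ZzFs7A",
    "sub": "admin",
    "aud": [CLIENT_ID],
    "azp": CLIENT_ID,
    "amr": [],
    "iss": "https://localhost:9444/oauth2/token",
    "exp": 1523335098,
    "nonce": "n-0S6_WzA2Mj",
    "iat": 1523331498,
    "sid": "e7278e7c-224b-45c2-a8e0-e5f36cb77b47",
}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_request_object(payload: dict, secret: bytes) -> str:
    """Client side: serialise the request object as a compact HS256 JWS."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(payload, separators=(",", ":")).encode())
    mac = hmac.new(secret, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(mac)}"


def verify_request_object(token: str, secret: bytes, client_id: str) -> dict:
    """Server side: pin the algorithm (so 'none' is rejected), check the MAC,
    and require iss and client_id inside the JWT to match the calling client."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("request parameter is not a compact JWS")
    header, body, sig = parts
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(body))
    if payload.get("iss") != client_id or payload.get("client_id") != client_id:
        raise ValueError("iss/client_id do not match the requesting client")
    return payload


def requested_claims(request_object: dict, target: str) -> dict:
    """{claim_name: essential?} for the 'id_token' or 'userinfo' member of claims."""
    section = (request_object.get("claims") or {}).get(target) or {}
    return {name: bool(spec and spec.get("essential")) for name, spec in section.items()}


def missing_essential_claims(request_object: dict, id_token: dict) -> list:
    """Client-side check after login: essential id_token claims that were not returned."""
    wanted = requested_claims(request_object, "id_token")
    return sorted(n for n, essential in wanted.items() if essential and n not in id_token)


if __name__ == "__main__":
    jws = sign_request_object(REQUEST_OBJECT, CLIENT_SECRET)
    checked = verify_request_object(jws, CLIENT_SECRET, CLIENT_ID)
    print("missing essential id_token claims:", missing_essential_claims(checked, ID_TOKEN))
```

Run stand-alone it reports given_name as the missing essential claim, which is the gap described above; acr is never flagged because it is requested with values only, not essential: true. On the server side the order of checks matters: reject an unexpected alg before touching the signature, and refuse a request object whose iss or client_id differs from the authenticated client, otherwise one client can replay another client's signed request.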


Re: [Dev] OAuth2 Client Authentication Error Response when authorization header is malformed

2018-01-23 Thread Gayan Gunawardana
On Fri, Jan 19, 2018 at 4:02 AM, Hasintha Indrajee <hasin...@wso2.com>
wrote:

> WDYT about the $subject? Below I have quoted the descriptions of the two
> error codes from the spec [1]. It looks like "invalid_request" is more
> appropriate here. Any thoughts? An example Authorization header is
> Base64Encoded(randomString), where the random string doesn't have the
> clientId:clientSecret format.
>
In the HTTP world this is a bad request with status code 400 [1]. Definitely it
should be an invalid request.
[1] https://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html

>
>
>  invalid_request
>The request is missing a required parameter, includes an
>unsupported parameter value (other than grant type),
>repeats a parameter, includes multiple credentials,
>utilizes more than one mechanism for authenticating the
>client, or is otherwise malformed.
>
>  invalid_client
>Client authentication failed (e.g., unknown client, no
>client authentication included, or unsupported
>authentication method).  The authorization server MAY
>return an HTTP 401 (Unauthorized) status code to indicate
>which HTTP authentication schemes are supported.  If the
>client attempted to authenticate via the "Authorization"
>request header field, the authorization server MUST
>respond with an HTTP 401 (Unauthorized) status code and
>include the "WWW-Authenticate" response header field
>matching the authentication scheme used by the client.
>
>
>
> [1] https://tools.ietf.org/html/rfc6749
>
> --
> Hasintha Indrajee
> WSO2, Inc.
> Mobile: +94 771892453
>
>
> ___
> Dev mailing list
> Dev@wso2.org
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>
>


-- 
Gayan Gunawardana
Senior Software Engineer; WSO2 Inc.; http://wso2.com/
Email: ga...@wso2.com
Mobile: +94 (71) 8020933
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
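Worked example, added by the editor and not Identity Server code: a token-endpoint client-authentication routine that applies the RFC 6749 section 5.2 texts quoted above. A header that is present but malformed (not valid base64, or no client_id:client_secret shape, which is the Base64Encoded(randomString) case from the thread) gets 400 invalid_request, as does a request that uses both the header and body parameters; unknown client, wrong secret or no credentials at all get 401 invalid_client, with WWW-Authenticate when the client used the Authorization header. The client registry, secret values and request shapes are constructed for the example.

```python
"""Token-endpoint client authentication with RFC 6749 error mapping.

Added example, not Identity Server code. CLIENTS, the secret values and the
request shapes (a headers dict and a form dict) are constructed for the example.
"""
import base64
import binascii
import hmac

CLIENTS = {"s6BhdRkqt3": "7Fjfp0ZBr1KtDRbnfVdmIw"}  # constructed registry
CHALLENGE = {"WWW-Authenticate": 'Basic realm="oauth2-token-endpoint"'}


def parse_basic(header_value: str):
    """(client_id, client_secret) from a Basic header; ValueError if malformed:
    wrong scheme, invalid base64/UTF-8, or no 'client_id:client_secret' shape."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not blob.strip():
        raise ValueError("not a Basic credential")
    try:
        raw = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        raise ValueError("credential is not valid base64 or UTF-8")
    client_id, sep, secret = raw.partition(":")
    if not sep or not client_id:
        raise ValueError("credential is not 'client_id:client_secret'")
    return client_id, secret


def authenticate_client(headers: dict, form: dict):
    """Return (status, json_body, extra_headers) for one token request.

    400 invalid_request : Authorization header present but malformed, or
                          credentials in both the header and the body.
    401 invalid_client  : no credentials, unknown client, or wrong secret;
                          WWW-Authenticate is added when the header was used
                          (a MUST in RFC 6749 section 5.2).
    """
    auth = headers.get("Authorization")
    in_body = "client_id" in form and "client_secret" in form
    if auth is not None and in_body:
        return 400, {"error": "invalid_request",
                     "error_description": "more than one client authentication mechanism"}, {}
    if auth is not None:
        try:
            client_id, secret = parse_basic(auth)
        except ValueError as exc:
            return 400, {"error": "invalid_request", "error_description": str(exc)}, {}
    elif in_body:
        client_id, secret = form["client_id"], form["client_secret"]
    else:
        return 401, {"error": "invalid_client"}, dict(CHALLENGE)
    expected = CLIENTS.get(client_id, "")
    # Constant-time comparison of the secret; the error body is the same for an
    # unknown client and a wrong secret so the response does not enumerate clients.
    if not expected or not hmac.compare_digest(expected.encode(), secret.encode()):
        return 401, {"error": "invalid_client"}, dict(CHALLENGE) if auth is not None else {}
    return 200, {"authenticated_client": client_id}, {}


def basic_header(client_id: str, secret: str) -> str:
    """Build a well-formed Basic header the way an OAuth2 client would."""
    return "Basic " + base64.b64encode(f"{client_id}:{secret}".encode()).decode("ascii")


if __name__ == "__main__":
    print(authenticate_client({"Authorization": "Basic cmFuZG9tU3RyaW5n"}, {}))  # randomString
    print(authenticate_client({"Authorization": basic_header("s6BhdRkqt3", "wrong")}, {}))
```

"cmFuZG9tU3RyaW5n" is base64 of the literal randomString, so the first call in the main block is exactly the malformed-header case from the thread and yields 400 invalid_request, while a well-formed header carrying a wrong secret yields 401 invalid_client with the WWW-Authenticate challenge.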


Re: [Dev] Issue with DLC pattern

2018-01-23 Thread Gayan Gunawardana
On Sat, Jan 13, 2018 at 7:24 AM, Nadeeshaan Gunasinghe <nadeesh...@wso2.com>
wrote:

> Hi Gayan,
>
> You can use following two properties,
>
> max.delivery.drop
>
> max.delivery.attempts
>
> Enabling max.delivery.drop will drop the message after the specified number
> of attempts, and the message processor will not be deactivated.
>
> Hope this suits your requirement.
>
Thanks Nadeeshaan & sorry for late reply.

>
> Cheers,
>
> *Nadeeshaan Gunasinghe*
> Senior Software Engineer, WSO2 Inc. http://wso2.com
> +94770596754 | nadeesh...@wso2.com | Skype: nadeeshaan.gunasinghe
> <http://www.facebook.com/nadeeshaan.gunasinghe>
> <http://lk.linkedin.com/in/nadeeshaan> <http://twitter.com/Nadeeshaan>
> <http://nadeeshaan.blogspot.com/>
>
> On Sat, Jan 13, 2018 at 3:42 PM, Gayan Gunawardana <ga...@wso2.com> wrote:
>
>> Hi ESB team,
>>
>> I followed the instructions given in [1] to implement the DLC pattern (EI 6.1.1).
>> However there is a small issue when the message processor tries to send messages
>> to a suspended endpoint. The issue is that the message processor goes to the *inactive*
>> state when sending messages to the suspended endpoint. Due to that reason the rest
>> of the messages in the dlc-store won't be delivered to the expected endpoint.
>>
>> Appreciate any help regarding above issue.
>>
>> [1] https://docs.wso2.com/display/IntegrationPatterns/Dead+Letter+Channel
>>
>> Thanks,
>> Gayan
>> --
>> Gayan Gunawardana
>> Senior Software Engineer; WSO2 Inc.; http://wso2.com/
>> Email: ga...@wso2.com
>> Mobile: +94 (71) 8020933
>>
>> ___
>> Dev mailing list
>> Dev@wso2.org
>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>
>>
>


-- 
Gayan Gunawardana
Senior Software Engineer; WSO2 Inc.; http://wso2.com/
Email: ga...@wso2.com
Mobile: +94 (71) 8020933
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


[Dev] Issue with DLC pattern

2018-01-13 Thread Gayan Gunawardana
Hi ESB team,

I followed the instructions given in [1] to implement the DLC pattern (EI 6.1.1).
However there is a small issue when the message processor tries to send messages
to a suspended endpoint. The issue is that the message processor goes to the *inactive*
state when sending messages to the suspended endpoint. Due to that reason the rest
of the messages in the dlc-store won't be delivered to the expected endpoint.

Appreciate any help regarding above issue.

[1] https://docs.wso2.com/display/IntegrationPatterns/Dead+Letter+Channel

Thanks,
Gayan
-- 
Gayan Gunawardana
Senior Software Engineer; WSO2 Inc.; http://wso2.com/
Email: ga...@wso2.com
Mobile: +94 (71) 8020933
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


Re: [Dev] Problem with extracting a value in a SOAP response through a shell script

2018-01-06 Thread Gayan Gunawardana
Please check whether the approach below works for your requirement.

# -k disables TLS certificate verification; acceptable against a local dev pack,
# but on any shared environment pass --cacert with the server certificate instead.
cmd=$(curl -k -H "Authorization: Basic YWRtaW46YWRtaW4=" -H "Content-Type: text/xml;charset=UTF-8" -H "SOAPAction:urn:getApplication" -d @get_sp.xml "https://$IP_ADDRESS:$HTTPS_PORT_IS/services/IdentityApplicationManagementService?wsdl")
echo "$cmd" > get_sp_reponse.xml
# Positive lookbehind keeps only the element text; the prefix ax2199 is what Axis2 emitted here.
applicationID=$(grep -oP '(?<=ax2199:applicationID>)[^<]+' "get_sp_reponse.xml")
echo "Service Provider Application ID: $applicationID"

*get_sp.xml*

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsd="http://org.apache.axis2/xsd">
   <soapenv:Header/>
   <soapenv:Body>
      <!-- getApplication operation of IdentityApplicationManagementService -->
      <xsd:getApplication>
         <xsd:applicationName>SERVICE_PROVIDER_NAME</xsd:applicationName>
      </xsd:getApplication>
   </soapenv:Body>
</soapenv:Envelope>

On Fri, Jan 5, 2018 at 5:08 PM, Nipuni Bhagya <nipu...@wso2.com> wrote:

> Hi all,
>
> I'm writing shell scripts for the IAM Quick Start Guide and currently, I'm
> working on the shell script which automates the configuration of SSO with
> SAML2. I have encountered a problem while trying to get the application Id
> of a service provider in order to perform an update operation.
>
> The method I'm using to overcome this at the moment is,
>
> 1. I call the getApplication function in the Identity Application
> Management API
> 2. Write the response to a text file.
> 3. Convert that text file into an XML file.
> 4. grep the value of 
>
> But the problem with this approach is that I'm using a tool called xmllint to
> convert the text to XML format. Since xmllint is not a default Unix command
> the users will have to install it on their machines first. As it is not
> appropriate to ask for the user's password while running a script, I can't
> use xmllint and also most of the other approaches available.
>
> So I would really appreciate it if one of you could help me to find a
> better way to achieve this task.
>
> Thank you in advance,
> --
>
>
>
> *Kind Regards,Nipuni Bhagya*
>
> *Software Engineering Intern*
> *WSO2*
>
>
>
> *Mobile : +94 0779028904*
>



-- 
Gayan Gunawardana
Senior Software Engineer; WSO2 Inc.; http://wso2.com/
Email: ga...@wso2.com
Mobile: +94 (71) 8020933
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
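An alternative to grepping the reply, added by the editor and not the script from this thread: parse the SOAP response with the Python 3 standard library and match the element by its local name, so the extraction keeps working when Axis2 emits a prefix other than ax2199, fails loudly on a SOAP Fault instead of printing an empty ID, and refuses anything that is not a single numeric applicationID. The sample response and fault below are constructed; the namespace URIs are assumptions; having python3 on the user's machine is the one prerequisite, which is the constraint raised in the original question.

```python
"""Extract applicationID from a getApplication SOAP response by local name.

Added example, not from the thread's script. SAMPLE_RESPONSE and SAMPLE_FAULT
are constructed; the namespace URIs and the ax2199 prefix are assumptions
(Axis2 generates prefixes, so a real response may use a different one).
Needs only the Python 3 standard library.
"""
import xml.etree.ElementTree as ET
from typing import Iterator

SAMPLE_RESPONSE = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body>
    <ns:getApplicationResponse xmlns:ns="http://org.apache.axis2/xsd"
        xmlns:ax2199="http://model.common.application.identity.carbon.wso2.org/xsd">
      <ns:return>
        <ax2199:applicationID>7</ax2199:applicationID>
        <ax2199:applicationName>travelocity.com</ax2199:applicationName>
      </ns:return>
    </ns:getApplicationResponse>
  </soapenv:Body>
</soapenv:Envelope>"""

SAMPLE_FAULT = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body>
    <soapenv:Fault>
      <faultcode>soapenv:Client</faultcode>
      <faultstring>Authentication failure</faultstring>
    </soapenv:Fault>
  </soapenv:Body>
</soapenv:Envelope>"""


def texts_by_local_name(root: ET.Element, local_name: str) -> Iterator[str]:
    """Yield the text of every element called local_name, whatever its prefix
    or namespace; ElementTree spells tags as '{uri}local'."""
    for element in root.iter():
        if element.tag.rsplit("}", 1)[-1] == local_name:
            yield (element.text or "").strip()


def application_id(soap_xml: str) -> int:
    """Return the single numeric applicationID, or raise: RuntimeError on a SOAP
    Fault, ValueError when the element is absent, duplicated or non-numeric."""
    # expat as used by ElementTree does not fetch external entities, but for XML
    # from an untrusted peer prefer defusedxml's fromstring with the same call shape.
    root = ET.fromstring(soap_xml)
    faults = list(texts_by_local_name(root, "faultstring"))
    if faults:
        raise RuntimeError("SOAP fault: " + faults[0])
    ids = list(texts_by_local_name(root, "applicationID"))
    if len(ids) != 1 or not ids[0].isdigit():
        raise ValueError("expected exactly one numeric applicationID, got %r" % ids)
    return int(ids[0])


if __name__ == "__main__":
    print("Service Provider Application ID:", application_id(SAMPLE_RESPONSE))
```

In the shell script this replaces the grep line with something like applicationID=$(python3 extract_id.py < get_sp_reponse.xml) once the main block reads sys.stdin instead of the sample; the point of matching on the local name is that a namespace-prefix change, which Axis2 is free to make between releases, no longer silently produces an empty applicationID.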


Re: [Dev] [IS] Looking for a ClientCertificateBasedAuthentication sample code for accessing REST APIs

2017-11-14 Thread Gayan Gunawardana
On Tue, Nov 14, 2017 at 2:48 PM, Thilina Madumal <thilina...@wso2.com>
wrote:

> Hi Devs,
>
> Recently I have started implementing an oauth2-proxy client for Single
> Page Applications to be used as the proxy for securing resource access
> using OAuth2.
>
> During that, I wanted to validate the access token. In the documentation,
> I found that it can be achieved using introspection endpoint [1]. There the
> given curl commands use Basic Authorization to access the introspection
> endpoint.
>
> As I research further I found [2] where it describes 3 methods on
> authenticating and authorizing to REST-APIs in IS.
> IMO it would be more convenient if there were a link between these [1] and
> [2]. WDYT?
>
Not only introspection; this is common to any REST API exposed by Identity
Server.
+1 for having a link to [2].

>
> Highly appreciate if someone could point me a sample implementation where
> ClientCertificateBasedAuthentication is used for authentication and
> authorization for IS REST APIs.
>
If this is about the client side implementation, you can try it from a tool
like SOAPUI.

>
> Also in the documentation giving a sample implementations for all the
> default methods described in [2] would be helpful for both the end-users
> and the community.
>

> [1] https://docs.wso2.com/display/IS530/Invoke+the+OAuth+Introspection+Endpoint
> [2] https://docs.wso2.com/display/IS530/Authenticating+and+Authorizing+REST+APIs
>
> Best,
> Thilina
> --
> *Thilina Madumal*
> *Software Engineer | **WSO2*
> Email: thilina...@wso2.com
> Mobile: *+94 774553167*
> Web: http://wso2.com
>
>
>


-- 
Gayan Gunawardana
Senior Software Engineer; WSO2 Inc.; http://wso2.com/
Email: ga...@wso2.com
Mobile: +94 (71) 8020933
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


Re: [Dev] Remove provisioning-config.xml

2017-11-10 Thread Gayan Gunawardana
On Fri, Nov 10, 2017 at 3:19 PM, Ruwan Abeykoon <ruw...@wso2.com> wrote:

> Hi Gayan,
> Thanks for bringing this up.
> We have not planned to do so.
> +1 for removing unusable config elements.
> Do you know the breakdown of usable and unusable elements. Can you create
> an Improvement JIRA if you know them?
> Lets keep the file for now, as not we are closing Beta9, and lets update
> Doc about deprecation.
>
AFAIK we do not use anything other than
true

>
> Cheers,
> Ruwan
>
> On Fri, Nov 10, 2017 at 5:46 PM, Gayan Gunawardana <ga...@wso2.com> wrote:
>
>> Hi All,
>>
>> Do we have any plan to deprecate *provisioning-config.xml* from IS
>> 5.4.0? Most of the configurations it has are unusable right now.
>> Still we use a few configurations like [1]. IMO it is better to remove
>> this configuration file.
>> true
>>
>> [1] https://docs.wso2.com/display/IS530/Extensible+SCIM+User+Schemas+With+WSO2+Identity+Server
>>
>> Thanks,
>> Gayan
>> --
>> Gayan Gunawardana
>> Senior Software Engineer; WSO2 Inc.; http://wso2.com/
>> Email: ga...@wso2.com
>> Mobile: +94 (71) 8020933
>>
>
>
>
> --
>
> *Ruwan Abeykoon*
> *Associate Director/Architect**,*
> *WSO2, Inc. http://wso2.com <https://wso2.com/signature> *
> *lean.enterprise.middleware.*
>
>


-- 
Gayan Gunawardana
Senior Software Engineer; WSO2 Inc.; http://wso2.com/
Email: ga...@wso2.com
Mobile: +94 (71) 8020933
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


[Dev] Remove provisioning-config.xml

2017-11-10 Thread Gayan Gunawardana
Hi All,

Do we have any plan to deprecate *provisioning-config.xml* from IS 5.4.0?
Most of the configurations it has are unusable right now.
Still we use a few configurations like [1]. IMO it is better to remove
this configuration file.
true

[1]
https://docs.wso2.com/display/IS530/Extensible+SCIM+User+Schemas+With+WSO2+Identity+Server

Thanks,
Gayan
-- 
Gayan Gunawardana
Senior Software Engineer; WSO2 Inc.; http://wso2.com/
Email: ga...@wso2.com
Mobile: +94 (71) 8020933
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


Re: [Dev] Error occurred while generating keys for Default application

2017-11-02 Thread Gayan Gunawardana
On Wed, Nov 1, 2017 at 3:20 PM, Sanjeewa Malalgoda <sanje...@wso2.com>
wrote:

> Hi Gayan,
> I cannot recall fixing something like this. But can we check same with
> updated pack as well.
> We dont see same behavior in default pack with H2.
>
Thanks. I will look into an updated pack if I get time. BTW, according to my
understanding there is no need to invoke the createApplicationRegistrationEntry()
method at this point.

>
> Thanks,
> sanjeewa.
>
> On Wed, Nov 1, 2017 at 11:54 AM, Gayan Gunawardana <ga...@wso2.com> wrote:
>
>> Hi All,
>>
>> I got this exception only the first time, when generating keys for the Default
>> application.
>>
>> Environment:
>>
>>- IS as KM IS-5.3.0 and APIM-2.1.0
>>- DB postgres-10
>>- Without patches or wum updates
>>
>> Other applications works fine. If I delete Default application and create
>> new one with same name it works.
>> Appreciate your input.
>>
>> [2017-10-31 20:53:13,463] ERROR - ApplicationRegistrationSimpleWorkflowExecutor Error occurred when updating the status of the Application creation process
>> org.wso2.carbon.apimgt.api.APIManagementException: Application 'DefaultApplication' is already registered.
>> at org.wso2.carbon.apimgt.impl.dao.ApiMgtDAO.createApplicationRegistrationEntry(ApiMgtDAO.java:293)
>> at org.wso2.carbon.apimgt.impl.workflow.ApplicationRegistrationSimpleWorkflowExecutor.complete(ApplicationRegistrationSimpleWorkflowExecutor.java:77)
>> at org.wso2.carbon.apimgt.impl.workflow.ApplicationRegistrationSimpleWorkflowExecutor.execute(ApplicationRegistrationSimpleWorkflowExecutor.java:54)
>> at org.wso2.carbon.apimgt.impl.APIConsumerImpl.requestApprovalForApplicationRegistration(APIConsumerImpl.java:2789)
>> at org.wso2.carbon.apimgt.impl.UserAwareAPIConsumer.requestApprovalForApplicationRegistration(UserAwareAPIConsumer.java:36)
>> at org.wso2.carbon.apimgt.hostobjects.APIStoreHostObject.jsFunction_getApplicationKey(APIStoreHostObject.java:385)
>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>> at java.lang.reflect.Method.invoke(Method.java:498)
>> at org.mozilla.javascript.MemberBox.invoke(MemberBox.java:126)
>> at org.mozilla.javascript.FunctionObject.call(FunctionObject.java:386)
>> at org.mozilla.javascript.optimizer.OptRuntime.callN(OptRuntime.java:52)
>> at org.jaggeryjs.rhino.store.modules.subscription.c4._c_anonymous_2(/store/modules/subscription/key.jag:39)
>> at org.jaggeryjs.rhino.store.modules.subscription.c4.call(/store/modules/subscription/key.jag)
>> at org.mozilla.javascript.ScriptRuntime.applyOrCall(ScriptRuntime.java:2430)
>> at org.mozilla.javascript.BaseFunction.execIdCall(BaseFunction.java:269)
>> at org.mozilla.javascript.IdFunctionObject.call(IdFunctionObject.java:97)
>> at org.mozilla.javascript.optimizer.OptRuntime.call2(OptRuntime.java:42)
>> at org.jaggeryjs.rhino.store.modules.subscription.c0._c_anonymous_10(/store/modules/subscription/module.jag:35)
>> at org.jaggeryjs.rhino.store.modules.subscription.c0.call(/store/modules/subscription/module.jag)
>> at org.mozilla.javascript.optimizer.OptRuntime.callN(OptRuntime.java:52)
>> at org.jaggeryjs.rhino.store.site.blocks.subscription.subscription_add.ajax.c0._c_anonymous_1(/store/site/blocks/subscription/subscription-add/ajax/subscription-add.jag:240)
>> at org.jaggeryjs.rhino.store.site.blocks.subscription.subscription_add.ajax.c0.call(/store/site/blocks/subscription/subscription-add/ajax/subscription-add.jag)
>> at org.mozilla.javascript.optimizer.OptRuntime.call0(OptRuntime.java:23)
>> at org.jaggeryjs.rhino.store.site.blocks.subscription.subscription_add.ajax.c0._c_script_0(/store/site/blocks/subscription/subscription-add/ajax/subscription-add.jag:3)
>> at org.jaggeryjs.rhino.store.site.blocks.subscription.subscription_add.ajax.c0.call(/store/site/blocks/subscription/subscription-add/ajax/subscription-add.jag)
>> at org.mozilla.javascript.ContextFactory.doTopCall(ContextFactory.java:394)
>> at org.mozilla.javascript.ScriptRuntime.doTopCall(ScriptRuntime.java:309

[Dev] Error occurred while generating keys for Default application

2017-11-01 Thread Gayan Gunawardana
.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:159)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:958)
at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:57)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:452)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1087)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1756)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1715)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)
Caused by: org.wso2.carbon.apimgt.api.APIManagementException: Application 'DefaultApplication' is already registered.
at org.wso2.carbon.apimgt.impl.dao.ApiMgtDAO.createApplicationRegistrationEntry(ApiMgtDAO.java:293)
at org.wso2.carbon.apimgt.impl.workflow.ApplicationRegistrationSimpleWorkflowExecutor.complete(ApplicationRegistrationSimpleWorkflowExecutor.java:77)
... 75 more

Thanks,
Gayan
-- 
Gayan Gunawardana
Senior Software Engineer; WSO2 Inc.; http://wso2.com/
Email: ga...@wso2.com
Mobile: +94 (71) 8020933
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


Re: [Dev] What is the correct behavior when user store selected from Inbound Provisioning Configuration

2017-09-18 Thread Gayan Gunawardana
On Tue, Sep 19, 2017 at 12:13 AM, Darshana Gunawardana <darsh...@wso2.com>
wrote:

> Since we are returning the correct username in the response, it should be ok.
> This is a configuration issue if the client is expecting it the other way.
>
I think it is better if there is a way to inform the client application about
the configuration issue. There is a possibility that SCIM consumers may not
look into the admin console configurations at all. Also there is a high
possibility that the client application depends only on the HTTP response code.

>
> Thanks,
>
> On Tue, Sep 19, 2017 at 12:10 AM, Gayan Gunawardana <ga...@wso2.com>
> wrote:
>
>>
>>
>> On Mon, Sep 18, 2017 at 11:42 PM, Darshana Gunawardana <darsh...@wso2.com
>> > wrote:
>>
>>> Ok, now you asked the real question :)
>>>
>>> Yes I agree with the expected results you mentioned for all three cases.
>>> I have checked this behaviour on a latest pack[1][2] and it only provisions
>>> the user to the specified userstore in the SP configuration in case 3, which is
>>> a reasonable behaviour. (I'm using a locally built 5.4.0-SNAPSHOT version,
>>> which is slightly newer than 5.4.0-alpha2)
>>>
>>> What is the pack that you have tried?
>>>
>> I have used 5.4.0-alpha2 and your observation is correct; I didn't get the
>> expected result due to some wrong configurations.
>> We have to think about case 03 carefully because the client application may
>> understand that provisioning is successful, but it may not be to the intended
>> user store.
>>
>>>
>>> [1]
>>> Sample Request:
>>> POST /wso2/scim/Users HTTP/1.1
>>> Host: localhost:9443
>>> Content-Type: application/json
>>> Authorization: Basic YWRtaW46YWRtaW4=
>>> Cache-Control: no-cache
>>> Postman-Token: a07e5cab-f4e9-52dd-d245-1b65552c5539
>>>
>>> {
>>>   "schemas": [
>>>
>>>   ],
>>>   "userName": "LDAP/darra...@wso2.com",
>>>   "password": "darray"
>>> }
>>>
>>> [2]
>>> Sample Response:
>>> {
>>> "meta": {
>>> "created": "2017-09-18T23:28:23",
>>> "location": "https://localhost:9443/wso2/s
>>> cim/Users/3d5b1153-79ef-4ea9-9b47-31c92a2bd3dd",
>>> "lastModified": "2017-09-18T23:28:23"
>>> },
>>> "schemas": [
>>> "urn:scim:schemas:core:1.0"
>>> ],
>>> "id": "3d5b1153-79ef-4ea9-9b47-31c92a2bd3dd",
>>> "userName": "H2/darra...@wso2.com"
>>> }
>>>
>>> Thanks,
>>>
>>>
>>> On Mon, Sep 18, 2017 at 11:00 PM, Gayan Gunawardana <ga...@wso2.com>
>>> wrote:
>>>
>>>>
>>>>
>>>> On Mon, Sep 18, 2017 at 10:27 PM, Darshana Gunawardana <
>>>> darsh...@wso2.com> wrote:
>>>>
>>>>>
>>>>>
>>>>> On Mon, Sep 18, 2017 at 7:58 PM, Gayan Gunawardana <ga...@wso2.com>
>>>>> wrote:
>>>>>
>>>>>>
>>>>>> ​
>>>>>> When user store selected from Inbound Provisioning Configuration
>>>>>> should we allow to provision other user stores as well ?
>>>>>>
>>>>>
>>>>> No.
>>>>>
>>>>>
>>>>>> For an example if we selected "TEST" as user store from Inbound
>>>>>> Provisioning Configuration, can we provision to PRIMARY user store as 
>>>>>> well ?
>>>>>>
>>>>>
>>>>> No.
>>>>>
>>>> Thanks Darshana, but currently it works the other way.
>>>>
>>>>>
>>>>> Given that you are already an expert on the provisioning area, I
>>>>> suppose you already knew the answers for above questions but you have a
>>>>> followup question in mind. May I know what that is? :)
>>>>>
>>>> I do not have specific follow up question :) just wanted to avoid
>>>> confusion of sending user store domain in request and selecting user store
>>>> domain from service provider.
>>>> case 01: Do not select user store domain from service provider and
>>>> sending user store domain in the request.
>>>> expectation: User store domain can be extracted from request and

Re: [Dev] What is the correct behavior when user store selected from Inbound Provisioning Configuration

2017-09-18 Thread Gayan Gunawardana
On Mon, Sep 18, 2017 at 11:42 PM, Darshana Gunawardana <darsh...@wso2.com>
wrote:

> Ok, now you asked the real question :)
>
> Yes I agree with the expected results you mentioned for all three cases. I
> have checked this behaviour on a latest pack[1][2] and it only provisions the
> user to the specified userstore in the SP configuration in case 3, which is
> a reasonable behaviour. (I'm using a locally built 5.4.0-SNAPSHOT version,
> which is slightly newer than 5.4.0-alpha2)
>
> What is the pack that you have tried?
>
I have used 5.4.0-alpha2 and your observation is correct; I didn't get the
expected result due to some wrong configurations.
We have to think about case 03 carefully because the client application may
understand that provisioning is successful, but it may not be to the intended
user store.

>
> [1]
> Sample Request:
> POST /wso2/scim/Users HTTP/1.1
> Host: localhost:9443
> Content-Type: application/json
> Authorization: Basic YWRtaW46YWRtaW4=
> Cache-Control: no-cache
> Postman-Token: a07e5cab-f4e9-52dd-d245-1b65552c5539
>
> {
>   "schemas": [
>
>   ],
>   "userName": "LDAP/darra...@wso2.com",
>   "password": "darray"
> }
>
> [2]
> Sample Response:
> {
> "meta": {
> "created": "2017-09-18T23:28:23",
> "location": "https://localhost:9443/wso2/
> scim/Users/3d5b1153-79ef-4ea9-9b47-31c92a2bd3dd",
> "lastModified": "2017-09-18T23:28:23"
>     },
> "schemas": [
> "urn:scim:schemas:core:1.0"
> ],
> "id": "3d5b1153-79ef-4ea9-9b47-31c92a2bd3dd",
> "userName": "H2/darra...@wso2.com"
> }
>
> Thanks,
>
>
> On Mon, Sep 18, 2017 at 11:00 PM, Gayan Gunawardana <ga...@wso2.com>
> wrote:
>
>>
>>
>> On Mon, Sep 18, 2017 at 10:27 PM, Darshana Gunawardana <darsh...@wso2.com
>> > wrote:
>>
>>>
>>>
>>> On Mon, Sep 18, 2017 at 7:58 PM, Gayan Gunawardana <ga...@wso2.com>
>>> wrote:
>>>
>>>>
>>>> ​
>>>> When user store selected from Inbound Provisioning Configuration should
>>>> we allow to provision other user stores as well ?
>>>>
>>>
>>> No.
>>>
>>>
>>>> For an example if we selected "TEST" as user store from Inbound
>>>> Provisioning Configuration, can we provision to PRIMARY user store as well 
>>>> ?
>>>>
>>>
>>> No.
>>>
>> Thanks Darshana, but currently it works the other way.
>>
>>>
>>> Given that you are already an expert on the provisioning area, I suppose
>>> you already knew the answers for above questions but you have a followup
>>> question in mind. May I know what that is? :)
>>>
>> I do not have a specific follow-up question :) I just wanted to avoid
>> confusion between sending the user store domain in the request and selecting
>> the user store domain from the service provider.
>> case 01: Do not select a user store domain from the service provider and
>> send the user store domain in the request.
>> expectation: The user store domain can be extracted from the request and the
>> user provisioned to the respective user store.
>>
>> case 02: Select a user store domain from the service provider and send the
>> request without a user store domain.
>> expectation: The user store domain can be taken from the service provider
>> configurations.
>>
>> case 03: Select a user store domain from the service provider and send a
>> different user store domain in the request.
>> expectation: In this case we can either throw an exception or we can
>> provision users to the user store configured in the service provider.
>>
>> I guess you agree with case 01 and case 02, but what about case 03?
>>
>>>
>>> Thanks,
>>>
>>>
>>>>
>>>> Thanks,
>>>> Gayan
>>>> --
>>>> Gayan Gunawardana
>>>> Senior Software Engineer; WSO2 Inc.; http://wso2.com/
>>>> Email: ga...@wso2.com
>>>> Mobile: +94 (71) 8020933
>>>>
>>>
>>>
>>>
>>> --
>>> Regards,
>>>
>>>
>>> *Darshana Gunawardana*Technical Lead
>>> WSO2 Inc.; http://wso2.com
>>>
>>> *E-mail: darsh...@wso2.com <darsh...@wso2.com>*
>>> *Mobile: +94718566859 <+94%2071%20856%206859>*Lean . Enterprise .
>>> Middleware
>>>
>>
>>
>>
>> --
>> Gayan Gunawardana
>> Senior Software Engineer; WSO2 Inc.; http://wso2.com/
>> Email: ga...@wso2.com
>> Mobile: +94 (71) 8020933
>>
>
>
>
> --
> Regards,
>
>
> *Darshana Gunawardana*Technical Lead
> WSO2 Inc.; http://wso2.com
>
> *E-mail: darsh...@wso2.com <darsh...@wso2.com>*
> *Mobile: +94718566859 <+94%2071%20856%206859>*Lean . Enterprise .
> Middleware
>



-- 
Gayan Gunawardana
Senior Software Engineer; WSO2 Inc.; http://wso2.com/
Email: ga...@wso2.com
Mobile: +94 (71) 8020933


Re: [Dev] What is the correct behavior when user store selected from Inbound Provisioning Configuration

2017-09-18 Thread Gayan Gunawardana
On Mon, Sep 18, 2017 at 10:27 PM, Darshana Gunawardana <darsh...@wso2.com>
wrote:

>
>
> On Mon, Sep 18, 2017 at 7:58 PM, Gayan Gunawardana <ga...@wso2.com> wrote:
>
>>
>> ​
>> When user store selected from Inbound Provisioning Configuration should
>> we allow to provision other user stores as well ?
>>
>
> No.
>
>
>> For an example if we selected "TEST" as user store from Inbound
>> Provisioning Configuration, can we provision to PRIMARY user store as well ?
>>
>
> No.
>
Thanks Darshana, but currently it works the other way.

>
> Given that you are already an expert on the provisioning area, I suppose
> you already knew the answers for above questions but you have a followup
> question in mind. May I know what that is? :)
>
I do not have a specific follow-up question :) I just wanted to avoid
confusion between sending the user store domain in the request and selecting
the user store domain from the service provider.
case 01: Do not select a user store domain from the service provider and send
the user store domain in the request.
expectation: The user store domain can be extracted from the request and the
user provisioned to the respective user store.

case 02: Select a user store domain from the service provider and send the
request without a user store domain.
expectation: The user store domain can be taken from the service provider
configurations.

case 03: Select a user store domain from the service provider and send a
different user store domain in the request.
expectation: In this case we can either throw an exception or we can
provision users to the user store configured in the service provider.

I guess you agree with case 01 and case 02, but what about case 03?

>
> Thanks,
>
>
>>
>> Thanks,
>> Gayan
>> --
>> Gayan Gunawardana
>> Senior Software Engineer; WSO2 Inc.; http://wso2.com/
>> Email: ga...@wso2.com
>> Mobile: +94 (71) 8020933
>>
>
>
>
> --
> Regards,
>
>
> *Darshana Gunawardana*Technical Lead
> WSO2 Inc.; http://wso2.com
>
> *E-mail: darsh...@wso2.com <darsh...@wso2.com>*
> *Mobile: +94718566859 <+94%2071%20856%206859>*Lean . Enterprise .
> Middleware
>



-- 
Gayan Gunawardana
Senior Software Engineer; WSO2 Inc.; http://wso2.com/
Email: ga...@wso2.com
Mobile: +94 (71) 8020933
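The three cases discussed in this thread, worked through as an added Python illustration. This is not WSO2 Identity Server code; it assumes the user store domain is prefixed to userName as "DOMAIN/user" (as in the sample request quoted above), that "PRIMARY" is the fallback when neither the request nor the service provider names a domain, and that a `strict` flag selects the case-03 policy. Case 03 is handled the way the message proposes: either an explicit conflict error, or provisioning to the service-provider domain while echoing the domain actually used, so a client that only checks the HTTP status code is not misled.

```python
"""Resolve which user store a SCIM inbound-provisioning request lands in.

Added illustration, not WSO2 Identity Server code. Assumptions: the user
store domain is prefixed to userName as "DOMAIN/user", "PRIMARY" is the
fallback when neither the request nor the service provider names a domain,
and `strict` chooses between raising and overriding for case 03.
"""
from dataclasses import dataclass
from typing import Optional

DOMAIN_SEPARATOR = "/"
DEFAULT_DOMAIN = "PRIMARY"  # assumption: fallback user store


class ProvisioningConflict(Exception):
    """Case 03 under the strict policy: request and SP disagree on the domain."""


@dataclass(frozen=True)
class Resolution:
    domain: str                      # user store the user is actually created in
    username: str                    # userName without any domain prefix
    source: str                      # where the domain came from: request, sp, default
    warning: Optional[str] = None    # set when a requested domain was overridden


def split_domain(user_name: str):
    """Split "LDAP/alice" into ("LDAP", "alice"); ("", "alice") when no prefix."""
    if DOMAIN_SEPARATOR in user_name:
        domain, _, local = user_name.partition(DOMAIN_SEPARATOR)
        return domain.strip().upper(), local
    return "", user_name


def resolve_user_store(user_name: str, sp_domain: Optional[str],
                       strict: bool = True) -> Resolution:
    """Apply the three cases from the thread.

    case 01: SP has no domain, request carries one -> request domain
    case 02: SP has a domain, request carries none -> SP domain
    case 03: both set and different                -> conflict (strict) or
                                                      SP domain plus a warning
    neither set                                    -> DEFAULT_DOMAIN (assumption)
    """
    req_domain, local = split_domain(user_name)
    sp_domain = (sp_domain or "").strip().upper()

    if req_domain and not sp_domain:
        return Resolution(req_domain, local, "request")
    if sp_domain and not req_domain:
        return Resolution(sp_domain, local, "sp")
    if sp_domain and req_domain:
        if sp_domain == req_domain:
            return Resolution(sp_domain, local, "request")
        if strict:
            raise ProvisioningConflict(
                f"request asked for user store {req_domain!r} but the service "
                f"provider is restricted to {sp_domain!r}")
        return Resolution(
            sp_domain, local, "sp",
            warning=f"requested user store {req_domain!r} ignored; "
                    f"provisioned to {sp_domain!r}")
    return Resolution(DEFAULT_DOMAIN, local, "default")


def scim_response_user_name(res: Resolution) -> str:
    """userName as it should be echoed back: domain-qualified, like the sample
    response above ("H2/..."), so a client can see which store was used."""
    return f"{res.domain}{DOMAIN_SEPARATOR}{res.username}"


if __name__ == "__main__":
    for req, sp in (("LDAP/alice", None), ("alice", "TEST"), ("PRIMARY/alice", "TEST")):
        try:
            r = resolve_user_store(req, sp, strict=False)
            print(req, sp, "->", scim_response_user_name(r), r.warning or "")
        except ProvisioningConflict as exc:
            print(req, sp, "->", exc)
```

The strict branch is the "throw an exception" option from case 03; the lenient branch is the "provision to the SP user store" option, but it keeps the override visible in the returned `warning` and in the domain-qualified userName rather than relying on the client to notice the mismatch on its own.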


[Dev] What is the correct behavior when user store selected from Inbound Provisioning Configuration

2017-09-18 Thread Gayan Gunawardana
When a user store is selected from the Inbound Provisioning Configuration, should
we allow provisioning to other user stores as well?
For example, if we selected "TEST" as the user store from the Inbound
Provisioning Configuration, can we provision to the PRIMARY user store as well?

Thanks,
Gayan
-- 
Gayan Gunawardana
Senior Software Engineer; WSO2 Inc.; http://wso2.com/
Email: ga...@wso2.com
Mobile: +94 (71) 8020933


Re: [Dev] SCIM 2.0 as default in IS 5.4.0

2017-09-17 Thread Gayan Gunawardana
On Mon, Sep 18, 2017 at 10:19 AM, Prabath Siriwardena <prab...@wso2.com>
wrote:

>
>
> On Sun, Sep 17, 2017 at 9:42 PM, Gayan Gunawardana <ga...@wso2.com> wrote:
>
>>
>>
>> On Mon, Sep 18, 2017 at 8:29 AM, Darshana Gunawardana <darsh...@wso2.com>
>> wrote:
>>
>>> Hi Prabath,
>>>
>>> We do have two endpoints for SCIM 1.1 & SCIM 2. But there are some
>>> listeners we need to enable in order to populated relevant metadata such as
>>> ID, Created\Modified dates against the correct URI specified by the each
>>> specification.
>>>
>>> Given that, different clients may use different protocol of they already
>>> support, we should have ability to have both protocols working
>>> simultaneously.
>>>
>> According to this, even a single client can use SCIM 1.1 and 2.0
>> simultaneously, right?
>> Yes, so ideally it should work, but in practice it will bring some
>> complexities. We have to test use cases like creating a user with SCIM 1.1
>> and updating it with SCIM 2.0.
>> IMO we should support only one protocol at a time, not both.
>>
>
> Can we please identify those complexities...?
>
> We cannot terminate support for SCIM 1.1 - both have to co-exist for few
> releases till we deprecate SCIM 1.1. If both cannot co-exist then we need
> to review our design...
>
What I am suggesting is not to terminate support for SCIM 1.1, but to enable
only one at a time.
Enable SCIM 1.1 as the default option. If client applications work with SCIM
1.1 they can continue. If client applications want to work with SCIM 2.0, we
should be able to enable SCIM 2.0 by disabling SCIM 1.1 from the
configurations.

>
> Thanks & regards,
> -Prabath
>
>
>
>>
>>> Created: https://wso2.org/jira/browse/IDENTITY-6458 to track this.
>>>
>>> Thanks,
>>>
>>> On Mon, Sep 18, 2017 at 8:11 AM, Darshana Gunawardana <darsh...@wso2.com
>>> > wrote:
>>>
>>>> Hi Gayan,
>>>>
>>>> Due to the limitation we have in the user core level, we don't support
>>>> complex filtering, pagination, sorting. Refer [1] & [2].
>>>>
>>>> [1] https://github.com/wso2-extensions/identity-inbound-prov
>>>> isioning-scim2/blob/v1.0.5/components/org.wso2.carbon.identi
>>>> ty.scim2.common/src/main/java/org/wso2/carbon/identity/scim2
>>>> /common/impl/SCIMUserManager.java#L834
>>>> [2] https://github.com/wso2-extensions/identity-inbound-prov
>>>> isioning-scim2/blob/v1.0.5/components/org.wso2.carbon.identi
>>>> ty.scim2.common/src/main/java/org/wso2/carbon/identity/scim2
>>>> /common/impl/SCIMUserManager.java#L793
>>>>
>>>> Thanks,
>>>>
>>>> On Mon, Sep 18, 2017 at 7:50 AM, Gayan Gunawardana <ga...@wso2.com>
>>>> wrote:
>>>>
>>>>>
>>>>>
>>>>> On Mon, Sep 11, 2017 at 9:14 PM, Vindula Jayawardana <
>>>>> vindula...@cse.mrt.ac.lk> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> +1 for this as the global adoption of SCIM 2.0 is right on the track
>>>>>> as Ishara has mentioned.
>>>>>>
>>>>> @Vindula
>>>>> Do we support pagination, complex filters and bulk operation to
>>>>> resolve cyclic dependencies. As I know you have implemented these features
>>>>> but there are some limitations because of C4 user core component. I am not
>>>>> sure about the meaning of word "default" but if we are promoting SCIM 2.0,
>>>>> have to inform what is the real value getting out of it.
>>>>>
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>> *Vindula Jayawardana*
>>>>>> Computer Science and Engineering Dept.
>>>>>> University of Moratuwa
>>>>>> mobile : +713462554
>>>>>> Email : vindula...@cse.mrt.ac.lk
>>>>>>
>>>>>> <https://www.facebook.com/vindula.jayawardana>
>>>>>> <http://lk.linkedin.com/pub/vindula-jayawardana/a7/315/53b>
>>>>>> <https://plus.google.com/u/0/+VindulaJayawardana/posts>
>>>>>> <https://twitter.com/vindulajay>
>>>>>>
>>>>>> *“Respect is how to treat everyone, not just those you want to
>>>>>> impress. "*
>>>>>>
>>>>>>
>>>>>> *-Richard 

Re: [Dev] SCIM 2.0 as default in IS 5.4.0

2017-09-17 Thread Gayan Gunawardana
On Mon, Sep 18, 2017 at 8:29 AM, Darshana Gunawardana <darsh...@wso2.com>
wrote:

> Hi Prabath,
>
> We do have two endpoints for SCIM 1.1 & SCIM 2. But there are some
> listeners we need to enable in order to populated relevant metadata such as
> ID, Created\Modified dates against the correct URI specified by the each
> specification.
>
> Given that, different clients may use different protocol of they already
> support, we should have ability to have both protocols working
> simultaneously.
>
According to this, even a single client can use SCIM 1.1 and 2.0
simultaneously, right?
Yes, so ideally it should work, but in practice it will bring some
complexities. We have to test use cases like creating a user with SCIM 1.1
and updating it with SCIM 2.0.
IMO we should support only one protocol at a time, not both.

>
> Created: https://wso2.org/jira/browse/IDENTITY-6458 to track this.
>
> Thanks,
>
> On Mon, Sep 18, 2017 at 8:11 AM, Darshana Gunawardana <darsh...@wso2.com>
> wrote:
>
>> Hi Gayan,
>>
>> Due to the limitation we have in the user core level, we don't support
>> complex filtering, pagination, sorting. Refer [1] & [2].
>>
>> [1] https://github.com/wso2-extensions/identity-inbound-prov
>> isioning-scim2/blob/v1.0.5/components/org.wso2.carbon.ide
>> ntity.scim2.common/src/main/java/org/wso2/carbon/identity/
>> scim2/common/impl/SCIMUserManager.java#L834
>> [2] https://github.com/wso2-extensions/identity-inbound-prov
>> isioning-scim2/blob/v1.0.5/components/org.wso2.carbon.ide
>> ntity.scim2.common/src/main/java/org/wso2/carbon/identity/
>> scim2/common/impl/SCIMUserManager.java#L793
>>
>> Thanks,
>>
>> On Mon, Sep 18, 2017 at 7:50 AM, Gayan Gunawardana <ga...@wso2.com>
>> wrote:
>>
>>>
>>>
>>> On Mon, Sep 11, 2017 at 9:14 PM, Vindula Jayawardana <
>>> vindula...@cse.mrt.ac.lk> wrote:
>>>
>>>> Hi,
>>>>
>>>> +1 for this as the global adoption of SCIM 2.0 is right on the track as
>>>> Ishara has mentioned.
>>>>
>>> @Vindula
>>> Do we support pagination, complex filters and bulk operation to resolve
>>> cyclic dependencies. As I know you have implemented these features but
>>> there are some limitations because of C4 user core component. I am not sure
>>> about the meaning of word "default" but if we are promoting SCIM 2.0,  have
>>> to inform what is the real value getting out of it.
>>>
>>>>
>>>> Thanks
>>>>
>>>> *Vindula Jayawardana*
>>>> Computer Science and Engineering Dept.
>>>> University of Moratuwa
>>>> mobile : +713462554
>>>> Email : vindula...@cse.mrt.ac.lk
>>>>
>>>> <https://www.facebook.com/vindula.jayawardana>
>>>> <http://lk.linkedin.com/pub/vindula-jayawardana/a7/315/53b>
>>>> <https://plus.google.com/u/0/+VindulaJayawardana/posts>
>>>> <https://twitter.com/vindulajay>
>>>>
>>>> *“Respect is how to treat everyone, not just those you want to impress.
>>>> "*
>>>>
>>>>
>>>> *-Richard Branson-*
>>>>
>>>>
>>>>
>>>> On 11 September 2017 at 19:10, Darshana Gunawardana <darsh...@wso2.com>
>>>> wrote:
>>>>
>>>>> One aspect is that we don't have a SCIM 2.0 outbound provisioning
>>>>> connector available. So IS to IS provisioning will not be smooth until we
>>>>> get the outbound provisioning connector ready.
>>>>>
>>>>> On Mon, Sep 11, 2017 at 5:34 PM, Pulasthi Mahawithana <
>>>>> pulast...@wso2.com> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> Shall we make $subject instead of SCIM 1.1? Any known issues on
>>>>>> having it as default? Users who are migrating from older versions will
>>>>>> still have SCIM 1.1 configs and won't be affected as they would keep the
>>>>>> old configs.
>>>>>>
>>>>>>
>>>>>> --
>>>>>> *Pulasthi Mahawithana*
>>>>>> Senior Software Engineer
>>>>>> WSO2 Inc., http://wso2.com/
>>>>>> Mobile: +94-71-5179022 <+94%2071%20517%209022>
>>>>>> Blog: https://medium.com/@pulasthi7/
>>>>>>
>>>>>> <https://wso2.com/signature>
>>>>>>
>>>>>

Re: [Dev] SCIM 2.0 as default in IS 5.4.0

2017-09-17 Thread Gayan Gunawardana
On Mon, Sep 11, 2017 at 9:14 PM, Vindula Jayawardana <
vindula...@cse.mrt.ac.lk> wrote:

> Hi,
>
> +1 for this as the global adoption of SCIM 2.0 is right on the track as
> Ishara has mentioned.
>
@Vindula
Do we support pagination, complex filters and bulk operations to resolve
cyclic dependencies? As far as I know you have implemented these features, but
there are some limitations because of the C4 user core component. I am not sure
about the meaning of the word "default", but if we are promoting SCIM 2.0, we
have to inform what the real value getting out of it is.

>
> Thanks
>
> *Vindula Jayawardana*
> Computer Science and Engineering Dept.
> University of Moratuwa
> mobile : +713462554
> Email : vindula...@cse.mrt.ac.lk
>
> <https://www.facebook.com/vindula.jayawardana>
> <http://lk.linkedin.com/pub/vindula-jayawardana/a7/315/53b>
> <https://plus.google.com/u/0/+VindulaJayawardana/posts>
> <https://twitter.com/vindulajay>
>
> *“Respect is how to treat everyone, not just those you want to impress. "*
>
>
> *-Richard Branson-*
>
>
>
> On 11 September 2017 at 19:10, Darshana Gunawardana <darsh...@wso2.com>
> wrote:
>
>> One aspect is that we don't have a SCIM 2.0 outbound provisioning
>> connector available. So IS to IS provisioning will not be smooth until we
>> get the outbound provisioning connector ready.
>>
>> On Mon, Sep 11, 2017 at 5:34 PM, Pulasthi Mahawithana <pulast...@wso2.com
>> > wrote:
>>
>>> Hi,
>>>
>>> Shall we make $subject instead of SCIM 1.1? Any known issues on having
>>> it as default? Users who are migrating from older versions will still have
>>> SCIM 1.1 configs and won't be affected as they would keep the old configs.
>>>
>>>
>>> --
>>> *Pulasthi Mahawithana*
>>> Senior Software Engineer
>>> WSO2 Inc., http://wso2.com/
>>> Mobile: +94-71-5179022 <+94%2071%20517%209022>
>>> Blog: https://medium.com/@pulasthi7/
>>>
>>> <https://wso2.com/signature>
>>>
>>
>>
>>
>> --
>> Regards,
>>
>>
>> *Darshana Gunawardana*Technical Lead
>> WSO2 Inc.; http://wso2.com
>>
>> *E-mail: darsh...@wso2.com <darsh...@wso2.com>*
>> *Mobile: +94718566859 <+94%2071%20856%206859>*Lean . Enterprise .
>> Middleware
>>
>> ___
>> Dev mailing list
>> Dev@wso2.org
>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>
>>
>
> ___
> Dev mailing list
> Dev@wso2.org
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>
>


-- 
Gayan Gunawardana
Senior Software Engineer; WSO2 Inc.; http://wso2.com/
Email: ga...@wso2.com
Mobile: +94 (71) 8020933


Re: [Dev] Dynamic client registration request fails due to no user information in the request header.

2017-09-16 Thread Gayan Gunawardana
On Fri, Sep 15, 2017 at 2:47 PM, Hasini Witharana <hasi...@wso2.com> wrote:

> Hi,
>
> In OIDC dynamic client registration, in the request header we need to send
> an already existing user and the password to register a client in WSO2
> Identity server.In OIDC specification[1], It is not mandatory to send user
> details to register a client.
>
> When running the OIDC test suite for dynamic profile, test suite does not
> send any user details in the header. So we can't create any client and the
> test fails.
>
> For that issue if any user details are not provided in the registration
> request we can assign an anonymous user(*wso2*.*anonymous*.*user*) and
> register the client.
>
IMO the correct design should be to completely remove the requirement of having a
user. If we use "wso2.anonymous.user", some applications may have a real
username and some applications may have "wso2.anonymous.user", which
ends up in inconsistency.
Also we need to think about creating a role per service provider if any user
doesn't have that role.

>
> [1] - https://openid.net/specs/openid-connect-registration-1_0.html
>
> --
>
> *Hasini Witharana*
> Software Engineering Intern | WSO2
>
>
> *Email : hasi...@wso2.com <hasi...@wso2.com>*
>
> *Mobile : +94713850143 <+94%2071%20385%200143>[image:
> http://wso2.com/signature] <http://wso2.com/signature>*
>
> --
> You received this message because you are subscribed to the Google Groups
> "WSO2 Engineering Group" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to engineering-group+unsubscr...@wso2.com.
> For more options, visit https://groups.google.com/a/wso2.com/d/optout.
>



-- 
Gayan Gunawardana
Senior Software Engineer; WSO2 Inc.; http://wso2.com/
Email: ga...@wso2.com
Mobile: +94 (71) 8020933


Re: [Dev] [IS] Usage of "kid" JWT header parameter

2017-09-01 Thread Gayan Gunawardana
On Fri, Sep 1, 2017 at 10:18 AM, Hasanthi Purnima Dissanayake <
hasan...@wso2.com> wrote:

> Hi Gayan,
>
> It seems we can use [1] which contains the exact logic to generate 'kid'
> value. WDYT?
>
According to the JWS specification [1]:

The structure of the "kid" value is unspecified. Its value MUST be a
case-sensitive string.

However, the client should be able to obtain the necessary keys by invoking jwks_uri
with the "kid" value. In some implementations "x5t" is used as "kid".

You can find similar logic in [2] as well.


[1] https://tools.ietf.org/html/rfc7515#section-4.1.4
[2]
https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/feature-OIDC-enh-5.3.x/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/openidconnect/DefaultIDTokenBuilder.java#L414

>
> [1] https://github.com/wso2-extensions/identity-inbound-
> auth-oauth/blob/master/components/org.wso2.carbon.
> identity.oauth/src/main/java/org/wso2/carbon/identity/
> oauth2/util/OAuth2Util.java#L1568
>
> Thanks,
>
>
>
> Hasanthi Dissanayake
>
> Software Engineer | WSO2
>
> E: hasan...@wso2.com
> M :0718407133| http://wso2.com <http://wso2.com/>
>
> On Fri, Sep 1, 2017 at 10:10 AM, Gayan Gunawardana <ga...@wso2.com> wrote:
>
>> In order to retrieve tenant public key to calculate kid value we can use
>> same logic as in [1].
>>
>> // Decide whose keystore signs the JWT: the service provider's tenant (when
>> // JWTSignedWithSPKey is enabled) or the authenticated user's tenant.
>> boolean isJWTSignedWithSPKey = OAuthServerConfiguration.getInstance().isJWTSignedWithSPKey();
>> String tenantDomain;
>> if (isJWTSignedWithSPKey) {
>>     // The SP tenant domain is carried as a request property
>>     tenantDomain = (String) request.getProperty(MultitenantConstants.TENANT_DOMAIN);
>> } else {
>>     // Otherwise use the tenant of the authenticated user
>>     tenantDomain = request.getAuthorizationReqDTO().getUser().getTenantDomain();
>> }
>>
>>
>> [1] https://github.com/wso2-extensions/identity-inbound-auth-
>> oauth/blob/master/components/org.wso2.carbon.identity.
>> oauth/src/main/java/org/wso2/carbon/identity/openidconnect/
>> DefaultIDTokenBuilder.java#L434
>>
>> On Thu, Aug 31, 2017 at 11:24 PM, Darshana Gunawardana <darsh...@wso2.com
>> > wrote:
>>
>>> Will prioritize this for IS 5.4.0.
>>>
>>> Thanks,
>>>
>>> On Tue, Aug 29, 2017 at 11:47 PM, Prabath Siriwardena <prab...@wso2.com>
>>> wrote:
>>>
>>>> Hope we will fix this for IS 5.4.0..?
>>>>
>>>> Thanks & regards,
>>>> -Prabath
>>>>
>>>> On Tue, Aug 29, 2017 at 2:34 AM, Indunil Upeksha Rathnayake <
>>>> indu...@wso2.com> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> On Mon, Aug 28, 2017 at 12:07 PM, Gayan Gunawardana <ga...@wso2.com>
>>>>> wrote:
>>>>>
>>>>>>
>>>>>>
>>>>>> On Mon, Aug 28, 2017 at 11:48 AM, Indunil Upeksha Rathnayake <
>>>>>> indu...@wso2.com> wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> In IS, when signing the ID token, we are passing the "kid" header
>>>>>>> parameter in the response.
>>>>>>> https://github.com/wso2-extensions/identity-inbound-auth-oau
>>>>>>> th/blob/master/components/org.wso2.carbon.identity.oauth/src
>>>>>>> /main/java/org/wso2/carbon/identity/openidconnect/DefaultIDT
>>>>>>> okenBuilder.java#L122
>>>>>>>
>>>>>>> As per the specification (Refer [1]) :
>>>>>>>
>>>>>>>> The kid value is a key identifier used in identifying the key to
>>>>>>>> be used to verify the signature. If the kid value is unknown to the RP,
>>>>>>>> it needs to retrieve the contents of the OP's JWK Set again to obtain the
>>>>>>>> OP's current set of keys.
>>>>>>>>
>>>>>>>
>>>>>>> We have hard coded this "kid" value in the implementation level.
>>>>>>> What happens if the signing key is a different one than the default one?
>>>>>>>
>>>>>>> Seems like this "kid" is like a hint to identify which specific key
>>>>>>> to be used to validate the signature, when there are multiple keys. Is 
>>>>>>> it a
>>>>>>> valid use case in IS, since there cannot be multiple certs available in

Re: [Dev] [IS] Usage of "kid" JWT header parameter

2017-08-31 Thread Gayan Gunawardana
In order to retrieve the tenant public key to calculate the kid value, we can use
the same logic as in [1].

// Decide whose keystore signs the JWT: the service provider's tenant (when
// JWTSignedWithSPKey is enabled) or the authenticated user's tenant.
boolean isJWTSignedWithSPKey = OAuthServerConfiguration.getInstance().isJWTSignedWithSPKey();
String tenantDomain;
if (isJWTSignedWithSPKey) {
    // The SP tenant domain is carried as a request property
    tenantDomain = (String) request.getProperty(MultitenantConstants.TENANT_DOMAIN);
} else {
    // Otherwise use the tenant of the authenticated user
    tenantDomain = request.getAuthorizationReqDTO().getUser().getTenantDomain();
}


[1]
https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/openidconnect/DefaultIDTokenBuilder.java#L434

On Thu, Aug 31, 2017 at 11:24 PM, Darshana Gunawardana <darsh...@wso2.com>
wrote:

> Will prioritize this for IS 5.4.0.
>
> Thanks,
>
> On Tue, Aug 29, 2017 at 11:47 PM, Prabath Siriwardena <prab...@wso2.com>
> wrote:
>
>> Hope we will fix this for IS 5.4.0..?
>>
>> Thanks & regards,
>> -Prabath
>>
>> On Tue, Aug 29, 2017 at 2:34 AM, Indunil Upeksha Rathnayake <
>> indu...@wso2.com> wrote:
>>
>>> Hi,
>>>
>>> On Mon, Aug 28, 2017 at 12:07 PM, Gayan Gunawardana <ga...@wso2.com>
>>> wrote:
>>>
>>>>
>>>>
>>>> On Mon, Aug 28, 2017 at 11:48 AM, Indunil Upeksha Rathnayake <
>>>> indu...@wso2.com> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> In IS, when signing the ID token, we are passing the "kid" header
>>>>> parameter in the response.
>>>>> https://github.com/wso2-extensions/identity-inbound-auth-oau
>>>>> th/blob/master/components/org.wso2.carbon.identity.oauth/src
>>>>> /main/java/org/wso2/carbon/identity/openidconnect/DefaultIDT
>>>>> okenBuilder.java#L122
>>>>>
>>>>> As per the specification (Refer [1]) :
>>>>>
>>>>>> The kid value is a key identifier used in identifying the key to be
>>>>>> used to verify the signature. If the kid value is unknown to the RP, it
>>>>>> needs to retrieve the contents of the OP's JWK Set again to obtain the
>>>>>> OP's current set of keys.
>>>>>>
>>>>>
>>>>> We have hard coded this "kid" value in the implementation level. What
>>>>> happens if the signing key is a different one than the default one?
>>>>>
>>>>> Seems like this "kid" is like a hint to identify which specific key to
>>>>> be used to validate the signature, when there are multiple keys. Is it a
>>>>> valid use case in IS, since there cannot be multiple certs available in
>>>>> resident IDP? And also is it correct to use a hard coded value from
>>>>> back-end?
>>>>>
>>>> Having a hard-coded value is not correct. The "kid" value should be generated
>>>> based on the certificate "thumbprint". A hard-coded value would work for the
>>>> super tenant default keystore.
>>>>
>>>
>>> Thanks. I have created a public JIRA in [1] to handle this.
>>>
>>> [1] https://wso2.org/jira/browse/IDENTITY-6311
>>>
>>>
>>>>
>>>>>
>>>>>
>>>>>
>>>>> This is hard coded in JwksEndpoint as well.
>>>>> https://github.com/wso2-extensions/identity-inbound-auth-oau
>>>>> th/blob/master/components/org.wso2.carbon.identity.oauth.end
>>>>> point/src/main/java/org/wso2/carbon/identity/oauth/endpoint/
>>>>> jwks/JwksEndpoint.java#L54
>>>>>
>>>>> But in JWTTokenGenerator, we are not setting the "kid" parameter.
>>>>> https://github.com/wso2-extensions/identity-inbound-auth-oau
>>>>> th/blob/master/components/org.wso2.carbon.identity.oauth/src
>>>>> /main/java/org/wso2/carbon/identity/oauth2/authcontext/JWTTo
>>>>> kenGenerator.java#L293
>>>>>
>>>>> In which scenarios, this "kid" header parameter should be sent and
>>>>> should not be sent? Recently we have implemented to sign the user info JWT
>>>>> response and need to verify whether "kid" parameter should be sent there 
>>>>> as
>>>>> well.
>>>>>
>>>>>
>>>>>
>>>>> Appreciate your ideas on above concerns.
>>>>>
>>>>> [1] http://openid.net/specs/openid-connect-core-1_0.html
>>>>>
>>>>>
>>>>> Thanks and Regards
>>>>> --
>>>>> Indunil Upeksha Rathnayake
>>>>> Software Engineer | WSO2 Inc
>>>>> Emailindu...@wso2.com
>>>>> Mobile   0772182255 <077%20218%202255>
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Gayan Gunawardana
>>>> Senior Software Engineer; WSO2 Inc.; http://wso2.com/
>>>> Email: ga...@wso2.com
>>>> Mobile: +94 (71) 8020933
>>>>
>>>
>>>
>>>
>>> --
>>> Indunil Upeksha Rathnayake
>>> Software Engineer | WSO2 Inc
>>> Emailindu...@wso2.com
>>> Mobile   0772182255 <077%20218%202255>
>>>
>>
>>
>>
>> --
>> Thanks & Regards,
>> Prabath
>>
>> Twitter : @prabath
>> LinkedIn : http://www.linkedin.com/in/prabathsiriwardena
>>
>> Mobile : +1 650 625 7950 <(650)%20625-7950>
>>
>> http://facilelogin.com
>>
>
>
>
> --
> Regards,
>
>
> *Darshana Gunawardana*Technical Lead
> WSO2 Inc.; http://wso2.com
>
> *E-mail: darsh...@wso2.com <darsh...@wso2.com>*
> *Mobile: +94718566859 <+94%2071%20856%206859>*Lean . Enterprise .
> Middleware
>



-- 
Gayan Gunawardana
Senior Software Engineer; WSO2 Inc.; http://wso2.com/
Email: ga...@wso2.com
Mobile: +94 (71) 8020933
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


Re: [Dev] View the group (role) id through management console

2017-08-29 Thread Gayan Gunawardana
On Wed, Aug 30, 2017 at 12:46 AM, Nilasini Thirunavukkarasu <
nilas...@wso2.com> wrote:

> Hi,
>
> We have a way to view user id through management console. By enabling
> "supported by default" for user id claim we could able to view the user id.
> Likewise are we having any configurations to see the group id through
> management console?
>
No. The group id is not stored in the user store. You can do a group name filter.

>
> Thanks,
> T.Nila.
>
> --
> Nilasini Thirunavukkarasu
> Software Engineer - WSO2
>
> Email : nilas...@wso2.com
> Mobile : +94775241823 <+94%2077%20524%201823>
> Web : http://wso2.com/
>
>
> <http://wso2.com/signature>
>





Re: [Dev] [IS] Usage of "kid" JWT header parameter

2017-08-28 Thread Gayan Gunawardana
On Mon, Aug 28, 2017 at 11:48 AM, Indunil Upeksha Rathnayake <
indu...@wso2.com> wrote:

> Hi,
>
> In IS, when signing the ID token, we are passing the "kid" header
> parameter in the response.
> https://github.com/wso2-extensions/identity-inbound-
> auth-oauth/blob/master/components/org.wso2.carbon.
> identity.oauth/src/main/java/org/wso2/carbon/identity/openidconnect/
> DefaultIDTokenBuilder.java#L122
>
> As per the specification (Refer [1]) :
>
>> *The kid value is a key identifier used in identifying the key to be used
>> to verify the signature.If the kid value is unknown to the RP, it needs to
>> retrieve the contents of the OP's JWK Set again to obtain the OP's current
>> set of keys. *
>>
>
> We have hard coded this "kid" value in the implementation level. What
> happens if the signing key is a different one than the default one?
>
> Seems like this "kid" is like a hint to identify which specific key to be
> used to validate the signature, when there are multiple keys. Is it a valid
> use case in IS, since there cannot be multiple certs available in resident
> IDP? And also is it correct to use a hard coded value from back-end?
>
Having a hard coded value is not correct. The "kid" value should be generated
based on the certificate "thumbprint". A hard coded value would work for the super
tenant default keystore.


>
>
>
> This is hard coded in JwksEndpoint as well.
> https://github.com/wso2-extensions/identity-inbound-
> auth-oauth/blob/master/components/org.wso2.carbon.
> identity.oauth.endpoint/src/main/java/org/wso2/carbon/
> identity/oauth/endpoint/jwks/JwksEndpoint.java#L54
>
> But in JWTTokenGenerator, we are not setting the "kid" parameter.
> https://github.com/wso2-extensions/identity-inbound-
> auth-oauth/blob/master/components/org.wso2.carbon.
> identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/authcontext/
> JWTTokenGenerator.java#L293
>
> In which scenarios, this "kid" header parameter should be sent and should
> not be sent? Recently we have implemented to sign the user info JWT
> response and need to verify whether "kid" parameter should be sent there as
> well.
>
>
>
> Appreciate your ideas on above concerns.
>
> [1] http://openid.net/specs/openid-connect-core-1_0.html
>
>
> Thanks and Regards
> --
> Indunil Upeksha Rathnayake
> Software Engineer | WSO2 Inc
> Emailindu...@wso2.com
> Mobile   0772182255
>



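A worked illustration of the thumbprint-derived "kid" and the refresh-on-unknown-kid behaviour discussed in this thread, added here as an example and not WSO2 Identity Server code. It assumes the RFC 7515 x5t#S256 certificate thumbprint as the kid scheme, and uses HS256 "oct" keys with constructed placeholder certificate bytes in place of the RS256 keystore certificates so that it runs with the standard library only.

```python
"""Resolving the JWS "kid" header against an OP's JWK Set.

Added example, not WSO2 code. The kid is the signing certificate's SHA-256
thumbprint (RFC 7515 x5t#S256 form) instead of a hard-coded value, and an
unknown kid triggers exactly one JWKS refresh, as OpenID Connect Core describes.
HS256 "oct" keys stand in for RS256 so only the standard library is needed.
"""
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def cert_kid(cert_der: bytes) -> str:
    """kid = base64url(SHA-256(DER certificate)), i.e. the x5t#S256 thumbprint."""
    return b64url(hashlib.sha256(cert_der).digest())


def sign_hs256(claims: dict, key: bytes, kid: str) -> str:
    """Mint a compact JWS whose protected header names the signing key by kid."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = ".".join(b64url(json.dumps(p, separators=(",", ":")).encode())
                             for p in (header, claims))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


class JwksKeyResolver:
    """Caches the OP's JWK Set and refreshes it once when a kid is unknown."""

    def __init__(self, fetch_jwks):
        self._fetch = fetch_jwks  # callable returning the parsed JWKS document
        self._keys = {}
        self.fetch_count = 0
        self._refresh()

    def _refresh(self):
        self.fetch_count += 1
        self._keys = {k["kid"]: k for k in self._fetch()["keys"] if "kid" in k}

    def resolve(self, kid: str) -> dict:
        if kid not in self._keys:
            self._refresh()  # one re-fetch only, so unknown kids cannot drive a fetch loop
        if kid not in self._keys:
            raise KeyError(f"unknown kid {kid!r} after JWKS refresh")
        return self._keys[kid]


def verify_hs256(token: str, resolver: JwksKeyResolver) -> dict:
    """Verify with the key the kid selects and return the claims."""
    head_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(head_b64))
    if header.get("alg") != "HS256" or "kid" not in header:
        raise ValueError("unsupported alg or missing kid")  # never let the token pick the algorithm
    jwk = resolver.resolve(header["kid"])
    expected = hmac.new(b64url_decode(jwk["k"]), f"{head_b64}.{body_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(body_b64))


def verification_outcome(token: str, resolver: JwksKeyResolver) -> str:
    """Collapse the three outcomes into a label."""
    try:
        verify_hs256(token, resolver)
        return "ok"
    except KeyError:
        return "unknown-kid"
    except ValueError:
        return "bad-signature"


# Constructed stand-ins: placeholder DER bytes and secrets, not real certificates.
OLD_CERT_DER = b"constructed-der-bytes-of-old-signing-cert"
NEW_CERT_DER = b"constructed-der-bytes-of-new-signing-cert"
OLD_KEY, NEW_KEY = b"old-hmac-secret-0123456789abcdef", b"new-hmac-secret-fedcba9876543210"
OLD_KID, NEW_KID = cert_kid(OLD_CERT_DER), cert_kid(NEW_CERT_DER)
OLD_ONLY_JWKS = {"keys": [{"kty": "oct", "kid": OLD_KID, "k": b64url(OLD_KEY)}]}


def run_rotation_scenario() -> tuple:
    """RP caches the old JWKS, the OP rotates, the RP refreshes once and verifies."""
    published = list(OLD_ONLY_JWKS["keys"])
    resolver = JwksKeyResolver(lambda: {"keys": list(published)})  # fetch #1: OLD_KID only
    published.append({"kty": "oct", "kid": NEW_KID, "k": b64url(NEW_KEY)})  # OP rotates
    token = sign_hs256({"iss": "https://op.example", "sub": "user1"}, NEW_KEY, NEW_KID)
    claims = verify_hs256(token, resolver)  # unknown kid -> fetch #2 -> verified
    return resolver.fetch_count, claims["sub"]
```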


Re: [Dev] Audience(aud) value in OpenID Connect ID Token vs Token Introspection response

2017-08-23 Thread Gayan Gunawardana
On Wed, Aug 23, 2017 at 1:46 PM, Asela Pathberiya <as...@wso2.com> wrote:

>
>
> On Tue, Aug 22, 2017 at 11:32 AM, Gayan Gunawardana <ga...@wso2.com>
> wrote:
>
>> According to OpenID connect specification [1] "aud" value is client id
>> with identifiers for other audiences.
>>
>> {
>>   "iss": "https://server.example.com",
>>   "sub": "24400320",
>>   "aud": "s6BhdRkqt3",
>>   "nonce": "n-0S6_WzA2Mj",
>>   "exp": 1311281970,
>>   "iat": 1311280970,
>>   "auth_time": 1311280969,
>>   "acr": "urn:mace:incommon:iap:silver"
>> }
>>
>> But in token introspection "aud" value is more like service provider URL
>> with identifiers for other audiences.
>>
>
> Where is it mentioned that it must be the SP URL.  I guess it must be some
> kind of identification such as client id.  Isn't it ?
>
Yes, no, it is not a URL but a kind of URI which represents the service provider.
According to an offline chat I had with Ruwan, in the OAuth/OpenID Connect
configuration there should be a way to configure Audiences like in SAML.

>
>
>>
>> {
>>   "active": true,
>>   "client_id": "l238j323ds-23ij4",
>>   "username": "jdoe",
>>   "scope": "read write dolphin",
>>   "sub": "Z5O3upPC88QrAjx00dis",
>>   "aud": "https://protected.example.net/resource",
>>   "iss": "https://server.example.com/",
>>   "exp": 1419356238,
>>   "iat": 1419350238,
>>   "extension_field": "twenty-seven"
>> }
>>
>> Can we have different Audience values for token introspection response
>> and ID Token ? If not we can have both as Audience values.
>>
>> [1] http://openid.net/specs/openid-connect-core-1_0.html#IDToken
>> [2] https://tools.ietf.org/html/rfc7662#section-2.2
>>
>> Thanks,
>> Gayan
>>
>> --
>> Gayan Gunawardana
>> Senior Software Engineer; WSO2 Inc.; http://wso2.com/
>> Email: ga...@wso2.com
>> Mobile: +94 (71) 8020933
>>
>
>
>
> --
> Thanks & Regards,
> Asela
>
> ATL
> Mobile : +94 777 625 933 <+94%2077%20762%205933>
>  +358 449 228 979
>
> http://soasecurity.org/
> http://xacmlinfo.org/
>





[Dev] Audience(aud) value in OpenID Connect ID Token vs Token Introspection response

2017-08-22 Thread Gayan Gunawardana
According to the OpenID Connect specification [1], the "aud" value is the client id,
with identifiers for other audiences.

{
  "iss": "https://server.example.com",
  "sub": "24400320",
  "aud": "s6BhdRkqt3",
  "nonce": "n-0S6_WzA2Mj",
  "exp": 1311281970,
  "iat": 1311280970,
  "auth_time": 1311280969,
  "acr": "urn:mace:incommon:iap:silver"
}

But in token introspection [2], the "aud" value is more like a service provider URL,
with identifiers for other audiences.

{
  "active": true,
  "client_id": "l238j323ds-23ij4",
  "username": "jdoe",
  "scope": "read write dolphin",
  "sub": "Z5O3upPC88QrAjx00dis",
  "aud": "https://protected.example.net/resource",
  "iss": "https://server.example.com/",
  "exp": 1419356238,
  "iat": 1419350238,
  "extension_field": "twenty-seven"
}

Can we have different Audience values for the token introspection response and
the ID Token? If not, we can have both as Audience values.

[1] http://openid.net/specs/openid-connect-core-1_0.html#IDToken
[2] https://tools.ietf.org/html/rfc7662#section-2.2

Thanks,
Gayan



Re: [Dev] Missing Attributes in Token Introspection Response

2017-08-21 Thread Gayan Gunawardana
On Mon, Aug 21, 2017 at 1:54 PM, Farasath Ahamed <farasa...@wso2.com> wrote:

>
>
>
> On Mon, Aug 21, 2017 at 1:23 PM, Gayan Gunawardana <ga...@wso2.com> wrote:
>
>>
>>
>> On Mon, Aug 21, 2017 at 1:21 PM, Ruwan Abeykoon <ruw...@wso2.com> wrote:
>>
>>> Hi All,
>>> I think we need to add them in introspection result, since they were
>>> anyway present in AuthenticationResponse inside JWT.
>>>
>>> @Gayan,
>>> How about the acr, amr ?
>>>
>> +1 we can add them too.
>>
>
> Can we also consider providing an extension point to decide attributes
> that go into the introspection response?
>
+1, token binding will introduce some more attributes.

>
>
>>
>>> Cheers,
>>> Ruwan
>>>
>>> On Mon, Aug 21, 2017 at 11:08 AM, Gayan Gunawardana <ga...@wso2.com>
>>> wrote:
>>>
>>>> Hi Indunil,
>>>>
>>>> From the token introspection response I can get the below attributes.
>>>>
>>>> {"scope":"openid","active":true,"token_type":"Bearer","exp":
>>>> 1503061170,"iat":1503057570,"client_id":"oRbEK6KkycbSLGxt3JH
>>>> ciaitPzoa","username":"admin@carbon.super"}
>>>>
>>>> But some of optional attributes are not included in introspection
>>>> response
>>>>
>>>>sub
>>>>   OPTIONAL.  Subject of the token, as defined in JWT [RFC7519 
>>>> <https://tools.ietf.org/html/rfc7519>].
>>>>   Usually a machine-readable identifier of the resource owner who
>>>>   authorized this token.
>>>>
>>>>aud
>>>>   OPTIONAL.  Service-specific string identifier or list of string
>>>>   identifiers representing the intended audience for this token, as
>>>>   defined in JWT [RFC7519 <https://tools.ietf.org/html/rfc7519>].
>>>>
>>>>iss
>>>>   OPTIONAL.  String representing the issuer of this token, as
>>>>   defined in JWT [RFC7519 <https://tools.ietf.org/html/rfc7519>].
>>>>
>>>> Do we have any limitation to support above attributes ?
>>>>
>>>>
>>>> [1] https://tools.ietf.org/html/rfc7662
>>>>
>>>> Thanks,
>>>> Gayan
>>>> --
>>>> Gayan Gunawardana
>>>> Senior Software Engineer; WSO2 Inc.; http://wso2.com/
>>>> Email: ga...@wso2.com
>>>> Mobile: +94 (71) 8020933
>>>>
>>>
>>>
>>>
>>>
>>>
>>
>>
>> --
>> Gayan Gunawardana
>> Senior Software Engineer; WSO2 Inc.; http://wso2.com/
>> Email: ga...@wso2.com
>> Mobile: +94 (71) 8020933
>>
>> ___
>> Dev mailing list
>> Dev@wso2.org
>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>
>>
>




Re: [Dev] Missing Attributes in Token Introspection Response

2017-08-21 Thread Gayan Gunawardana
On Mon, Aug 21, 2017 at 1:21 PM, Ruwan Abeykoon <ruw...@wso2.com> wrote:

> Hi All,
> I think we need to add them in introspection result, since they were
> anyway present in AuthenticationResponse inside JWT.
>
> @Gayan,
> How about the acr, amr ?
>
+1, we can add them too.

>
> Cheers,
> Ruwan
>
> On Mon, Aug 21, 2017 at 11:08 AM, Gayan Gunawardana <ga...@wso2.com>
> wrote:
>
>> Hi Indunil,
>>
>> From the token introspection response I can get the below attributes.
>>
>> {"scope":"openid","active":true,"token_type":"Bearer","exp":
>> 1503061170,"iat":1503057570,"client_id":"oRbEK6KkycbSLGxt3J
>> HciaitPzoa","username":"admin@carbon.super"}
>>
>> But some of optional attributes are not included in introspection
>> response
>>
>>sub
>>   OPTIONAL.  Subject of the token, as defined in JWT [RFC7519 
>> <https://tools.ietf.org/html/rfc7519>].
>>   Usually a machine-readable identifier of the resource owner who
>>   authorized this token.
>>
>>aud
>>   OPTIONAL.  Service-specific string identifier or list of string
>>   identifiers representing the intended audience for this token, as
>>   defined in JWT [RFC7519 <https://tools.ietf.org/html/rfc7519>].
>>
>>iss
>>   OPTIONAL.  String representing the issuer of this token, as
>>   defined in JWT [RFC7519 <https://tools.ietf.org/html/rfc7519>].
>>
>> Do we have any limitation to support above attributes ?
>>
>>
>> [1] https://tools.ietf.org/html/rfc7662
>>
>> Thanks,
>> Gayan
>> --
>> Gayan Gunawardana
>> Senior Software Engineer; WSO2 Inc.; http://wso2.com/
>> Email: ga...@wso2.com
>> Mobile: +94 (71) 8020933
>>
>
>
>
>
>




[Dev] Missing Attributes in Token Introspection Response

2017-08-20 Thread Gayan Gunawardana
Hi Indunil,

From the token introspection response I can get the below attributes.

{"scope":"openid","active":true,"token_type":"Bearer","exp":1503061170,"iat":1503057570,"client_id":"oRbEK6KkycbSLGxt3JHciaitPzoa","username":"admin@carbon.super"}

But some of the optional attributes are not included in the introspection response:

   sub
      OPTIONAL.  Subject of the token, as defined in JWT [RFC7519
      <https://tools.ietf.org/html/rfc7519>].
      Usually a machine-readable identifier of the resource owner who
      authorized this token.

   aud
      OPTIONAL.  Service-specific string identifier or list of string
      identifiers representing the intended audience for this token, as
      defined in JWT [RFC7519 <https://tools.ietf.org/html/rfc7519>].

   iss
      OPTIONAL.  String representing the issuer of this token, as
      defined in JWT [RFC7519 <https://tools.ietf.org/html/rfc7519>].

Do we have any limitation to support the above attributes?


[1] https://tools.ietf.org/html/rfc7662

Thanks,
Gayan


[Dev] Avoid Invoking REST endpoints from SSO login page

2017-08-18 Thread Gayan Gunawardana
In the IS 5.4.0-m2 SSO login page we can see a couple of hyperlinks for Forgot
Password, Forgot Username and Register Now, as below.

Actually, how it renders is:

<%
    // one HEAD request per link, on every render of the login page
    url = new URL(identityMgtEndpointContext + "/recoverpassword.do?callback="
            + Encode.forHtmlAttribute(urlEncodedURL));
    httpURLConnection = (HttpURLConnection) url.openConnection();
    httpURLConnection.setRequestMethod("HEAD");
    httpURLConnection.connect();
    if (httpURLConnection.getResponseCode() == HttpURLConnection.HTTP_OK) {
%>
Forgot Password

<%
    }
%>

So every time a user goes to the SSO login page, it needs to send 3 HTTP requests
to render 3 hyperlinks. Also, if any of the APIs raises a back-end exception, a bad
stack trace will be printed as below.

WARN {org.apache.cxf.phase.PhaseInterceptorChain} -  Application {
http://endpoint.recovery.identity.carbon.wso2.org/}ClaimsApi has thrown
exception, unwinding now
org.apache.cxf.interceptor.Fault

Is there a better way to handle this situation?

Thanks,
Gayan



Re: [Dev] Two critical issues in IS 5.3.0 SCIM 1.1 implementation

2017-08-16 Thread Gayan Gunawardana
On Tue, Aug 15, 2017 at 10:44 PM, Johann Nallathamby <joh...@wso2.com>
wrote:

> IAM Team,
>
> I found below two critical issues in IS 5.3.0 SCIM 1.1 implementation.
>
> 1. Users/{id} PATCH operation expects the "schemas" attribute to be empty.
> If the core schema value is given it throws an error [1].
>
> 2. "userName" attribute is mandatory in Users/{id} PATCH operation. This
> is not the case according to the spec [2].
>
> I think the first issue is a MUST fix. Because all the users who will try
> our SCIM patch implementation will face this issue and discontinue
> trying/using WSO2 IS 5.3.0. So I think this must be fixed.
>
Yes, we have to look at fixing this issue in a backward-compatible manner.

>
> The second issue seems to be a problem with our implementation design. I
> don't know if this could be easily fixed. May be it can be fixed at the
> cost of performance. Someone has to check on this. But if that is the case
> what is going to be our stance here? Compliance vs. Performance. Which side
> do we take? I would say compliance is more important. What are your
> thoughts?
>
We can fix this issue as well, but we need to check for API changes.

>
> [1] https://wso2.org/jira/browse/IDENTITY-6271
> [2] https://wso2.org/jira/browse/IDENTITY-6272
>
> Thanks & Regards,
> Johann.
>
> --
>
> *Johann Dilantha Nallathamby*
> Senior Lead Solutions Engineer
> WSO2, Inc.
> lean.enterprise.middleware
>
> Mobile - *+9476950*
> Blog - *http://nallaa.wordpress.com <http://nallaa.wordpress.com>*
>





Re: [Dev] Supporting attributes feature for SCIM filtering

2017-08-02 Thread Gayan Gunawardana
dpress.com <http://nallaa.wordpress.com>*
>>>>>
>>>>> ___
>>>>> Dev mailing list
>>>>> Dev@wso2.org
>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Chamila Dilshan Wijayarathna,
>>>> PhD Research Student
>>>> The University of New South Wales (UNSW Canberra)
>>>> Australian Centre for Cyber Security
>>>> Australian Defence Force Academy
>>>> PO Box 7916, Canberra BA ACT 2610
>>>> Australia
>>>> Mobile:(+61)416895795 <+61%20416%20895%20795>
>>>>
>>>>
>>>
>>>
>>> --
>>> Thanks & Regards,
>>>
>>> *Johann Dilantha Nallathamby*
>>> Senior Lead Solutions Engineer
>>> WSO2, Inc.
>>> lean.enterprise.middleware
>>>
>>> Mobile - *+9476950*
>>> Blog - *http://nallaa.wordpress.com <http://nallaa.wordpress.com>*
>>>
>>
>>
>>
>> --
>> Chamila Dilshan Wijayarathna,
>> PhD Research Student
>> The University of New South Wales (UNSW Canberra)
>> Australian Centre for Cyber Security
>> Australian Defence Force Academy
>> PO Box 7916, Canberra BA ACT 2610
>> Australia
>> Mobile:(+61)416895795 <+61%20416%20895%20795>
>>
>>
>
>
> --
> Thanks & Regards,
>
> *Johann Dilantha Nallathamby*
> Senior Lead Solutions Engineer
> WSO2, Inc.
> lean.enterprise.middleware
>
> Mobile - *+9476950*
> Blog - *http://nallaa.wordpress.com <http://nallaa.wordpress.com>*
>
> ___
> Dev mailing list
> Dev@wso2.org
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>
>




Re: [Dev] SCIM 2.0 Compliance Test Suite HTTP client

2017-07-21 Thread Gayan Gunawardana
On Fri, Jul 21, 2017 at 6:07 PM, Vindula Jayawardana <
vindula...@cse.mrt.ac.lk> wrote:

> Hi,
>
> As I mentioned in the proposal, the intended http client for the project
> is Feign client [1]. However, it was experienced that using the feign as
> the http client makes the implementation process more lagging due to
> following reasons.
>
> 1. The documentation support for the client is not that sufficient (less
> documentation/blogs).
> 2. As the compliance test exploits most of the http features, the current
> feign implementation has caused addition efforts to be made to accommodate
> the necessary requirements(eg: extension schema based operations).
>
> Due to the above reasons and since the project is deadline sensitive, I
> think it would be much more flexible to use apache http client [2] as the
> http client for the project. This change can be accommodated without much
> of effort and also as the client is an established client, the mentioned
> difficulties will be mitigated. What do you think?
>
+1.
We can have a look at the Feign client [1] and analyze the difficulties a bit. IMO,
making a lot of effort to get it working with the Feign client is not a main
objective of the project. If the Feign client is harder to use due to the
above reasons you mentioned, we can switch the HTTP client. If you can make the
HTTP client configurable with some default implementation, that would be great.

>
> [1] - https://github.com/OpenFeign/feign
> [2] - https://hc.apache.org/
>
> Thank you,
> *Vindula Jayawardana*
> Computer Science and Engineering Dept.
> University of Moratuwa
> mobile : +713462554
> Email : vindul...@gmail.com
>
> <https://www.facebook.com/vindula.jayawardana>
> <http://lk.linkedin.com/pub/vindula-jayawardana/a7/315/53b>
> <https://plus.google.com/u/0/+VindulaJayawardana/posts>
> <https://twitter.com/vindulajay>
>
> *“Respect is how to treat everyone, not just those you want to impress. "*
>
>
> *-Richard Branson-*
>
>
>




Re: [Dev] [IS] Admin/Tenant Admin Users cannot be filtered to get the SCIM ID

2017-07-21 Thread Gayan Gunawardana
Whatever the implementation, the behavior should be identical between the user list
command and the user filter command. With the new implementation, if the admin user
has a SCIM ID it will be returned from both list and filter.

On Fri, Jul 21, 2017 at 2:17 PM, Hasanthi Purnima Dissanayake <
hasan...@wso2.com> wrote:

> Hi Indunil,
>
> Please refer following mail in Architecture [1]. Seems Sathya is going to
> provide SCIM support for admin users by generating admin users' SCIM
> userId. After this implementation it seems this issue will be fixed.
>
> [1] mail : [Architecture] [IS] SCIM Support for Admin Users
>
> Thanks,
>
> Hasanthi Dissanayake
>
> Software Engineer | WSO2
>
> E: hasan...@wso2.com
> M :0718407133| http://wso2.com <http://wso2.com/>
>
> On Fri, Jul 21, 2017 at 2:11 PM, Gayan Gunawardana <ga...@wso2.com> wrote:
>
>>
>>
>> On Fri, Jul 21, 2017 at 2:06 PM, Indunil Upeksha Rathnayake <
>> indu...@wso2.com> wrote:
>>
>>> Hi,
>>>
>>> I have checked followings with IS 5.3.0 WUM updated pack.
>>>
>>> 1) List users
>>> curl -v -k --user admin:admin https://localhost:9443/wso2/scim/Users
>>> Result: *{"Errors":[{"description":"Users not found in the user
>>> store.","code":"404"}]}*
>>>
>>> 2) Filter admin user
>>> curl -v -k --user admin:admin https://localhost:9443/wso2/sc
>>> im/Users?filter=userName+Eq+%22admin%22
>>> Result:
>>> *{"schemas":["urn:scim:schemas:core:1.0"],"totalResults":1,"Resources":[{"userName":"admin"}]}*
>>>
>>> Seems like there is a contradiction here. When listing all the users,
>>> admin user details won't retrieved, but retrieved with the filtering. Since
>>> admin user doesn't have a SCIM ID, it shouldn't retrieved in any scenarios.
>>> WDT?
>>>
>> Yes so filter command should not return admin user if it doesn't have
>> SCIM ID.
>>
>>>
>>> Thanks and Regards
>>>
>>>
>>> On Fri, Nov 6, 2015 at 9:33 AM, Nadeesha Meegoda <nadees...@wso2.com>
>>> wrote:
>>>
>>>> Thanks Chamila. Unerstood!
>>>>
>>>> On Thu, Nov 5, 2015 at 9:48 PM, Chamila Wijayarathna <cham...@wso2.com>
>>>> wrote:
>>>>
>>>>> Hi Nadeesha,
>>>>>
>>>>> As I mentioned in my previous mail, super admin and tenant admin are
>>>>> not created with a SCIM ID, so you can't retrieve them using SCIM GET.
>>>>>
>>>>> I was suggesting above request to get other users of tenant, if you
>>>>> are interested, since the command you were using previously for retrieving
>>>>> tenant users were wrong.
>>>>>
>>>>> Thanks
>>>>>
>>>>> On Thu, Nov 5, 2015 at 5:03 PM, Nadeesha Meegoda <nadees...@wso2.com>
>>>>> wrote:
>>>>>
>>>>>> Hi all,
>>>>>>
>>>>>> So I requested to get the SCIM ID as what Chamila mentioned by the
>>>>>> following command
>>>>>> curl -v -k --user ten...@new.com:123456
>>>>>> https://localhost:9443/wso2/scim/Users?filter=userNameEqtenant
>>>>>>
>>>>>> But still this doesn't give any result only a http 404 error. So
>>>>>> tenant admins also are considered for the special flaw?
>>>>>>
>>>>>> On Thu, Nov 5, 2015 at 3:41 PM, Gayan Gunawardana <ga...@wso2.com>
>>>>>> wrote:
>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Thu, Nov 5, 2015 at 3:13 PM, Darshana Gunawardana <
>>>>>>> darsh...@wso2.com> wrote:
>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On Thu, Nov 5, 2015 at 12:45 PM, Gayan Gunawardana <ga...@wso2.com>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Thu, Nov 5, 2015 at 11:26 AM, Chamila Wijayarathna <
>>>>>>>>> cham...@wso2.com> wrote:
>>>>>>>>>
>>>>>>>>>> Hi Nadeesha,
>>>>>>>>>>
>>>>>>>>>> When creating super admin or tenant admin users, they don't get
>>>>>>>>>&

Re: [Dev] [IS] Admin/Tenant Admin Users cannot be filtered to get the SCIM ID

2017-07-21 Thread Gayan Gunawardana
On Fri, Jul 21, 2017 at 2:06 PM, Indunil Upeksha Rathnayake <
indu...@wso2.com> wrote:

> Hi,
>
> I have checked followings with IS 5.3.0 WUM updated pack.
>
> 1) List users
> curl -v -k --user admin:admin https://localhost:9443/wso2/scim/Users
> Result: *{"Errors":[{"description":"Users not found in the user
> store.","code":"404"}]}*
>
> 2) Filter admin user
> curl -v -k --user admin:admin https://localhost:9443/wso2/
> scim/Users?filter=userName+Eq+%22admin%22
> Result:
> *{"schemas":["urn:scim:schemas:core:1.0"],"totalResults":1,"Resources":[{"userName":"admin"}]}*
>
> Seems like there is a contradiction here. When listing all the users,
> admin user details won't retrieved, but retrieved with the filtering. Since
> admin user doesn't have a SCIM ID, it shouldn't retrieved in any scenarios.
> WDT?
>
Yes, so the filter command should not return the admin user if it doesn't have a
SCIM ID.

>
> Thanks and Regards
>
>
> On Fri, Nov 6, 2015 at 9:33 AM, Nadeesha Meegoda <nadees...@wso2.com>
> wrote:
>
>> Thanks Chamila. Unerstood!
>>
>> On Thu, Nov 5, 2015 at 9:48 PM, Chamila Wijayarathna <cham...@wso2.com>
>> wrote:
>>
>>> Hi Nadeesha,
>>>
>>> As I mentioned in my previous mail, super admin and tenant admin are not
>>> created with a SCIM ID, so you can't retrieve them using SCIM GET.
>>>
>>> I was suggesting above request to get other users of tenant, if you are
>>> interested, since the command you were using previously for retrieving
>>> tenant users were wrong.
>>>
>>> Thanks
>>>
>>> On Thu, Nov 5, 2015 at 5:03 PM, Nadeesha Meegoda <nadees...@wso2.com>
>>> wrote:
>>>
>>>> Hi all,
>>>>
>>>> So I requested to get the SCIM ID as what Chamila mentioned by the
>>>> following command
>>>> curl -v -k --user ten...@new.com:123456 https://localhost:9443/wso2/sc
>>>> im/Users?filter=userNameEqtenant
>>>>
>>>> But still this doesn't give any result only a http 404 error. So tenant
>>>> admins also are considered for the special flaw?
>>>>
>>>> On Thu, Nov 5, 2015 at 3:41 PM, Gayan Gunawardana <ga...@wso2.com>
>>>> wrote:
>>>>
>>>>>
>>>>>
>>>>> On Thu, Nov 5, 2015 at 3:13 PM, Darshana Gunawardana <
>>>>> darsh...@wso2.com> wrote:
>>>>>
>>>>>>
>>>>>>
>>>>>> On Thu, Nov 5, 2015 at 12:45 PM, Gayan Gunawardana <ga...@wso2.com>
>>>>>> wrote:
>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Thu, Nov 5, 2015 at 11:26 AM, Chamila Wijayarathna <
>>>>>>> cham...@wso2.com> wrote:
>>>>>>>
>>>>>>>> Hi Nadeesha,
>>>>>>>>
>>>>>>>> When creating super admin or tenant admin users, they don't get
>>>>>>>> created with a SCIM ID since they are considered as special users in 
>>>>>>>> IS.
>>>>>>>> Because of this when listing users through scim, those users will not 
>>>>>>>> get
>>>>>>>> listed.
>>>>>>>> But if you want, you can add a SCIM ID manually by updating the
>>>>>>>> user and then you will be able to list the also as SCIM Users.
>>>>>>>>
>>>>>>>> When listing users of tenants, you need to use credentials of
>>>>>>>> tenant admin users. When sending SCIM request with admin:admin, you 
>>>>>>>> will
>>>>>>>> only see users at super tenant. Also for filter, don't use @
>>>>>>>> tenant.com, because if u logged in as tenant admin and list users,
>>>>>>>> there you won't see user name with @tenant.com, so your curl
>>>>>>>> command to filter a user at tenant should be as follows.
>>>>>>>>
>>>>>>>> curl -v -k --user ad...@tenant.com:admin123 http
>>>>>>>> s://localhost:9443/wso2/scim/Users?filter=userNameEqtenant
>>>>>>>> <https://localhost:9443/wso2/scim/Users?filter=usernameeqten...@hello.com>
>>>>>>>>
>>>>>>>> Thanks
>>>>>>>>
>>>>>>

Re: [Dev] [APIM]Source code of entitlement jar file

2017-07-12 Thread Gayan Gunawardana
On Wed, Jul 12, 2017 at 7:32 AM, Abimaran Kugathasan <abima...@wso2.com>
wrote:

> Hi Denuwanthi,
>
> As I remember, we are using the sample provided by Nadeesha here [1], also
> decompiling the JAR will give you more information from META-INF/MANIFEST.MF
>
I guess it is better to have the source code somewhere like the APIM samples.
The source code was previously available in the article written by Nadeesha. You
can find the same source code at [1][2].

[1]
http://wso2.com/library/articles/2015/03/bring-your-social-identity-to-perform-organizational-authorization-actions-with-wso2-identity-server/
[2]
https://github.com/GayanM/role-based-authorization-artifacts/blob/master/entitlement/src/main/java/org/wso2/sample/callback/APIEntitlementCallbackHandler.java

>
> [1]: http://wso2.com/library/articles/2014/02/use-of-wso2-
> api-manager-to-validate-fine-grained-policy-decisions-using-xacml/
>
> On Wed, Jul 12, 2017 at 1:10 PM, Denuwanthi De Silva <denuwan...@wso2.com>
> wrote:
>
>> Hi,
>>
>> When referring document[1] to enable RBAC using XACML in APIM, it
>> mentions to add ' entitlement-1.0-SNAPSHOT JAR' file. In the doc the link
>> for the JAR is provided.
>> But where can I get the source repository of this jar?
>>
>> I checked in carbon-apimgt & product-apim. Couldn't find.
>> Appreciate if some one can point me to the source of it?
>>
>>
>> [1]https://docs.wso2.com/display/AM210/Enabling+Role-Based+
>> Access+Control+Using+XACML
>>
>>
>> Thanks
>> --
>> Denuwanthi De Silva
>> Senior Software Engineer;
>> WSO2 Inc.; http://wso2.com,
>> Email: denuwan...@wso2.com
>> Blog: https://denuwanthi.wordpress.com/
>>
>> ___
>> Dev mailing list
>> Dev@wso2.org
>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>
>>
>
>
> --
> Thanks
> Abimaran Kugathasan
> Senior Software Engineer - API Technologies
>
> Email : abima...@wso2.com
> Mobile : +94 773922820 <+94%2077%20392%202820>
>
> <http://stackoverflow.com/users/515034>
> <http://lk.linkedin.com/in/abimaran>
> <http://www.lkabimaran.blogspot.com/>  <https://github.com/abimarank>
> <https://twitter.com/abimaran>
>
>
> ___
> Dev mailing list
> Dev@wso2.org
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>
>




Re: [Dev] Handling required claims in ID Token

2017-07-05 Thread Gayan Gunawardana
Hi Sagara, Denuwanthi,

There are many ways to write a custom grant type. Even the ClientCredentials
grant type can be extended to a custom grant type where we do not need to think
about the ID token. If you can point to an exact example and explain the problem,
it would be great.

Thanks,
Gayan

On Tue, Jul 4, 2017 at 9:37 PM, Denuwanthi De Silva <denuwan...@wso2.com>
wrote:

> Thank you Sagara for the response.
> Yes, as you mentioned it means logical to use the server error response.
> will proceed with that.
>
>
> Thanks,
>
> On Tue, Jul 4, 2017 at 7:08 PM, Sagara Gunathunga <sag...@wso2.com> wrote:
>
>>
>>
>> On Tue, Jul 4, 2017 at 6:54 PM, Denuwanthi De Silva <denuwan...@wso2.com>
>> wrote:
>>
>>> Hi,
>>>
>>> In OIDC spec,following claims are mentioned as mandatory.
>>> -iss
>>> -sub
>>> -aud
>>> -exp
>>> -iat
>>>
>>> Currently as mentioned in jira [1], it is possible to write custom
>>> OAuth2 grant type which returns IDToken without "sub" claim.
>>>
>>> When we handle this scenario, there is a small concern
>>>  that need to be clarified.
>>>
>>> -When analyze the spec we could  not find any instance where it
>>> mentioned the error message to display in such a scenario.
>>> In that case, shall we come up with *new error message*?
>>> {"error_description":"custom description.","error":"custom_error"}
>>>
>>> - or throw a server exception and send the standard *server error*
>>> message ?
>>> ex:
>>> {"error_description":"Internal Server Error.","error":"server_error"}
>>>
>>
>> IMO what happen here is, server can not generate valid IDToken.
>>  "Internal Server Error " can properly describe this behavior  so better to
>> use that code, returning custom code may cause  interoperability  issues as
>> well.
>>
>> Thanks !
>>
>>>
>>>
>>> Appreciate any input on how to proceed with this.
>>>
>>> [1]https://wso2.org/jira/browse/IDENTITY-6088
>>> [2]http://openid.net/specs/openid-connect-core-1_0.html#IDToken
>>>
>>> Thanks,
>>> --
>>> Denuwanthi De Silva
>>> Senior Software Engineer;
>>> WSO2 Inc.; http://wso2.com,
>>> Email: denuwan...@wso2.com
>>> Blog: https://denuwanthi.wordpress.com/
>>>
>>
>>
>>
>> --
>> Sagara Gunathunga
>>
>> Associate Director / Architect; WSO2, Inc.;  http://wso2.com
>> V.P Apache Web Services;http://ws.apache.org/
>> Linkedin; http://www.linkedin.com/in/ssagara
>> Blog ;  http://ssagara.blogspot.com
>>
>>
>
>
> --
> Denuwanthi De Silva
> Senior Software Engineer;
> WSO2 Inc.; http://wso2.com,
> Email: denuwan...@wso2.com
> Blog: https://denuwanthi.wordpress.com/
>
> ___
> Dev mailing list
> Dev@wso2.org
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>
>


-- 
Gayan Gunawardana
Senior Software Engineer; WSO2 Inc.; http://wso2.com/
Email: ga...@wso2.com
Mobile: +94 (71) 8020933
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


Re: [Dev] [GSoC][SCIM] SCIM 2.0 Test Dependencies

2017-07-01 Thread Gayan Gunawardana
On Sat, Jul 1, 2017 at 8:54 AM, Vindula Jayawardana <
vindula...@cse.mrt.ac.lk> wrote:

> Hi,
>
> In SCIM 2.0 compliance test suite, there are inter dependencies between
> tests. For an example,
>
> We have identified /Schemas endpoint as a critical test which tests the
> schemas corresponding to user and group resources according to SCIM
> specification. However in a case where a SCIM service provider has
> customized the schemas according to their own requirements, this test will
> be failed. As the test suite uses the /Schemas endpoint to learn about the
> service providers schema definitions (consider the case where there is a
> user schema extension defined by the service provider), if the /Schemas
> endpoint fails, the test suite will be terminated immediately as the test
> suite cannot learn the configurations. However we can also make it not to
> terminate but to get adjusted to the service provider's configs after just
> failing the /Schemas endpoint test only. With that, the service provider
> will be able to run the remaining tests on the altered schemas without
> being blocked due to test dependency. But it should also be noted that,
> this approach can cause the test suite to not to adhere to the
> specification, but to adjust itself dynamically after a proper indication
> of the reason for the adjustment.
>
> Hence, as identified in the above example, there are two possible options
> in a test dependency situation.
>
> 1. Terminate
> 2. Adjust accordingly and continue the suite but fails only the parent
> test.
>
> What is the best way of handling this?. Any thoughts on this is highly
> appreciated.
>
Thanks for bringing up this question. SCIM 2.0 is an open standard for
identity provisioning. The advantage of an open standard is that if two parties
follow a common standard/specification, integration should be seamless. The idea
of a compliance test is to make sure a given software product adheres to a
particular specification, hence I am +1 to terminate the test.

What was the approach for SCIM 1.1 ?

>
> Thank you
> *Vindula Jayawardana*
> Computer Science and Engineering Dept.
> University of Moratuwa
> mobile : +713462554
> Email : vindul...@gmail.com
>
> <https://www.facebook.com/vindula.jayawardana>
> <http://lk.linkedin.com/pub/vindula-jayawardana/a7/315/53b>
> <https://plus.google.com/u/0/+VindulaJayawardana/posts>
> <https://twitter.com/vindulajay>
>
> *“Respect is how to treat everyone, not just those you want to impress. "*
>
>
> *-Richard Branson-*
>
>
>


-- 
Gayan Gunawardana
Senior Software Engineer; WSO2 Inc.; http://wso2.com/
Email: ga...@wso2.com
Mobile: +94 (71) 8020933
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
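The two options raised in the message above, terminate the suite or fail only the parent test and adjust, as an added Python example that is not the compliance suite's code: a minimal dependency-aware runner fed a constructed /Schemas answer from a provider that customised its User schema (dropped "emails", added a provider-specific "employeeCode"). The schema subsets, resources and check names are constructed for the illustration.

```python
"""Dependency-aware execution of SCIM compliance checks (added example, not the suite's code)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"

# Attributes the suite expects per core schema (a constructed subset of RFC 7643).
SPEC_ATTRIBUTES = {
    USER_SCHEMA: {"userName", "name", "emails"},
    GROUP_SCHEMA: {"displayName", "members"},
}
# Constructed /Schemas answer of a provider that customised its User schema:
# "emails" was dropped and a provider-specific "employeeCode" was added.
PROVIDER_SCHEMAS = {
    USER_SCHEMA: {"userName", "name", "employeeCode"},
    GROUP_SCHEMA: {"displayName", "members"},
}
# Constructed resources the same provider returns from /Users and /Groups.
PROVIDER_USER = {"userName": "alice", "name": {"givenName": "Alice"}, "employeeCode": "E-17"}
PROVIDER_GROUP = {"displayName": "admins", "members": []}


@dataclass
class Check:
    name: str
    run: Callable[[dict], bool]          # receives the shared context, returns pass/fail
    depends_on: Optional[str] = None     # parent check whose outcome this one relies on


def schemas_check(ctx: dict) -> bool:
    """/Schemas: record what the provider advertises, then compare it with the spec."""
    ctx["schemas"] = PROVIDER_SCHEMAS
    return all(SPEC_ATTRIBUTES[u] <= ctx["schemas"].get(u, set()) for u in SPEC_ATTRIBUTES)


def users_check(ctx: dict) -> bool:
    """/Users: every attribute the learned User schema requires must be present."""
    return ctx["schemas"][USER_SCHEMA] <= set(PROVIDER_USER)


def groups_check(ctx: dict) -> bool:
    """/Groups: same check against the learned Group schema."""
    return ctx["schemas"][GROUP_SCHEMA] <= set(PROVIDER_GROUP)


CHECKS = [
    Check("/Schemas", schemas_check),
    Check("/Users", users_check, depends_on="/Schemas"),
    Check("/Groups", groups_check, depends_on="/Schemas"),
]


def run_suite(checks: List[Check], mode: str) -> Dict[str, str]:
    """Run the checks in order. mode="terminate" stops at the first failure and marks
    everything after it NOT_RUN; mode="adjust" fails the parent only and lets dependants
    use the configuration learned from it (falling back to the spec if nothing was learned)."""
    results: Dict[str, str] = {}
    ctx: dict = {}
    aborted = False
    for check in checks:
        parent = check.depends_on
        blocked = parent is not None and results.get(parent) != "PASS"
        if aborted or (blocked and (mode == "terminate" or parent not in results)):
            results[check.name] = "NOT_RUN"
            continue
        if blocked:
            ctx.setdefault("schemas", SPEC_ATTRIBUTES)
        outcome = check.run(ctx)
        results[check.name] = "PASS" if outcome else "FAIL"
        if not outcome and mode == "terminate":
            aborted = True
    return results


def verdict(results: Dict[str, str]) -> str:
    """A provider is compliant only when every check passed; NOT_RUN is not a pass."""
    return "COMPLIANT" if all(v == "PASS" for v in results.values()) else "NOT_COMPLIANT"
```

In "terminate" mode the customised /Schemas fails and /Users and /Groups are reported as not run; in "adjust" mode they run against the schema the suite learned from the provider and pass, but the suite still cannot report compliance, which is the trade-off the message describes.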


[Dev] Default Claim Mapping for Multiple User Stores from claim-config.xml

2017-06-15 Thread Gayan Gunawardana
Hi All,


http://wso2.org/claims/givenname
First Name
givenName
First Name

1

 

With this configuration, *givenName* maps to
*http://wso2.org/claims/givenname <http://wso2.org/claims/givenname>* for the
*PRIMARY* user store.

In IS 5.3.0 we can set the mapped attribute from a drop-down for multiple user
stores.

Is there a way to do the same configuration from claim-config.xml? If not,
isn't it better to support it by changing the structure of claim-config.xml?

Thanks,
Gayan

-- 
Gayan Gunawardana
Senior Software Engineer; WSO2 Inc.; http://wso2.com/
Email: ga...@wso2.com
Mobile: +94 (71) 8020933
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


Re: [Dev] [GSoC 2017][IS] SCIM 2.0 Compliance Test Suite

2017-06-11 Thread Gayan Gunawardana
Hi Vindula,

On Mon, Jun 5, 2017 at 4:14 PM, Vindula Jayawardana <
vindula...@cse.mrt.ac.lk> wrote:

> Hi,
>
> Kindly find the weekly update below.
>
> Within the week time span, I have been working on the webapp component
> proposed in the system architecture. In parallel, I also looked in to
> implementing scimcore component as well. In implementing the scimcore
> component, as we discussed in the previous mails, I used the Charon code
> (which relates to scheme specifications only) as a base code.
>
You are supposed to use the Feign JAX-RS client, right? Can you directly use the
Charon core objects [1][2] in the REST client, or did you implement your own object
model? I guess you may run into JSON encoding and decoding problems with the Charon
core standard objects.

[1]
https://github.com/wso2/charon/blob/master/modules/charon-core/src/main/java/org/wso2/charon3/core/objects/User.java
[2]
https://github.com/wso2/charon/blob/master/modules/charon-core/src/main/java/org/wso2/charon3/core/objects/Group.java

>
> In this week, I am planning on look into the scimcore component more with
> adhering to schema specification. Also I did not mock the SCIM 1.1 /Schemas
> endpoint in IS yet since it is not that urgent at the moment (it is helpful
> in understanding the protocol specification). Hence I will look into mock
> that as well since now I can work with protocol specification as well.
>
Would you be able to run the SCIM 1.1 compliance test if you mock the /Schemas
endpoint? This task is also important for getting an understanding of the
compliance test.

>
> Thank you.
>
> *Vindula Jayawardana*
> Computer Science and Engineering Dept.
> University of Moratuwa
> mobile : +713462554
> Email : vindul...@gmail.com
>
> <https://www.facebook.com/vindula.jayawardana>
> <http://lk.linkedin.com/pub/vindula-jayawardana/a7/315/53b>
> <https://plus.google.com/u/0/+VindulaJayawardana/posts>
> <https://twitter.com/vindulajay>
>
> *“Respect is how to treat everyone, not just those you want to impress. "*
>
>
> *-Richard Branson-*
>
>
>
> On 29 May 2017 at 10:50, Gayan Gunawardana <ga...@wso2.com> wrote:
>
>>
>>
>> On Mon, May 29, 2017 at 1:21 AM, Vindula Jayawardana <
>> vindula...@cse.mrt.ac.lk> wrote:
>>
>>> Hi,
>>>
>>> I have been working on understanding more on the current SCIM 1.1 test
>>> suite. Hence I further analyzed it and identified the following
>>> possibilities.
>>>
>> +1
>>
>>>
>>> 1. Apart from the specification specific implementation aspects, a
>>> significant amount of code reuse can be done from the current code base.
>>> However as per the SCIM mailing list [1] some concerns were raised
>>> regarding the current structure of the implementation.
>>> 2. For the proposed scim core component, we can make use of the Charon
>>> [2] code base as a start.
>>>
>>> As Identity Server currently supports SCIM 2.0 in the C5 architecture
>>> only, I have added a PR [3] and a jira [4] to make it available for C4
>>> architecture as well. Greatly appreciate if you can review it and merge.
>>>
>> We will review [3],[4] btw can you continue the work with IS 6.0.0 in C5
>> ? I guess for compliance test it won't make much difference.
>>
>>>
>>> I am currently working in the webapp of the component architecture
>>> proposed and hoping to start implementing the scimcore component in the
>>> coming week. Apart from that, will look into mocking the /Schemas endpoint
>>> in the SCIM 1.1 implementation of Identity Server to get a better
>>> understanding on how the SCIM 1.1 test suite works with IS.
>>>
>> Great progress Vindula keep it up.
>>
>>>
>>> [1] - https://mailarchive.ietf.org/arch/msg/scim/JYFpusDrtQ94hnghvEPjczU4laE
>>> [2] - https://github.com/wso2/charon
>>> [3] - https://github.com/wso2-extensions/identity-inbound-provisioning-scim2/pull/16
>>> [4] - https://wso2.org/jira/projects/IDENTITY/issues/IDENTITY-5942
>>>
>>> Thank you
>>>
>>> *Vindula Jayawardana*
>>> Computer Science and Engineering Dept.
>>> University of Moratuwa
>>> mobile : +713462554
>>> Email : vindul...@gmail.com
>>>
>>> <https://www.facebook.com/vindula.jayawardana>
>>> <http://lk.linkedin.com/pub/vindula-jayawardana/a7/315/53b>
>>> <https://plus.google.com/u/0/+VindulaJayawardana/posts>
>>> <https://twitter.com/vindulajay>
>>>
>>> *“Respect is how to treat everyone, not just those you wan

Re: [Dev] [GSoC 2017][IS] SCIM 2.0 Compliance Test Suite

2017-05-28 Thread Gayan Gunawardana
..@gmail.com
>>>>
>>>> <https://www.facebook.com/vindula.jayawardana>
>>>> <http://lk.linkedin.com/pub/vindula-jayawardana/a7/315/53b>
>>>> <https://plus.google.com/u/0/+VindulaJayawardana/posts>
>>>> <https://twitter.com/vindulajay>
>>>>
>>>> *“Respect is how to treat everyone, not just those you want to impress.
>>>> "*
>>>>
>>>>
>>>> *-Richard Branson-*
>>>>
>>>>
>>>>
>>>> On 30 March 2017 at 23:13, Vindula Jayawardana <
>>>> vindula...@cse.mrt.ac.lk> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> As mentioned above, I looked at the SCIM 1.1 compliance test suite
>>>>> [1]. Due to the reason that the SCIM 1.1 test suite requires an internet
>>>>> facing SCIM 1.1 server to run the tests against, I setup-ed an Identity
>>>>> Server instance in AWS [2]. However when the test are run, it fails due to
>>>>> /ServiceProviderConfigs and /Schemas endpoints. As WSO2 SCIM 1.1 support
>>>>> [3] is not covering the mentioned two endpoints, tests are
>>>>> failing when run.
>>>>>
>>>>> However in order to get an idea on how the result representation had
>>>>> been done in SCIM 1.1 compliance test suit, I mocked the
>>>>> /ServiceProviderConfigs endpoint [4] and was able to get the
>>>>> following output.
>>>>>
>>>>>
>>>>>
>>>>> Due to the complexity of mocking the /Schemas endpoint and also as the
>>>>> test on one endpoint ( /ServiceProviderConfigs) could give the nature
>>>>> of the result representation as seen above, I did not try to mock /Schemas
>>>>> endpoint and run the test suit again. However I tried by mocking the
>>>>> endpoint with 501 NOT IMPLEMENTED [5] as the output, but that was not
>>>>> accepted by the test suit as a valid return object.
>>>>>
>>>>> However, in my opinion, the SCIM test suit should be flexible in
>>>>> nature to skip any test which was given the input from the SCIM server as
>>>>> 501 NOT IMPLEMENTED [5]. I encourage such kind of implementation to be
>>>>> adopted in the proposed SCIM 2.0 compliance test suit as in that way the
>>>>> test suit acknowledges the SP's inability to provide those endpoints while
>>>>> making sure such kind of inability does not compromise the ability to run
>>>>> the test suit on other endpoints.
>>>>>
>>>>> [1] - http://www.simplecloud.info/#complianceTest
>>>>> [2] - https://aws.amazon.com/
>>>>> [3] - https://github.com/wso2/charon/tree/release-2.0.7
>>>>> [4] - https://github.com/Vindulamj/mocked-identity-inbound-provisioning-scim/tree/master/identity-inbound-provisioning-scim-master
>>>>> [5] - http://www.simplecloud.info/specs/draft-scim-api-01.html#anchor6
>>>>>
>>>>> *Vindula Jayawardana*
>>>>> Computer Science and Engineering Dept.
>>>>> University of Moratuwa
>>>>> mobile : +713462554
>>>>> Email : vindul...@gmail.com
>>>>>
>>>>> <https://www.facebook.com/vindula.jayawardana>
>>>>> <http://lk.linkedin.com/pub/vindula-jayawardana/a7/315/53b>
>>>>> <https://plus.google.com/u/0/+VindulaJayawardana/posts>
>>>>> <https://twitter.com/vindulajay>
>>>>>
>>>>> *“Respect is how to treat everyone, not just those you want to
>>>>> impress. "*
>>>>>
>>>>>
>>>>> *-Richard Branson-*
>>>>>
>>>>>
>>>>>
>>>>> On 10 March 2017 at 16:42, Vindula Jayawardana <
>>>>> vindula...@cse.mrt.ac.lk> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> Thank you very much for the prompt replies. I will look into the
>>>>>> points you have mentioned and will keep you updated here.
>>>>>>
>>>>>> Thank you.
>>>>>>
>>>>>> *Vindula Jayawardana*
>>>>>> Computer Science and Engineering Dept.
>>>>>> University of Moratuwa
>>>>>> mobile : +713462554
>>>>>> Email : vindul...@gmail.com
>>>

Re: [Dev] Security using IS 5.3.0

2017-05-23 Thread Gayan Gunawardana
On Mon, May 22, 2017 at 3:55 PM, Melodias <osbtestmail...@gmail.com> wrote:

> Hi
> I would like add extra security using IS 5.3.0.
>
> My first scenario is:
> I'm in London and I'm login to my webApp using SSO IS 5.3.0. After 30
> minutes someone login to my account from Beijing. It is not possible that
> it
> was me, because 30 minutes before I was in London. Can IS send me an email,
> that someone login to my account from Beijing?
>
In this case, do you want to allow the login from Beijing and send an email
just informing the user about the suspicious login, or do you want to stop the
login from Beijing with an email notification?

>
> My second scenario is:
> to have trusted device. In first login I add my pc to trusted device. To
> add
> device, IS will send on my mobile phone message with code i have to write,
> to add trusted device. When I login to my account from other device, then
> IS
> send me an email with message that someone loggin to my account from
> unknown
> device, and to login I must have new code to add new device.
>
From the device side, which attribute can you send to identify the device? Is there
any capability to run an agent program on the device side?

>
> It is possible to do this scenarios using IS?
>
> my regards
>
>
>
> --
> View this message in context: http://wso2-oxygen-tank.10903.n7.nabble.com/Security-using-IS-5-3-0-tp149117.html
> Sent from the WSO2 Development mailing list archive at Nabble.com.
> _______
> Dev mailing list
> Dev@wso2.org
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>



-- 
Gayan Gunawardana
Senior Software Engineer; WSO2 Inc.; http://wso2.com/
Email: ga...@wso2.com
Mobile: +94 (71) 8020933
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
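The two scenarios in the question above (a login from Beijing 30 minutes after one from London, and a login from a device the user has not enrolled) are the classic inputs of an impossible-travel and unknown-device policy. The Python below is an added example, not WSO2 IS code or the questioner's: it walks a user's login events in time order, computes the great-circle speed between consecutive logins, and returns the actions a policy would take (notify the user, require device enrollment). The speed threshold, coordinates, device identifiers and events are constructed assumptions for the illustration.

```python
"""Impossible-travel and unknown-device checks over login events (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Optional, Set

EARTH_RADIUS_KM = 6371.0
# Assumption for the example: anything faster than a long-haul flight is implausible.
MAX_PLAUSIBLE_SPEED_KMH = 1000.0


@dataclass
class Login:
    user: str
    at: datetime
    city: str
    lat: float
    lon: float
    device_id: str      # whatever stable identifier the device can present


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two coordinates, in kilometres."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def assess(prev: Optional[Login], cur: Login, trusted_devices: Set[str]) -> Set[str]:
    """Actions for the login `cur`, given the same user's previous login and their enrolled devices."""
    actions: Set[str] = set()
    if cur.device_id not in trusted_devices:
        # Scenario 2: an unenrolled device must be enrolled (for example with a code sent
        # to the user's phone) and the user told that a new device was used.
        actions.update({"REQUIRE_DEVICE_ENROLLMENT", "NOTIFY_USER"})
    if prev is not None:
        hours = (cur.at - prev.at).total_seconds() / 3600.0
        km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
        if hours <= 0:
            speed = float("inf") if km > 0 else 0.0   # same instant, different place
        else:
            speed = km / hours
        if speed > MAX_PLAUSIBLE_SPEED_KMH:
            # Scenario 1: London, then Beijing 30 minutes later, cannot be the same person.
            actions.update({"IMPOSSIBLE_TRAVEL", "NOTIFY_USER"})
    return actions


def evaluate_history(logins: List[Login], trusted: Dict[str, Set[str]]) -> List[Set[str]]:
    """Evaluate every login in time order; returns one action set per (sorted) event."""
    results: List[Set[str]] = []
    last_seen: Dict[str, Login] = {}
    for login in sorted(logins, key=lambda entry: entry.at):
        results.append(assess(last_seen.get(login.user), login, trusted.get(login.user, set())))
        last_seen[login.user] = login
    return results


# Constructed sample events mirroring the first scenario in the question.
SAMPLE_LOGINS = [
    Login("alice", datetime(2017, 5, 22, 9, 0, tzinfo=timezone.utc), "London", 51.5074, -0.1278, "pc-home"),
    Login("alice", datetime(2017, 5, 22, 9, 30, tzinfo=timezone.utc), "Beijing", 39.9042, 116.4074, "unknown-1"),
]
SAMPLE_TRUSTED = {"alice": {"pc-home"}}

if __name__ == "__main__":
    for login, actions in zip(SAMPLE_LOGINS, evaluate_history(SAMPLE_LOGINS, SAMPLE_TRUSTED)):
        print(login.city, sorted(actions))
```

Whether "NOTIFY_USER" alone (allow and inform) or a block is the right response is exactly the question the reply asks; the policy layer that consumes these action sets is where that decision belongs.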


Re: [Dev] [IS] 6.0.0 roadmap

2017-05-23 Thread Gayan Gunawardana
On Mon, May 22, 2017 at 8:00 PM, Hanen Ben Rhouma <hanen...@gmail.com>
wrote:

> Hello,
>
> Could you please state the new features and bug fixes introduced within IS
> 6.0.0.m2
>
Basically focused on SCIM 2.0 support and bug fixes from 6.0.0-m1.

>
> And what's coming within the major release and it's date please?
>
Plan is not yet finalized.

>
> Regards,
> Hanen
>
> ___
> Dev mailing list
> Dev@wso2.org
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>
>


-- 
Gayan Gunawardana
Senior Software Engineer; WSO2 Inc.; http://wso2.com/
Email: ga...@wso2.com
Mobile: +94 (71) 8020933
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


Re: [Dev] [APIM][C5] - Best Way to get the end user information

2017-05-13 Thread Gayan Gunawardana
indu,
>>>>>>
>>>>>> In OIDC there are other standard scopes[1] in addition to 'openid'.
>>>>>> These scopes are there to request specific user claims. I think we can use
>>>>>> them here. So when generating tokens, these scopes should be used as per
>>>>>> the requirement.
>>>>>>
>>>>>> [1] http://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims
>>>>>>
>>>>>> Thanks,
>>>>>> Bhathiya
>>>>>>
>>>>>> On Sat, May 13, 2017 at 12:18 AM, Tharindu Dharmarathna <
>>>>>> tharin...@wso2.com> wrote:
>>>>>>
>>>>>>> Hi All,
>>>>>>>
>>>>>>> We had a use case on APIM to send the user claims in the JWT Header
>>>>>>> to the backend server.
>>>>>>>
>>>>>>> Currently APIM C4 architecture was Getting the user claims and
>>>>>>> generate JWT from Key manager node.
>>>>>>>
>>>>>>> As in C5 architecture, we have to get the user claims from the IS or
>>>>>>> the third party key manager.
>>>>>>>
>>>>>>> I had observed below two ways of getting user claims into the
>>>>>>> Gateway from IS.
>>>>>>>
>>>>>>> 1. Generate token with OpenID scope.
>>>>>>> 2. Call userinfo endpoint with above generated token
>>>>>>> 3. Call OAuth2TokenValidation Service and get the token.
>>>>>>>
>>>>>>> When considering [2] in order to receive user info we have to set
>>>>>>> the requested claims in service provider according to the App.
>>>>>>>
>>>>>>> And from Current C4 architecture, we don't mandate to send openid
>>>>>>> token as a scope.
>>>>>>>
>>>>>>> Is there any other alternative ways to achieve above task.
>>>>>>>
>>>>>>> Thanks
>>>>>>>
>>>>>>> *Tharindu Dharmarathna*Senior Software Engineer
>>>>>>> WSO2 Inc.; http://wso2.com
>>>>>>> lean.enterprise.middleware
>>>>>>>
>>>>>>> mobile: *+94779109091 <077%20910%209091>*
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> *Bhathiya Jayasekara*
>>>>>> *Associate Technical Lead,*
>>>>>> *WSO2 inc., http://wso2.com <http://wso2.com>*
>>>>>>
>>>>>> *Phone: +94715478185 <071%20547%208185>*
>>>>>> *LinkedIn: http://www.linkedin.com/in/bhathiyaj
>>>>>> <http://www.linkedin.com/in/bhathiyaj>*
>>>>>> *Twitter: https://twitter.com/bhathiyax
>>>>>> <https://twitter.com/bhathiyax>*
>>>>>> *Blog: http://movingaheadblog.blogspot.com
>>>>>> <http://movingaheadblog.blogspot.com/>*
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> *Bhathiya Jayasekara*
>>>>> *Associate Technical Lead,*
>>>>> *WSO2 inc., http://wso2.com <http://wso2.com>*
>>>>>
>>>>> *Phone: +94715478185 <+94%2071%20547%208185>*
>>>>> *LinkedIn: http://www.linkedin.com/in/bhathiyaj
>>>>> <http://www.linkedin.com/in/bhathiyaj>*
>>>>> *Twitter: https://twitter.com/bhathiyax
>>>>> <https://twitter.com/bhathiyax>*
>>>>> *Blog: http://movingaheadblog.blogspot.com
>>>>> <http://movingaheadblog.blogspot.com/>*
>>>>>
>>>>> ___
>>>>> Dev mailing list
>>>>> Dev@wso2.org
>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>>
>>>>>
>>>>
>>>
>>>
>>> --
>>> *Bhathiya Jayasekara*
>>> *Associate Technical Lead,*
>>> *WSO2 inc., http://wso2.com <http://wso2.com>*
>>>
>>> *Phone: +94715478185 <+94%2071%20547%208185>*
>>> *LinkedIn: http://www.linkedin.com/in/bhathiyaj
>>> <http://www.linkedin.com/in/bhathiyaj>*
>>> *Twitter: https://twitter.com/bhathiyax <https://twitter.com/bhathiyax>*
>>> *Blog: http://movingaheadblog.blogspot.com
>>> <http://movingaheadblog.blogspot.com/>*
>>>
>>
>>
>
>
> --
> *Bhathiya Jayasekara*
> *Associate Technical Lead,*
> *WSO2 inc., http://wso2.com <http://wso2.com>*
>
> *Phone: +94715478185 <+94%2071%20547%208185>*
> *LinkedIn: http://www.linkedin.com/in/bhathiyaj
> <http://www.linkedin.com/in/bhathiyaj>*
> *Twitter: https://twitter.com/bhathiyax <https://twitter.com/bhathiyax>*
> *Blog: http://movingaheadblog.blogspot.com
> <http://movingaheadblog.blogspot.com/>*
>



-- 
Gayan Gunawardana
Software Engineer; WSO2 Inc.; http://wso2.com/
Email: ga...@wso2.com
Mobile: +94 (71) 8020933
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


Re: [Dev] Client credential grant type for ID token generation

2017-05-04 Thread Gayan Gunawardana
On Thu, May 4, 2017 at 2:41 PM, Pushpalanka Jayawardhana <la...@wso2.com>
wrote:

> Hi All,
>
> This is in relation to issue [1] which happened when we issue ID_token for
> client credentials grant.
>
> Client credentials grant type is not really a part of OpenID Connect
> specification, as it only mentions of authorization code grant flow(Basic
> Profile) and implicit grant flow (Implicit profile), and hybrid flow.
> This is an additional thing when we issue id_token for client credentials
> grant.
>
> Also this does not make much sense when we issue an ID_token to an
> application which is presented in client credentials grant.
> In my opinion we should get rid of this, if noone is currently using it.
> Appreciate your inputs.
>
Also, the OpenID Connect specification does not talk about issuing an ID_token for
the password grant type either. Apart from the specification POV, issuing an ID_token
for the password grant type is not logically wrong.
Issuing an ID_token for the client credentials grant type is logically wrong, hence
+1 to remove the functionality.

>
> [1] - https://wso2.org/jira/browse/IDENTITY-4915
>
> Thanks,
> --
> Pushpalanka.
> --
> Pushpalanka Jayawardhana, B.Sc.Eng.(Hons).
> Senior Software Engineer, WSO2 Lanka (pvt) Ltd;  wso2.com/
> Mobile: +94779716248
> Blog: pushpalankajaya.blogspot.com/ | LinkedIn: lk.linkedin.com/in/
> pushpalanka/ | Twitter: @pushpalanka
>
>


-- 
Gayan Gunawardana
Software Engineer; WSO2 Inc.; http://wso2.com/
Email: ga...@wso2.com
Mobile: +94 (71) 8020933
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
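The thread above and the earlier "Handling required claims in ID Token" thread describe the same guard from two sides: no ID token should be issued for client credentials, where no resource owner is authenticated, and a grant handler that cannot produce the claims OIDC Core 1.0 requires (iss, sub, aud, exp, iat) should make the server answer with the standard server_error rather than a custom code. The Python below is an added example, not WSO2 IS code or the list's: a sketch of the ID-token step of a token endpoint with a pluggable claims provider standing in for the grant handler. The HS256 key, issuer, client id and hashed access token are constructed; a real deployment signs ID tokens with the issuer's asymmetric key.

```python
"""Guarding ID token issuance at the token endpoint (added example, not WSO2 IS code)."""
import base64
import hashlib
import hmac
import json
from typing import Callable, Dict, Tuple

# OpenID Connect Core 1.0, section 2: claims every ID token must carry.
REQUIRED_ID_TOKEN_CLAIMS = ("iss", "sub", "aud", "exp", "iat")

# Standard OAuth 2.0 error body; preferred over a custom error code for interoperability.
SERVER_ERROR = {"error": "server_error", "error_description": "Internal Server Error."}

# Constructed symmetric key for the example only; production issuers sign with a key pair.
SIGNING_KEY = b"example-hs256-key-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def encode_id_token(claims: Dict) -> str:
    """Serialise the claim set as a compact HS256-signed JWT."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(SIGNING_KEY, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def decode_id_token(token: str) -> Dict:
    """Verify the HS256 signature and return the claim set; raises on a bad signature."""
    header, payload, signature = token.split(".")
    expected = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), signature):
        raise ValueError("ID token signature does not verify")
    padded = payload + "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def missing_required_claims(claims: Dict) -> list:
    """Names of mandatory claims that are absent or empty, in spec order."""
    return [name for name in REQUIRED_ID_TOKEN_CLAIMS if not claims.get(name)]


def handle_token_request(
    grant_type: str,
    issuer: str,
    client_id: str,
    claims_provider: Callable[[], Dict],
    now: int,
    lifetime: int = 3600,
) -> Tuple[int, Dict]:
    """Return (HTTP status, JSON body) for the ID-token part of a token response.

    claims_provider stands in for the pluggable grant handler, including a custom grant
    type, and returns the user-specific claims it wants in the ID token; a buggy handler
    may leave out 'sub', which is the case the server must refuse to sign.
    """
    # Constructed opaque access token; only the ID-token handling matters here.
    access_token = _b64url(hashlib.sha256(f"{client_id}:{now}".encode()).digest())
    body = {"access_token": access_token, "token_type": "Bearer", "expires_in": lifetime}
    if grant_type == "client_credentials":
        # No resource owner is authenticated in this grant, so there is no subject to
        # assert about: return the access token only, never an ID token.
        return 200, body
    claims = {"iss": issuer, "aud": client_id, "iat": now, "exp": now + lifetime}
    claims.update(claims_provider())
    if missing_required_claims(claims):
        # The server cannot build a valid ID token. That is a server-side fault, so the
        # standard server_error goes back instead of an invented error code.
        return 500, dict(SERVER_ERROR)
    body["id_token"] = encode_id_token(claims)
    return 200, body
```

The check runs before signing, so a handler that omits "sub" never produces a token that downstream relying parties would have to reject.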


Re: [Dev] Why is redirect_uris mandatory in DCR request?

2017-04-27 Thread Gayan Gunawardana
t;>>
>>>>> WSO2 Inc.
>>>>>
>>>>> Web : http://wso2.com
>>>>>
>>>>> Mobile : 0719214873 <071%20921%204873>
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Thanks & Regards,
>>>>
>>>> *Johann Dilantha Nallathamby*
>>>> Technical Lead & Product Lead of WSO2 Identity Server
>>>> Governance Technologies Team
>>>> WSO2, Inc.
>>>> lean.enterprise.middleware
>>>>
>>>> Mobile - *+9476950*
>>>> Blog - *http://nallaa.wordpress.com <http://nallaa.wordpress.com>*
>>>>
>>>
>>>
>>>
>>> --
>>> Pushpalanka.
>>> --
>>> Pushpalanka Jayawardhana, B.Sc.Eng.(Hons).
>>> Senior Software Engineer, WSO2 Lanka (pvt) Ltd;  wso2.com/
>>> Mobile: +94779716248
>>> Blog: pushpalankajaya.blogspot.com/ | LinkedIn: lk.linkedin.com/in/p
>>> ushpalanka/ | Twitter: @pushpalanka
>>>
>>>
>>
>>
>> --
>>
>> Best Regards,
>>
>> Nuwandi Wickramasinghe
>>
>> Software Engineer
>>
>> WSO2 Inc.
>>
>> Web : http://wso2.com
>>
>> Mobile : 0719214873
>>
>> ___
>> Dev mailing list
>> Dev@wso2.org
>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>
>>
>
>
> --
> Manoj Gunawardena
> Tech Lead
> WSO2, Inc.: http://wso2.com
> lean.enterprise.middleware
> Mobile : +94 77 2291643
>
> ___
> Dev mailing list
> Dev@wso2.org
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>
>
>
> ___
> Dev mailing list
> Dev@wso2.org
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>
>


-- 
Gayan Gunawardana
Software Engineer; WSO2 Inc.; http://wso2.com/
Email: ga...@wso2.com
Mobile: +94 (71) 8020933
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


Re: [Dev] How to Wrap Java Exception in UUF

2017-03-14 Thread Gayan Gunawardana
I was able to get errorCode as well, since cause.getTargetException()
provides the UserPortalUIException.

On Tue, Mar 14, 2017 at 9:24 AM, Gayan Gunawardana <ga...@wso2.com> wrote:

>
>
> On Tue, Mar 14, 2017 at 9:17 AM, Ayesha Dissanayaka <aye...@wso2.com>
> wrote:
>
>> Hi,
>>
>> I think this[1] has to be fixed from UUF in order to be able to access
>> original exception.
>>
> Still, cause.getTargetException() gives the original exception; how can we get
> errorCode in that case?
>
>>
>> [1] https://github.com/wso2/carbon-uuf/issues/177
>>
>> Thanks!
>> -Ayesha
>>
>>
>> On Tue, Mar 14, 2017 at 9:10 AM, Gayan Gunawardana <ga...@wso2.com>
>> wrote:
>>
>>>
>>> Hi UUF team,
>>>
>>> Client OSGi service throws UserPortalUIException with an error message
>>> (message) and an error code (errorCode).
>>>
>>> String error = "Failed to update user password.";
>>> LOGGER.error(error, e);
>>> throw new UserPortalUIException(error, e.getErrorCode());
>>>
>>> From the client-side .js I can retrieve the error message as below:
>>>
>>> } catch (e) {
>>>     var message = e.message;
>>>     var cause = e.getCause();
>>>     if (cause != null) {
>>>         // the exceptions thrown by the actual OSGi service method are
>>>         // wrapped inside an InvocationTargetException.
>>>         if (cause instanceof java.lang.reflect.InvocationTargetException) {
>>>             message = cause.getTargetException().message;
>>>         }
>>>     }
>>> }
>>>
>>> Is there a way to retrieve errorCode as well?
>>>
>>> Thanks,
>>> Gayan
>>>
>>> --
>>> Gayan Gunawardana
>>> Software Engineer; WSO2 Inc.; http://wso2.com/
>>> Email: ga...@wso2.com
>>> Mobile: +94 (71) 8020933
>>>
>>
>>
>>
>> --
>> *Ayesha Dissanayaka*
>> Senior Software Engineer,
>> WSO2, Inc : http://wso2.com
>> 20, Palm grove Avenue, Colombo 3
>> E-Mail: aye...@wso2.com <ayshsa...@gmail.com>
>>
>
>
>
> --
> Gayan Gunawardana
> Software Engineer; WSO2 Inc.; http://wso2.com/
> Email: ga...@wso2.com
> Mobile: +94 (71) 8020933
>



-- 
Gayan Gunawardana
Software Engineer; WSO2 Inc.; http://wso2.com/
Email: ga...@wso2.com
Mobile: +94 (71) 8020933
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


Re: [Dev] How to Wrap Java Exception in UUF

2017-03-13 Thread Gayan Gunawardana
On Tue, Mar 14, 2017 at 9:17 AM, Ayesha Dissanayaka <aye...@wso2.com> wrote:

> Hi,
>
> I think this[1] has to be fixed from UUF in order to be able to access
> original exception.
>
Still, cause.getTargetException() gives the original exception; how can we get
errorCode in that case?

>
> [1] https://github.com/wso2/carbon-uuf/issues/177
>
> Thanks!
> -Ayesha
>
>
> On Tue, Mar 14, 2017 at 9:10 AM, Gayan Gunawardana <ga...@wso2.com> wrote:
>
>>
>> Hi UUF team,
>>
>> Client OSGi service throws UserPortalUIException with an error message
>> (message) and an error code (errorCode).
>>
>> String error = "Failed to update user password.";
>> LOGGER.error(error, e);
>> throw new UserPortalUIException(error, e.getErrorCode());
>>
>> From the client-side .js I can retrieve the error message as below:
>>
>> } catch (e) {
>>     var message = e.message;
>>     var cause = e.getCause();
>>     if (cause != null) {
>>         // the exceptions thrown by the actual OSGi service method are
>>         // wrapped inside an InvocationTargetException.
>>         if (cause instanceof java.lang.reflect.InvocationTargetException) {
>>             message = cause.getTargetException().message;
>>         }
>>     }
>> }
>>
>> Is there a way to retrieve errorCode as well?
>>
>> Thanks,
>> Gayan
>>
>> --
>> Gayan Gunawardana
>> Software Engineer; WSO2 Inc.; http://wso2.com/
>> Email: ga...@wso2.com
>> Mobile: +94 (71) 8020933
>>
>
>
>
> --
> *Ayesha Dissanayaka*
> Senior Software Engineer,
> WSO2, Inc : http://wso2.com
> 20, Palm grove Avenue, Colombo 3
> E-Mail: aye...@wso2.com <ayshsa...@gmail.com>
>



-- 
Gayan Gunawardana
Software Engineer; WSO2 Inc.; http://wso2.com/
Email: ga...@wso2.com
Mobile: +94 (71) 8020933
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


[Dev] How to Wrap Java Exception in UUF

2017-03-13 Thread Gayan Gunawardana
Hi UUF team,

Client OSGi service throws UserPortalUIException with an error message
(message) and an error code (errorCode).

String error = "Failed to update user password.";
LOGGER.error(error, e);
throw new UserPortalUIException(error, e.getErrorCode());

From the client-side .js I can retrieve the error message as below:

} catch (e) {
    var message = e.message;
    var cause = e.getCause();
    if (cause != null) {
        // the exceptions thrown by the actual OSGi service method are
        // wrapped inside an InvocationTargetException.
        if (cause instanceof java.lang.reflect.InvocationTargetException) {
            message = cause.getTargetException().message;
        }
    }
}

Is there a way to retrieve errorCode as well?

Thanks,
Gayan

-- 
Gayan Gunawardana
Software Engineer; WSO2 Inc.; http://wso2.com/
Email: ga...@wso2.com
Mobile: +94 (71) 8020933
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


Re: [Dev] [GSoC 2017][IS] SCIM 2.0 Compliance Test Suite

2017-03-09 Thread Gayan Gunawardana
Hi Vindula,

Thanks for your interest in this project.
Since you have good knowledge of the SCIM 2.0 specifications, could you
please look at the SCIM 1.1 compliance test and its source code [1]. The SCIM 2.0
compliance test doesn't need to be the same as SCIM 1.1; just get an idea from
the SCIM 1.1 compliance test. Further, you can extract test scenarios from [2]
as well.

[1] https://github.com/erdtman/simplecloud.info
[2]
https://github.com/wso2-extensions/identity-inbound-provisioning-scim2/tree/master/tests

Thanks,
Gayan

On Thu, Mar 9, 2017 at 7:51 PM, Vindula Jayawardana <
vindula...@cse.mrt.ac.lk> wrote:

> Hi,
>
> I am Vindula Jayawardana, a final year undergraduate of Computer Science
> and Engineering Department of University of Moratuwa. I am interested in
> applying for the "Proposal 21: [IS] SCIM 2.0 compliance test suite" which
> you have offered for the GSoC project idea pool.
>
> I have a good understanding on SCIM core and protocol specifications for
> both SCIM 1.1 and SCIM 2.0. Based on my knowledge I have written few blog
> posts specifically catering on SCIM [1] and the use cases of SCIM [2]. Also
> I have tried SCIM 1.1 and 2.0 APIs of wso2 IS. I went though the references
> provided and would like to know more on the scope of the coverage report
> and detailed analysis view need to be generated as a deliverable. Could you
> kindly guide me on the said matter.
>
> [1] - https://medium.com/@vindulajayawardana/scim-make-it-fast-cheap-and-easy-b2bd56492c15#.ec1kncbde
> [2] - https://medium.com/@vindulajayawardana/5-things-that-will-not-be-a-nightmare-anymore-if-you-support-scim-9353d73836a7#.ihcm9aqub
>
> Thank you,
>
> *Vindula Jayawardana*
> Computer Science and Engineering Dept.
> University of Moratuwa
> mobile : +713462554
> Email : vindul...@gmail.com
>
> <https://www.facebook.com/vindula.jayawardana>
> <http://lk.linkedin.com/pub/vindula-jayawardana/a7/315/53b>
> <https://plus.google.com/u/0/+VindulaJayawardana/posts>
> <https://twitter.com/vindulajay>
>
> *“Respect is how to treat everyone, not just those you want to impress. "*
>
>
> *-Richard Branson-*
>
>
>


-- 
Gayan Gunawardana
Software Engineer; WSO2 Inc.; http://wso2.com/
Email: ga...@wso2.com
Mobile: +94 (71) 8020933
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


Re: [Dev] [IS 6.0.0] [SCIM 2.0] Extend SCIM2.0 meta data in the SCIM response to include User Life cycle State

2017-03-01 Thread Gayan Gunawardana
On Wed, Mar 1, 2017 at 1:38 PM, Indunil Upeksha Rathnayake <indu...@wso2.com
> wrote:

> Hi,
>
> In IS 6.0.0 with SCIM 2.0 support, we are planning to Extend SCIM2.0 meta
> data in the SCIM response to include User Life cycle State. Currently, in
> database level, "state" parameter is getting saved in the "IDM_USER" table
> (Refer [1]).
>
> As per the SCIM2 Core specification(Refer [2]), there are specifically
> defined sub attributes for the "meta" attribute. So that, I think it's
> invalid to include "state" inside the meta attributes in the response as
> below.
>
> "meta":{*"state":"CREATED"*, "created":"2017-02-28T11:50:12Z","location":"http://localhost:9292/scim/v2/Users/1.945a6def-d139-4abc-9090-e4dd10217580","lastModified":"2017-02-28T11:50:12Z","resourceType":"User"}
>
> "state" is not defined as a core attribute in the specification, so that
> it need to be considered as an extended attribute and need to be added from
> a SCIM extension. If so, "state" can't be added for the list of meta
> attributes since, extended attributes are kept in their own sub-attribute
> namespace identified by the schema extension URI [2].
>
Meta attributes are a common set of attributes shared across all entities
such as User, Group, etc. IMO we shouldn't, and can't, include the "state"
attribute under the meta attributes.

>
> Is it appropriate to add "state" attribute from a SCIM extension and add
> it to the response separately as below?
>

> {
>   "meta": {
>     "created": "2017-02-28T11:50:12Z",
>     "location": "http://localhost:9292/scim/v2/Users/1.945a6def-d139-4abc-9090-e4dd10217580",
>     "lastModified": "2017-02-28T11:50:12Z",
>     "resourceType": "User"
>   },
>   "schemas": [
>     "urn:ietf:params:scim:schemas:core:2.0:User",
>     "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
>   ],
>   "name": {"familyName": "user1"},
>   "id": "1.945a6def-d139-4abc-9090-e4dd10217580",
>   "userName": "user1",
>   "EnterpriseUser": {"state": "CREATED"}
> }
>
+1 to having an enterprise user extension for the "state" attribute. What are
the available values for the "state" attribute? Also check the "active"
attribute in the standard schema.

> Appreciate your ideas.
>
> [1] https://github.com/wso2/carbon-identity-mgt/blob/master/feature/org.wso2.carbon.identity.mgt.feature/resources/dbscripts/identity-mgt/h2.sql#L29
> [2] https://tools.ietf.org/html/rfc7643#section-3.1
>
> Thanks and Regards
> --
> Indunil Upeksha Rathnayake
> Software Engineer | WSO2 Inc
> Email indu...@wso2.com
> Mobile   0772182255
>



-- 
Gayan Gunawardana
Software Engineer; WSO2 Inc.; http://wso2.com/
Email: ga...@wso2.com
Mobile: +94 (71) 8020933
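The two structural points argued in this thread (nothing custom under "meta", and custom attributes living under a schema-extension namespace) can be checked mechanically. Below is an added example, not WSO2 or SCIM-specification code, that validates a SCIM 2.0 User resource against RFC 7643 on exactly those points. RFC 7643 keys extension attributes by the extension's schema URI (its own enterprise-extension example uses "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User" as the key), so the passing sample below uses that form rather than a bare "EnterpriseUser" key. Assumptions: the sample resources are constructed from the JSON quoted above, and the "state" lifecycle attribute is carried under the enterprise extension URI as the thread proposes; a real server adding its own attribute would normally publish its own extension schema URI through /Schemas instead.

```python
# Added example (not WSO2 or SCIM-spec code): structural checks on a SCIM 2.0
# User resource encoding the two points argued in the thread.
# Assumptions, all hypothetical: the sample resources are constructed from
# the thread's JSON, and "state" is carried under the enterprise extension
# URI exactly as the thread proposes.

CORE_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE_USER_SCHEMA = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"

# RFC 7643 section 3.1: the only sub-attributes "meta" may carry.
META_SUB_ATTRIBUTES = {"resourceType", "created", "lastModified", "location", "version"}

# Common attributes (section 3.1) plus the core User attributes (section 4.1).
CORE_USER_ATTRIBUTES = {
    "id", "externalId", "meta", "schemas",
    "userName", "name", "displayName", "nickName", "profileUrl", "title",
    "userType", "preferredLanguage", "locale", "timezone", "active",
    "password", "emails", "phoneNumbers", "ims", "photos", "addresses",
    "groups", "entitlements", "roles", "x509Certificates",
}


def validate_user(resource):
    """Return a list of problems found in a SCIM User resource; [] means it passes."""
    problems = []
    schemas = resource.get("schemas", [])
    if CORE_USER_SCHEMA not in schemas:
        problems.append("schemas must list " + CORE_USER_SCHEMA)
    # Point 1: nothing custom belongs in "meta".
    for key in resource.get("meta", {}):
        if key not in META_SUB_ATTRIBUTES:
            problems.append(f"meta.{key} is not a defined meta sub-attribute")
    # Point 2: anything that is not a core attribute must sit under a
    # schema-extension URI, and that URI must be declared in "schemas".
    for key, value in resource.items():
        if key in CORE_USER_ATTRIBUTES:
            continue
        if not key.startswith("urn:"):
            problems.append(f"{key} is neither a core attribute nor a schema extension URI")
        elif key not in schemas:
            problems.append(f"extension {key} is used but not declared in schemas")
        elif not isinstance(value, dict):
            problems.append(f"extension {key} must be a complex attribute")
    return problems


def extension_attribute(resource, schema_uri, name):
    """Read an extension attribute by its namespaced key, e.g. the proposed "state"."""
    return resource.get(schema_uri, {}).get(name)


# Constructed sample responses, built from the JSON quoted in the thread.
_META = {"created": "2017-02-28T11:50:12Z", "lastModified": "2017-02-28T11:50:12Z",
         "location": "http://localhost:9292/scim/v2/Users/1.945a6def-d139-4abc-9090-e4dd10217580",
         "resourceType": "User"}
_BASE = {"schemas": [CORE_USER_SCHEMA, ENTERPRISE_USER_SCHEMA],
         "id": "1.945a6def-d139-4abc-9090-e4dd10217580",
         "userName": "user1", "name": {"familyName": "user1"}}

# First proposal in the thread: "state" inside meta.
STATE_IN_META = dict(_BASE, meta=dict(_META, state="CREATED"))
# Second proposal as written: extension keyed by a bare name.
BARE_EXTENSION_KEY = dict(_BASE, meta=_META, EnterpriseUser={"state": "CREATED"})
# RFC 7643 form: extension keyed by its schema URI.
NAMESPACED_EXTENSION = dict(_BASE, meta=_META, **{ENTERPRISE_USER_SCHEMA: {"state": "CREATED"}})

if __name__ == "__main__":
    for label, res in [("state in meta", STATE_IN_META),
                       ("bare extension key", BARE_EXTENSION_KEY),
                       ("namespaced extension", NAMESPACED_EXTENSION)]:
        print(label, "->", validate_user(res) or "ok")
    print("state:", extension_attribute(NAMESPACED_EXTENSION, ENTERPRISE_USER_SCHEMA, "state"))
```

Note that "active" is already a core boolean attribute, so the validator accepts it at top level; a multi-valued lifecycle "state" is a different thing and is why the thread reaches for an extension.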


Re: [Dev] Error while initiating response builder

2017-02-27 Thread Gayan Gunawardana
@Thusitha

Is there any reason behind this?

Does it require MSF4JRuntimeDelegate from jaxrs-delegates? As far as I can
remember, we added noStart() to jaxrs-delegates since it is a fragment
bundle.

Thanks,
Gayan


Re: [Dev] Error while initiating response builder

2017-02-26 Thread Gayan Gunawardana
@Hasintha

Please add this to your dependency list and check.


<dependency>
    <groupId>org.wso2.msf4j</groupId>
    <artifactId>jaxrs-delegates</artifactId>
    <version>${msf4j.version}</version>
    <scope>test</scope>
</dependency>

optionList.add(mavenBundle()
        .groupId("org.wso2.msf4j")
        .artifactId("jaxrs-delegates")
        .versionAsInProject()
        .noStart());

Thanks,

Gayan


On Sat, Feb 25, 2017 at 9:07 PM, Hasintha Indrajee <hasin...@wso2.com>
wrote:

> @KasunG : We cannot exclude this dependency since it's required to build
> up the OSGi environment for tests. I checked and removed all other transitive
> ways of inheriting this dependency. But still the issue is there.
>
> @Thusitha : This is not due to picking two bundles. Rather picking a
> bundle and a maven dependency, I guess. So we need to find a way to
> exclude this maven dependency from test run time. I checked adding
> different scopes (e.g. test, compile), but still couldn't get it solved.
>
> On Sat, Feb 25, 2017 at 5:17 PM, Thusitha Thilina Dayaratne <
> thusit...@wso2.com> wrote:
>
>> Hi Hasintha,
>>
>> According to the stacktrace, it seems that the RuntimeDelegate class is
>> loaded from 2 bundles. Can you check if you have 2 dependencies which
>> provide this class?
>>
>> Thanks
>> Thusitha
>>
>> On Sat, Feb 25, 2017 at 5:10 PM, Hasintha Indrajee <hasin...@wso2.com>
>> wrote:
>>
>>>
>>> Hi all,
>>>
>>> I am getting the following class cast exception while initiating a
>>> Response builder. Following is the line of code causing this issue. Note
>>> that I am only getting this while running tests. Any idea about the cause
>>> of this issue?
>>>
>>> Response.ResponseBuilder builder = Response.noContent();
>>>
>>>
>>> msf4j-core[org.wso2.msf4j.internal.MSF4JMessageProcessor] : Unmapped exception
>>> java.lang.LinkageError: ClassCastException: attempting to castjar:file:/home/hasinthaindrajee/.m2/repository/javax/ws/rs/javax.ws.rs-api/2.0/javax.ws.rs-api-2.0.jar!/javax/ws/rs/ext/RuntimeDelegate.class to bundleresource://53.fwk689654773/javax/ws/rs/ext/RuntimeDelegate.class
>>> at javax.ws.rs.ext.RuntimeDelegate.findDelegate(RuntimeDelegate.java:146)
>>> at javax.ws.rs.ext.RuntimeDelegate.getInstance(RuntimeDelegate.java:120)
>>> at javax.ws.rs.core.Response$ResponseBuilder.newInstance(Response.java:848)
>>> at javax.ws.rs.core.Response.status(Response.java:590)
>>> at javax.ws.rs.core.Response.status(Response.java:601)
>>> at javax.ws.rs.core.Response.accepted(Response.java:709)
>>> at org.wso2.carbon.identity.sample.outbound.response.ACSRequestResponseBuilderFactory.createBuilder(ACSRequestResponseBuilderFactory.java:16)
>>> at org.wso2.carbon.identity.gateway.resource.GatewayManager.execute(GatewayManager.java:86)
>>> at org.wso2.carbon.identity.gateway.resource.GatewayResource.processGet(GatewayResource.java:59)
>>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>> at java.lang.reflect.Method.invoke(Method.java:498)
>>> at org.wso2.msf4j.internal.router.HttpMethodInfo.invoke(HttpMethodInfo.java:132)
>>> at org.wso2.msf4j.internal.MSF4JMessageProcessor.dispatchMethod(MSF4JMessageProcessor.java:130)
>>> at org.wso2.msf4j.internal.MSF4JMessageProcessor.receive(MSF4JMessageProcessor.java:72)
>>> at org.wso2.carbon.transport.http.netty.listener.WorkerPoolDispatchingSourceHandler.lambda$publishToWorkerPool$12(WorkerPoolDispatchingSourceHandler.java:125)
>>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>> at java.lang.Thread.run(Thread.java:745)
>>>
>>> --
>>> Hasintha Indrajee
>>> WSO2, Inc.
>>> Mobile: +94 771892453
>>>
>>>
>>
>>
>> --
>> Thusitha Dayaratne
>> Software Engineer
>> WSO2 Inc. - lean . enterprise . middleware |  wso2.com
>>
>> Mobile  +94712756809
>> Blog    alokayasoya.blogspot.com
>> About   http://about.me/thusithathilina
>>
>>
>
>
> --
> Hasintha Indrajee
> WSO2, Inc.
> Mobile: +94 771892453
>
>
>
>


-- 
Gayan Gunawardana
Software Engineer; WSO2 Inc.; http://wso2.com/
Email: ga...@wso2.com
Mobile: +94 (71) 8020933


Re: [Dev] HTTP Verb PATCH support for MSF4J

2017-02-26 Thread Gayan Gunawardana
On Sun, Feb 26, 2017 at 11:48 PM, Afkham Azeez <az...@wso2.com> wrote:

> Someone suggested on SO to use the PATCH annotation from io.swagger.jaxrs
>
> That may be a good alternative since we already support Swagger.
>
Thanks for the alternative, so we can go with io.swagger.jaxrs.PATCH.

>
> On Sun, Feb 26, 2017 at 11:46 PM, Afkham Azeez <az...@wso2.com> wrote:
>
>> We can add that annotation to MSF4J itself.
>>
>> On Sun, Feb 26, 2017 at 11:28 PM, Gayan Gunawardana <ga...@wso2.com>
>> wrote:
>>
>>> Hi All,
>>>
>>> Since javax.ws.rs does not provide the HTTP verb PATCH, we have to have a
>>> custom PATCH annotation as below.
>>>
>>> import java.lang.annotation.ElementType;
>>> import java.lang.annotation.Retention;
>>> import java.lang.annotation.RetentionPolicy;
>>> import java.lang.annotation.Target;
>>> import javax.ws.rs.HttpMethod;
>>>
>>> @Target({ElementType.METHOD})
>>> @Retention(RetentionPolicy.RUNTIME)
>>> @HttpMethod("PATCH")
>>> public @interface PATCH {}
>>>
>>> Is it ok to have this annotation at component level, or is there any
>>> common place we can put this annotation?
>>>
>>> Alternatively we can use "X-HTTP-Method-Override" header too.
>>>
>>> WDYT ?
>>>
>>> Thanks,
>>> Gayan
>>>
>>> --
>>>
>>> Gayan Gunawardana
>>> Software Engineer; WSO2 Inc.; http://wso2.com/
>>> Email: ga...@wso2.com
>>> Mobile: +94 (71) 8020933
>>>
>>
>>
>>
>> --
>> Afkham Azeez
>> Senior Director, Platform Architecture; WSO2, Inc.; http://wso2.com
>> Member; Apache Software Foundation; http://www.apache.org/
>> email: az...@wso2.com
>> cell: +94 77 3320919
>> blog: http://blog.afkham.org
>> twitter: http://twitter.com/afkham_azeez
>> linked-in: http://lk.linkedin.com/in/afkhamazeez
>>
>> Lean . Enterprise . Middleware
>>
>
>
>
> --
> Afkham Azeez
> Senior Director, Platform Architecture; WSO2, Inc.; http://wso2.com
> Member; Apache Software Foundation; http://www.apache.org/
> email: az...@wso2.com
> cell: +94 77 3320919
> blog: http://blog.afkham.org
> twitter: http://twitter.com/afkham_azeez
> linked-in: http://lk.linkedin.com/in/afkhamazeez
>
> Lean . Enterprise . Middleware
>



-- 
Gayan Gunawardana
Software Engineer; WSO2 Inc.; http://wso2.com/
Email: ga...@wso2.com
Mobile: +94 (71) 8020933
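A custom @HttpMethod("PATCH") annotation (or the io.swagger.jaxrs.PATCH one the thread settles on) is the safe route, because the framework still dispatches on the real request method; the "X-HTTP-Method-Override" fallback mentioned above is where the access-control risk lives. A server that honours that header must authorise on the effective method, otherwise a caller who is only permitted to POST can tunnel PATCH or DELETE past a method-based check. Below is an added example, not MSF4J or WSO2 code, that shows the weak resolution beside a hardened one. Assumptions, all hypothetical: a role-to-methods policy table, an allow-list of methods the override may name, and that the override is honoured only on POST, the method the header exists to tunnel through. Caveat: JAX-RS 2.1 later added javax.ws.rs.PATCH, so on a 2.1 or newer API the custom annotation is unnecessary.

```python
# Added example (not MSF4J code): resolving X-HTTP-Method-Override without
# letting it bypass method-based access control.
# Assumptions, all hypothetical: the POLICY table, the TUNNELLED_METHODS
# allow-list, and the rule that an override is only accepted on POST.
OVERRIDE_HEADER = "x-http-method-override"
TUNNELLED_METHODS = {"PATCH", "PUT", "DELETE"}

POLICY = {
    "viewer": {"GET"},
    "editor": {"GET", "POST", "PUT", "PATCH"},
    "admin":  {"GET", "POST", "PUT", "PATCH", "DELETE"},
}


def header(headers, name):
    """Case-insensitive header lookup; returns None when absent."""
    for key, value in headers.items():
        if key.lower() == name:
            return value
    return None


def effective_method(method, headers):
    """Method the request must be dispatched and authorised as.

    Raises ValueError for an override on anything but POST, or to a method
    outside the allow-list, so a GET carrying "X-HTTP-Method-Override: DELETE"
    is rejected outright rather than silently honoured or ignored.
    """
    wire = method.upper()
    override = header(headers, OVERRIDE_HEADER)
    if override is None:
        return wire
    target = override.strip().upper()
    if wire != "POST":
        raise ValueError(f"{OVERRIDE_HEADER} is only accepted on POST, got {wire}")
    if target not in TUNNELLED_METHODS:
        raise ValueError(f"override to {target} is not allowed")
    return target


def authorize_naive(role, method, headers):
    """Weak form: authorises the wire method, then dispatches on the override.

    Returns (allowed, dispatched_method). An editor, who may POST but not
    DELETE, gets a DELETE through.
    """
    allowed = method.upper() in POLICY.get(role, set())
    dispatched = (header(headers, OVERRIDE_HEADER) or method).upper()
    return allowed, dispatched


def authorize(role, method, headers):
    """Hardened form: resolve the effective method first, then authorise that.

    Returns (allowed, effective_method); a malformed override yields (False, None).
    """
    try:
        target = effective_method(method, headers)
    except ValueError:
        return False, None
    return target in POLICY.get(role, set()), target


if __name__ == "__main__":
    # Constructed request: an editor tunnelling DELETE through POST.
    req = ("editor", "POST", {"X-HTTP-Method-Override": "DELETE"})
    print("naive:   ", authorize_naive(*req))
    print("hardened:", authorize(*req))
```

The same rule applies to any other method-tunnelling mechanism (a `_method` form field, for instance): decide the effective method once, early, and run every downstream check against that value.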

