[Dev] [IS-5.9.0-m1]Intermittent failures due to FatalTemplateErrorsException

2019-07-12 Thread Hasini Witharana
Hi All,

In IS-5.9.0-m1 pack, there are intermittent failures due to the below
error[1].

Caused by: com.hubspot.jinjava.interpret.FatalTemplateErrorsException:
InterpretException: Error resolving expression
[user.association.enable_for_federated_users]: ClassCastException:
java.util.HashMap$Node cannot be cast to java.util.HashMap$TreeNode

This happens because we have provided a mix of LinkedHashMap and Map type
properties to the gson library[2]. We have fixed it in
carbon-kernel-4.5.0-m2[3].

[1] - https://github.com/wso2/product-is/issues/5900
[2] - https://github.com/google/gson
[3] - https://github.com/wso2/carbon-kernel/pull/2103/files

Thank You.
Hasini.
-- 
*Hasini Witharana | **Software Engineer | **WSO2 Inc <https://wso2.com/>*
*(m) 0766435725 | (w) 0713850143 | (e) hasi...@wso2.com *
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


Re: [Dev] [Architecture] [VOTE] Release WSO2 Identity Server 5.8.0 RC3

2019-05-22 Thread Hasini Witharana
://github.com/wso2/product-is/milestone/82?closed=1>
>>>>>>>- 5.8.0-RC1 fixes
>>>>>>><https://github.com/wso2/product-is/milestone/78?closed=1>
>>>>>>>- 5.8.0-Beta5 fixes
>>>>>>><https://github.com/wso2/product-is/milestone/80?closed=1>
>>>>>>>- 5.8.0-Beta4 fixes
>>>>>>><https://github.com/wso2/product-is/milestone/79?closed=1>
>>>>>>>- 5.8.0-Beta3 fixes
>>>>>>><https://github.com/wso2/product-is/milestone/77?closed=1>
>>>>>>>- 5.8.0-Beta fixes
>>>>>>><https://github.com/wso2/product-is/milestone/75?closed=1>
>>>>>>>- 5.8.0-Alpha5 fixes
>>>>>>><https://github.com/wso2/product-is/milestone/74?closed=1>
>>>>>>>- 5.8.0-Alpha4 fixes
>>>>>>><https://github.com/wso2/product-is/milestone/73?closed=1>
>>>>>>>- 5.8.0-Alpha3 fixes
>>>>>>><https://github.com/wso2/product-is/milestone/72?closed=1>
>>>>>>>- 5.8.0-Alpha2 fixes
>>>>>>><https://github.com/wso2/product-is/milestone/71?closed=1>
>>>>>>>- 5.8.0-Alpha fixes
>>>>>>><https://github.com/wso2/product-is/milestone/70?closed=1>
>>>>>>>- 5.8.0-M26 fixes
>>>>>>><https://github.com/wso2/product-is/milestone/69?closed=1>
>>>>>>>- 5.8.0-M25 fixes
>>>>>>><https://github.com/wso2/product-is/milestone/68?closed=1>
>>>>>>>- 5.8.0-M24 fixes
>>>>>>><https://github.com/wso2/product-is/milestone/67?closed=1>
>>>>>>>- 5.8.0-M6 fixes
>>>>>>><https://github.com/wso2/product-is/milestone/64?closed=1>
>>>>>>>- 5.8.0-M5 fixes
>>>>>>><https://github.com/wso2/product-is/milestone/63?closed=1>
>>>>>>>- 5.8.0-M4 fixes
>>>>>>><https://github.com/wso2/product-is/milestone/62?closed=1>
>>>>>>>- 5.8.0-M3 fixes
>>>>>>><https://github.com/wso2/product-is/milestone/61?closed=1>
>>>>>>>- 5.8.0-M2 fixes
>>>>>>><https://github.com/wso2/product-is/milestone/60?closed=1>
>>>>>>>- 5.8.0-M1 fixes
>>>>>>><https://github.com/wso2/product-is/milestone/59?closed=1>
>>>>>>>
>>>>>>>
>>>>>>> Source and distribution
>>>>>>>
>>>>>>> Runtime - https://github.com/wso2/product-is/releases/tag/v
>>>>>>> <https://github.com/wso2/product-is/releases/download/v5.8.0-rc3/wso2is-5.8.0-rc3.zip>
>>>>>>> 5.8.0-rc3
>>>>>>> <https://github.com/wso2/product-is/releases/download/v5.8.0-rc3/wso2is-5.8.0-rc3.zip>
>>>>>>> Analytics -
>>>>>>> https://github.com/wso2/analytics-is/releases/tag/v5.8.0-rc3
>>>>>>> <https://github.com/wso2/analytics-is/releases/download/v5.8.0-rc3/wso2is-analytics-5.8.0-rc3.zip>
>>>>>>>
>>>>>>>
>>>>>>> Please download, test the product and vote.
>>>>>>>
>>>>>>> [+] Stable - go ahead and release
>>>>>>> [-] Broken - do not release (explain why)
>>>>>>>
>>>>>>>
>>>>>>> Thanks,
>>>>>>> - WSO2 Identity and Access Management Team -
>>>>>>>
>>>>>>> --
>>>>>>>
>>>>>>> Hasanthi Dissanayake
>>>>>>>
>>>>>>> Senior Software Engineer | WSO2
>>>>>>>
>>>>>>> E: hasan...@wso2.com
>>>>>>> M :0718407133| http://wso2.com <http://wso2.com/>
>>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>>
>>>>>> Hasanthi Dissanayake
>>>>>>
>>>>>> Senior Software Engineer | WSO2
>>>>>>
>>>>>> E: hasan...@wso2.com
>>>>>> M :0718407133| http://wso2.com <http://wso2.com/>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> *Shanika Wickramasinghe*
>>>>> Software Engineer - QA Team
>>>>>
>>>>> Email: shani...@wso2.com
>>>>> Mobile  : +94713503563
>>>>> Web : http://wso2.com
>>>>>
>>>>> <http://wso2.com/signature>
>>>>>
>>>>
>>>>
>>>> --
>>>> *Isuranga Perera* | Software Engineer | WSO2 Inc.
>>>>  +94 71 735 7034 | isura...@wso2.com 
>>>>
>>>> ___
>>>> Architecture mailing list
>>>> architect...@wso2.org
>>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>>>
>>>
>>>
>>> --
>>>
>>> Hasanthi Dissanayake | Senior Software Engineer | WSO2 Inc.
>>> (m) +94718407133 | (w) +94112145345  | Email: hasan...@wso2.com
>>>
>>>
>>
>> --
>>
>> Hasanthi Dissanayake | Senior Software Engineer | WSO2 Inc.
>> (m) +94718407133 | (w) +94112145345  | Email: hasan...@wso2.com
>>
>>
>


-- 
*Hasini Witharana | **Software Engineer | **WSO2 Inc <https://wso2.com/>*
*(m) 0766435725 | (w) 0713850143 | (e) hasi...@wso2.com *


Re: [Dev] Error when accessing SP after changing TokenPersistenceProcessor in identity.xml

2019-05-08 Thread Hasini Witharana
Hi Farasath,

Thank you for the clarification.

Thank You.
Hasini.

On Wed, May 8, 2019 at 2:56 PM Farasath Ahamed  wrote:

> Hi Hasini,
>
> AFAIS this is the expected behaviour.
>
> Changing the token processor with existing data cannot be done unless
> you bring the old data to the format understood by the new token processor.
>
> Regards,
> Farasath
>
> On Wed, May 8, 2019 at 2:53 PM Hasini Witharana  wrote:
>
>> Hi All,
>>
>> I created an SP with the below property.
>>
>> *org.wso2.carbon.identity.oauth.tokenprocessor.PlainTextPersistenceProcessor*
>>
>> Then I changed the configuration as below, restarted the server and
>> created another SP.
>>
>> *org.wso2.carbon.identity.oauth.tokenprocessor.EncryptionDecryptionPersistenceProcessor*
>>
>> When I try to edit the first SP which was created before the config
>> change I got the below error. Is this the expected behaviour?
>>
>> Caused by: org.wso2.carbon.identity.oauth.IdentityOAuthAdminException:
>> Error occurred while processing client id and client secret by
>> TokenPersistenceProcessor
>> at
>> org.wso2.carbon.identity.oauth.dao.OAuthConsumerDAO.getOAuthConsumerSecret(OAuthConsumerDAO.java:87)
>> at
>> org.wso2.carbon.identity.oauth2.internal.OAuthApplicationMgtListener.getClientSecret(OAuthApplicationMgtListener.java:294)
>> at
>> org.wso2.carbon.identity.oauth2.internal.OAuthApplicationMgtListener.addClientSecret(OAuthApplicationMgtListener.java:270)
>>
>> Thank You.
>> Hasini
>> --
>> *Hasini Witharana | **Software Engineer | **WSO2 Inc <https://wso2.com/>*
>> *(m) 0766435725 | (w) 0713850143 | (e) hasi...@wso2.com
>> *
>>
>>
>
> --
> Farasath Ahamed
> Associate Technical Lead, WSO2 Inc.: http://wso2.com
> Mobile: +94777603866
> Blog: https://farasath.blogspot.com / https://medium.com/@farasath
> Twitter: @farazath619 <https://twitter.com/farazath619>
> <http://wso2.com/signature>
>
>
>
>

-- 
*Hasini Witharana | **Software Engineer | **WSO2 Inc <https://wso2.com/>*
*(m) 0766435725 | (w) 0713850143 | (e) hasi...@wso2.com *


[Dev] Error when accessing SP after changing TokenPersistenceProcessor in identity.xml

2019-05-08 Thread Hasini Witharana
Hi All,

I created an SP with the below property.
*org.wso2.carbon.identity.oauth.tokenprocessor.PlainTextPersistenceProcessor*

Then I changed the configuration as below, restarted the server and
created another SP.
*org.wso2.carbon.identity.oauth.tokenprocessor.EncryptionDecryptionPersistenceProcessor*

When I try to edit the first SP which was created before the config change
I got the below error. Is this the expected behaviour?

Caused by: org.wso2.carbon.identity.oauth.IdentityOAuthAdminException:
Error occurred while processing client id and client secret by
TokenPersistenceProcessor
at
org.wso2.carbon.identity.oauth.dao.OAuthConsumerDAO.getOAuthConsumerSecret(OAuthConsumerDAO.java:87)
at
org.wso2.carbon.identity.oauth2.internal.OAuthApplicationMgtListener.getClientSecret(OAuthApplicationMgtListener.java:294)
at
org.wso2.carbon.identity.oauth2.internal.OAuthApplicationMgtListener.addClientSecret(OAuthApplicationMgtListener.java:270)

Thank You.
Hasini
-- 
*Hasini Witharana | **Software Engineer | **WSO2 Inc <https://wso2.com/>*
*(m) 0766435725 | (w) 0713850143 | (e) hasi...@wso2.com *


Re: [Dev] Tenant OIDC logout fails with 'ID token signature validation failed.' error

2019-04-04 Thread Hasini Witharana
Hi Ruwan/Sathya,

There are some standard claims defined in the OIDC specification[1], but none
of them can be used instead of "realm" or "tenant_domain".
However, the spec also says that it is okay to add any other claims to the
id_token[2].

[1] - https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims
[2] - https://openid.net/specs/openid-connect-core-1_0.html#IDToken

Thank You.
Hasini

On Fri, Apr 5, 2019 at 6:30 AM Ruwan Abeykoon  wrote:

> Hi Sathya,
> I do not see any issue adding the info-set to the id-token, as
> conceptually it carries more information about the user's identity.
> Did we check if there are any standard claims in the id token we could use,
> instead of "realm", "tenant_domain", etc.?
>
> Cheers,
> Ruwan A
>
> On Thu, Apr 4, 2019 at 11:43 PM Sathya Bandara  wrote:
>
>> Hi all,
>>
>> In the OIDC logout flow, we send the ID token as a user identification method
>> similar to the following request.
>>
>> https://localhost:9443/oidc/logout?id_token_hint=
>> _logout_redirect_uri=
>> http://localhost:8080/playground2/oauth2client=1
>>
>> When validating the ID token, we are trying to get the tenant domain from the
>> subject claim of the id token hint [1] in the default flow. This will only
>> work if '*append tenant domain to subject identifier'* is selected in
>> the SP configuration. In other scenarios it fails with the error
>> "access_denied ID token signature validation failed." This is because if the
>> subject does not contain the tenant domain, we try to validate the id token
>> with the super tenant's keystore. Further, this fails when the subject identifier is
>> set as the email claim, and the email contains a different domain such as
>> sat...@wso2.com 
>>
>> We have a config in identity.xml ('SignJWTWithSPKey') to enable/disable signing
>> the ID token with the SP's keystore. As this configuration is disabled by
>> default, the ID token will be signed and validated using the user's tenant domain,
>> leading to the above issue.
>>
>> As a possible solution, we have decided to include the user's tenant domain and
>> userstore domain as claims in the id token generated by IS. This can be
>> disabled by a config; however, in the default pack it will be enabled by
>> default. A sample id token is as follows.
>>
>> {
>>   "at_hash": "Bi9jGB-EIZ94gVzHZv5trQ",
>>   "aud": "b3F9IGMtm0aKGlHfG4BnI2Ypi7Qa",
>>   "sub": "sathya",
>>   "realm": {
>>     "tenant_domain": "wso2.com",
>>     "userstore_domain": "PRIMARY"
>>   },
>>   "iss": "https://localhost:9443/oauth2/token",
>>   "exp": 1554367465,
>>   "iat": 1554363865
>> }
>>
>> Also, the 'SignJWTWithSPKey' property will be enabled by default in the
>> product, honoring the service provider's tenant domain when obtaining keys for
>> signing and validating id tokens.
>>
>> Highly appreciate your suggestions and concerns on this.
>>
>> [1]
>> https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oidc.session/src/main/java/org/wso2/carbon/identity/oidc/session/servlet/OIDCLogoutServlet.java#L331
>> Thanks,
>> Sathya
>> --
>> Sathya Bandara
>> Senior Software Engineer
>> Blog: https://medium.com/@technospace
>> WSO2 Inc. http://wso2.com
>> Mobile: (+94) 715 360 421 <+94%2071%20411%205032>
>>
>> <+94%2071%20411%205032>
>>
>
>
> --
>
> *Ruwan Abeykoon*
> *Associate Director/Architect**,*
> *WSO2, Inc. http://wso2.com <https://wso2.com/signature> *
> *lean.enterprise.middleware.*
>
>


-- 
*Hasini Witharana | **Software Engineer | **WSO2 Inc <https://wso2.com/>*
*(m) 0766435725 | (w) 0713850143 | (e) hasi...@wso2.com *
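The tenant-resolution problem discussed in the thread above, as an added example that is not WSO2 code: the tenant whose keystore must verify the id_token_hint is picked from the proposed "realm" claim, else from a tenant-qualified subject, else the super tenant, and an email-shaped subject without a realm claim selects the wrong key. The per-tenant HMAC keys, the super tenant name and the sample subjects are constructed stand-ins for the tenant keystores.

```python
# Added example (not WSO2 code): resolving which tenant's key should verify an
# id_token_hint during OIDC logout. HS256-style HMAC keys stand in for the RSA
# keys held in each tenant keystore; token values and keys are constructed.
import base64
import hashlib
import hmac
import json

SUPER_TENANT = "carbon.super"  # assumed name of the default tenant


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_id_token(claims: dict, key: bytes) -> str:
    """Constructed token: header.payload.signature, HMAC-SHA256 over header.payload."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def unverified_claims(token: str) -> dict:
    """Read the payload without trusting it; it only tells us which key to try."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def resolve_tenant(claims: dict, tenant_in_subject: bool) -> str:
    """Pick the tenant whose keystore should verify the token, in this order:
    1. realm.tenant_domain (the claim the thread proposes adding),
    2. the suffix of 'sub' when the SP appends the tenant domain to it,
    3. the super tenant (the fallback that made the logout fail)."""
    realm = claims.get("realm") or {}
    if isinstance(realm, dict) and realm.get("tenant_domain"):
        return realm["tenant_domain"]
    sub = claims.get("sub", "")
    if tenant_in_subject and "@" in sub:
        return sub.rsplit("@", 1)[1]
    return SUPER_TENANT


def verify_id_token_hint(token: str, tenant_keys: dict, tenant_in_subject: bool) -> tuple:
    """Return (ok, tenant_used); ok is False when the selected tenant's key
    does not verify the signature or no such tenant exists."""
    claims = unverified_claims(token)
    tenant = resolve_tenant(claims, tenant_in_subject)
    key = tenant_keys.get(tenant)
    if key is None:
        return False, tenant
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, _b64url_decode(sig)), tenant


# Constructed per-tenant keys (stand-ins for tenant keystores).
TENANT_KEYS = {SUPER_TENANT: b"super-tenant-key", "wso2.com": b"wso2-tenant-key"}


def demo() -> dict:
    base = {"aud": "b3F9IGMtm0aKGlHfG4BnI2Ypi7Qa", "iss": "https://localhost:9443/oauth2/token",
            "exp": 1554367465, "iat": 1554363865}
    # Both tokens were issued (signed) by the wso2.com tenant.
    # Case 1: email used as subject, no realm claim: '@' suffix is a mail domain, not a tenant.
    email_sub = sign_id_token({**base, "sub": "sathya@example.org"}, TENANT_KEYS["wso2.com"])
    # Case 2: same subject, realm claim present: the tenant is read from the claim.
    with_realm = sign_id_token({**base, "sub": "sathya@example.org",
                                "realm": {"tenant_domain": "wso2.com",
                                          "userstore_domain": "PRIMARY"}},
                               TENANT_KEYS["wso2.com"])
    return {
        # falls back to the super tenant key -> signature check fails
        "email_subject_no_realm": verify_id_token_hint(email_sub, TENANT_KEYS, False),
        # 'append tenant to subject' enabled -> treats example.org as a tenant
        "email_subject_append": verify_id_token_hint(email_sub, TENANT_KEYS, True),
        # realm claim -> correct tenant key
        "with_realm_claim": verify_id_token_hint(with_realm, TENANT_KEYS, False),
    }
```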


[Dev] How to configure SMTP servers which use trust based authentication?

2019-03-28 Thread Hasini Witharana
Hi all,

In output-event-adapters.xml, under the email configuration, there is a comment
as below.

 **

Do we support this feature? Is there any documentation on configuring SMTP
servers with trust-based authentication?

Your help is highly appreciated.

Thank you,
Hasini
-- 
*Hasini Witharana | **Software Engineer | **WSO2 Inc <https://wso2.com/>*
*(m) 0766435725 | (w) 0713850143 | (e) hasi...@wso2.com *


Re: [Dev] JWT WSO2

2019-03-07 Thread Hasini Witharana
Hi Felipe,

Refer to step 6 in the blog [1] for the claim configuration.
[1] -
https://medium.com/@hasiniwitharana/openid-connect-certification-configurations-for-basic-profile-with-wso2-identity-server-e3cd511a9f37

Thank You.

On Thu, Feb 7, 2019 at 9:56 PM Felipe Pinheiro <
felipe.pinhe...@ifactory.com.br> wrote:

> Hello,
>
> I am trying to make a change in the JWT by adding new information sent in the
> request (/token).
>
> Is there a way to send a parameter in a custom grant type and add that
> parameter inside the JWT?
>
> I have had this issue for some weeks and I don't know if it is possible
> to perform that change in the JWT.
>
> Thank you very much.
>
> Cheers,
> Felipe Pinheiro
> Software Developer
> [image: telephone] +55 85 996123367 [image: skype] live:felipeagpinheiro 
> [image:
> linkedin] linkedin.com/in/felipe-pinheiro-8b045587
> <https://www.linkedin.com/in/felipe-pinheiro-8b045587/>
> Innovating Commerce with Shopping Intelligence
> [image: OSF Banner]
> <https://www.osf-commerce.com/ifactory-solutions-acquisition>
> https://www.osf-commerce.com/
>


-- 
*Hasini Witharana*
Undergraduate | Department of Computer Science and Engineering
University of Moratuwa
Linkedin <https://www.linkedin.com/in/hasini-witharana-185785109/>


Re: [Dev] How to exclude nillable elements from the response of an Admin Service

2019-02-07 Thread Hasini Witharana
Hi All,

Sorry for the previous reply.

I have added the "@XmlElement(name = "element1")" annotation on top of the
attribute "element1" and its get method. According to [1], this annotation
should exclude null elements. [2], [3] and [4] are some resources that are
useful for the solution. Still, the nillable elements are not excluded from
the response.

[1] - https://dzone.com/articles/binding-json-xml-handling-null
[2] -
https://stackoverflow.com/questions/25665279/axis-1-4-how-to-exclude-nilllable-elements
[3] -
https://java-user.axis.apache.narkive.com/krE98CcC/jaxb-util-creating-omelement-based-on-annotations
[4] -
https://markmail.org/search/?q=list%3Aorg.apache.ws.axis-user+omit+null#query:list%3Aorg.apache.ws.axis-user%20omit%20null+page:1+mid:f6isx6k4tnnpuy4n+state:results

Thank You.
Hasini

On Thu, Feb 7, 2019 at 7:03 PM Hasini Witharana  wrote:

> Hi All,
>
> I have added a new attribute "element1" to SAMLSSOServiceProviderDTO.
> The admin service IdentitySAMLSSOConfigService has been changed by that
> addition. "element1" is represented in the WSDL as follows.
>
> 
>
> For an existing service provider, when the getServiceProviders method is
> called, "element1" returns null. The response is shown below.
>
> 
>
>
> For backward compatibility, when an existing client calls the Admin
> Service, the null values should not be present. Is there a way to omit such
> empty elements when the admin service is called?
>
> Thank You.
> Hasini
> --
> *Hasini Witharana | **Software Engineer | **WSO2 Inc <https://wso2.com/>*
> *(m) 0766435725 | (w) 0713850143 | (e) hasi...@wso2.com *
>
>

-- 
*Hasini Witharana | **Software Engineer | **WSO2 Inc <https://wso2.com/>*
*(m) 0766435725 | (w) 0713850143 | (e) hasi...@wso2.com *


Re: [Dev] How to exclude nillable elements from the response of an Admin Service

2019-02-07 Thread Hasini Witharana
Hi All,

I added the "@XmlElement"

On Thu, Feb 7, 2019 at 7:03 PM Hasini Witharana  wrote:

> Hi All,
>
> I have added a new attribute "element1" to SAMLSSOServiceProviderDTO.
> The admin service IdentitySAMLSSOConfigService has been changed by that
> addition. "element1" is represented in the WSDL as follows.
>
> 
>
> For an existing service provider, when the getServiceProviders method is
> called, "element1" returns null. The response is shown below.
>
> 
>
>
> For backward compatibility, when an existing client calls the Admin
> Service, the null values should not be present. Is there a way to omit such
> empty elements when the admin service is called?
>
> Thank You.
> Hasini
> --
> *Hasini Witharana | **Software Engineer | **WSO2 Inc <https://wso2.com/>*
> *(m) 0766435725 | (w) 0713850143 | (e) hasi...@wso2.com *
>
>

-- 
*Hasini Witharana | **Software Engineer | **WSO2 Inc <https://wso2.com/>*
*(m) 0766435725 | (w) 0713850143 | (e) hasi...@wso2.com *


[Dev] How to exclude nillable elements from the response of an Admin Service

2019-02-07 Thread Hasini Witharana
Hi All,

I have added a new attribute "element1" to SAMLSSOServiceProviderDTO. The admin
service IdentitySAMLSSOConfigService has been changed by that addition.
"element1" is represented in the WSDL as follows.



For an existing service provider, when the getServiceProviders method is
called, "element1" returns null. The response is shown below.



For backward compatibility, when an existing client calls the Admin
Service, the null values should not be present. Is there a way to omit such
empty elements when the admin service is called?

Thank You.
Hasini
-- 
*Hasini Witharana | **Software Engineer | **WSO2 Inc <https://wso2.com/>*
*(m) 0766435725 | (w) 0713850143 | (e) hasi...@wso2.com *


[Dev] [IS]Code Refactoring in Response Type Handlers.

2017-11-09 Thread Hasini Witharana
Hi all,

In the TokenResponseTypeHandler[1] class we handle both the token and id_token
response types. When refactoring the code I have separated the logic into
two classes, where one class handles the creation of the access token and the other
class handles the creation of the id_token.

There is a concern: if a customer has extended the TokenResponseTypeHandler
class and made some modifications to the id_token, after this refactoring that
customer will fail to continue the work as before. How should I proceed?

[1] -
https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/authz/handlers/TokenResponseTypeHandler.java

Thank you.

-- 

*Hasini Witharana*
Software Engineering Intern | WSO2


*Email : hasi...@wso2.com <hasi...@wso2.com>*

*Mobile : +94713850143[image: http://wso2.com/signature]
<http://wso2.com/signature>*


[Dev] Need to change the type of some variables to make the Identity Server, OIDC compliant.

2017-09-19 Thread Hasini Witharana
Hi,

The OIDC test suite has been updated and now new issues have come up in the basic
profile (where response_type=code). The issues are given below.

1. OP-scope-email
 Here email_verified is returned as a string in the id_token and it
should be a boolean value.

2. OP-scope-phone
 Here phone_number_verified is returned as a string in the id_token and
it should be a boolean value.

If we change these parameters to return boolean values, will the existing
users be affected by that?

Thank you.
-- 

*Hasini Witharana*
Software Engineering Intern | WSO2


*Email : hasi...@wso2.com <hasi...@wso2.com>*

*Mobile : +94713850143[image: http://wso2.com/signature]
<http://wso2.com/signature>*


Re: [Dev] Dynamic client registration request fails due to no user information in the request header.

2017-09-17 Thread Hasini Witharana
+prabath

On Sat, Sep 16, 2017 at 2:08 PM, Johann Nallathamby <joh...@wso2.com> wrote:

>
>
> On Sat, Sep 16, 2017 at 1:37 PM, Farasath Ahamed <farasa...@wso2.com>
> wrote:
>
>>
>>
>>
>>
>> On Sat, Sep 16, 2017 at 1:21 PM, Johann Nallathamby <joh...@wso2.com>
>> wrote:
>>
>>> Tenant domain of the application should always be read from the resource
>>> path - i.e. URL.
>>>
>>> We can't read it from the user since we will have to support SaaS mode,
>>> which is to authenticate with a super tenant user and create the
>>> application in a tenant.
>>>
>>
>>
>> Can we really do this? Authenticate from super tenant credentials and
>> create an application in tenant?
>>
>> Our token endpoint derives the app's tenant domain from the tenantDomain
>> of the user who created the app[1]. The assumption behind it is that we can
>> create apps across tenants, i.e. a user from super tenant cannot go and
>> create an app in a tenant.
>>
>
> I didn't think much about the DCR use case. I was talking in general.
> First we need to think if the SaaS scenario is applicable for DCR. If it is, we
> need to fix the above limitation :). AFAIK the above limitation comes because of
> the limitation in the schema we have, and maybe some model objects.
> Nothing else. This is because OAuth2 was written way before IS 5.0.0, which
> introduced the SaaS concept. Maybe we even don't need to fix it immediately.
> But we must follow the same security pattern for all REST endpoints, regardless
> of limitations within the component.
>
>
>>
>>
>> [1] https://github.com/wso2-extensions/identity-inbound-auth
>> -oauth/blob/master/components/org.wso2.carbon.identity.oauth
>> /src/main/java/org/wso2/carbon/identity/oauth2/token/AccessT
>> okenIssuer.java#L129
>>
>>
>>>
>>> Please note that this is a standard pattern we follow in IS now, for
>>> almost all endpoints. Therefore no one could be ignorant about it. Any new
>>> REST endpoint development must follow the same security pattern. We do
>>> this with the help of the Authn/Authz valve implemented by Harsha.
>>>
>>> Regards,
>>> Johann.
>>>
>>> On Sat, Sep 16, 2017 at 1:11 PM, Hasintha Indrajee <hasin...@wso2.com>
>>> wrote:
>>>
>>>> Just asking for my knowledge,
>>>>
>>>> How do we identify the tenant domain of the application? Do we have it
>>>> in the context path? Do we get it from the user? Or do we have any way to
>>>> convey it within the body (by appending to something)? In case we get
>>>> it from the identified user, how are we going to identify it from a request
>>>> without any authentication mechanism?
>>>>
>>>> On Sat, Sep 16, 2017 at 12:36 PM, Gayan Gunawardana <ga...@wso2.com>
>>>> wrote:
>>>>
>>>>>
>>>>>
>>>>> On Fri, Sep 15, 2017 at 2:47 PM, Hasini Witharana <hasi...@wso2.com>
>>>>> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> In OIDC dynamic client registration, in the request header we need to
>>>>>> send an already existing user and the password to register a client in
>>>>>> WSO2 Identity Server. In the OIDC specification[1], it is not mandatory to
>>>>>> send user details to register a client.
>>>>>>
>>>>>> When running the OIDC test suite for the dynamic profile, the test suite
>>>>>> does not send any user details in the header. So we can't create any
>>>>>> client and the test fails.
>>>>>>
>>>>>> For that issue, if no user details are provided in the
>>>>>> registration request we can assign an anonymous user (*wso2*.
>>>>>> *anonymous*.*user*) and register the client.
>>>>>>
>>>>> IMO the correct design should be to completely remove the requirement of
>>>>> having a user. If we use *"wso2*.*anonymous*.*user" *some applications
>>>>> may have a real username and some applications may have *"wso2*.
>>>>> *anonymous*.*user" *which ends up with inconsistency.
>>>>> Also we need to think about creating a role per service provider if any
>>>>> user doesn't have that role.
>>>>>
>>>>>>
>>>>>> [1] - https://openid.n

[Dev] Dynamic client registration request fails due to no user information in the request header.

2017-09-15 Thread Hasini Witharana
Hi,

In OIDC dynamic client registration, in the request header we need to send
an already existing user and the password to register a client in WSO2
Identity Server. In the OIDC specification[1], it is not mandatory to send user
details to register a client.

When running the OIDC test suite for the dynamic profile, the test suite does not
send any user details in the header. So we can't create any client and the
test fails.

For that issue, if no user details are provided in the registration
request we can assign an anonymous user (*wso2*.*anonymous*.*user*) and
register the client.

[1] - https://openid.net/specs/openid-connect-registration-1_0.html

-- 

*Hasini Witharana*
Software Engineering Intern | WSO2


*Email : hasi...@wso2.com <hasi...@wso2.com>*

*Mobile : +94713850143[image: http://wso2.com/signature]
<http://wso2.com/signature>*


[Dev] Some tests in OIDC test suite are not working for response_type = id_token

2017-09-04 Thread Hasini Witharana
Hi,

Some tests in the OIDC certification test suite[1] are not working for
response_type = id_token. The tests that are not working are given below.

   - OP-scope-All
   - OP-scope-phone
   - OP-scope-email
   - OP-scope-address
   - OP-scope-profile
   - OP-Response-form_post

For these tests we don't get any feedback from the test suite. When I
inquired about that, the OIDC certification community opened a GitHub issue
for not giving any response [2].

I checked our response against the Gluu server's response for the test
"OP-scope-address". Gluu server is fully OIDC certified. The comparison is
attached below.

The number of parameters is the same in both responses and the only difference is
the "aud" value, which is returned as a list in the id_token in our response whereas Gluu
returns it as a string.

As per the OIDC specification[3], the "aud" value is defined as below.

aud: REQUIRED. Audience(s) that this ID Token is intended for. It MUST
contain the OAuth 2.0 client_id of the Relying Party as an audience value.
It MAY also contain identifiers for other audiences. In the general case,
the aud value is an array of case sensitive strings. *In the common special
case when there is one audience, the aud value MAY be a single case
sensitive string.*

We only return one audience for the "aud" value but it is returned as an array.
As per the specification it is not mandatory to return a string as the "aud"
value when it contains only one value.

However, these same tests work fine for the other response
types (code, id_token token). In those cases also, we return the "aud"
value as an array.

Can you please help me with this issue?

Thank you.

[1] - https://op.certification.openid.net:60024
[2] - https://github.com/openid-certification/oidctest/issues/48
[3] - http://openid.net/specs/openid-connect-core-1_0.html

-- 

*Hasini Witharana*
Software Engineering Intern | WSO2


*Email : hasi...@wso2.com <hasi...@wso2.com>*

*Mobile : +94713850143 <+94%2071%20385%200143>[image:
http://wso2.com/signature] <http://wso2.com/signature>*
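The two id_token claim-typing points raised in the certification threads above (the "aud" value as a single string or an array, and email_verified / phone_number_verified as JSON booleans rather than strings), as an added relying-party-side example that is not WSO2 code. The client_id, sample payloads and the strict/lenient switch are constructed for the example.

```python
# Added example (not WSO2 code): relying-party checks for the two id_token
# claim-typing issues discussed above. Sample payloads are constructed.
import json

VERIFIED_CLAIMS = ("email_verified", "phone_number_verified")


def check_audience(claims: dict, client_id: str) -> bool:
    """Accept 'aud' as a single string or an array of strings (OIDC Core 2 / 3.1.3.7);
    it must contain our client_id. With several audiences the spec recommends that an
    'azp' claim is present and names this client, which is enforced here."""
    aud = claims.get("aud")
    if isinstance(aud, str):
        audiences = [aud]
    elif isinstance(aud, list) and all(isinstance(a, str) for a in aud):
        audiences = aud
    else:
        return False
    if client_id not in audiences:
        return False
    if len(audiences) > 1 and claims.get("azp") != client_id:
        return False
    return True


def normalise_verified_flags(claims: dict, strict: bool = True) -> dict:
    """Return a copy of the claims with *_verified guaranteed to be bool.
    strict=True rejects string values (what the certification suite expects);
    strict=False maps legacy "true"/"false" strings for IdPs that still emit them."""
    out = dict(claims)
    for name in VERIFIED_CLAIMS:
        if name not in out:
            continue
        value = out[name]
        if isinstance(value, bool):
            continue
        if not strict and isinstance(value, str) and value.lower() in ("true", "false"):
            out[name] = value.lower() == "true"
            continue
        raise ValueError(f"{name} must be a JSON boolean, got {value!r}")
    return out


def parse_id_token_payload(payload_json: str, client_id: str, strict: bool = True) -> dict:
    """Decode a (already signature-checked) payload and apply both checks."""
    claims = json.loads(payload_json)
    if not check_audience(claims, client_id):
        raise ValueError("aud does not contain this client")
    return normalise_verified_flags(claims, strict)


# Constructed samples: one shaped as the thread describes IS returning it
# (array aud, string flag), one as the spec's common special case.
CLIENT_ID = "b3F9IGMtm0aKGlHfG4BnI2Ypi7Qa"
IS_STYLE = json.dumps({"aud": [CLIENT_ID], "sub": "hasini",
                       "email": "hasini@example.org", "email_verified": "true"})
SPEC_STYLE = json.dumps({"aud": CLIENT_ID, "sub": "hasini",
                         "email": "hasini@example.org", "email_verified": True})
```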




Re: [Dev] Regarding auth_time claim in OIDC id_token

2017-08-29 Thread Hasini Witharana
Hi Asela,

We take the session updated time as the new auth_time.

Thank you.

On Tue, Aug 29, 2017 at 5:59 PM, Asela Pathberiya <as...@wso2.com> wrote:

>
>
> On Tue, Aug 29, 2017 at 4:29 PM, Hasini Witharana <hasi...@wso2.com>
> wrote:
>
>> Hi Asela,
>>
>> If SP sends a force auth request, we update the existing session.
>>
>
> So, are we generating a new auth_time when the session is updated?
>
>
>>
>> Thanks,
>> Hasini
>>
>>
>>
>> On Wed, Aug 23, 2017 at 1:27 PM, Asela Pathberiya <as...@wso2.com> wrote:
>>
>>>
>>>
>>> On Wed, Aug 23, 2017 at 12:46 PM, Hasini Witharana <hasi...@wso2.com>
>>> wrote:
>>>
>>>> Hi,
>>>>
>>>> In the OIDC specification auth_time is defined as below.[1]
>>>>
>>>> Time when the End-User authentication occurred. Its value is a JSON
>>>> number representing the number of seconds from 1970-01-01T0:0:0Z as
>>>> measured in UTC until the date/time. When a max_age request is made or
>>>> when auth_time is requested as an Essential Claim, then this Claim is
>>>> REQUIRED; otherwise, its inclusion is OPTIONAL.
>>>>
>>>> In the current implementation, when the user is authenticated for the
>>>> first time using user credentials, auth_time is considered as the session
>>>> created time. After that, when the user implicitly logs in using a cookie
>>>> without giving user credentials, auth_time is considered as the session updated
>>>> time.
>>>>
>>>
>>> If SP sends a force auth request, are we creating a new session or
>>> updating the existing session?
>>>
>>> If max_age is expired, does SP need to send a force auth request or
>>> just an authentication request?
>>>
>>> Thanks,
>>> Asela.
>>>
>>>>
>>>> I think the auth_time should be the first time the user authenticated
>>>> using credentials.
>>>> [2] is the fix made for this issue.
>>>>
>>>> Thank you.
>>>>
>>>> [1] - http://openid.net/specs/openid-connect-core-1_0.html
>>>> [2] - https://github.com/wso2-extensions/identity-inbound-auth-oau
>>>> th/pull/455
>>>>
>>>> --
>>>>
>>>> *Hasini Witharana*
>>>> Software Engineering Intern | WSO2
>>>>
>>>>
>>>> *Email : hasi...@wso2.com <hasi...@wso2.com>*
>>>>
>>>> *Mobile : +94713850143 <+94%2071%20385%200143>[image:
>>>> http://wso2.com/signature] <http://wso2.com/signature>*
>>>>
>>>
>>>
>>>
>>> --
>>> Thanks & Regards,
>>> Asela
>>>
>>> ATL
>>> Mobile : +94 777 625 933 <+94%2077%20762%205933>
>>>  +358 449 228 979
>>>
>>> http://soasecurity.org/
>>> http://xacmlinfo.org/
>>>
>>
>>
>>
>> --
>>
>> *Hasini Witharana*
>> Software Engineering Intern | WSO2
>>
>>
>> *Email : hasi...@wso2.com <hasi...@wso2.com>*
>>
>> *Mobile : +94713850143 <+94%2071%20385%200143>[image:
>> http://wso2.com/signature] <http://wso2.com/signature>*
>>
>
>
>
> --
> Thanks & Regards,
> Asela
>
> ATL
> Mobile : +94 777 625 933 <+94%2077%20762%205933>
>  +358 449 228 979
>
> http://soasecurity.org/
> http://xacmlinfo.org/
>



-- 

*Hasini Witharana*
Software Engineering Intern | WSO2


*Email : hasi...@wso2.com <hasi...@wso2.com>*

*Mobile : +94713850143[image: http://wso2.com/signature]
<http://wso2.com/signature>*


Re: [Dev] Regarding auth_time claim in OIDC id_token

2017-08-29 Thread Hasini Witharana
Hi Asela,

If SP sends a force auth request, we update the existing session.

Thanks,
Hasini



On Wed, Aug 23, 2017 at 1:27 PM, Asela Pathberiya <as...@wso2.com> wrote:

>
>
> On Wed, Aug 23, 2017 at 12:46 PM, Hasini Witharana <hasi...@wso2.com>
> wrote:
>
>> Hi,
>>
>> In the OIDC specification auth_time is defined as below.[1]
>>
>> Time when the End-User authentication occurred. Its value is a JSON
>> number representing the number of seconds from 1970-01-01T0:0:0Z as
>> measured in UTC until the date/time. When a max_age request is made or
>> when auth_time is requested as an Essential Claim, then this Claim is
>> REQUIRED; otherwise, its inclusion is OPTIONAL.
>>
>> In the current implementation, when the user is authenticated for the
>> first time using user credentials, auth_time is taken as the session
>> created time. After that, when the user is implicitly logged in using a
>> cookie without giving user credentials, auth_time is taken as the session
>> updated time.
>>
>
> If the SP sends a force auth request, are we creating a new session or
> updating the existing session?
>
> If max_age has expired, does the SP need to send a force auth request or
> just an authentication request?
>
> Thanks,
> Asela.
>
>>
>> I think auth_time should be the time the user first authenticated
>> using credentials.
>> [2] is the fix made for this issue.
>>
>> Thank you.
>>
>> [1] - http://openid.net/specs/openid-connect-core-1_0.html
>> [2] - https://github.com/wso2-extensions/identity-inbound-auth-oauth/pull/455
>>
>
>
>
> --
> Thanks & Regards,
> Asela
>
> ATL
> Mobile : +94 777 625 933
>  +358 449 228 979
>
> http://soasecurity.org/
> http://xacmlinfo.org/
>



-- 

*Hasini Witharana*
Software Engineering Intern | WSO2


*Email : hasi...@wso2.com*

*Mobile : +94713850143*
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


[Dev] Regarding auth_time claim in OIDC id_token

2017-08-23 Thread Hasini Witharana
Hi,

In the OIDC specification auth_time is defined as below.[1]

Time when the End-User authentication occurred. Its value is a JSON number
representing the number of seconds from 1970-01-01T0:0:0Z as measured in
UTC until the date/time. When a max_age request is made or when auth_time
is requested as an Essential Claim, then this Claim is REQUIRED; otherwise,
its inclusion is OPTIONAL.

In the current implementation, when the user is authenticated for the first
time using user credentials, auth_time is taken as the session created
time. After that, when the user is implicitly logged in using a cookie without
giving user credentials, auth_time is taken as the session updated time.

I think auth_time should be the time the user first authenticated using
credentials.
[2] is the fix made for this issue.

Thank you.

[1] - http://openid.net/specs/openid-connect-core-1_0.html
[2] - https://github.com/wso2-extensions/identity-inbound-auth-oauth/pull/455

-- 

*Hasini Witharana*
Software Engineering Intern | WSO2


*Email : hasi...@wso2.com*

*Mobile : +94713850143*
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
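As an added illustration of the two behaviours discussed in this thread (not code from WSO2 IS or from the pull request above): a hypothetical session model in which auth_time is taken from the last credential-based authentication rather than from the session's last update, alongside the max_age check an OP runs against it. All names are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Session:
    """Hypothetical SSO session record (constructed for this example)."""
    created_at: int          # first credential-based login
    updated_at: int          # bumped on every login, including cookie-based ones
    credential_auth_at: int  # last time the user actually presented credentials


def new_session(now: int) -> Session:
    return Session(created_at=now, updated_at=now, credential_auth_at=now)


def cookie_login(session: Session, now: int) -> None:
    # Implicit login via the SSO cookie: no credentials shown, so only updated_at moves.
    session.updated_at = now


def forced_reauth(session: Session, now: int) -> None:
    # Forced authentication: the user re-enters credentials; as stated in the
    # thread, the existing session is updated rather than replaced.
    session.updated_at = now
    session.credential_auth_at = now


def auth_time_before_fix(session: Session) -> int:
    # Behaviour described as the problem: auth_time follows the session update, so a
    # cookie login alone makes the session look freshly authenticated to the RP.
    return session.updated_at


def auth_time_claim(session: Session) -> int:
    # Behaviour the thread argues for: auth_time is the last credential-based authentication.
    return session.credential_auth_at


def op_must_reauthenticate(session: Session, max_age: int, now: int) -> bool:
    # OIDC Core: if more than max_age seconds have elapsed since the End-User was
    # actively authenticated, the OP must attempt to re-authenticate before issuing tokens.
    return now - auth_time_claim(session) > max_age


def id_token_claims(session: Session, issuer: str, subject: str, now: int,
                    max_age: Optional[int] = None, auth_time_essential: bool = False) -> Dict[str, object]:
    # auth_time is REQUIRED when max_age was requested or auth_time is an Essential
    # Claim; otherwise it is OPTIONAL and this example omits it.
    claims: Dict[str, object] = {"iss": issuer, "sub": subject, "iat": now}
    if max_age is not None or auth_time_essential:
        claims["auth_time"] = auth_time_claim(session)
    return claims
```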


[Dev] Regarding the OIDC openid scope in WSO2 IS

2017-08-10 Thread Hasini Witharana
Hi,

Currently I am working on making WSO2 IS OpenID Connect certified. I ran a
test that requests essential claims from the OP when the scope is openid. It
gave an error saying unexpected claims were returned.

Then I inquired about this issue through the OIDC specifications mailing
list [1]. From that I got the information that the openid scope should only
return subject and issuer.

IS 5.4.0 is supporting many claims for scope openid. They are:
  sub, email, email_verified, name, family_name, given_name, middle_name, nickname,
  preferred_username, profile, picture, website, gender, birthdate, zoneinfo, locale,
  phone_number, phone_number_verified, address, street, updated_at

I couldn't find where the OIDC specification mentions that the openid
scope should only return subject and issuer.

Can you please help me on this issue?

Thank you.


[1] - http://lists.openid.net/pipermail/openid-specs/2017-August/subject.html

-- 

*Hasini Witharana*
Software Engineering Intern | WSO2


*Email : hasi...@wso2.com*

*Mobile : +94713850143*
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


[Dev] [IDENTITY-6155] Invoking the user info endpoint without properly setting the 'Bearer' header causes server errors

2017-07-28 Thread Hasini Witharana
Hi,

I am working on the jira IDENTITY-6155
<https://wso2.org/jira/browse/IDENTITY-6155>. Invoking the user info
endpoint without adding the access token to the 'Bearer' header causes the
server to return an ArrayIndexOutOfBoundsException with the full stack trace
to the client.

As per the OIDC/OAuth 2.0 specifications [1][2], this sort of request can
be treated as an invalid request.
Please refer to the PR [3] which fixes this issue.

[1]- http://openid.net/specs/openid-connect-core-1_0.html#UserInfoError
[2]- https://tools.ietf.org/html/rfc6750#section-6.2
[3]- https://github.com/wso2-extensions/identity-inbound-auth-oauth/pull/420

Thank you.

-- 

*Hasini Witharana*
Software Engineering Intern | WSO2


*Email : hasi...@wso2.com*

*Mobile : +94713850143*
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
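As an added example of the header handling this report is about (not code from WSO2 IS or from PR 420): a Bearer parser that never indexes past the scheme, beside a one-liner reproducing the reported failure mode, and the RFC 6750 responses a user info endpoint returns for a malformed versus an absent credential. The sample header values are constructed, and the function names are assumptions.

```python
from typing import Dict, Optional, Tuple

# Constructed sample Authorization header values (not captured from WSO2 IS).
SAMPLE_HEADERS = {
    "well_formed":    "Bearer 2YotnFZFEjr1zCsicMWpAA",
    "scheme_only":    "Bearer",             # the IDENTITY-6155 case
    "trailing_space": "Bearer ",
    "wrong_scheme":   "Basic dXNlcjpwYXNz",
    "absent":         None,
}


def token_unsafe(authorization: str) -> str:
    # Mirrors the reported failure mode: blindly taking the element after the scheme
    # raises IndexError (the Java analogue is ArrayIndexOutOfBoundsException) when
    # nothing follows "Bearer", and an unhandled exception leaks a stack trace.
    return authorization.split(" ")[1]


def parse_bearer(authorization: Optional[str]) -> Tuple[str, Optional[str]]:
    """Classify the header: ("ok", token), ("malformed", None) or ("absent", None)."""
    if authorization is None:
        return "absent", None
    parts = authorization.strip().split(None, 1)
    if not parts or parts[0].lower() != "bearer":
        return "absent", None      # no Bearer credential presented at all
    if len(parts) != 2 or not parts[1].strip():
        return "malformed", None   # scheme present but the token is missing
    return "ok", parts[1].strip()


def userinfo_auth_check(authorization: Optional[str],
                        realm: str = "userinfo") -> Tuple[int, Dict[str, str], Optional[str]]:
    """Return (status, response headers, token); only a validated token reaches the endpoint."""
    state, token = parse_bearer(authorization)
    if state == "ok":
        return 200, {}, token
    if state == "malformed":
        # RFC 6750 invalid_request: a malformed token request gets 400 and an error code.
        return 400, {"WWW-Authenticate": f'Bearer realm="{realm}", error="invalid_request"'}, None
    # No authentication information at all: RFC 6750 says the server SHOULD NOT
    # include an error code, only the challenge. Nothing internal is exposed.
    return 401, {"WWW-Authenticate": f'Bearer realm="{realm}"'}, None
```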