Re: [Dev] [IS] Authorization granted for a SP for a different tenant's user when SaaS is disabled

2017-05-10 Thread Ishara Karunarathna
Hi,

On Tue, May 9, 2017 at 10:31 AM, Farasath Ahamed wrote:
> On Tuesday, May 9, 2017, Isura Karunaratne wrote:
>> Hi Fara,
>>
>> I think we can use the following way to fix the problem.
>>
>> - Check an OAuth application is registered for SP in doPreUpdateApplication method, if no

Re: [Dev] [IS] Authorization granted for a SP for a different tenant's user when SaaS is disabled

2017-05-08 Thread Farasath Ahamed
On Tuesday, May 9, 2017, Isura Karunaratne wrote:
> Hi Fara,
>
> I think we can use the following way to fix the problem.
>
> - Check an OAuth application is registered for SP in doPreUpdateApplication method, if not, return and skip the following steps.
> - Get the value of SaaS property in

Re: [Dev] [IS] Authorization granted for a SP for a different tenant's user when SaaS is disabled

2017-05-08 Thread Sathya Bandara
Hi Hasanthi,

On Tue, May 9, 2017 at 8:41 AM, Hasanthi Purnima Dissanayake <hasan...@wso2.com> wrote:
> Hi Sathya,
>
> Does the spec [1] contain any detail about access token revocation?
>
> According to the OAuth 2 spec, revocation of a refresh token should also invalidate all access tokens b

Re: [Dev] [IS] Authorization granted for a SP for a different tenant's user when SaaS is disabled

2017-05-08 Thread Isura Karunaratne
Hi Fara,

I think we can use the following way to fix the problem.

- Check an OAuth application is registered for SP in doPreUpdateApplication method, if not, return and skip the following steps.
- Get the value of SaaS property in ApplicationMgtListener.doPreUpdateApplication() - *value1*

Re: [Dev] [IS] Authorization granted for a SP for a different tenant's user when SaaS is disabled

2017-05-08 Thread Hasanthi Purnima Dissanayake
Hi Sathya,

Does the spec [1] contain any detail about access token revocation?

> It is evident that we should revoke the refresh token such that user is not permitted to obtain further access tokens for the application.

Yes, it is obvious that we should not allow generating access tokens using

Re: [Dev] [IS] Authorization granted for a SP for a different tenant's user when SaaS is disabled

2017-05-08 Thread Farasath Ahamed
On Monday, May 8, 2017, Pulasthi Mahawithana wrote:
> Hi Sathya,
>
> I think it would be better to do this with an application mgt listener rather than doing this at the validation time. We can use an "ApplicationMgtListener.doPostUpdateApplication()"[1] implementation and invalidate all the

Re: [Dev] [IS] Authorization granted for a SP for a different tenant's user when SaaS is disabled

2017-05-08 Thread Pulasthi Mahawithana
Hi Sathya,

I think it would be better to do this with an application mgt listener rather than doing this at the validation time. We can use an "ApplicationMgtListener.doPostUpdateApplication()"[1] implementation and invalidate all the tokens issued to users from other tenants when the application is

[Dev] [IS] Authorization granted for a SP for a different tenant's user when SaaS is disabled

2017-05-08 Thread Sathya Bandara
Hi All,

This is in relation to issue [1], which happens when using a valid access token issued to a SaaS-enabled application (application in a separate domain; user from another tenant domain). After disabling SaaS, it is still possible to use the same access token to access the UserInfo endpoint f