On Wed, Jun 14, 2017 at 11:06 PM, Bhathiya Jayasekara <bhath...@wso2.com> wrote:
> Hi Indunil, > > A few more details. > > On Wed, Jun 14, 2017 at 10:52 PM, Bhathiya Jayasekara <bhath...@wso2.com> > wrote: > >> Hi Indunil, >> >> Please see my comments inline. >> >> On Wed, Jun 14, 2017 at 7:28 PM, Indunil Upeksha Rathnayake < >> indu...@wso2.com> wrote: >> >>> Hi, >>> >>> Thanks all of your valuable feedbacks. Currently we are implementing >>> following REST endpoints. We have modeled the the rest API using swagger >>> and you can find the attached swagger definition as well. Really appreciate >>> your comments and suggestions on the specified endpoints, please mention if >>> there are other required endpoints. >>> >>> >>> Endpoint Method Usage Request Body Response >>> /scopes POST Create Scopes [{"key": "openid", "name": "openid", >>> "description": "openid scope", "bindings": ["role1", "role2"]}] "HTTP/1.1 >>> 201 Created" >>> >> >> Here the request body is a json array. Does that mean we can create >> multiple scopes at once? If not, let's get rid of wrappering squire >> brackets. >> > > My +1 is to have multiple scopes in the request. > > >> >> >>> >>> DELETE Delete Scopes ["key1", "key2"] "HTTP/1.1 201 Deleted" >>> >>> PUT Update Scopes [{"key": "openid", "name": "openid", "description": >>> "openid scope", "bindings": ["role3"]}] "HTTP/1.1 201 Updated" >>> >> >> In these 2 cases the status code should be 200. (We may also use 204 for >> delete like DCRM spec does.) >> > > > From the http spec https://tools.ietf.org/html/rfc2616#section-9.7 : > > A successful response SHOULD be 200 (OK) if the response includes an > entity describing the status, 202 (Accepted) if the action has not > yet been enacted, or 204 (No Content) if the action has been enacted > but the response does not include an entity. > > > So you can choose between 200 or 204 depending on the response body you > send back. > > Further, instead of sending a request body in the DELETE request (which is > not restricted by the spec though), we can send it like this. > > DELETE /scopes?keys=key1,key2 WDYT? +1. @Indunil Did we consider this when implementing delete scopes? Thanks Isura. > > Thanks, > Bhathiya > > >> >> >>> /scopes?filter=maxResults+Eq+100 GET Get all available Scopes >>> [{"key": "openid", "name": "openid", "description": "openid scope", >>> "bindings": []}] >>> >>> /scopes/by-bindings GET Get Scopes by Binding/s {"bindings": ["role1", >>> "role2"]} [{"key": "openid", "name": "openid", "description": "openid >>> scope", "bindings": ["role1", "role2"]}] >>> >> >> This should be a POST if you have a request body. Instead of that, how >> about something like this? >> >> /scopes?bindings=role1,role2 >> >> >>> >>> /scopes/keys GET Get all the available >>> Scope Keys >>> ["key1", "key2"] >>> >>> /scopes/keys/by-bindings GET Get Scope keys >>> by Binding/s {"bindings": ["role1", "role2"]} ["key1", "key2"] >>> >> >> We can do the same here. >> >> /scopes/keys?bindings=role1,role2 >> >> >>> >>> /scopes/{scope_key} GET Get a Scope by Scope Key >>> {"key": "openid", "name": "openid", "description": "openid scope", >>> "bindings": []} >>> >>> DELETE Delete a Scope by >>> Scope Key >>> "HTTP/1.1 201 Deleted" >>> >>> PUT Update a Scope by >>> Scope Key {"key": "openid", "name": "openid", "description": "openid >>> scope", "bindings": ["role3", "role4"]} "HTTP/1.1 201 Updated" >>> >> >> Need to change the status codes as suggested above. >> >> Thanks, >> Bhathiya >> >> >>> >>> >>> @Nuwan: We have a suggestion to modified the database schema as follows >>> to properly store bindings (considering the performance issues in using >>> comma separated values and renaming the "ROLES" field to a generic name), >>> but need to discuss about this and finalize. >>> >>> >>> >>> Appreciate your comments and suggestions and I will arrange a meeting >>> tomorrow to have a further discussion on this. >>> >>> Thanks and Regards >>> >>> >>> On Mon, Jun 12, 2017 at 2:53 AM, Nuwan Dias <nuw...@wso2.com> wrote: >>> >>>> >>>> On Fri, Jun 9, 2017 at 5:46 AM Indunil Upeksha Rathnayake < >>>> indu...@wso2.com> wrote: >>>> >>>>> Hi, >>>>> >>>>> We are currently working on implementing following features which are >>>>> needed for APIM 3.0. You can find the initial discussion details in [1]. >>>>> >>>>> 1. Sign UserInfo JWT response >>>>> 2. Scope registration and Scope binding >>>>> 3. DCRM >>>>> >>>>> >>>>> *Sign UserInfo JWT response:* >>>>> JWT user info response signing implementation is in [1]. >>>>> >>>>> Currently in APIM, there is a key manager global wise configuration to >>>>> configure needed claims which needed to be send in user info response. We >>>>> need to consider, when no SP wise requested claims are configured as in >>>>> APIM, whether we need to send all the claims bound for a specific scope in >>>>> oidc-scope-config.xml. >>>>> Currently in IS, we are sending only those claims which are common in >>>>> both OIDC scope config and SP claim configuration (ie. intersection of >>>>> claim in both these configs). >>>>> >>>>> *Shall we send all the bounded claims if requested claims are not >>>>> defined?* >>>>> >>>>> *Scope registration and Scope binding:* >>>>> New endpoints will be exposed in IS 5.4.0 to handle Scope register, >>>>> bind, update, delete, list etc. >>>>> >>>>> As per the current implementation of APIM and IoT, following things >>>>> can be noticed and have following concerns. >>>>> >>>>> - Scope can be bound with roles or permissions - Uses scope to >>>>> role binding in APIM and uses scope to permission binding in IoT. >>>>> >>>>> >>>>> - Both of the above bindings are stored in "IDN_OAUTH2_SCOPE" >>>>> table where roles and permissions both are stored as a comma separated >>>>> string in same column named "ROLES". AFAIU, there is no indication >>>>> with a >>>>> prefix in scope registration, where to separate the two bindings. >>>>> *There >>>>> can be other bindings which will be added in future, isn't it better to >>>>> renamed the field as "BINDINGS"? There can be a situation where both >>>>> set of >>>>> roles and permissions are bound to a scope?* >>>>> >>>>> Its better to rename but please note that this is a minor version >>>> upgrade and hence it's better to avoid schema changes. >>>> >>>>> >>>>> - >>>>> >>>>> >>>>> - In scope validation, currently there are validators for role >>>>> based and permission based. The corresponding validator will be >>>>> selected >>>>> based on the prefix (ex: Permission based scope validator only >>>>> validates >>>>> the scope which are having "perm" as the prefix of the scopes) and if >>>>> scope >>>>> prefix is not defined, those will directly go to the default role based >>>>> scope validator. *How this prefix has to be considered and >>>>> validated in scope registration with the bindings?* >>>>> >>>>> >>>>> - In scope registration, AFAIU, scope key and name are the >>>>> essential details to be included. *What is the difference of >>>>> theses and where these values will be used? scope key is the unique >>>>> value >>>>> which need to be considered in scope binding?* >>>>> >>>>> >>>>> 1. Scope Register and Bind >>>>> There can be following scenarios a scope can be registered and bound. >>>>> CreateScope - scope key, scope name, roles >>>>> CreateScope - scope key, scope name, permissions >>>>> CreateScope - scope key, scope name >>>>> >>>>> So that we have implemented >>>>> "/api/identity/oauth2/scope/v0.9/registerScope" >>>>> endpoint to register set of scopes with the bindings. "key" and "name" >>>>> cannot be null and bindings(added a generic property rather adding two >>>>> properties for roles and permissions) will be stored as comma separated >>>>> values in IDN_OAUTH2_SCOPE table. >>>>> >>>>>> {"scope": [{"key": "openid", "name": "openid", "description": "openid >>>>>> scope", "bindings": ["role1", "role2"]}]} >>>>>> >>>>> >>>>> 2. Scope Update >>>>> "/updateScope" endpoint to update a set of scopes with the bindings >>>>> which need to be added and deleted. >>>>> >>>>>> {"scope": [{"key": "openid", "addedBindings": ["role3"], >>>>>> "deletedBindings": ["role2"]}]} >>>>>> >>>>> >>>>> 3. Scope Delete >>>>> "/deleteScope" endpoint to delete a set of scopes. >>>>> >>>>>> {"scope": ["scope_key_1", "scope_key_2"]} >>>>>> >>>>> >>>>> 4. Scope List >>>>> Endpoints for following scenarios. >>>>> 1. Get scope by key >>>>> 2. Get scope key list by role/s - given a role or role list, return >>>>> the list of scope keys that includes all of those roles >>>>> 3. Get scope key list by permission/s - given a permission or >>>>> permission list, return the list of scope keys that includes all of those >>>>> permissions >>>>> 4. Get scopes by role/s - for a given role or role list, return the >>>>> list of scopes that includes all of those roles with all the details >>>>> 5. Get scopes by permission/s - for a given permission or permission >>>>> list, return the list of scopes that includes all of those permissions >>>>> with >>>>> all the details >>>>> 6. Get all the available scope keys >>>>> 7. Get all the available scopes with their description and allocated >>>>> roles/permissions >>>>> >>>>> Appreciate your comments and suggestions on this. >>>>> >>>>> >>>>> *DCRM:* >>>>> Abilashini is working on this as a GSoC project and discussion is in >>>>> [3]. >>>>> >>>>> >>>>> [1] Discussion on features which required for APIM to be incl... @ Tue >>>>> May 30, 2017 10:30am - 12pm (IST) (WSO2 Engineering Group) >>>>> [2] https://github.com/wso2-extensions/identity-inbound-auth-oau >>>>> th/pull/385 >>>>> [3] [Dev] GSOC : OAuth 2.0 Dynamic Client Registration Management >>>>> Protocol Support >>>>> >>>>> Thanks and Regards >>>>> >>>>> >>>>> -- >>>>> Indunil Upeksha Rathnayake >>>>> Software Engineer | WSO2 Inc >>>>> Email indu...@wso2.com >>>>> Mobile 0772182255 <077%20218%202255> >>>>> >>>> -- >>>> Nuwan Dias >>>> >>>> Software Architect - WSO2, Inc. http://wso2.com >>>> email : nuw...@wso2.com >>>> Phone : +94 777 775 729 <+94%2077%20777%205729> >>>> >>> >>> >>> >>> -- >>> Indunil Upeksha Rathnayake >>> Software Engineer | WSO2 Inc >>> Email indu...@wso2.com >>> Mobile 0772182255 <077%20218%202255> >>> >> >> >> >> -- >> *Bhathiya Jayasekara* >> *Associate Technical Lead,* >> *WSO2 inc., http://wso2.com <http://wso2.com>* >> >> *Phone: +94715478185 <071%20547%208185>* >> *LinkedIn: http://www.linkedin.com/in/bhathiyaj >> <http://www.linkedin.com/in/bhathiyaj>* >> *Twitter: https://twitter.com/bhathiyax <https://twitter.com/bhathiyax>* >> *Blog: http://movingaheadblog.blogspot.com >> <http://movingaheadblog.blogspot.com/>* >> > > > > -- > *Bhathiya Jayasekara* > *Associate Technical Lead,* > *WSO2 inc., http://wso2.com <http://wso2.com>* > > *Phone: +94715478185 <+94%2071%20547%208185>* > *LinkedIn: http://www.linkedin.com/in/bhathiyaj > <http://www.linkedin.com/in/bhathiyaj>* > *Twitter: https://twitter.com/bhathiyax <https://twitter.com/bhathiyax>* > *Blog: http://movingaheadblog.blogspot.com > <http://movingaheadblog.blogspot.com/>* > -- *Isura Dilhara Karunaratne* Senior Software Engineer | WSO2 Email: is...@wso2.com Mob : +94 772 254 810 <+94%2077%20225%204810> Blog : http://isurad.blogspot.com/
_______________________________________________ Architecture mailing list Architecture@wso2.org https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture