Hi Rushmin,

On Fri, Jan 5, 2018 at 11:50 AM, Hasanthi Purnima Dissanayake <hasan...@wso2.com> wrote:

> Hi Rushmin,
>
> *How is this done now?*
>>
>> The application certificate should be imported to the keystore file and
>> the alias should be mentioned in the service provider so that the service
>> provider can validate the signature against the certificate identified
>> by that alias.
>>
>
> If we have the current option of importing the certificate to the
> keystore, in JWT client authentication [1] we have to provide the
> certificate alias as the client id in order to identify the application. So
> with this implementation we don't need to enforce end users to do the above
> as we can fetch the client_id directly from the db.
>
> +1 for the approach.
>
> [1] [IAM] JWT client authentication for OAuth 2.0 for IS 5.5.0
>
> Thanks,
>
> On Fri, Jan 5, 2018 at 11:31 AM, Rushmin Fernando <rush...@wso2.com> wrote:
>
>>
>> In the identity server, a service provider represents the application
>> which uses the Identity Server as an Identity Provider.
>>
>> In some cases, Identity Server needs to validate the identity of the
>> application to make sure the authentication/authorization requests are
>> coming from the legitimate application.
>>
>> *How is this done now?*
>>
>> The application certificate should be imported to the keystore file and
>> the alias should be mentioned in the service provider so that the service
>> provider can validate the signature against the certificate identified by
>> that alias.
>>
>> *Why does this need to be improved?*
>>
>> 1) The keystore file resides in the file system. Therefore, in a clustered
>> deployment, either the certificate should be added to all the nodes or the
>> keystore file should be synced.
>>
>> 2) The server needs a restart after importing a certificate.
>>
>> *What is the solution?*
>>
>> The certificate should be stored in the database so that it is shared and
>> a restart is not needed.
>>
>> *High-level design/UX decisions*
>>
>> 1) The SP UI will have a new text area to enter the certificate in PEM
>> format.
>>
Is there any specific reason to use a text area here? In the IdP UI, we have an
option to upload the IdP cert. IMO it is better to have that option in the SP
UI as well for UI consistency.

Thanks
Isura.

>
>> 2) The certificate will be stored in the SP_APP table. A new column will
>> be added.
>>
>> *REASON*:
>>
>> Service provider --> certificate is a 1:1 relationship.
>>
>> 3) An interface will be introduced to abstract out the certificate
>> handling of the SP. Two implementations will be there to support the
>> current behavior and the proposed behavior.
>>
>> 4) Current behavior will be deprecated.
>>
>> 5) Choosing between the two implementations is not explicit for the users,
>> so a configuration will not be provided. If a certificate is not available
>> in the database, Identity Server will fall back to the current approach.
>>
>> *REASON*:
>>
>> 1. This feature is about changing an internal implementation. So the
>> users should not worry about it.
>>
>>
>>
>> Please share your thoughts.
>>
>>
>>
>>
>> --
>> *Best Regards*
>>
>> *Rushmin Fernando*
>> *Technical Lead*
>>
>> WSO2 Inc. <http://wso2.com/> - Lean . Enterprise . Middleware
>>
>> mobile : +94775615183
>>
>>
>>
>> _______________________________________________
>> Architecture mailing list
>> Architecture@wso2.org
>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>
>>
>
>
> --
>
> Hasanthi Dissanayake
>
> Senior Software Engineer | WSO2
>
> E: hasan...@wso2.com
> M :0718407133| http://wso2.com <http://wso2.com/>
>



-- 

*Isura Dilhara Karunaratne*
Associate Technical Lead | WSO2
Email: is...@wso2.com
Mob : +94 772 254 810
Blog : http://isurad.blogspot.com/
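The following is an added example, not code from WSO2 Identity Server or from anyone on this thread, of the shape Rushmin's items 3 and 5 describe: one resolver interface, a database-backed implementation that holds the certificate as PEM text keyed by the service provider (which is also why, as Hasanthi notes, a JWT client can be identified by client_id instead of a keystore alias), a keystore-alias implementation for the current behaviour, and a fallback that only takes the old path when nothing is stored in the database. It is written in Go rather than the product's Java so the flow can be run as-is; the type names, the in-memory maps standing in for the SP_APP column and the file keystore, the fixed RSA/SHA-256 signature algorithm and the generated test certificate are all assumptions of this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// ErrNotFound is the only error that may trigger the fallback; a malformed certificate must not.
var ErrNotFound = errors.New("no certificate configured for service provider")

// CertificateResolver is the abstraction of item 3: callers never learn where the certificate came from.
type CertificateResolver interface {
	Resolve(spName string) (*x509.Certificate, error)
}

// ParsePEMCertificate decodes a single PEM-encoded X.509 certificate, as pasted into the SP UI.
func ParsePEMCertificate(pemText string) (*x509.Certificate, error) {
	block, _ := pem.Decode([]byte(pemText))
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("value is not a PEM certificate")
	}
	return x509.ParseCertificate(block.Bytes)
}

// DBCertificateResolver is the proposed behaviour: PEM text per SP. The map is a hypothetical
// stand-in for the new column in SP_APP.
type DBCertificateResolver struct{ PEMBySP map[string]string }

func (r DBCertificateResolver) Resolve(sp string) (*x509.Certificate, error) {
	if pemText := r.PEMBySP[sp]; pemText != "" {
		return ParsePEMCertificate(pemText)
	}
	return nil, ErrNotFound
}

// KeystoreCertificateResolver is the current behaviour: the SP names an alias that is looked up in
// the file keystore. PEMByAlias is a hypothetical in-memory stand-in for that keystore.
type KeystoreCertificateResolver struct{ AliasBySP, PEMByAlias map[string]string }

func (r KeystoreCertificateResolver) Resolve(sp string) (*x509.Certificate, error) {
	if pemText, ok := r.PEMByAlias[r.AliasBySP[sp]]; ok { // unknown SP yields alias "", which no keystore holds
		return ParsePEMCertificate(pemText)
	}
	return nil, ErrNotFound
}

// FallbackResolver is item 5: prefer the database, consult the keystore alias only when nothing is
// stored there, and fail closed (no fallback) when the stored value is malformed.
type FallbackResolver struct{ Primary, Fallback CertificateResolver }

func (r FallbackResolver) Resolve(sp string) (*x509.Certificate, error) {
	cert, err := r.Primary.Resolve(sp)
	if errors.Is(err, ErrNotFound) {
		return r.Fallback.Resolve(sp)
	}
	return cert, err
}

// VerifyRequest authenticates a request claimed to come from sp. The resolved certificate is the
// pinned trust anchor, so the checks are its validity window and the signature over payload.
func VerifyRequest(r CertificateResolver, sp string, payload, sig []byte) error {
	cert, err := r.Resolve(sp)
	if err != nil {
		return err
	}
	if now := time.Now(); now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return errors.New("certificate is outside its validity period")
	}
	// The algorithm is fixed by server policy, never taken from the request.
	return cert.CheckSignature(x509.SHA256WithRSA, payload, sig)
}

// Sign is the application's side: RSA PKCS#1 v1.5 over SHA-256(payload).
func Sign(key *rsa.PrivateKey, payload []byte) ([]byte, error) {
	digest := sha256.Sum256(payload)
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
}

// MustNewSelfSigned generates a throwaway key and self-signed certificate (constructed test material).
func MustNewSelfSigned() (*rsa.PrivateKey, string) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return key, string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
}
```

The one design decision worth calling out is in FallbackResolver: only "nothing configured" falls through to the keystore. If the database row holds something that does not parse, the request is rejected rather than silently validated against whatever alias the SP still carries from before the migration, which is the case an attacker or a botched paste would otherwise exploit.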