Hi Asela,

As of now I see 2 potential use cases for scope mappings.

1. There are two different RPs in an organization which are accessed by a partner. The application is configured for OpenID Connect delegated authentication with WSO2 IS in the organization, and WSO2 IS is configured for OpenID Connect federation with the partner's in-house OP. The two RPs need to consume different sets of attributes of the user from the partner OP. In this case scope mapping is needed to request attributes from the federated OP.

2. An application, API gateway or micro-service in the partner domain calls into our API gateway, which is protected by OAuth2 in WSO2 IS. WSO2 IS is configured for token delegation to accept the partner's scoped access tokens and exchange them for our own scoped access tokens. In this case scope mapping is needed to issue access tokens with the corresponding restricted set of scopes.

Thanks & Regards,
Johann.

On Fri, May 31, 2019 at 9:43 AM Asela Pathberiya <as...@wso2.com> wrote:
>
> On Fri, May 31, 2019 at 7:58 AM Johann Nallathamby <joh...@wso2.com> wrote:
>
>> *Problem*
>>
>> When we federate to other OpenID Connect Providers, we can send scope values. However, currently the scope values are fixed per OP we define in IS. This works fine if the service provider is not an OpenID Connect RP or an RP not requesting scopes. If we are to support different scope combinations that can be requested by different RPs, it is not scalable to define individual OP configurations for each scope combination.
>>
>> *Solution*
>>
>> We must support scope mappings, so that we can map a set of scopes requested by the RP to another set of scopes supported by the OP. This way we don't need to create multiple OP configurations to support different scope combinations requested by different RPs.
>>
>> What are your thoughts on this?
>
> I am just wondering why does the RP need to send different scopes to the federated IDP? Is it just to retrieve different attributes from the id_token or userinfo attributes based on the RP? If it is not, are there any other use cases?
>
> Thanks,
> Asela.
>
>> Thanks & Regards,
>> Johann.
>>
>> --
>> *Johann Dilantha Nallathamby* | Associate Director/Solutions Architect | WSO2 Inc.
>> (m) +94 (77) 7776950 | (w) +94 (11) 2145345 | (e) joh...@wso2.com
>
> --
> Thanks & Regards,
> Asela
>
> Mobile : +94 777 625 933
>
> http://soasecurity.org/
> http://xacmlinfo.org/

--
*Johann Dilantha Nallathamby* | Associate Director/Solutions Architect | WSO2 Inc.
(m) +94 (77) 7776950 | (w) +94 (11) 2145345 | (e) joh...@wso2.com
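As an added illustration of the two mappings described in the thread (a sketch written for this page, not WSO2 IS code or its configuration model; the table contents, the IdP/issuer identifiers and the partner scope names are all constructed): each configured federated OP or trusted token issuer carries its own mapping table, unmapped values are dropped rather than forwarded, and the token-exchange path can only narrow what the inbound partner token granted.

```python
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

# Constructed sample tables for a hypothetical partner OP and partner gateway.
# Keyed by the federated IdP (use case 1) or the inbound token issuer (use case 2),
# so each one carries its own mapping instead of one OP configuration per scope
# combination that some RP might request.
FEDERATED_OP_SCOPE_MAP: Dict[str, Dict[str, FrozenSet[str]]] = {
    "partner-op": {
        "profile": frozenset({"profile"}),
        "email": frozenset({"email"}),
        "hr_read": frozenset({"partner.employee.read"}),
    }
}
TOKEN_EXCHANGE_SCOPE_MAP: Dict[str, Dict[str, FrozenSet[str]]] = {
    "partner-gw": {
        "orders:read": frozenset({"order_read"}),
        "orders:write": frozenset({"order_read", "order_write"}),
    }
}


def map_rp_scopes_to_op(op_id: str, requested: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Use case 1: translate the scopes an RP asked IS for into the scopes sent
    to the federated OP. Returns (op_scopes, unmapped_rp_scopes). Unmapped RP
    scopes are reported, not forwarded, so the OP only ever sees scope values
    that were explicitly configured for it."""
    requested = list(requested)
    table = FEDERATED_OP_SCOPE_MAP[op_id]
    op_scopes = {"openid"}  # required in every OIDC authentication request
    unmapped = [s for s in requested if s not in table]
    for s in requested:
        op_scopes |= table.get(s, frozenset())
    return sorted(op_scopes), unmapped


def map_partner_token_scopes(issuer: str, token_scopes: Iterable[str],
                             requested: Optional[Iterable[str]] = None) -> List[str]:
    """Use case 2: derive the scopes of the exchanged (our own) access token from
    the scopes present in the partner's token. Only scopes mapped from scopes
    actually granted in the inbound token are issued; an explicit request can
    narrow that set but never widen it."""
    table = TOKEN_EXCHANGE_SCOPE_MAP[issuer]
    granted = set()
    for s in token_scopes:
        granted |= table.get(s, frozenset())  # unknown partner scopes grant nothing
    if requested is not None:
        granted &= set(requested)  # down-scoping only
    return sorted(granted)
```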
_______________________________________________
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture