Hi Farasath,

That's going to be a problem when we use DCR, I guess. Shouldn't we send
the claims given in the spec for each scope by default, without any special
configurations in SP?

Thanks,
Bhathiya



On Sat, May 13, 2017 at 1:09 PM, Farasath Ahamed <farasa...@wso2.com> wrote:

> Hi,
>
> Yes. We do support openid scopes (address, email, phone, profile). (Refer
> [1])
> But as Tharindu has mentioned this too requires the relevant claims that
> fall under these scopes to be configured as requested claims in the Service
> Provider.
>
> For example,
> OIDC scope 'address' would return "address" and "street" claims. But
> unless you have these claims as requested claims in the claim configuration
> of the SP, these claims won't be returned, although you requested the token
> with a scope value of "openid address".
>
> The idea here is that Service Provider requested claims take priority over
> claims defined for scopes.
>
>
> [1] https://docs.wso2.com/display/IS530/Configuring+Claims+for+a+Service+Provider
> (Click to view vital information when configuring claims for an OpenID
> Connect Service Provider)
>
>
> Thanks,
> Farasath Ahamed
> Software Engineer, WSO2 Inc.; http://wso2.com
> Mobile: +94777603866
> Blog: blog.farazath.com
> Twitter: @farazath619 <https://twitter.com/farazath619>
>
>
>
> On Sat, May 13, 2017 at 11:36 AM, Bhathiya Jayasekara <bhath...@wso2.com>
> wrote:
>
>> @IS team: Do we support these in our current implementation?
>>
>> Thanks,
>> Bhathiya
>>
>> On Sat, May 13, 2017 at 11:34 AM, Bhathiya Jayasekara <bhath...@wso2.com>
>> wrote:
>>
>>> Hi Tharindu,
>>>
>>> In OIDC there are other standard scopes[1] in addition to 'openid'.
>>> These scopes are there to request specific user claims. I think we can use
>>> them here. So when generating tokens, these scopes should be used as per
>>> the requirement.
>>>
>>> [1] http://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims
>>>
>>> Thanks,
>>> Bhathiya
>>>
>>> On Sat, May 13, 2017 at 12:18 AM, Tharindu Dharmarathna <
>>> tharin...@wso2.com> wrote:
>>>
>>>> Hi All,
>>>>
>>>> We had a use case on APIM to send the user claims in the JWT Header to
>>>> the backend server.
>>>>
>>>> Currently, the APIM C4 architecture gets the user claims and generates
>>>> the JWT from the Key Manager node.
>>>>
>>>> As in C5 architecture, we have to get the user claims from the IS or
>>>> the third party key manager.
>>>>
>>>> I had observed below two ways of getting user claims into the Gateway
>>>> from IS.
>>>>
>>>> 1. Generate token with OpenID scope.
>>>> 2. Call userinfo endpoint with above generated token
>>>> 3. Call OAuth2TokenValidation Service and get the token.
>>>>
>>>> When considering [2] in order to receive user info we have to set the
>>>> requested claims in service provider according to the App.
>>>>
>>>> And from Current C4 architecture, we don't mandate to send openid token
>>>> as a scope.
>>>>
>>>> Are there any other alternative ways to achieve the above task?
>>>>
>>>> Thanks
>>>>
>>>> *Tharindu Dharmarathna*
>>>> Senior Software Engineer
>>>> WSO2 Inc.; http://wso2.com
>>>> lean.enterprise.middleware
>>>>
>>>> mobile: *+94779109091*
>>>>
>>>
>>>
>>>
>>> --
>>> *Bhathiya Jayasekara*
>>> *Associate Technical Lead,*
>>> *WSO2 inc., http://wso2.com <http://wso2.com>*
>>>
>>> *Phone: +94715478185*
>>> *LinkedIn: http://www.linkedin.com/in/bhathiyaj
>>> <http://www.linkedin.com/in/bhathiyaj>*
>>> *Twitter: https://twitter.com/bhathiyax <https://twitter.com/bhathiyax>*
>>> *Blog: http://movingaheadblog.blogspot.com
>>> <http://movingaheadblog.blogspot.com/>*
>>>
>>
>>
>>
>> _______________________________________________
>> Dev mailing list
>> Dev@wso2.org
>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>
>>
>


_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
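
The filtering Farasath describes and the default Bhathiya proposes for DCR clients, modelled side by side as an added example (not part of the thread and not WSO2 Identity Server code). The scope-to-claim table is the one in OpenID Connect Core section 5.4; the function names, the sample user and the two service providers are constructed for illustration.

```python
"""Model of the claim filtering discussed in this thread (added example)."""

# Scope-to-claim mapping from OpenID Connect Core 1.0, section 5.4.
# A deployment's own scope configuration may differ from this table.
SCOPE_CLAIMS = {
    "profile": {"name", "family_name", "given_name", "middle_name", "nickname",
                "preferred_username", "profile", "picture", "website", "gender",
                "birthdate", "zoneinfo", "locale", "updated_at"},
    "email": {"email", "email_verified"},
    "address": {"address"},
    "phone": {"phone_number", "phone_number_verified"},
}


def scope_claims(scope):
    """Claim names the granted scope string asks for; empty without 'openid'."""
    scopes = scope.split()
    if "openid" not in scopes:
        return set()
    names = set()
    for s in scopes:
        names |= SCOPE_CLAIMS.get(s, set())  # unknown scopes add nothing
    return names


def released_claims(scope, user_attrs, sp_requested, sp_priority=True):
    """Return (released, withheld) for one token or userinfo response.

    sp_priority=True : a scope claim is released only if it is also one of
                       the service provider's requested claims.
    sp_priority=False: every claim of the granted scopes is released.
    """
    wanted = scope_claims(scope)
    allowed = wanted & set(sp_requested) if sp_priority else wanted
    released = {k: v for k, v in user_attrs.items() if k in allowed}
    if "openid" in scope.split() and "sub" in user_attrs:
        released["sub"] = user_attrs["sub"]  # OIDC Core requires sub in UserInfo
    withheld = sorted((wanted - allowed) & set(user_attrs))
    return released, withheld


# Constructed sample data (hypothetical user and service providers).
USER = {"sub": "alice", "email": "alice@example.com", "email_verified": True,
        "address": {"country": "LK"}, "phone_number": "+10000000000"}
DCR_SP = []                       # registered dynamically, no requested claims
MANUAL_SP = ["email", "address"]  # requested claims set by an administrator

if __name__ == "__main__":
    for name, sp in (("DCR_SP", DCR_SP), ("MANUAL_SP", MANUAL_SP)):
        print(name, released_claims("openid email address", USER, sp))
    print("spec default", released_claims("openid email address", USER, DCR_SP, False))
```

The `withheld` list is what an operator would check when a client asks for a scope and the response comes back with only `sub`.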
