On Sat, May 13, 2017 at 10:40 PM, Bhathiya Jayasekara <bhath...@wso2.com> wrote:
> Thanks for the explanation Farasath. > > So this means we have to do a DCR call and another service call to > register claims to SP. @Tharindu: looks like we don't have a choice here. > Hi Bathiya, "Requested Claim" is a feature which is specific to WSO2 Identity Server. You may not find such a feature in all Identity Providers. Better to think about third party key managers as well. In your case is it required to put all user claims in JWT or set of claims define in some configuration ? Apart from Scopes you can even use [1],[2] to request claims. [1] http://openid.net/specs/openid-connect-core-1_0.html#JWTRequests [2] http://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter > > Thanks, > Bhathiya > > On Sat, May 13, 2017 at 1:49 PM, Farasath Ahamed <farasa...@wso2.com> > wrote: > >> >> On Sat, May 13, 2017 at 1:15 PM, Bhathiya Jayasekara <bhath...@wso2.com> >> wrote: >> >>> Hi Farasath, >>> >>> That's going to be a problem when we use DCR, I guess. Shouldn't we send >>> the claims given in the spec for each scope by default, without any special >>> configurations in SP? >>> >> >> Not really. >> >> Even the spec says[1], >> >> In some cases, the End-User will be given the option to have the OpenID >>> Provider decline to provide some or all information requested by RPs. To >>> minimize the amount of information that the End-User is being asked to >>> disclose, an RP can elect to only request a subset of the information >>> available from the UserInfo Endpoint. >> >> >> Simply put we are not bound to provide all the claims a client(Relying >> party) asks for using a 'scope'. There should be a way to control the >> claims that are sent out based on the application. This is because the >> sensitive nature of a claim depends on the application and other factors as >> well. For example, 'phone number' might be a sensitive claim for some apps. >> Therefore for such apps, we need to have a way to control a client from >> getting hold of that claim using scope 'phone'. >> >> So we can consider "requested claims" in Service Provider config as our >> way of allowing an application admin to decide what claims an external >> client can retrieve and what not. >> >> [1] http://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims >> >> >>> Thanks, >>> Bhathiya >>> >>> >>> >>> On Sat, May 13, 2017 at 1:09 PM, Farasath Ahamed <farasa...@wso2.com> >>> wrote: >>> >>>> Hi, >>>> >>>> Yes. We do support openid scopes (address, email, phone, profile). >>>> (Refer [1]) >>>> But as Tharindu has mentioned this too requires the relevant claims >>>> that fall under these scopes to be configured as requested claims in the >>>> Service Provider. >>>> >>>> For example, >>>> OIDC scope 'address' would return "address" and "street" claims. But >>>> unless you have these claims as requested claims in the claim configuration >>>> of the SP. These claims won't be returned although you requested the token >>>> with a scope value of "openid address" >>>> >>>> The idea here is Service Provider requested claims takes priority over >>>> claims defined for scopes. >>>> >>>> >>>> [1] https://docs.wso2.com/display/IS530/Configuring+Claims+f >>>> or+a+Service+Provider (Click to view vital information when >>>> configuring claims for an OpenID Connect Service Provider) >>>> >>>> >>>> Thanks, >>>> Farasath Ahamed >>>> Software Engineer, WSO2 Inc.; http://wso2.com >>>> Mobile: +94777603866 >>>> Blog: blog.farazath.com >>>> Twitter: @farazath619 <https://twitter.com/farazath619> >>>> <http://wso2.com/signature> >>>> >>>> >>>> >>>> On Sat, May 13, 2017 at 11:36 AM, Bhathiya Jayasekara < >>>> bhath...@wso2.com> wrote: >>>> >>>>> @IS team: Do we support these in our current implementation? >>>>> >>>>> Thanks, >>>>> Bhathiya >>>>> >>>>> On Sat, May 13, 2017 at 11:34 AM, Bhathiya Jayasekara < >>>>> bhath...@wso2.com> wrote: >>>>> >>>>>> Hi Tharindu, >>>>>> >>>>>> In OIDC there are other standard scopes[1] in addition to 'openid'. >>>>>> These scopes are there to request specific user claims. I think we can >>>>>> use >>>>>> them here. So when generating tokens, these scopes should be used as per >>>>>> the requirement. >>>>>> >>>>>> [1] http://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims >>>>>> >>>>>> Thanks, >>>>>> Bhathiya >>>>>> >>>>>> On Sat, May 13, 2017 at 12:18 AM, Tharindu Dharmarathna < >>>>>> tharin...@wso2.com> wrote: >>>>>> >>>>>>> Hi All, >>>>>>> >>>>>>> We had a use case on APIM to send the user claims in the JWT Header >>>>>>> to the backend server. >>>>>>> >>>>>>> Currently APIM C4 architecture was Getting the user claims and >>>>>>> generate JWT from Key manager node. >>>>>>> >>>>>>> As in C5 architecture, we have to get the user claims from the IS or >>>>>>> the third party key manager. >>>>>>> >>>>>>> I had observed below two ways of getting user claims into the >>>>>>> Gateway from IS. >>>>>>> >>>>>>> 1. Generate token with OpenID scope. >>>>>>> 2. Call userinfo endpoint with above generated token >>>>>>> 3. Call OAuth2TokenValidation Service and get the token. >>>>>>> >>>>>>> When considering [2] in order to receive user info we have to set >>>>>>> the requested claims in service provider according to the App. >>>>>>> >>>>>>> And from Current C4 architecture, we don't mandate to send openid >>>>>>> token as a scope. >>>>>>> >>>>>>> Is there any other alternative ways to achieve above task. >>>>>>> >>>>>>> Thanks >>>>>>> >>>>>>> *Tharindu Dharmarathna*Senior Software Engineer >>>>>>> WSO2 Inc.; http://wso2.com >>>>>>> lean.enterprise.middleware >>>>>>> >>>>>>> mobile: *+94779109091 <077%20910%209091>* >>>>>>> >>>>>> >>>>>> >>>>>> >>>>>> -- >>>>>> *Bhathiya Jayasekara* >>>>>> *Associate Technical Lead,* >>>>>> *WSO2 inc., http://wso2.com <http://wso2.com>* >>>>>> >>>>>> *Phone: +94715478185 <071%20547%208185>* >>>>>> *LinkedIn: http://www.linkedin.com/in/bhathiyaj >>>>>> <http://www.linkedin.com/in/bhathiyaj>* >>>>>> *Twitter: https://twitter.com/bhathiyax >>>>>> <https://twitter.com/bhathiyax>* >>>>>> *Blog: http://movingaheadblog.blogspot.com >>>>>> <http://movingaheadblog.blogspot.com/>* >>>>>> >>>>> >>>>> >>>>> >>>>> -- >>>>> *Bhathiya Jayasekara* >>>>> *Associate Technical Lead,* >>>>> *WSO2 inc., http://wso2.com <http://wso2.com>* >>>>> >>>>> *Phone: +94715478185 <+94%2071%20547%208185>* >>>>> *LinkedIn: http://www.linkedin.com/in/bhathiyaj >>>>> <http://www.linkedin.com/in/bhathiyaj>* >>>>> *Twitter: https://twitter.com/bhathiyax >>>>> <https://twitter.com/bhathiyax>* >>>>> *Blog: http://movingaheadblog.blogspot.com >>>>> <http://movingaheadblog.blogspot.com/>* >>>>> >>>>> _______________________________________________ >>>>> Dev mailing list >>>>> Dev@wso2.org >>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev >>>>> >>>>> >>>> >>> >>> >>> -- >>> *Bhathiya Jayasekara* >>> *Associate Technical Lead,* >>> *WSO2 inc., http://wso2.com <http://wso2.com>* >>> >>> *Phone: +94715478185 <+94%2071%20547%208185>* >>> *LinkedIn: http://www.linkedin.com/in/bhathiyaj >>> <http://www.linkedin.com/in/bhathiyaj>* >>> *Twitter: https://twitter.com/bhathiyax <https://twitter.com/bhathiyax>* >>> *Blog: http://movingaheadblog.blogspot.com >>> <http://movingaheadblog.blogspot.com/>* >>> >> >> > > > -- > *Bhathiya Jayasekara* > *Associate Technical Lead,* > *WSO2 inc., http://wso2.com <http://wso2.com>* > > *Phone: +94715478185 <+94%2071%20547%208185>* > *LinkedIn: http://www.linkedin.com/in/bhathiyaj > <http://www.linkedin.com/in/bhathiyaj>* > *Twitter: https://twitter.com/bhathiyax <https://twitter.com/bhathiyax>* > *Blog: http://movingaheadblog.blogspot.com > <http://movingaheadblog.blogspot.com/>* > -- Gayan Gunawardana Software Engineer; WSO2 Inc.; http://wso2.com/ Email: ga...@wso2.com Mobile: +94 (71) 8020933
_______________________________________________ Dev mailing list Dev@wso2.org http://wso2.org/cgi-bin/mailman/listinfo/dev
