Hi Gayan, On Sun, May 14, 2017 at 8:08 AM, Gayan Gunawardana <ga...@wso2.com> wrote:
> > > On Sat, May 13, 2017 at 10:40 PM, Bhathiya Jayasekara <bhath...@wso2.com> > wrote: > >> Thanks for the explanation Farasath. >> >> So this means we have to do a DCR call and another service call to >> register claims to SP. @Tharindu: looks like we don't have a choice here. >> > Hi Bathiya, > "Requested Claim" is a feature which is specific to WSO2 Identity Server. > You may not find such a feature in all Identity Providers. > Yes, but there can be such restrictions in other IDPs too. So this should be handled in each KM implementation. > Better to think about third party key managers as well. > In your case is it required to put all user claims in JWT or set of claims > define in some configuration ? > > Apart from Scopes you can even use [1],[2] to request claims. > Thanks for the information. But we still need to register those claims to SP as Farasath mentioned, I assume. Am I correct? Thanks, Bhathiya > > [1] http://openid.net/specs/openid-connect-core-1_0.html#JWTRequests > > [2] http://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter > >> >> Thanks, >> Bhathiya >> >> On Sat, May 13, 2017 at 1:49 PM, Farasath Ahamed <farasa...@wso2.com> >> wrote: >> >>> >>> On Sat, May 13, 2017 at 1:15 PM, Bhathiya Jayasekara <bhath...@wso2.com> >>> wrote: >>> >>>> Hi Farasath, >>>> >>>> That's going to be a problem when we use DCR, I guess. Shouldn't we >>>> send the claims given in the spec for each scope by default, without any >>>> special configurations in SP? >>>> >>> >>> Not really. >>> >>> Even the spec says[1], >>> >>> In some cases, the End-User will be given the option to have the OpenID >>>> Provider decline to provide some or all information requested by RPs. To >>>> minimize the amount of information that the End-User is being asked to >>>> disclose, an RP can elect to only request a subset of the information >>>> available from the UserInfo Endpoint. >>> >>> >>> Simply put we are not bound to provide all the claims a client(Relying >>> party) asks for using a 'scope'. There should be a way to control the >>> claims that are sent out based on the application. This is because the >>> sensitive nature of a claim depends on the application and other factors as >>> well. For example, 'phone number' might be a sensitive claim for some apps. >>> Therefore for such apps, we need to have a way to control a client from >>> getting hold of that claim using scope 'phone'. >>> >>> So we can consider "requested claims" in Service Provider config as our >>> way of allowing an application admin to decide what claims an external >>> client can retrieve and what not. >>> >>> [1] http://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims >>> >>> >>>> Thanks, >>>> Bhathiya >>>> >>>> >>>> >>>> On Sat, May 13, 2017 at 1:09 PM, Farasath Ahamed <farasa...@wso2.com> >>>> wrote: >>>> >>>>> Hi, >>>>> >>>>> Yes. We do support openid scopes (address, email, phone, profile). >>>>> (Refer [1]) >>>>> But as Tharindu has mentioned this too requires the relevant claims >>>>> that fall under these scopes to be configured as requested claims in the >>>>> Service Provider. >>>>> >>>>> For example, >>>>> OIDC scope 'address' would return "address" and "street" claims. But >>>>> unless you have these claims as requested claims in the claim >>>>> configuration >>>>> of the SP. These claims won't be returned although you requested the token >>>>> with a scope value of "openid address" >>>>> >>>>> The idea here is Service Provider requested claims takes priority over >>>>> claims defined for scopes. >>>>> >>>>> >>>>> [1] https://docs.wso2.com/display/IS530/Configuring+Claims+f >>>>> or+a+Service+Provider (Click to view vital information when >>>>> configuring claims for an OpenID Connect Service Provider) >>>>> >>>>> >>>>> Thanks, >>>>> Farasath Ahamed >>>>> Software Engineer, WSO2 Inc.; http://wso2.com >>>>> Mobile: +94777603866 >>>>> Blog: blog.farazath.com >>>>> Twitter: @farazath619 <https://twitter.com/farazath619> >>>>> <http://wso2.com/signature> >>>>> >>>>> >>>>> >>>>> On Sat, May 13, 2017 at 11:36 AM, Bhathiya Jayasekara < >>>>> bhath...@wso2.com> wrote: >>>>> >>>>>> @IS team: Do we support these in our current implementation? >>>>>> >>>>>> Thanks, >>>>>> Bhathiya >>>>>> >>>>>> On Sat, May 13, 2017 at 11:34 AM, Bhathiya Jayasekara < >>>>>> bhath...@wso2.com> wrote: >>>>>> >>>>>>> Hi Tharindu, >>>>>>> >>>>>>> In OIDC there are other standard scopes[1] in addition to 'openid'. >>>>>>> These scopes are there to request specific user claims. I think we can >>>>>>> use >>>>>>> them here. So when generating tokens, these scopes should be used as per >>>>>>> the requirement. >>>>>>> >>>>>>> [1] http://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims >>>>>>> >>>>>>> Thanks, >>>>>>> Bhathiya >>>>>>> >>>>>>> On Sat, May 13, 2017 at 12:18 AM, Tharindu Dharmarathna < >>>>>>> tharin...@wso2.com> wrote: >>>>>>> >>>>>>>> Hi All, >>>>>>>> >>>>>>>> We had a use case on APIM to send the user claims in the JWT Header >>>>>>>> to the backend server. >>>>>>>> >>>>>>>> Currently APIM C4 architecture was Getting the user claims and >>>>>>>> generate JWT from Key manager node. >>>>>>>> >>>>>>>> As in C5 architecture, we have to get the user claims from the IS >>>>>>>> or the third party key manager. >>>>>>>> >>>>>>>> I had observed below two ways of getting user claims into the >>>>>>>> Gateway from IS. >>>>>>>> >>>>>>>> 1. Generate token with OpenID scope. >>>>>>>> 2. Call userinfo endpoint with above generated token >>>>>>>> 3. Call OAuth2TokenValidation Service and get the token. >>>>>>>> >>>>>>>> When considering [2] in order to receive user info we have to set >>>>>>>> the requested claims in service provider according to the App. >>>>>>>> >>>>>>>> And from Current C4 architecture, we don't mandate to send openid >>>>>>>> token as a scope. >>>>>>>> >>>>>>>> Is there any other alternative ways to achieve above task. >>>>>>>> >>>>>>>> Thanks >>>>>>>> >>>>>>>> *Tharindu Dharmarathna*Senior Software Engineer >>>>>>>> WSO2 Inc.; http://wso2.com >>>>>>>> lean.enterprise.middleware >>>>>>>> >>>>>>>> mobile: *+94779109091 <077%20910%209091>* >>>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> -- >>>>>>> *Bhathiya Jayasekara* >>>>>>> *Associate Technical Lead,* >>>>>>> *WSO2 inc., http://wso2.com <http://wso2.com>* >>>>>>> >>>>>>> *Phone: +94715478185 <071%20547%208185>* >>>>>>> *LinkedIn: http://www.linkedin.com/in/bhathiyaj >>>>>>> <http://www.linkedin.com/in/bhathiyaj>* >>>>>>> *Twitter: https://twitter.com/bhathiyax >>>>>>> <https://twitter.com/bhathiyax>* >>>>>>> *Blog: http://movingaheadblog.blogspot.com >>>>>>> <http://movingaheadblog.blogspot.com/>* >>>>>>> >>>>>> >>>>>> >>>>>> >>>>>> -- >>>>>> *Bhathiya Jayasekara* >>>>>> *Associate Technical Lead,* >>>>>> *WSO2 inc., http://wso2.com <http://wso2.com>* >>>>>> >>>>>> *Phone: +94715478185 <+94%2071%20547%208185>* >>>>>> *LinkedIn: http://www.linkedin.com/in/bhathiyaj >>>>>> <http://www.linkedin.com/in/bhathiyaj>* >>>>>> *Twitter: https://twitter.com/bhathiyax >>>>>> <https://twitter.com/bhathiyax>* >>>>>> *Blog: http://movingaheadblog.blogspot.com >>>>>> <http://movingaheadblog.blogspot.com/>* >>>>>> >>>>>> _______________________________________________ >>>>>> Dev mailing list >>>>>> Dev@wso2.org >>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev >>>>>> >>>>>> >>>>> >>>> >>>> >>>> -- >>>> *Bhathiya Jayasekara* >>>> *Associate Technical Lead,* >>>> *WSO2 inc., http://wso2.com <http://wso2.com>* >>>> >>>> *Phone: +94715478185 <+94%2071%20547%208185>* >>>> *LinkedIn: http://www.linkedin.com/in/bhathiyaj >>>> <http://www.linkedin.com/in/bhathiyaj>* >>>> *Twitter: https://twitter.com/bhathiyax <https://twitter.com/bhathiyax>* >>>> *Blog: http://movingaheadblog.blogspot.com >>>> <http://movingaheadblog.blogspot.com/>* >>>> >>> >>> >> >> >> -- >> *Bhathiya Jayasekara* >> *Associate Technical Lead,* >> *WSO2 inc., http://wso2.com <http://wso2.com>* >> >> *Phone: +94715478185 <+94%2071%20547%208185>* >> *LinkedIn: http://www.linkedin.com/in/bhathiyaj >> <http://www.linkedin.com/in/bhathiyaj>* >> *Twitter: https://twitter.com/bhathiyax <https://twitter.com/bhathiyax>* >> *Blog: http://movingaheadblog.blogspot.com >> <http://movingaheadblog.blogspot.com/>* >> > > > > -- > Gayan Gunawardana > Software Engineer; WSO2 Inc.; http://wso2.com/ > Email: ga...@wso2.com > Mobile: +94 (71) 8020933 > -- *Bhathiya Jayasekara* *Associate Technical Lead,* *WSO2 inc., http://wso2.com <http://wso2.com>* *Phone: +94715478185* *LinkedIn: http://www.linkedin.com/in/bhathiyaj <http://www.linkedin.com/in/bhathiyaj>* *Twitter: https://twitter.com/bhathiyax <https://twitter.com/bhathiyax>* *Blog: http://movingaheadblog.blogspot.com <http://movingaheadblog.blogspot.com/>*
_______________________________________________ Dev mailing list Dev@wso2.org http://wso2.org/cgi-bin/mailman/listinfo/dev