Hi Ishara,

On Sun, May 14, 2017 at 8:51 AM, Ishara Karunarathna <isha...@wso2.com>
wrote:

> Hi,
>
> On Sun, May 14, 2017 at 8:42 AM, Ishara Karunarathna <isha...@wso2.com>
> wrote:
>
>> Hi Bhathiya,
>>
>> On Sun, May 14, 2017 at 8:18 AM, Bhathiya Jayasekara <bhath...@wso2.com>
>> wrote:
>>
>>> Hi Ishara,
>>>
>>> On Sun, May 14, 2017 at 7:16 AM, Ishara Karunarathna <isha...@wso2.com>
>>> wrote:
>>>
>>>> Hi,
>>>>
>>>> In the current implementation you get a JWT token from the token
>>>> validation service regardless of the grant type.
>>>> But this would be a problem when you go with standards only. For
>>>> example, you may not be able to get an ID token from the IDP if it's only
>>>> supporting the specifications.
>>>>
>>>
>>> We thought of using the "openid" scope when generating the token and then
>>> calling userinfo after validating (introspecting) the token. I expect that
>>> should work if the IDP is compliant with the specs. WDYT?
>>>
>> What I'm saying is that not all the OAuth grant types work with OIDC.
>> For example, in the password grant type you can't use OIDC. OIDC defines only
>> the authorization code and implicit grant types (it has a hybrid flow as well).
>> In that case you can't expect to get an ID token for all grant types.
>>
>
Oh that's going to be a problem.


> So do you need this user information in all the cases ??
>

Yes, we may need it, especially in the password grant type. If this is not going
to work, we will have to think of a different solution (like the SCIM one you
suggested).

Thanks,
Bhathiya


>
> One option that comes to my mind is:
> in the token introspection response, get the user name.
> And then call a SCIM endpoint (or any other API to get the user
> information) to get the user information.
>
> But this also has an issue: this username is an optional parameter.
>
>
>>
>> So do you need this user information in all the cases ??
>>
>>
>>> Thanks,
>>> Bhathiya
>>>
>>>
>>>>
>>>> So this has to be addressed case by case.
>>>> -Ishara
>>>>
>>>> On Sat, May 13, 2017 at 10:40 PM, Bhathiya Jayasekara <
>>>> bhath...@wso2.com> wrote:
>>>>
>>>>> Thanks for the explanation Farasath.
>>>>>
>>>>> So this means we have to do a DCR call and another service call to
>>>>> register claims to SP. @Tharindu: looks like we don't have a choice here.
>>>>>
>>>>> Thanks,
>>>>> Bhathiya
>>>>>
>>>>> On Sat, May 13, 2017 at 1:49 PM, Farasath Ahamed <farasa...@wso2.com>
>>>>> wrote:
>>>>>
>>>>>>
>>>>>> On Sat, May 13, 2017 at 1:15 PM, Bhathiya Jayasekara <
>>>>>> bhath...@wso2.com> wrote:
>>>>>>
>>>>>>> Hi Farasath,
>>>>>>>
>>>>>>> That's going to be a problem when we use DCR, I guess. Shouldn't we
>>>>>>> send the claims given in the spec for each scope by default, without any
>>>>>>> special configurations in SP?
>>>>>>>
>>>>>>
>>>>>> Not really.
>>>>>>
>>>>>> Even the spec says[1],
>>>>>>
>>>>>> In some cases, the End-User will be given the option to have the
>>>>>>> OpenID Provider decline to provide some or all information requested by
>>>>>>> RPs. To minimize the amount of information that the End-User is being asked
>>>>>>> to disclose, an RP can elect to only request a subset of the information
>>>>>>> available from the UserInfo Endpoint.
>>>>>>
>>>>>>
>>>>>> Simply put, we are not bound to provide all the claims a
>>>>>> client (Relying Party) asks for using a 'scope'. There should be a way to
>>>>>> control the claims that are sent out based on the application. This is
>>>>>> because the sensitive nature of a claim depends on the application and
>>>>>> other factors as well. For example, 'phone number' might be a sensitive
>>>>>> claim for some apps. Therefore, for such apps, we need to have a way to
>>>>>> control a client from getting hold of that claim using the scope 'phone'.
>>>>>>
>>>>>> So we can consider "requested claims" in the Service Provider config as
>>>>>> our way of allowing an application admin to decide what claims an external
>>>>>> client can retrieve and what not.
>>>>>>
>>>>>> [1] http://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims
>>>>>>
>>>>>>
>>>>>>> Thanks,
>>>>>>> Bhathiya
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Sat, May 13, 2017 at 1:09 PM, Farasath Ahamed <farasa...@wso2.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> Yes. We do support openid scopes (address, email, phone, profile).
>>>>>>>> (Refer [1])
>>>>>>>> But as Tharindu has mentioned, this too requires the relevant claims
>>>>>>>> that fall under these scopes to be configured as requested claims in the
>>>>>>>> Service Provider.
>>>>>>>>
>>>>>>>> For example,
>>>>>>>> OIDC scope 'address' would return "address" and "street" claims.
>>>>>>>> But unless you have these claims as requested claims in the claim
>>>>>>>> configuration of the SP, these claims won't be returned, although you
>>>>>>>> requested the token with a scope value of "openid address".
>>>>>>>>
>>>>>>>> The idea here is that Service Provider requested claims take priority
>>>>>>>> over claims defined for scopes.
>>>>>>>>
>>>>>>>>
>>>>>>>> [1] https://docs.wso2.com/display/IS530/Configuring+Claims+for+a+Service+Provider
>>>>>>>> (Click to view vital information when configuring claims for an
>>>>>>>> OpenID Connect Service Provider)
>>>>>>>>
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Farasath Ahamed
>>>>>>>> Software Engineer, WSO2 Inc.; http://wso2.com
>>>>>>>> Mobile: +94777603866
>>>>>>>> Blog: blog.farazath.com
>>>>>>>> Twitter: @farazath619 <https://twitter.com/farazath619>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On Sat, May 13, 2017 at 11:36 AM, Bhathiya Jayasekara <
>>>>>>>> bhath...@wso2.com> wrote:
>>>>>>>>
>>>>>>>>> @IS team: Do we support these in our current implementation?
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>> Bhathiya
>>>>>>>>>
>>>>>>>>> On Sat, May 13, 2017 at 11:34 AM, Bhathiya Jayasekara <
>>>>>>>>> bhath...@wso2.com> wrote:
>>>>>>>>>
>>>>>>>>>> Hi Tharindu,
>>>>>>>>>>
>>>>>>>>>> In OIDC there are other standard scopes[1] in addition to
>>>>>>>>>> 'openid'. These scopes are there to request specific user claims. I think
>>>>>>>>>> we can use them here. So when generating tokens, these scopes should be
>>>>>>>>>> used as per the requirement.
>>>>>>>>>>
>>>>>>>>>> [1] http://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims
>>>>>>>>>>
>>>>>>>>>> Thanks,
>>>>>>>>>> Bhathiya
>>>>>>>>>>
>>>>>>>>>> On Sat, May 13, 2017 at 12:18 AM, Tharindu Dharmarathna <
>>>>>>>>>> tharin...@wso2.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> Hi All,
>>>>>>>>>>>
>>>>>>>>>>> We had a use case in APIM to send the user claims in the JWT
>>>>>>>>>>> header to the backend server.
>>>>>>>>>>>
>>>>>>>>>>> Currently, the APIM C4 architecture gets the user claims and
>>>>>>>>>>> generates the JWT from the Key Manager node.
>>>>>>>>>>>
>>>>>>>>>>> In the C5 architecture, we have to get the user claims from the
>>>>>>>>>>> IS or the third-party key manager.
>>>>>>>>>>>
>>>>>>>>>>> I have observed the below two ways of getting user claims into the
>>>>>>>>>>> Gateway from IS.
>>>>>>>>>>>
>>>>>>>>>>> 1. Generate a token with the OpenID scope.
>>>>>>>>>>> 2. Call the userinfo endpoint with the above generated token.
>>>>>>>>>>> 3. Call the OAuth2TokenValidation Service and get the token.
>>>>>>>>>>>
>>>>>>>>>>> When considering [2], in order to receive user info we have to
>>>>>>>>>>> set the requested claims in the service provider according to the app.
>>>>>>>>>>>
>>>>>>>>>>> And in the current C4 architecture, we don't mandate sending the
>>>>>>>>>>> openid token as a scope.
>>>>>>>>>>>
>>>>>>>>>>> Are there any other alternative ways to achieve the above task?
>>>>>>>>>>>
>>>>>>>>>>> Thanks
>>>>>>>>>>>
>>>>>>>>>>> *Tharindu Dharmarathna*
>>>>>>>>>>> Senior Software Engineer
>>>>>>>>>>> WSO2 Inc.; http://wso2.com
>>>>>>>>>>> lean.enterprise.middleware
>>>>>>>>>>>
>>>>>>>>>>> mobile: +94779109091
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> *Bhathiya Jayasekara*
>>>>>>>>>> *Associate Technical Lead,*
>>>>>>>>>> *WSO2 inc., http://wso2.com*
>>>>>>>>>>
>>>>>>>>>> *Phone: +94715478185*
>>>>>>>>>> *LinkedIn: http://www.linkedin.com/in/bhathiyaj*
>>>>>>>>>> *Twitter: https://twitter.com/bhathiyax*
>>>>>>>>>> *Blog: http://movingaheadblog.blogspot.com*
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> _______________________________________________
>>>>>>>>> Dev mailing list
>>>>>>>>> Dev@wso2.org
>>>>>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Ishara Karunarathna
>>>> Associate Technical Lead
>>>> WSO2 Inc. - lean . enterprise . middleware | wso2.com
>>>>
>>>> email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94717996791
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>
>>
>>
>>
>>
>>
>
>
>
>
>


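The claim-release rule discussed in this thread (claims implied by the granted OIDC scopes, filtered by the Service Provider's configured requested claims) and the optional username in the introspection response, as an added example that is not WSO2 code. The scope-to-claim table follows OpenID Connect Core 1.0 section 5.4; the SP configuration, user record and token scopes are constructed sample data, and the "no claims without the openid scope" behaviour is an assumption.

```python
# Added example (not WSO2 code): UserInfo claims = (claims implied by the
# granted scopes) intersected with (the SP's configured requested claims).
# Scope -> claims table from OpenID Connect Core 1.0, section 5.4.
SCOPE_CLAIMS = {
    "profile": {"name", "family_name", "given_name", "middle_name", "nickname",
                "preferred_username", "profile", "picture", "website", "gender",
                "birthdate", "zoneinfo", "locale", "updated_at"},
    "email": {"email", "email_verified"},
    "address": {"address"},
    "phone": {"phone_number", "phone_number_verified"},
}


def claims_for_scopes(scopes):
    """Union of claims implied by the granted scopes; nothing without 'openid'.

    Assumption: UserInfo only serves OIDC tokens, so a token issued without
    'openid' (e.g. a plain OAuth2 password grant) yields no identity claims.
    """
    if "openid" not in scopes:
        return set()
    return set().union(*(SCOPE_CLAIMS.get(s, set()) for s in scopes))


def userinfo_response(token_scopes, sp_requested_claims, user):
    """Build the UserInfo body: SP requested claims take priority over scopes."""
    allowed = claims_for_scopes(token_scopes) & set(sp_requested_claims)
    body = {"sub": user["sub"]}  # 'sub' is always returned by UserInfo
    for claim in sorted(allowed):
        if claim in user:  # a claim the user lacks is omitted, not nulled
            body[claim] = user[claim]
    return body


def subject_from_introspection(resp):
    """Fallback from the thread: RFC 7662 requires only 'active', so 'username'
    (and 'sub') may be absent and a SCIM lookup cannot rely on them."""
    if not resp.get("active"):
        return None
    return resp.get("username") or resp.get("sub")


# Constructed sample data: an SP that releases email and given_name but not phone.
SP_REQUESTED = ["email", "email_verified", "given_name"]
USER = {"sub": "alice", "given_name": "Alice", "email": "alice@example.com",
        "email_verified": True, "phone_number": "+1-555-0100"}

if __name__ == "__main__":
    print(userinfo_response(["openid", "email", "phone", "profile"], SP_REQUESTED, USER))
    print(userinfo_response(["email", "phone"], SP_REQUESTED, USER))  # password grant, no openid
    print(subject_from_introspection({"active": True, "scope": "email phone"}))
```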
