Adding lakmal and sanjeewa On Wed, Jun 14, 2017 at 7:28 PM, Indunil Upeksha Rathnayake < indu...@wso2.com> wrote:
> Hi, > > Thanks all of your valuable feedbacks. Currently we are implementing > following REST endpoints. We have modeled the the rest API using swagger > and you can find the attached swagger definition as well. Really appreciate > your comments and suggestions on the specified endpoints, please mention if > there are other required endpoints. > > > Endpoint Method Usage Request Body Response > /scopes POST Create Scopes [{"key": "openid", "name": "openid", > "description": "openid scope", "bindings": ["role1", "role2"]}] "HTTP/1.1 > 201 Created" > > DELETE Delete Scopes ["key1", "key2"] "HTTP/1.1 201 Deleted" > > PUT Update Scopes [{"key": "openid", "name": "openid", "description": > "openid scope", "bindings": ["role3"]}] "HTTP/1.1 201 Updated" > /scopes?filter=maxResults+Eq+100 GET Get all available Scopes > [{"key": "openid", "name": "openid", "description": "openid scope", > "bindings": []}] > > /scopes/by-bindings GET Get Scopes by Binding/s {"bindings": ["role1", > "role2"]} [{"key": "openid", "name": "openid", "description": "openid > scope", "bindings": ["role1", "role2"]}] > > /scopes/keys GET Get all the available > Scope Keys > ["key1", "key2"] > > /scopes/keys/by-bindings GET Get Scope keys > by Binding/s {"bindings": ["role1", "role2"]} ["key1", "key2"] > > /scopes/{scope_key} GET Get a Scope by Scope Key > {"key": "openid", "name": "openid", "description": "openid scope", > "bindings": []} > > DELETE Delete a Scope by > Scope Key > "HTTP/1.1 201 Deleted" > > PUT Update a Scope by > Scope Key {"key": "openid", "name": "openid", "description": "openid > scope", "bindings": ["role3", "role4"]} "HTTP/1.1 201 Updated" > > > @Nuwan: We have a suggestion to modified the database schema as follows to > properly store bindings (considering the performance issues in using comma > separated values and renaming the "ROLES" field to a generic name), but > need to discuss about this and finalize. > > > > Appreciate your comments and suggestions and I will arrange a meeting > tomorrow to have a further discussion on this. > > Thanks and Regards > > > On Mon, Jun 12, 2017 at 2:53 AM, Nuwan Dias <nuw...@wso2.com> wrote: > >> >> On Fri, Jun 9, 2017 at 5:46 AM Indunil Upeksha Rathnayake < >> indu...@wso2.com> wrote: >> >>> Hi, >>> >>> We are currently working on implementing following features which are >>> needed for APIM 3.0. You can find the initial discussion details in [1]. >>> >>> 1. Sign UserInfo JWT response >>> 2. Scope registration and Scope binding >>> 3. DCRM >>> >>> >>> *Sign UserInfo JWT response:* >>> JWT user info response signing implementation is in [1]. >>> >>> Currently in APIM, there is a key manager global wise configuration to >>> configure needed claims which needed to be send in user info response. We >>> need to consider, when no SP wise requested claims are configured as in >>> APIM, whether we need to send all the claims bound for a specific scope in >>> oidc-scope-config.xml. >>> Currently in IS, we are sending only those claims which are common in >>> both OIDC scope config and SP claim configuration (ie. intersection of >>> claim in both these configs). >>> >>> *Shall we send all the bounded claims if requested claims are not >>> defined?* >>> >>> *Scope registration and Scope binding:* >>> New endpoints will be exposed in IS 5.4.0 to handle Scope register, >>> bind, update, delete, list etc. >>> >>> As per the current implementation of APIM and IoT, following things can >>> be noticed and have following concerns. >>> >>> - Scope can be bound with roles or permissions - Uses scope to role >>> binding in APIM and uses scope to permission binding in IoT. >>> >>> >>> - Both of the above bindings are stored in "IDN_OAUTH2_SCOPE" table >>> where roles and permissions both are stored as a comma separated string >>> in >>> same column named "ROLES". AFAIU, there is no indication with a prefix in >>> scope registration, where to separate the two bindings. *There can >>> be other bindings which will be added in future, isn't it better to >>> renamed >>> the field as "BINDINGS"? There can be a situation where both set of roles >>> and permissions are bound to a scope?* >>> >>> Its better to rename but please note that this is a minor version >> upgrade and hence it's better to avoid schema changes. >> >>> >>> - >>> >>> >>> - In scope validation, currently there are validators for role based >>> and permission based. The corresponding validator will be selected based >>> on >>> the prefix (ex: Permission based scope validator only validates the scope >>> which are having "perm" as the prefix of the scopes) and if scope prefix >>> is >>> not defined, those will directly go to the default role based scope >>> validator. *How this prefix has to be considered and validated in >>> scope registration with the bindings?* >>> >>> >>> - In scope registration, AFAIU, scope key and name are the essential >>> details to be included. *What is the difference of theses and where >>> these values will be used? scope key is the unique value which need to be >>> considered in scope binding?* >>> >>> >>> 1. Scope Register and Bind >>> There can be following scenarios a scope can be registered and bound. >>> CreateScope - scope key, scope name, roles >>> CreateScope - scope key, scope name, permissions >>> CreateScope - scope key, scope name >>> >>> So that we have implemented "/api/identity/oauth2/scope/v0.9/registerScope" >>> endpoint to register set of scopes with the bindings. "key" and "name" >>> cannot be null and bindings(added a generic property rather adding two >>> properties for roles and permissions) will be stored as comma separated >>> values in IDN_OAUTH2_SCOPE table. >>> >>>> {"scope": [{"key": "openid", "name": "openid", "description": "openid >>>> scope", "bindings": ["role1", "role2"]}]} >>>> >>> >>> 2. Scope Update >>> "/updateScope" endpoint to update a set of scopes with the bindings >>> which need to be added and deleted. >>> >>>> {"scope": [{"key": "openid", "addedBindings": ["role3"], >>>> "deletedBindings": ["role2"]}]} >>>> >>> >>> 3. Scope Delete >>> "/deleteScope" endpoint to delete a set of scopes. >>> >>>> {"scope": ["scope_key_1", "scope_key_2"]} >>>> >>> >>> 4. Scope List >>> Endpoints for following scenarios. >>> 1. Get scope by key >>> 2. Get scope key list by role/s - given a role or role list, return the >>> list of scope keys that includes all of those roles >>> 3. Get scope key list by permission/s - given a permission or permission >>> list, return the list of scope keys that includes all of those permissions >>> 4. Get scopes by role/s - for a given role or role list, return the list >>> of scopes that includes all of those roles with all the details >>> 5. Get scopes by permission/s - for a given permission or permission >>> list, return the list of scopes that includes all of those permissions with >>> all the details >>> 6. Get all the available scope keys >>> 7. Get all the available scopes with their description and allocated >>> roles/permissions >>> >>> Appreciate your comments and suggestions on this. >>> >>> >>> *DCRM:* >>> Abilashini is working on this as a GSoC project and discussion is in [3]. >>> >>> >>> [1] Discussion on features which required for APIM to be incl... @ Tue >>> May 30, 2017 10:30am - 12pm (IST) (WSO2 Engineering Group) >>> [2] https://github.com/wso2-extensions/identity-inbound-auth- >>> oauth/pull/385 >>> [3] [Dev] GSOC : OAuth 2.0 Dynamic Client Registration Management >>> Protocol Support >>> >>> Thanks and Regards >>> >>> >>> -- >>> Indunil Upeksha Rathnayake >>> Software Engineer | WSO2 Inc >>> Email indu...@wso2.com >>> Mobile 0772182255 >>> >> -- >> Nuwan Dias >> >> Software Architect - WSO2, Inc. http://wso2.com >> email : nuw...@wso2.com >> Phone : +94 777 775 729 <+94%2077%20777%205729> >> > > > > -- > Indunil Upeksha Rathnayake > Software Engineer | WSO2 Inc > Email indu...@wso2.com > Mobile 0772182255 > -- Indunil Upeksha Rathnayake Software Engineer | WSO2 Inc Email indu...@wso2.com Mobile 0772182255
_______________________________________________ Dev mailing list Dev@wso2.org http://wso2.org/cgi-bin/mailman/listinfo/dev