Hi Sathya,

I do not see any issue adding the info-set to the id-token, as conceptually it carries more information about the user's identity. Did we check if there are any standard claims in the id token we could use instead of "realm", "tenant_domain", etc.?
Cheers,
Ruwan A

On Thu, Apr 4, 2019 at 11:43 PM Sathya Bandara <sat...@wso2.com> wrote:
> Hi all,
>
> In the OIDC logout flow, we send the ID token as a user identification method, similar to the following request.
>
> https://localhost:9443/oidc/logout?id_token_hint=<id_token>&post_logout_redirect_uri=http://localhost:8080/playground2/oauth2client&state=1
>
> When validating the ID token, we are trying to get the tenant domain from the subject claim of the id token hint [1] in the default flow. This will only work if 'append tenant domain to subject identifier' is selected in the SP configuration. In other scenarios it fails with the error "access_denied ID token signature validation failed." This is because if the subject does not contain the tenant domain, we try to validate the id token with the super tenant's keystore. Further, this fails when the subject identifier is set as the email claim, and the email contains a different domain such as sat...@wso2.com <sat...@gmail.com>
>
> We have a config to enable/disable signing the ID token with the SP's keystore in identity.xml ('SignJWTWithSPKey'). As this configuration is disabled by default, the ID token will be signed and validated using the user's tenant domain, leading to the above issue.
>
> As a possible solution, we have decided to include the user tenant domain and userstore domain as claims in the id token generated by IS. This can be disabled by a config; however, in the default pack it will be enabled by default. A sample id token will be as follows.
>
> {
>   "at_hash": "Bi9jGB-EIZ94gVzHZv5trQ",
>   "aud": "b3F9IGMtm0aKGlHfG4BnI2Ypi7Qa",
>   "sub": "sathya",
>   "realm": {
>     "tenant_domain": "wso2.com",
>     "userstore_domain": "PRIMARY"
>   },
>   "iss": "https://localhost:9443/oauth2/token",
>   "exp": 1554367465,
>   "iat": 1554363865
> }
>
> Also, the 'SignJWTWithSPKey' property will be enabled by default in the product, honoring the service provider's tenant domain when obtaining keys for signing and validating id tokens.
>
> Highly appreciate your suggestions and concerns on this.
>
> [1] https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oidc.session/src/main/java/org/wso2/carbon/identity/oidc/session/servlet/OIDCLogoutServlet.java#L331
>
> Thanks,
> Sathya
>
> --
> Sathya Bandara
> Senior Software Engineer
> Blog: https://medium.com/@technospace
> WSO2 Inc. http://wso2.com
> Mobile: (+94) 715 360 421

--
Ruwan Abeykoon
Associate Director/Architect,
WSO2, Inc. http://wso2.com
lean.enterprise.middleware.
_______________________________________________ Dev mailing list Dev@wso2.org http://wso2.org/cgi-bin/mailman/listinfo/dev
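The tenant-resolution problem Sathya describes, modelled as an added example that is not WSO2 code: the validator reads the (not yet verified) claims only to choose which of the server's own trusted tenant keys to check against, preferring the proposed `realm.tenant_domain` claim and otherwise falling back to the legacy "suffix of the subject" rule. Per-tenant HS256 keys, the `TENANT_KEYS` table and the claim names other than `realm` are constructed stand-ins for the RSA tenant keystores.

```python
import base64, hashlib, hmac, json

SUPER_TENANT = "carbon.super"
# Constructed stand-ins for per-tenant signing keys. The real server keeps an
# RSA keystore per tenant; HS256 is used here only to keep the example offline.
TENANT_KEYS = {SUPER_TENANT: b"super-tenant-key", "wso2.com": b"wso2-tenant-key"}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_id_token(sub: str, tenant: str, with_realm: bool) -> str:
    """Mint an ID token signed with the user's tenant key, optionally
    carrying the proposed realm claim (tenant_domain / userstore_domain)."""
    payload = {"sub": sub, "iss": "https://localhost:9443/oauth2/token", "aud": "client"}
    if with_realm:
        payload["realm"] = {"tenant_domain": tenant, "userstore_domain": "PRIMARY"}
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(payload).encode())
    sig = hmac.new(TENANT_KEYS[tenant], f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

def resolve_tenant_domain(claims: dict) -> str:
    """Prefer the explicit realm claim; otherwise apply the legacy rule that
    treats the text after '@' in the subject as the tenant, which guesses
    wrong when the subject is an e-mail address in a foreign domain."""
    realm = claims.get("realm") or {}
    if realm.get("tenant_domain"):
        return realm["tenant_domain"]
    sub = claims.get("sub", "")
    if "@" in sub:
        candidate = sub.rsplit("@", 1)[1]
        if candidate in TENANT_KEYS:
            return candidate
    return SUPER_TENANT

def validate_id_token_hint(token: str):
    """Return (signature_ok, tenant_used) for an id_token_hint.
    The unverified claims only select among the server's own trusted keys;
    they never supply key material, so a forged realm claim cannot make an
    untrusted signature pass, it can only pick a key that then fails."""
    header, body, sig = token.split(".")
    claims = json.loads(b64url_decode(body))
    tenant = resolve_tenant_domain(claims)
    expected = hmac.new(TENANT_KEYS[tenant], f"{header}.{body}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig)), tenant
```

With the realm claim absent, a plain `sathya` subject or an e-mail subject in another domain is checked against the super-tenant key and fails, reproducing the "ID token signature validation failed" case; with the claim present, the right tenant key is chosen.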