Hi Ruwan/Sathya, There are some standard claims defined in the OIDC specification[1], none of them can be used instead of "realm", "tenant_domain". However, the spec also says that it is okay to add any other claims to id_token[2].
[1] - https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims [2] - https://openid.net/specs/openid-connect-core-1_0.html#IDToken Thank You. Hasini On Fri, Apr 5, 2019 at 6:30 AM Ruwan Abeykoon <ruw...@wso2.com> wrote: > Hi Sathya, > I do not see any issue adding the info-set to the id-token, as > conceptually it carries more information about the users identity. > Did we checked if there an standard claims in id token we could use, > instead of "realm", "tenant_domain", etc. > > Cheers, > Ruwan A > > On Thu, Apr 4, 2019 at 11:43 PM Sathya Bandara <sat...@wso2.com> wrote: > >> Hi all, >> >> In OIDC logout flow, we send the ID token as a user identification method >> similar to following request. >> >> https://localhost:9443/oidc/logout?id_token_hint= >> <id_token>&post_logout_redirect_uri= >> http://localhost:8080/playground2/oauth2client&state=1 >> >> when validating the ID token, we are trying to get tenant domain from >> subject claim of the id token hint [1] in the default flow. This will only >> work if '*append tenant domain to subject identifier'* is selected in >> the SP configuration. In other scenarios it fails with the error >> "access_denied ID token signature validation failed." This is because if >> subject does not contain the tenant domain, we try to validate the id token >> with super tenant's keystore. Further this fails when subject identifier is >> set as email claim, and email contains a different domain such as >> sat...@wso2.com <sat...@gmail.com> >> >> We have a config to enable/disable signing ID token with SP's keystore >> identity.xml ('SignJWTWithSPKey'). As this configuration is disabled by >> default, ID token will be signed and validated using user's tenant domain >> leading to above issue. >> >> As a possible solution, we have decided to include user tenant domain and >> userstore domain as claims in the id token generated by IS. This can be >> disabled by a config however in the default pack it will be enabled by >> default. Sample id token will be as follows. >> >> { >> "at_hash": "Bi9jGB-EIZ94gVzHZv5trQ", >> "aud": "b3F9IGMtm0aKGlHfG4BnI2Ypi7Qa", >> "sub": "sathya", >> >> >> >> * "realm": { "tenant_domain: "wso2.com <http://wso2.com>", >> "userstore_domain: "PRIMARY" }*, >> "iss": "https://localhost:9443/oauth2/token";, >> "exp": 1554367465, >> "iat": 1554363865, >> } >> >> Also 'SignJWTWithSPKey' property will be enabled by default in the >> product, honoring service provider's tenant domain when obtaining keys for >> signing and validating id tokens. >> >> Highly appreciate your suggestions and concerns on this. >> >> [1] >> https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oidc.session/src/main/java/org/wso2/carbon/identity/oidc/session/servlet/OIDCLogoutServlet.java#L331 >> Thanks, >> Sathya >> -- >> Sathya Bandara >> Senior Software Engineer >> Blog: https://medium.com/@technospace >> WSO2 Inc. http://wso2.com >> Mobile: (+94) 715 360 421 <+94%2071%20411%205032> >> >> <+94%2071%20411%205032> >> > > > -- > > *Ruwan Abeykoon* > *Associate Director/Architect**,* > *WSO2, Inc. http://wso2.com <https://wso2.com/signature> * > *lean.enterprise.middleware.* > > _______________________________________________ > Dev mailing list > Dev@wso2.org > http://wso2.org/cgi-bin/mailman/listinfo/dev > -- *Hasini Witharana | **Software Engineer | **WSO2 Inc <https://wso2.com/>* *(m) 0766435725 | (w) 0713850143 | (e) hasi...@wso2.com <hasi...@wso2.com>*
_______________________________________________ Dev mailing list Dev@wso2.org http://wso2.org/cgi-bin/mailman/listinfo/dev
