Hi Isura\Sarubi,

Why do we need to remove OIDC scopes from being validated?

How can we do role-based scope validation for an OIDC scope, if we need it in some case?

Thanks,

On Mon, Feb 17, 2020 at 4:29 PM Isura Karunaratne <is...@wso2.com> wrote:
>
> On Mon, Feb 17, 2020 at 2:59 PM Sarubi Thillainathan <sar...@wso2.com> wrote:
>
>> Hi All,
>>
>> When the role-based scope validator is enabled we grant the access token upon
>> validated scope. In the OpenID flow, when we request an ID token we can try the
>> following, for example, where 'scope1' is bound to the role 'login-sp'.
>>
>> curl -u anKvtUmgg88qghLz5_AdzDMzIFAa:cQX5r6nDncXSaytrgVlZUx51teUa -k -d "grant_type=password&username=kim&password=12345&scope=openid scope1" -H "Content-Type:application/x-www-form-urlencoded" https://localhost:9443/oauth2/token
>>
>> This will respond with an ID token if the user Kim is a member of the role
>> 'login-sp'.
>>
>> But when we try to obtain a custom claim value via the ID token, we can pass
>> the OIDC scopes which are mapped to the corresponding user claims, for
>> example the profile and email scopes.
>>
>> curl -u anKvtUmgg88qghLz5_AdzDMzIFAa:cQX5r6nDncXSaytrgVlZUx51teUa -k -d "grant_type=password&username=kim&password=12345&scope=openid scope1 email" -H "Content-Type:application/x-www-form-urlencoded" https://localhost:9443/oauth2/token -v
>>
>> When we pass those OIDC scopes with the role-based scope validator enabled,
>> we get the error message
>>
>> {"error_description":"Invalid Scope!","error":"invalid_scope"}
>>
>> for every OIDC scope except the scope named 'openid'.
>>
>> The reason is that we have only removed the 'openid' scope from the list [1].
>> Then we check whether the scope is registered or not by calling only the
>> OAuth2 scope binding service. Since the OIDC scopes are not visible via the
>> OAuth2 scope binding service, we end up with an Invalid scope error.
>>
>> To resolve this issue, we may need to remove the OIDC scopes from the scope
>> list before validating the OAuth2 scopes.
>>
>> Appreciate your thoughts on tackling this issue with a better solution.
>>
> +1 to remove all the OIDC scopes since we can't register OAuth scopes with
> the same name.
>
> Cheers,
> Isura.
>
>> [1]
>> https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/c4a33c5cb4914d5b803878c8962a6d4a6f35995d/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/validators/JDBCScopeValidator.java#L206-L220
>>
>> Thanks,
>> Sarubi.
>> --
>> Sarubi Thillainathan | Senior Software Engineer | WSO2 Inc.
>> (m) +94 (0) 76 684 9101 | (e) sar...@wso2.com, stsa...@gmail.com
>>
>
> --
> Isura Dilhara Karunaratne
> Technical Lead | WSO2 <http://wso2.com/>
> lean.enterprise.middleware
> Email: is...@wso2.com
> Mob : +94 772 254 810
> Blog : https://medium.com/@isurakarunaratne
>

--
Regards,
Darshana Gunawardana
Technical Lead
WSO2 Inc.; http://wso2.com
E-mail: darsh...@wso2.com
Mobile: +94718566859
Lean . Enterprise . Middleware
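The validation behaviour Sarubi describes, as an added model (a constructed example, not WSO2's JDBCScopeValidator code): the same requested scopes are checked once with only `openid` skipped, and once with every registered OIDC scope skipped before the OAuth2 binding check. The scope names and the role `login-sp` come from the thread; the OIDC scope registry and the scope-to-role bindings table are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed registry of OIDC scopes (claim mappings, not OAuth2 bindings).
OIDC_SCOPES = {"openid", "profile", "email", "address", "phone"}

# Constructed OAuth2 scope -> roles bindings; 'scope1' is bound to 'login-sp'
# as in the thread. OIDC scope names cannot be registered here (per Isura).
OAUTH2_SCOPE_BINDINGS = {"scope1": {"login-sp"}}


@dataclass
class ScopeResult:
    granted: bool
    error: Optional[str] = None
    scopes: List[str] = field(default_factory=list)


def validate_scopes(requested: List[str], user_roles: Set[str],
                    skip: Set[str]) -> ScopeResult:
    """Role-based validation: scopes in `skip` bypass the OAuth2 binding lookup,
    every other scope must be registered and bound to one of the user's roles."""
    granted = []
    for scope in requested:
        if scope in skip:
            granted.append(scope)  # claim-mapping scope, not an OAuth2 binding
            continue
        bound_roles = OAUTH2_SCOPE_BINDINGS.get(scope)
        if bound_roles is None:
            # Not visible through the OAuth2 binding service -> invalid_scope
            return ScopeResult(False, "invalid_scope")
        if not bound_roles & user_roles:
            return ScopeResult(False, "invalid_scope")  # user lacks a bound role
        granted.append(scope)
    return ScopeResult(True, None, granted)


def validate_before_fix(requested: List[str], roles: Set[str]) -> ScopeResult:
    """Current behaviour: only 'openid' is removed before the binding check."""
    return validate_scopes(requested, roles, {"openid"})


def validate_after_fix(requested: List[str], roles: Set[str]) -> ScopeResult:
    """Proposed behaviour: all OIDC scopes are removed before the binding check."""
    return validate_scopes(requested, roles, OIDC_SCOPES)
```

Run with the thread's request `openid scope1 email` for a user holding `login-sp`: the first variant rejects it on `email`, the second grants all three while still rejecting `scope1` for a user without the role.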
_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev