[Architecture] [Dev] WSO2 IS Analytics v1.0.0-ALPHA Released

2016-06-03 Thread Damith Wickramasinghe
*WSO2 IS Analytics v1.0.0-ALPHA Released*

We are pleased to announce the alpha release of WSO2 IS Analytics v1.0.0 [1],
which is powered by WSO2 Data Analytics Server. IS Analytics can be used to
monitor authentication related analytics for residence and federated
authentication scenarios [2]. Please use the nightly build IS pack [3],
which includes necessary instruments to publish data to analytics IS. Your
feedback is highly appreciated; any bugs or issues can be reported here [4].

This release contains the following capabilities:

   1. View Authentication analytics for Federated Identity scenarios which
   includes viewing overall success and failure login attempts and
   authentication attempts views for multiple dimensions of Service Provider,
   Identity Providers, Users and also first time login of service Providers.
   2. View Authentication analytics for Federated scenarios which includes
   viewing overall success and failure login attempts and authentication
   attempts views for multiple dimensions of service provider, roles, user and
   user-stores

[1] https://github.com/wso2/analytics-is/releases/download/v1.0.0-alpha/wso2analytics-is-1.0.0-alpha.zip
[2] https://docs.wso2.com/display/IS520/WSO2+IS+Analytics
[3] https://svn.wso2.org/repos/wso2/people/mohan/is-5.2.0-with-analytics
[4] https://wso2.org/jira/browse/ANLYIS


Analytics IS Team


-- 
Software Engineer
WSO2 Inc.; http://wso2.com

lean.enterprise.middleware

mobile: *+94728671315*
___
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture


[Architecture] Writing an ESB connector for BPMN rest API.

2016-06-03 Thread Hasitha Aravinda
Hi all,

Shall we do the $Subject for BPMN rest API [1]. Basically, connector should
cover basic functions such as

   - Start process instance
   - Receive messages (Correlation)
   - List and get process instances and their variables
   - HumanTask's related operations. etc.

With this connector, we can simply integrate other systems with BPS
Workflow engine/HumanTask engine.

Any thoughts. ?

[1] - https://docs.wso2.com/display/BPS351/BPMN+REST+API

Thanks,
Hasitha.

-- 
--
Hasitha Aravinda,
Associate Technical Lead,
WSO2 Inc.
Email: hasi...@wso2.com
Mobile : +94 718 210 200


Re: [Architecture] Writing an ESB connector for BPMN rest API.

2016-06-03 Thread Nandika Jayawardana
+1

Nandika

On Fri, Jun 3, 2016 at 3:32 PM, Hasitha Aravinda  wrote:

> Hi all,
>
> Shall we do the $Subject for BPMN rest API [1]. Basically, connector
> should cover basic functions such as
>
>    - Start process instance
>    - Receive messages (Correlation)
>    - List and get process instances and their variables
>    - HumanTask's related operations. etc.
>
> With this connector, we can simply integrate other systems with BPS
> Workflow engine/HumanTask engine.
>
> Any thoughts. ?
>
> [1] - https://docs.wso2.com/display/BPS351/BPMN+REST+API
>
> Thanks,
> Hasitha.
>
> --
> --
> Hasitha Aravinda,
> Associate Technical Lead,
> WSO2 Inc.
> Email: hasi...@wso2.com
> Mobile : +94 718 210 200
>



-- 
Nandika Jayawardana
WSO2 Inc ; http://wso2.com
lean.enterprise.middleware


Re: [Architecture] [IS] Regenerating client secret/key and revoking an oauth app in OAuth 2.0 implementation

2016-06-03 Thread Gayan Gunawardana
Hi Indunil,

Here, are we talking about three things?

*i. Regenerate Client Secret*
*ii. Regenerate Consumer Key*
*iii. Revoking an oauth app*

Specification [1] talks about revoking client secret more like revoking
oauth app. In order to use same consumer key again regenerating client
secret is essential. As previously mentioned by Farasath and Harsha could
not see any real use of regenerating consumer key. Just creating new oauth
application while revoking client secret of existing application would have
the same effect.

[1] https://tools.ietf.org/html/rfc6819#section-5.2.3.6

Thanks,
Gayan

On Fri, Jun 3, 2016 at 12:00 PM, Harsha Thirimanna  wrote:

>
> On Fri, Jun 3, 2016 at 11:51 AM, Farasath Ahamed 
> wrote:
>
>> compromised
>
>
> Yes, it is like when the user wants to change the user name also with or
> without changing the password. So in that case we have to create new
> account instead of letting to change user name.
>
>
>
>
> *Harsha Thirimanna*
> Associate Tech Lead; WSO2, Inc.; http://wso2.com
> email: hars...@wso2.com cell: +94 71 5186770
> twitter: http://twitter.com/harshathirimann
> linked-in: http://www.linkedin.com/pub/harsha-thirimanna/10/ab8/122
>
> *Lean . Enterprise . Middleware*
>
>
>
>


-- 
Gayan Gunawardana
Software Engineer; WSO2 Inc.; http://wso2.com/
Email: ga...@wso2.com
Mobile: +94 (71) 8020933


Re: [Architecture] [IS] Regenerating client secret/key and revoking an oauth app in OAuth 2.0 implementation

2016-06-03 Thread Prabath Siriwardana
On Thu, Jun 2, 2016 at 10:30 PM, Indunil Upeksha Rathnayake <
indu...@wso2.com> wrote:

> Hi,
> I am working on implementing regeneration of client secret/key of an oauth
> app and revocation of an oauth app for the next milestone release of
> Identity Server. Appreciate your feedbacks on the following approaches I
> have taken.
>
> A trusted client would need to update the client secret/key, in order to
> prevent the abuse of revealed client secret/key. So for addressing that, I
> am working on adding two options as *Regenerate Client Secret *and *Regenerate
> Consumer Key* for oauth applications in IS. After a client secret/key get
> regenerated, that will immediately invalidate any active authorization
> code, access token or refresh token, issued to the respective client.
>
> *Will it be necessary to add two options for revoking client secret and
> key or better to go for a different approach?*
>

I guess (as discussed in this thread already) - having the ability to
change the consumer secret would be enough. Changing the consumer key is
a bit challenging too - we would have all the analytics data against the
consumer key.

Also - consumer key is not something - someone would remember and use - so
I don't think it's the same as the username - so I don't see any need to change
it.


>
>
>
> And apart from that planning for the implementation of *Revoking an oauth
> app*. In there the oauth app will be revoked and that also will
> immediately invalidate any active authorization code, access token or
> refresh token, issued to the respective client. In order to activate the
> oauth app again, need to regenerate the client secret.
>
>
> *In there to activate the app, better to regenerate "both client key and
> secret" or "either client key or secret"?*
>

Revoking an app means - mostly the revoking of its consumer secret (the
previous scenario).

Another couple of use cases we can address with this:

1. Blocking an app temporarily - Deactivate the App - and then Activate it
after some time - nothing to do with the consumer secret revocation.

2. Ability to revoke access token(s) issued on behalf of a user for a
particular app.

3. Ability to revoke all the access tokens issued on behalf of a user
across all the apps.

Thanks & regards,
-Prabath


>
>
> Really value your ideas/suggestions on improving this feature.
>
> Thanks and Regards
> --
> Indunil Upeksha Rathnayake
> Software Engineer | WSO2 Inc
> Emailindu...@wso2.com
>
>
>
>


-- 
Thanks & Regards,
Prabath

Twitter : @prabath
LinkedIn : http://www.linkedin.com/in/prabathsiriwardena

Mobile : +1 650 625 7950

http://facilelogin.com
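
The lifecycle operations discussed in this message (regenerating the secret while keeping the consumer key, blocking an app temporarily, revoking a user's tokens for one app or for all apps), modelled in memory as an added Python example. It is not WSO2 Identity Server code; `AuthServer` and every method name on it are hypothetical.

```python
import hashlib
import hmac
import secrets

ACTIVE, INACTIVE, REVOKED = "ACTIVE", "INACTIVE", "REVOKED"

def _digest(secret):
    # Keep only a digest of the random secret, never the secret itself.
    return hashlib.sha256(secret.encode()).hexdigest()

class AuthServer:  # hypothetical in-memory model, not a WSO2 IS class
    def __init__(self):
        self.apps = {}    # consumer_key -> {"secret": digest, "state": str}
        self.grants = {}  # opaque value -> {"kind", "app", "user", "valid"}

    def register(self, consumer_key):
        self.apps[consumer_key] = {"secret": None, "state": ACTIVE}
        return self._new_secret(consumer_key)

    def _new_secret(self, consumer_key):
        secret = secrets.token_urlsafe(32)
        self.apps[consumer_key]["secret"] = _digest(secret)
        return secret

    def issue(self, kind, consumer_key, user):
        value = secrets.token_urlsafe(32)  # code, access token or refresh token
        self.grants[value] = {"kind": kind, "app": consumer_key, "user": user, "valid": True}
        return value

    def _invalidate(self, consumer_key=None, user=None):
        hit = [g for g in self.grants.values() if g["valid"]
               and consumer_key in (None, g["app"]) and user in (None, g["user"])]
        for g in hit:
            g["valid"] = False
        return len(hit)

    def regenerate_secret(self, consumer_key):
        # Same consumer key, new secret: every code and token of the app dies
        # and a revoked app becomes usable again; a blocked app stays blocked.
        app = self.apps[consumer_key]
        self._invalidate(consumer_key=consumer_key)
        if app["state"] == REVOKED:
            app["state"] = ACTIVE
        return self._new_secret(consumer_key)

    def revoke_app(self, consumer_key):
        self.apps[consumer_key].update(secret=None, state=REVOKED)
        return self._invalidate(consumer_key=consumer_key)

    def set_blocked(self, consumer_key, blocked):
        # Temporary block: secret and grants stay, only the state flips.
        app = self.apps[consumer_key]
        if app["state"] == REVOKED:
            raise ValueError("a revoked app needs a regenerated secret")
        app["state"] = INACTIVE if blocked else ACTIVE

    def revoke_for_user(self, user, consumer_key=None):
        # One app when consumer_key is given, otherwise all apps.
        return self._invalidate(consumer_key=consumer_key, user=user)

    def authenticate_client(self, consumer_key, secret):
        app = self.apps.get(consumer_key)
        if not app or app["state"] != ACTIVE or app["secret"] is None:
            return False
        return hmac.compare_digest(app["secret"], _digest(secret))

    def is_valid(self, value):
        g = self.grants.get(value)
        return bool(g and g["valid"] and self.apps[g["app"]]["state"] == ACTIVE)
```

Because the consumer key never changes in this model, anything recorded against it (such as the analytics data mentioned above) stays attached to the same app across secret rotations.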


Re: [Architecture] [IS] Regenerating client secret/key and revoking an oauth app in OAuth 2.0 implementation

2016-06-03 Thread Pushpalanka Jayawardhana
Hi All,

On Fri, Jun 3, 2016 at 5:46 PM, Prabath Siriwardana 
wrote:

>
>
> On Thu, Jun 2, 2016 at 10:30 PM, Indunil Upeksha Rathnayake <
> indu...@wso2.com> wrote:
>
>> Hi,
>> I am working on implementing regeneration of client secret/key of an
>> oauth app and revocation of an oauth app for the next milestone release of
>> Identity Server. Appreciate your feedbacks on the following approaches I
>> have taken.
>>
>> A trusted client would need to update the client secret/key, in order to
>> prevent the abuse of revealed client secret/key. So for addressing that, I
>> am working on adding two options as *Regenerate Client Secret *and 
>> *Regenerate
>> Consumer Key* for oauth applications in IS. After a client secret/key
>> get regenerated, that will immediately invalidate any active authorization
>> code, access token or refresh token, issued to the respective client.
>>
>> *Will it be necessary to add two options for revoking client secret and
>> key or better to go for a different approach?*
>>
>
> I guess (as discussed in this thread already) - having the ability to
> change the consumer secret would be enough. Changing the consumer key is
> a bit challenging too - we would have all the analytics data against the
> consumer key.
>
On a side note which is not directly relevant to consumer key revocation, I
have seen occasions where customers wanted to decide the consumer key rather
than generating them.

Use case:
E.g.: When they already have plenty of applications (maybe mobile apps)
which have embedded consumer key or/and secret, and then moving from
current authorization server to WSO2 Identity Server they need to update
consumer credentials in all these applications to use WSO2 generated ones,
which they are reluctant to do.
While we may be able to support above use case via an extension point, won't
it be good to have a highly secured API to do it?
Analytics, we may have to handle using the old to new consumer key mapping.


>
> Also - consumer key is not something - someone would remember and use - so
> I don't think it's the same as the username - so I don't see any need to change
>

>
>>
>>
>>
>> And apart from that planning for the implementation of *Revoking an
>> oauth app*. In there the oauth app will be revoked and that also will
>> immediately invalidate any active authorization code, access token or
>> refresh token, issued to the respective client. In order to activate the
>> oauth app again, need to regenerate the client secret.
>>
>>
>> *In there to activate the app, better to regenerate "both client key and
>> secret" or "either client key or secret"?*
>>
>
> Revoking an app means - mostly the revoking of its consumer secret (the
> previous scenario).
>
> Another couple of use cases we can address with this:
>
> 1. Blocking an app temporarily - Deactivate the App - and then Activate it
> after some time - nothing to do with the consumer secret revocation.
>
> 2. Ability to revoke access token(s) issued on behalf of a user for a
> particular app.
>
> 3. Ability to revoke all the access tokens issued on behalf of a user
> across all the apps.
>
> Thanks & regards,
> -Prabath
>
>
>>
>>
>> Really value your ideas/suggestions on improving this feature.
>>
>> Thanks and Regards
>> --
>> Indunil Upeksha Rathnayake
>> Software Engineer | WSO2 Inc
>> Emailindu...@wso2.com
>>
>>
>>
>>
>
>
> --
> Thanks & Regards,
> Prabath
>
> Twitter : @prabath
> LinkedIn : http://www.linkedin.com/in/prabathsiriwardena
>
> Mobile : +1 650 625 7950
>
> http://facilelogin.com
>
>
>

Thanks,
-- 
Pushpalanka.
-- 
Pushpalanka Jayawardhana, B.Sc.Eng.(Hons).
Senior Software Engineer, WSO2 Lanka (pvt) Ltd;  wso2.com/
Mobile: +94779716248
Blog: pushpalankajaya.blogspot.com/ | LinkedIn:
lk.linkedin.com/in/pushpalanka/ | Twitter: @pushpalanka


Re: [Architecture] Writing an ESB connector for BPMN rest API.

2016-06-03 Thread Malaka Silva
+1

On Fri, Jun 3, 2016 at 4:02 PM, Nandika Jayawardana 
wrote:

> +1
>
> Nandika
>
> On Fri, Jun 3, 2016 at 3:32 PM, Hasitha Aravinda  wrote:
>
>> Hi all,
>>
>> Shall we do the $Subject for BPMN rest API [1]. Basically, connector
>> should cover basic functions such as
>>
>>    - Start process instance
>>    - Receive messages (Correlation)
>>    - List and get process instances and their variables
>>    - HumanTask's related operations. etc.
>>
>> With this connector, we can simply integrate other systems with BPS
>> Workflow engine/HumanTask engine.
>>
>> Any thoughts. ?
>>
>> [1] - https://docs.wso2.com/display/BPS351/BPMN+REST+API
>>
>> Thanks,
>> Hasitha.
>>
>> --
>> --
>> Hasitha Aravinda,
>> Associate Technical Lead,
>> WSO2 Inc.
>> Email: hasi...@wso2.com
>> Mobile : +94 718 210 200
>>
>
>
>
> --
> Nandika Jayawardana
> WSO2 Inc ; http://wso2.com
> lean.enterprise.middleware
>



-- 

Best Regards,

Malaka Silva
Senior Technical Lead
M: +94 777 219 791
Tel : 94 11 214 5345
Fax :94 11 2145300
Skype : malaka.sampath.silva
LinkedIn : http://www.linkedin.com/pub/malaka-silva/6/33/77
Blog : http://mrmalakasilva.blogspot.com/

WSO2, Inc.
lean . enterprise . middleware
http://www.wso2.com/
http://www.wso2.com/about/team/malaka-silva/

https://store.wso2.com/store/

Save a tree -Conserve nature & Save the world for your future. Print this
email only if it is absolutely necessary.


Re: [Architecture] [IS] User Challenge question Internationalization

2016-06-03 Thread Farasath Ahamed
Hi,

In the current implementation, challenge questions are persisted to the
registry as registry resource properties as shown below.


I had a look at the discussion[1] on how persisting email templates for
different locale should be done. I am planning to follow a similar approach
in storing challenge questions for different locale. The idea explained in
[1] is to store the template/question as a registry resource rather than as
a registry property. So I will be following a structure similar to shown
below to store the challenge questions.


​
So each question will be stored following a
*/system/config/challenge-questions///* convention as shown above. The first
step is to reuse most of the email
templates registry persistence code and make it generic (provide an
interface) to retrieve any registry resource(eg: email templates, challenge
questions, ) based on locale. The next step is to abstract the retrieval of
resources logic to support retrieval of resources from a DB, API etc.


[1] http://mail.wso2.org/mailarchive/architecture/2015-May/020188.html

Thanks,
Farasath Ahamed
Software Engineer,
WSO2 Inc.; http://wso2.com
lean.enterprise.middleware


Re: [Architecture] [IS] User Challenge question Internationalization

2016-06-03 Thread Kasun Bandara
Hi Farasath,

+1 for storing the content of the questions as the registry resource
values. But how are you planning to store the boolean values such as
"*isPromoteQuestion*"? I think it's better to keep that sort of data as a
property value, so the retrieval process will be easy. WDYT?

Thanks,
Kasun.

On Sat, Jun 4, 2016 at 12:16 AM, Farasath Ahamed  wrote:

> Hi,
>
> In the current implementation, challenge questions are persisted to the
> registry as registry resource properties as shown below.
>
>
> I had a look at the discussion[1] on how persisting email templates for
> different locale should be done. I am planning to follow a similar approach
> in storing challenge questions for different locale. The idea explained in
> [1] is to store the template/question as a registry resource rather than as
> a registry property. So I will be following a structure similar to shown
> below to store the challenge questions.
>
>
> ​
> So each question will be stored following a
> */system/config/challenge-questions///* convention as shown above. The first
> step is to reuse most of the email
> templates registry persistence code and make it generic (provide an
> interface) to retrieve any registry resource(eg: email templates, challenge
> questions, ) based on locale. The next step is to abstract the retrieval of
> resources logic to support retrieval of resources from a DB, API etc.
>
>
> [1] http://mail.wso2.org/mailarchive/architecture/2015-May/020188.html
>
> Thanks,
> Farasath Ahamed
> Software Engineer,
> WSO2 Inc.; http://wso2.com
> lean.enterprise.middleware
>



-- 
Kasun Bandara
*Software Engineer*
Mobile : +94 (0) 718 338 360
kas...@wso2.com 


Re: [Architecture] Data Bridge Agent Publisher for C5 products

2016-06-03 Thread Mohanadarshan Vivekanandalingam
On Thu, Jun 2, 2016 at 9:43 PM, Isuru Perera  wrote:

> Hi Suho,
>
> In Metrics, I have written the DAS Reporter using the data publisher. Do
> you think I should change the implementation to use an HTTP client?
>

We don't need to change from Thrift to HTTP, rather we need to have an
intermediate (high-level) layer which does not depend on underneath
transport protocol and relevant transport can be configured using a config
file (like we have stream terminology for CEP publisher).


>
> We also need to release Metrics soon. So, if we are going to change the
> implementation, we need to decide soon. However I think it'll have an
> impact on the release schedule for Metrics.
>
> In Metrics, the DAS reporter is used to store the historical metrics data
> in DAS. The reporter will send events periodically (1 minute, by default).
> So, do you think we will encounter any issue with current Data Publisher.
>

Theoretically, I don't think there are any issues but we need to try it out.


>
> Please let me know.
>
> Thanks!
>
> On Thu, Jun 2, 2016 at 3:18 PM, Sriskandarajah Suhothayan 
> wrote:
>
>> Are we going to use data bridge in C5?
>> C5 has Netty based transports, can't we use one of them to publish events
>> to DAS, since DAS has the capability of receiving from any transport
>> protocol via extensions this will not be a problem.
>>
>> In my opinion we should not be depending on data publisher as it has
>> several issues like events can get out of order, dropped and it's not
>> reliable. We should have a publishing framework which is independent of the
>> transport, so users can pick Thrift, HTTP or AMQP based on their use cases.
>>
>> WDYT?
>>
>> Suho
>>
>> On Thu, Jun 2, 2016 at 2:35 PM, Kishanthan Thangarajah <
>> kishant...@wso2.com> wrote:
>>
>>> A separate point to note.
>>>
>>> Thinking along the AS 6.0 and C5 aspect, what we need is a library,
>>> where we could use that in both OSGi env and non-OSGi environments. It
>>> should not have any direct dependency on carbon API's. Currently, with AS
>>> 6.0, we are using the data publisher from C4 without any code changes and
>>> removing unwanted dependencies. If we planning to write this again, we
>>> should come up with the minimum library that could be used in a OSGi and
>>> non-OSGi env.
>>>
>>>
>>> On Thu, Jun 2, 2016 at 1:40 PM, Isuru Perera  wrote:
>>>
>>>> Hi,
>>>>
>>>> On Thu, Jun 2, 2016 at 1:10 PM, Sinthuja Ragendran
>>>> wrote:
>>>>
>>>>> Hi IsuruP,
>>>>>
>>>>> Please find the comments inline.
>>>>>
>>>>> On Thu, Jun 2, 2016 at 12:18 PM, Isuru Perera  wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> This is regarding $subject and the main problem we have is that there
>>>>>> is no Carbon 5 compatible feature for data bridge agent.
>>>>>>
>>>>>
>>>>> Data bridge agent publisher does not depend on carbon, and it has some
>>>>> dependencies for carbon utils, and carbon base, which we can eliminate by
>>>>> passing proper configurations in data-agent-config.xml.
>>>>>
>>>> Yes. This is what should be done.
>>>>
>>>> I think we should avoid carbon dependencies in data publisher. We can
>>>> have some Carbon specific component to initialize data publisher in Carbon
>>>> (OSGi) environment.
>>>>
>>>>> In that case, what do you mean by it's not compatible with Carbon 5 as
>>>>> it anyhow doesn't depend on carbon features?
>>>>>
>>>> As I mentioned earlier, the publisher has Carbon 4.x dependencies. So,
>>>> we need to workaround problems like NoClassDefFoundError for
>>>> CarbonUtils etc.
>>>>
>>>>>
>>>>>
>>>>>>
>>>>>> Since Data Bridge Agent is already an OSGi bundle, we can use it
>>>>>> within C5 products. But we have to include it with some feature.
>>>>>>
>>>>>> For example, Carbon Metrics needs to publish events to DAS. So, is it
>>>>>> okay if I keep data bridge agent in Metrics feature?
>>>>>>
>>>>>
>>>>> No, I don't think that is a good option. Because the publisher is a
>>>>> generic feature, and it doesn't have any relationship to metrics feature
>>>>> other than metrics feature is using data publisher feature. In that case,
>>>>> you need to have just importFeature defn for the datapublisher feature
>>>>> from the metrics feature.
>>>>>
>>>> Yes. The correct way is to import data publisher feature. However there
>>>> is no such feature available now. Since Metrics needs the publisher
>>>> dependencies, I thought we can include those dependencies until we have a
>>>> data publisher designed to work with C5. When someone wants to install
>>>> metrics feature, it should work without any issue. Right now, I cannot do a
>>>> release of Carbon Metrics till I have answers to the questions raised in
>>>> this mail thread.
>>>>
>>>>>
>>>>>
>>>>>>
>>>>>> Other problem is that the current Data Bridge Agent is written for
>>>>>> Carbon 4.x based products. For example it uses CarbonUtils to find the
>>>>>> location of data-agent-config.xml. The CarbonUtils class used by the
>>>>>> agent is only available in C4.
>>>>>>
>>>>>> We can avoid this by g