Re: [Architecture] [RRT] Forcing the challenge question for Identity Server

2018-05-30 Thread Dimuthu Leelarathne
Hi,

In the original design we are calling OSGi services from a class on the BE
server. The flow is to retrieve the questions from the OSGi service and send
them to the FE. I would prefer this method over calling admin services,
because it means the JSP application needs to store admin credentials in a
config file, leading to even more concerns.

thanks,
Dimuthu


On Wed, May 30, 2018 at 2:15 PM, Rosen Silva  wrote:

> Hi,
>
> @Farasath: We can call the related OSGi services and get the challenge
> questions.
>
> It is also possible to authenticate to the Admin service without a cookie by
> using the following authenticate method used in
> UserIdentityManagementAdminServiceClient [1], [2].
>
> // From UserIdentityManagementAdminServiceClient [1]: the stub is created and
> // the service client is authenticated once, in the constructor.
> public UserIdentityManagementAdminServiceClient() throws AxisFault {
>     stub = new UserIdentityManagementAdminServiceStub(serviceURL);
>     ServiceClient client = stub._getServiceClient();
>     IdentityManagementServiceUtil.getInstance().authenticate(client);
> }
>
> // From IdentityManagementServiceUtil [2]: preemptive HTTP Basic
> // authentication using the configured access username and password.
> public void authenticate(ServiceClient client) {
>     Options option = client.getOptions();
>     HttpTransportProperties.Authenticator auth = new HttpTransportProperties.Authenticator();
>     auth.setUsername(accessUsername);
>     auth.setPassword(accessPassword);
>     auth.setPreemptiveAuthentication(true);
>     option.setProperty(org.apache.axis2.transport.http.HTTPConstants.AUTHENTICATE, auth);
>     option.setManageSession(true);
> }
>
> Is it a good idea to use an authentication method similar to the one in
> UserIdentityManagementAdminServiceClient above to retrieve the challenge questions?
>
>
> [1] https://github.com/wso2/carbon-identity-framework/blob/master/components/identity-mgt/org.wso2.carbon.identity.mgt.endpoint/src/main/java/org/wso2/carbon/identity/mgt/endpoint/serviceclient/UserIdentityManagementAdminServiceClient.java
> [2] https://github.com/wso2/carbon-identity-framework/blob/master/components/identity-mgt/org.wso2.carbon.identity.mgt.endpoint/src/main/java/org/wso2/carbon/identity/mgt/endpoint/IdentityManagementServiceUtil.java
>
> Thanks and regards,
>
> On Wed, May 30, 2018 at 5:23 AM Farasath Ahamed 
> wrote:
>
>>
>>
>> On Tuesday, May 29, 2018, Rosen Silva  wrote:
>>
>>> Hi All,
>>>
>>> I'm implementing a feature for IS 5.5.0 to force users to add answers to
>>> challenge questions.
>>> This feature is implemented using PostAuthenticationHandler.
>>>
>>> The logic executes in the following order:
>>> * Check from the post authenticator whether the user has already added
>>> the answers
>>> * If not, redirect users to a webpage (JSP file) to get the answers to
>>> the challenge questions
>>> * Check whether users have added the challenge questions
>>> * Let users log in to the SP if the user has filled in the answers to the
>>> challenge questions
>>>
>>>
>>> Clarifications on implementing the JSP page for retrieving and
>>> updating answers to challenge questions
>>>
>>> AFAIK we can't use the admin service to retrieve and update security
>>> questions since we don't have the cookie while in the post-authentication
>>> flow.
>>> One possibility is to send the challenge questions to the webpage with
>>> the HTTP servlet request and get the answers back to the post authentication
>>> handler through the servlet response and add the answers to the challenge
>>> questions.
>>>
>> Can you explain how we plan to retrieve the available challenge questions
>> of the tenant in this approach?
>>
>>>
>>> Your input is appreciated.
>>>
>>> Thanks and regards,
>>> --
>>>
>>> *Rosen Silva*
>>> Software Engineer - WSO2
>>>
>>> Email: ros...@wso2.com
>>> Mobile: +94770677418
>>> Web: https://wso2.com/
>>>
>>
>>
>> --
>> Farasath Ahamed
>> Senior Software Engineer, WSO2 Inc.; http://wso2.com
>> Mobile: +94777603866
>> Blog: blog.farazath.com
>> Twitter: @farazath619 
>> 
>>
>>
>>
>>
>>
>
> --
>
> *Rosen Silva*
> Software Engineer - WSO2
>
> Email: ros...@wso2.com
> Mobile: +94770677418
> Web: https://wso2.com/
>



-- 
Dimuthu Leelarathne
Director, Rapid Response Team

WSO2, Inc. (http://wso2.com)
email: dimut...@wso2.com
Mobile: +94773661935
Blog: http://muthulee.blogspot.com

Lean . Enterprise . Middleware
___
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture


Re: [Architecture] Handling custom claims when generating JWT token using JWT grant type

2018-05-30 Thread Megala Uthayakumar
*Hi,*

*As per the offline discussion with IAM team, following is the agreed
design.*



*Darshana/Maduranga/Farasath/IAM Team - Please do correct me if I have
misunderstood regarding this.*

*Thanks.*

Regards,
Megala

On Thu, May 24, 2018 at 9:41 AM, Megala Uthayakumar  wrote:

> Hi,
>
> As per the meeting held offline, it was decided to only send the custom
> claims when the scope is given as "openid". Sending custom claims that are
> not defined in dialect can be supported by adding new claims to openid
> dialect and by appending the relevant scopes to "/oidc" resource in config
> registry.
>
> Thanks.
>
> Regards,
> Megala
>
> On Wed, May 23, 2018 at 2:41 PM, Bhathiya Jayasekara 
> wrote:
>
>> Thanks, I just understood the scenario.
>>
>> Thanks,
>> Bhathiya
>>
>> On Wed, May 23, 2018 at 2:36 PM, Megala Uthayakumar 
>> wrote:
>>
>>> Hi Bhathiya,
>>>
>>> On Wed, May 23, 2018 at 1:05 PM, Bhathiya Jayasekara 
>>> wrote:
>>>
 Hi Megala,

 On Wed, May 23, 2018 at 10:11 AM, Megala Uthayakumar 
 wrote:

> Hi All,
>
> I am working on $subject for IS 5.5.0.
>
> When handling custom claims, we do have two options.
>
>   1. Handling custom claims as we have handled it in the
>      SAML2BearerGrantHandler.
>      - The current SAML2BearerGrantHandler converts the claims coming
>        from the IDP to local claims and then filters out OIDC claims only,
>        given that the scope is given as openid.
>   2. Handle the relevant custom claims as they are when the scope is not
>      openid, and if the scope is openid, filter out the openid scopes as we
>      do for SAML2BearerGrantHandler.
>      - If the scope is not openid, add all the custom claims with
>        the access token.
>      - If the scope is openid, follow the same approach followed by
>        SAML2BearerGrantHandler.
>
> I think option 2 is the better way to handle this, because
>
> JWT does not restrict the collection of custom claims, hence if we go
> with option 1, the customer is expected to select one of the OpenID claims to
> get their claims back in the original incoming JWT.
>

 Could you please explain this line further?

>>> In our WSO2 IS server, we have a predefined list of OIDC claims [1], but in
>>> JWT we can have custom claims that are not defined in our list.
>>>
>>> For example,
>>> a third party identity provider may send a claim with the name
>>> "testClaim" with its JWT token and the service provider may expect the same
>>> claim with the same name, but this cannot be done in our case, as we only
>>> pass the predefined set of OIDC claims to the service provider.
>>>
>>>
 And in the subject you meant generating access token (but not JWT
 token) right?

>>> Self-contained access token, which is a JWT token. [2]
>>>
>>>

 Thanks,
 Bhathiya

>>>
>>> [1] https://docs.wso2.com/display/IS550/Configuring+Claims+for+an+Identity+Provider#ConfiguringClaimsforanIdentityProvider-MappingconfiguredclaimstoanOpenIDConnectclaim
>>> [2] https://docs.wso2.com/display/IS550/Self-contained+Access+Tokens
>>> 
>>>
>>>
>>> --
>>> Megala Uthayakumar
>>>
>>> Senior Software Engineer
>>> Mobile : 0779967122
>>>
>>
>>
>>
>> --
>> *Bhathiya Jayasekara*
>> *Associate Technical Lead,*
>> *WSO2 inc., http://wso2.com *
>>
>> *Phone: +94715478185*
>> *LinkedIn: http://www.linkedin.com/in/bhathiyaj
>> *
>> *Twitter: https://twitter.com/bhathiyax *
>> *Blog: http://movingaheadblog.blogspot.com
>> *
>>
>
>
>
> --
> Megala Uthayakumar
>
> Senior Software Engineer
> Mobile : 0779967122
>



-- 
Megala Uthayakumar

Senior Software Engineer
Mobile : 0779967122
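The claim handling agreed in the thread above (custom claims are released only when the scope is "openid", after conversion to local claims and filtering against the OIDC dialect and the scope-to-claims mapping), as an added example that is not part of the original discussion or of WSO2 Identity Server. The OIDC dialect, the scope mapping standing in for the "/oidc" registry resource, the IdP claim mapping and the incoming JWT payload are all constructed; the local claim URIs follow the IS naming style but are not taken from a deployment, and every function name is the example's own.

```python
"""Added example (not WSO2 code): the claim handling agreed on this thread.

Custom claims from the incoming JWT reach the self-contained access token only
when the requested scope includes "openid", after being converted to local
claims and filtered against the OIDC dialect and the scope-to-claims mapping.
All mappings and the incoming payload below are constructed for the example.
"""
from typing import Dict, Mapping, Sequence

# Standard JWT claims: not treated as custom claims by this filter.
REGISTERED_JWT_CLAIMS = frozenset({"iss", "sub", "aud", "exp", "nbf", "iat", "jti"})

# Constructed OIDC dialect: OIDC claim name -> local claim URI.
OIDC_DIALECT: Dict[str, str] = {
    "email": "http://wso2.org/claims/emailaddress",
    "given_name": "http://wso2.org/claims/givenname",
    "family_name": "http://wso2.org/claims/lastname",
}

# Constructed stand-in for the "/oidc" registry resource: scope -> OIDC claims.
# The openid scope itself releases no custom claims in this mapping.
SCOPE_CLAIMS: Dict[str, Sequence[str]] = {
    "openid": (),
    "profile": ("given_name", "family_name"),
    "email": ("email",),
}

# Constructed IdP claim mapping: claim name in the incoming JWT -> local URI.
IDP_CLAIM_MAPPING: Dict[str, str] = {
    "mail": "http://wso2.org/claims/emailaddress",
    "firstName": "http://wso2.org/claims/givenname",
}


def to_local_claims(incoming: Mapping[str, object], idp_mapping: Mapping[str, str]) -> Dict[str, object]:
    """Convert IdP claims to local claims; custom claims with no mapping are dropped."""
    local: Dict[str, object] = {}
    for name, value in incoming.items():
        if name in REGISTERED_JWT_CLAIMS:
            continue
        local_uri = idp_mapping.get(name)
        if local_uri is not None:
            local[local_uri] = value
    return local


def filter_oidc_claims(local_claims, scopes, dialect, scope_claims) -> Dict[str, object]:
    """Keep only local claims that are in the OIDC dialect and released by a requested scope."""
    allowed = set()
    for scope in scopes:
        allowed.update(scope_claims.get(scope, ()))
    local_to_oidc = {uri: name for name, uri in dialect.items()}
    result: Dict[str, object] = {}
    for uri, value in local_claims.items():
        oidc_name = local_to_oidc.get(uri)
        if oidc_name is not None and oidc_name in allowed:
            result[oidc_name] = value
    return result


def custom_claims_for_token(incoming, scopes, idp_mapping=IDP_CLAIM_MAPPING,
                            dialect=OIDC_DIALECT, scope_claims=SCOPE_CLAIMS):
    """Agreed design: custom claims are released only when "openid" is requested."""
    if "openid" not in scopes:
        return {}
    return filter_oidc_claims(to_local_claims(incoming, idp_mapping), scopes, dialect, scope_claims)


def with_test_claim_supported(idp_mapping, dialect, scope_claims):
    """The thread's way to pass a non-standard claim such as "testClaim": add it to
    the OIDC dialect and append it to a scope in the "/oidc" resource (plus the IdP
    mapping so it is converted to a local claim). Returns modified copies."""
    local_uri = "http://wso2.org/claims/testClaim"  # constructed local claim URI
    new_mapping = {**idp_mapping, "testClaim": local_uri}
    new_dialect = {**dialect, "testClaim": local_uri}
    new_scope_claims = {**scope_claims, "profile": tuple(scope_claims["profile"]) + ("testClaim",)}
    return new_mapping, new_dialect, new_scope_claims


# Constructed incoming JWT payload from a third-party IdP.
INCOMING_JWT_CLAIMS = {
    "iss": "https://idp.example.test", "sub": "alice", "exp": 1_700_000_000,
    "mail": "alice@example.test", "firstName": "Alice", "testClaim": "custom-value",
}


def demo():
    scopes = ["openid", "email", "profile"]
    before = custom_claims_for_token(INCOMING_JWT_CLAIMS, scopes)
    mapping, dialect, scope_claims = with_test_claim_supported(IDP_CLAIM_MAPPING, OIDC_DIALECT, SCOPE_CLAIMS)
    after = custom_claims_for_token(INCOMING_JWT_CLAIMS, scopes, mapping, dialect, scope_claims)
    without_openid = custom_claims_for_token(INCOMING_JWT_CLAIMS, ["email", "profile"])
    return before, after, without_openid
```

Running `demo()` shows the two stages the thread relies on: "testClaim" is silently dropped because it has no entry in the dialect, reappears once the dialect, IdP mapping and the "profile" scope are extended, and nothing custom is released at all when "openid" is not requested.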


Re: [Architecture] Handling custom claims when generating JWT token using JWT grant type

2018-05-30 Thread Megala Uthayakumar
Resending the missing image



On Wed, May 30, 2018 at 4:02 PM, Megala Uthayakumar  wrote:

> *Hi,*
>
> *As per the offline discussion with IAM team, following is the agreed
> design.*
>
>
>
> *Darshana/Maduranga/Farasath/IAM Team - Please do correct me if I have
> misunderstood regarding this.*
>
> *Thanks.*
>
> Regards,
> Megala
>
> On Thu, May 24, 2018 at 9:41 AM, Megala Uthayakumar 
> wrote:
>
>> Hi,
>>
>> As per the meeting held offline, it was decided to only send the custom
>> claims when the scope is given as "openid". Sending custom claims that are
>> not defined in dialect can be supported by adding new claims to openid
>> dialect and by appending the relevant scopes to "/oidc" resource in config
>> registry.
>>
>> Thanks.
>>
>> Regards,
>> Megala
>>
>> On Wed, May 23, 2018 at 2:41 PM, Bhathiya Jayasekara 
>> wrote:
>>
>>> Thanks, I just understood the scenario.
>>>
>>> Thanks,
>>> Bhathiya
>>>
>>> On Wed, May 23, 2018 at 2:36 PM, Megala Uthayakumar 
>>> wrote:
>>>
 Hi Bhathiya,

 On Wed, May 23, 2018 at 1:05 PM, Bhathiya Jayasekara >>> > wrote:

> Hi Megala,
>
> On Wed, May 23, 2018 at 10:11 AM, Megala Uthayakumar 
> wrote:
>
>> Hi All,
>>
>> I am working on $subject for IS 5.5.0.
>>
>> When handling custom claims, we do have two options.
>>
>>   1. Handling custom claims as we have handled it in the
>>      SAML2BearerGrantHandler.
>>      - The current SAML2BearerGrantHandler converts the claims coming
>>        from the IDP to local claims and then filters out OIDC claims only,
>>        given that the scope is given as openid.
>>   2. Handle the relevant custom claims as they are when the scope is not
>>      openid, and if the scope is openid, filter out the openid scopes as we
>>      do for SAML2BearerGrantHandler.
>>      - If the scope is not openid, add all the custom claims with
>>        the access token.
>>      - If the scope is openid, follow the same approach followed by
>>        SAML2BearerGrantHandler.
>>
>> I think option 2 is the better way to handle this, because
>>
>> JWT does not restrict the collection of custom claims, hence if we go
>> with option 1, the customer is expected to select one of the OpenID claims
>> to get their claims back in the original incoming JWT.
>>
>
> Could you please explain this line further?
>
 In our WSO2 IS server, we have a predefined list of OIDC claims [1], but
 in JWT we can have custom claims that are not defined in our list.

 For example,
 a third party identity provider may send a claim with the name
 "testClaim" with its JWT token and the service provider may expect the same
 claim with the same name, but this cannot be done in our case, as we only
 pass the predefined set of OIDC claims to the service provider.


> And in the subject you meant generating access token (but not JWT
> token) right?
>
 Self-contained access token, which is a JWT token. [2]


>
> Thanks,
> Bhathiya
>

 [1] https://docs.wso2.com/display/IS550/Configuring+Claims+for+an+Identity+Provider#ConfiguringClaimsforanIdentityProvider-MappingconfiguredclaimstoanOpenIDConnectclaim
 [2] https://docs.wso2.com/display/IS550/Self-contained+Access+Tokens
 


 --
 Megala Uthayakumar

 Senior Software Engineer
 Mobile : 0779967122

>>>
>>>
>>>
>>> --
>>> *Bhathiya Jayasekara*
>>> *Associate Technical Lead,*
>>> *WSO2 inc., http://wso2.com *
>>>
>>> *Phone: +94715478185*
>>> *LinkedIn: http://www.linkedin.com/in/bhathiyaj
>>> *
>>> *Twitter: https://twitter.com/bhathiyax *
>>> *Blog: http://movingaheadblog.blogspot.com
>>> *
>>>
>>
>>
>>
>> --
>> Megala Uthayakumar
>>
>> Senior Software Engineer
>> Mobile : 0779967122
>>
>
>
>
> --
> Megala Uthayakumar
>
> Senior Software Engineer
> Mobile : 0779967122
>



-- 
Megala Uthayakumar

Senior Software Engineer
Mobile : 0779967122


Re: [Architecture] Handling custom claims when generating JWT token using JWT grant type

2018-05-30 Thread Farasath Ahamed
On Wed, May 30, 2018 at 4:04 PM, Megala Uthayakumar  wrote:

> Resending the missing image
>
>
>

Regarding the "SP Claim Mapping exist with requested attributes" decision,
shouldn't this simply be SP requested claims, since we do not care about SP
claim mapping in the OIDC flow?


>
> On Wed, May 30, 2018 at 4:02 PM, Megala Uthayakumar 
> wrote:
>
>> *Hi,*
>>
>> *As per the offline discussion with IAM team, following is the agreed
>> design.*
>>
>>
>>
>> *Darshana/Maduranga/Farasath/IAM Team - Please do correct me if I have
>> misunderstood regarding this.*
>>
>> *Thanks.*
>>
>> Regards,
>> Megala
>>
>> On Thu, May 24, 2018 at 9:41 AM, Megala Uthayakumar 
>> wrote:
>>
>>> Hi,
>>>
>>> As per the meeting held offline, it was decided to only send the custom
>>> claims when the scope is given as "openid". Sending custom claims that are
>>> not defined in dialect can be supported by adding new claims to openid
>>> dialect and by appending the relevant scopes to "/oidc" resource in config
>>> registry.
>>>
>>> Thanks.
>>>
>>> Regards,
>>> Megala
>>>
>>> On Wed, May 23, 2018 at 2:41 PM, Bhathiya Jayasekara 
>>> wrote:
>>>
 Thanks, I just understood the scenario.

 Thanks,
 Bhathiya

 On Wed, May 23, 2018 at 2:36 PM, Megala Uthayakumar 
 wrote:

> Hi Bhathiya,
>
> On Wed, May 23, 2018 at 1:05 PM, Bhathiya Jayasekara <
> bhath...@wso2.com> wrote:
>
>> Hi Megala,
>>
>> On Wed, May 23, 2018 at 10:11 AM, Megala Uthayakumar > > wrote:
>>
>>> Hi All,
>>>
>>> I am working on $subject for IS 5.5.0.
>>>
>>> When handling custom claims, we do have two options.
>>>
>>>   1. Handling custom claims as we have handled it in the
>>>      SAML2BearerGrantHandler.
>>>      - The current SAML2BearerGrantHandler converts the claims coming
>>>        from the IDP to local claims and then filters out OIDC claims only,
>>>        given that the scope is given as openid.
>>>   2. Handle the relevant custom claims as they are when the scope is not
>>>      openid, and if the scope is openid, filter out the openid scopes as we
>>>      do for SAML2BearerGrantHandler.
>>>      - If the scope is not openid, add all the custom claims with
>>>        the access token.
>>>      - If the scope is openid, follow the same approach followed
>>>        by SAML2BearerGrantHandler.
>>>
>>> I think option 2 is the better way to handle this, because
>>>
>>> JWT does not restrict the collection of custom claims, hence if we go
>>> with option 1, the customer is expected to select one of the OpenID claims
>>> to get their claims back in the original incoming JWT.
>>>
>>
>> Could you please explain this line further?
>>
> In our WSO2 IS server, we have a predefined list of OIDC claims [1], but
> in JWT we can have custom claims that are not defined in our list.
>
> For example,
> a third party identity provider may send a claim with the name
> "testClaim" with its JWT token and the service provider may expect the
> same claim with the same name, but this cannot be done in our case, as we
> only pass the predefined set of OIDC claims to the service provider.
>
>
>> And in the subject you meant generating access token (but not JWT
>> token) right?
>>
> Self-contained access token, which is a JWT token. [2]
>
>
>>
>> Thanks,
>> Bhathiya
>>
>
> [1] https://docs.wso2.com/display/IS550/Configuring+Claims+for+an+Identity+Provider#ConfiguringClaimsforanIdentityProvider-MappingconfiguredclaimstoanOpenIDConnectclaim
> [2] https://docs.wso2.com/display/IS550/Self-contained+Access+Tokens
> 
>
>
> --
> Megala Uthayakumar
>
> Senior Software Engineer
> Mobile : 0779967122
>



 --
 *Bhathiya Jayasekara*
 *Associate Technical Lead,*
 *WSO2 inc., http://wso2.com *

 *Phone: +94715478185*
 *LinkedIn: http://www.linkedin.com/in/bhathiyaj
 *
 *Twitter: https://twitter.com/bhathiyax *
 *Blog: http://movingaheadblog.blogspot.com
 *

>>>
>>>
>>>
>>> --
>>> Megala Uthayakumar
>>>
>>> Senior Software Engineer
>>> Mobile : 0779967122
>>>
>>
>>
>>
>> --
>> Megala Uthayakumar
>>
>> Senior Software Engineer
>> Mobile : 0779967122
>>
>
>
>
> --
> Megala Uthayakumar
>
> Senior Software Engineer
> Mobile : 0779967122
>



-- 
Farasath Ahamed
Senior Software Engineer, WSO2 Inc.; http://wso2.com
Mobile: +94777603866
Blog: blog.farazath.com
Twitter: @farazath619 


Re: [Architecture] Handling custom claims when generating JWT token using JWT grant type

2018-05-30 Thread Megala Uthayakumar
Yes. I tried to explain the same thing, but it seems it is confusing. I will
simplify it.

Thanks.

Regards,
Megala

On Wed, May 30, 2018 at 4:12 PM, Farasath Ahamed  wrote:

>
>
> On Wed, May 30, 2018 at 4:04 PM, Megala Uthayakumar 
> wrote:
>
>> Resending the missing image
>>
>>
>>
>
> Regarding the "SP Claim Mapping exist with requested attributes" decision,
> shouldn't this simply be SP requested claims, since we do not care about SP
> claim mapping in the OIDC flow?
>
>
>>
>> On Wed, May 30, 2018 at 4:02 PM, Megala Uthayakumar 
>> wrote:
>>
>>> *Hi,*
>>>
>>> *As per the offline discussion with IAM team, following is the agreed
>>> design.*
>>>
>>>
>>>
>>> *Darshana/Maduranga/Farasath/IAM Team - Please do correct me if I have
>>> misunderstood regarding this.*
>>>
>>> *Thanks.*
>>>
>>> Regards,
>>> Megala
>>>
>>> On Thu, May 24, 2018 at 9:41 AM, Megala Uthayakumar 
>>> wrote:
>>>
 Hi,

 As per the meeting held offline, it was decided to only send the custom
 claims when the scope is given as "openid". Sending custom claims that are
 not defined in dialect can be supported by adding new claims to openid
 dialect and by appending the relevant scopes to "/oidc" resource in config
 registry.

 Thanks.

 Regards,
 Megala

 On Wed, May 23, 2018 at 2:41 PM, Bhathiya Jayasekara >>> > wrote:

> Thanks, I just understood the scenario.
>
> Thanks,
> Bhathiya
>
> On Wed, May 23, 2018 at 2:36 PM, Megala Uthayakumar 
> wrote:
>
>> Hi Bhathiya,
>>
>> On Wed, May 23, 2018 at 1:05 PM, Bhathiya Jayasekara <
>> bhath...@wso2.com> wrote:
>>
>>> Hi Megala,
>>>
>>> On Wed, May 23, 2018 at 10:11 AM, Megala Uthayakumar <
>>> meg...@wso2.com> wrote:
>>>
 Hi All,

 I am working on $subject for IS 5.5.0.

 When handling custom claims, we do have two options.

    1. Handling custom claims as we have handled it in the
       SAML2BearerGrantHandler.
       - The current SAML2BearerGrantHandler converts the claims coming
         from the IDP to local claims and then filters out OIDC claims only,
         given that the scope is given as openid.
    2. Handle the relevant custom claims as they are when the scope is not
       openid, and if the scope is openid, filter out the openid scopes as
       we do for SAML2BearerGrantHandler.
       - If the scope is not openid, add all the custom claims with
         the access token.
       - If the scope is openid, follow the same approach followed
         by SAML2BearerGrantHandler.

 I think option 2 is the better way to handle this, because

 JWT does not restrict the collection of custom claims, hence if we go
 with option 1, the customer is expected to select one of the OpenID
 claims to get their claims back in the original incoming JWT.

>>>
>>> Could you please explain this line further?
>>>
>> In our WSO2 IS server, we have a predefined list of OIDC claims [1], but
>> in JWT we can have custom claims that are not defined in our list.
>>
>> For example,
>> a third party identity provider may send a claim with the name
>> "testClaim" with its JWT token and the service provider may expect the
>> same claim with the same name, but this cannot be done in our case, as we
>> only pass the predefined set of OIDC claims to the service provider.
>>
>>
>>> And in the subject you meant generating access token (but not JWT
>>> token) right?
>>>
>> Self-contained access token, which is a JWT token. [2]
>>
>>
>>>
>>> Thanks,
>>> Bhathiya
>>>
>>
>> [1] https://docs.wso2.com/display/IS550/Configuring+Claims+for+an+Identity+Provider#ConfiguringClaimsforanIdentityProvider-MappingconfiguredclaimstoanOpenIDConnectclaim
>> [2] https://docs.wso2.com/display/IS550/Self-contained+Access+Tokens
>> 
>>
>>
>> --
>> Megala Uthayakumar
>>
>> Senior Software Engineer
>> Mobile : 0779967122
>>
>
>
>
> --
> *Bhathiya Jayasekara*
> *Associate Technical Lead,*
> *WSO2 inc., http://wso2.com *
>
> *Phone: +94715478185*
> *LinkedIn: http://www.linkedin.com/in/bhathiyaj
> *
> *Twitter: https://twitter.com/bhathiyax
> *
> *Blog: http://movingaheadblog.blogspot.com
> *
>



 --
 Megala Uthayakumar

 Senior Software Engineer
 Mobile : 0779967122

>>>
>>>
>>>
>>> --
>>> Megala Uthayakumar
>>>
>>> Senior Software Engineer
>>> Mobile : 0779967122
>>>
>>
>>
>>
>> --
>> Megala Uthayakumar
>>
>>

Re: [Architecture] Handling custom claims when generating JWT token using JWT grant type

2018-05-30 Thread Farasath Ahamed
On Wed, May 30, 2018 at 4:17 PM, Megala Uthayakumar  wrote:

> Yes. I tried to explain the same thing, but it seems it is confusing. I will
> simplify it.
>

Thanks for the clarification.


>
> Thanks.
>
> Regards,
> Megala
>
> On Wed, May 30, 2018 at 4:12 PM, Farasath Ahamed 
> wrote:
>
>>
>>
>> On Wed, May 30, 2018 at 4:04 PM, Megala Uthayakumar 
>> wrote:
>>
>>> Resending the missing image
>>>
>>>
>>>
>>
>> Regarding the "SP Claim Mapping exist with requested attributes" decision,
>> shouldn't this simply be SP requested claims, since we do not care about SP
>> claim mapping in the OIDC flow?
>>
>>
>>>
>>> On Wed, May 30, 2018 at 4:02 PM, Megala Uthayakumar 
>>> wrote:
>>>
 *Hi,*

 *As per the offline discussion with IAM team, following is the agreed
 design.*



 *Darshana/Maduranga/Farasath/IAM Team - Please do correct me if I have
 misunderstood regarding this.*

 *Thanks.*

 Regards,
 Megala

 On Thu, May 24, 2018 at 9:41 AM, Megala Uthayakumar 
 wrote:

> Hi,
>
> As per the meeting held offline, it was decided to only send the custom
> claims when the scope is given as "openid". Sending custom claims that are
> not defined in dialect can be supported by adding new claims to openid
> dialect and by appending the relevant scopes to "/oidc" resource in config
> registry.
>
> Thanks.
>
> Regards,
> Megala
>
> On Wed, May 23, 2018 at 2:41 PM, Bhathiya Jayasekara <
> bhath...@wso2.com> wrote:
>
>> Thanks, I just understood the scenario.
>>
>> Thanks,
>> Bhathiya
>>
>> On Wed, May 23, 2018 at 2:36 PM, Megala Uthayakumar 
>> wrote:
>>
>>> Hi Bhathiya,
>>>
>>> On Wed, May 23, 2018 at 1:05 PM, Bhathiya Jayasekara <
>>> bhath...@wso2.com> wrote:
>>>
 Hi Megala,

 On Wed, May 23, 2018 at 10:11 AM, Megala Uthayakumar <
 meg...@wso2.com> wrote:

> Hi All,
>
> I am working on $subject for IS 5.5.0.
>
> When handling custom claims, we do have two options.
>
>   1. Handling custom claims as we have handled it in the
>      SAML2BearerGrantHandler.
>      - The current SAML2BearerGrantHandler converts the claims coming
>        from the IDP to local claims and then filters out OIDC claims only,
>        given that the scope is given as openid.
>   2. Handle the relevant custom claims as they are when the scope is not
>      openid, and if the scope is openid, filter out the openid scopes as
>      we do for SAML2BearerGrantHandler.
>      - If the scope is not openid, add all the custom claims with
>        the access token.
>      - If the scope is openid, follow the same approach followed
>        by SAML2BearerGrantHandler.
>
> I think option 2 is the better way to handle this, because
>
> JWT does not restrict the collection of custom claims, hence if we go
> with option 1, the customer is expected to select one of the OpenID claims
> to get their claims back in the original incoming JWT.
>

 Could you please explain this line further?

>>> In our WSO2 IS server, we have a predefined list of OIDC claims [1],
>>> but in JWT we can have custom claims that are not defined in our list.
>>>
>>> For example,
>>> a third party identity provider may send a claim with the name
>>> "testClaim" with its JWT token and the service provider may expect the
>>> same claim with the same name, but this cannot be done in our case, as we
>>> only pass the predefined set of OIDC claims to the service provider.
>>>
>>>
 And in the subject you meant generating access token (but not JWT
 token) right?

>>> Self-contained access token, which is a JWT token. [2]
>>>
>>>

 Thanks,
 Bhathiya

>>>
>>> [1] https://docs.wso2.com/display/IS550/Configuring+Claims+for+an+Identity+Provider#ConfiguringClaimsforanIdentityProvider-MappingconfiguredclaimstoanOpenIDConnectclaim
>>> [2] https://docs.wso2.com/display/IS550/Self-contained+Access+Tokens
>>> 
>>>
>>>
>>> --
>>> Megala Uthayakumar
>>>
>>> Senior Software Engineer
>>> Mobile : 0779967122
>>>
>>
>>
>>
>> --
>> *Bhathiya Jayasekara*
>> *Associate Technical Lead,*
>> *WSO2 inc., http://wso2.com *
>>
>> *Phone: +94715478185*
>> *LinkedIn: http://www.linkedin.com/in/bhathiyaj
>> *
>> *Twitter: https://twitter.com/bhathiyax
>> *
>> *Blog: http://movingaheadblog.blogspot.com
>

Re: [Architecture] [RRT] Forcing the challenge question for Identity Server

2018-05-30 Thread Indunil Upeksha Rathnayake
Hi Rosen,

In the PostAuthenticationHandler, from the authentication context, you can
retrieve the authenticated user and tenant domain. From the
PostAuthenticationHandler, the ChallengeQuestionManager OSGi service [1] can be
invoked to get the challenge questions that the authenticated user has not
answered.

You can refer to the pre and post flows in ConsentMgtPostAuthnHandler [2], which
we are currently using for retrieving and managing user consent. From that,
you will be able to get some idea of the consent page redirection from the
PostAuthenticationHandler and retrieving back the user claims for which the
user has provided consent. I think in your case also you may be able to
use the same approach.

[1]
https://github.com/wso2-extensions/identity-governance/blob/master/components/org.wso2.carbon.identity.recovery/src/main/java/org/wso2/carbon/identity/recovery/ChallengeQuestionManager.java
[2]
https://github.com/wso2/carbon-identity-framework/blob/master/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/handler/request/impl/consent/ConsentMgtPostAuthnHandler.java#L188

Thanks and Regards

On Tue, May 29, 2018 at 11:20 PM, Rosen Silva  wrote:

> Hi All,
>
> I'm implementing a feature for IS 5.5.0 to force users to add answers to
> challenge questions.
> This feature is implemented using PostAuthenticationHandler.
>
> The logic executes in the following order:
> * Check from the post authenticator whether the user has already added
> the answers
> * If not, redirect users to a webpage (JSP file) to get the answers to the
> challenge questions
> * Check whether users have added the challenge questions
> * Let users log in to the SP if the user has filled in the answers to the
> challenge questions
>
>
> Clarifications on implementing the JSP page for retrieving and updating
> answers to challenge questions
>
> AFAIK we can't use the admin service to retrieve and update security
> questions since we don't have the cookie while in the post-authentication
> flow.
> One possibility is to send the challenge questions to the webpage with the
> HTTP servlet request and get the answers back to the post authentication
> handler through the servlet response and add the answers to the challenge
> questions.
>
> Your input is appreciated.
>
> Thanks and regards,
> --
>
> *Rosen Silva*
> Software Engineer - WSO2
>
> Email: ros...@wso2.com
> Mobile: +94770677418
> Web: https://wso2.com/
>



-- 
Indunil Upeksha Rathnayake
Senior Software Engineer | WSO2 Inc
Email    indu...@wso2.com
Mobile   0772182255
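The post-authentication flow discussed in this thread (check which challenge question sets the authenticated user has not answered, redirect once to a page that collects answers, store them through the challenge question service, then let the login continue to the SP), as an added example that is not code from the thread or from WSO2 Identity Server. `InMemoryChallengeQuestionManager` is a constructed stand-in for the ChallengeQuestionManager OSGi service [1] and does not reproduce its API; the `AuthenticationContext` fields, the question texts, the "set" grouping of questions and the salted-hash storage of answers are this example's own assumptions. The one defensive point the example adds to the thread's description is that the handler hands the page only questions fetched server-side and accepts back only question ids that exist for the tenant.

```python
"""Added example, not WSO2 Identity Server code. Models the PostAuthenticationHandler
flow in this thread: find the challenge question sets the user has not answered,
redirect once to collect answers, store them through the challenge question
service, then let the login continue. InMemoryChallengeQuestionManager is a
constructed stand-in for the ChallengeQuestionManager OSGi service [1]; the
context fields, question texts and salted-hash storage are this example's choices.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from enum import Enum


class Outcome(Enum):
    SUCCESS_COMPLETED = "success"  # nothing pending, continue to the SP
    INCOMPLETE = "incomplete"      # redirect to the answers page and wait


@dataclass(frozen=True)
class ChallengeQuestion:
    set_id: str  # the user answers one question per set
    question_id: str
    text: str


@dataclass
class AuthenticationContext:  # assumed subset of the framework's context
    tenant_domain: str
    authenticated_user: str


def _hash_answer(answer, salt):
    # Normalise case and whitespace so a trivially different rendering still verifies.
    normalised = " ".join(answer.strip().lower().split())
    return hashlib.pbkdf2_hmac("sha256", normalised.encode("utf-8"), salt, 50_000)


class InMemoryChallengeQuestionManager:
    """Constructed stand-in for the ChallengeQuestionManager OSGi service."""
    def __init__(self, questions_by_tenant):
        self._questions = questions_by_tenant
        self._answers = {}  # (tenant, user) -> {set_id: (question_id, salt, hash)}

    def questions_for_tenant(self, tenant):
        return list(self._questions.get(tenant, []))

    def unanswered_sets(self, tenant, user):
        answered = self._answers.get((tenant, user), {})
        return sorted({q.set_id for q in self.questions_for_tenant(tenant)} - set(answered))

    def store_answers(self, tenant, user, answers):
        """answers: question_id -> plaintext answer posted back by the page. Only ids
        known for the tenant are accepted, so the page cannot supply its own questions."""
        known = {q.question_id: q for q in self.questions_for_tenant(tenant)}
        stored = self._answers.setdefault((tenant, user), {})
        for question_id, answer in answers.items():
            if question_id not in known:
                raise ValueError(f"unknown challenge question id: {question_id}")
            salt = os.urandom(16)
            stored[known[question_id].set_id] = (question_id, salt, _hash_answer(answer, salt))

    def verify_answer(self, tenant, user, question_id, answer):
        for stored_id, salt, digest in self._answers.get((tenant, user), {}).values():
            if stored_id == question_id:
                return hmac.compare_digest(_hash_answer(answer, salt), digest)
        return False


class ForceChallengeQuestionsHandler:
    """Post-authentication step implementing the thread's bullet list."""
    def __init__(self, manager):
        self._manager = manager

    def handle(self, context, posted_answers=None):
        """posted_answers is None on the first pass and holds the page's answers on
        return. Returns (outcome, questions to render on a redirect)."""
        tenant, user = context.tenant_domain, context.authenticated_user
        if posted_answers is not None:
            self._manager.store_answers(tenant, user, posted_answers)
        pending = self._manager.unanswered_sets(tenant, user)
        if not pending:
            return Outcome.SUCCESS_COMPLETED, []
        # Questions come from the server-side service; only unanswered sets are sent.
        return Outcome.INCOMPLETE, [q for q in self._manager.questions_for_tenant(tenant)
                                    if q.set_id in pending]


def demo():
    # Constructed question sets; "carbon.super" is the IS super tenant domain.
    manager = InMemoryChallengeQuestionManager({"carbon.super": [
        ChallengeQuestion("set1", "q1", "City where you were born?"),
        ChallengeQuestion("set1", "q2", "Name of your first school?"),
        ChallengeQuestion("set2", "q3", "Title of your favourite book?"),
    ]})
    handler = ForceChallengeQuestionsHandler(manager)
    ctx = AuthenticationContext("carbon.super", "alice")
    first = handler.handle(ctx)                          # redirect with all 3 questions
    second = handler.handle(ctx, {"q2": "Hill School"})  # set2 still pending
    third = handler.handle(ctx, {"q3": "Dune"})          # both sets answered
    later = handler.handle(ctx)                          # next login: nothing to do
    return manager, first, second, third, later
```

`demo()` walks one user through the flow: the first pass redirects with every question of the unanswered sets, a partial answer leaves the remaining set pending, and once all sets are answered the handler returns `SUCCESS_COMPLETED` immediately on later logins, with the stored answers verifiable only through the salted hash.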