Re: [Architecture] [Iam-dev] [Dev] [VOTE] Release WSO2 Identity Server 5.11.0 RC1
Hi all,

Tested the following without any blockers:

- Session management REST API
  - Me API: list sessions, terminate session by sessionId, terminate all sessions
  - UserId API: list sessions, terminate session by sessionId, terminate all sessions
- DCR create/get
- OIDC federated authentication SSO
- User self-registration
- Username recovery

[+] Stable - go ahead and release

Regards,
Piraveena

--
*Piraveena Paralogarajah*
Software Engineer | WSO2 Inc.
*(m)* +94776099594 | *(e)* pirave...@wso2.com

___
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
Re: [Architecture] [Dev] [VOTE] Release WSO2 Identity Server 5.9.0 RC2
Hi All,

Thanks for testing WSO2 Identity Server 5.9.0-RC2. Since this vote has passed with 22 [+1]s and 0 [-1]s, we're hereby closing this vote and proceeding with the WSO2 Identity Server 5.9.0 GA release.

Best Regards,
- WSO2 Identity Server Team -

*Piraveena Paralogarajah*
Software Engineer | WSO2 Inc.
*(m)* +94776099594 | *(e)* pirave...@wso2.com

On Fri, Oct 4, 2019 at 6:01 AM Kanapriya Kuleswararajan wrote:
> Hi All,
> I have tested the following scenarios and it works as expected, +1 to go ahead and release.
>
> - Basic functionality with EmailOTP (Basic authenticator/Federated Authenticator as first step and EmailOTP as the second step) with secondary user stores.
> - EmailOTP with Email Templates
> - X509 with basic functionality
> - Account locking by failed login attempts
> - User Self Registration
>
> Thanks
> Kanapriya Kuleswararajan
> Senior Software Engineer
> Mobile : - 0774894438
> Mail : - kanapr...@wso2.com
> LinkedIn : - https://www.linkedin.com/in/kanapriya-kules-94712685/
> WSO2, Inc.
> lean . enterprise . middleware
>
> On Fri, Oct 4, 2019 at 1:21 AM Pamoda Wimalasiri wrote:
>
>> Hi all,
>>
>> I tested the following scenarios on IS-5.9.0-RC2 with MySQL database.
>>
>> - Viewing, terminating sessions from the user portal
>> - Create a service provider, configure SAML SSO, authenticate with Basic Authenticator for travelocity app
>> - Create, retrieve and delete OAuth2 app using dcr endpoint
>> - Configure a federated Identity provider with facebook configuration
>> - Federated Authentication with facebook
>> - JIT provisioning with facebook as federated IdP
>> - Multi option login with basic authenticator and facebook IdP
>> - Multi-step login with basic authenticator and facebook IdP
>> - Role-based adaptive authentication
>>
>> No blocking issues found.
>>
>> [+] Stable - Go ahead and release
>>
>> Thanks,
>> Pamoda
>>
>> On Fri, Oct 4, 2019 at 12:24 AM Ayesha Dissanayaka wrote:
>>
>>> Hi,
>>>
>>> As I was able to perform the following tests successfully on IS-5.9.0-RC2, +1 to go ahead and release.
>>>
>>> - User self-registration with email confirmation
>>> - Username Recovery
>>> - Password Recovery
>>> - Email OTP
>>> - OIDC - auth code flow
>>> - User challenges - self-care REST API
>>> - Browsing management console
>>>
>>> [+] Stable - Go ahead and release
>>>
>>> Thanks!
>>> -Ayesha
>>>
>>> On Thu, Oct 3, 2019 at 10:51 PM Gayashan Bombuwala wrote:
>>>
>>>> Hi all,
>>>>
>>>> Tested below scenarios on IS 5.9.0-RC2 pack.
>>>>
>>>> - SAML2 Bearer Assertion Profile for OAuth 2.0
>>>> - Federated authentication with a second instance of IS as the Identity Provider.
>>>> - JIT provisioning with a second instance of IS as the Identity Provider.
>>>>
>>>> No blocking issues found.
>>>>
>>>> [+] Stable - Go ahead and release
>>>>
>>>> Best regards,
>>>> Gayashan.
>>>>
>>>> On Thu, Oct 3, 2019 at 9:16 PM Vihanga Liyanage wrote:
>>>>
>>>>> Hi all,
>>>>>
>>>>> Tested below scenarios on IS 5.9.0-RC2 pack using the Postgresql database.
>>>>>
>>>>> - Add service provider, configured SAML SSO, authenticate with *the dispatch* sample web app.
>>>>> - Add new SP with Open ID OAuth/OpenID Connect Configuration and authenticate with *the playground* sample web app.
>>>>> - Tested all OAuth/OIDC grant types.
>>>>> - Manipulated email templates with I18nEmailMgtConfigService admin service.
>>>>>
>>>>> No blocking issues found.
>>>>>
>>>>> [+] Stable - Go ahead and release
>>>>>
>>>>> Best regards,
>>>>> Vihanga.
>>>>>
>>>>> On Thu, Oct 3, 2019 at 3:45 PM Ashen Weerathunga wrote:
>>>>>
>>>>>> Hi All,
>>>>>>
>>>>>> I have tested the following scenarios and no blocking issues found.
>>>>>>
>>>>>> - SSO with SAML
>>>>>
Re: [Architecture] [Dev] [VOTE] Release WSO2 Identity Server 5.9.0 RC2
Hi all,

I have tested the following scenarios:

- Scope Management REST API
- XACML based scope validation for the token issuing phase in the following OAuth grant types
  - Authorization code flow
  - Password grant
  - Client credentials
  - Implicit flow
- XACML based authorization

No blocker issues found.

[+] Stable - go ahead and release

Thanks,
Piraveena

*Piraveena Paralogarajah*
Software Engineer | WSO2 Inc.
*(m)* +94776099594 | *(e)* pirave...@wso2.com

On Thu, Oct 3, 2019 at 3:45 PM Ashen Weerathunga wrote:
> Hi All,
>
> I have tested the following scenarios and no blocking issues found.
>
> - SSO with SAML
> - Federated authentication with Google
> - Federated authentication with Facebook
> - SSO with multi-option and multi-step authentication
> - Role-based Adaptive authentication
>
> [+] Stable - go ahead and release
>
> Thanks,
> Ashen
>
> On Thu, Oct 3, 2019 at 2:34 PM Shanika Wickramasinghe wrote:
>
>> Hi All,
>>
>> I have tested the following features and no issues found.
>>
>> Ubuntu 16.04 | MSSQL | Embedded LDAP Primary User Store | Super Tenant
>>
>> - Manage roles with SCIM 2.0: Create Group, Delete Group, Filter Groups, Search Groups, Update Group - PATCH, Update Group - PUT
>> - Manage users with SCIM 2.0: Create User, Delete User by ID, Filter Users, Search Users, Update User - PATCH, Update User - PUT
>> - Recover Username with dashboard
>> - Recover Password with dashboard
>>
>> Ubuntu 16.04 | MSSQL | Secondary User Store | Super Tenant
>>
>> - SP pagination with UI
>> - SP pagination with Admin Services
>> - Account Lock
>> - Recaptcha with Single Sign On
>>
>> Ubuntu 16.04 | H2/MSSQL | Embedded LDAP Primary User Store | Super Tenant
>>
>> - Manage Workflows
>>
>> Ubuntu 16.04 | H2 | Embedded LDAP Primary User Store | Super Tenant
>>
>> - Manage Workflows with QSG sample
>> - User self-registration via REST APIs
>> - User self-registration via user portal
>> - User manages his own user account, Update user profile
>> - OAuth 1.0 SP Creation/Update
>>
>> +1 Go ahead and release.
>>
>> Thanks,
>> Shanika
>>
>> On Thu, Oct 3, 2019 at 9:16 AM Achini Jayasena wrote:
>>
>>> Hi All,
>>>
>>> Tested and verified with performance test and long running test. Test results match with the expectations.
>>>
>>> *Performance test*
>>>
>>> Summary: Performance has been improved comparing to the product version 5.8
>>>
>>> Deployment
>>>
>>> - OS: Ubuntu
>>> - DB: MySQL
>>> - Heap: 4G/2G
>>> - CPU cores: 4
>>> - Concurrent users: 50, 100, 150, 300, 500
>>>
>>> Scenarios:
>>>
>>> - Authenticate_Super_Tenant_User
>>> - OAuth_AuthCode_Redirect_WithConsent
>>> - OAuth_Client_Credentials_Grant
>>> - OAuth_Implicit_Redirect_WithConsent
>>> - OAuth_Password_Grant
>>> - OIDC_AuthCode_Redirect_WithConsent
>>> - OIDC_AuthCode_Request_Path_Authenticator_WithConsent
>>> - OIDC_Implicit_Redirect_WithConsent
>>> - OIDC_Password_Grant
>>> - SAML2_SSO_Redirect_Binding
>>> - Challenge questions by super tenant users
>>> - Refresh token refresh grant - Renewal false
>>>
>>> *Long running test*
>>>
>>> Summary: No issue reported.
>>>
>>> Deployment:
>>>
>>> - IS node
>>>   - Instance type: c5.xlarge
>>>   - vCPU: 4
>>>   - RAM: 8GB
>>>   - Heap: 2G allocated for IS
>>> - RDS as the MySQL DB
>>>   - MySQL engine version: 5.7.22
>>>   - vCPU: 4
>>>   - Instance class: db.m4.xlarge
>>>   - RAM: 16 GB
>>>   - Storage: 100 GiB
>>> - Executing test scenarios:
>>>   - Authenticate_Super_Tenant_User
>>>   - OAuth_AuthCode_Redirect_WithConsent
>>>   - OAuth_Password_Grant
>>>   - OIDC_AuthCode_Redirect_WithConsent
>>>
[Architecture] [VOTE] Release WSO2 Identity Server 5.9.0 RC2
Hi all,

We are pleased to announce the second release candidate of WSO2 Identity Server 5.9.0.

New Features

- An improved, simpler configuration model
- RESTful APIs for user self-services
- Passwordless authentication with WebAuthn
- Reusable script library for adaptive authentication
- Cross-protocol single logout capability
- Inbuilt support to view and revoke user sessions
- Azure AD/Office365 multi-domain federation support

Fixes

This release includes the following issue fixes and improvements:

- 5.9.0-m1 <https://github.com/wso2/product-is/milestone/85?closed=1>
- 5.9.0-m2 <https://github.com/wso2/product-is/milestone/86?closed=1>
- 5.9.0-m3 <https://github.com/wso2/product-is/milestone/87?closed=1>
- 5.9.0-m4 <https://github.com/wso2/product-is/milestone/88?closed=1>
- 5.9.0-m5 <https://github.com/wso2/product-is/milestone/90?closed=1>
- 5.9.0-m6 <https://github.com/wso2/product-is/milestone/91?closed=1>
- 5.9.0-alpha <https://github.com/wso2/product-is/milestone/89?closed=1>
- 5.9.0-beta <https://github.com/wso2/product-is/milestone/93?closed=1>
- 5.9.0-GA <https://github.com/wso2/product-is/milestone/83?closed=1>

Source and Distribution

The source and distribution <https://github.com/wso2/product-is/releases/download/v5.9.0-rc2/wso2is-5.9.0-rc2.zip> are available at https://github.com/wso2/product-is/releases/tag/v5.9.0-rc2

Please download the product, test it, and vote using the following convention.

[+] Stable - go ahead and release
[-] Broken - do not release (explain why)

Thanks,
WSO2 Identity and Access Management Team

*Piraveena Paralogarajah*
Software Engineer | WSO2 Inc.
*(m)* +94776099594 | *(e)* pirave...@wso2.com
Re: [Architecture] [VOTE] Release WSO2 Identity Server 5.9.0 RC1
Hi All,

We are closing the vote as we are working on this issue [1]. We will fix the issue and release another release candidate as soon as possible.

[1] https://github.com/wso2/product-is/issues/6399

Thanks,
Piraveena

*Piraveena Paralogarajah*
Software Engineer | WSO2 Inc.
*(m)* +94776099594 | *(e)* pirave...@wso2.com

On Sat, Sep 28, 2019 at 9:29 PM Piraveena Paralogarajah wrote:
> Hi all,
>
> We are pleased to announce the first release candidate of WSO2 Identity Server 5.9.0.
>
> New features:
>
> - Less complex and more simplified new configuration model
> - Support for RESTful APIs
> - Passwordless authentication with WebAuthn
> - Federating multiple Azure AD/Office365 domains to a single tenant
> - Cross protocol log out
> - Functionality to view and revoke sessions of a user
> - Adaptive authentication function library.
>
> This release fixes the following issues,
>
> Fixes:
>
> - 5.9.0-m1 <https://github.com/wso2/product-is/milestone/85?closed=1>
> - 5.9.0-m2 <https://github.com/wso2/product-is/milestone/86?closed=1>
> - 5.9.0-m3 <https://github.com/wso2/product-is/milestone/87?closed=1>
> - 5.9.0-m4 <https://github.com/wso2/product-is/milestone/88?closed=1>
> - 5.9.0-m5 <https://github.com/wso2/product-is/milestone/90?closed=1>
> - 5.9.0-m6 <https://github.com/wso2/product-is/milestone/91?closed=1>
> - 5.9.0-alpha <https://github.com/wso2/product-is/milestone/89?closed=1>
> - 5.9.0-beta <https://github.com/wso2/product-is/milestone/93?closed=1>
> - 5.9.0-GA <https://github.com/wso2/product-is/milestone/83?closed=1>
>
> Download the product from here <https://github.com/wso2/product-is/releases/tag/v5.9.0-rc1>
>
> The Tag to be voted upon is https://github.com/wso2/product-is/releases/download/v5.9.0-rc1 <https://github.com/wso2/product-is/releases/download/v5.9.0-rc1/wso2is-5.9.0-rc1.zip>
>
> Please download, test the product and vote.
>
> [+] Stable - go ahead and release
> [-] Broken - do not release (explain why)
>
> Thanks,
> - WSO2 Identity and Access Management Team
>
> *Piraveena Paralogarajah*
> Software Engineer | WSO2 Inc.
> *(m)* +94776099594 | *(e)* pirave...@wso2.com
[Architecture] [VOTE] Release WSO2 Identity Server 5.9.0 RC1
Hi all,

We are pleased to announce the first release candidate of WSO2 Identity Server 5.9.0.

New features:

- Less complex and more simplified new configuration model
- Support for RESTful APIs
- Passwordless authentication with WebAuthn
- Federating multiple Azure AD/Office365 domains to a single tenant
- Cross protocol log out
- Functionality to view and revoke sessions of a user
- Adaptive authentication function library.

This release fixes the following issues,

Fixes:

- 5.9.0-m1 <https://github.com/wso2/product-is/milestone/85?closed=1>
- 5.9.0-m2 <https://github.com/wso2/product-is/milestone/86?closed=1>
- 5.9.0-m3 <https://github.com/wso2/product-is/milestone/87?closed=1>
- 5.9.0-m4 <https://github.com/wso2/product-is/milestone/88?closed=1>
- 5.9.0-m5 <https://github.com/wso2/product-is/milestone/90?closed=1>
- 5.9.0-m6 <https://github.com/wso2/product-is/milestone/91?closed=1>
- 5.9.0-alpha <https://github.com/wso2/product-is/milestone/89?closed=1>
- 5.9.0-beta <https://github.com/wso2/product-is/milestone/93?closed=1>
- 5.9.0-GA <https://github.com/wso2/product-is/milestone/83?closed=1>

Download the product from here <https://github.com/wso2/product-is/releases/tag/v5.9.0-rc1>

The Tag to be voted upon is https://github.com/wso2/product-is/releases/download/v5.9.0-rc1 <https://github.com/wso2/product-is/releases/download/v5.9.0-rc1/wso2is-5.9.0-rc1.zip>

Please download, test the product and vote.

[+] Stable - go ahead and release
[-] Broken - do not release (explain why)

Thanks,
- WSO2 Identity and Access Management Team

*Piraveena Paralogarajah*
Software Engineer | WSO2 Inc.
*(m)* +94776099594 | *(e)* pirave...@wso2.com
Re: [Architecture] [APIM] Mutual SSL with Load Balancer
Hi Gayan,

Once the load balancer passes the certificate in the header to the server, the Tomcat valve will read that and set it as a request attribute. You can find the code related to this here [1].

[1] https://github.com/wso2-extensions/identity-x509-commons/blob/master/components/valve/src/main/java/org/wso2/carbon/extension/identity/x509Certificate/valve/X509CertificateAuthenticationValve.java#L44

Thanks,
Piraveena

*Piraveena Paralogarajah*
Software Engineer | WSO2 Inc.
*(m)* +94776099594 | *(e)* pirave...@wso2.com

On Thu, Sep 26, 2019 at 7:44 PM gayan gunawardana wrote:
> Hi Piraveena,
>
> Thanks for the detailed response.
> However I am referring to APIM synapse endpoints and API authentication handlers. Having the x509 authenticator is great; probably I will extract the x509 authenticator code for a custom API authentication handler.
>
> Thanks,
> Gayan
>
> On Thu, Sep 26, 2019 at 7:52 AM Piraveena Paralogarajah <pirave...@wso2.com> wrote:
>
>> Hi Gayan,
>>
>> During SSL termination, the load balancer will drop the client's certificate. From the load balancer, you can send the client's certificate as an HTTP header. The x509 authenticator in IS already supports SSL termination. You can check the blog [1] and the doc [2] for the configs.
>>
>> [1] https://medium.com/@piraveenaparalogarajah/configuring-x509-authenticator-in-wso2-identity-server-using-ssl-termination-with-nginx-1c21c6e5f27a
>> [2] https://docs.wso2.com/display/ISCONNECTORS/Configuring+X509+Authenticator+with+SSL+Termination
>>
>> Thanks,
>> Piraveena
>> *Piraveena Paralogarajah*
>> Software Engineer | WSO2 Inc.
>> *(m)* +94776099594 | *(e)* pirave...@wso2.com
>>
>> On Wed, Sep 25, 2019 at 11:47 AM gayan gunawardana <gmgunaward...@gmail.com> wrote:
>>
>>> On Wed, Sep 25, 2019 at 6:49 AM Asela Pathberiya wrote:
>>>
>>>> On Wed, Sep 25, 2019 at 10:47 AM gayan gunawardana <gmgunaward...@gmail.com> wrote:
>>>>
>>>>> Hi APIM team,
>>>>>
>>>>> Is there any recommended deployment pattern to implement [1] if SSL termination happens at the load balancer?
>>>>>
>>>> One option is sending the client certificate's data using an HTTP header. Also it can be done at the SSL termination point as it has access to the client certificate.
>>>>
>>>> I assume that we have implemented such a sample handler for the GW.
>>>>
>>> Thanks a lot for the quick reply.
>>> I suppose sending the client certificate's data using an HTTP header is much more convenient.
>>> Having it on the SSL termination point is also a good option, but the problem is when we have multiple APIs with multiple certificates: how to maintain the API-to-certificate mapping in the SSL termination point.
>>>
>>>> Thanks,
>>>> Asela.
>>>>
>>>>> [1] https://docs.wso2.com/display/AM260/Securing+APIs+with+Mutual+SSL
>>>>>
>>>>> --
>>>>> Gayan
>>>>
>>>> --
>>>> Thanks & Regards,
>>>> Asela
>>>>
>>>> Mobile : +94 777 625 933
>>>>
>>>> http://soasecurity.org/
>>>> http://xacmlinfo.org/
>>>
>>> --
>>> Gayan
>
> --
> Gayan
Re: [Architecture] [APIM] Mutual SSL with Load Balancer
Hi Gayan,

During SSL termination, the load balancer will drop the client's certificate. From the load balancer, you can send the client's certificate as an HTTP header. The x509 authenticator in IS already supports SSL termination. You can check the blog [1] and the doc [2] for the configs.

[1] https://medium.com/@piraveenaparalogarajah/configuring-x509-authenticator-in-wso2-identity-server-using-ssl-termination-with-nginx-1c21c6e5f27a
[2] https://docs.wso2.com/display/ISCONNECTORS/Configuring+X509+Authenticator+with+SSL+Termination

Thanks,
Piraveena

*Piraveena Paralogarajah*
Software Engineer | WSO2 Inc.
*(m)* +94776099594 | *(e)* pirave...@wso2.com

On Wed, Sep 25, 2019 at 11:47 AM gayan gunawardana wrote:
>
> On Wed, Sep 25, 2019 at 6:49 AM Asela Pathberiya wrote:
>
>> On Wed, Sep 25, 2019 at 10:47 AM gayan gunawardana <gmgunaward...@gmail.com> wrote:
>>
>>> Hi APIM team,
>>>
>>> Is there any recommended deployment pattern to implement [1] if SSL termination happens at the load balancer?
>>>
>> One option is sending the client certificate's data using an HTTP header. Also it can be done at the SSL termination point as it has access to the client certificate.
>>
>> I assume that we have implemented such a sample handler for the GW.
>>
> Thanks a lot for the quick reply.
> I suppose sending the client certificate's data using an HTTP header is much more convenient.
> Having it on the SSL termination point is also a good option, but the problem is when we have multiple APIs with multiple certificates: how to maintain the API-to-certificate mapping in the SSL termination point.
>
>> Thanks,
>> Asela.
>>
>>> [1] https://docs.wso2.com/display/AM260/Securing+APIs+with+Mutual+SSL
>>>
>>> --
>>> Gayan
>>
>> --
>> Thanks & Regards,
>> Asela
>>
>> Mobile : +94 777 625 933
>>
>> http://soasecurity.org/
>> http://xacmlinfo.org/
>
> --
> Gayan
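The pattern agreed in this thread (the SSL-terminating balancer forwards the client certificate in an HTTP header, and the backend reads it from there) has one check the backend must not skip: the header is only meaningful when the request actually arrived from the balancer, since any direct caller could otherwise supply it. The following Python is an added illustration of that check, not code from the thread, from WSO2's X509 valve or from the APIM gateway. It assumes a header named X-SSL-Client-Cert carrying a URL-escaped PEM certificate (the form nginx's `$ssl_client_escaped_cert` produces), a constructed set of trusted balancer addresses, and placeholder DER bytes standing in for a real certificate. It also keeps the certificate-to-API mapping on the backend, keyed by certificate fingerprint, which is one way to address Gayan's question about maintaining that mapping at the termination point.

```python
import hashlib
import ssl
from typing import Dict, Optional, Set
from urllib.parse import quote, unquote

# Header the balancer is assumed to use for the forwarded certificate
# (constructed name; in practice whatever the valve/handler is configured with).
CERT_HEADER = "x-ssl-client-cert"

# Addresses of the SSL-terminating balancers allowed to set that header
# (constructed sample). A header arriving from any other peer is ignored,
# because that peer could have set it itself.
TRUSTED_PROXIES: Set[str] = {"10.0.0.5"}

# Backend-side registry: SHA-256 certificate fingerprint (hex) -> APIs it may call.
CERT_TO_APIS: Dict[str, Set[str]] = {}


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def register_client_cert(der: bytes, apis: Set[str]) -> str:
    """Register a client certificate for a set of APIs; returns its fingerprint."""
    fp = fingerprint(der)
    CERT_TO_APIS.setdefault(fp, set()).update(apis)
    return fp


def der_to_escaped_pem(der: bytes) -> str:
    """Simulate the balancer: PEM-encode the certificate and URL-escape it so the
    multi-line PEM fits in one header value (what $ssl_client_escaped_cert yields)."""
    return quote(ssl.DER_cert_to_PEM_cert(der), safe="")


def extract_client_cert(headers: Dict[str, str], peer_addr: str) -> Optional[bytes]:
    """Return the DER client certificate from the header, or None when the header
    is absent, not valid PEM, or did not come from a trusted balancer."""
    if peer_addr not in TRUSTED_PROXIES:
        return None
    lowered = {name.lower(): value for name, value in headers.items()}
    raw = lowered.get(CERT_HEADER)
    if not raw:
        return None
    try:
        return ssl.PEM_cert_to_DER_cert(unquote(raw))
    except ValueError:
        return None


def authorize(headers: Dict[str, str], peer_addr: str, api_name: str) -> bool:
    """Allow the call only if a trusted, registered certificate covers api_name."""
    der = extract_client_cert(headers, peer_addr)
    if der is None:
        return False
    return api_name in CERT_TO_APIS.get(fingerprint(der), set())


if __name__ == "__main__":
    # Placeholder DER bytes standing in for a real client certificate (constructed).
    sample_der = b"\x30\x82\x01\x00placeholder-client-certificate-bytes"
    register_client_cert(sample_der, {"orders-api"})
    forwarded = {"X-SSL-Client-Cert": der_to_escaped_pem(sample_der)}
    print(authorize(forwarded, "10.0.0.5", "orders-api"))      # True
    print(authorize(forwarded, "203.0.113.9", "orders-api"))   # False: not from the balancer
```

The peer-address check is the minimum; in a real deployment the balancer-to-backend hop should itself be authenticated (for example with its own mutual TLS), and the balancer must always overwrite the header rather than pass through whatever the client sent. Fingerprint matching stands in for the full chain validation the balancer performs at termination; the backend only decides which API the already-verified certificate is entitled to.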
[Architecture] [IS] Supplementary OSGi service for adding new claims to ID Token
Hi all,

According to the current implementation, there is no way to inject claims into the ID Token without changing the existing code base. There are some cases where we need to insert claims into the ID token for specific purposes. For example, in OpenID Connect Back-channel logout, the sid claim needs to be injected into the ID Token.

So I have implemented a supplementary OSGi service to add new claims to the ID Token. Anyone can implement this service and insert new claims into the ID Token without changing the code base. The diagram below shows how this works.

I have attached my PR here [1]. This blog can be referred to for further details [2].

Any feedback is appreciated.

[1] https://github.com/wso2-extensions/identity-inbound-auth-oauth/pull/621
[2] https://medium.com/@piraveenaparalogarajah/how-to-add-new-claims-to-id-token-by-implementing-supplementary-osgi-service-in-wso2-identity-626d19cfecab

Thanks,
--
*Piraveena Paralogarajah*
Intern - Software Engineering | WSO2
*Email* : pirave...@wso2.com
*Blog* : https://medium.com/@piraveenaparalogarajah
*Mobile* : +94776099594
[Architecture] OpenID Connect Back-channel Logout
Hi all,

Currently I'm working on the OpenID Connect Back-Channel Logout project.

*Objective:*

OpenID Connect specifies 3 mechanisms for logout, and WSO2 Identity Server supports only one of those mechanisms (OpenID Connect Session Management).

1. Front-channel
2. Back-channel
3. Session management

Currently IS supports SLO using OpenID Connect Session Management. The objective of this project is to implement the OpenID Connect Back-Channel Logout specification for Identity Server.

Advantages: Back-channel communication can be more reliable than communication through the User Agent.

This back-channel logout should be an OP-initiated logout. The diagram below shows how it should work.

*Steps:*

1. RP registers a back-channel logout URI.
2. Insert the sid claim in the ID token, which indicates the session of that RP.
3. Store the sid value, which is the same for a particular browser session.
4. When a logout request comes from a particular browser session, create a logout token with the sid claim.
5. Send the logout token to the RP's logout endpoint.
6. RP needs to validate the logout token.

*How it works*

*ID Token building process in OIDC Back-Channel Logout*

Here I have implemented a supplementary OSGi service to add claims to the ID token.

*Back-Channel Logout mechanism for Implicit flow*

In back-channel logout implicit flow, I'm storing the sid claim in the OIDC Session Store in such a way that all RPs belonging to the same browser session will have the same sid value. When a logout request comes from an RP, the OP will find the sid value belonging to that session. Then the OP will generate a logout token for all RPs belonging to the same browser session by inserting the sid claim. After the logout token is generated, the OP will send the logout token to the registered logout endpoint of all RPs.

Back-Channel Logout mechanism for Authorization Code flow is currently in progress.

Feedback on this progress is appreciated.

Reference: http://openid.net/specs/openid-connect-backchannel-1_0.html

Thanks,
--
*Piraveena Paralogarajah*
Intern - Software Engineering | WSO2
*Email* : pirave...@wso2.com
*Blog* : https://medium.com/@piraveenaparalogarajah
*Mobile* : +94776099594
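Steps 4 to 6 of the post (the OP mints a logout token carrying the sid claim, sends it to the RP's registered endpoint, and the RP validates it) are where the security of back-channel logout actually lives, because the RP is accepting an unsolicited request to terminate a session. The following Python is an added example, not code from the post, from WSO2 Identity Server or from the OIDC specification. It builds and validates a logout token using the claim rules of the Back-Channel Logout spec linked above, with these assumptions: HS256 and a shared secret stand in for the OP's real signing key (a production OP signs with an asymmetric key and the RP verifies against the OP's JWKS); the issuer, client_id, sid and secret are constructed sample values; and the replay cache is an in-memory set.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Set

# Event name the spec requires inside the "events" claim of a logout token.
BACKCHANNEL_LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_logout_token(issuer: str, client_id: str, sid: str, secret: bytes,
                       now: Optional[int] = None, extra_claims: Optional[dict] = None) -> str:
    """OP side (steps 4-5): mint a logout token for one RP's browser session.
    HS256 with a shared secret is an assumption made for this example only."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": issuer,
        "aud": client_id,
        "iat": now,
        "jti": secrets.token_urlsafe(16),     # unique per token; the RP keys replay detection on it
        "events": {BACKCHANNEL_LOGOUT_EVENT: {}},
        "sid": sid,                          # the session the RP must terminate
        # deliberately no "nonce": the spec prohibits it in logout tokens
    }
    claims.update(extra_claims or {})        # only used to demonstrate rejected shapes
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode()) + "." +
                     b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def validate_logout_token(token: str, expected_issuer: str, client_id: str, secret: bytes,
                          seen_jtis: Set[str], now: Optional[int] = None, max_age: int = 120) -> dict:
    """RP side (step 6): verify the signature and every claim the spec requires.
    Returns the claims on success and raises ValueError with a reason otherwise."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # pin the algorithm; never accept "none" or a swap
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(secret, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(claims_b64))
    if claims.get("iss") != expected_issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if not isinstance(claims.get("iat"), int) or abs(now - claims["iat"]) > max_age:
        raise ValueError("iat outside acceptable window")
    if "nonce" in claims:
        raise ValueError("nonce must not be present in a logout token")
    events = claims.get("events")
    if not isinstance(events, dict) or BACKCHANNEL_LOGOUT_EVENT not in events:
        raise ValueError("missing backchannel-logout event")
    if "sid" not in claims and "sub" not in claims:
        raise ValueError("logout token needs sid or sub")
    jti = claims.get("jti")
    if not jti or jti in seen_jtis:
        raise ValueError("replayed or missing jti")
    seen_jtis.add(jti)
    return claims


def rejection_reason(*args, **kwargs) -> Optional[str]:
    """Convenience wrapper: the validator's reason string, or None if the token is accepted."""
    try:
        validate_logout_token(*args, **kwargs)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    key = b"constructed-shared-secret"
    tok = build_logout_token("https://op.example/oauth2/token", "rp-client-id", "sess-123", key)
    print(validate_logout_token(tok, "https://op.example/oauth2/token", "rp-client-id", key, set()))
```

Two points in the validator matter most in practice: the replay cache keyed on `jti` stops a captured logout token from being resent, and the explicit `nonce` rejection keeps an ID token (which must carry a nonce) from being accepted as a logout token even though both are signed by the same OP.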
Re: [Architecture] Cross Protocol Single Logout
Hi Maninda,

In OpenID Connect, there are three ways for SLO.

1. OIDC Session management (see spec <http://openid.net/specs/openid-connect-session-1_0.html>)
2. OIDC Front-channel logout (see spec <http://openid.net/specs/openid-connect-frontchannel-1_0.html>)
3. OIDC Back-channel logout (see spec <http://openid.net/specs/openid-connect-backchannel-1_0.html>)

In federated authentication, WSO2-IS will act as an RP, and it will also act as an OP to the downstream RPs and log out the downstream logged-in sessions. You can refer to these specifications.

But Facebook is not an OpenID provider. It uses its own OpenID-like system called Facebook Connect. You can refer to this Stack Overflow question [1] <https://stackoverflow.com/questions/1827997/is-facebook-an-openid-provider>

Regards,
Piraveena

*Piraveena Paralogarajah*
Intern - Software Engineering | WSO2
*Email* : pirave...@wso2.com
*Mobile* : +94776099594

On Mon, Aug 14, 2017 at 5:37 PM, Maninda Edirisooriya <mani...@wso2.com> wrote:
> Hi Sugirjan,
>
> How does the SLO work with sessions logged in with federated authentication? For example, if a user has logged in with Facebook authentication, how will that user be logged out from the Authentication framework when the user is logged out from Facebook? Does OIDC have some spec to notify the WSO2 IDP that Facebook was logged out?
>
> Thanks.
>
> *Maninda Edirisooriya*
> Senior Software Engineer
>
> *WSO2, Inc.* lean.enterprise.middleware.
>
> *Blog* : http://maninda.blogspot.com/
> *E-mail* : mani...@wso2.com
> *Skype* : @manindae
> *Twitter* : @maninda
>
> On Thu, Aug 10, 2017 at 5:53 PM, Sugirjan Ragunaathan <sugir...@wso2.com> wrote:
>
>> Hi Kasun,
>>
>> On Thu, Aug 10, 2017 at 12:11 PM, KasunG Gajasinghe <kas...@wso2.com> wrote:
>>
>>> Can you list possible customer use cases on why they want to use this?
>>>
>> The main use cases are
>>
>> 1. If a user is using multiple applications which support different authentication protocols on the same browser session and the user logs out from one application, then he will be automatically logged out from all other applications. For example, if a user uses a SAML based application and an OIDC based application on the same browser session and he logs out from the SAML based application, then automatically he will be logged out from the OIDC based application.
>> Currently Identity Server supports only Cross protocol Single Login.
>>
>> 2. If a user administrator wants to log out from all the applications which are emerged with Identity Server on the same browser session, he can do a force logout from all those applications without regard to the authentication protocols that are supported. For example, if any security breach has happened and the admin user wants to log out from all the applications, he can initiate a force logout request for them.
>>
>> On Thu, Aug 10, 2017 at 11:47 AM, Sugirjan Ragunaathan <sugir...@wso2.com> wrote:
>>
>>> Hi,
>>>
>>> Currently I'm working on a project 'Cross protocol single logout'. WSO2 Identity Server provides Single LogOut over applications participating in the same session over the same authentication protocol, and Single SignOn over the different protocols.
>>>
>>> [image: 1.png]
>>>
>>> Objective:
>>>
>>> Design and provide a solution to support cross protocol SLO
>>>
>>> Problem:
>>>
>>> WSO2 Identity Server supports multiple applications which are using different authentication protocols. It does not provide cross protocol Single Logout. For example, assume that you are using a SAML based application and an OIDC based application in the same browser session. When you log out from the SAML based application it will only log you out from other SAML applications, not from the OIDC based application with the same session.
>>>
>>> Solution:
>>>
>>> The proposed solution for this problem is implementing a common event handler over different protocols. When a session is terminated because of user logout, an event should be published to invoke the 'SLO Event Handler'. So the 'SLO Event Handler' notifies all the inbound authenticators and the authenticators handle the respective logout actions. In order to listen to the logout event, all the respective authenticators have to be subscribed in the 'SLO event handler' and have own separate