Re: [Architecture] Grouping Identity server configurations.

2016-11-15 Thread Pushpalanka Jayawardhana
Hi All,

As I could deduce from the discussion so far, we are looking for 2 main
purposes to be achieved with security circles.

   1. Bulk configuration of service providers
   2. Limiting the session sharing between service providers

*Bulk configuration of service providers*
This will be beneficial in cases where,

Many service providers are present in the environment while all have
similar configurations to be applied
Service provider configurations need to be updated with the same
modification.

Value addition will be less in the cases below,

Service provider configuration is not a frequent operation
Most use cases have ~10 service providers

Service providers do not share similar configurations

If we are moving forward with file based configuration of service
providers, bulk configuration/update means the same file modification applied to
several files.


We can loosen the requirement for service providers to have the same
configuration, by letting service providers override it as IsharaK
mentioned. Another option is to treat claim config, provisioning config and
authentication flow as different small circles. Depending on the
configuration patterns, we may create new bigger circles using these small
circles. With this granularity, re-usability of one set of configuration
will be high, but it is only beneficial if there is a big number of service
providers. In this sense the IDP can also be treated within a circle.

*Limiting the session sharing between service providers*
Assume a service provider is not allowed to be present in two security
circles, as that would violate the session sharing limitation for the rest of
the service providers in the related circles.
Let's take 3 service providers A, B and C.

B needs to share the session with A

C needs to share the session with A

But B and C should not share the session (not transitive). As I
understood so far, this is not possible with security circles.



Thanks,
Pushpalanka

On Mon, Nov 7, 2016 at 10:59 AM, Dimuthu Leelarathne 
wrote:

>
>
> On Sun, Oct 16, 2016 at 11:37 AM, Ishara Karunarathna 
> wrote:
>
>> Hi All,
>>
>> With the current IS implementation we have individual SP configurations
>> and we associate authentication chains, claim, provisioning configurations
>> etc. to that service provider configuration.
>> As an improvement to this we can group these configurations, let's say as a
>> security circle.
>>
>> For a security circle [SC]:
>> We can configure a set of service providers within a SC.
>> Associate user stores to that SC.
>> Define authentication chain, provisioning config etc.
>> Configure administration policies. Ex: only users in wso2admin can manage
>> the wso2 security circle.
>>
>
> According to new security model, I hope we can associate admins for SCs to
> achieve the exact Enterprise usecase defined in "[C5 IS] Multi-tenancy in
> C5 based IS".
>
> thanks,
> Dimuthu
>
>
>> Group authorization policies belong to this circle.
>> Once we configure those it will be applicable to all service providers
>> and can be overridden with SP level configurations.
>> We can have different login sessions for each circle.
>>
>> How can we use this?
>> Achieve the Enterprise SaaS application use case discussed in [1]
>> No need to configure the same configurations at each SP level; they can be
>> inherited from SC configurations.
>> Since we are going with container based multi-tenancy in C5, if a user
>> does not like that, it can be handled with this security circle.
>>
>> Thanks,
>> Ishara
>> [1] "[C5 IS] Multi-tenancy in C5 based IS"
>>
>> --
>> Ishara Karunarathna
>> Associate Technical Lead
>> WSO2 Inc. - lean . enterprise . middleware |  wso2.com
>>
>> email: isha...@wso2.com,   blog: isharaaruna.blogspot.com,   mobile:
>> +94717996791
>>
>>
>>
>> ___
>> Architecture mailing list
>> Architecture@wso2.org
>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>
>>
>
>
> --
> Dimuthu Leelarathne
> Director, Solutions Architecture
>
> WSO2, Inc. (http://wso2.com)
> email: dimut...@wso2.com
> Mobile: +94773661935
> Blog: http://muthulee.blogspot.com
>
> Lean . Enterprise . Middleware
>
>
>


-- 
Pushpalanka.
-- 
Pushpalanka Jayawardhana, B.Sc.Eng.(Hons).
Senior Software Engineer, WSO2 Lanka (pvt) Ltd;  wso2.com/
Mobile: +94779716248
Blog: pushpalankajaya.blogspot.com/ | LinkedIn:
lk.linkedin.com/in/pushpalanka/ | Twitter: @pushpalanka
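The non-transitive case above (B shares a session with A, C shares with A, but B and C must not share), worked through as an added example; this is not code from WSO2 Identity Server. It assumes, as the discussion does, that a service provider belongs to at most one circle and that every member of a circle shares one login session. Under that model "shares a session with" is an equivalence relation, so a set of sharing requirements can be expressed as circles only when its transitive closure keeps apart every pair that must not share. The provider names and the union-find helper are constructed for illustration.

```python
"""Can a set of session-sharing requirements be expressed as security circles?

Added illustration; not code from WSO2 Identity Server. Assumes a service
provider belongs to at most one circle and every member of a circle shares
one login session, so "shares a session with" is an equivalence relation.
"""


def sharing_circles(providers, must_share):
    """Smallest circles satisfying every 'must share' pair (union-find).
    Returns provider -> frozenset of the providers in the same circle."""
    parent = {p: p for p in providers}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for a, b in must_share:
        parent[find(a)] = find(b)
    members = {}
    for p in providers:
        members.setdefault(find(p), set()).add(p)
    return {p: frozenset(group) for group in members.values() for p in group}


def check_circles(providers, must_share, must_not_share):
    """Return (expressible, violations). 'violations' lists the 'must not
    share' pairs that single-membership circles would force into one session,
    because the transitive closure of 'must share' joins them."""
    circle_of = sharing_circles(providers, must_share)
    violations = [(a, b) for a, b in must_not_share if circle_of[a] == circle_of[b]]
    return (not violations, violations)


if __name__ == "__main__":
    # Constructed case from the thread: B-A and C-A required, B-C forbidden.
    ok, bad = check_circles(["A", "B", "C"], [("B", "A"), ("C", "A")], [("B", "C")])
    print("expressible:", ok, "violations:", bad)
```

The violation list is what a validator on circle configuration should reject: A, B and C all land in one circle, so B and C end up sharing a session whether the operator intended it or not. A pairwise sharing relation like this needs a mechanism other than circle membership, which is the point made above.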


Re: [Architecture] [C5] Different user profiles for different domains

2016-11-21 Thread Pushpalanka Jayawardhana
>>> false")
>>> will remove it even though other claim metadata that belong to other
>>> domain ("required=true").
>>> Please correct me if I am wrong here.
>>>
>>>
> But the question is: in C5 we map all other dialects to the wso2 local
> dialect. In that case, if in a given dialect we configure an attribute as
> required (SCIM dialect given name "required=true") while in the local dialect
> it is not (local dialect given name "required=false"), and we map SCIM given name
> to local given name, we need to decide the priority.
>
> -Ishara
>
>>
>>>
>>>> WDYT?
>>>>
>>>> Thanks.
>>>>
>>>> --
>>>> *Thanuja Lakmal*
>>>> Senior Software Engineer
>>>> WSO2 Inc. http://wso2.com/
>>>> *lean.enterprise.middleware*
>>>> Mobile: +94715979891 +94758009992
>>>>
>>>
>>>
>>
>>
>> --
>> Thanks & Regards,
>>
>> *Johann Dilantha Nallathamby*
>> Technical Lead & Product Lead of WSO2 Identity Server
>> Governance Technologies Team
>> WSO2, Inc.
>> lean.enterprise.middleware
>>
>> Mobile - *+9476950*
>> Blog - *http://nallaa.wordpress.com <http://nallaa.wordpress.com>*
>>
>
>
>
> --
> Ishara Karunarathna
> Associate Technical Lead
> WSO2 Inc. - lean . enterprise . middleware |  wso2.com
>
> email: isha...@wso2.com,   blog: isharaaruna.blogspot.com,   mobile:
> +94717996791
>
>
>
>
>

Thanks,
-- 
Pushpalanka.


Re: [Architecture] [Dev] Username Recovery Feature in IS 6.0.0

2017-01-21 Thread Pushpalanka Jayawardhana
Hi All,

On Sat, Jan 21, 2017 at 1:35 PM, Isura Karunaratne  wrote:

> Hi Dinali,
>
> On Sat, Jan 21, 2017 at 12:33 PM, Dinali Dabarera  wrote:
>
>> Hi all,
>>
>> We are working on implementing the username recovery feature for IS 6.0.0.
>>
>> *The admin has to enable the Username Recovery*
>>
>>
>> *When Username Recovery is enabled:*
>>
>>- User portal user can click on the forgot username option.
>>- The user can enter his details of the default profile.
>>- The system will match the entered details with the claims available
>>and if they match, the relevant username will be emailed to his email address
>>and a notification is prompted saying that an email is sent to his mail.
>>- If it doesn't match, the user will be notified that the relevant
>>user is not registered in the system.
>>
> We need to inform the user if multiple users match the given criteria.
> Then the user can fill in additional details to recover the username.
>
We should have a mechanism like captcha verification here, to avoid
possible brute force attack.

>
>
>> *When Username Recovery is disabled:*
>>
>>- User portal user may not be able to recover his username.
>>- The user needs to contact the admin of the system to recover his
>>username.
>>
>> The admin enables the username recovery in the identity.yaml file for
>> the users in the domain. Since we have different user stores available in
>> IS 6.0.0,
>>   *Does the admin need to enable username recovery user store
>> wise or does he need to configure it for the whole domain at once?*
>>
>>
> We need to have a global configuration identity.yaml file for all the
> domains. It is better to have domain/roles/group wise configuration for all
> the identity management scenarios like account lock, password policy,
> password recovery, idle account suspension, force password reset, user
> onboarding with ask password.
>
>
> Thanks
> Isura.
>
>>
>> Please provide us your comments on this point.
>>
>> Thanks,
>>
>> Dina.
>> --
>> *Dinali Rosemin Dabarera*
>> Software Engineer
>> WSO2 Lanka (pvt) Ltd.
>> Web: http://wso2.com/
>> Email : gdrdabar...@gmail.com
>> LinkedIn <https://lk.linkedin.com/in/dinalidabarera>
>> Mobile: +94770198933 <+94%2077%20019%208933>
>>
>>
>
>
>

Thanks,
-- 
Pushpalanka.
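The recovery flow discussed in this thread (match the entered details against the user's claims; no match, one match, or several matches; and the brute-force concern raised above), as an added example that is not code from WSO2 Identity Server. The in-memory user store, the local-dialect claim URIs used as keys, the `send_mail` callback and the attempt limits are constructed assumptions; in the product the claims come from the configured user stores and the mail goes through the notification layer. A captcha cannot run offline, so the brute-force control here is a per-client attempt counter, which is a complement to captcha rather than a substitute.

```python
"""Username recovery by claim matching, with an attempt limit per client.

Added example; not code from WSO2 Identity Server. Users, claim URIs,
limits and the mail callback are constructed for illustration.
"""
import time
from collections import defaultdict

NOT_FOUND, SENT, MULTIPLE, THROTTLED = "NOT_FOUND", "SENT", "MULTIPLE_MATCHES", "THROTTLED"
EMAIL_CLAIM = "http://wso2.org/claims/emailaddress"

# Constructed sample user store: username -> claims in the local dialect.
USERS = {
    "alice": {"http://wso2.org/claims/givenname": "Alice",
              "http://wso2.org/claims/lastname": "Perera",
              EMAIL_CLAIM: "alice@example.com"},
    "alice.p": {"http://wso2.org/claims/givenname": "Alice",
                "http://wso2.org/claims/lastname": "Perera",
                EMAIL_CLAIM: "alice.p@example.com"},
    "bob": {"http://wso2.org/claims/givenname": "Bob",
            "http://wso2.org/claims/lastname": "Silva",
            EMAIL_CLAIM: "bob@example.com"},
}


class AttemptLimiter:
    """Counts recovery attempts per client key (e.g. source address) in a
    sliding window. Stands in for the brute-force protection proposed above."""

    def __init__(self, max_attempts=5, window_seconds=600, clock=time.time):
        self.max_attempts, self.window, self.clock = max_attempts, window_seconds, clock
        self.attempts = defaultdict(list)

    def allow(self, client_key):
        now = self.clock()
        recent = [t for t in self.attempts[client_key] if now - t < self.window]
        self.attempts[client_key] = recent
        if len(recent) >= self.max_attempts:
            return False
        recent.append(now)
        return True


def _normalise(value):
    """Collapse whitespace and case so 'Alice ' matches 'alice'."""
    return " ".join(str(value).split()).casefold()


def recover_username(provided_claims, client_key, limiter, send_mail, users=USERS):
    """Match the provided claim values against every user. E-mails the username
    when exactly one user matches; returns one of the outcome constants."""
    if not limiter.allow(client_key):
        return THROTTLED
    wanted = {uri: _normalise(v) for uri, v in provided_claims.items() if str(v).strip()}
    if not wanted:
        return NOT_FOUND
    matches = [name for name, claims in users.items()
               if all(_normalise(claims.get(uri, "")) == v for uri, v in wanted.items())]
    if len(matches) == 0:
        return NOT_FOUND
    if len(matches) > 1:
        return MULTIPLE  # ask the user for additional details and retry
    username = matches[0]
    send_mail(users[username][EMAIL_CLAIM], "Your username is: " + username)
    return SENT
```

Each attempt counts against the limit whether or not it matched, because an attacker probing the claim space learns as much from NOT_FOUND as from SENT. For the same reason a practitioner may prefer to return one generic "if the details match, an e-mail has been sent" message for both outcomes; the separate NOT_FOUND outcome is kept here only because that is the flow described above.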


[Architecture] [C5][IS 6.0.0] Add and Update Group UI for IS 6.0.0

2017-03-15 Thread Pushpalanka Jayawardhana
Hi All,

I am working on implementing 'add group' and 'update group' UIs for IS
6.0.0 as per the wire-frames [1] and [2].

In group addition, the user experience will be as follows: in the 'General' tab the user
provides the name and description of the role.
The user can either conclude the group addition flow here or go to the 'Users' tab
to select the users who will be in this group.
The user can either conclude the flow here or go to the 'Roles' tab to select the
roles to be assigned to all the users in the newly added group.

Same goes with the update flow.

Claims will be defined for the group, to keep track of the attributes of
the group, such as group description.
Any thoughts are welcome to improve the flow or design.

[1] -
https://github.com/wso2-dev-ux/product-is/blob/master/Wireframes/admin-portal/v3/4.2%20Add%20group%20-%20general%20info.png
[2] -
https://github.com/wso2-dev-ux/product-is/blob/master/Wireframes/admin-portal/v3/4.8%20Edit%20group%20-%20general%20info.png

Thanks,
-- 
Pushpalanka.


Re: [Architecture] [C5][IS 6.0.0] Add and Update Group UI for IS 6.0.0

2017-03-15 Thread Pushpalanka Jayawardhana
On Thu, Mar 16, 2017 at 8:46 AM, Pushpalanka Jayawardhana 
wrote:

> Hi All,
>
> I am working on implementing 'add group' and 'update group' UIs for IS
> 6.0.0 as per the wire-frames [1] and [2].
>
> In group addition, user experience will be as, in the 'General' tab user
> provides name and description of the role.
> User can either conclude the group addition flow here or go to 'Users' tab
> to select users who will be in this group.
> User can either conclude the flow here or go to 'Roles' tab to select the
> roles to be assigned to all the users in the newly added group.
>
At initial phase, only general and user tabs will be there as role
management features are still to be reviewed.

>
> Same goes with the update flow.
>
> Claims will be defined for the group, to keep track of the attributes of
> the group, such as group description.
> Any thoughts are welcome to improve the flow or design.
>
> [1] - https://github.com/wso2-dev-ux/product-is/blob/master/Wireframes/admin-portal/v3/4.2%20Add%20group%20-%20general%20info.png
> [2] - https://github.com/wso2-dev-ux/product-is/blob/master/Wireframes/admin-portal/v3/4.8%20Edit%20group%20-%20general%20info.png
>
> Thanks,


-- 
Pushpalanka.


Re: [Architecture] Define Username Claim in Domain Level

2017-03-23 Thread Pushpalanka Jayawardhana
Hi Thanuja,

On Tue, Mar 21, 2017 at 11:47 AM, Thanuja Jayasinghe 
wrote:

>
>
> On Sun, Mar 19, 2017 at 2:10 PM, Gayan Gunawardana  wrote:
>
>>
>>
>> On Wed, Mar 15, 2017 at 6:50 AM, Thanuja Jayasinghe 
>> wrote:
>>
>>> Hi Nuwandi,
>>>
>>> On Tue, Mar 14, 2017 at 1:54 PM, Nuwandi Wickramasinghe <
>>> nuwan...@wso2.com> wrote:
>>>
>>>>
>>>>
>>>> On Tue, Mar 14, 2017 at 12:42 PM, Thanuja Jayasinghe 
>>>> wrote:
>>>>
>>>>> Hi Gayan,
>>>>>
>>>>> Yes. We need to specially handle the username claim
>>>>> ("http://wso2.org/claims/username").
>>>>>
>>>> So, it will always be http://wso2.org/claims/username, not
>>>> configurable?
>>>>
>>>
>>> I see the following performance related concerns if we mark some claim as
>>> the username claim using a property,
>>>
>>>
>>>
>>>- In every operation which we are going to specially handle for
>>>username claim, we need to check that property
>>>- If we want to get the username claim value, first we need to go
>>>through claims to identify the username claim and then retrieve the value
>>>for that claim
>>>
>>> Also, it will be much easier for the User object to retrieve username
>>> claim from a claim URI rather than a property. (We don't have the API
>>> support for retrieving claim value from a property)
>>>
>>> In a case like "email as username", we can still map the username claim
>>> to the email attribute. Then we can map the same email attribute to email
>>> claim to avoid the confusion.
>>>
>> If "http://wso2.org/claims/username" always represents the username claim, we
>> do not need to define it separately in domain-config.yaml, right?
>>
> Yes.
>
> @Pushpalanka: Are we planning to provide the capability to change root
> claim dialect?
>
This is still under consideration in the thread '[IS 6.0.0] Making native claim
dialect configurable'.

If that answers yes, can we still interpret this as 'root claim dialect
claim URI + *username*'? Still, with little modification, we can have the
mentioned optimizations, as I see.

>
>>>
>>>>> Shall we add a method to User[1] class to retrieve username?
>>>>>
>>>> +1 to have a method in User.java
>>>>
>>>>>
>>>>> [1] - https://github.com/wso2/carbon-identity-mgt/blob/master/components/org.wso2.carbon.identity.mgt/src/main/java/org/wso2/carbon/identity/mgt/User.java
>>>>>
>>>>> Thanks,
>>>>> Thanuja
>>>>>
>>>>> On Tue, Mar 14, 2017 at 12:12 PM, Gayan Gunawardana 
>>>>> wrote:
>>>>>
>>>>>> Hi All,
>>>>>>
>>>>>> Don't we have to provide an API to get the username claim at domain
>>>>>> level?
>>>>>> I am suggesting to have something like
>>>>>>
>>>>>> org.wso2.carbon.identity.mgt.User userStoreUser = identityStore.getUser(userId);
>>>>>> userStoreUser.getUsernameClaim();
>>>>>>
>>>>>> Currently we handle the username claim as just another claim but it
>>>>>> should be treated as a special claim because the username is the human friendly
>>>>>> unique identifier for users.
>>>>>>
>>>>>> In domain-config.yaml we can define username claim for each domain.
>>>>>>
>>>>>> Also another requirement is, when we get a username from an outside
>>>>>> application, we need to retrieve the corresponding user from the identity store, so
>>>>>> we need to set the value got from outside to the appropriate claim. In that case
>>>>>> there should be a way to identify the username claim.
>>>>>>
>>>>>> WDYT?
>>>>>>
>>>>>> Thanks,
>>>>>> Gayan
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Gayan Gunawardana
>>>>>> Software Engineer; WSO2 Inc.; http://wso2.com/
>>>>>> Email: ga...@wso2.com
>>>>>> Mobile: +94 (71) 8020933
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>>
>>>> Best Regards,
>>>>
>>>> Nuwandi Wickramasinghe
>>>>
>>>> Software Engineer
>>>>
>>>> WSO2 Inc.
>>>>
>>>> Web : http://wso2.com
>>>>
>>>> Mobile : 0719214873 <071%20921%204873>
>>>>
>>>
>>> Thanks,
>>> Thanuja
>>>
>>
>>
>>
>
>
>



-- 
Pushpalanka.


[Architecture] Distinguish between local and federated users in oauth tables

2017-05-16 Thread Pushpalanka Jayawardhana
Hi All,

We have the below 3 issues that are caused mainly because we don't have a clear
way to distinguish local and federated users in OAuth related tables
(authorization code and access token storage).
There are a few more issues related to sending the subject claim in the proper
format in the ID token, which needs to identify the user as federated or local.

In order to address these issues we need to check whether the user is from a
federated IDP. To fix this without having DB schema changes, IsharaK came
up with the idea to use the 'UserStoreDomain' column
to store the value 'FEDERATED' as the user store domain for tokens and
authorization codes issued to federated users. The relevant authenticators
and grant handlers are responsible for setting the 'isFederatedUser' flag to true
whenever they create and pass an authenticated user to the
messageContext. OAuth storage will read it and store the userStoreDomain
value as 'FEDERATED'. This domain is never expected to be sent out from the
server as a user attribute or property or as part of the username.

In order to avoid any conflicts, we will prevent users from creating user
store domains with the name 'FEDERATED'.
If you see any pitfalls with this approach, please raise them. We are proceeding
with the implementation as above.

[1] - https://wso2.org/jira/browse/IDENTITY-5939
[2] - https://wso2.org/jira/browse/IDENTITY-4880
[3] - https://wso2.org/jira/browse/IDENTITY-4512

Thanks,
-- 
Pushpalanka.


Re: [Architecture] Distinguish between local and federated users in oauth tables

2017-05-16 Thread Pushpalanka Jayawardhana
On Tue, May 16, 2017 at 10:19 PM, Nuwan Dias  wrote:

> How is this going to impact migrating clients? For the data that's already
> available in the DB, I guess we won't be changing their user store domains.
> So I guess they will still be treated in the old way?
>
Yes, as of now we save the domain as PRIMARY for externally authenticated users
as well. We won't be migrating those, hence they are treated in the old way.
If there are authenticators that have already been setting this flag
'isFederatedUser' to true, from now on their user store domain will be saved as
FEDERATED, fixing the mentioned bugs we had in the flow.

> --
> Nuwan Dias
>
> Software Architect - WSO2, Inc. http://wso2.com
> email : nuw...@wso2.com
> Phone : +94 777 775 729 <077%20777%205729>
>



-- 
Pushpalanka.


Re: [Architecture] Distinguish between local and federated users in oauth tables

2017-05-16 Thread Pushpalanka Jayawardhana
On Tue, May 16, 2017 at 11:15 PM, Ishara Karunarathna 
wrote:

>
>
> On Tue, May 16, 2017 at 10:25 PM, Prabath Siriwardena 
> wrote:
>
>> How do you figure out users from different idps?
>>
> In this way we can only identify whether the user is a federated or local user.
>
> But we can use a convention to keep the IDP name as well if we need to go
> without schema changes,
> Ex: FEDERATED:IDP1
>

Is this to address any future issues or cater for features?

I can see a conceptual fault in saving the same domain name for different IDPs,
along with the unique key constraint we have. This can lead to treating two
identities as the same, since we will only know they are federated.

CONSTRAINT CON_APP_KEY UNIQUE (CONSUMER_KEY_ID, AUTHZ_USER, TENANT_ID,
*USER_DOMAIN*, USER_TYPE, TOKEN_SCOPE_HASH, TOKEN_STATE, TOKEN_STATE_ID)

What will be the places we will make use of the knowledge of authenticated
IDP?

>
> -Ishara
>
>>
>> Thanks & regards,
>> -Prabath
>>
>> --
>> Thanks & Regards,
>> Prabath
>>
>> Twitter : @prabath
>> LinkedIn : http://www.linkedin.com/in/prabathsiriwardena
>>
>> Mobile : +1 650 625 7950 <%28650%29%20625-7950>
>>
>> http://facilelogin.com
>>
>
>
>
>
>


-- 
Pushpalanka.
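The collision described in the reply above, and the reserved-name check from the original proposal, as an added example; this is not code from WSO2 Identity Server. It models only the columns named in the CON_APP_KEY constraint quoted above and the FEDERATED:<idp> convention suggested in the thread. The sample users, IdP names, tenant id, scope hashing and the APPLICATION_USER value for USER_TYPE are constructed for illustration.

```python
"""Why one 'FEDERATED' user store domain can collide in the OAuth token
tables, and why that domain name has to be reserved.

Added example; not code from WSO2 Identity Server. Column layout follows the
CON_APP_KEY constraint quoted in the thread; everything else is constructed.
"""
import hashlib

FEDERATED_DOMAIN = "FEDERATED"


def is_reserved_user_store_domain(domain):
    """Domain names the OAuth storage uses as markers must not be creatable as
    real user stores; otherwise a local user in such a store would be
    indistinguishable from a federated one. The prefix form is reserved too,
    so the FEDERATED:<idp> convention cannot be forged by a user store name."""
    upper = domain.strip().upper()
    return upper == FEDERATED_DOMAIN or upper.startswith(FEDERATED_DOMAIN + ":")


def user_domain_for(user, keep_idp=False):
    """Value written to USER_DOMAIN for an authenticated user."""
    if user["is_federated"]:
        return FEDERATED_DOMAIN + ":" + user["idp"] if keep_idp else FEDERATED_DOMAIN
    return user["user_store_domain"]


def scope_hash(scopes):
    """Constructed stand-in for TOKEN_SCOPE_HASH: order-independent digest."""
    return hashlib.sha256(" ".join(sorted(scopes)).encode()).hexdigest()


def con_app_key(consumer_key_id, user, tenant_id, scopes, token_state="ACTIVE",
                token_state_id="NONE", user_type="APPLICATION_USER", keep_idp=False):
    """The tuple covered by CONSTRAINT CON_APP_KEY UNIQUE (...)."""
    return (consumer_key_id, user["name"], tenant_id, user_domain_for(user, keep_idp),
            user_type, scope_hash(scopes), token_state, token_state_id)


def colliding_pairs(keys):
    """Index pairs whose unique-key tuples are equal: rows the constraint would
    reject on insert, or that a lookup by this key would treat as one token."""
    seen, out = {}, []
    for i, key in enumerate(keys):
        if key in seen:
            out.append((seen[key], i))
        else:
            seen[key] = i
    return out


if __name__ == "__main__":
    # Constructed: the same subject identifier 'alice' from two different IdPs.
    alice_idp1 = {"name": "alice", "is_federated": True, "idp": "IDP1", "user_store_domain": None}
    alice_idp2 = {"name": "alice", "is_federated": True, "idp": "IDP2", "user_store_domain": None}
    for keep in (False, True):
        keys = [con_app_key(1, u, -1234, ["openid"], keep_idp=keep) for u in (alice_idp1, alice_idp2)]
        print("keep_idp=%s collisions=%s" % (keep, colliding_pairs(keys)))
```

With a bare FEDERATED domain, two subjects that happen to carry the same identifier at different IdPs produce the same key for the same client and scope, which is the "two identities treated as the same" problem raised above. Qualifying the domain with the IdP name separates them without a schema change, but only if the reservation check also blocks user store names that start with FEDERATED:.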


Re: [Architecture] Distinguish between local and federated users in oauth tables

2017-05-16 Thread Pushpalanka Jayawardhana
On Wed, May 17, 2017 at 10:37 AM, Prabath Siriwardena 
wrote:

>
>
> On Tue, May 16, 2017 at 10:04 PM, Ishara Karunarathna 
> wrote:
>
>>
>>
>> On Wed, May 17, 2017 at 10:26 AM, Prabath Siriwardena 
>> wrote:
>>
>>> Also - related to JWT/SAML grant types - do we have an option to JIT
>>> provision the user...?
>>>
>> This is not available in the current implementation.
>>
>>> The expectation is - when you enable JIT provisioning under the trusted
>>> IdP - and pick the userstore to provision the users - then the user should
>>> be JIT provisioned...
>>>
>> If we need to support OIDC with JWT/SAML grant types we need to have
>> this feature. Even though the OIDC spec does not talk about supporting OIDC
>> with custom grant types, this can be treated as a token exchange mechanism,
>> and +1 for supporting this.
>>
>
> In fact this is not directly related to OIDC - just the JWT grant type
> (JWT grant type for OAuth 2.0)..
>
> If this is not supported then - in API M - how do we generate the JWT for
> the backend - when users come from a federated JWT..?
>
In the IS JWTTokenGenerator we check whether the user exists in the local user
store and get the claims. Else no claims are sent in the JWT in token
validation.
AFAIK API M has written a different token generator for this case.

>
> Thanks & regards,
> -Prabath
>
>
>
>>
>> -Ishara
>>
>>>
>>> Thanks & regards,
>>> -Prabath
>>>
>>>

Re: [Architecture] Implementing consent receipt specification in WSO2 Identity Server

2017-09-19 Thread Pushpalanka Jayawardhana
Hi Shan,

Along with these details we save in these tables, we need to keep a mapping
to what each PII category means to the WSO2 server.
In that case we can think of a PII category as a collection of claims.

In IS we already have this concept of a collection of claims, where we
categorize them into a scope. WSO2 APIM already makes use of these scopes to
provide role based access to resources. We can try to make use of scopes in
the place of PII category to establish this mapping with server claims,
which are actually PII keys. In the 'PII_CATEGORY' table we can keep track
of this.

Thanks,

On Wed, Sep 13, 2017 at 2:45 PM, Shan Jayathilaka  wrote:

> There is a new regulation called the EU General Data Protection Regulation
> (GDPR) which replaces the Data Protection Directive 95/46/EC and was
> designed to harmonize data privacy laws across Europe. GDPR was passed as
> a regulation on 27th April 2016 and will be effective from 25th May 2018.
> According to this regulation any organization which is collecting user data
> must collect data according to the user's consent. Also if a user requests
> his/her consents about the user data, the data collecting
> organization must provide those consents to the user. Here we
> have to record what the consents of the user are in a database. I designed
> an ER diagram [1] for the database which collects the user consent. Also I
> attached the GDPR Regulation document [2], a blog to understand the GDPR [3]
> and Kantara Consent Receipt Management [4] to this email. I hope they will
> be helpful to all.
>
> *Brief explanation about the database tables*
>
>
>- TRANSACTION_DETAILS: Contains details about the consent receipt id
>and user identification.
>
>
>- DATA_CONTROLLER: Contains details about the organization which
>collects the user data.
>- SERVICES: Contains details about the services provided to the user
>data.
>- PURPOSES: Contains details about the purposes to collect the user
>data.
>- THIRD_PARTY: Contains details about the third party organizations
>which take the user data shared by the data controllers.
>- PII_CATEGORY: Contains details about the personally identifiable
>information (pii) categories.
>
> [1]
> project_gdpr_new_erd.png
> <https://mail.google.com/mail/ca/u/1/?ui=2&ik=2b82ec457b&view=att&th=15e7a6f581a803f6&attid=0.1&disp=safe&realattid=f_j7ise&zw>
>
> [2]
> http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679
>
> [3]
> https://medium.facilelogin.com/understanding-gdpr-9201e1356418
>
> [4]
> https://kantarainitiative.org/confluence/display/
> infosharing/Consent+Receipt+Specification?preview=/
> 76447870/90604248/DRAFT%20Recommendation%20Consent%
> 20Receipt%20Specification%201_0_0.docx
>
> Appreciate your feedback.
>
> Regards,
>
> Shan Chathusanda Jayathilaka
> Software Engineer (Intern)
> WSO2
>
> Mobile : +94702062877
> Email : sh...@wso2.com
> LinkedIn : www.linkedin.com/in/shanchathusanda/
>



-- 
Pushpalanka.
-- 
Pushpalanka Jayawardhana, B.Sc.Eng.(Hons).
Senior Software Engineer, WSO2 Lanka (pvt) Ltd;  wso2.com/
Mobile: +94779716248
Blog: pushpalankajaya.blogspot.com/ | LinkedIn:
lk.linkedin.com/in/pushpalanka/ | Twitter: @pushpalanka
___
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
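The PII-category-as-scope mapping described in this message (and in the quoted table list it replies to) as an added Python illustration; this is not WSO2 Identity Server code. The scope/claim table, the PII_CATEGORY-to-scope column and the receipt data are all constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed scope -> claims mapping, standing in for the registry-level
# scope/claim mapping the thread refers to (not WSO2 IS data).
SCOPE_CLAIMS = {
    "profile": {"http://wso2.org/claims/givenname", "http://wso2.org/claims/lastname"},
    "email": {"http://wso2.org/claims/emailaddress"},
    "address": {"http://wso2.org/claims/country"},
}

# Constructed PII_CATEGORY rows: category name -> scope it is mapped to.
# Storing the scope in this table is an assumption about the design.
PII_CATEGORY = {"Name": "profile", "Contact": "email", "Location": "address"}


@dataclass
class Purpose:
    """One PURPOSES row: why data is collected and which categories it covers."""
    name: str
    pii_categories: set
    third_parties: set = field(default_factory=set)


@dataclass
class ConsentReceipt:
    """One TRANSACTION_DETAILS row with its DATA_CONTROLLER and PURPOSES."""
    receipt_id: str
    subject: str
    data_controller: str
    purposes: list
    revoked: bool = False


def claims_for_category(category):
    """Resolve a PII category to server claims via its scope; unknown categories fail closed."""
    scope = PII_CATEGORY.get(category)
    if scope is None:
        raise KeyError(f"unknown PII category: {category}")
    return set(SCOPE_CLAIMS.get(scope, ()))


def consented_claims(receipt, purpose_name):
    """Claims the subject has consented to release for the named purpose."""
    if receipt.revoked:
        return set()
    for purpose in receipt.purposes:
        if purpose.name == purpose_name:
            claims = set()
            for category in purpose.pii_categories:
                claims |= claims_for_category(category)
            return claims
    return set()


def filter_release(receipt, purpose_name, requested_claims):
    """Split a requested claim set into (granted, denied) under the receipt."""
    allowed = consented_claims(receipt, purpose_name)
    granted = {claim for claim in requested_claims if claim in allowed}
    return granted, set(requested_claims) - granted


def sample_receipt():
    """Constructed receipt used by the demo below."""
    return ConsentReceipt(
        receipt_id="constructed-receipt-1",
        subject="alice",
        data_controller="Example Org",
        purposes=[
            Purpose("account-login", {"Name", "Contact"}),
            Purpose("marketing", {"Contact"}, third_parties={"Partner Ltd"}),
        ],
    )


if __name__ == "__main__":
    wanted = {"http://wso2.org/claims/emailaddress", "http://wso2.org/claims/country"}
    print(filter_release(sample_receipt(), "account-login", wanted))
```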


Re: [Architecture] OIDC request object support

2017-10-11 Thread Pushpalanka Jayawardhana
as well.
>>
>>
>>
>> *2. request_uri parameter*
>> In this case the url will be a pre-registered url by the RP for use at
>> the OP. The reference which is pointed to from the url will contain the
>> relevant jwt. The rationale behind returning claims will be the same as the
>> above in the request parameter.
>>
>> As we are planning to provide the implementation as a 5.3.0 WUM update
>> the 'acr' implementation will not be available there. So if 'acr' value is
>> requested as an essential claim a pre-defined value will be returned.
>>
If we keep the extendability as mentioned above, we will be able to cater
for this if an implementation becomes available in the future.

>
>> Any suggestion or feedback on the above will be highly appreciated.
>>
>
>> Thanks,
>>
>> Hasanthi Dissanayake
>>
>> Software Engineer | WSO2
>>
>> E: hasan...@wso2.com
>> M : 0718407133 | http://wso2.com
>>
>
>


-- 
Pushpalanka.
-- 
Pushpalanka Jayawardhana, B.Sc.Eng.(Hons).
Senior Software Engineer, WSO2 Lanka (pvt) Ltd;  wso2.com/
Mobile: +94779716248
Blog: pushpalankajaya.blogspot.com/ | LinkedIn:
lk.linkedin.com/in/pushpalanka/ | Twitter: @pushpalanka
___
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture


Re: [Architecture] OIDC request object support

2017-10-11 Thread Pushpalanka Jayawardhana
Hi Hasanthi,

On Wed, Oct 11, 2017 at 11:10 PM, Hasanthi Purnima Dissanayake <
hasan...@wso2.com> wrote:

> Hi Pushpalanka,
>
> Since scope concept is no longer effective in this approach, I assume we
>> will have to capture user consent claim by claim in this case similar to
>> how we handle consent for scopes.
>
>
> Yes we should use the same way to capture the consent claim by claim but
> with the authorization request. Anyway we need to pass the 'openid' scope
> along with the request in order to make this an oidc request right?
>
Yes, the specification specifically mentions that.
Yes, consent needs to be captured with the authorization request as you
mentioned. As the request object is a part of the authorization request, we
have to address it here. This section of the specification [1] will help in
understanding.

>
>
> Are we introducing a new table to store this?
>
> I'm wondering whether we need to introduce a new table to store the claims
> and consents with this implementation.  Can't we use the same table which
> we are introducing in consent management and then request consent, claim by
> claim here as well?
>
The newly introduced tables to store consent are domain specific, as they
come with the solution. Consent for claims served by IS according to the
request object will need to be handled through the IS data source as this
governs what IS exposes through the userinfo endpoint and ID token.

>
>> We also need to take into the consideration that the request object can
>> be signed(JWS) and we need to do the signature validation before it's
>> handed over to next layer.
>>
>
> +1. Yes we need to do.
>
>
>>1. Define custom claims for those and use claim retrieving extensions
>>to handle the value
>>2. Provide an extension at this layer so that we filter out the
>>claims handled by IS and separate others to be handled in custom ways.
>>
> +1 for option 2
>
> BTW, are we planning to implement consent management with IS 5.3.0 WUM
> update? If so, can we do schema changes as a WUM update?  Otherwise how do
> we plan to release consent management feature?
>
The consent management we refer to here is much specific to the domain. So
that will not introduce a schema change to the product db script. We will
make use of the extension to be introduced at request object level and use
the storage from the solution.

[1] - http://openid.net/specs/openid-connect-core-1_0.html#RequestParameter

>
> Thanks,
>
> Hasanthi Dissanayake
>
> Software Engineer | WSO2
>
> E: hasan...@wso2.com
> M : 0718407133 | http://wso2.com
>
> On Wed, Oct 11, 2017 at 6:38 PM, Pushpalanka Jayawardhana 
> wrote:
>
>> Hi Hasanthi,
>>
>> On Wed, Oct 11, 2017 at 4:41 PM, Hasanthi Purnima Dissanayake <
>> hasan...@wso2.com> wrote:
>>
>>>
>>>
>>> Hasanthi Dissanayake
>>>
>>> Software Engineer | WSO2
>>>
>>> E: hasan...@wso2.com
>>> M : 0718407133 | http://wso2.com
>>>
>>> On Wed, Oct 11, 2017 at 4:35 PM, Hasanthi Purnima Dissanayake <
>>> hasan...@wso2.com> wrote:
>>>
>>>> Hi All,
>>>>
>>>> In order to support 'Request Object' we need to support two parameters.
>>>> 1. request parameter
>>>> 2. request_uri parameter
>>>>
>>>>
>>>>
>>>> *1. request_parameter*
>>>> The purpose of this parameter is to support requesting some claims
>>>> other than the default Userinfo and IdToken claim set which is associated
>>>> with the requested scope.
>>>>
>>>> So if we consider a sample request with above parameter,
>>>>
>>>> https://localhost:9443/oauth2/authorize?
>>>> response_type=code%20id_token
>>>> &client_id=X
>>>> &redirect_uri=http://localhost:8080/playground
>>>> &scope=openid
>>>> &state=af0ifjsldkj
>>>> &nonce=n-0S6_WzA2Mj
>>>> &request={
>>>>   "iss": "s6BhdRkqt3",
>>>>   "aud": "https://server.example.com",
>>>>   "response_type": "code id_token",
>>>>   "client_id": "s6BhdRkqt3",
>>>>   "redirect_uri": "https://client.example.org/cb",
>>>>   "scope": "openid",
>>>>   "state": "af0ifjsldkj",
>>>>   "nonce": "n-0S
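Added Python example (not the project's code) covering the request parameter flow quoted above and the request_uri/acr points from the earlier message: it verifies an HS256 request object against the client secret, applies the matching rules from OIDC Core section 6.1, and splits the requested claims the way option 2 describes. The OP issuer, the set of claims IS serves itself, the pre-defined acr value and the client secret are all assumptions.

```python
import base64
import hashlib
import hmac
import json

# Constructed values: the OP's issuer identifier, the claims IS serves itself,
# and a placeholder for the pre-defined 'acr' value the thread mentions.
OP_ISSUER = "https://localhost:9443/oauth2/token"
IS_HANDLED_CLAIMS = {"sub", "email", "given_name", "family_name"}
PREDEFINED_ACR = "urn:placeholder:acr"


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_request_object(payload, client_secret):
    """Build an HS256-signed request object (helper standing in for the RP)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    signing_input = header + b"." + body
    sig = hmac.new(client_secret.encode(), signing_input, hashlib.sha256).digest()
    return (signing_input + b"." + _b64url_encode(sig)).decode()


def verify_request_object(token, client_secret):
    """Check the JWS before any layer below trusts the parameters inside it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("request object is not a compact JWS")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("alg") != "HS256":
        # Refuse 'none' and any algorithm not agreed with this RP.
        raise ValueError("unsupported alg: %r" % header.get("alg"))
    signing_input = (parts[0] + "." + parts[1]).encode()
    expected = hmac.new(client_secret.encode(), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise ValueError("request object signature does not verify")
    return json.loads(_b64url_decode(parts[1]))


def merge_authorization_request(query, token, client_secret):
    """OIDC Core 6.1: response_type/client_id must match between the query and
    the request object, iss/aud bind it to this client and OP, and values in
    the request object supersede the plain query parameters."""
    payload = verify_request_object(token, client_secret)
    for name in ("response_type", "client_id"):
        if name in payload and payload[name] != query.get(name):
            raise ValueError(f"{name} differs between query and request object")
    if payload.get("iss", query.get("client_id")) != query.get("client_id"):
        raise ValueError("iss must be the client_id")
    aud = payload.get("aud", OP_ISSUER)
    if OP_ISSUER not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("aud does not name this OP")
    merged = dict(query)
    merged.update({k: v for k, v in payload.items() if k not in ("iss", "aud")})
    if "openid" not in merged.get("scope", "").split():
        raise ValueError("openid scope is required for an OIDC request")
    return merged


def split_requested_claims(merged):
    """Option 2 from the thread: keep the claims IS can serve, hand the rest to
    an extension, and answer an essential 'acr' request with the fixed value."""
    claims = merged.get("claims") or {}
    handled, custom = {}, {}
    for target in ("userinfo", "id_token"):
        for name, spec in (claims.get(target) or {}).items():
            if target == "id_token" and name == "acr":
                continue
            bucket = handled if name in IS_HANDLED_CLAIMS else custom
            bucket.setdefault(target, {})[name] = spec
    acr_spec = (claims.get("id_token") or {}).get("acr") or {}
    acr = PREDEFINED_ACR if acr_spec.get("essential") else None
    return handled, custom, acr


# Constructed sample mirroring the request quoted in the thread.
SAMPLE_QUERY = {"response_type": "code id_token", "client_id": "s6BhdRkqt3",
                "redirect_uri": "https://client.example.org/cb", "scope": "openid",
                "state": "af0ifjsldkj", "nonce": "n-0S6_WzA2Mj"}
SAMPLE_PAYLOAD = {"iss": "s6BhdRkqt3", "aud": OP_ISSUER,
                  "response_type": "code id_token", "client_id": "s6BhdRkqt3",
                  "scope": "openid email",
                  "claims": {"userinfo": {"email": {"essential": True},
                                          "loyalty_tier": None},
                             "id_token": {"acr": {"essential": True}}}}
```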

Re: [Architecture] Implementing consent receipt specification in WSO2 Identity Server

2017-11-08 Thread Pushpalanka Jayawardhana
PII category means to WSO2 server.
>>>>
>>>>
>>>> With our current implementation in Identity Server we maintain a
>>>> scope-claim mapping in the registry level. For a scope a single or multiple
>>>> claims can be mapped and we can define any custom scope or claim. So
>>>> IIUC here we can map PII category with scope. So indirectly we can map PII
>>>> category with claims. But at the moment we don't store those scope - claim
>>>> mapping in our database. So if we are to map PII category with the scopes
>>>> we need to store the scopes in the db level.
>>>>
>>>> Thanks,
>>>>
>>>> Hasanthi Dissanayake
>>>>
>>>> Software Engineer | WSO2
>>>>
>>>> E: hasan...@wso2.com
>>>> M : 0718407133 | http://wso2.com
>>>>
>>>> On Wed, Sep 20, 2017 at 9:09 AM, Pushpalanka Jayawardhana <
>>>> la...@wso2.com> wrote:
>>>>
>>>>> Hi Shan,
>>>>>
>>>>> Along with these details we save in these tables, we need to keep a
>>>>> mapping to what each PII category means to WSO2 server.
>>>>> In that case we can think of a PII category as a collection of claims.
>>>>>
>>>>> In IS we already have this concept of collection of claims, where we
>>>>> categorize them into a scope. WSO2 APIM already makes use of these scopes
>>>>> to provide role based access to resources. We can try to make use of
>>>>> scopes in the place of PII category to establish this mapping with server
>>>>> claims which are actually PII keys. In the 'PII_CATEGORY' table we can
>>>>> keep track of this.
>>>>>
>>>>> Thanks,
>>>>>
>>>>> On Wed, Sep 13, 2017 at 2:45 PM, Shan Jayathilaka 
>>>>> wrote:
>>>>>
>>>>>> There is a new regulation called the EU General Data Protection
>>>>>> Regulation (GDPR) which replaces the Data Protection Directive 95/46/EC
>>>>>> and was designed to harmonize data privacy laws across Europe. GDPR was
>>>>>> passed as a regulation on 27th April 2016 and will be effective from
>>>>>> 25th May 2018. According to this regulation any organization that is
>>>>>> collecting user data must collect data according to the user's consent.
>>>>>> Also if a user requests his/her consents about the user data, the data
>>>>>> collecting organization must provide those consents regarding the user.
>>>>>> Here we have to record the consents of the user in a database. I
>>>>>> designed an [1] ER diagram for the database which collects the user
>>>>>> consent. Also I attached [2] the GDPR Regulation document, [3] a blog to
>>>>>> understand the GDPR and [4] Kantara Consent Receipt Management to this
>>>>>> email. I hope they will be helpful to all.
>>>>>>
>>>>>> *Brief explanation about the database tables*
>>>>>>
>>>>>>- TRANSACTION_DETAILS: Contains details about the consent receipt
>>>>>>id and user identification.
>>>>>>- DATA_CONTROLLER: Contains details about the organization which
>>>>>>collects the user data.
>>>>>>- SERVICES: Contains details about the services provided to the
>>>>>>user data.
>>>>>>- PURPOSES: Contains details about the purposes to collect the
>>>>>>user data.
>>>>>>- THIRD_PARTY: Contains details about the third party
>>>>>>organizations which take the user data shared by the data controllers.
>>>>>>- PII_CATEGORY: Contains details about the personally
>>>>>>identifiable information (PII) categories.
>>>>>>
>>>>>> [1]
>>>>>> project_gdpr_new_erd.png
>>>>>> <https://mail.google.com/mail/ca/u/1/?ui=2&ik=2b82ec457b&view=att&th=15e7a6f581a803f6&attid=0.1&disp=safe&realattid=f_j7ise&zw>

[Architecture] An API to get the count of users

2016-02-09 Thread Pushpalanka Jayawardhana
Hi All,

We are in the process of addressing the following requirements related to
getting the user count of a user store.

*Requirement*
Mainly (in priority order),

   1. *Get the count of users in a userstore domain*
   2. Get the count of users within a tenant space
   3. Get the count of users having a specific claim value (count the
   results matching a specific claim value. eg: Number of users that have been
   locked, Number of users from a specific country)


Additionally, the following functionalities would be good to have,

   1. Get the count of users across tenants



*Approaches*

   1. Keep a separate database table to track the user count. Incrementally
   update it each time a new user is added.
      - When plugging an existing user store, the table needs to be
      populated initially for once with existing users.
      - PR at [1] creates a table 'IDN_UID_USER' to same user when user
      name is renamed. It will be possible to use that table for this same
      requirement.
      - This approach does *NOT* address the 3rd requirement.
   2. Execute a count query at user store manager level (This will be an
   API addition to carbon kernel user core)
      - This will cater for all the main requirements
      - The LDAP protocol does not have a specific mention of an
      API for count
         - Different implementations have different approaches to
         achieve this.
            - OpenDS, Sun Directory Server -
            https://blogs.oracle.com/Ludo/entry/ldap_tip_counting_the_number
            - OpenLDAP -
            http://www.openldap.org/its/index.cgi/Archive.Incoming?id=4161
         - Implementing this in LDAP seems to be comparatively harder
         than JDBC with having to manually go through the trees.
      - With user stores having millions of users, the operation will
      be very time consuming. (UI might be less responsive, if the API is used
      via mgt console)

Appreciate your thoughts, inputs regarding this.
@Kernel team : Appreciate your feedback on feasible timelines of
releasing this new API integrated with user.core, if required to do so.

[1] - Rename user https://github.com/wso2/carbon-identity/pull/437
[2] - LDAP Protocol - https://tools.ietf.org/html/rfc4511


Thanks,
Pushpalanka.
-- 
Pushpalanka Jayawardhana, B.Sc.Eng.(Hons).
Senior Software Engineer, WSO2 Lanka (pvt) Ltd;  wso2.com/
Mobile: +94779716248
Blog: pushpalankajaya.blogspot.com/ | LinkedIn:
lk.linkedin.com/in/pushpalanka/ | Twitter: @pushpalanka
___
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
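Both approaches from the proposal side by side, as an added Python sketch that is not user.core code: approach 1 keeps a counter table updated on each add, approach 2 runs count queries (the only one that answers the claim-value requirement), and a simulated directory store shows why counting in LDAP means walking the tree page by page. Table names, columns and the sample users are constructed.

```python
import sqlite3


def build_store():
    """Constructed in-memory stand-in for the user store tables (not the UM schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE um_user (id INTEGER PRIMARY KEY, user_name TEXT, domain TEXT,
                              tenant_id INTEGER);
        CREATE TABLE um_user_attribute (user_id INTEGER, attr_name TEXT, attr_value TEXT);
        -- Approach 1: a separate counter table, maintained on every add/delete.
        CREATE TABLE user_count (domain TEXT, tenant_id INTEGER, cnt INTEGER,
                                 PRIMARY KEY (domain, tenant_id));
    """)
    return conn


def add_user(conn, name, domain, tenant_id, claims):
    """Add a user with claim values and keep the counter table in step."""
    cur = conn.execute("INSERT INTO um_user (user_name, domain, tenant_id) VALUES (?, ?, ?)",
                       (name, domain, tenant_id))
    conn.executemany("INSERT INTO um_user_attribute VALUES (?, ?, ?)",
                     [(cur.lastrowid, k, v) for k, v in claims.items()])
    conn.execute("INSERT OR IGNORE INTO user_count VALUES (?, ?, 0)", (domain, tenant_id))
    conn.execute("UPDATE user_count SET cnt = cnt + 1 WHERE domain = ? AND tenant_id = ?",
                 (domain, tenant_id))


def bootstrap_counter_table(conn):
    """One-off population needed when an existing store is plugged in."""
    conn.execute("DELETE FROM user_count")
    conn.execute("INSERT INTO user_count SELECT domain, tenant_id, COUNT(*) FROM um_user "
                 "GROUP BY domain, tenant_id")


def count_from_counter_table(conn, domain, tenant_id):
    row = conn.execute("SELECT cnt FROM user_count WHERE domain = ? AND tenant_id = ?",
                       (domain, tenant_id)).fetchone()
    return row[0] if row else 0


# Approach 2: count queries at the user store manager level.
def count_users_in_domain(conn, domain, tenant_id):
    return conn.execute("SELECT COUNT(*) FROM um_user WHERE domain = ? AND tenant_id = ?",
                        (domain, tenant_id)).fetchone()[0]


def count_users_in_tenant(conn, tenant_id):
    return conn.execute("SELECT COUNT(*) FROM um_user WHERE tenant_id = ?",
                        (tenant_id,)).fetchone()[0]


def count_users_with_claim(conn, tenant_id, claim, value):
    """Requirement 3: only a query can answer this; the counter table cannot."""
    return conn.execute(
        "SELECT COUNT(*) FROM um_user u JOIN um_user_attribute a ON a.user_id = u.id "
        "WHERE u.tenant_id = ? AND a.attr_name = ? AND a.attr_value = ?",
        (tenant_id, claim, value)).fetchone()[0]


class DirectoryLikeStore:
    """Simulated LDAP store: there is no count operation, so counting walks the
    tree page by page (simple paged results), which is what makes it slow for
    stores with millions of entries."""

    def __init__(self, entries, page_size):
        self._entries = entries
        self._page_size = page_size

    def paged_search(self):
        for start in range(0, len(self._entries), self._page_size):
            yield self._entries[start:start + self._page_size]

    def count(self):
        """Return (count, round_trips) so the cost is visible to the caller."""
        total, pages = 0, 0
        for page in self.paged_search():
            total += len(page)
            pages += 1
        return total, pages


def sample_store():
    """Constructed users across two domains and two tenants."""
    conn = build_store()
    add_user(conn, "alice", "PRIMARY", -1234, {"country": "LK", "accountLocked": "true"})
    add_user(conn, "bob", "PRIMARY", -1234, {"country": "LK", "accountLocked": "false"})
    add_user(conn, "carol", "LDAP", -1234, {"country": "US", "accountLocked": "true"})
    add_user(conn, "dave", "PRIMARY", 1, {"country": "US", "accountLocked": "false"})
    return conn
```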


Re: [Architecture] An API to get the count of users

2016-02-09 Thread Pushpalanka Jayawardhana
Pushpalanka.
-- 
Pushpalanka Jayawardhana, B.Sc.Eng.(Hons).
Senior Software Engineer, WSO2 Lanka (pvt) Ltd;  wso2.com/
Mobile: +94779716248
Blog: pushpalankajaya.blogspot.com/ | LinkedIn:
lk.linkedin.com/in/pushpalanka/ | Twitter: @pushpalanka


On Tue, Feb 9, 2016 at 4:42 PM, Selvaratnam Uthaiyashankar  wrote:

> Why do we need to know the count? What are the user stories?

The requirement has been raised when users are migrated from one user store
to another, to check how many users have been migrated. While this
information can be generated by the administrator by running a direct query
on user store, an API is good to have for others to retrieve this
information.

One other user story I could think of is, combined with disabled user
accounts, to know the active user base of an enterprise.

>
>  Also, this is for C4 based products? If so, IMO, this feature is not
> something urgent to add to C4.
>
This is committed for IS 5.2.0.

>
>
> On Tuesday, February 9, 2016, Pushpalanka Jayawardhana 
> wrote:
>
>> Hi All,
>>
>> We are in the process of addressing the following requirements related to
>> getting the user count of a user store.
>>
>> *Requirement*
>> Mainly (in priority order),
>>
>>1. *Get the count of users in a userstore domain*
>>2. Get the count of users within a tenant space
>>3. Get the count of users having a specific claim value (count the
>>results matching a specific claim value. eg: Number of users that have been
>>locked, Number of users from a specific country)
>>
>>
>> Additionally, the following functionalities would be good to have,
>>
>>1. Get the count of users across tenants
>>
>>
>>
>>
>> *Approaches*
>>
>>1. Keep a separate database table to track the user count. Incrementally
>>update it each time a new user is added.
>>   - When plugging an existing user store, the table needs to be
>>   populated initially for once with existing users.
>>   - PR at [1] creates a table 'IDN_UID_USER' to same user when
>>   user name is renamed. It will be possible to use that table for this same
>>   requirement.
>>   - This approach does *NOT* address the 3rd requirement.
>>2. Execute a count query at user store manager level (This will be
>>an API addition to carbon kernel user core)
>>   - This will cater for all the main requirements
>>   - The LDAP protocol does not have a specific mention of
>>   an API for count
>>      - Different implementations have different approaches to
>>      achieve this.
>>         - OpenDS, Sun Directory Server -
>>         https://blogs.oracle.com/Ludo/entry/ldap_tip_counting_the_number
>>         - OpenLDAP -
>>         http://www.openldap.org/its/index.cgi/Archive.Incoming?id=4161
>>      - Implementing this in LDAP seems to be comparatively
>>      harder than JDBC with having to manually go through the trees.
>>   - With user stores having millions of users, the operation
>>   will be very time consuming. (UI might be less responsive, if the API is
>>   used via mgt console)
>>
>> Appreciate your thoughts, inputs regarding this.
>> @Kernel team : Appreciate your feedback on feasible timelines of
>> releasing this new API integrated with user.core, if required to do so.
>>
>> [1] - Rename user https://github.com/wso2/carbon-identity/pull/437
>> [2] - LDAP Protocol - https://tools.ietf.org/html/rfc4511
>>
>>
>> Thanks,
>> Pushpalanka.
>> --
>> Pushpalanka Jayawardhana, B.Sc.Eng.(Hons).
>> Senior Software Engineer, WSO2 Lanka (pvt) Ltd;  wso2.com/
>> Mobile: +94779716248
>> Blog: pushpalankajaya.blogspot.com/ | LinkedIn:
>> lk.linkedin.com/in/pushpalanka/ | Twitter: @pushpalanka
>>
>>
>
> --
> S.Uthaiyashankar
> VP Engineering
> WSO2 Inc.
> http://wso2.com/ - "lean . enterprise . middleware"
>
> Phone: +94 714897591
>
>
> ___
> Architecture mailing list
> Architecture@wso2.org
> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>
>
___
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture


Re: [Architecture] Decoupling client_id/client_secret based OAuth 2.0 client authentication from the token endpoint

2016-02-22 Thread Pushpalanka Jayawardhana
+1.

SCIM endpoint supports Basic Auth and OAuth for security through a handler
interface defined specifically for SCIM.
When implementing the DCR (Dynamic client registration) specification this
same need occurred. If the security handlers defined inside SCIM (which serve
a generic purpose) can be placed in a separate, more generic package,
that can be reused on occasions like this.

[1] -
https://github.com/wso2/carbon-identity/tree/master/components/scim/org.wso2.carbon.identity.scim.provider/src/main/java/org/wso2/carbon/identity/scim/provider/auth


Thanks,
Pushpalanka.
-- 
Pushpalanka Jayawardhana, B.Sc.Eng.(Hons).
Senior Software Engineer, WSO2 Lanka (pvt) Ltd;  wso2.com/
Mobile: +94779716248
Blog: pushpalankajaya.blogspot.com/ | LinkedIn:
lk.linkedin.com/in/pushpalanka/ | Twitter: @pushpalanka


On Mon, Feb 22, 2016 at 1:42 PM, Johann Nallathamby  wrote:

> +1.
>
> Also this set of authenticators should be used to secure any REST
> endpoint that we expose, not only OAuth2. WDYT? E.g. in SCIM endpoint the
> authentication is baked into the SCIM code, although it has a concept of
> handlers. I think all these restful authentication mechanisms must unify
> and come under a single framework.
>
>
> On Mon, Feb 22, 2016 at 11:24 AM, Prabath Siriwardana 
> wrote:
>
>> At the moment we are coupled into HTTP basic authentication
>> with client_id/client_secret , which is not right..
>>
>> Can we decouple this from the token endpoint..? And we should be able to
>> develop these authenticators as independent connectors..
>>
>> WDYT...?
>>
>> --
>> Thanks & Regards,
>> Prabath
>>
>> Twitter : @prabath
>> LinkedIn : http://www.linkedin.com/in/prabathsiriwardena
>>
>> Mobile : +1 650 625 7950
>>
>> http://blog.facilelogin.com
>> http://blog.api-security.org
>>
>
>
>
> --
> Thanks & Regards,
>
> *Johann Dilantha Nallathamby*
> Technical Lead & Product Lead of WSO2 Identity Server
> Governance Technologies Team
> WSO2, Inc.
> lean.enterprise.middleware
>
> Mobile - *+9476950*
> Blog - *http://nallaa.wordpress.com <http://nallaa.wordpress.com>*
>
> ___
> Architecture mailing list
> Architecture@wso2.org
> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>
>
___
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
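Added Python sketch (not Identity Server code) of the decoupled client authenticator chain this thread asks for: client_secret_basic and client_secret_post implemented as pluggable connectors behind one interface that a token, DCR or SCIM endpoint could share. The client registry, request shape and class names are constructed assumptions.

```python
import base64
import hmac
from abc import ABC, abstractmethod
from urllib.parse import unquote

# Constructed client registry; a production store would keep hashed secrets.
CLIENTS = {"s6BhdRkqt3": "constructed-secret-123"}


class InvalidClient(Exception):
    """Maps to the OAuth 2.0 'invalid_client' token endpoint error."""


class Request:
    """Minimal HTTP request shape: header map plus parsed form body."""

    def __init__(self, headers=None, form=None):
        self.headers = {k.lower(): v for k, v in (headers or {}).items()}
        self.form = dict(form or {})


class ClientAuthenticator(ABC):
    """Connector-style interface a token, DCR or SCIM endpoint can share."""

    @abstractmethod
    def can_handle(self, request):
        """True if the request carries credentials in this method's form."""

    @abstractmethod
    def authenticate(self, request):
        """Return the authenticated client_id or raise InvalidClient."""


def _secret_matches(client_id, secret):
    # Compare against an empty string for unknown clients so the comparison
    # always runs; compare_digest keeps equal-length checks constant-time.
    expected = CLIENTS.get(client_id, "")
    return hmac.compare_digest(expected.encode(), secret.encode()) and client_id in CLIENTS


class BasicAuthClientAuthenticator(ClientAuthenticator):
    """client_secret_basic: Authorization: Basic base64(urlencoded id:secret)."""

    def can_handle(self, request):
        return request.headers.get("authorization", "").startswith("Basic ")

    def authenticate(self, request):
        try:
            raw = base64.b64decode(request.headers["authorization"][6:], validate=True)
            client_id, secret = raw.decode("utf-8").split(":", 1)
        except (ValueError, KeyError, UnicodeDecodeError) as exc:
            raise InvalidClient("malformed Basic credentials") from exc
        client_id, secret = unquote(client_id), unquote(secret)
        if not _secret_matches(client_id, secret):
            raise InvalidClient("bad client credentials")
        return client_id


class ClientSecretPostAuthenticator(ClientAuthenticator):
    """client_secret_post: client_id and client_secret as form parameters."""

    def can_handle(self, request):
        return "client_secret" in request.form

    def authenticate(self, request):
        client_id = request.form.get("client_id", "")
        if not _secret_matches(client_id, request.form["client_secret"]):
            raise InvalidClient("bad client credentials")
        return client_id


class ClientAuthenticatorChain:
    """Ordered registry the endpoint consults; methods are plugged in, not baked in."""

    def __init__(self, authenticators):
        self._authenticators = list(authenticators)

    def authenticate(self, request):
        applicable = [a for a in self._authenticators if a.can_handle(request)]
        if not applicable:
            raise InvalidClient("no client authentication present")
        if len(applicable) > 1:
            # RFC 6749 2.3: a client MUST NOT use more than one method per request.
            raise InvalidClient("multiple client authentication methods used")
        return applicable[0].authenticate(request)

    def rejects(self, request):
        """True when the chain refuses the request with invalid_client."""
        try:
            self.authenticate(request)
        except InvalidClient:
            return True
        return False


def basic_header(client_id, secret):
    """Build the header value a client would send (helper for the demo)."""
    return "Basic " + base64.b64encode(f"{client_id}:{secret}".encode()).decode()


DEFAULT_CHAIN = ClientAuthenticatorChain([BasicAuthClientAuthenticator(),
                                          ClientSecretPostAuthenticator()])
```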


[Architecture] WSO2 Identity Server 5.2.0 Beta Released

2016-04-14 Thread Pushpalanka Jayawardhana
3> Custom
   Response Type Validator class is not read under SupportedGrantTypes in
   Identity.xml
   - IDENTITY-4381 <https://wso2.org/jira/browse/IDENTITY-4381>
   NullPointerException could happen in e.getCause().getCause()
   - IDENTITY-4377 <https://wso2.org/jira/browse/IDENTITY-4377> Session
   Hijacking vulnerability at Identity Server's PassiveSTS endpoint
   - IDENTITY-4371 <https://wso2.org/jira/browse/IDENTITY-4371>
   InfoRecoverySample build breaks
   - IDENTITY-4361 <https://wso2.org/jira/browse/IDENTITY-4361> Error when
   adding default bps profile when database is DB2
   - IDENTITY-4333 <https://wso2.org/jira/browse/IDENTITY-4333> validating
   the Refresh Token with database Oracle
   - IDENTITY-4314 <https://wso2.org/jira/browse/IDENTITY-4314>
   IDENTITY-3729 Features for nested.category must use "perfect" match
   - IDENTITY-4305 <https://wso2.org/jira/browse/IDENTITY-4305> Provide a
   target date to share the finalized 2016 IS roadmap
   - IDENTITY-4255 <https://wso2.org/jira/browse/IDENTITY-4255>
   IDENTITY-3729 Define importFeatureDef with version match rule in
   carbon-identity
   - IDENTITY-3948 <https://wso2.org/jira/browse/IDENTITY-3948> Required
   validations are not done for Callback URL for Oauth as Service Provider
   - IDENTITY-3894 <https://wso2.org/jira/browse/IDENTITY-3894> [Request
   Path Authentication] User credential prompted even after sending right
   access token
   - IDENTITY-3730 <https://wso2.org/jira/browse/IDENTITY-3730>
   IDENTITY-3729 POMs of "wso2-rampart", "wso2-wss4j", "balana" and "charon"
   need to be reviewed and fixed for WSO2 best practices
   - IDENTITY-3648 <https://wso2.org/jira/browse/IDENTITY-3648> Update
   OpenSAML version to 2.6.4.


Improvements


   - IDENTITY-4497 <https://wso2.org/jira/browse/IDENTITY-4497> Add PKCE
   Support Detection
   - IDENTITY-4459 <https://wso2.org/jira/browse/IDENTITY-4459> Add the
   session data persistence pool size to the identity.xml
   - IDENTITY-4442 <https://wso2.org/jira/browse/IDENTITY-4442> Users can
   disable their own accounts via the MC and Dashboard


New Features


   - IDENTITY-4453 <https://wso2.org/jira/browse/IDENTITY-4453> - Add PKCE
   Support for OAuth 2.0 Authorization Code Grant Type
   - IDENTITY-4096 <https://wso2.org/jira/browse/IDENTITY-4096> - SAML 2.0
   token support for WS-Federation (Passive)


Patches


   - IDENTITY-4449 <https://wso2.org/jira/browse/IDENTITY-4449> Data
   persistence is not working properly for AuthorizationGrantCache
   - IDENTITY-4443 <https://wso2.org/jira/browse/IDENTITY-4443> Identity
   server Tenant management servlet failure
   - IDENTITY-4440 <https://wso2.org/jira/browse/IDENTITY-4440> SCIM bulk
   update error masked by null pointer exception
   - IDENTITY-4398 <https://wso2.org/jira/browse/IDENTITY-4398> Authorization
   code can be sent in to get access token multiple times
   - IDENTITY-4395 <https://wso2.org/jira/browse/IDENTITY-4395> Identity
   Server URL must be configured inside EndpointConfig.properties
   - IDENTITY-4393 <https://wso2.org/jira/browse/IDENTITY-4393> Openid
   connect is failing when using implicit grant with custom claims.
   - IDENTITY-4386 <https://wso2.org/jira/browse/IDENTITY-4386> When role
   list have more than a single page, user can't select roles from 2 pages.
   - IDENTITY-4319 <https://wso2.org/jira/browse/IDENTITY-4319> Database
   read inside sync block in SecurityDeploymentInterceptor

Thanks,
-- 
Pushpalanka.
-- 
Pushpalanka Jayawardhana, B.Sc.Eng.(Hons).
Senior Software Engineer, WSO2 Lanka (pvt) Ltd;  wso2.com/
Mobile: +94779716248
Blog: pushpalankajaya.blogspot.com/ | LinkedIn:
lk.linkedin.com/in/pushpalanka/ | Twitter: @pushpalanka
___
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture


Re: [Architecture] [IS] Regenerating client secret/key and revoking an oauth app in OAuth 2.0 implementation

2016-06-03 Thread Pushpalanka Jayawardhana
Hi All,

On Fri, Jun 3, 2016 at 5:46 PM, Prabath Siriwardana 
wrote:

>
>
> On Thu, Jun 2, 2016 at 10:30 PM, Indunil Upeksha Rathnayake <
> indu...@wso2.com> wrote:
>
>> Hi,
>> I am working on implementing regeneration of the client secret/key of an
>> oauth app and revocation of an oauth app for the next milestone release of
>> Identity Server. Appreciate your feedback on the following approaches I
>> have taken.
>>
>> A trusted client would need to update the client secret/key, in order to
>> prevent the abuse of a revealed client secret/key. So for addressing that, I
>> am working on adding two options, *Regenerate Client Secret* and
>> *Regenerate Consumer Key*, for oauth applications in IS. After a client
>> secret/key gets regenerated, that will immediately invalidate any active
>> authorization code, access token or refresh token issued to the respective
>> client.
>>
>> *Will it be necessary to add two options for revoking client secret and
>> key or better to go for a different approach?*
>>
>
> I guess (as discussed in this thread already) - having the ability to
> change the consumer secret would be enough. Changing the consumer key is
> a bit challenging too - we would have all the analytics data against the
> consumer key.
>
On a side note which is not directly relevant to consumer key revocation, I
have seen occasions where customers wanted to decide the consumer key
themselves rather than having it generated.

Use case:
Eg: When they already have plenty of applications (maybe mobile apps)
which have an embedded consumer key and/or secret, and then, when moving from
the current authorization server to WSO2 Identity Server, they need to update
consumer credentials in all these applications to use WSO2 generated ones,
which they are reluctant to do.
While we may be able to support the above use case via an extension point,
won't it be good to have a highly secured API to do it?
For analytics, we may have to handle it using an old to new consumer key
mapping.


>
> Also - consumer key is not something - someone would remember and use - so
> I don't think it's the same as the username - so I don't see any need to change
>

>
>>
>>
>>
>> And apart from that planning for the implementation of *Revoking an
>> oauth app*. In there the oauth app will be revoked and that also will
>> immediately invalidate any active authorization code, access token or
>> refresh token, issued to the respective client. In order to activate the
>> oauth app again, need to regenerate the client secret.
>>
>>
>> *In there to activate the app, better to regenerate "both client key and
>> secret" or "either client key or secret"?*
>>
>
> Revoking an app means - mostly the revoking of its consumer secret (the
> previous scenario).
>
> Another couple of use cases we can address with this:
>
> 1. Blocking an app temporarily - Deactivate the App - and then Activate it
> after some time - nothing to do with the consumer secret revocation.
>
> 2. Ability to revoke an access token (s) issued on behalf of a user for a
> particular app.
>
> 3. Ability to revoke all the access tokens issued on behalf of a user
> across all the apps.
>
> Thanks & regards,
> -Prabath
>
>
>>
>>
>> Really value your ideas/suggestions on improving this feature.
>>
>> Thanks and Regards
>> --
>> Indunil Upeksha Rathnayake
>> Software Engineer | WSO2 Inc
>> Email: indu...@wso2.com
>>
>>
>> ___
>> Architecture mailing list
>> Architecture@wso2.org
>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>
>>
>
>
> --
> Thanks & Regards,
> Prabath
>
> Twitter : @prabath
> LinkedIn : http://www.linkedin.com/in/prabathsiriwardena
>
> Mobile : +1 650 625 7950
>
> http://facilelogin.com
>
> ___
> Architecture mailing list
> Architecture@wso2.org
> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>
>

Thanks,
-- 
Pushpalanka.
-- 
Pushpalanka Jayawardhana, B.Sc.Eng.(Hons).
Senior Software Engineer, WSO2 Lanka (pvt) Ltd;  wso2.com/
Mobile: +94779716248
Blog: pushpalankajaya.blogspot.com/ | LinkedIn:
lk.linkedin.com/in/pushpalanka/ | Twitter: @pushpalanka
___
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
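An added Python model (not Identity Server code) of the operations discussed in this thread: regenerating the secret revokes every outstanding code and token, a revoked app needs a new secret before it works again, deactivation is a temporary block that leaves grants in place, and tokens can be revoked for a user per app or across all apps. The registry structure, state names and the caller-supplied consumer key for the migration case are assumptions.

```python
import hashlib
import secrets
from dataclasses import dataclass


@dataclass
class Grant:
    """An authorization code, access token or refresh token issued to an app."""
    kind: str
    value: str
    client_id: str
    user: str
    active: bool = True


class OAuthAppRegistry:
    """Constructed registry modelling the app-level operations in the thread."""

    def __init__(self):
        self._apps = {}      # client_id -> {"secret_hash": str, "state": str}
        self._grants = []

    @staticmethod
    def _hash(secret):
        # Secrets are generated with high entropy, so an unsalted hash suffices here.
        return hashlib.sha256(secret.encode()).hexdigest()

    def register(self, client_id=None):
        """Register an app. The consumer key may be chosen by the caller (the
        migration use case) or generated; the secret is always generated."""
        client_id = client_id or secrets.token_urlsafe(16)
        if client_id in self._apps:
            raise ValueError("client_id already registered")
        secret = secrets.token_urlsafe(32)
        self._apps[client_id] = {"secret_hash": self._hash(secret), "state": "ACTIVE"}
        return client_id, secret

    def issue(self, kind, client_id, user):
        if self._apps[client_id]["state"] != "ACTIVE":
            raise PermissionError("app is not active")
        grant = Grant(kind, secrets.token_urlsafe(24), client_id, user)
        self._grants.append(grant)
        return grant

    def active_grants(self, client_id=None, user=None):
        return [g for g in self._grants if g.active
                and (client_id is None or g.client_id == client_id)
                and (user is None or g.user == user)]

    def _revoke_grants(self, client_id=None, user=None):
        for grant in self.active_grants(client_id, user):
            grant.active = False

    def regenerate_secret(self, client_id):
        """Issue a new secret; every code/token under the old one is invalidated.
        This is also how a revoked app is brought back into service."""
        secret = secrets.token_urlsafe(32)
        self._apps[client_id].update(secret_hash=self._hash(secret), state="ACTIVE")
        self._revoke_grants(client_id)
        return secret

    def revoke_app(self, client_id):
        """Revoke the app: credentials and grants stop working until the
        secret is regenerated."""
        self._apps[client_id]["state"] = "REVOKED"
        self._revoke_grants(client_id)

    def deactivate(self, client_id):
        """Temporary block: grants stay stored but are refused while inactive."""
        if self._apps[client_id]["state"] == "ACTIVE":
            self._apps[client_id]["state"] = "INACTIVE"

    def activate(self, client_id):
        if self._apps[client_id]["state"] == "REVOKED":
            raise PermissionError("a revoked app needs a new secret, not activation")
        self._apps[client_id]["state"] = "ACTIVE"

    def revoke_user_grants(self, user, client_id=None):
        """Revoke tokens issued on behalf of a user for one app or across all apps."""
        self._revoke_grants(client_id, user)

    def verify_client(self, client_id, secret):
        app = self._apps.get(client_id)
        return (app is not None and app["state"] == "ACTIVE"
                and secrets.compare_digest(app["secret_hash"], self._hash(secret)))

    def grant_is_valid(self, value):
        """A grant is usable only while it is active and its app is ACTIVE."""
        for grant in self._grants:
            if grant.value == value:
                return grant.active and self._apps[grant.client_id]["state"] == "ACTIVE"
        return False
```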


Re: [Architecture] [Dev]Force Password Reset and Password History validation

2016-06-20 Thread Pushpalanka Jayawardhana
Hi Isura,

On Mon, Jun 20, 2016 at 10:52 AM, Isura Karunaratne  wrote:

> HI all,
>
> I am working on $subject for WSO2 Identity Server 5.3.0 release. Following
> are the currently identified improvements,
>
>
>- Password History -
>
> Last 'n' number of passwords need to be maintained in user's history. When
> user updates his password we don't allow him to choose one of these 'n'
> passwords again.
>
>
>- Periodic Password Reset -
>
> Force the user to periodically (configurable period) reset his password.
> When doing this we need to leverage the password history feature as well.
>
>
> CREATE TABLE IF NOT EXISTS idn_password_history_data
> (
>   user_name    VARCHAR(255) NOT NULL,
>   user_domain  VARCHAR(255) NOT NULL,
>   tenant_id    INTEGER DEFAULT -1,
>   hash         VARCHAR(255) NOT NULL,
>   time_created TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
>   PRIMARY KEY (user_name, user_domain, tenant_id, hash)
> )
>
>
> All the passwords which are supposed to be stored in this table are old
> passwords (expired).
>
> - I think we don't need to use the same  password hashing algorithm (with
> or without salted value) which is defined user-mgt.xml for password history
> validation.
> - admin users can change other user's passwords without giving their old
> passwords. In that case, how can we find the old password hash value to
> store for password history validation?
>
In the given table schema we may need to pay special attention to handle
user_domain, as the secondary user store domain can be changed. Ideally we
should incorporate a *unique user store domain id* rather than using the user
domain here.

>
>
> Your comments and suggestions are highly appreciated.
>
> Thanks
> Isura.
>
>
> Isura Dilhara Karunaratne
> Senior Software Engineer
>
> Mob +94 772 254 810
>
>
> ___
> Architecture mailing list
> Architecture@wso2.org
> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>
>


-- 
Pushpalanka.
-- 
Pushpalanka Jayawardhana, B.Sc.Eng.(Hons).
Senior Software Engineer, WSO2 Lanka (pvt) Ltd;  wso2.com/
Mobile: +94779716248
Blog: pushpalankajaya.blogspot.com/ | LinkedIn:
lk.linkedin.com/in/pushpalanka/ | Twitter: @pushpalanka
___
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
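Added Python example (not the feature's code) of the history and periodic-reset checks against the proposed table. It carries two assumed changes to the schema quoted above: a per-row salt column, and a stable user_domain_id in place of the renamable user_domain name raised in the reply; the hash function is independent of the user-mgt.xml setting, as the message suggests.

```python
import hashlib
import hmac
import os
import sqlite3
from datetime import datetime, timedelta, timezone

PBKDF2_ROUNDS = 50_000   # raise for production; kept modest so the demo runs quickly


def _hash(password, salt):
    """Salted PBKDF2-HMAC-SHA256, independent of the user-mgt.xml hashing setup."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS).hex()


def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


class PasswordHistoryStore:
    """Constructed stand-in for idn_password_history_data. Two assumed changes
    to the proposed schema: a per-row salt, and a stable user_domain_id in
    place of the renamable user_domain name."""

    def __init__(self, history_length, max_age_days):
        self.history_length = history_length
        self.max_age = timedelta(days=max_age_days)
        self.conn = sqlite3.connect(":memory:")
        self.conn.execute("""
            CREATE TABLE idn_password_history_data (
              user_name      TEXT    NOT NULL,
              user_domain_id INTEGER NOT NULL,
              tenant_id      INTEGER NOT NULL DEFAULT -1,
              salt           BLOB    NOT NULL,
              hash           TEXT    NOT NULL,
              time_created   TEXT    NOT NULL,
              PRIMARY KEY (user_name, user_domain_id, tenant_id, hash))""")

    def _rows(self, user, domain_id, tenant_id):
        return self.conn.execute(
            "SELECT salt, hash, time_created FROM idn_password_history_data "
            "WHERE user_name = ? AND user_domain_id = ? AND tenant_id = ? "
            "ORDER BY time_created DESC", (user, domain_id, tenant_id)).fetchall()

    def is_reused(self, user, domain_id, tenant_id, candidate):
        """True if the candidate equals one of the last n passwords."""
        recent = self._rows(user, domain_id, tenant_id)[:self.history_length]
        return any(hmac.compare_digest(_hash(candidate, salt), digest)
                   for salt, digest, _ in recent)

    def record(self, user, domain_id, tenant_id, password, when):
        """Store the hash when the password is set, so an admin-set password
        (old cleartext never seen) is still covered next time; prune to n rows."""
        salt = os.urandom(16)
        self.conn.execute("INSERT INTO idn_password_history_data VALUES (?, ?, ?, ?, ?, ?)",
                          (user, domain_id, tenant_id, salt, _hash(password, salt),
                           when.isoformat()))
        for _salt, digest, _time in self._rows(user, domain_id, tenant_id)[self.history_length:]:
            self.conn.execute(
                "DELETE FROM idn_password_history_data WHERE user_name = ? "
                "AND user_domain_id = ? AND tenant_id = ? AND hash = ?",
                (user, domain_id, tenant_id, digest))

    def change_password(self, user, domain_id, tenant_id, new_password, when):
        """Enforce history on a change: returns False (nothing stored) on reuse."""
        if self.is_reused(user, domain_id, tenant_id, new_password):
            return False
        self.record(user, domain_id, tenant_id, new_password, when)
        return True

    def reset_due(self, user, domain_id, tenant_id, now):
        """Periodic reset: due when the newest entry is older than max_age or missing."""
        rows = self._rows(user, domain_id, tenant_id)
        if not rows:
            return True
        return now - datetime.fromisoformat(rows[0][2]) >= self.max_age
```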


Re: [Architecture] Role Based Access Control (RBAC) for RDBMS based environment provisioning

2014-08-18 Thread Pushpalanka Jayawardhana
Thanks,
Pushpalanka.
-- 
Pushpalanka Jayawardhana, B.Sc.Eng.(Hons).
Software Engineer, WSO2 Lanka (pvt) Ltd;  wso2.com/
Mobile: +94779716248
Blog: pushpalankajaya.blogspot.com/ | LinkedIn:
lk.linkedin.com/in/pushpalanka/ | Twitter: @pushpalanka



On Mon, Aug 18, 2014 at 10:40 PM, Dhanuka Ranasinghe 
wrote:

>
>
> *Dhanuka Ranasinghe*
>
> Senior Software Engineer
> WSO2 Inc. ; http://wso2.com
> lean . enterprise . middleware
>
> phone : +94 715381915
>
>
> On Sat, Aug 16, 2014 at 4:32 AM, Manfred Herrmann <
> herrmann.manf...@googlemail.com> wrote:
>
>> +1 ... for providing this capability
>>
>> my comments inline:
>>
>>
>> 2014-08-15 8:15 GMT+02:00 Sumedha Rubasinghe :
>>
>> +1 for providing the capability.
>>>
>>> Are we going to define permissions per environment or are there going to
>>> be static set of environments?
>>> There is a similar mail for Cassandra in [Architecture] Supporting
>>> multiple environments for Cassandra.
>>>
>>
>> This mail should be answered http://markmail.org/message/4bnghbxw6egknfrn
>> ...
>>  A consistent use case/architecture regarding environments is preferred.
>>
>>  Currently we only support a static set of environments, but with SS 1.5.0 we
>> are going to support user-defined environments and instances.
>>
>>>
>>> IMO permissions you have mentioned are too high level for this.  It's
>>> more practical to associate permissions with a specific database.  So
>>> having only 'Read' permission (for example) would not allow this.
>>>
>>> Sorry about the high level description. Yes, permission is associated with
> databases. For example permission = database (db1) + Action (create), but
> again the database is located in an instance and that instance is located in an
> Environment. We thought to first go ahead with a simple solution and then we
> can improve it iteratively.
>
>> Then if you consider a particular database, real deployment scenarios
>>> would want to control who can perform CRUD on that database.
>>>
>> This is already supported in existing SS. It is controlled, when provisioning a
> database to a particular user, with a privilege template.
>
>>  So I feel XACML type of an approach is far more practical and
>>> extensible here.
>>>
>> +1 for considering XACML as an option. This will allow us to make the
permission model more fine grained. In addition to restricting depending on
the user role, we can consider other attributes like 'within which time
period a user is allowed to access the environment' etc., as well with this
approach. The extensibility will come with the cost of some added
complexity though.

>
>> Is this environment-architecture only for access rss meta-data (like
>> users/user-rights/templates...)?
>>
> Yes, partly correct. This solution only applies when users are working with SS,
> and it does not apply when users access external databases through the JDBC
> driver.
>
>> Or is it for all DB-data like access-rights (CRUD...) on/in a specific
>> RSS provisioned DB?
>>
>>
>>>
>>> On Tue, Aug 12, 2014 at 11:06 AM, Dhanuka Ranasinghe 
>>> wrote:
>>>
>>>> Since SS 1.1.0 we do support the concept of environments. There can be
>>>> multiple database server instances in a single environment. So according to
>>>> the above use case, there can be multiple database server instances (R&D and
>>>> maintenance) for the Development environment. At the moment any user can
>>>> access any environment configured in SS, but we need to control who and
>>>> how they are going to access these environments. That is the whole purpose of RBAC.
>>>>
>>>> So far we have identified four permissions.
>>>>
>>>> 1. Access (Read)
>>>> 2. Create
>>>> 3. Modify
>>>> 4. Delete
>>>>
>>>> These permissions should be assigned to user Roles against
>>>> environments. By doing that we can check whether a particular user has
>>>> permission to access the environment.
>>>>
>>>> Cheers,
>>>> Dhanuka
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> /sumedha
>>> m: +94 773017743
>>> b :  bit.ly/sumedha
>>>
>>>
>>>
>>
>>
>>
>
>
>
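As an added illustration of the permission model discussed in this thread (my own example, not WSO2 Storage Server code; environment, instance, database, role and grant names are constructed): a deny-by-default check where a grant is scoped to a whole environment, one instance or one database, and may carry the time-window attribute mentioned above as an XACML-style extension.

```python
"""Added example, not WSO2 Storage Server code: a deny-by-default permission
check for the environment > instance > database hierarchy from the thread.
A grant gives a role some of the four permissions (Access, Create, Modify,
Delete) on a scope that is a whole environment, one instance or one database,
and may carry a same-day time window, the kind of extra attribute an
XACML-style policy could express. All names below are constructed."""

from dataclasses import dataclass
from datetime import time
from typing import FrozenSet, Iterable, List, Optional, Tuple

PERMISSIONS = frozenset({"Access", "Create", "Modify", "Delete"})


def clock(hhmm: str) -> time:
    """Parse 'HH:MM' into a time of day."""
    return time.fromisoformat(hhmm)


@dataclass(frozen=True)
class Resource:
    """A database lives in an instance, which lives in an environment.
    Leaving instance/database as None names the whole enclosing level."""
    environment: str
    instance: Optional[str] = None
    database: Optional[str] = None


@dataclass(frozen=True)
class Grant:
    role: str
    scope: Resource
    permissions: FrozenSet[str]
    window: Optional[Tuple[time, time]] = None  # (start, end), inclusive

    def __post_init__(self) -> None:
        unknown = self.permissions - PERMISSIONS
        if unknown:
            raise ValueError(f"unknown permission(s): {sorted(unknown)}")

    def covers(self, resource: Resource) -> bool:
        """A grant on an environment covers every instance and database in it;
        a grant on an instance covers only that instance's databases."""
        s = self.scope
        return (s.environment == resource.environment
                and (s.instance is None or s.instance == resource.instance)
                and (s.database is None or s.database == resource.database))

    def active_at(self, now: time) -> bool:
        if self.window is None:
            return True
        start, end = self.window
        return start <= now <= end


class Policy:
    def __init__(self, grants: Iterable[Grant]) -> None:
        self.grants = list(grants)

    def is_permitted(self, roles: Iterable[str], resource: Resource,
                     action: str, now: time) -> bool:
        """True if any of the user's roles holds `action` on a scope that
        covers `resource` and is active at `now`; everything else is denied."""
        if action not in PERMISSIONS:
            raise ValueError(f"unknown action: {action}")
        roles = set(roles)
        return any(g.role in roles and action in g.permissions
                   and g.covers(resource) and g.active_at(now)
                   for g in self.grants)

    def permitted_actions(self, roles: Iterable[str], resource: Resource,
                          now: time) -> List[str]:
        roles = set(roles)
        return sorted(a for a in PERMISSIONS
                      if self.is_permitted(roles, resource, a, now))


def build_sample_policy() -> Policy:
    """Constructed grants for a 'Development' environment holding an 'rnd'
    and a 'maintenance' database server instance, as in the thread."""
    return Policy([
        # DBAs hold all four permissions on the whole Development environment.
        Grant("dba", Resource("Development"), PERMISSIONS),
        # Developers may read and create databases on the R&D instance only.
        Grant("developer", Resource("Development", "rnd"),
              frozenset({"Access", "Create"})),
        # Maintainers may modify one database, and only during office hours.
        Grant("maintainer", Resource("Development", "maintenance", "db1"),
              frozenset({"Access", "Modify"}),
              window=(clock("09:00"), clock("17:00"))),
    ])


if __name__ == "__main__":
    policy = build_sample_policy()
    db1 = Resource("Development", "maintenance", "db1")
    print(policy.permitted_actions({"maintainer"}, db1, clock("10:00")))  # ['Access', 'Modify']
    print(policy.permitted_actions({"maintainer"}, db1, clock("20:00")))  # []
```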


Re: [Architecture] [IS] [Secondary User Store] Securing passwords in secondary userstore configurations

2014-10-28 Thread Pushpalanka Jayawardhana
Hi,


On Wed, Oct 29, 2014 at 1:02 AM, Udara Liyanage  wrote:

> Hi,
>
> Isn't it better to encrypt fields of the file rather than the whole file,
> like we do in secure vault? Please correct me if I am wrong since I am not
> well aware of the exact use case.
>
1.  Yes, we are to only encrypt the property value.
Adding more information, as I know the plan is to define something like
below in the file to be encrypted.
 admin
After encrypting the value it will be saved back as,
 Wxy635hxahftafafetk8dsnnHkw

It would be great if there is a better way to imply which properties should
be encrypted and after encrypting, to imply that the value is encrypted.

2.   An indication in the file name is added to imply whether it
carries property values to be encrypted. Otherwise all the properties
should be scanned blindly and checked for encryption, which seemed a
waste. There is a trade-off between this cost of scanning and another
convention added to the file name.

> I prefer a prefix rather than appending, since appending enc does not help
> someone to figure out that it is a secured file at first glance.
>
> In OSes like Linux file extension does not matter much. Is it possible for
> someone to have a file name like 'sec-con' (without any extension)
>
> Touched, not typed. Erroneous words are a feature, not a typo.
>
Thanks,
Pushpalanka.
-- 
Pushpalanka Jayawardhana, B.Sc.Eng.(Hons).
Software Engineer, WSO2 Lanka (pvt) Ltd;  wso2.com/
Mobile: +94779716248
Blog: pushpalankajaya.blogspot.com/ | LinkedIn:
lk.linkedin.com/in/pushpalanka/ | Twitter: @pushpalanka


Re: [Architecture] [IS] [Secondary User Store] Securing passwords in secondary userstore configurations

2014-11-02 Thread Pushpalanka Jayawardhana
Thanks,
Pushpalanka.
-- 
Pushpalanka Jayawardhana, B.Sc.Eng.(Hons).
Software Engineer, WSO2 Lanka (pvt) Ltd;  wso2.com/
Mobile: +94779716248
Blog: pushpalankajaya.blogspot.com/ | LinkedIn:
lk.linkedin.com/in/pushpalanka/ | Twitter: @pushpalanka


On Sun, Nov 2, 2014 at 10:55 PM, Firzhan Naqash  wrote:

> Hi All,
>
> 1.  Yes, we are to only encrypt the property value.
> Adding more information, as I know the plan is to define something like
> below in the file to be encrypted.
>   >admin
> After encrypting the value it will be saved back as,
>
>
> When we are encrypting from GUI, we use the fields mentioned to be
> encrypted in Property objects. Therefore in order to maintain the
> consistency, we can use those fields rather than explicitly defining
> property called true.
>
That's clean and simple. So now the developer of the user store manager
controls which properties should be encrypted rather than the admin. I
think it's fine as most of the time it's the password only.

>
>

> WDYT?
>
> Regards,
> Firzhan
>
> On Wed, Oct 29, 2014 at 10:46 AM, Pushpalanka Jayawardhana  > wrote:
>
>> Hi,
>>
>>
>> On Wed, Oct 29, 2014 at 1:02 AM, Udara Liyanage  wrote:
>>
>>> Hi,
>>>
>>> Isn't it better to encrypt fields of the file rather than the whole file,
>>> like we do in secure vault? Please correct me if I am wrong since I am not
>>> well aware of the exact use case.
>>>
>> 1.  Yes, we are to only encrypt the property value.
>> Adding more information, as I know the plan is to define something like
>> below in the file to be encrypted.
>>  > >admin
>> After encrypting the value it will be saved back as,
>>  > >Wxy635hxahftafafetk8dsnnHkw
>>
>> It would be great if there is a better way to imply which properties
>> should be encrypted and after encrypting, to imply that the value is
>> encrypted.
>>
>> 2.   An indication in the file name is added to imply whether it
>> carries property values to be encrypted. Otherwise all the properties
>> should be scanned blindly and checked for encryption, which seemed a
>> waste. There is a trade-off between this cost of scanning and another
>> convention added to the file name.
>>
>>> I prefer a prefix rather than appending, since appending enc does not help
>>> someone to figure out that it is a secured file at first glance.
>>>
>>> In OSes like Linux file extension does not matter much. Is it possible
>>> for someone to have a file name like 'sec-con' (without any extension)
>>>
>>> Touched, not typed. Erroneous words are a feature, not a typo.
>>>
>> Thanks,
>> Pushpalanka.
>> --
>> Pushpalanka Jayawardhana, B.Sc.Eng.(Hons).
>> Software Engineer, WSO2 Lanka (pvt) Ltd;  wso2.com/
>> Mobile: +94779716248
>> Blog: pushpalankajaya.blogspot.com/ | LinkedIn:
>> lk.linkedin.com/in/pushpalanka/ | Twitter: @pushpalanka
>>
>
>
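The approach the two posts above converge on (encrypt only the property value, and let the user store manager declare which properties are secret), as an added example that is not WSO2 Carbon code. It marks each encrypted value with an explicit encrypted="true" attribute instead of a file-name convention, so a re-run never double-encrypts; StandInCipher, the XML, the manager class name and the key are constructed stand-ins, not the product's secure vault.

```python
"""Added example, not WSO2 Carbon code: encrypt only the sensitive property
values of a secondary user store configuration. Which properties are secret is
declared by the user store manager (mirroring the Property-object approach
proposed in the thread), and each encrypted value is marked with an explicit
encrypted="true" attribute so the file itself says which values are already
encrypted; no file-name convention is needed. StandInCipher is a stdlib-only
stand-in (HMAC-SHA256 keystream, encrypt-then-MAC) for the product's secure
vault cipher. The XML, key and property names are constructed sample data."""

import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from typing import Dict, Set, Tuple


class StandInCipher:
    """Encrypt-then-MAC over an HMAC-SHA256 counter-mode keystream.
    A real deployment should use the vault's vetted AEAD (e.g. AES-GCM)."""

    def __init__(self, master_key: bytes) -> None:
        self._enc = hmac.new(master_key, b"enc", hashlib.sha256).digest()
        self._mac = hmac.new(master_key, b"mac", hashlib.sha256).digest()

    def _keystream(self, nonce: bytes, length: int) -> bytes:
        out = b""
        counter = 0
        while len(out) < length:
            block = nonce + counter.to_bytes(4, "big")
            out += hmac.new(self._enc, block, hashlib.sha256).digest()
            counter += 1
        return out[:length]

    def encrypt(self, plaintext: str) -> str:
        nonce = os.urandom(16)  # fresh per value, so equal secrets differ on disk
        pt = plaintext.encode("utf-8")
        ct = bytes(a ^ b for a, b in zip(pt, self._keystream(nonce, len(pt))))
        tag = hmac.new(self._mac, nonce + ct, hashlib.sha256).digest()
        return base64.b64encode(nonce + ct + tag).decode("ascii")

    def decrypt(self, token: str) -> str:
        raw = base64.b64decode(token)
        nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
        expected = hmac.new(self._mac, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("encrypted value failed its integrity check")
        pt = bytes(a ^ b for a, b in zip(ct, self._keystream(nonce, len(ct))))
        return pt.decode("utf-8")


# Declared by the user store manager's Property definitions, not by the admin.
SECRET_PROPERTIES: Set[str] = {"ConnectionPassword"}

# Constructed sample configuration; the manager class name is a placeholder.
SAMPLE_CONFIG = """<UserStoreManager class="org.example.SampleUserStoreManager">
  <Property name="ConnectionURL">ldap://ldap.example.test:389</Property>
  <Property name="ConnectionName">uid=admin,ou=system</Property>
  <Property name="ConnectionPassword">admin</Property>
</UserStoreManager>"""


def protect_config(xml_text: str, secret_names: Set[str],
                   cipher: StandInCipher) -> Tuple[str, int]:
    """Encrypt secret property values and mark them encrypted="true".
    Values already marked are skipped, so re-running is safe (no double
    encryption). Returns the new XML and the number of values changed."""
    root = ET.fromstring(xml_text)
    changed = 0
    for prop in root.iter("Property"):
        if prop.get("name") in secret_names and prop.get("encrypted") != "true":
            prop.text = cipher.encrypt(prop.text or "")
            prop.set("encrypted", "true")
            changed += 1
    return ET.tostring(root, encoding="unicode"), changed


def load_config(xml_text: str, cipher: StandInCipher) -> Dict[str, str]:
    """Read properties for in-memory use, decrypting those marked encrypted."""
    values: Dict[str, str] = {}
    for prop in ET.fromstring(xml_text).iter("Property"):
        text = prop.text or ""
        if prop.get("encrypted") == "true":
            text = cipher.decrypt(text)
        values[prop.get("name")] = text
    return values


if __name__ == "__main__":
    key = b"constructed-demo-master-key"  # a real key comes from the secure vault
    cipher = StandInCipher(key)
    protected, n = protect_config(SAMPLE_CONFIG, SECRET_PROPERTIES, cipher)
    print(f"{n} value(s) encrypted")                              # 1 value(s) encrypted
    print(load_config(protected, cipher)["ConnectionPassword"])  # admin
```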


Re: [Architecture] User Store Manager Configuration UI - New Feature

2013-05-10 Thread Pushpalanka Jayawardhana
Pushpalanka Jayawardhana

Software Engineer

WSO2 Lanka (pvt) Ltd
Mobile: +94779716248


On Fri, May 10, 2013 at 12:29 PM, Pradeep Fernando  wrote:

>
> Hi,
>
>
>> After the first start up, the UI will be the only way to edit the
>> configuration (except for going and changing the storage). That limitation has
>> negative points.
>> But the use of the UI is to allow a user to add a new configuration without a
>> need to restart the server to get it into effect. So will it be a big issue?
>>
>
>  - Once I configure the server with the provided UI, I should be able to use
> the server as a building block and populate similar environments. Of course
> I can use user-mgt.xml, but if we are providing a new feature it must have
> a consistent story across the platform.
> -  During dev test cycles we often re-start the server with a cleared database.
> So this UI is not usable in day to day test scenarios as well.
> - Do you find a real production use case for this functionality?
> Organizations do not configure their user-stores then and there. More often
> than not it is a one time thing. In that sense this looks like only a
> 'demo' friendly feature. Please prove me wrong.
>
Yes, this will not be a functionality that will be used frequently. But it
will be useful when we want to add or edit a User Store Configuration in an
environment where shutting down a server is costly.
I am not aware of a real production use case at the moment. CCing
Prabath to have some inputs.


>
>
>
>>
>>
>>> IMHO, the proper approach would be to de-serialize/serialize from/to the
>>> user-mgt.xml. Did you evaluate the option? Maybe you encountered
>>> technical issues; if so, what are they?
>>>
>> This option was considered. But we did not properly evaluate between using
>> persistent storage and editing user-mgt.xml itself.
>> A point to note will be,
>>
>>- The order of the uncommented User Store Managers matters, as it
>>implies which is the Primary store and the order of Secondary
>>stores. (Accordingly we should decide on appending to the file or replacing
>>the whole file with the new configuration.) So the flexibility we can
>>provide through the UI in defining new configurations will be limited
>>accordingly.
>>
>> This looks like an issue in the configuration language. In the provided tables
> you are maintaining a field to track the order of user-stores. Likewise the
> config xml file should also maintain the same.  Here I'm not questioning
> the use of order in the configuration as the mechanism for deciding the
> priority; it looks fine at the moment. But if you find a real use case, you
> can alter the existing configuration language.
>
>
>
>   UM_DOMAIN_ID is an already existing auto increment column in the
>> dbscript. I guess it is used as a counter.
>> UM_DOMAIN_NAME is also already defined. With the alteration this will
>> also be marked as UNIQUE, as now the users are stored with the relevant domain.
>> (Eg, PRIMARY/user1)
>>
> Dumb question. Why two unique fields ?
>
The use of UM_DOMAIN_ID is still a mystery to me. I am saying
UM_DOMAIN_NAME has to be UNIQUE just because it will raise conflicts in
uniquely identifying users. For example, if two domains have the same user
name 'user1' in each, it's only the DOMAIN_NAME that will differentiate them
(PRIMARY/user1, SECONDARY/user1). It is the DOMAIN_NAME that is used here,
not the DOMAIN_ID, as I have seen in the latest version.

Thanks a lot for the ideas!

>
> Thanks,
> --Pradeep
>
>
>
>


Re: [Architecture] User Store Manager Configuration UI - New Feature

2013-05-23 Thread Pushpalanka Jayawardhana
Hi All,

Here is a status update on the feature implementation. Looking for advice
on a few areas too.

*Done*

   - Detect dropping of a new user-mgt.xml and create a new realmConfiguration
   from the file (using the Axis2 deployer. As I have observed, this detects the
   dropping of a new file, but not the editing of an already existing file.
   Please correct me if I am wrong.)
   - UI to show the existing configuration and edit the properties of
   UserStoreManager


*Working on*

   - Making the newly created realmConfiguration effective through the
   RealmService (Need to address changing the primary user store, already signed
   in users in the current configuration, and secondary user stores)


   - In the UI, the details of the available
   UserStoreManagers (implementation class and properties list) need to be
   shown. In order to have them, I am to introduce a UserStoreRegistry with a
   ServiceTracker in carbon.user.core. It will have the same functionality as
   AuthenticatorsRegistry, but for UserStoreManagers. The objective is to make
   sure that, if a user drops a custom UserStoreManager in addition to the
   existing ones, the UI should detect it and allow the user to utilize it via the UI.


   - Saving data inserted via UI, at finish - This has a few options. Please
   advise on the best to use:
      - Update the RealmService with the new configuration and then write the
      updated RealmConfiguration into user-mgt.xml (This newly created file will
      trigger the Axis2 deployer as a new file addition, which is not needed.)
      - Write the updated details into user-mgt.xml. Even if only one
      UserStoreManager is edited, the whole user-mgt.xml has to be read in, the
      new one placed in the relevant order and the others' order updated
      accordingly.



Thanks,

Pushpalanka Jayawardhana

Software Engineer

WSO2 Lanka (pvt) Ltd
Mobile: +94779716248


Re: [Architecture] User Store Manager Configuration UI - New Feature

2013-05-29 Thread Pushpalanka Jayawardhana
Hi,

Please find the slides for today's design review here,
https://docs.google.com/a/wso2.com/presentation/d/11lGLIXoeIm8TDV8vKcypLSk8Ksk-p1mrU3sqWHJD-8g/edit?usp=sharing

Thanks,

Pushpalanka Jayawardhana

Software Engineer

WSO2 Lanka (pvt) Ltd
Mobile: +94779716248


On Wed, May 29, 2013 at 1:57 PM, Dimuthu Leelarathne wrote:

> +1. Please invite me the review as well.
>
> thanks,
> dimuthu
>
>
> On Tue, May 28, 2013 at 7:47 AM, Srinath Perera  wrote:
>
>> Have we reviewed this? shall I schedule?
>>
>> --Srinath
>>
>>
>> On Mon, May 27, 2013 at 5:42 PM, Amila Suriarachchi wrote:
>>
>>>
>>>
>>>
>>> On Mon, May 27, 2013 at 5:30 PM, Prabath Siriwardena 
>>> wrote:
>>>
>>>>
>>>>
>>>> On Mon, May 27, 2013 at 5:13 PM, Amila Suriarachchi wrote:
>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Mon, May 27, 2013 at 5:01 PM, Prabath Siriwardena >>>> > wrote:
>>>>>
>>>>>>
>>>>>>
>>>>>> On Mon, May 27, 2013 at 4:04 PM, Amila Suriarachchi 
>>>>>> wrote:
>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Mon, May 27, 2013 at 3:06 PM, Prabath Siriwardena <
>>>>>>> prab...@wso2.com> wrote:
>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On Fri, May 24, 2013 at 9:51 PM, Amila Suriarachchi >>>>>>> > wrote:
>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>- Saving data inserted via UI, at finish -  This has few
>>>>>>>>>>options. Please advice on best to use
>>>>>>>>>>- Update the RealmService with new configuration and then
>>>>>>>>>>   write the updated Realmconfiguration into user-mgt.xml (This 
>>>>>>>>>> newly created
>>>>>>>>>>   file will trigger the Axis2 deployer as a new file addition, 
>>>>>>>>>> which is not
>>>>>>>>>>   needed )
>>>>>>>>>>   - Write the updated details into user-mgt.xml. Even if
>>>>>>>>>>   only one UserStoreManager is edited, whole user-mgt.xml has to 
>>>>>>>>>> be read in,
>>>>>>>>>>   place new one in relevant order and update other's order 
>>>>>>>>>> accordingly.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>> Idea is to create a separate file per user store. you can save
>>>>>>>>> this file with the userstore name. Then update only that file.
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> I don't think we need to keep files per user store. We can persist
>>>>>>>> the changes to the user-mgt.xml it self and keep different user-mgt.xml
>>>>>>>> files per tenant..
>>>>>>>>
>>>>>>>
>>>>>>> As we discussed last time user-mgt.xml is used to represent realm
>>>>>>> which consists of user store, authorization manager, clam manager etc 
>>>>>>> ...
>>>>>>> Since authorization mana

Re: [Architecture] Synching Configurations across the clusters

2013-06-24 Thread Pushpalanka Jayawardhana
Hi All,

Following is how we are to use dep-sync to sync user store configurations
across clusters, with some inputs from Charitha, Prabath and Pradeep.

   - repository/conf/userstores/user-mgt.xml - configuration of super admin
   - repository/conf/userstores/tenants/1/user-mgt.xml - configuration for
   tenant with tenant-id: 1
   - repository/conf/userstores/tenants/2/user-mgt.xml - configuration for
   tenant with tenant-id: 2, and likewise


   1. This is similar to the structure used in deploying artifacts at
   repository/tenants/1/ for tenants, as currently existing.
   2. So we already have two folders synced with dep-sync in a product. One
   at repository/deployment/server/ and one at repository/tenants/.
   3. We are to add one more folder to be synced with dep-sync at
   repository/conf/userstores/

Correct me if I have got anything wrong. Glad to know any concerns or
thoughts.

Thanks,

Pushpalanka Jayawardhana

Software Engineer

WSO2 Lanka (pvt) Ltd
Mobile: +94779716248

On Fri, May 31, 2013 at 2:52 PM, Prabath Siriwardena wrote:

> I guess dep sync based approach will solve these...
>
> Thanks & regards,
> -Prabath
>
>
> On Fri, May 31, 2013 at 2:41 PM, Srinath Perera  wrote:
>
>> Hi All,
>>
>> Azeez and I were chatting, and following are some of the conflicting
>> requirements.
>>
>> 1. like to edit configs from file system, and via UI avoiding two copies
>> if possible (have to avoid case where we edit file, then we edit via UI
>> where we lost the file updates).
>> 2. Need a way to sync configs across the cluster
>> 3. Make the sync model clear and consistent for both configs and
>> artifacts (currently we use dep-sync only with artifacts)
>> 4. Like to sync only one folder in the product with dep-sync
>> 5. We should not do product folder structure before major release (C5?)
>>
>> We need to find the best solution out of that.
>>
>
>> --Srinath
>>
>>
>>
>> On Thu, May 30, 2013 at 9:20 PM, Senaka Fernando  wrote:
>>
>>> Hi Srinath,
>>>
>>> IMHO, relying on a dep-sync-based model sounds appropriate here. We can
>>> have several strategies for dep-sync (i.e. registry, svn, manual etc), but
>>> the server will be driven by what's on the filesystem. IMHO, that's very
>>> straightforward.
>>>
>>> And, I think we need to first of all figure out what and what's going to
>>> be sync'ed and what's not. When it comes to some configuration files it
>>> might make sense to sync portions and keep some static. In that case, do we
>>> need to split those files in two? Also, we need to focus on the "things
>>> that change across environments and things that don't" for the sever
>>> configuration as in the "CAR-based Governance Story" for ESB configurations.
>>>
>>> Also, the dep-sync's notification model should work like the
>>> hierarchical cache invalidation model that Azeez proposed, making sure that
>>> things will scale.
>>>
>>> Thanks,
>>> Senaka.
>>>
>>>
>>> On Thu, May 30, 2013 at 4:46 PM, Jeewantha Dharmaparakrama <
>>> jeewan...@wso2.com> wrote:
>>>
>>>> Hi Srinath,
>>>>
>>>> If the node which detects the change in its config file redeploys the
>>>> config in every other node explicitly, we can ensure that every node sees
>>>> the change since there will always be one node which is responsible in
>>>> informing the others. I guess that's what depsync does IINM.
>>>>
>>>> If the config is stored in a central place, every node will have to
>>>> pull the change from that place. Here if one node fails to redeploy the
>>>> change, other nodes will be unaware about it so that the system will be
>>>

Re: [Architecture] Synching Configurations across the clusters

2013-06-24 Thread Pushpalanka Jayawardhana
Pushpalanka Jayawardhana

Software Engineer

WSO2 Lanka (pvt) Ltd


On Tue, Jun 25, 2013 at 12:05 AM, Prabath Siriwardena wrote:

> +1
>
>  repository/conf/user-mgt.xml
>  repository/conf/tenants/1/user-mgt.xml - configuration for tenant with
> tenant-id: 1
>  repository/conf/tenants/2/user-mgt.xml - configuration for tenant with
> tenant-id: 2
>
> OR
>
>  repository/conf/userstores/user-mgt.xml
>  repository/conf/tenants/1/userstores/user-mgt.xml - configuration for
> tenant with tenant-id: 1
>  repository/conf/tenants/2/userstores/user-mgt.xml - configuration for
> tenant with tenant-id: 2
>

If we use the first one, then the folder to sync using dep-sync will be the
conf directory, which has many other configuration files which are not
yet required to be synced. If it is ok to sync them too, then it's fine.
The second option narrows down what is to be synced, but still has two folders
to sync, 'repository/conf/userstores/' and 'repository/conf/tenants'. (With the
fact that the default user-mgt.xml is also going to be modified and those
modifications need to be populated in the cluster too, in addition to those
of tenants.)

> Thanks & regards,
> -Prabath
>
>
> On Mon, Jun 24, 2013 at 11:55 PM, Pradeep Fernando wrote:
>
>> --Pradeep
>> sent from my phone
>>
>> On Jun 24, 2013 11:25 PM, "Pushpalanka Jayawardhana" 
>> wrote:
>> >
>> > Hi All,
>> >
>> > Following is how we are to use dep-sync to sync user store
>> configurations across clusters, with some inputs from Charitha, Prabath and
>> Pradeep.
>> > repository/conf/userstores/user-mgt.xml - configuration of super admin
>> > repository/conf/userstores/tenants/1/user-mgt.xml - configuration for
>> tenant with tenant-id: 1
>> > repository/conf/userstores/tenants/2/user-mgt.xml - configuration for
>> tenant with tenant-id: 2, and likewise
>>
>> Is it possible to have the tenant directory structure independent from
>> the user store directory. In the future there will be few config files with
>> similar requirements I believe...
>>
>> > This is similar to the structure used in deploying artifacts at
>> repository/tenants/1/ for tenants, as currently existing.
>> > So we already have two folders synced with dep-sync in a product. One
>> at repository/deployment/server/ and one at repository/tenants/.
>> > We are to add one more folder to be synced with dep-sync at
>> repository/conf/userstores/
>> >
>> > Correct me, if I have got anything wrong. Glad to know any concerns or
>> thoughts.
>> >
>> > Thanks,
>> >
>> > Pushpalanka Jayawardhana
>> >
>> > Software Engineer
>> >
>> > WSO2 Lanka (pvt) Ltd
>> >
>> >
>> > Mobile: +94779716248
>>
>> >
>> > On Fri, May 31, 2013 at 2:52 PM, Prabath Siriwardena 
>> wrote:
>> >>
>> >> I guess dep sync based approach will solve these...
>> >>
>> >> Thanks & regards,
>> >> -Prabath
>> >>
>> >>
>> >> On Fri, May 31, 2013 at 2:41 PM, Srinath Perera 
>> wrote:
>> >>>
>> >>> Hi All,
>> >>>
>> >>> Azeez and I were chatting, and following are some of the
>> conflicting requirements.
>> >>>
>> >>> 1. like to edit configs from file system, and via UI avoiding two
>> copies if possible (have to avoid case where we edit file, then we edit via
>> UI where we lost the file updates).
>> >>> 2. Need a way to sync configs across the cluster
>> >>> 3. Make the sync model clear and consistent for both configs and
>> artifacts (currently we use dep-sync only with artifacts)
>> >>> 4. Like to sync only one folder in the product with dep-sync
>> >>> 5. We should not do product folder structure before major release
>> (C5?)
>> >>>
>> >>> We need to find the best solution out of that.
>> >>>
>> >>>
>> >>> --Srinath
>> &g

Re: [Architecture] Synching Configurations across the clusters

2013-06-24 Thread Pushpalanka Jayawardhana
Pushpalanka Jayawardhana

Software Engineer

WSO2 Lanka (pvt) Ltd
Mobile: +94779716248



On Tue, Jun 25, 2013 at 12:08 AM, Pulasthi Supun  wrote:

>
>
>
> On Mon, Jun 24, 2013 at 11:55 PM, Pradeep Fernando wrote:
>
>> --Pradeep
>> sent from my phone
>>
>> On Jun 24, 2013 11:25 PM, "Pushpalanka Jayawardhana" 
>> wrote:
>> >
>> > Hi All,
>> >
>> > Following is how we are to use dep-sync to sync user store
>> configurations across clusters, with some inputs from Charitha, Prabath and
>> Pradeep.
>> > repository/conf/userstores/user-mgt.xml - configuration of super admin
>> > repository/conf/userstores/tenants/1/user-mgt.xml - configuration for
>> tenant with tenant-id: 1
>> > repository/conf/userstores/tenants/2/user-mgt.xml - configuration for
>> tenant with tenant-id: 2, and likewise
>>
>> Is it possible to have the tenant directory structure independent from
>> the user store directory. In the future there will be few config files with
>> similar requirements I believe...
>>
+1. If we move forward with option 1, suggested by Prabath, then there
is no userstores directory. So this will be resolved.
 repository/conf/user-mgt.xml
 repository/conf/tenants/1/user-mgt.xml - configuration for tenant with
tenant-id: 1
 repository/conf/tenants/2/user-mgt.xml - configuration for tenant with
tenant-id: 2

Just, is it ok to sync everything inside repository/conf?

> This also came to my mind. Can we have some structure like the following:
>  repository/tenants/1/conf/userstores/user-mgt.xml This way, whenever we
> want to add another config file that needs to be synced, we can just add it
> under "repository/tenants/1/conf/". Otherwise we will have tenant
> information here and there.
>
Yes. We have to select whether we keep configuration files in one
place or tenant specific files in one place.
I think having a tenant's configurations in one place will be better. If all
tenant configurations (that are allowed to be modified by the tenant admin)
are in one folder, permission needs to be given only to that folder, if the
tenant admin wishes to change any.


>
>
>> > This is similar to the structure used in deploying artifacts at
>> repository/tenants/1/ for tenants, as currently existing.
>> > So we already have two folders synced with dep-sync in a product. One
>> at repository/deployment/server/ and one at repository/tenants/.
>> > We are to add one more folder to be synced with dep-sync at
>> repository/conf/userstores/
>> >
>> > Correct me, if I have got anything wrong. Glad to know any concerns or
>> thoughts.
>> >
>> > Thanks,
>> >
>> > Pushpalanka Jayawardhana
>> >
>> > Software Engineer
>> >
>> > WSO2 Lanka (pvt) Ltd
>> >
>> >
>> > Mobile: +94779716248
>>
>> >
>> > On Fri, May 31, 2013 at 2:52 PM, Prabath Siriwardena 
>> wrote:
>> >>
>> >> I guess dep sync based approach will solve these...
>> >>
>> >> Thanks & regards,
>> >> -Prabath
>> >>
>> >>
>> >> On Fri, May 31, 2013 at 2:41 PM, Srinath Perera 
>> wrote:
>> >>>
>> >>> Hi All,
>> >>>
>> >>> Azeez and I were chatting, and the following are some of the
>> conflicting requirements.
>> >>>
>> >>> 1. We would like to edit configs from the file system and via the UI,
>> avoiding two copies if possible (we have to avoid the case where we edit the
>> file, then edit via the UI, and lose the file updates).
>> >>> 2. Need a way to sync configs across the cluster.
>> >>> 3. Make the sync model clear and consistent for both configs and
>> artifacts (currently we use dep-sync only with artifacts).
>> >>&g

Re: [Architecture] Syncing Configurations across the clusters

2013-06-25 Thread Pushpalanka Jayawardhana
Thanks all for the ideas.
Will be moving forward with option 2.

repository/conf/userstores/user-mgt.xml
repository/conf/tenants/1/userstores/user-mgt.xml - configuration for
tenant with tenant-id: 1
repository/conf/tenants/2/userstores/user-mgt.xml - configuration for
tenant with tenant-id: 2

So a product will have 2 locations inside repository/conf to be synced
with dep-sync:

   - repository/conf/userstores ('userstores' just to avoid syncing all
   content in the conf directory) and
   - repository/conf/tenants

Thanks,

Pushpalanka Jayawardhana

Software Engineer

WSO2 Lanka (pvt) Ltd
Mobile: +94779716248



On Tue, Jun 25, 2013 at 11:46 AM, Dhanuka Ranasinghe wrote:

> Hi,
>
> I am not very familiar with the Carbon architecture, but I have a few
> thoughts on achieving the above requirements.
>
> 1. Have a highly available singleton (HA) service (through MBeans), and
> make sure it is active only in the master node.
> 2. When the master node goes down, one of the other members in the cluster
> becomes the master node and its HA service will be activated.
> 3. All the configurations are done and read through that HA service; by
> doing this, whether it is a UI or local file system change, it will be
> synced every time with every member.
>
>
> Cheers,
> Dhanuka
>
> *Dhanuka Ranasinghe*
>
> Senior Software Engineer
> WSO2 Inc. ; http://wso2.com
> lean . enterprise . middleware
>
> phone : +94 715381915
>
>
> On Fri, May 31, 2013 at 2:41 PM, Srinath Perera  wrote:
>
>> Hi All,
>>
>> Azeez and I were chatting, and the following are some of the conflicting
>> requirements.
>>
>> 1. We would like to edit configs from the file system and via the UI,
>> avoiding two copies if possible (we have to avoid the case where we edit
>> the file, then edit via the UI, and lose the file updates).
>> 2. Need a way to sync configs across the cluster.
>> 3. Make the sync model clear and consistent for both configs and
>> artifacts (currently we use dep-sync only with artifacts).
>> 4. We would like to sync only one folder in the product with dep-sync.
>>
> ^ This will not be achieved with this option.

>  5. We should not do the product folder structure before a major release (C5?)
>>
>> We need to find the best solution out of that.
>>
>> --Srinath
>>
>>
>>
>> On Thu, May 30, 2013 at 9:20 PM, Senaka Fernando  wrote:
>>
>>> Hi Srinath,
>>>
>>> IMHO, relying on a dep-sync-based model sounds appropriate here. We can
>>> have several strategies for dep-sync (i.e. registry, svn, manual etc.), but
>>> the server will be driven by what's on the filesystem. IMHO, that's very
>>> straightforward.
>>>
>>> And, I think we need to first of all figure out what is going to
>>> be synced and what's not. When it comes to some configuration files it
>>> might make sense to sync portions and keep some static. In that case, do we
>>> need to split those files in two? Also, we need to focus on the "things
>>> that change across environments and things that don't" for the server
>>> configuration, as in the "CAR-based Governance Story" for ESB configurations.
>>>
>>> Also, the dep-sync's notification model should work like the
>>> hierarchical cache invalidation model that Azeez proposed, making sure that
>>> things will scale.
>>>
>>> Thanks,
>>> Senaka.
>>>
>>>
>>> On Thu, May 30, 2013 at 4:46 PM, Jeewantha Dharmaparakrama <
>>> jeewan...@wso2.com> wrote:
>>>
>>>> Hi Srinath,
>>>>
>>>> If the node which detects the change in its config file redeploys the
>>>> config in every other node explicitly, we can ensure that every node sees
>>>> the change since there will always be one node which is resp

Re: [Architecture] Syncing Configurations across the clusters

2013-06-25 Thread Pushpalanka Jayawardhana
Pushpalanka Jayawardhana

Software Engineer

WSO2 Lanka (pvt) Ltd
Mobile: +94779716248

On Tue, Jun 25, 2013 at 4:00 PM, Amila Suriarachchi  wrote:

>
>
>
> On Tue, Jun 25, 2013 at 3:05 PM, Pushpalanka Jayawardhana 
> wrote:
>
>> Thanks all for the ideas.
>> Will be moving forward with option 2.
>>
>> repository/conf/userstores/user-mgt.xml
>> repository/conf/tenants/1/userstores/user-mgt.xml - configuration for
>> tenant with tenant-id: 1
>> repository/conf/tenants/2/userstores/user-mgt.xml - configuration for
>> tenant with tenant-id: 2
>>
>
> Technically speaking, this is not correct. user-mgt.xml is used to
> configure the UserRealm, not only the userstore. So it should be usermanager.
>

> But in this case what we want is to dep-sync only the userstores, so my
> suggestion is to put them under a userstores folder with the store name.
>
> eg. repository/deployment/server/userstores/userstore1.xml
> repository/deployment/server/userstores/userstore2.xml
>
> For example, if we change one userstore there is no reason to dep-sync
> all of user-mgt.xml and re-initialise all user stores.
>
As I have understood, we will still have to re-initialise all user stores,
unless we are adding or deleting a secondary user store at the very end of
the chain. This is because the order of the secondary user stores matters,
and at deletion or insertion we need to update with the new order. Correct
me if I am wrong.

>
> thanks,
> Amila.
>

Re: [Architecture] Apple push strategy

2013-08-04 Thread Pushpalanka Jayawardhana
Hi,

In the APNS connector the notnoop java-apns jar is packed into the connector
zip and uploaded [1].
It can be used once the proper security certificates are given to connect
to the APNS server at configuration (explained in the docs [2]).

At the moment this is not created as an orbit. We can work on making the
apns.jar an orbit bundle.

[1] - 
https://svn.wso2.com/wso2/repo/intern/ipass-cloud-connectors/applepush/new_class_mediator/

[2] -
https://svn.wso2.com/wso2/repo/intern/ipass-cloud-connectors/applepush/Documents/

Thanks,

Pushpalanka Jayawardhana

Software Engineer

WSO2 Lanka (pvt) Ltd
Mobile: +94779716248



On Sat, Aug 3, 2013 at 10:37 PM, Dilshan Edirisuriya wrote:

> Hi,
>
> We will be using notnoop [1] for Apple push notifications in MDM. This has
> been discussed in a separate thread (related to the ESB cloud connector) and
> the license was approved for use as well. Not sure whether this has been
> implemented at the moment. Is there any way we can make use of this (if this
> has been created as an orbit), or can't we create a generic module for this to
> be used by anyone? Right now our plan is to embed this inside the MDM Jaggery
> app as an external jar.
>
>
> [1] - https://github.com/notnoop/java-apns
>
> Regards,
>
> Dilshan
>
___
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture


[Architecture] Issue at tenant user login in cluster mode - Multiple user stores active

2013-09-26 Thread Pushpalanka Jayawardhana
Hi,

This is with regard to the issue [1], which is a known issue in IS 4.5.0.

The issue was reproduced with the following steps.
Set up a cluster with two IS nodes (Depsync enabled).
Create a tenant (wso2.com).
Wait till the tenant is unloaded in the worker node.
Add a secondary user store in the master node.
Add a user (user1) to the secondary user store in the master node.
Try to log in from the master node; it allows.
Try to log in as this user (us...@wso2.com) in the worker node; it fails.
Log in as the tenant admin and then try to log in as the user; it allows.


So as the tenant is unloaded in the worker node, it does not check out the
added user store configuration from the SVN repo, hence users in that user
store cannot log in at the worker node.

The following log can be seen in the worker node:
{org.wso2.carbon.core.deployment.SynchronizeRepositoryRequest} -  Received
[SynchronizeRepositoryRequest{tenantId=3, tenantDomain='win.com',
messageId=203837d4-576b-4929-a0a1-e5efccf15b01}
 INFO {org.wso2.carbon.core.deployment.SynchronizeRepositoryRequest} -
Tenant is not loaded.

Is there a possibility to load the tenant at this cluster message receipt
(if we can check whether it is to sync user stores, to avoid loading the tenant
at each receipt of a cluster message), so that user stores will be checked
out at a fair cost?

It would be great to know any better ways to handle this, and to hear your ideas.


[1] - https://wso2.org/jira/browse/IDENTITY-1824

Thanks,

Pushpalanka Jayawardhana

Software Engineer

WSO2 Lanka (pvt) Ltd
Mobile: +94779716248


Re: [Architecture] Issue at tenant user login in cluster mode - Multiple user stores active

2013-09-26 Thread Pushpalanka Jayawardhana
Thanks,

Pushpalanka Jayawardhana

Software Engineer

WSO2 Lanka (pvt) Ltd
Mobile: +94779716248


On Thu, Sep 26, 2013 at 5:26 PM, Prabath Siriwardena wrote:

> +1 for that.. The only downside - the tenant is loaded not on demand..
>
> Another approach is..
>
> Currently the tenant is loaded by looking at the URL.. say, for example,
> if the URL says /t/wso2.com, this will make wso2.com be loaded if
> it is not loaded already.
>
> The issue with authentication is that we do not know the tenant of the user
> from the URL.
>
> But the client (say the UI which accepts user credentials) knows the tenant of
> the user by the user name (but the backend cannot derive it, as the user
> name comes in different places in different scenarios)..
>
> So what the client can do is, in authentication calls, send the tenant
> domain of the user in an HTTP header, say tenat_domain.
>
> Now the interceptor will look into the URL (in most cases) and if
> no tenant info is there, will look into the tenat_domain HTTP header and
> load the corresponding tenant..
>
>

Thanks a lot for the ideas..
Won't it be too late to load the tenant at this moment? As the changes need to
be checked out from the repo for authentication to be successful, are we
to hold the decision using some mechanism till the checkout completes?

>
> Thanks & regards,
> -Prabath
>
>
> On Thu, Sep 26, 2013 at 5:10 PM, Afkham Azeez  wrote:
>
>> Hmm... very interesting problem :)
>>
>> What we could do is this...
>>
>> We can implement a LoadTenant Cluster message. When that is received, all
>> nodes would load the tenants. We can get depsync to follow. That way, every
>> node will properly load the new user stores. IS can send this message.
>>
>> Azeez
>>

Re: [Architecture] Issue at tenant user login in cluster mode - Multiple user stores active

2013-09-26 Thread Pushpalanka Jayawardhana
Thanks,

Pushpalanka Jayawardhana

Software Engineer

WSO2 Lanka (pvt) Ltd
Mobile: +94779716248


On Thu, Sep 26, 2013 at 10:08 PM, Prabath Siriwardena wrote:

>
>
>>
>> Won't it be too late to load the tenant at this moment? As the changes need
>> to be checked out from the repo for authentication to be successful, are
>> we to hold the decision using some mechanism till the checkout completes?
>>
>
>
> This is the same behavior you see when you log in to the management console
> now. The user is authenticated and redirected to its tenant /t/wso2.com - now
> the tenant will be loaded...
>
What I thought was, at tenant loading what it does is build the user
store manager chain from the config files that are already there in the
relevant 'userstores' folder. Depsync will happen after this step, so
the new file is still not checked out.
Please correct me if I'm wrong.


>
> Thanks & regards,
> -Prabath
>
>
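The worker-node behaviour this thread goes back and forth on, as an added example (not WSO2 code) written against an in-memory stand-in for the SVN repository: it replays the reported steps under the current behaviour, Azeez's load-at-receipt idea, and Prabath's URL/header tenant resolution with and without a sync before the user-store chain is built. The `Repo` and `WorkerNode` classes, the file-name-as-store convention and the `reproduce` helper are assumptions; the header name is the one spelt in Prabath's mail.

```python
import re
from dataclasses import dataclass, field

# Added example, not WSO2 code: an in-memory model of the worker-node
# behaviour discussed in this thread. Repo stands in for the SVN repository,
# user stores are identified by their config file names, and the header name
# is the one from Prabath's mail; all of these are assumptions.

TENANT_PATH = re.compile(r"^/t/([A-Za-z0-9.-]+)(?:/|$)")
DOMAIN = re.compile(r"^[a-z0-9](?:[a-z0-9.-]{0,251}[a-z0-9])?$")
TENANT_HEADER = "tenat_domain"


@dataclass
class Repo:
    """Shared repository that dep-sync checks out from (constructed)."""
    files: dict = field(default_factory=dict)  # tenant -> {file: content}

    def commit(self, tenant, name, content):
        self.files.setdefault(tenant, {})[name] = content


@dataclass
class WorkerNode:
    repo: Repo
    known_tenants: set
    checkout: dict = field(default_factory=dict)  # local copy per tenant
    chain: dict = field(default_factory=dict)     # tenant -> user-store chain
    log: list = field(default_factory=list)

    def depsync(self, tenant):
        """Check out the tenant's user-store configs from the repo."""
        self.checkout[tenant] = dict(self.repo.files.get(tenant, {}))

    def load_tenant(self, tenant):
        """Build the user-store-manager chain from the files already checked
        out; the order of secondary stores matters, so it is rebuilt whole."""
        self.chain[tenant] = sorted(self.checkout.get(tenant, {}))

    def on_sync_request(self, tenant, load_if_unloaded=False):
        """SynchronizeRepositoryRequest handler. Without load_if_unloaded an
        unloaded tenant's request is dropped, giving the log line in the
        thread; with it the node loads the tenant at receipt (Azeez's idea)."""
        if tenant not in self.chain and not load_if_unloaded:
            self.log.append("Tenant is not loaded.")
            return
        self.depsync(tenant)      # sync first ...
        self.load_tenant(tenant)  # ... then rebuild the chain from fresh files

    def resolve_tenant(self, path, headers):
        """Prabath's proposal: /t/<domain> from the URL first, then the
        header. Only well-formed names of tenants that exist are accepted, so
        a client-chosen header cannot make the node load arbitrary names."""
        m = TENANT_PATH.match(path)
        domain = (m.group(1) if m else headers.get(TENANT_HEADER, "")).lower()
        if DOMAIN.match(domain) and domain in self.known_tenants:
            return domain
        return None

    def authenticate(self, path, headers, store, sync_before_load=False):
        """True if the store is in the tenant's chain, loading the tenant on
        demand. sync_before_load addresses Pushpalanka's concern: a load from
        stale files leaves the newly added store out of the chain."""
        tenant = self.resolve_tenant(path, headers)
        if tenant is None:
            return False
        if tenant not in self.chain:
            if sync_before_load:
                self.depsync(tenant)
            self.load_tenant(tenant)
        return store in self.chain[tenant]


def reproduce(strategy):
    """Replay the reported steps: tenant unloaded on the worker, master adds a
    secondary store, a user from that store logs in. Returns (ok, worker_log)."""
    repo = Repo()
    repo.commit("wso2.com", "user-mgt.xml", "<primary/>")    # constructed
    worker = WorkerNode(repo, known_tenants={"wso2.com"})
    worker.depsync("wso2.com")  # worker synced once, then unloaded the tenant
    repo.commit("wso2.com", "store1.xml", "<secondary/>")   # master adds it
    by_url, by_header = "/t/wso2.com/login", {TENANT_HEADER: "wso2.com"}
    if strategy == "current":          # request dropped, stale load at login
        worker.on_sync_request("wso2.com")
        ok = worker.authenticate(by_url, {}, "store1.xml")
    elif strategy == "load_on_sync":   # load at receipt, sync follows
        worker.on_sync_request("wso2.com", load_if_unloaded=True)
        ok = worker.authenticate(by_url, {}, "store1.xml")
    elif strategy == "header_stale":   # header-driven load, no sync first
        worker.on_sync_request("wso2.com")
        ok = worker.authenticate("/services/login", by_header, "store1.xml")
    elif strategy == "header_synced":  # header-driven load after a sync
        worker.on_sync_request("wso2.com")
        ok = worker.authenticate("/services/login", by_header, "store1.xml",
                                 sync_before_load=True)
    else:
        raise ValueError(strategy)
    return ok, worker.log
```

Only the two orderings that check out before building the chain let user1 log in at the worker, which is the ordering question raised above.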

Re: [Architecture] [Identity Server] Applications

2013-11-10 Thread Pushpalanka Jayawardhana
Hi,

Pushpalanka Jayawardhana

Software Engineer

WSO2 Lanka (pvt) Ltd
Mobile: +94779716248


On Mon, Nov 11, 2013 at 12:43 PM, Venura Kahawala  wrote:

> Hi Johann,
>
>
> On Mon, Nov 11, 2013 at 12:15 PM, Johann Nallathamby wrote:
>
>> Hi Venura,
>>
>>
>> On Mon, Nov 11, 2013 at 10:46 AM, Venura Kahawala wrote:
>>
>>> Hi,
>>>
>>> Is this a continuation of what we discussed during the custom
>>> permissions feature code review?
>>>
>>> Please see the comments inline...
>>>
>>>
>>> On Mon, Nov 11, 2013 at 9:58 AM, Prabath Siriwardena 
>>> wrote:
>>>
>>>> Hi Johann,
>>>>
>>>> Please find comment inline...
>>>>
>>>> On Mon, Nov 11, 2013 at 9:35 AM, Johann Nallathamby wrote:
>>>>
>>>>> Hi Prabath,
>>>>>
>>>>> +1 for the concept. Some concerns and thoughts inline.. bear with me
>>>>> for my lengthy verbose arguments..
>>>>>
>>>>>
>>>>> On Mon, Nov 11, 2013 at 3:12 AM, Prabath Siriwardena >>>> > wrote:
>>>>>
>>>>>> 1. What is an Application in the context of Identity Server?
>>>>>>
>>>>>> It's a consumer of identity attributes, roles (and groups),
>>>>>> authentication methods/policies and authorization policies. In practice,
>>>>>> this could be a web application, a mobile application, or even a desktop
>>>>>> application.
>>>>>>
>>>>>> *- Identity attributes*
>>>>>>
>>>>>> A given user can be allowed to maintain his own set of attributes
>>>>>> against different registered Applications. (multiple profiles)
>>>>>>
>>>>>
>>>>> This should be a separate thread of discussion, but just so that we
>>>>> are on the same page here, for this we need to have multiple profiles
>>>>> working with all types of user stores. Currently it works only with JDBC.
>>>>> As I understand, there are problems with representing multiple values for
>>>>> attributes in a standard manner in all kinds of LDAPs. Am I right? I guess
>>>>> we need to figure out a way of supporting this.
>>>>>
>>>>
>>>> Yes. The underlying user store should support this. We can support by
>>>> default for both LDAP and JDBC.
>>>>
>>>>
>>>>>
>>>>>
>>>>>>
>>>>>> *- Permission / Roles*
>>>>>>
>>>>>> A given Application can maintain its own set of permissions with the
>>>>>> Identity Server. That is, a given application can maintain its own set of
>>>>>> resources and actions. For IS - Carbon is just another application - and
>>>>>> its permissions / roles will be maintained as it is today.
>>>>>>
>>>>>
>>>>> Applications can create their own permissions of course, but do we
>>>>> allow them to define their own roles as well, or do they select roles from
>>>>> existing roles of the tenant and assign permissions to them?
>>>>>
>>>>
>>>> Yes. Applications should be allowed to define their own roles, those
>>>> outside the permission model of Carbon.
>>>>
>>>
>>>  +1 for this. This has to be done since, if roles are not restricted to
>>> applications, an unintended user might get access to an application.
>>>
>>
>> My notion is that:
>>
>> An application (developer) can restrict access to his/her application
>> based on
>> - user stores
>> - trusted IdPs
>> - roles
>> - users (if this is possible then unwanted users cannot get access to the
>> application)
>>
>
> I'm not clear on this approach. What you are telling here is, if I
> (developer) select a role for my a

Re: [Architecture] Are we missing a common EmailSenderService

2014-01-20 Thread Pushpalanka Jayawardhana
Hi,

+1.
I also recently had a look at this component to find possibilities to send
HTML-formatted emails.

If we can have a separate email sending service, it would be better if we
add this support as well.
This was easily achievable with the Apache Commons
Email<http://commons.apache.org/proper/commons-email/userguide.html> library,
keeping the freedom to send alternate plain/text as well.

Thanks,

Pushpalanka Jayawardhana

Software Engineer

WSO2 Lanka (pvt) Ltd


On Tue, Jan 21, 2014 at 1:07 PM, Ashansa Perera  wrote:

> Do we have a *service* which can be used to send emails?
> I found an email sender component under components/stratos. But it is still
> specific to Stratos.
> Wouldn't it be useful to have a common email sending service where you can
> give the configuration file as a parameter?
>
> We in AppFactory wanted a similar service and we have created one [1].
> But I feel a common email sending service would be useful platform-wide.
> WDYT?
>
> [1]
> https://svn.wso2.org/repos/wso2/scratch/appfactorycc/components/appfac/org.wso2.carbon.appfactory.utilities/1.1.0/src/main/java/org/wso2/carbon/appfactory/utilities/services/EmailSenderService.java
> --
> Thanks & Regards,
>
> Ashansa Perera
> Software Engineer
> WSO2, Inc
>
>
>




Re: [Architecture] [Dev] [VOTE] Release WSO2 Identity Server 5.5.0 RC1

2018-03-14 Thread Pushpalanka Jayawardhana
;> Dilini
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Wed, Mar 14, 2018 at 5:23 PM, Farasath Ahamed >>>>>> > wrote:
>>>>>>>
>>>>>>>>
>>>>>>>> Tested the below scenario on the IS 5.5.0-RC1 pack with an MSSQL database:
>>>>>>>>
>>>>>>>>- Created an OAuth app using the Dynamic Client Registration endpoint
>>>>>>>>- Configured mandatory claims for the service provider
>>>>>>>>- Tested the OIDC Implicit flow with user consent management enabled
>>>>>>>>- Verified that the user claims sent in the id_token are
>>>>>>>>filtered based on user consent.
>>>>>>>>
>>>>>>>> +1 to go ahead and release
>>>>>>>>
>>>>>>>>
>>>>>>>> On Wed, Mar 14, 2018 at 11:16 AM, Sathya Bandara 
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>> Hi all,
>>>>>>>>>
>>>>>>>>> We are pleased to announce the first release candidate of WSO2
>>>>>>>>> Identity Server 5.5.0.
>>>>>>>>>
>>>>>>>>> This is the first release candidate (RC) of the WSO2 Identity
>>>>>>>>> Server 5.5.0 release.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> This release fixes the following issues:
>>>>>>>>>
>>>>>>>>>- 5.5.0-RC1 fixes <https://github.com/wso2/product-is/issues?q=is%3Aclosed+milestone%3A5.5.0-RC1>
>>>>>>>>>- 5.5.0-Beta fixes <https://github.com/wso2/product-is/issues?q=is%3Aclosed+milestone%3A5.5.0-beta>
>>>>>>>>>- 5.5.0-Alpha3 fixes <https://github.com/wso2/product-is/issues?q=is%3Aclosed+milestone%3A5.5.0-alpha3>
>>>>>>>>>- 5.5.0-Alpha2 fixes <https://github.com/wso2/product-is/issues?q=is%3Aclosed+milestone%3A5.5.0-alpha2>
>>>>>>>>>- 5.5.0-Alpha fixes <https://github.com/wso2/product-is/issues?q=is%3Aclosed+milestone%3A5.5.0-alpha>
>>>>>>>>>- 5.5.0-M4 fixes <https://github.com/wso2/product-is/issues?q=is%3Aclosed+milestone%3A5.5.0-M4>
>>>>>>>>>- 5.5.0-M3 fixes <https://github.com/wso2/product-is/issues?q=is%3Aclosed+milestone%3A5.5.0-M3>
>>>>>>>>>- 5.5.0-M2 fixes <https://github.com/wso2/product-is/issues?q=is%3Aclosed+milestone%3A5.5.0-M2>
>>>>>>>>>- 5.5.0-M1 fixes <https://github.com/wso2/product-is/issues?q=is%3Aclosed+milestone%3A5.5.0-M1>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Source and distribution
>>>>>>>>>
>>>>>>>>> Runtime - https://github.com/wso2/product-is/releases/tag/v5.5.0-rc1
>>>>>>>>> Analytics - https://github.com/wso2/analytics-is/releases/tag/v5.5.0-rc1
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Please download, test the product and vote.
>>>>>>>>>
>>>>>>>>> [+] Stable - go ahead and release
>>>>>>>>> [-] Broken - do not release (explain why)
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>> - WSO2 Identity and Access Management Team -
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Sathya Bandara
>>>>>>>>> Software Engineer
>>>>>>>>> WSO2 Inc. http://wso2.com
>>>>>>>>> Mobile: (+94) 715 360 421
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> Farasath Ahamed
>>>>>>>> Senior Software Engineer, WSO2 Inc.; http://wso2.com
>>>>>>>> Mobile: +94777603866
>>>>>>>> Blog: blog.farazath.com
>>>>>>>> Twitter: @farazath619 <https://twitter.com/farazath619>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> ___
>>>>>>>> Architecture mailing list
>>>>>>>> Architecture@wso2.org
>>>>>>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>>
>>>>>>> *Dilini Gunatilake*
>>>>>>> Software Engineer - QA Team
>>>>>>> Mobile : +94771162518
>>>>>>> dili...@wso2.com
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Regards,
>>>>>>
>>>>>>
>>>>>> *Darshana Gunawardana*, Technical Lead
>>>>>> WSO2 Inc.; http://wso2.com
>>>>>>
>>>>>> *E-mail: darsh...@wso2.com*
>>>>>> *Mobile: +94718566859*
>>>>>> Lean . Enterprise . Middleware
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Nilasini Thirunavukkarasu
>>>>> Software Engineer - WSO2
>>>>>
>>>>> Email : nilas...@wso2.com
>>>>> Mobile : +94775241823
>>>>> Web : http://wso2.com/
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Sathya Bandara
>>>> Software Engineer
>>>> WSO2 Inc. http://wso2.com
>>>> Mobile: (+94) 715 360 421
>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> Sagara Gunathunga
>>>
>>> Director; WSO2, Inc.;  http://wso2.com
>>> Linkedin; http://www.linkedin.com/in/ssagara
>>> Blog ;  http://ssagara.blogspot.com
>>> Mobile : +94712149951
>>>
>>>
>>
>
>
> --
> Sagara Gunathunga
>
> Director; WSO2, Inc.;  http://wso2.com
> Linkedin; http://www.linkedin.com/in/ssagara
> Blog ;  http://ssagara.blogspot.com
> Mobile : +94712149951
>
>
>
>

Thanks,
-- 
Pushpalanka.
-- 
Pushpalanka Jayawardhana, B.Sc.Eng.(Hons).
Senior Software Engineer, WSO2 Lanka (pvt) Ltd;  wso2.com/
Mobile: +94779716248
Blog: pushpalankajaya.blogspot.com/ | LinkedIn: lk.linkedin.com/in/pushpalanka/ | Twitter: @pushpalanka
___
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture


Re: [Architecture] [Dev] [VOTE] Release WSO2 Identity Server 5.5.0 RC1

2018-03-14 Thread Pushpalanka Jayawardhana
On Wed, Mar 14, 2018 at 10:09 PM, Pushpalanka Jayawardhana 
wrote:

> Hi All,
>
> Tested OIDC hybrid flow with "code idtoken" response type. This is
> breaking with an "Invalid response type" error message.
> Could do a bit of debugging and it seems that at [1], it is failing to
> identify the existing key for the "code idtoken" type.
>
> In the HashTable returned by the
> OAuthServerConfiguration.getInstance().getSupportedResponseTypeValidators()
> execution, the "code idtoken" key has the hashCode '-1819461976' while the
> input key 'code idtoken' produces the hashCode '-732188021'. In plain
> Java code, if we generate the hashCode for 'code idtoken' it also generates
> this. This results in not identifying the sent response type properly.
> Appreciate if this can be further investigated.
>
> [1] - https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/5.6.x/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/model/CarbonOAuthAuthzRequest.java#L49
>

Please ignore this, just realised it should be id_token. Sorry for the
noise.

>
> ​
>
> On Wed, Mar 14, 2018 at 7:52 PM, Sagara Gunathunga 
> wrote:
>
>>
>>
>> On Wed, Mar 14, 2018 at 7:46 PM, Jayanga Kaushalya 
>> wrote:
>>
>>> Hi Sagara,
>>>
>>> Yes, I have also suggested that other teams follow the IS convention in
>>> [1]. The APIM team told me offline that they have already changed. Hope
>>> others will do the same.
>>>
>>
>> Great.
>>
>> Thanks !
>>
>>>
>>> [1] [GDPR] Anonymization Tool default configurations/references are
>>> differed over the Products
>>>
>>> Thanks!
>>>
>>> *Jayanga Kaushalya*
>>> Senior Software Engineer
>>> Mobile: +94777860160
>>> WSO2 Inc. | http://wso2.com
>>> lean.enterprise.middleware
>>>
>>>
>>>
>>> On Wed, Mar 14, 2018 at 7:37 PM, Sagara Gunathunga 
>>> wrote:
>>>
>>>>
>>>>
>>>> On Wed, Mar 14, 2018 at 7:27 PM, Sathya Bandara 
>>>> wrote:
>>>>
>>>>> Hi all,
>>>>>
>>>>> We are calling off this vote as we have found an issue,
>>>>>
>>>>>- for the user-mgt UI component in the EI product
>>>>>- in a Windows environment
>>>>>
>>>>> Since we want to align the same component versions among EI & IS, we will
>>>>> fix this and update the versions in IS as well. Additionally we will fix the
>>>>> issue in README.txt along with this.
>>>>>
>>>> Ruwan/Jayanga, shall we also look into the suggestion made by Lanka in
>>>> the "GDPR compliance for WSO2 products" thread ?
>>>>
>>>> Thanks !
>>>>
>>>>> We will do a RC2 and call for a vote soon.
>>>>>
>>>>> [1] https://github.com/wso2/product-ei/issues/2004
>>>>>
>>>>> On Wed, Mar 14, 2018 at 6:29 PM, Nilasini Thirunavukkarasu <
>>>>> nilas...@wso2.com> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I have tested the following flows in mysql.
>>>>>>
>>>>>>- User management, role management (Primary + Secondary user
>>>>>>store)
>>>>>>- OIDC flow (password grant, authorization code)(Primary +
>>>>>>Secondary user store)
>>>>>>- consent management with SAML SSO for primary and secondary
>>>>>>users.
>>>>>>- SAML assertion encryption and response signing.
>>>>>>
>>>>>>
>>>>>> I have tested the following flow with h2
>>>>>>
>>>>>>- federated scenario with two IS
>>>>>>
>>>>>> +1 to go ahead and release
>>>>>>
>>>>>>
>>>>>> Thanks,
>>>>>> Nila.
>>>>>>
>>>>>>
>>>>>> On Wed, Mar 14, 2018 at 6:15 PM, Darshana Gunawardana <
>>>>>> darsh...@wso2.com> wrote:
>>>>>>
>>>>>>> Hi Dilini,
>>>>>>>
>>>>>>> We will fix this if we note any blocker for the RC1 release. If not,
>>>>>>> let's continue on the vote considering this is a known is

Re: [Architecture] [Dev] [VOTE] Release WSO2 Identity Server 5.5.0 RC1

2018-03-14 Thread Pushpalanka Jayawardhana
Hi,

On Wed, Mar 14, 2018 at 10:14 PM, Pushpalanka Jayawardhana 
wrote:

>
>
> On Wed, Mar 14, 2018 at 10:09 PM, Pushpalanka Jayawardhana
> wrote:
>
>> Hi All,
>>
>> Tested OIDC hybrid flow with "code idtoken" response type. This is
>> breaking with an "Invalid response type" error message.
>> Could do a bit of debugging and it seems that at [1], it is failing to
>> identify the existing key for the "code idtoken" type.
>>
>> In the HashTable returned by the
>> OAuthServerConfiguration.getInstance().getSupportedResponseTypeValidators()
>> execution, the "code idtoken" key has the hashCode '-1819461976' while the
>> input key 'code idtoken' produces the hashCode '-732188021'. In plain
>> Java code, if we generate the hashCode for 'code idtoken' it also generates
>> this. This results in not identifying the sent response type properly.
>> Appreciate if this can be further investigated.
>>
>> [1] - https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/5.6.x/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/model/CarbonOAuthAuthzRequest.java#L49
>>
>
> Please ignore this, just realised it should be id_token. Sorry for the
> noise.
>
Even with this fix the flow is failing with the below error:

java.lang.NullPointerException
org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.getIdTokenFromRedirectURL(OAuth2AuthzEndpoint.java:2321)
org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.storeSidClaim(OAuth2AuthzEndpoint.java:2225)
org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.manageOIDCSessionState(OAuth2AuthzEndpoint.java:2050)
org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.handleSuccessfulAuthentication(OAuth2AuthzEndpoint.java:607)
org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.handleAuthenticationResponse(OAuth2AuthzEndpoint.java:574)
org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.authorize(OAuth2AuthzEndpoint.java:199)
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
java.lang.reflect.Method.invoke(Method.java:498)
org.apache.cxf.service.invoker.AbstractInvoker.performInvocation(AbstractInvoker.java:188)
org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:104)
org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:204)
org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:101)
org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:58)
org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:94)
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:249)
org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:248)
org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:222)
org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:153)
org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:171)
org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:289)
org.apache.cxf.transport.servlet.AbstractHTTPServlet.doGet(AbstractHTTPServlet.java:214)
javax.servlet.http.HttpServlet.service(HttpServlet.java:624)
org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:265)
org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
org.wso2.carbon.webapp.mgt.filter.AuthorizationHeaderFilter.doFilter(AuthorizationHeaderFilter.java:85)
org.wso2.carbon.ui.filters.cache.ContentTypeBasedCachePreventionFilter.doFilter(ContentTypeBasedCachePreventionFilter.java:53)
org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilter(HttpHeaderSecurityFilter.java:124)


This happens only when the user login is performed in the flow. If the
authorization request is sent in a browser where the user is already logged in,
the issue does not occur and the flow works fine.

>
>> ​
>>
>> On Wed, Mar 14, 2018 at 7:52 PM, Sagara Gunathunga 
>> wrote:
>>
>>>
>>>
>>> On Wed,
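The two problems reported in this thread, the "Invalid response type" rejection of a mistyped hybrid-flow response_type and the NullPointerException in getIdTokenFromRedirectURL when no id_token is present, come down to two checks an authorization endpoint should make explicitly. The following is an added example written for this page, not code from WSO2 Identity Server: it canonicalises a response_type before looking it up (so "id_token code" and "code id_token" hit the same validator and "code idtoken" fails with a clear error instead of a silent map miss), and it pulls the id_token out of a redirect URL's fragment returning None when it is absent rather than dereferencing it. The SUPPORTED_RESPONSE_TYPES set and the sample redirect URLs are assumptions constructed for the example.

```python
"""OIDC response_type validation and hybrid-flow id_token extraction.

Constructed example; not WSO2 code. The set of supported response types
below is an assumption standing in for whatever a real server registers.
"""
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Canonical order of the individual tokens. Multiple response types are
# order-insensitive, so "id_token code" and "code id_token" must resolve
# to the same validator entry.
_TOKEN_ORDER = ("code", "id_token", "token")

# Response types this (hypothetical) server has a validator for, stored in
# canonical form so lookups never depend on the client's spelling or order.
SUPPORTED_RESPONSE_TYPES = {
    "code",
    "token",
    "id_token",
    "code id_token",
    "code token",
    "id_token token",
    "code id_token token",
}


def canonical_response_type(value: str) -> Optional[str]:
    """Return the canonical spelling of a response_type, or None if any
    token is unknown or duplicated ("code idtoken", "code code")."""
    parts = value.split()
    if not parts or len(set(parts)) != len(parts):
        return None
    if any(p not in _TOKEN_ORDER for p in parts):
        return None
    return " ".join(p for p in _TOKEN_ORDER if p in parts)


def validate_response_type(value: str) -> str:
    """Canonicalise and check against the supported set; raise on anything
    else so a typo fails loudly instead of silently missing the map key."""
    canon = canonical_response_type(value)
    if canon is None or canon not in SUPPORTED_RESPONSE_TYPES:
        raise ValueError(f"Invalid response type: {value!r}")
    return canon


def id_token_from_redirect(redirect_url: str) -> Optional[str]:
    """Hybrid-flow responses carry the id_token in the URL fragment.
    Return it, or None when the fragment or the parameter is absent, so a
    caller that wants to store the sid claim can skip that step instead
    of dereferencing a null."""
    fragment = urlsplit(redirect_url).fragment
    if not fragment:
        return None
    values = parse_qs(fragment).get("id_token")
    return values[0] if values else None
```

A server that canonicalises at registration time and at request time never has to care about the hashCode of the raw string the client sent; the only string that reaches the map is one the server built itself.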

Re: [Architecture] [Dev] [VOTE] Release WSO2 Identity Server 5.5.0 RC1

2018-03-14 Thread Pushpalanka Jayawardhana
Hi,

Thanks for the information Darshana. Didn't know it was decided to be
rectified in an RC2.
Thanks for the fix.

On Thu, Mar 15, 2018 at 1:39 AM, Omindu Rathnaweera  wrote:

> Hi Lanka,
>
> This issue is now fixed in the latest oauth version (v5.6.63) and will be
> available with RC2.
>
> Regards,
> Omindu.
>
>
> On Wed, Mar 14, 2018 at 10:32 PM, Darshana Gunawardana 
> wrote:
>
>> Hi Lanka,
>>
>> As you already know, we are working on rectifying this NPE in the RC2.
>>
>> Thanks,
>>
>> On Wed, Mar 14, 2018 at 10:25 PM, Pushpalanka Jayawardhana <
>> la...@wso2.com> wrote:
>>
>>> Hi,
>>>
>>> On Wed, Mar 14, 2018 at 10:14 PM, Pushpalanka Jayawardhana <
>>> la...@wso2.com> wrote:
>>>
>>>>
>>>>
>>>> On Wed, Mar 14, 2018 at 10:09 PM, Pushpalanka Jayawardhana <
>>>> la...@wso2.com> wrote:
>>>>
>>>>> Hi All,
>>>>>
>>>>> Tested OIDC hybrid flow with "code idtoken" response type. This is
>>>>> breaking with an "Invalid response type" error message.
>>>>> Could do a bit of debugging and it seems that at [1], it is failing to
>>>>> identify the existing key for the "code idtoken" type.
>>>>>
>>>>> In the HashTable returned by the
>>>>> OAuthServerConfiguration.getInstance().getSupportedResponseTypeValidators()
>>>>> execution, the "code idtoken" key has the hashCode '-1819461976' while the
>>>>> input key 'code idtoken' produces the hashCode '-732188021'. In plain
>>>>> Java code, if we generate the hashCode for 'code idtoken' it also generates
>>>>> this. This results in not identifying the sent response type properly.
>>>>> Appreciate if this can be further investigated.
>>>>>
>>>>> [1] - https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/5.6.x/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/model/CarbonOAuthAuthzRequest.java#L49
>>>>>
>>>>
>>>> Please ignore this, just realised it should be id_token. Sorry for the
>>>> noise.
>>>>
>>> Even with this fix the flow is failing with below error,
>>>
>>> java.lang.NullPointerException
>>> 
>>> org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.getIdTokenFromRedirectURL(OAuth2AuthzEndpoint.java:2321)
>>> 
>>> org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.storeSidClaim(OAuth2AuthzEndpoint.java:2225)
>>> 
>>> org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.manageOIDCSessionState(OAuth2AuthzEndpoint.java:2050)
>>> 
>>> org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.handleSuccessfulAuthentication(OAuth2AuthzEndpoint.java:607)
>>> 
>>> org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.handleAuthenticationResponse(OAuth2AuthzEndpoint.java:574)
>>> 
>>> org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.authorize(OAuth2AuthzEndpoint.java:199)
>>> sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>> 
>>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>> 
>>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>> java.lang.reflect.Method.invoke(Method.java:498)
>>> 
>>> org.apache.cxf.service.invoker.AbstractInvoker.performInvocation(AbstractInvoker.java:188)
>>> 
>>> org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:104)
>>> org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:204)
>>> org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:101)
>>> 
>>> org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:58)
>>> 
>>> org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:94)
>>> 
>>> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
>>> 
>>> org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
>>> 
>>> org.apache.cxf.transport.http.AbstractHTTPDestination.inv

Re: [Architecture] [Dev] [VOTE] Release WSO2 Identity Server 5.5.0 RC2

2018-03-14 Thread Pushpalanka Jayawardhana
O2 Inc.; http://wso2.com
>>>>
>>>> *E-mail: darsh...@wso2.com*
>>>> *Mobile: +94718566859*
>>>> Lean . Enterprise . Middleware
>>>>
>>>
>>>
>>>
>>> --
>>>
>>> Best Regards,
>>>
>>> Nuwandi Wickramasinghe
>>>
>>> Senior Software Engineer
>>>
>>> WSO2 Inc.
>>>
>>> Web : http://wso2.com
>>>
>>> Mobile : 0719214873
>>>
>>>
>>>
>>
>>
>> --
>>
>>
>>
>> *Kind Regards,*
>> *Nipuni Bhagya*
>>
>> *Software Engineering Intern*
>> *WSO2*
>>
>>
>>
>> *Mobile : +94 0779028904*
>>
>>
>>
>
>
> --
> *Dinali Rosemin Dabarera*
> Software Engineer
> WSO2 Lanka (pvt) Ltd.
> Web: http://wso2.com/
> Email : gdrdabar...@gmail.com
> LinkedIn <https://lk.linkedin.com/in/dinalidabarera>
> Mobile: +94770198933
>
>
>

Thanks,
-- 
Pushpalanka.
-- 
Pushpalanka Jayawardhana, B.Sc.Eng.(Hons).
Senior Software Engineer, WSO2 Lanka (pvt) Ltd;  wso2.com/
Mobile: +94779716248
Blog: pushpalankajaya.blogspot.com/ | LinkedIn:
lk.linkedin.com/in/pushpalanka/ | Twitter: @pushpalanka
___
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture


Re: [Architecture] [Dev] [IS] Architecture - API to Retrieve Authentication Session Information

2018-09-10 Thread Pushpalanka Jayawardhana
;> *Solution*
>>>>>>>>>
>>>>>>>>> Develop an API to provide the following functionalities.
>>>>>>>>>
>>>>>>>>>- Retrieve information on currently logged in and recently used
>>>>>>>>>sessions since the last password change.
>>>>>>>>>- Retrieve time, location, OS and browser details of each
>>>>>>>>>logged in and recently used session.
>>>>>>>>>- Terminate a particular logged in account.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> *Retrieve session information*
>>>>>>>>>
>>>>>>>>>- A user can view his currently logged in details and recently
>>>>>>>>>used session information. For each session, information about the
>>>>>>>>>last time used, location, browser and OS details is shown.
>>>>>>>>>- To view the information, the user has to send an HTTP GET request
>>>>>>>>>with the SessionID and can query by ServiceProvider detail for a
>>>>>>>>>particular account. Then the API will query the alive UserID for the
>>>>>>>>>given details and produce the required information for the user.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> *Terminate a particular account*
>>>>>>>>>
>>>>>>>>>- If a user or admin wants to log out from a logged in
>>>>>>>>>account, he can terminate that particular account session.
>>>>>>>>>- If an Identity Provider / Service Provider / User Account is
>>>>>>>>>deleted by the admin, the session will be automatically terminated
>>>>>>>>>by event listeners.
>>>>>>>>>- To terminate an account, the user has to send an HTTP POST request
>>>>>>>>>with the SessionID and can query by ServiceProvider detail for a
>>>>>>>>>particular account. Then the API will query the alive UserID for the
>>>>>>>>>given details and terminate the account.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> *Database design*
>>>>>>>>>
>>>>>>>>>- *UserID*, which is mapped to the *IDP*, *IDP UserID* and *Service
>>>>>>>>>Provider*, is used to identify a unique account.
>>>>>>>>>- Through the *UserID*, information on a particular account will be
>>>>>>>>>provided.
>>>>>>>>>- In the *Session* table, details of *Browser, OS* and *Location*
>>>>>>>>>will not be used in queries, so we can store this information as a
>>>>>>>>>JSON object.
>>>>>>>>>
>>>>>>>>> Regards
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Chuhaashanan
>>>>>>>>> Intern - Software Engineering
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>>
>>>>>>>> *Ruwan Abeykoon*
>>>>>>>> *Associate Director/Architect**,*
>>>>>>>> *WSO2, Inc. http://wso2.com*
>>>>>>>> *lean.enterprise.middleware.*
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Chuhaashanan
>>>>>>> Intern - Software Engineering
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Thanks & Regards,
>>>>>> Dulanja Liyanage
>>>>>> Lead, Platform Security Team
>>>>>> WSO2 Inc.
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Chuhaashanan
>>>>> Intern - Software Engineering
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Thanks & Regards,
>>>> Dulanja Liyanage
>>>> Lead, Platform Security Team
>>>> WSO2 Inc.
>>>>
>>>
>>>
>>>
>>> --
>>> Chuhaashanan
>>> Intern - Software Engineering
>>>
>>>
>>
>>
>> --
>> Thanks & Regards,
>> Dulanja Liyanage
>> Lead, Platform Security Team
>> WSO2 Inc.
>>
>
>
> --
>
> *Ruwan Abeykoon*
> *Associate Director/Architect**,*
> *WSO2, Inc. http://wso2.com*
> *lean.enterprise.middleware.*
>
>


-- 
Pushpalanka.
-- 
Pushpalanka Jayawardhana, B.Sc.Eng.(Hons).
Senior Software Engineer, WSO2 Lanka (pvt) Ltd;  wso2.com/
Mobile: +94779716248
Blog: pushpalankajaya.blogspot.com/ | LinkedIn:
lk.linkedin.com/in/pushpalanka/ | Twitter: @pushpalanka
___
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
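The session API proposed in the thread above (list sessions used since the last password change, terminate one session, tear sessions down when the account, IdP or SP is deleted) has one security property the proposal does not spell out: both the GET and the POST take a SessionID and a user from the request, so the endpoint must verify that the caller owns the session before returning or terminating it, or any authenticated user can enumerate and log out other accounts. The following is an added example written for this page, not WSO2 Identity Server code. It models the store in memory; the field names, the admin flag and the sample sessions are assumptions constructed for the example.

```python
"""In-memory model of the proposed session API, with the authorization
checks such an endpoint needs. Constructed example, not WSO2 Identity
Server code; names, fields and sample data are assumptions."""
import json
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Session:
    session_id: str
    user_id: str            # stands in for the (IdP, IdP user id, SP) mapping
    service_provider: str
    last_used: float
    client_info: str        # browser/OS/location as one JSON blob; never queried
    terminated: bool = False


class SessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}
        self._pw_changed_at: Dict[str, float] = {}

    def record_login(self, session_id: str, user_id: str, service_provider: str,
                     client_info: dict, now: Optional[float] = None) -> None:
        now = time.time() if now is None else now
        self._sessions[session_id] = Session(
            session_id, user_id, service_provider, now, json.dumps(client_info))

    def touch(self, session_id: str, now: Optional[float] = None) -> None:
        """Called on each use so 'recently used' stays accurate."""
        self._sessions[session_id].last_used = time.time() if now is None else now

    def password_changed(self, user_id: str, now: Optional[float] = None) -> None:
        self._pw_changed_at[user_id] = time.time() if now is None else now

    def list_sessions(self, caller: str, user_id: str,
                      service_provider: Optional[str] = None,
                      is_admin: bool = False) -> List[dict]:
        """GET: sessions of user_id used since the last password change.
        The ownership check comes first: without it any authenticated
        caller could enumerate another account's sessions by user id."""
        if caller != user_id and not is_admin:
            raise PermissionError("cannot view another user's sessions")
        since = self._pw_changed_at.get(user_id, 0.0)
        out = []
        for s in self._sessions.values():
            if s.user_id != user_id or s.terminated or s.last_used < since:
                continue
            if service_provider is not None and s.service_provider != service_provider:
                continue
            out.append({"session_id": s.session_id,
                        "service_provider": s.service_provider,
                        "last_used": s.last_used,
                        **json.loads(s.client_info)})
        return out

    def terminate(self, caller: str, session_id: str, is_admin: bool = False) -> bool:
        """POST: terminate one session. Same ownership rule as listing;
        returns False when the session is unknown or already gone."""
        s = self._sessions.get(session_id)
        if s is None or s.terminated:
            return False
        if s.user_id != caller and not is_admin:
            raise PermissionError("cannot terminate another user's session")
        s.terminated = True
        return True

    # Event-listener hooks: deleting the account or the SP tears down every
    # live session that depended on it.
    def on_user_deleted(self, user_id: str) -> int:
        return self._terminate_where(lambda s: s.user_id == user_id)

    def on_service_provider_deleted(self, service_provider: str) -> int:
        return self._terminate_where(lambda s: s.service_provider == service_provider)

    def _terminate_where(self, pred: Callable[[Session], bool]) -> int:
        count = 0
        for s in self._sessions.values():
            if not s.terminated and pred(s):
                s.terminated = True
                count += 1
        return count
```

Note that "unknown session" and "not your session" are deliberately not the same response: the first returns False, the second raises. Collapsing them into one would stop a caller from probing whether a given session id exists at all.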


Re: [Architecture] Cloud Tenant deletion caching issue

2019-02-21 Thread Pushpalanka Jayawardhana
>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> On Fri, Sep 5, 2014 at 8:00 PM, Nirmal Fernando <
>>>>>>>>>>>> nir...@wso2.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Can't we use a tenant event listener and remove the entry from
>>>>>>>>>>>>> the map on a tenant deletion event?
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Fri, Sep 5, 2014 at 7:50 PM, Godwin Amila Shrimal <
>>>>>>>>>>>>> god...@wso2.com> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> We are working on the tenant deletion implementation. Once we
>>>>>>>>>>>>>> perform the current tenant deletion operation in
>>>>>>>>>>>>>> *TenantMgtAdminService* it deletes the registry, user store etc.
>>>>>>>>>>>>>> data. But it doesn't allow creating a tenant again with the
>>>>>>>>>>>>>> same tenant domain name until the server is restarted.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> The reason for the above situation is that the tenant domain and id
>>>>>>>>>>>>>> are kept in a map (*tenantDomainIdMap*) inside the *JDBCTenantManager*.
>>>>>>>>>>>>>> When performing the delete operation it checks the availability
>>>>>>>>>>>>>> from this map.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> As per the discussion we can see the following solutions for this.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> *Solution1*
>>>>>>>>>>>>>> Check the tenant availability from the database, not from in-memory
>>>>>>>>>>>>>> data, but this will be costly if it is a frequently performed
>>>>>>>>>>>>>> operation.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> *Solution2*
>>>>>>>>>>>>>> We can give public access to delete a particular key in
>>>>>>>>>>>>>> the map; this will be a security issue, as people can pass a
>>>>>>>>>>>>>> tenant domain and perform the deletion.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> *Solution3*
>>>>>>>>>>>>>> Run a periodic operation which checks the availability of the
>>>>>>>>>>>>>> tenants in the database and deletes from the map those which do
>>>>>>>>>>>>>> not exist.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> We are looking for feedback on this.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Thanks
>>>>>>>>>>>>>> Godwin
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> --
>>>>>>>>>>>>>> *Godwin Amila Shrimal*
>>>>>>>>>>>>>> Senior Software Engineer
>>>>>>>>>>>>>> WSO2 Inc.; http://wso2.com
>>>>>>>>>>>>>> lean.enterprise.middleware
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> mobile: *+94772264165*
>>>>>>>>>>>>>> linkedin: *http://lnkd.in/KUum6D <http://lnkd.in/KUum6D>*
>>>>>>>>>>>>>> twitter: https://twitter.com/godwinamila
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> ___
>&
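Nirmal's suggestion above (a tenant-deletion listener that evicts the cache entry) avoids both the per-request database hit of Solution 1 and the public "delete this key" entry point of Solution 2, because the only code that can evict an entry is the manager's own listener, fired after the row is actually gone. The following is an added example written for this page, not Carbon or WSO2 code: a manager with a domain-to-id cache in the role of tenantDomainIdMap, a deletion event, and an eviction listener. The TenantDatabase stand-in and the listener signature are assumptions.

```python
"""Evicting a deleted tenant from the in-memory domain->id map via a
tenant-deletion listener. Constructed example, not Carbon code; the
TenantDatabase stand-in and listener signature are assumptions."""
from typing import Callable, Dict, List, Optional, Set


class TenantDatabase:
    """Minimal stand-in for the tenant table behind JDBCTenantManager."""

    def __init__(self) -> None:
        self._rows: Dict[int, str] = {}
        self._next_id = 1

    def insert(self, domain: str) -> int:
        tenant_id = self._next_id
        self._next_id += 1
        self._rows[tenant_id] = domain
        return tenant_id

    def delete(self, tenant_id: int) -> None:
        del self._rows[tenant_id]

    def lookup(self, domain: str) -> Optional[int]:
        for tenant_id, d in self._rows.items():
            if d == domain:
                return tenant_id
        return None


TenantDeletedListener = Callable[[str, int], None]


class TenantManager:
    def __init__(self, db: TenantDatabase) -> None:
        self._db = db
        self._domain_id_cache: Dict[str, int] = {}   # plays the tenantDomainIdMap role
        self._listeners: List[TenantDeletedListener] = []
        # The manager registers its own eviction listener. No public
        # "remove this key" method exists, so callers cannot evict arbitrary
        # domains the way Solution 2 would have allowed.
        self.add_tenant_deleted_listener(self._evict)

    def add_tenant_deleted_listener(self, fn: TenantDeletedListener) -> None:
        self._listeners.append(fn)

    def get_tenant_id(self, domain: str) -> Optional[int]:
        """Cache hit avoids the database; a miss falls through to it."""
        tenant_id = self._domain_id_cache.get(domain)
        if tenant_id is None:
            tenant_id = self._db.lookup(domain)
            if tenant_id is not None:
                self._domain_id_cache[domain] = tenant_id
        return tenant_id

    def add_tenant(self, domain: str) -> int:
        if self.get_tenant_id(domain) is not None:
            raise ValueError(f"tenant domain {domain!r} already exists")
        tenant_id = self._db.insert(domain)
        self._domain_id_cache[domain] = tenant_id
        return tenant_id

    def delete_tenant(self, domain: str) -> None:
        tenant_id = self.get_tenant_id(domain)
        if tenant_id is None:
            raise KeyError(domain)
        self._db.delete(tenant_id)
        # Fire after the row is gone so a listener that re-reads the
        # database sees the deletion.
        for fn in self._listeners:
            fn(domain, tenant_id)

    def _evict(self, domain: str, tenant_id: int) -> None:
        self._domain_id_cache.pop(domain, None)

    def cached_domains(self) -> Set[str]:
        return set(self._domain_id_cache)
```

In a cluster the same event has to reach every node that holds its own copy of the map; a listener that only runs on the node that served the deletion leaves the other nodes with the stale entry the thread describes.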

Re: [Architecture] [Microgateway] API Manager JWT Token Revocation Feature

2019-04-23 Thread Pushpalanka Jayawardhana
gt; scalability) with a near real-time impact, which I think is ideal. 
>>>>>>>>>>> For the
>>>>>>>>>>> persistence related issue I think we need to introduce a lightweight
>>>>>>>>>>> persistence layer across the microgateways.
>>>>>>>>>>>
>>>>>>>>>>> [1] - https://github.com/wso2/product-microgateway/issues/298
>>>>>>>>>>>
>>>>>>>>>>> On Sat, Feb 9, 2019 at 9:53 PM Fazlan Nazeem 
>>>>>>>>>>> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Hi Sanjeewa,
>>>>>>>>>>>>
>>>>>>>>>>>> Irrespective of the method we use to implement this, once we
>>>>>>>>>>>> choose a mechanism, we will not be able to refer to the JWT tokens
>>>>>>>>>>>> as self-contained, will we? Because we will have to depend on an
>>>>>>>>>>>> external party to decide the validity of a token.
>>>>>>>>>>>>
>>>>>>>>>>>> AFAIU, I think the pub/sub model and push model have a
>>>>>>>>>>>> disadvantage if the process running the topic (in the pub/sub model)
>>>>>>>>>>>> or the microgateway (in the push model) is restarted (unless we
>>>>>>>>>>>> repopulate the topic or the mgw memory on each restart with the JTIs
>>>>>>>>>>>> of unexpired revoked tokens).
>>>>>>>>>>>>
>>>>>>>>>>>> With the pull model, I don't see this issue. The key manager
>>>>>>>>>>>> only needs to store the unexpired revoked token information.
>>>>>>>>>>>>
>>>>>>>>>>>> I also feel that we need to introduce a config to switch on
>>>>>>>>>>>> enabling/disabling this feature so that we can also use the
>>>>>>>>>>>> microgateways in the current mode.
>>>>>>>>>>>>
>>>>>>>>>>>> On Thu, Feb 7, 2019 at 3:58 PM Sanjeewa Malalgoda <
>>>>>>>>>>>> sanje...@wso2.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Hi All,
>>>>>>>>>>>>> I'm initiating this mail thread to discuss more about the JWT
>>>>>>>>>>>>> token revocation feature we are planning to implement for the API
>>>>>>>>>>>>> Manager micro-gateway. In the API Manager micro-gateway we support
>>>>>>>>>>>>> both OAuth access tokens and JWT access tokens. When we use OAuth
>>>>>>>>>>>>> access tokens we can revoke them and make it take effect immediately.
>>>>>>>>>>>>> Since all OAuth tokens get validated with the key manager, revoked
>>>>>>>>>>>>> tokens will fail validation. When we use JWT tokens we do token
>>>>>>>>>>>>> validation within the gateway itself without calling the key manager
>>>>>>>>>>>>> or an external party. Since a JWT is a self-contained one, we
>>>>>>>>>>>>> basically trust its content as long as the token is not expired and
>>>>>>>>>>>>> the signature is valid. Then it will be a problem.
>>>>>>>>>>>>>
>>>>>>>>>>>>> So we will need to have some mechanism to propagate revoked
>>>>>>>>>>>>> token details to micro-gateways as well. Since self contained 
>>>>>>>>>>>>> token
>>>>>>>>>>>>> revocation i
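The thread above settles on a shape for gateway-side revocation: the gateway keeps validating signature and expiry locally, but also consults a list of revoked JTIs, and (as Fazlan points out) only the JTIs of tokens that have not yet expired need to be kept, whether the gateway pulls that list from the key manager or has it pushed. The following is an added example written for this page, not WSO2 Microgateway or Key Manager code. It uses HS256 with a shared key purely so the example runs stand-alone (a real gateway verifies the key manager's RS256 signature with its public key); the key, the claims and the `RevocationStore` interface are assumptions.

```python
"""Gateway-side JWT validation with a revoked-jti store that only keeps
entries until the token would expire anyway. Constructed example, not
WSO2 Microgateway or Key Manager code; HS256 with a shared key is an
assumption used so the example runs stand-alone."""
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional

SHARED_KEY = b"example-only-hmac-key-do-not-reuse"   # assumption for the demo


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_jwt(claims: dict, key: bytes = SHARED_KEY) -> str:
    """What the key manager would hand out: header.payload.signature."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


class RevocationStore:
    """jti -> exp of revoked-but-not-yet-expired tokens. Entries past their
    exp are dropped because the ordinary expiry check already rejects them;
    that keeps the set bounded and is all a pull from the key manager needs."""

    def __init__(self) -> None:
        self._revoked: Dict[str, int] = {}

    def revoke(self, jti: str, exp: int) -> None:
        self._revoked[jti] = exp

    def prune(self, now: int) -> None:
        self._revoked = {j: e for j, e in self._revoked.items() if e > now}

    def is_revoked(self, jti: str, now: int) -> bool:
        self.prune(now)
        return jti in self._revoked

    def snapshot(self, now: int) -> Dict[str, int]:
        """What a gateway pulls (or is pushed) to rebuild state after a restart."""
        self.prune(now)
        return dict(self._revoked)

    def load(self, entries: Dict[str, int]) -> None:
        self._revoked.update(entries)


def validate_at_gateway(token: str, store: RevocationStore,
                        now: Optional[int] = None, key: bytes = SHARED_KEY) -> dict:
    """Algorithm, signature, expiry, then the revocation list. Raises
    ValueError with the reason; a gateway would map that to 401."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
    except ValueError:
        raise ValueError("malformed token")
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")   # never let the token pick the algorithm
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("expired")
    jti = claims.get("jti")
    if not jti:
        raise ValueError("no jti claim; token cannot be revoked, so reject it")
    if store.is_revoked(jti, now):
        raise ValueError("revoked")
    return claims
```

Two details matter for the models discussed in the thread. A token without a `jti` is rejected outright, because nothing could ever revoke it. And `snapshot`/`load` is the restart path Fazlan was worried about: a freshly started gateway loads the unexpired revoked set from the key manager before it serves traffic, after which push or periodic pull only has to deliver the delta.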