[Architecture] [IAM] JWT client authentication for OAuth 2.0 for IS 5.5.0

2018-01-04 Thread Hasanthi Purnima Dissanayake
Hi All,

The following tasks have been identified for the implementation of the $subject.

1. Move the logic that validates the token API invocation request (checking
the parameters required for JWT client authentication) to
PrivatekeyJWTClientAuthHandler
2. Introduce a new interface to read the public certificate.
   - Certificate can be read from keystore
   - Certificate can be read from db
   - Certificate can be read from any other means
3. The data persisted in IDN_JWT_PRIVATE_KEY can grow rapidly, which may cause
performance issues, so we need to implement a cleanup script based on the
expiration time of the JWT.
4. Honour the UI configuration for confidential applications which is
discussed in mail [1]

Apart from the above, the following tasks need to be considered:
1. Improving the unit tests of the repository
2. Improve the documentation for the $subject.


[1] Confidential Applications in OAuth2 Flow

Thanks,
-- 

Hasanthi Dissanayake

Senior Software Engineer | WSO2

E: hasan...@wso2.com
M :0718407133| http://wso2.com 
___
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture


Re: [Architecture] [IAM] JWT client authentication for OAuth 2.0 for IS 5.5.0

2018-01-04 Thread Isura Karunaratne
Hi Hasanthi,

On Thu, Jan 4, 2018 at 4:32 PM, Hasanthi Purnima Dissanayake <
hasan...@wso2.com> wrote:

> Hi All,
>
> The following tasks have been identified for the implementation of the $subject.
>
> 1. Move the logic that validates the token API invocation request (checking
> the parameters required for JWT client authentication) to
> PrivatekeyJWTClientAuthHandler
> 2. Introduce a new interface to read the public certificate.
>- Certificate can be read from keystore
>- Certificate can be read from db
>- Certificate can be read from any other means
> 3. The data persisted in IDN_JWT_PRIVATE_KEY can grow rapidly, which may
> cause performance issues, so we need to implement a cleanup script based on
> the expiration time of the JWT.
>

Which data are supposed to be stored in the IDN_JWT_PRIVATE_KEY table? What is
the reason for storing that data?

Thanks
Isura.

-- 

*Isura Dilhara Karunaratne*
Associate Technical Lead | WSO2
Email: is...@wso2.com
Mob : +94 772 254 810
Blog : http://isurad.blogspot.com/


Re: [Architecture] [IAM] JWT client authentication for OAuth 2.0 for IS 5.5.0

2018-01-04 Thread Omindu Rathnaweera
On Fri, Jan 5, 2018 at 7:49 AM, Isura Karunaratne  wrote:

> Hi Hasanthi,
>
> On Thu, Jan 4, 2018 at 4:32 PM, Hasanthi Purnima Dissanayake <
> hasan...@wso2.com> wrote:
>
>> Hi All,
>>
>> The following tasks have been identified for the implementation of the $subject.
>>
>> 1. Move the logic that validates the token API invocation request (checking
>> the parameters required for JWT client authentication) to
>> PrivatekeyJWTClientAuthHandler
>> 2. Introduce a new interface to read the public certificate.
>>- Certificate can be read from keystore
>>- Certificate can be read from db
>>- Certificate can be read from any other means
>> 3. The data persisted in IDN_JWT_PRIVATE_KEY can grow rapidly, which may
>> cause performance issues, so we need to implement a cleanup script based on
>> the expiration time of the JWT.
>>
>
> Which data are supposed to be stored in the IDN_JWT_PRIVATE_KEY table? What
> is the reason for storing that data?
>

If we are storing private keys in the table, make sure the content is
encrypted to avoid security concerns.


Regards,
Omindu.

-- 
Omindu Rathnaweera
Senior Software Engineer, WSO2 Inc.
Mobile: +94 771 197 211


Re: [Architecture] [IAM] JWT client authentication for OAuth 2.0 for IS 5.5.0

2018-01-04 Thread Hasanthi Purnima Dissanayake
Hi Isura/Omindu,

> Which data are supposed to be stored in the IDN_JWT_PRIVATE_KEY table? What
> is the reason for storing that data?
>

In the patch that we provided for 5.3.0, this table contains the
following fields:
JWT_ID (primary key)
EXP_TIME
TIME_CREATED

JWT_ID is a unique identifier for the token. According to the spec this
token should not be reused, so JWT_ID is what prevents re-use of the
token; hence we need to store the JWT_ID. Based on the EXP_TIME we have
planned to clean up the records. The spec is a bit flexible on re-using the
token, so once the token has expired we let the same JWT_ID be re-used.


jti REQUIRED. JWT ID. A unique identifier for the token, which can be used
to prevent reuse of the token. These tokens MUST only be used once, unless
conditions for reuse were negotiated between the parties; any such
negotiation is beyond the scope of this specification.


> If we are storing private keys in the table, make sure the content is
> encrypted to avoid security concerns.


Actually we don't store private keys here. Anyway, the table name is a bit
misleading. So shall we rename the table to IDN_OIDC_JTI?


Thanks,

-- 

Hasanthi Dissanayake

Senior Software Engineer | WSO2

E: hasan...@wso2.com
M :0718407133| http://wso2.com 


Re: [Architecture] [IAM] JWT client authentication for OAuth 2.0 for IS 5.5.0

2018-01-04 Thread Hasanthi Purnima Dissanayake
+Hasintha

-- 

Hasanthi Dissanayake

Senior Software Engineer | WSO2

E: hasan...@wso2.com
M :0718407133| http://wso2.com 


Re: [Architecture] [IAM] JWT client authentication for OAuth 2.0 for IS 5.5.0

2018-01-04 Thread Hasintha Indrajee
On Thu, Jan 4, 2018 at 4:32 PM, Hasanthi Purnima Dissanayake <
hasan...@wso2.com> wrote:

> Hi All,
>
> The following tasks have been identified for the implementation of the $subject.
>
> 1. Move the logic that validates the token API invocation request (checking
> the parameters required for JWT client authentication) to
> PrivatekeyJWTClientAuthHandler
> 2. Introduce a new interface to read the public certificate.
>- Certificate can be read from keystore
>- Certificate can be read from db
>

So this has to work with the SP-wise certificates which we are planning to
implement and which are currently in progress. Given the timelines, I think we
can implement this extension for reading the certificate per SP from the DB.
Hence let's add this to the scope as well, since it adds value and we also
don't need to worry about restarting servers once a certificate is added.

Anyway, we need a per-SP certificate in this case. Hence the best approach is
to use this new feature, which was done by Rushmin. The previous way of
implementing it is just a workaround. We should also support the previous way
through a config in order to cater for backward compatibility.


-- 
Hasintha Indrajee
WSO2, Inc.
Mobile:+94 771892453


Re: [Architecture] [IAM] JWT client authentication for OAuth 2.0 for IS 5.5.0

2018-01-04 Thread Rushmin Fernando
On Fri, Jan 5, 2018 at 10:08 AM, Hasintha Indrajee 
wrote:

>
>
> On Thu, Jan 4, 2018 at 4:32 PM, Hasanthi Purnima Dissanayake <
> hasan...@wso2.com> wrote:
>
>> Hi All,
>>
>> The following tasks have been identified for the implementation of the $subject.
>>
>> 1. Move the logic that validates the token API invocation request (checking
>> the parameters required for JWT client authentication) to
>> PrivatekeyJWTClientAuthHandler
>> 2. Introduce a new interface to read the public certificate.
>>- Certificate can be read from keystore
>>- Certificate can be read from db
>>
>
> So this has to work with the SP-wise certificates which we are planning to
> implement and which are currently in progress. Given the timelines, I think we
> can implement this extension for reading the certificate per SP from the DB.
> Hence let's add this to the scope as well, since it adds value and we also
> don't need to worry about restarting servers once a certificate is added.
>
> Anyway, we need a per-SP certificate in this case. Hence the best approach is
> to use this new feature, which was done by Rushmin. The previous way of
> implementing it is just a workaround. We should also support the previous way
> through a config in order to cater for backward compatibility.
>
>


Yes, we should align this task with the 'per SP certificate storing'
feature.

We had a discussion about this (I will send a separate mail on that). The
outcome was not to have a configuration. I will explain it in the other
mail.


-- 
*Best Regards*

*Rushmin Fernando*
*Technical Lead*

WSO2 Inc.  - Lean . Enterprise . Middleware

mobile : +94775615183


Re: [Architecture] [IAM] JWT client authentication for OAuth 2.0 for IS 5.5.0

2018-01-04 Thread Prakhash Sivakumar
On Fri, Jan 5, 2018 at 9:47 AM, Hasanthi Purnima Dissanayake <
hasan...@wso2.com> wrote:

> Hi Isura/Omindu,
>
>> Which data are supposed to be stored in the IDN_JWT_PRIVATE_KEY table? What
>> is the reason for storing that data?
>>
>
> In the patch that we provided for 5.3.0, this table contains the
> following fields:
> JWT_ID (primary key)
> EXP_TIME
> TIME_CREATED
>
> JWT_ID is a unique identifier for the token. According to the spec this
> token should not be reused, so JWT_ID is what prevents re-use of the
> token; hence we need to store the JWT_ID. Based on the EXP_TIME we have
> planned to clean up the records. The spec is a bit flexible on re-using the
> token, so once the token has expired we let the same JWT_ID be re-used.
>
>
> jti REQUIRED. JWT ID. A unique identifier for the token, which can be used
> to prevent reuse of the token. These tokens MUST only be used once, unless
> conditions for reuse were negotiated between the parties; any such
> negotiation is beyond the scope of this specification.
>
>
>> If we are storing private keys in the table, make sure the content is
>> encrypted to avoid security concerns.
>
>
> Actually we don't store private keys here. Anyway, the table name is a bit
> misleading. So shall we rename the table to IDN_OIDC_JTI?
>

Yes, this name is misleading; as we don't store private keys here, it's better
to rename this table.

-- 
Prakhash Sivakumar
Software Engineer | WSO2 Inc
Platform Security Team
Mobile : +94771510080
Blog : https://medium.com/@PrakhashS


Re: [Architecture] [IAM] JWT client authentication for OAuth 2.0 for IS 5.5.0

2018-01-04 Thread Rushmin Fernando
Please see [1] to read more about storing the application certificate in
the database.

[1] - Mail Thread: '[Feature] Storing the application certificate in the
database.'

-- 
*Best Regards*

*Rushmin Fernando*
*Technical Lead*

WSO2 Inc.  - Lean . Enterprise . Middleware

mobile : +94775615183


Re: [Architecture] [IAM] JWT client authentication for OAuth 2.0 for IS 5.5.0

2018-01-05 Thread Farasath Ahamed
On Friday, January 5, 2018, Hasanthi Purnima Dissanayake 
wrote:

> Hi Isura/Omindu,
>
>> Which data are supposed to be stored in the IDN_JWT_PRIVATE_KEY table? What
>> is the reason for storing that data?
>>
>
> In the patch that we provided for 5.3.0, this table contains the
> following fields:
> JWT_ID (primary key)
> EXP_TIME
> TIME_CREATED
>
> JWT_ID is a unique identifier for the token. According to the spec this
> token should not be reused, so JWT_ID is what prevents re-use of the
> token; hence we need to store the JWT_ID. Based on the EXP_TIME we have
> planned to clean up the records. The spec is a bit flexible on re-using the
> token, so once the token has expired we let the same JWT_ID be re-used.
>

Shouldn't this restriction be per SP (client)?
Since jti is an identifier string, what happens if two different SPs send
two different JWTs with the same jti?


-- 
Farasath Ahamed
Senior Software Engineer, WSO2 Inc.; http://wso2.com
Mobile: +94777603866
Blog: blog.farazath.com
Twitter: @farazath619 



Re: [Architecture] [IAM] JWT client authentication for OAuth 2.0 for IS 5.5.0

2018-01-08 Thread Hasanthi Purnima Dissanayake
Hi Farasath,

> Shouldn't this restriction be per SP (client)?
> Since jti is an identifier string, what happens if two different SPs send
> two different JWTs with the same jti?
>

As it is the same token endpoint which will issue the JWT, we did not
think to restrict this per SP. So we have prevented the use of the same JTI
even for different SPs.

Thanks,
Hasanthi

-- 

Hasanthi Dissanayake

Senior Software Engineer | WSO2

E: hasan...@wso2.com
M :0718407133| http://wso2.com 
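As an added example, not code from this thread or from WSO2 Identity Server, the following Python models the jti table Hasanthi describes (JWT_ID, EXP_TIME, TIME_CREATED), the expiry-based cleanup, and the per-client scoping Farasath raises (the 5.3.0 patch keys on the jti alone, as Hasanthi's last reply states). The token endpoint URL, the client identifiers, the sample claims and the 300-second maximum assertion lifetime are assumptions made for the example, and signature verification of the assertion is assumed to happen before these checks run.

```python
"""Replay protection for private_key_jwt client assertions (added example).

Not code from the thread or from WSO2 Identity Server. The jti table from the
thread (JWT_ID, EXP_TIME, TIME_CREATED) is modelled as an in-memory dict. A jti
is accepted once while its exp is in the future; rows whose EXP_TIME has passed
are purged, and the same jti may then be presented again. Signature
verification of the assertion is assumed to have happened before these checks.
"""
import time
from typing import Dict, Optional, Tuple

REQUIRED_CLAIMS = ("iss", "sub", "aud", "exp", "jti")


class AssertionRejected(Exception):
    """Raised when a client assertion fails validation."""


class JtiStore:
    """In-memory stand-in for the jti table (IDN_OIDC_JTI in the thread).

    Rows are keyed per client, the scoping Farasath asks about. Keying on the
    jti alone gives the global behaviour Hasanthi describes.
    """

    def __init__(self) -> None:
        # (client_id, jti) -> (exp_time, time_created), all epoch seconds
        self._rows: Dict[Tuple[str, str], Tuple[int, int]] = {}

    def consume(self, client_id: str, jti: str, exp_time: int, now: int) -> None:
        """Record jti for client_id, or reject it if a live row already exists."""
        key = (client_id, jti)
        row = self._rows.get(key)
        if row is not None and row[0] > now:
            raise AssertionRejected("jti replayed: %s" % jti)
        # Unseen, or seen but already expired: reuse after expiry is allowed.
        self._rows[key] = (exp_time, now)

    def cleanup(self, now: int) -> int:
        """Purge rows whose EXP_TIME has passed (the cleanup script); returns the count."""
        expired = [k for k, (exp, _) in self._rows.items() if exp <= now]
        for k in expired:
            del self._rows[k]
        return len(expired)

    def __len__(self) -> int:
        return len(self._rows)


def validate_client_assertion(claims: dict, client_id: str, token_endpoint: str,
                              store: JtiStore, now: Optional[int] = None,
                              max_lifetime: int = 300) -> str:
    """Check the claims of a signature-verified assertion and record its jti.

    Returns the jti on success and raises AssertionRejected otherwise. The
    max_lifetime bound is an assumption of this example, not something the
    thread specifies; it stops a far-future exp from pinning a jti row forever.
    """
    now = int(time.time()) if now is None else now
    missing = [c for c in REQUIRED_CLAIMS if c not in claims]
    if missing:
        raise AssertionRejected("missing claims: %s" % ", ".join(missing))
    if claims["iss"] != client_id or claims["sub"] != client_id:
        raise AssertionRejected("iss and sub must equal the authenticating client_id")
    aud = claims["aud"]
    audiences = [aud] if isinstance(aud, str) else list(aud)
    if token_endpoint not in audiences:
        raise AssertionRejected("aud does not contain the token endpoint")
    exp = int(claims["exp"])
    if exp <= now:
        raise AssertionRejected("assertion expired")
    if exp - now > max_lifetime:
        raise AssertionRejected("exp too far in the future")
    jti = str(claims["jti"])
    store.consume(client_id, jti, exp, now)
    return jti


def check(claims: dict, client_id: str, token_endpoint: str,
          store: JtiStore, now: int) -> str:
    """Convenience wrapper: returns "ok" or the rejection reason."""
    try:
        validate_client_assertion(claims, client_id, token_endpoint, store, now=now)
        return "ok"
    except AssertionRejected as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed sample: two clients present the same jti within its lifetime.
    ep = "https://localhost:9443/oauth2/token"  # assumed token endpoint URL
    t0 = 1515000000
    store = JtiStore()
    a = {"iss": "client-a", "sub": "client-a", "aud": ep, "exp": t0 + 120, "jti": "n-0S6_WzA2Mj"}
    b = dict(a, iss="client-b", sub="client-b")
    print(check(a, "client-a", ep, store, t0))        # ok
    print(check(a, "client-a", ep, store, t0 + 10))   # jti replayed
    print(check(b, "client-b", ep, store, t0 + 10))   # ok, scoped per client
    print(store.cleanup(t0 + 121), len(store))        # 2 0
```

The expiry check inside consume() means the store stays correct even if the cleanup job has not run yet; cleanup() only bounds table growth. Keying the row on (client_id, jti) rather than jti alone is the one-line difference between Farasath's suggestion and the behaviour the 5.3.0 patch has.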