Re: [Dev] Regarding the OIDC openid scope in WSO2 IS

2017-08-11 Thread Ashen Weerathunga
On Fri, Aug 11, 2017 at 10:13 AM, Farasath Ahamed 
wrote:

>
>
> On Friday, August 11, 2017, Omindu Rathnaweera  wrote:
>
>>
>>
>> On Thu, Aug 10, 2017 at 5:15 PM, Hasini Witharana 
>> wrote:
>>
>>> Hi,
>>>
>>> Currently I am working on making WSO2 IS OpenID Connect certified. I ran
>>> a test on requesting essential claims from OP, when the scope is openid. It
>>> gave an error saying unexpected claims returned.
>>>
>>
>> This is not an error, but a warning, correct?
>>
>>
>>> Then I inquired about this issue through the mailing list of OIDC
>>> specifications [1]. I got some information from that as openid scope
>>> should only return subject and issuer.
>>>
>>> IS 5.4.0 is supporting many claims for scope openid. They are :
>>>   sub,email,email_verified,name,family_name,given_name,middle_name,nickname,
>>>   preferred_username,profile,picture,website,gender,birthdate,zoneinfo,locale,
>>>   phone_number,phone_number_verified,address,street,updated_at
>>>
>>> I couldn't find where in the OIDC specification it mentions that the
>>> openid scope should only return subject and issuer.
>>>
>>
>> AFAIK, the spec has not specifically mentioned what we should
>> return for the openid scope and it only mentions what should be
>> returned for the default 4 scopes. However, it is understandable that the
>> test client expects a minimum set of claims when having only the openid
>> scope. If an RP needs additional claims, it should request them by
>> specifying additional scopes and/or essential claims. So I think the
>> correct behavior would be to return only a minimal set of claims for the
>> openid scope.
>>
>
> Since the spec hasn't specified this minimal set of claims, one can argue
> that it is something specific to an RP. This is how our current
> implementation works as well. Although we could define a set of claims bound
> to the 'openid' scope, the service provider could control what it needs
> from the claims bound to openid scope by using requested claims
> configuration.
>
> Changing 'openid' scope to return issuer and sub claims only will be a
> breaking change for many existing providers who rely on the additional
> claims (some of them could be mandatory in PoV of the RP)
>
> IMO, if the spec doesn't mandate what should be returned for openid scope
> then we can keep our existing implementation as it is.
>

+1 to keep existing claims if it's not a spec violation. Seems like we have
defined all the standard claims mentioned in the spec [1] under our openid
scope implementation. So if someone needs to remove some of the claims they can
remove them from the oidc configurations in the registry.

[1] http://openid.net/specs/openid-connect-core-1_0.html#StandardClaims


>
>>
>>> Can you please help me on this issue?
>>>
>>> Thank you.
>>>
>>>
>>> [1] - http://lists.openid.net/pipermail/openid-specs/2017-August/subject.html
>>>
>>> --
>>>
>>> *Hasini Witharana*
>>> Software Engineering Intern | WSO2
>>>
>>>
>>> *Email : hasi...@wso2.com*
>>>
>>> *Mobile : +94713850143*
>>>
>>
>>
>> Regards,
>> Omindu.
>>
>> --
>> Omindu Rathnaweera
>> Senior Software Engineer, WSO2 Inc.
>> Mobile: +94 771 197 211 <+94%2077%20119%207211>
>>
>
>
> --
> Farasath Ahamed
> Software Engineer, WSO2 Inc.; http://wso2.com
> Mobile: +94777603866
> Blog: blog.farazath.com
> Twitter: @farazath619 
> 
>
>
>
>
> ___
> Dev mailing list
> Dev@wso2.org
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>
>


-- 
*Ashen Weerathunga*
Software Engineer
WSO2 Inc.: http://wso2.com
lean.enterprise.middleware

Email: as...@wso2.com
Mobile: +94716042995
LinkedIn: http://lk.linkedin.com/in/ashenweerathunga



Re: [Dev] Regarding the OIDC openid scope in WSO2 IS

2017-08-11 Thread Hasanthi Purnima Dissanayake
Hi Hasini,


> IMO, if the spec doesn't mandate what should be returned for openid scope
> then we can keep our existing implementation as it is


+1. If we change this behavior it will break the existing scenarios of our
product users. AFAIR we discussed this in the past as well once we ran the
certification for basic and implicit profiles. According to the test client
it gives a warning as the server returns some unexpected claims.

> IS 5.4.0 is supporting many claims for scope openid. They are :
>   sub,email,email_verified,name,family_name,given_name,middle_name,nickname,
>   preferred_username,profile,picture,website,gender,birthdate,zoneinfo,locale,
>   phone_number,phone_number_verified,address,street,updated_at
>

Yes, in IS 5.4.0 it will return all those claims as we have defined all
these claims under openid scope inside the registry by default. So our
conclusion from the previous discussions was to handle such test case
specific scenarios by changing the defined claims for the openid scope
accordingly in the registry. If the users wish to get a minimum number of
claims with the scope 'openid' they need to define those claims in the
registry by changing the default configurations.

Thanks,

Hasanthi Dissanayake

Software Engineer | WSO2

E: hasan...@wso2.com
M :0718407133| http://wso2.com 
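
An added example, not part of the original thread and not WSO2 IS code: a simplified Python model of the behaviour discussed above, comparing the `openid` claim binding quoted in the thread with a minimal binding and reporting which returned claims a conformance client would flag as unexpected. The function names, the sample user and the per-SP allow-list are assumptions; the other scope mappings are those of OpenID Connect Core 1.0, section 5.4.

```python
# Added illustration: a simplified model of scope-to-claim filtering, not WSO2 IS code.

# Claims the thread lists as bound to the `openid` scope by default in IS 5.4.0.
IS_540_OPENID = (
    "sub,email,email_verified,name,family_name,given_name,middle_name,nickname,"
    "preferred_username,profile,picture,website,gender,birthdate,zoneinfo,locale,"
    "phone_number,phone_number_verified,address,street,updated_at"
).split(",")

# Scope-to-claim mapping from OpenID Connect Core 1.0, section 5.4.
SPEC_SCOPES = {
    "profile": {"name", "family_name", "given_name", "middle_name", "nickname",
                "preferred_username", "profile", "picture", "website", "gender",
                "birthdate", "zoneinfo", "locale", "updated_at"},
    "email": {"email", "email_verified"},
    "address": {"address"},
    "phone": {"phone_number", "phone_number_verified"},
}

DEFAULT_CONFIG = {"openid": set(IS_540_OPENID), **SPEC_SCOPES}  # as quoted in the thread
MINIMAL_CONFIG = {"openid": {"sub"}, **SPEC_SCOPES}             # hypothetical trimmed binding

# Constructed sample user attributes.
USER = {"sub": "alice", "email": "alice@example.com", "email_verified": True,
        "name": "Alice Example", "phone_number": "+94000000000",
        "street": "1 Example Road"}


def released_claims(config, scopes, user, essential=(), sp_requested=None):
    """Return the user claims released for a request under `config` (model)."""
    allowed = {"sub"}
    for scope in scopes:
        allowed |= config.get(scope, set())
    allowed |= set(essential)      # claims asked for individually via the `claims` parameter
    if sp_requested is not None:   # hypothetical per-service-provider allow-list
        allowed &= set(sp_requested) | {"sub"}
    return {name: value for name, value in user.items() if name in allowed}


def unexpected_claims(returned, scopes, essential=()):
    """Claims returned that neither the requested scopes nor `claims` asked for."""
    expected = {"sub"} | set(essential)
    for scope in scopes:
        expected |= SPEC_SCOPES.get(scope, set())
    return sorted(set(returned) - expected)


if __name__ == "__main__":
    for label, config in (("default", DEFAULT_CONFIG), ("minimal", MINIMAL_CONFIG)):
        out = released_claims(config, ["openid"], USER, essential=["name"])
        print(label, sorted(out), "unexpected:",
              unexpected_claims(out, ["openid"], essential=["name"]))
```
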



[Dev] WSO2 Identity Server 5.4.0-M2 Released!

2017-08-11 Thread Rushmin Fernando
The WSO2 Identity Server team is pleased to announce the 2nd Milestone of
WSO2 Identity Server 5.4.0. You can download this distribution from the
following location.

https://github.com/wso2/product-is/releases/tag/v5.4.0-m2

Following list contains all the features, improvements and bug fixes
available with this milestone.

New Feature

   - [IDENTITY-6086] - Cluster-wide local cache invalidation for Identity caches
   - [IDENTITY-6180] - OAuth Scopes API

Improvement

   - [IDENTITY-5502] - Add ability to NameIDType in SAML SSO Federated Authenticator configs
   - [IDENTITY-5544] - Error while trying to define user password after receiving an activation email when the Ask password feature is enabled.
   - [IDENTITY-5890] - Thrift server keystore password doesn't support securevault
   - [IDENTITY-6038] - Customizing oauth2 token expiry times according to the SP
   - [IDENTITY-6103] - Possible connection leak in UserAccountAssociationDAO.getAssociationsOfUser
   - [IDENTITY-6120] - Improvement in IdentityEventConfigBuilder
   - [IDENTITY-6150] - Introduce a new Configuration Property to decide the poolsize for OAuth Persistence tasks
   - [IDENTITY-6166] - Update UI for Lock Idle Accounts
   - [IDENTITY-6169] - Optimizations for token endpoint
   - [IDENTITY-6177] - [SCIM] When listing all the users, admin user details won't retrieved, but retrieved with the filtering
   - [IDENTITY-6236] - Add SCIM2 event listener to identity.xml

Bug

   - [IDENTITY-4127] - SCIM Outbound Provisioning Fails due to Ask Password feature disabled
   - [IDENTITY-4159] - Error when processing the authentication request! (SAML2) ... Caused by: java.util.zip.ZipException: incorrect header check
   - [IDENTITY-4222] - Issue with secondary user store's user's permission which secondary user store created in tenant
   - [IDENTITY-4491] - Provisioning patterns are not showing properly salesforce for provisioning connector configuration is
   - [IDENTITY-4581] - Configuring federated identity providers for file based SP does not works correctly
   - [IDENTITY-4880] - Distinguish local and federated users in IDN_OAUTH2_AUTHORIZATION_CODE and IDN_OAUTH2_ACCESS_TOKEN tables
   - [IDENTITY-4977] - Expiration time of commonAuthId cookie is wrong when a different tenant user logged into saas app
   - [IDENTITY-4989] - UserInfo cannot be obtained for access tokens obtained with SAML2 Bearer grant type with SAML federated scenario
   - [IDENTITY-4994] - NPE on tenant deactivation
   - [IDENTITY-5003] - Secondary store users do not get provisioned when EmailUserName is enabled in carbon.xml
   - [IDENTITY-5038] - [Federation] [JIT provisioning] provisioned facebook user saved as user id in IS when multi step authentication
   - [IDENTITY-5126] - Subject claim retrieval is not consistent when claim mappings are not done in tenant mode.
   - [IDENTITY-5375] - Access token revoked for a different Application's encoded key
   - [IDENTITY-5612] - SSO fails for valid authenticated sessions after migrating from IS 5.1.0 to IS 5.2.0
   - [IDENTITY-5715] - XACML simple policy evaluation fails when the templated policies enabled
   - [IDENTITY-5756] - Getting null pointer exceptions when testing SSO
   - [IDENTITY-5764] - Older ClaimAdminService should be backward compatible
   - [IDENTITY-5765] - Problem with response when XCAML policy with AdviceExpressions/ObligationExpressions and calling PDP's REST API with json response type
   - [IDENTITY-

Re: [Dev] API Manager with EI Analytics

2017-08-11 Thread Júnior
Thank you Rukshan!!

I will go through it!

Thanks!

2017-08-11 6:03 GMT-03:00 Rukshan Premathunga :

> Hi Júnior,
>
> ESB and APIM Analytics can be a shared server (APIM analytics, ESB
> analytics or DAS). Please check [1] for installing APIM analytics
> features on other analytics/DAS server and doc [2] for different analytics
> profiles that can be used.
>
> [1] https://docs.wso2.com/display/AM210/Installing+WSO2+APIM+Analytics+Features
> [2] https://docs.wso2.com/display/DAS310/Working+with+Product+Specific+Analytics+Profiles
>
> Thanks and Regards
>
> On Sat, Aug 5, 2017 at 11:39 PM, Júnior  wrote:
>
>> Hi all,
>>
>> In the docs for API Manager for analytics it is done by using WSO2 API
>> Manager Analytics.
>>
>> Is it possible to have API Manager to use the Analytics Server on EI
>> 6.1.1?
>>
>> Is it possible to have both ESB and API Manager sharing the same
>> Analytics Server so, we can have in one place analytics for both API and
>> ESB?
>>
>> Thanks,
>>
>> --
>> Francisco Ribeiro
>> *SCEA|SCJP|SCWCD|IBM Certified SOA Associate*
>>
>>
>>
>
>
> --
> Rukshan Chathuranga.
> Software Engineer.
> WSO2, Inc.
> +94711822074 <+94%2071%20182%202074>
>



-- 
Francisco Ribeiro
*SCEA|SCJP|SCWCD|IBM Certified SOA Associate*


[Dev] Amazon Lambda connector for WSO2 Enterprise Integrator

2017-08-11 Thread Miyuru Madusanka
Hello dev guys at WSO2,

I am working with the project and need some help from you. I need to know
what are the resources I need to know/follow to work on the below project.
I am not familiar with any of your products earlier. So, could you please
suggest how should I start or what are the things I need to practice? Your
answers are much appreciated.

Thank you.

Amazon Lambda connector for WSO2 Enterprise Integrator


[Dev] [VOTE] Release of WSO2 IoT Server 3.1.0 RC version 4

2017-08-11 Thread Milan Perera
Hi Devs,

We are pleased to announce the release candidate version 4 of WSO2 IoT Server
3.1.0.

Please download, test the product and vote. Vote will be open for 72 hours
or as needed.

Known issues : https://github.com/wso2/product-iots/issues-RC4


Source and binary distribution files:
https://github.com/wso2/product-iots/releases/tag/v3.1.0-RC4

The tag to be voted upon:
https://github.com/wso2/product-iots/tree/v3.1.0-RC4

Please vote as follows.
[+] Stable - go ahead and release
[-] Broken - do not release (explain why)

Thank you

Regards,
-- 
*Milan Perera *| Senior Software Engineer
WSO2, Inc | lean. enterprise. middleware.
#20, Palm Grove, Colombo 03, Sri Lanka
Mobile: +94 77 309 7088 | Work: +94 11 214 5345
Email: mi...@wso2.com  | Web: www.wso2.com




Re: [Dev] Please review and merge the PR

2017-08-11 Thread Dilan Udara Ariyaratne
Thanks, Ashen.

Your PR was merged on to carbon-kernel-4.4.x branch.

Regards,
Dilan.

*Dilan U. Ariyaratne*
Senior Software Engineer
WSO2 Inc. 
Mobile: +94766405580 <%2B94766405580>
lean . enterprise . middleware


On Fri, Aug 11, 2017 at 3:33 PM, Ashen Weerathunga  wrote:

> Hi Dilan,
>
> I have done the changes and successfully built the component and kernel
> with the tests.
>
> Thanks,
> Ashen
>
> On Fri, Aug 11, 2017 at 8:09 AM, Dilan Udara Ariyaratne 
> wrote:
>
>> Hi Ashen,
>>
>> Added Few more suggestions. Please go through and verify.
>>
>> Thanks,
>> Dilan.
>>
>> *Dilan U. Ariyaratne*
>> Senior Software Engineer
>> WSO2 Inc. 
>> Mobile: +94766405580 <%2B94766405580>
>> lean . enterprise . middleware
>>
>>
>> On Thu, Aug 10, 2017 at 7:23 PM, Ashen Weerathunga 
>> wrote:
>>
>>> Hi Dilan,
>>>
>>> I have done the requested changes and updated the PR.
>>>
>>> Thanks,
>>> Ashen
>>>
>>> On Thu, Aug 10, 2017 at 6:23 AM, Dilan Udara Ariyaratne wrote:
>>>
>>>> Hi Ashen,
>>>>
>>>> Went through the code and added few comments, Please go through and
>>>> verify.
>>>>
>>>> Thanks,
>>>> Dilan.
>>>>
>>>> *Dilan U. Ariyaratne*
>>>> Senior Software Engineer
>>>> WSO2 Inc.
>>>> Mobile: +94766405580
>>>> lean . enterprise . middleware
>>>>
>>>>
>>>> On Wed, Aug 9, 2017 at 1:44 PM, Ashen Weerathunga
>>>> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> Can you please review and merge the PR [1]. This is regarding the
>>>>> Issue [2].
>>>>>
>>>>> [1] https://github.com/wso2/carbon-kernel/pull/1464
>>>>> [2] https://github.com/wso2/carbon-kernel/issues/1467
>>>>>
>>>>>
>>>>> Thanks,
>>>>> Ashen
>>>>> --
>>>>> *Ashen Weerathunga*
>>>>> Software Engineer
>>>>> WSO2 Inc.: http://wso2.com
>>>>> lean.enterprise.middleware
>>>>>
>>>>> Email: as...@wso2.com
>>>>> Mobile: +94716042995
>>>>> LinkedIn: http://lk.linkedin.com/in/ashenweerathunga
>>>>>
>>>>
>>>
>>>
>>> --
>>> *Ashen Weerathunga*
>>> Software Engineer
>>> WSO2 Inc.: http://wso2.com
>>> lean.enterprise.middleware
>>>
>>> Email: as...@wso2.com
>>> Mobile: +94716042995 <94716042995>
>>> LinkedIn: *http://lk.linkedin.com/in/ashenweerathunga
>>> *
>>> 
>>>
>>
>>
>
>
> --
> *Ashen Weerathunga*
> Software Engineer
> WSO2 Inc.: http://wso2.com
> lean.enterprise.middleware
>
> Email: as...@wso2.com
> Mobile: +94716042995 <94716042995>
> LinkedIn: *http://lk.linkedin.com/in/ashenweerathunga
> *
> 
>


Re: [Dev] Please review and merge the PR

2017-08-11 Thread Ashen Weerathunga
Hi Dilan,

I have done the changes and successfully built the component and kernel
with the tests.

Thanks,
Ashen



-- 
*Ashen Weerathunga*
Software Engineer
WSO2 Inc.: http://wso2.com
lean.enterprise.middleware

Email: as...@wso2.com
Mobile: +94716042995
LinkedIn: http://lk.linkedin.com/in/ashenweerathunga



Re: [Dev] API Manager with EI Analytics

2017-08-11 Thread Rukshan Premathunga
Hi Júnior,

ESB and APIM Analytics can be a shared server (APIM analytics, ESB analytics
or DAS). Please check [1] for installing APIM analytics features on
other analytics/DAS server and doc [2] for different analytics profiles that
can be used.

[1] https://docs.wso2.com/display/AM210/Installing+WSO2+APIM+Analytics+Features
[2] https://docs.wso2.com/display/DAS310/Working+with+Product+Specific+Analytics+Profiles

Thanks and Regards



-- 
Rukshan Chathuranga.
Software Engineer.
WSO2, Inc.
+94711822074