Re: [Dev] [Iam-dev] [VOTE] Release WSO2 Identity Server 5.11.0 RC1

2020-11-17 Thread Hasanthi Purnima Dissanayake
Hi all,

Tested the following in the WSO2-IS-5.11.0-RC1.

SCIM Users endpoint

- GET/ Get User by ID
- POST/ Create User
- DELETE/ Delete User by ID
- GET/ Get Users
- POST/ Search Users
- PATCH/ Update User
- PUT/ Update User


SCIM Me Endpoint

- POST/ Create Me
- DELETE/ Delete Me
- GET/ Get Me
- PATCH/ Update Me
- PUT/ Update User

No blocking issues were found.
[+] Stable - go ahead and release

Thanks,
Hasanthi


On Tue, Nov 17, 2020 at 8:54 PM Dinika Senarath  wrote:
>
> Hi all,
>
> Tested the following in the WSO2-IS-5.11.0-RC1
>
> Password recovery flows (notification based/challenge question based)
> Username recovery
> SMS OTP authenticator
> TOTP authenticator
> Email/Mobile verification on update flows
> SCIM outbound provisioning (for resident SP/Oauth SPs)
> Authorization using XACML policies
>
> No blocking issues were found.
> [+] Stable - go ahead and release
>
> Regards,
> Dinika
>
> On Tue, Nov 17, 2020 at 6:13 PM Janak Amarasena  wrote:
>>
>> Hi All,
>>
>> Tested the following flows using a tenant with the user in JDBCUniqueId 
>> secondary userstore.
>>
>> DCR create/get/update/delete
>> Following OAuth2/OIDC grants/flows
>>
>> Authorization code
>> Authorization code with PKCE
>> Client credentials
>> Password
>> Refresh token
>> Implicit
>> OIDC hybrid flow
>>
>> No Blockers found.
>> [+] Stable - go ahead and release.
>>
>> Best Regards,
>> Janak
>>
>> On Tue, Nov 17, 2020 at 6:37 AM Isura Karunaratne  wrote:
>>>
>>> Hi all,
>>>
>>> Tested the following flows.
>>>
>>> Password Recovery with Email
>>> Password Recovery with Security Questions.
>>> Self User Registration.
>>> Account Locking
>>> Account Disabling.
>>> Password History validation.
>>> Password Pattern Validation.
>>>
>>> No Blockers found.
>>> [+] Stable - go ahead and release.
>>>
>>> Cheers,
>>> Isura.
>>>
>>> On Mon, Nov 16, 2020 at 10:47 PM Sathya Bandara  wrote:

>>>> Hi All,
>>>>
>>>> Tested following authentication/provisioning flows.
>>>>
>>>> Federated authentication with OIDC
>>>> Inbound authentication with OIDC
>>>> Userstore Based Adaptive Authentication
>>>> TOTP Based 2 Factor Authentication
>>>> Basic SCIM2 inbound operations
>>>> Outbound provisioning with SCIM
>>>>
>>>> No Blockers found.
>>>> [+] Stable - go ahead and release.
>>>>
>>>> Thanks,
>>>> Sathya
>>>>
>>>> On Sat, Nov 14, 2020 at 6:09 PM Nipuni Paaris wrote:
>>>>>
>>>>> Hi all,
>>>>>
>>>>> We are pleased to announce the first release candidate of WSO2 Identity
>>>>> Server 5.11.0.
>>>>>
>>>>> New Features:
>>>>>
>>>>> 1. New react based Console application(BETA) with developer and
>>>>> administrator views to manage and maintain the features offered by the
>>>>> Identity Server.
>>>>> 2. Enhanced My Account application(known as User Portal in 5.10.0) for
>>>>> users to manage their account-related preferences.
>>>>> 3. Data protection with symmetric key encryption.
>>>>> 4. User groups and roles separation and new Role Management API.
>>>>> 5. CORS management APIs.
>>>>> 6. Open SAML 3 upgrade.
>>>>>
>>>>> Fixes and Improvements:
>>>>> This release includes the following issue fixes and improvements:
>>>>>
>>>>> 5.11.0-M4
>>>>> 5.11.0-M9
>>>>> 5.11.0-M10
>>>>> 5.11.0-M11
>>>>> 5.11.0-M12
>>>>> 5.11.0-M13
>>>>> 5.11.0-M14
>>>>> 5.11.0-M15
>>>>> 5.11.0-M16
>>>>> 5.11.0-M17
>>>>> 5.11.0-M18
>>>>> 5.11.0-M19
>>>>> 5.11.0-M20
>>>>> 5.11.0-M21
>>>>> 5.11.0-M22
>>>>> 5.11.0-M23
>>>>> 5.11.0-M24
>>>>> 5.11.0-M25
>>>>> 5.11.0-M26
>>>>> 5.11.0-M27
>>>>> 5.11.0-M28
>>>>> 5.11.0-M29
>>>>> 5.11.0-M30
>>>>> 5.11.0-M32
>>>>> 5.11.0-M34
>>>>> 5.11.0-M35
>>>>> 5.11.0-Alpha
>>>>> 5.11.0-Alpha2
>>>>> 5.11.0-Alpha3
>>>>> 5.11.0-Beta
>>>>> 5.11.0-Beta2
>>>>> 5.11.0-Beta3
>>>>> 5.11.0-Beta4
>>>>> 5.11.0-Beta5
>>>>> 5.11.0-RC
>>>>>
>>>>> Source and Distribution
>>>>> The source and distribution are available at
>>>>> https://github.com/wso2/product-is/releases/tag/v5.11.0-rc1
>>>>>
>>>>> Documentation
>>>>> The product documentation for this version is available at
>>>>> https://is.docs.wso2.com/en/5.11.0
>>>>>
>>>>> Please download the product, test it, and vote using the following
>>>>> convention.
>>>>> [+] Stable - go ahead and release
>>>>> [-] Broken - do not release (explain why)
>>>>>
>>>>> Thank you,
>>>>> WSO2 Identity and Access Management Team.
>>>>>
>>>>> Nipuni Paaris | Software Engineer | WSO2 Inc.
>>>>> (m) +94 077 9028904 | (w) +94 011 2145345 | (e): nipu...@wso2.com
>>>>>


>>>> --
>>>> Sathya Bandara
>>>> Senior Software Engineer
>>>> Blog: https://medium.com/@technospace
>>>> WSO2 Inc. http://wso2.com
>>>> Mobile: (+94) 715 360 421
>>>>
>>>> ___
>>>> Dev mailing list
>>>> Dev@wso2.org
>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>
>>>
>>>
>>> --
>>> Isura Dilhara Karunaratne
>>> Technical Lead | WSO2
>>> lean.enterprise.middleware
>>> Email: is...@wso2.com
>>> Mob : +94 772 254 810
>>> Blog : https://medium.com/@isurakarunaratne
>>>
>>>

Re: [Dev] [Iam-dev] [VOTE] Release WSO2 Identity Server 5.10.0 RC2

2020-03-11 Thread Hasanthi Purnima Dissanayake
Hi All,

Tested following flows in UMA 2.0

 1. Registration Endpoint
 2. Permission Endpoint
 3. Introspection Endpoint
 4. Obtaining an RPT using UMA Grant Type
 5. Obtaining an access token using Password Grant Type

No Blockers found.

[+] Stable - go ahead and release.

Thanks,
Hasanthi


On Sun, Mar 8, 2020 at 11:26 PM Janak Amarasena  wrote:

> Hi all,
>
> We are pleased to announce the second release candidate of WSO2 Identity
> Server 5.10.0.
>
>
> *New Features:*
>
>    1. Passwordless authentication support
>    2. An improved User Portal
>    3. New RESTful APIs for user self-services and server management
>    4. Scope based authorization for internal REST APIs
>    5. Unique User ID support
>    6. Tenant wise email-sender configuration
>
>
>
> *Fixes:*
> This release includes the following issue fixes and improvements:
>
>    - 5.10.0-M1
>    - 5.10.0-M2
>    - 5.10.0-M3
>    - 5.10.0-M4
>    - 5.10.0-M5
>    - 5.10.0-M6
>    - 5.10.0-M7
>    - 5.10.0-M8
>    - 5.10.0-M9
>    - 5.10.0-Alpha
>    - 5.10.0-Alpha2
>    - 5.10.0-Alpha3
>    - 5.10.0-Beta
>    - 5.10.0-Beta2
>    - 5.10.0-Beta3
>    - 5.10.0-GA
>
>
> *Source and Distribution*
> The source and distribution are
> available at https://github.com/wso2/product-is/releases/tag/v5.10.0-rc2
>
>
> Please download the product, test it, and vote using the following
> convention.
> [+] Stable - go ahead and release
> [-] Broken - do not release (explain why)
>
>
> Thank you,
> WSO2 Identity and Access Management Team
>
> --
> *Janak Amarasena* | Senior Software Engineer | WSO2 Inc.
> (m) +9464144 | (w) +94112145345 | (e) ja...@wso2.com
>
>
> 
> ___
> Iam-dev mailing list
> iam-...@wso2.org
> http://wso2.org/cgi-bin/mailman/listinfo/iam-dev
>


-- 

Hasanthi Dissanayake | Associate Technical Lead | WSO2 Inc.
(m) +94718407133 | (w) +94112145345  | Email: hasan...@wso2.com  | Blog:
https://medium.com/@hasanthipurnimadissanayake


[Dev] WSO2 Committers += Buddhima Udaranga

2020-01-28 Thread Hasanthi Purnima Dissanayake
Hi All,

It's my pleasure to announce Buddhima Udaranga as a WSO2 Committer. He has
been a valuable contributor and enthusiast to the WSO2 IAM team.

In recognition of his contribution, dedication, and commitment he has been
voted as a WSO2 committer.

Congratulations Buddhima and keep up the good work...!!!

Thanks,
Hasanthi
-- 

Hasanthi Dissanayake | Associate Technical Lead | WSO2 Inc.
(m) +94718407133 | (w) +94112145345  | Email: hasan...@wso2.com  | Blog:
https://medium.com/@hasanthipurnimadissanayake


Re: [Dev] [VOTE] Release WSO2 Identity Server 5.9.0 RC2

2019-10-02 Thread Hasanthi Purnima Dissanayake
Hi All,

Tested following flows and working as expected.

- Obtained access tokens using the following grant types.

   - authorization code grant type
   - password grant type
   - implicit grant type
   - client-credential grant type

- Access token revocation
- JWKS endpoint

[+] Stable - go ahead and release

Thanks,
Hasanthi

On Thu, Oct 3, 2019 at 9:44 AM Wijith Bandara  wrote:

> Hi all
>
> Verified and validated below listed features are working as expected.
>
> QSG
> - Single-Sign-On with SAML2
> - Single-Sign-On with OIDC
> - Multi-Factor Authentication
> - Google as a Federated Authenticator
> - Self-Signup
> - Creating a workflow
>
> Multi Options Authentication with local authenticators (basic,
> X509Certificate)
> Multi Options Authentication with federated authenticators (SAML2 Web SSO,
> Google, Yahoo)
> Multi Options Authentication with federated authenticators (OAuth2/OpenID
> Connect, Facebook, Twitter)
> Multi-Factor Authentication with federated authenticators(SAML2 Web SSO,
> Google, Yahoo, basic)
>
> No blocker issue found +1 to proceed
>
> Thanks,
> wijith
>
> On Thu, Oct 3, 2019 at 9:16 AM Achini Jayasena  wrote:
>
>> Hi All,
>>
>> Tested and verified with performance test and long running test. Test
>> result match with the expectations.
>>
>> *Performance test*
>>
>> *Summary:* Performance has been improved compared to the product
>> version 5.8
>>
>> Deployment
>>
>>    - OS: Ubuntu
>>    - DB: Mysql
>>    - Heap: 4G/2G
>>    - CPU cores: 4
>>    - Concurrent users: 50, 100, 150, 300, 500
>>
>> Scenarios:
>>
>>    - Authenticate_Super_Tenant_User
>>    - OAuth_AuthCode_Redirect_WithConsent
>>    - OAuth_Client_Credentials_Grant
>>    - OAuth_Implicit_Redirect_WithConsent
>>    - OAuth_Password_Grant
>>    - OIDC_AuthCode_Redirect_WithConsent
>>    - OIDC_AuthCode_Request_Path_Authenticator_WithConsent
>>    - OIDC_Implicit_Redirect_WithConsent
>>    - OIDC_Password_Grant
>>    - SAML2_SSO_Redirect_Binding
>>    - Challenge questions by super tenant users
>>    - Refresh token refresh grant - Renewal false
>>
>> *Long running test*
>>
>> *Summary:* No issue reported.
>>
>> Deployment:
>>
>>    - IS node
>>       - Instance type: c5.xlarge
>>       - vCPU: 4
>>       - RAM: 8GB
>>       - Heap: 2G allocated for IS
>>    - RDS as the MySQL DB
>>       - Mysql engine version: 5.7.22
>>       - vCPU: 4
>>       - Instance class: db.m4.xlarge
>>       - RAM: 16 GB
>>       - Storage: 100 GiB
>>    - Executing test scenarios:
>>       - Authenticate_Super_Tenant_User
>>       - OAuth_AuthCode_Redirect_WithConsent
>>       - OAuth_Password_Grant
>>       - OIDC_AuthCode_Redirect_WithConsent
>>       - OIDC_Implicit_Redirect_WithConsent
>>       - OIDC_Password_Grant
>>       - OIDC_AuthCode_Request_Path_Authenticator_WithConsent
>>       - SAML2_SSO_Redirect_Binding
>>    - Concurrency: 20
>>    - TPS: 240 per minute
>>
>> No blocking issue reported. +1 for proceed. :)
>>
>>
>> *Thanks & Best Regards!*
>>
>> *Achini Jayasena*
>> *Software Engineer - QA | WSO2*
>>
>> Email: achi...@wso2.com
>> Mobile: +94 713 882 897
>>
>>
>> On Wed, Oct 2, 2019 at 10:31 PM Mathuriga Thavarajah 
>> wrote:
>>
>>> Hi All,
>>>
>>> Security Scanning reports (Static and Dynamic) were analyzed and
>>> reviewed. Hence +1 from the Platform Security Team for proceeding with
>>> the release.
>>>
>>> Thanks.
>>>
>>> Regards,
>>> Mathuriga.
>>>
>>> On Wed, Oct 2, 2019 at 10:08 PM Niluka Sripali Monnankulama <
>>> nil...@wso2.com> wrote:
>>>
>>>> Hi all,
>>>>
>>>> Verified and validated below listed features are working as expected.
>>>>
>>>> Test Environment
>>>> OS - MAC O/S, Windows-Server-2016-standard-64bit
>>>> Java version - 1.8.0_171, 11.0.4
>>>> Database - H2, Oracle 12c
>>>> User type - Primary, Secondary, Super user and Tenant user
>>>>
>>>> - User management with multilayer approval
>>>> - Manage user stores (Create, update, delete, disable)
>>>> - Configuring Claims for a Service Provider
>>>> - Consent Management for Self Sign Up
>>>> - Single Sign-On / Federated authentication for a web application
>>>>   with SAML - SP-Init, IDP-Init
>>>> - SAML2 IdP Initiated Single Logout
>>>>    - Front channel post binding
>>>>    - Front channel redirect binding
>>>>    - Backchannel
>>>> - SAML SSO with end-user consent and claim mapping
>>>> - Add a custom claim to OIDC
>>>> - Adding Multiple Federated authenticators
>>>> - Bypassing the IS authenticator selection page
>>>> - Identity Analytics - SSO analyzed via WSO2 IS Analytics.
>>>> - QSG - Self signup, workflow management
>>>> - JIT provision
>>>> - Ask Password
>>>> - Add Email template
>>>> - Connectors - GITHUB, LinkedIn, Google
>>>> - Installing as a Windows Service (Java version - 1.8.0_171)
>>>> - REST APIs

[Dev] [Architecture][IAM] Moving the artefacts in tenant space to a generic place

2019-07-04 Thread Hasanthi Purnima Dissanayake
Hi All,

As the second step of removing file based artefacts from the Identity
Server, we have started the $subject. In the tenant space two artefacts
were identified: EmailPublisher.xml and id_gov_notify_stream_1.0.0.json.
These files are static files and there is no requirement to configure those
tenant wise from Identity Server. Hence the proposed solution is to consume
the files residing in the super tenant to trigger the email based on those
files.

After discussing with @Ruwan Abeykoon and @Mohanadarshan
Vivekanandalingam, we started a super tenant flow before
publishing the stream to the analytics common level. So it will consume the
super tenant's EmailPublisher.xml and id_gov_notify_stream_1.0.0.json files
to trigger the e-mail. Had a round of testing with the fix and found no
issues.

[1] [Architecture][Dev][IAM] Moving File Based Artifacts to Artifact Store

Thanks,
Hasanthi


-- 

Hasanthi Dissanayake | Senior Software Engineer | WSO2 Inc.
(m) +94718407133 | (w) +94112145345  | Email: hasan...@wso2.com


Re: [Dev] [Infra][Cluster]WSO2 IS 5.3.0 Cluster

2019-06-13 Thread Hasanthi Purnima Dissanayake
Hi Praveen,

Once the cluster set up is successful you will be able to see ‘member joined’
log messages in all consoles. Please refer to [1] and [2], which describe
how to set up a cluster.

[1] https://docs.wso2.com/display/IS530/Setting+Up+Deployment+Pattern+1
[2] https://docs.wso2.com/display/CLUSTER44x/Setting+up+a+Cluster

Thanks,
Hasanthi

On Thu, Jun 13, 2019 at 6:49 PM Praveen Kumar K S 
wrote:

> Hello Team,
>
> I would like to know how to verify if my WSO2 IS 5.3.0 has formed the
> cluster. In the official documentation of WSO2 IS 5.3.0, there are no steps
> to test the cluster. Please advise if there are any commands.
>
> Regards,
> Praveen Kumar K S
> +91-9986855625
>


-- 

Hasanthi Dissanayake | Senior Software Engineer | WSO2 Inc.
(m) +94718407133 | (w) +94112145345  | Email: hasan...@wso2.com


Re: [Dev] Regarding SCIM Patch Add With Path Attribute - How to Handle the Few Addressed Use-case

2019-06-05 Thread Hasanthi Purnima Dissanayake
Hi Sarubi,

> 1. According to the SCIM protocol specification, if the "path" attribute is
> not provided in the request then we assume that the target location is
> resource itself.
>
> If omitted, the target location is assumed to be the resource
>> itself. The "value" parameter contains a set of attributes to be
>> added to the resource.
>
>
> But if the path attribute is present in the request but path attribute
> value is empty. In this case, how we are going to treat the request, are we
> going to assume the target location as a resource itself and process the
> Patch Add operation or going to throw an error? if we are going to throw an
> error what should be the error message?
>

As the path is an optional parameter, if the request contains the path
parameter, then we need to honour it and throw an error message if the
value is empty.

> 2. According to the specification, path attribute can have a filter
> condition. as an example,
>
>  "path":"addresses[type eq \"work\"]"
>
> Where we going to patch the address its type is equal to work.
>
> Under the Patch Add operation, we haven't specifically instructed how we
> need to handle it.
> So how we are going to handle this kind of use-case?
> But this is kind of Patch Replace upon provided condition. In Patch
> Replace it has been explained how we going to treat.
> So shall we treat this kind of operation as patch replace?
>

As the spec does not specify anything for patch add, let's treat these
operations in the same way as patch replace.

Thanks,
Hasanthi

On Wed, Jun 5, 2019 at 12:15 PM Sarubi Thillainathan 
wrote:

> Hi All,
>
> Currently, I'm working on to support the "path" attribute in the SCIM
> PATCH ADD operation. While working on that, I come across some confusion on
> how we are going to handle the following few use-cases.
> 1. According to the SCIM protocol specification, if the "path" attribute
> is not provided in the request then we assume that the target location is
> resource itself.
>
> If omitted, the target location is assumed to be the resource
>> itself. The "value" parameter contains a set of attributes to be
>> added to the resource.
>
>
> But if the path attribute is present in the request but path attribute
> value is empty. In this case, how we are going to treat the request, are we
> going to assume the target location as a resource itself and process the
> Patch Add operation or going to throw an error? if we are going to throw an
> error what should be the error message?
>
> 2. According to the specification, path attribute can have a filter
> condition. as an example,
>
>  "path":"addresses[type eq \"work\"]"
>
> Where we going to patch the address its type is equal to work.
>
> Under the Patch Add operation, we haven't specifically instructed how we
> need to handle it.
> So how we are going to handle this kind of use-case?
> But this is kind of Patch Replace upon provided condition. In Patch
> Replace it has been explained how we going to treat.
> So shall we treat this kind of operation as patch replace?
>
> Please provide your guidance around this.
> [1] https://tools.ietf.org/html/rfc7644#section-3.5.2.1
>
> Thanks,
> Sarubi.
> --
> *Sarubi Thillainathan* | Software Engineer | WSO2 Inc.
> (m) +94 (0) 76 684 9101 | (e) sar...@wso2.com,stsa...@gmail.com
>
>


-- 

Hasanthi Dissanayake | Senior Software Engineer | WSO2 Inc.
(m) +94718407133 | (w) +94112145345  | Email: hasan...@wso2.com
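
The handling agreed in this thread for a SCIM PATCH "add" operation (path omitted, path present but empty, path with a value filter treated like replace), as an added example that is not part of the original mails or of WSO2's code. The names apply_patch_add, ScimError and SAMPLE_USER are hypothetical, and the scimType codes (invalidPath, noTarget, invalidValue) are taken from RFC 7644 as an assumption, since the thread does not name the error; URN-prefixed paths and filter operators other than "eq" are out of scope.

```python
import copy
import re

# attr[sub eq "value"] with an optional .subAttr suffix; only "eq" is handled here.
_VALUE_PATH = re.compile(r'^(\w+)\[(\w+) eq "([^"]*)"\](?:\.(\w+))?$')
_SIMPLE_PATH = re.compile(r'^(\w+)(?:\.(\w+))?$')

SAMPLE_USER = {  # constructed sample resource, not taken from the thread
    "userName": "bjensen",
    "emails": [{"type": "home", "value": "b@example.org"}],
    "addresses": [
        {"type": "work", "locality": "Colombo"},
        {"type": "home", "locality": "Kandy"},
    ],
}


class ScimError(Exception):
    """Carries the HTTP status and scimType a SCIM error response would use."""

    def __init__(self, scim_type, detail, status=400):
        super().__init__(detail)
        self.scim_type = scim_type
        self.status = status


def _merge(target, attrs):
    """Add semantics: append to multi-valued attributes, set everything else."""
    for name, value in attrs.items():
        if isinstance(target.get(name), list) and isinstance(value, list):
            target[name].extend(value)
        else:
            target[name] = value


def apply_patch_add(resource, op):
    """Return a patched copy of `resource` for one PATCH operation with op "add"."""
    patched = copy.deepcopy(resource)
    value = op.get("value")

    # Case 1a: "path" omitted, so the target is the resource itself.
    if "path" not in op:
        if not isinstance(value, dict):
            raise ScimError("invalidValue", "add without path needs an object of attributes")
        _merge(patched, value)
        return patched

    # Case 1b: "path" supplied but empty: honour the parameter and reject the request.
    path = op["path"]
    if not isinstance(path, str) or not path.strip():
        raise ScimError("invalidPath", '"path" is present but empty')
    path = path.strip()

    # Case 2: value filter in the path, handled the same way as PATCH replace.
    m = _VALUE_PATH.match(path)
    if m:
        attr, sub, wanted, leaf = m.groups()
        hits = [e for e in (patched.get(attr) or [])
                if isinstance(e, dict) and e.get(sub) == wanted]
        if not hits:
            raise ScimError("noTarget", f"no {attr} element has {sub} eq {wanted!r}")
        for element in hits:
            if leaf:
                element[leaf] = value
            elif isinstance(value, dict):
                element.update(value)
            else:
                raise ScimError("invalidValue", "filtered target needs an object value")
        return patched

    # Remaining case: plain attribute or attribute.subAttribute path.
    m = _SIMPLE_PATH.match(path)
    if not m:
        raise ScimError("invalidPath", f"unsupported path: {path}")
    attr, sub = m.groups()
    if sub:
        container = patched.setdefault(attr, {})
        if not isinstance(container, dict):
            raise ScimError("invalidPath", f"{attr} has no sub-attributes")
        container[sub] = value
    elif isinstance(patched.get(attr), list):
        patched[attr].extend(value if isinstance(value, list) else [value])
    else:
        patched[attr] = value
    return patched
```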


[Dev] [Architecture][IAM] Moving File Based Artifacts to Artifact Store

2019-06-04 Thread Hasanthi Purnima Dissanayake
Hi All,

*Problem *
Currently, some artifacts like userstores, tenants' data, etc. are stored
in the file system (not in the database). So when using a clustered setup
those artifacts should be shared among all the nodes by using one of the
following file sharing mechanisms.

   - Dep Sync
   - rSync
   - Shared File System


*Solution *
In order to avoid a shared file system and to reduce the deployment and
maintenance overhead, those artifacts can be persisted in the database
itself.

*Approach*
After discussing with @Ruwan Abeykoon and @Isura
Karunaratne, we have two options to persist the above discussed
artifact details.

   - In the configuration store which is already implemented as discussed
   in [1][2].
   - In a separate table structure.

If we are to go with option 01, then we need to consider the artifacts as
configurations and persist in the existing schema. The advantage of using
this is we can re-use the existing implementation including the database
schema and existing rest APIs and functionalities (pagination, searching,
etc) . The drawback is the conceptual difference between an artifact and
configuration. Further if we are to use the configuration store there is no
way to include specific input validations for the userstore configuration
feature.

If we are to go with the option 02, then the flow will be as follows.

*Existing Flow*

[image: Untitled Diagram (9).png]






*Suggested Flow*

[image: Untitled Diagram (10).png]



   - With the suggested approach, as the storage mechanisms, file system
   and database can be used and any other storage mechanism is pluggable.
   - There should be a way to identify the repository where the data is
   loaded from. The repository can be the file system, database or any other
   storage mechanism.
   - In both the read and write operations the end user should have the control
   to decide the storage mechanism.
   - If the user needs to migrate a userstore from one storage mechanism
   (file system) to another then they can do it via UI.

When persisting the data in the database there are two options we can use:

   - Persist data as a blob
   - Persist data as key value pairs

If we are to go with option one then we can persist the file as a blob
and reuse most of the existing parsing logic.

Highly appreciate your suggestions and feedback on the above approach.

[1] [Architecture][IAM][JDBC based Configuration Store] Database Schema
[2] [Architecture] [IS] JDBC based Configuration Store for WSO2 IS

Thanks,
Hasanthi

-- 

Hasanthi Dissanayake | Senior Software Engineer | WSO2 Inc.
(m) +94718407133 | (w) +94112145345  | Email: hasan...@wso2.com


[Dev] [Announce] WSO2 Identity Server 5.8.0 Released!

2019-05-31 Thread Hasanthi Purnima Dissanayake
The WSO2 Identity Server team is pleased to announce the release of WSO2
Identity Server version 5.8.0.

The WSO2 Identity Server is a uniquely extensible, open source IAM product
optimized for identity federation and SSO with comprehensive support for
adaptive and strong authentication. It supports a wide array of
authentication protocols such as SAML 2.0 Web SSO, OAuth 2.0/1.0a, OpenID
Connect, and WS-Federation Passive. It supports role based authorization
and fine grained authorization with XACML 2.0/3.0 while inbound/outbound
provisioning is supported through SCIM and SPML.

WSO2 Identity Server is developed on top of the revolutionary WSO2 Carbon
platform, an OSGi based framework that provides seamless modularity to your
SOA solution via componentization.

All the major features have been developed as pluggable Carbon components.

You can download this distribution from
https://wso2.com/identity-and-access-management/install

Online documentation is available at
http://docs.wso2.org/wiki/display/IS580/WSO2+Identity+Server+Documentation.

How to Run

   1. Extract the downloaded zip file.
   2. Go to the bin directory in the extracted folder.
   3. Run the wso2server.sh or wso2server.bat file as appropriate.
   4. Optionally, if you need to start the OSGi console with the server, use
      the -DosgiConsole property when starting the server.

New Features in this Release

WSO2 Identity Server version 5.8.0 is part of WSO2’s 2019 Fall Release
which includes new features and updates across all products, solutions, and
services.

The following includes major features and improvements provided in WSO2 IS
5.8.0:


   - *OpenID Connect backchannel logout* - This feature enables logging out
     users from a client application/Relying Party (RP) by directly
     communicating the logout requests between the client application and
     authorization server.
   - *SAML front channel logout* - This feature enables the session
     participants to use an asynchronous binding such as HTTP Redirect binding,
     HTTP POST Binding or Artifact Binding to send a request to the identity
     provider through a browser agent.


This release includes functional improvements and fixes to the product. The
complete list of improvements and bug fixes available with the release can
be found at the following locations:



   - 5.8.0-RC2 fixes
   - 5.8.0-RC1 fixes
   - 5.8.0-Beta5 fixes
   - 5.8.0-Beta4 fixes
   - 5.8.0-Beta3 fixes
   - 5.8.0-Beta fixes
   - 5.8.0-Alpha5 fixes
   - 5.8.0-Alpha4 fixes
   - 5.8.0-Alpha3 fixes
   - 5.8.0-Alpha2 fixes
   - 5.8.0-Alpha fixes
   - 5.8.0-M26 fixes
   - 5.8.0-M25 fixes
   - 5.8.0-M24 fixes
   - 5.8.0-M6 fixes
   - 5.8.0-M5 fixes
   - 5.8.0-M4 fixes
   - 5.8.0-M3 fixes
   - 5.8.0-M2 fixes
   - 5.8.0-M1 fixes

Known Issues

All the open issues pertaining to WSO2 Identity Server are reported at the
following locations:

IS Runtime

IS Analytics

How You Can Contribute

Mailing Lists

Join our mailing list and correspond with the developers directly. We also
encourage you to take part in discussions related to the product in the
architecture mailing list. If you have any questions regarding the product
you can use our StackOverflow forum to raise them as well.


   - Developer list: dev@wso2.org | Subscribe | Mail Archive
   - Architecture list: architect...@wso2.org | Subscribe | Mail Archive
   - User forum: StackOverflow

Reporting Issues

We 

Re: [Dev] [Architecture] [VOTE] Release WSO2 Identity Server 5.8.0 RC3

2019-05-22 Thread Hasanthi Purnima Dissanayake
Hi All,

We had an issue receiving the replies to this thread and it seems some of the
replies have been lost due to this. Hence if you have sent a vote and it is not
available in the archive [1], please re-send the vote. All the votes we
received are positive ones, so we are planning to close the vote within a few
hours. If you have any concerns please raise them ASAP.

[1] https://wso2.markmail.org/thread/xuyn7ilrts2xvdsn

Thanks,
Hasanthi

On Wed, May 22, 2019 at 5:15 PM Hasanthi Purnima Dissanayake <
hasan...@wso2.com> wrote:

> Hi All,
>
> I have tested following features.
>
>    1. OIDC backchannel logout
>    2. SAML front channel logout.
>
> No blocking issues found.
>
> [+] Stable - go ahead and release.
>
> Thanks,
> Hasanthi
>
>
>
> On Wed, May 22, 2019 at 8:03 AM Isuranga Perera  wrote:
>
>> All:
>> I have tested Federated Authentication
>> [+] Stable - go ahead and release.
>>
>> Best Regards
>> Isuranga Perera
>>
>> On Sun, May 19, 2019 at 7:30 PM Shanika Wickramasinghe 
>> wrote:
>>
>>> Hi All,
>>>
>>> I have tested the SAML SSO with POST binding and Redirect binding flows
>>> and no issues found.
>>>
>>> +1 Go Ahead and Release
>>>
>>>
>>> Thanks,
>>>
>>> Shanika
>>>
>>> On Thu, May 16, 2019 at 12:33 PM Hasanthi Purnima Dissanayake <
>>> hasan...@wso2.com> wrote:
>>>
>>>> Hi All,
>>>>
>>>> The reason for breaking the RC2 vote is that an unused commented
>>>> configuration description was reported in carbon.xml [1]. From the RC3
>>>> release, that commented line in the configuration file is removed and no
>>>> other code level changes were done.
>>>>
>>>> Further in the Analytics-IS pack, the versions are updated according to
>>>> the latest released SP pack versions [2].
>>>>
>>>> [1] [Dev][VOTE] Release WSO2 Identity Server 5.8.0 RC2
>>>> [2] [VOTE] Release of WSO2 Stream Processor 4.4.0 RC6
>>>>
>>>> Thanks,
>>>> Hasanthi
>>>>
>>>> On Thu, May 16, 2019 at 12:30 PM Hasanthi Purnima Dissanayake <
>>>> hasan...@wso2.com> wrote:
>>>>
>>>>> Hi all,
>>>>>
>>>>> We are pleased to announce the third release candidate of WSO2
>>>>> Identity Server 5.8.0.
>>>>>
>>>>> This release fixes the following issues,
>>>>>
>>>>>- 5.8.0-RC3 fixes
>>>>><https://github.com/wso2/product-is/milestone/84?closed=1>
>>>>>- 5.8.0-RC2 fixes
>>>>><https://github.com/wso2/product-is/milestone/82?closed=1>
>>>>>- 5.8.0-RC1 fixes
>>>>><https://github.com/wso2/product-is/milestone/78?closed=1>
>>>>>- 5.8.0-Beta5 fixes
>>>>><https://github.com/wso2/product-is/milestone/80?closed=1>
>>>>>- 5.8.0-Beta4 fixes
>>>>><https://github.com/wso2/product-is/milestone/79?closed=1>
>>>>>- 5.8.0-Beta3 fixes
>>>>><https://github.com/wso2/product-is/milestone/77?closed=1>
>>>>>- 5.8.0-Beta fixes
>>>>><https://github.com/wso2/product-is/milestone/75?closed=1>
>>>>>- 5.8.0-Alpha5 fixes
>>>>><https://github.com/wso2/product-is/milestone/74?closed=1>
>>>>>- 5.8.0-Alpha4 fixes
>>>>><https://github.com/wso2/product-is/milestone/73?closed=1>
>>>>>- 5.8.0-Alpha3 fixes
>>>>><https://github.com/wso2/product-is/milestone/72?closed=1>
>>>>>- 5.8.0-Alpha2 fixes
>>>>><https://github.com/wso2/product-is/milestone/71?closed=1>
>>>>>- 5.8.0-Alpha fixes
>>>>><https://github.com/wso2/product-is/milestone/70?closed=1>
>>>>>- 5.8.0-M26 fixes
>>>>><https://github.com/wso2/product-is/milestone/69?closed=1>
>>>>>- 5.8.0-M25 fixes
>>>>><https://github.com/wso2/product-is/milestone/68?closed=1>
>>>>>- 5.8.0-M24 fixes
>>>>><https://github.com/wso2/product-is/milestone/67?closed=1>
>>>>>- 5.8.0-M6 fixes
>>>>><https://github.com/wso2/product-is/milestone/64?closed=1>
>>>>>- 5.8.0-M5 fixes
>>>>><https://github.com/wso2/product-is/milestone/63?closed=1>

Re: [Dev] [VOTE] Release WSO2 Identity Server 5.8.0 RC2

2019-05-16 Thread Hasanthi Purnima Dissanayake
Hi All,

We have closed this vote as a stale comment without following a config was
noted and started another vote [1].

[1] [Dev][VOTE] Release WSO2 Identity Server 5.8.0 RC2

Thanks,
Hasanthi

On Thu, May 16, 2019 at 10:28 AM Prabath Siriwardena 
wrote:

> +1 to go ahead with the release
>
> Thanks & Regards
> -Prabath
>
> On Wed, May 15, 2019 at 1:06 AM Shanika Wickramasinghe 
> wrote:
>
>> Hi All,
>>
>> I have tested the SAML SSO with POST binding and Redirect binding flows.
>>
>> +1 Go Ahead and Release
>>
>>
>> Thanks,
>>
>> Shanika
>>
>>
>> On Mon, May 13, 2019 at 11:57 PM Hasanthi Purnima Dissanayake <
>> hasan...@wso2.com> wrote:
>>
>>> Hi all,
>>>
>>> We are pleased to announce the second release candidate of WSO2 Identity
>>> Server 5.8.0.
>>>
>>> This release fixes the following issues,
>>>
>>>- 5.8.0-RC2 fixes
>>><https://github.com/wso2/product-is/milestone/82?closed=1>
>>>- 5.8.0-RC1 fixes
>>><https://github.com/wso2/product-is/milestone/78?closed=1>
>>>- 5.8.0-Beta5 fixes
>>><https://github.com/wso2/product-is/milestone/80?closed=1>
>>>- 5.8.0-Beta4 fixes
>>><https://github.com/wso2/product-is/milestone/79?closed=1>
>>>- 5.8.0-Beta3 fixes
>>><https://github.com/wso2/product-is/milestone/77?closed=1>
>>>- 5.8.0-Beta fixes
>>><https://github.com/wso2/product-is/milestone/75?closed=1>
>>>- 5.8.0-Alpha5 fixes
>>><https://github.com/wso2/product-is/milestone/74?closed=1>
>>>- 5.8.0-Alpha4 fixes
>>><https://github.com/wso2/product-is/milestone/73?closed=1>
>>>- 5.8.0-Alpha3 fixes
>>><https://github.com/wso2/product-is/milestone/72?closed=1>
>>>- 5.8.0-Alpha2 fixes
>>><https://github.com/wso2/product-is/milestone/71?closed=1>
>>>- 5.8.0-Alpha fixes
>>><https://github.com/wso2/product-is/milestone/70?closed=1>
>>>- 5.8.0-M26 fixes
>>><https://github.com/wso2/product-is/milestone/69?closed=1>
>>>- 5.8.0-M25 fixes
>>><https://github.com/wso2/product-is/milestone/68?closed=1>
>>>- 5.8.0-M24 fixes
>>><https://github.com/wso2/product-is/milestone/67?closed=1>
>>>- 5.8.0-M6 fixes
>>><https://github.com/wso2/product-is/milestone/64?closed=1>
>>>- 5.8.0-M5 fixes
>>><https://github.com/wso2/product-is/milestone/63?closed=1>
>>>- 5.8.0-M4 fixes
>>><https://github.com/wso2/product-is/milestone/62?closed=1>
>>>- 5.8.0-M3 fixes
>>><https://github.com/wso2/product-is/milestone/61?closed=1>
>>>- 5.8.0-M2 fixes
>>><https://github.com/wso2/product-is/milestone/60?closed=1>
>>>- 5.8.0-M1 fixes
>>><https://github.com/wso2/product-is/milestone/59?closed=1>
>>>
>>>
>>> Source and distribution
>>>
>>> Runtime - https://github.com/wso2/product-is/releases/tag/v5.8.0-rc2
>>> <https://github.com/wso2/product-is/releases/download/v5.8.0-rc2/wso2is-5.8.0-rc2.zip>
>>> <https://github.com/wso2/product-is/releases/download/v5.8.0-rc2/wso2is-5.8.0.zip>
>>> Analytics - https://github.com/wso2/analytics-is/releases/tag/v5.8.0-rc2
>>> <https://github.com/wso2/analytics-is/releases/download/v5.8.0-rc2/wso2is-analytics-5.8.0-rc2.zip>
>>>
>>>
>>> Please download, test the product and vote.
>>>
>>> [+] Stable - go ahead and release
>>> [-] Broken - do not release (explain why)
>>>
>>>
>>> Thanks,
>>> - WSO2 Identity and Access Management Team -
>>>
>>> --
>>>
>>> Hasanthi Dissanayake
>>>
>>> Senior Software Engineer | WSO2
>>>
>>> E: hasan...@wso2.com
>>> M :0718407133| http://wso2.com <http://wso2.com/>
>>>

Re: [Dev] [VOTE] Release WSO2 Identity Server 5.8.0 RC3

2019-05-16 Thread Hasanthi Purnima Dissanayake
Hi All,

The reason for breaking the RC2 vote is that an unused commented
configuration description was reported in carbon.xml [1]. In the RC3 release
that commented line in the configuration file is removed, and no other
code-level changes were made.

Further, in the Analytics-IS pack, the versions are updated according to the
latest released SP pack versions [2].

[1] [Dev][VOTE] Release WSO2 Identity Server 5.8.0 RC2
[2] [VOTE] Release of WSO2 Stream Processor 4.4.0 RC6

Thanks,
Hasanthi

On Thu, May 16, 2019 at 12:30 PM Hasanthi Purnima Dissanayake <
hasan...@wso2.com> wrote:

> Hi all,
>
> We are pleased to announce the third release candidate of WSO2 Identity
> Server 5.8.0.
>
> This release fixes the following issues,
>
>- 5.8.0-RC3 fixes
><https://github.com/wso2/product-is/milestone/84?closed=1>
>- 5.8.0-RC2 fixes
><https://github.com/wso2/product-is/milestone/82?closed=1>
>- 5.8.0-RC1 fixes
><https://github.com/wso2/product-is/milestone/78?closed=1>
>- 5.8.0-Beta5 fixes
><https://github.com/wso2/product-is/milestone/80?closed=1>
>- 5.8.0-Beta4 fixes
><https://github.com/wso2/product-is/milestone/79?closed=1>
>- 5.8.0-Beta3 fixes
><https://github.com/wso2/product-is/milestone/77?closed=1>
>- 5.8.0-Beta fixes
><https://github.com/wso2/product-is/milestone/75?closed=1>
>- 5.8.0-Alpha5 fixes
><https://github.com/wso2/product-is/milestone/74?closed=1>
>- 5.8.0-Alpha4 fixes
><https://github.com/wso2/product-is/milestone/73?closed=1>
>- 5.8.0-Alpha3 fixes
><https://github.com/wso2/product-is/milestone/72?closed=1>
>- 5.8.0-Alpha2 fixes
><https://github.com/wso2/product-is/milestone/71?closed=1>
>- 5.8.0-Alpha fixes
><https://github.com/wso2/product-is/milestone/70?closed=1>
>- 5.8.0-M26 fixes
><https://github.com/wso2/product-is/milestone/69?closed=1>
>- 5.8.0-M25 fixes
><https://github.com/wso2/product-is/milestone/68?closed=1>
>- 5.8.0-M24 fixes
><https://github.com/wso2/product-is/milestone/67?closed=1>
>- 5.8.0-M6 fixes
><https://github.com/wso2/product-is/milestone/64?closed=1>
>- 5.8.0-M5 fixes
><https://github.com/wso2/product-is/milestone/63?closed=1>
>- 5.8.0-M4 fixes
><https://github.com/wso2/product-is/milestone/62?closed=1>
>- 5.8.0-M3 fixes
><https://github.com/wso2/product-is/milestone/61?closed=1>
>- 5.8.0-M2 fixes
><https://github.com/wso2/product-is/milestone/60?closed=1>
>- 5.8.0-M1 fixes
><https://github.com/wso2/product-is/milestone/59?closed=1>
>
>
> Source and distribution
>
> Runtime - https://github.com/wso2/product-is/releases/tag/v
> <https://github.com/wso2/product-is/releases/download/v5.8.0-rc3/wso2is-5.8.0-rc3.zip>
> 5.8.0-rc3
> <https://github.com/wso2/product-is/releases/download/v5.8.0-rc3/wso2is-5.8.0-rc3.zip>
> Analytics -
> https://github.com/wso2/analytics-is/releases/tag/v5.8.0-rc3
> <https://github.com/wso2/analytics-is/releases/download/v5.8.0-rc3/wso2is-analytics-5.8.0-rc3.zip>
>
>
> Please download, test the product and vote.
>
> [+] Stable - go ahead and release
> [-] Broken - do not release (explain why)
>
>
> Thanks,
> - WSO2 Identity and Access Management Team -
>
> --
>
> Hasanthi Dissanayake
>
> Senior Software Engineer | WSO2
>
> E: hasan...@wso2.com
> M :0718407133| http://wso2.com <http://wso2.com/>
>


-- 

Hasanthi Dissanayake

Senior Software Engineer | WSO2

E: hasan...@wso2.com
M :0718407133| http://wso2.com <http://wso2.com/>
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


[Dev] [VOTE] Release WSO2 Identity Server 5.8.0 RC3

2019-05-16 Thread Hasanthi Purnima Dissanayake
Hi all,

We are pleased to announce the third release candidate of WSO2 Identity
Server 5.8.0.

This release fixes the following issues,

   - 5.8.0-RC3 fixes
   - 5.8.0-RC2 fixes
   - 5.8.0-RC1 fixes
   - 5.8.0-Beta5 fixes
   - 5.8.0-Beta4 fixes
   - 5.8.0-Beta3 fixes
   - 5.8.0-Beta fixes
   - 5.8.0-Alpha5 fixes
   - 5.8.0-Alpha4 fixes
   - 5.8.0-Alpha3 fixes
   - 5.8.0-Alpha2 fixes
   - 5.8.0-Alpha fixes
   - 5.8.0-M26 fixes
   - 5.8.0-M25 fixes
   - 5.8.0-M24 fixes
   - 5.8.0-M6 fixes
   - 5.8.0-M5 fixes
   - 5.8.0-M4 fixes
   - 5.8.0-M3 fixes
   - 5.8.0-M2 fixes
   - 5.8.0-M1 fixes


Source and distribution

Runtime - https://github.com/wso2/product-is/releases/tag/v5.8.0-rc3
Analytics - https://github.com/wso2/analytics-is/releases/tag/v5.8.0-rc3



Please download, test the product and vote.

[+] Stable - go ahead and release
[-] Broken - do not release (explain why)


Thanks,
- WSO2 Identity and Access Management Team -

-- 

Hasanthi Dissanayake

Senior Software Engineer | WSO2

E: hasan...@wso2.com
M :0718407133| http://wso2.com 


Re: [Dev] [VOTE] Release WSO2 Identity Server 5.8.0 RC2

2019-05-13 Thread Hasanthi Purnima Dissanayake
Hi All,

Please find the source and distribution,

Runtime - https://github.com/wso2/product-is/releases/tag/v5.8.0-rc2
<https://github.com/wso2/product-is/releases/download/v5.8.0-rc2/wso2is-5.8.0.zip>
Analytics - https://github.com/wso2/analytics-is/releases/tag/v5.8.0-rc2

Thanks,
Hasanthi

On Mon, May 13, 2019 at 11:56 PM Hasanthi Purnima Dissanayake <
hasan...@wso2.com> wrote:

> Hi all,
>
> We are pleased to announce the second release candidate of WSO2 Identity
> Server 5.8.0.
>
> This release fixes the following issues,
>
>- 5.8.0-RC2 fixes
><https://github.com/wso2/product-is/milestone/82?closed=1>
>- 5.8.0-RC1 fixes
><https://github.com/wso2/product-is/milestone/78?closed=1>
>- 5.8.0-Beta5 fixes
><https://github.com/wso2/product-is/milestone/80?closed=1>
>- 5.8.0-Beta4 fixes
><https://github.com/wso2/product-is/milestone/79?closed=1>
>- 5.8.0-Beta3 fixes
><https://github.com/wso2/product-is/milestone/77?closed=1>
>- 5.8.0-Beta fixes
><https://github.com/wso2/product-is/milestone/75?closed=1>
>- 5.8.0-Alpha5 fixes
><https://github.com/wso2/product-is/milestone/74?closed=1>
>- 5.8.0-Alpha4 fixes
><https://github.com/wso2/product-is/milestone/73?closed=1>
>- 5.8.0-Alpha3 fixes
><https://github.com/wso2/product-is/milestone/72?closed=1>
>- 5.8.0-Alpha2 fixes
><https://github.com/wso2/product-is/milestone/71?closed=1>
>- 5.8.0-Alpha fixes
><https://github.com/wso2/product-is/milestone/70?closed=1>
>- 5.8.0-M26 fixes
><https://github.com/wso2/product-is/milestone/69?closed=1>
>- 5.8.0-M25 fixes
><https://github.com/wso2/product-is/milestone/68?closed=1>
>- 5.8.0-M24 fixes
><https://github.com/wso2/product-is/milestone/67?closed=1>
>- 5.8.0-M6 fixes
><https://github.com/wso2/product-is/milestone/64?closed=1>
>- 5.8.0-M5 fixes
><https://github.com/wso2/product-is/milestone/63?closed=1>
>- 5.8.0-M4 fixes
><https://github.com/wso2/product-is/milestone/62?closed=1>
>- 5.8.0-M3 fixes
><https://github.com/wso2/product-is/milestone/61?closed=1>
>- 5.8.0-M2 fixes
><https://github.com/wso2/product-is/milestone/60?closed=1>
>- 5.8.0-M1 fixes
><https://github.com/wso2/product-is/milestone/59?closed=1>
>
>
> Source and distribution
>
> Runtime - https://github.com/wso2/product-is/releases/tag/v
> <https://github.com/wso2/product-is/releases/download/v5.8.0-rc2/wso2is-5.8.0-rc2.zip>
> 5.8.0-rc2
> <https://github.com/wso2/product-is/releases/download/v5.8.0-rc2/wso2is-5.8.0.zip>
> Analytics -
> https://github.com/wso2/analytics-is/releases/tag/v5.8.0-rc2
> <https://github.com/wso2/analytics-is/releases/download/v5.8.0-rc2/wso2is-analytics-5.8.0-rc2.zip>
>
>
> Please download, test the product and vote.
>
> [+] Stable - go ahead and release
> [-] Broken - do not release (explain why)
>
>
> Thanks,
> - WSO2 Identity and Access Management Team -
>
> --
>
> Hasanthi Dissanayake
>
> Senior Software Engineer | WSO2
>
> E: hasan...@wso2.com
> M :0718407133| http://wso2.com <http://wso2.com/>
>


-- 

Hasanthi Dissanayake

Senior Software Engineer | WSO2

E: hasan...@wso2.com
M :0718407133| http://wso2.com <http://wso2.com/>


[Dev] [VOTE] Release WSO2 Identity Server 5.8.0 RC2

2019-05-13 Thread Hasanthi Purnima Dissanayake
Hi all,

We are pleased to announce the second release candidate of WSO2 Identity
Server 5.8.0.

This release fixes the following issues,

   - 5.8.0-RC2 fixes
   - 5.8.0-RC1 fixes
   - 5.8.0-Beta5 fixes
   - 5.8.0-Beta4 fixes
   - 5.8.0-Beta3 fixes
   - 5.8.0-Beta fixes
   - 5.8.0-Alpha5 fixes
   - 5.8.0-Alpha4 fixes
   - 5.8.0-Alpha3 fixes
   - 5.8.0-Alpha2 fixes
   - 5.8.0-Alpha fixes
   - 5.8.0-M26 fixes
   - 5.8.0-M25 fixes
   - 5.8.0-M24 fixes
   - 5.8.0-M6 fixes
   - 5.8.0-M5 fixes
   - 5.8.0-M4 fixes
   - 5.8.0-M3 fixes
   - 5.8.0-M2 fixes
   - 5.8.0-M1 fixes


Source and distribution

Runtime - https://github.com/wso2/product-is/releases/tag/v5.8.0-rc2
Analytics - https://github.com/wso2/analytics-is/releases/tag/v5.8.0-rc2



Please download, test the product and vote.

[+] Stable - go ahead and release
[-] Broken - do not release (explain why)


Thanks,
- WSO2 Identity and Access Management Team -

-- 

Hasanthi Dissanayake

Senior Software Engineer | WSO2

E: hasan...@wso2.com
M :0718407133| http://wso2.com 


[Dev] [VOTE] Release WSO2 Identity Server 5.8.0 RC1

2019-05-10 Thread Hasanthi Purnima Dissanayake
Hi all,

We are pleased to announce the first release candidate of WSO2 Identity
Server 5.8.0.

This release fixes the following issues,

   - 5.8.0-RC1 fixes
   - 5.8.0-Beta5 fixes
   - 5.8.0-Beta4 fixes
   - 5.8.0-Beta3 fixes
   - 5.8.0-Beta fixes
   - 5.8.0-Alpha5 fixes
   - 5.8.0-Alpha4 fixes
   - 5.8.0-Alpha3 fixes
   - 5.8.0-Alpha2 fixes
   - 5.8.0-Alpha fixes
   - 5.8.0-M26 fixes
   - 5.8.0-M25 fixes
   - 5.8.0-M24 fixes
   - 5.8.0-M6 fixes
   - 5.8.0-M5 fixes
   - 5.8.0-M4 fixes
   - 5.8.0-M3 fixes
   - 5.8.0-M2 fixes
   - 5.8.0-M1 fixes


Source and distribution

Runtime - https://github.com/wso2/product-is/releases/tag/v5.8.0-rc1
Analytics - https://github.com/wso2/analytics-is/releases/tag/v5.8.0-rc1


Please download, test the product and vote.

[+] Stable - go ahead and release
[-] Broken - do not release (explain why)


Thanks,
- WSO2 Identity and Access Management Team -

-- 

Hasanthi Dissanayake

Senior Software Engineer | WSO2

E: hasan...@wso2.com
M :0718407133| http://wso2.com 


Re: [Dev] [VOTE] Release WSO2 Identity Server 5.7.0 RC3

2019-05-10 Thread Hasanthi Purnima Dissanayake
Hi All,

Please note that the product version in the title is not correct. Hence we
will not be continuing the vote in this email thread. We will be sending
another email soon for the vote. Sorry for the inconvenience caused.

Thanks,
Hasanthi

On Sat, May 11, 2019 at 2:10 AM Hasanthi Purnima Dissanayake <
hasan...@wso2.com> wrote:

> Hi all,
>
> We are pleased to announce the first release candidate of WSO2 Identity
> Server 5.8.0.
>
> This release fixes the following issues,
>
>- 5.5.0-RC1 fixes
>
> <https://github.com/wso2/product-is/issues?q=is%3Aclosed+milestone%3A5.5.0-RC1>
>- 5.5.0-Beta5 fixes
><https://github.com/wso2/product-is/milestone/80?closed=1>
>- 5.5.0-Beta4 fixes
><https://github.com/wso2/product-is/milestone/79?closed=1>
>- 5.5.0-Beta3 fixes
><https://github.com/wso2/product-is/milestone/77?closed=1>
>- 5.5.0-Beta fixes
><https://github.com/wso2/product-is/milestone/75?closed=1>
>- 5.8.0-Alpha5 fixes
><https://github.com/wso2/product-is/milestone/74?closed=1>
>- 5.8.0-Alpha4 fixes
><https://github.com/wso2/product-is/milestone/73?closed=1>
>- 5.8.0-Alpha3 fixes
><https://github.com/wso2/product-is/milestone/72?closed=1>
>- 5.8.0-Alpha2 fixes
><https://github.com/wso2/product-is/milestone/71?closed=1>
>- 5.8.0-Alpha fixes
><https://github.com/wso2/product-is/milestone/70?closed=1>
>- 5.8.0-M26 fixes
><https://github.com/wso2/product-is/milestone/69?closed=1>
>- 5.8.0-M25 fixes
><https://github.com/wso2/product-is/milestone/68?closed=1>
>- 5.8.0-M24 fixes
><https://github.com/wso2/product-is/milestone/67?closed=1>
>- 5.8.0-M6 fixes
><https://github.com/wso2/product-is/milestone/64?closed=1>
>- 5.8.0-M5 fixes
><https://github.com/wso2/product-is/milestone/63?closed=1>
>- 5.8.0-M4 fixes
><https://github.com/wso2/product-is/milestone/62?closed=1>
>- 5.8.0-M3 fixes
><https://github.com/wso2/product-is/milestone/61?closed=1>
>- 5.8.0-M2 fixes
><https://github.com/wso2/product-is/milestone/60?closed=1>
>- 5.8.0-M1 fixes
><https://github.com/wso2/product-is/milestone/59?closed=1>
>
>
> Source and distribution
>
> Runtime - https://github.com/wso2/product-is/releases/tag/v5.8.0-rc1
> Analytics -
> https://github.com/wso2/analytics-is/releases/tag/v5.8.0-rc1
>
>
> Please download, test the product and vote.
>
> [+] Stable - go ahead and release
> [-] Broken - do not release (explain why)
>
>
> Thanks,
> - WSO2 Identity and Access Management Team -
>
> --
>
> Hasanthi Dissanayake
>
> Senior Software Engineer | WSO2
>
> E: hasan...@wso2.com
> M :0718407133| http://wso2.com <http://wso2.com/>
>


-- 

Hasanthi Dissanayake

Senior Software Engineer | WSO2

E: hasan...@wso2.com
M :0718407133| http://wso2.com <http://wso2.com/>


[Dev] [VOTE] Release WSO2 Identity Server 5.7.0 RC3

2019-05-10 Thread Hasanthi Purnima Dissanayake
Hi all,

We are pleased to announce the first release candidate of WSO2 Identity
Server 5.8.0.

This release fixes the following issues,

   - 5.5.0-RC1 fixes
   - 5.5.0-Beta5 fixes
   - 5.5.0-Beta4 fixes
   - 5.5.0-Beta3 fixes
   - 5.5.0-Beta fixes
   - 5.8.0-Alpha5 fixes
   - 5.8.0-Alpha4 fixes
   - 5.8.0-Alpha3 fixes
   - 5.8.0-Alpha2 fixes
   - 5.8.0-Alpha fixes
   - 5.8.0-M26 fixes
   - 5.8.0-M25 fixes
   - 5.8.0-M24 fixes
   - 5.8.0-M6 fixes
   - 5.8.0-M5 fixes
   - 5.8.0-M4 fixes
   - 5.8.0-M3 fixes
   - 5.8.0-M2 fixes
   - 5.8.0-M1 fixes


Source and distribution

Runtime - https://github.com/wso2/product-is/releases/tag/v5.8.0-rc1
Analytics - https://github.com/wso2/analytics-is/releases/tag/v5.8.0-rc1


Please download, test the product and vote.

[+] Stable - go ahead and release
[-] Broken - do not release (explain why)


Thanks,
- WSO2 Identity and Access Management Team -

-- 

Hasanthi Dissanayake

Senior Software Engineer | WSO2

E: hasan...@wso2.com
M :0718407133| http://wso2.com 


[Dev] WSO2 Identity Server 5.8.0-beta3 Released!

2019-04-23 Thread Hasanthi Purnima Dissanayake
WSO2 Identity and Access Management team is pleased to announce the release
of Identity Server 5.8.0 beta3!

Download

You can download WSO2 Identity Server 5.8.0 beta3 from here.

You can download WSO2 Identity Server Analytics 5.8.0 beta3 from here.

How to run

   1. Extract the downloaded zip file.
   2. Go to the bin directory in the extracted folder.
   3. Run the wso2server.sh file if you are on a Linux/Mac OS or run the
   wso2server.bat file if you are on a Windows OS.
   4. Optionally, if you need to start the OSGi console with the server, use
   the -DosgiConsole property when starting the server.

What's new in WSO2 Identity Server 5.8.0 beta3

A list of all the new features and bug fixes shipped with this release can
be found here.

Known Issues

All the open issues pertaining to WSO2 Identity Server are reported at the
following location:

   - IS Runtime
   - IS Analytics

Contribute to WSO2 Identity Server

Mailing Lists

Join our mailing lists and correspond with the developers directly. We also
encourage you to take part in discussions related to the product in the
architecture mailing list. If you have any questions regarding the product
you can use our StackOverflow forum to raise them as well.

   - Developer List: dev@wso2.org
   - Architecture List: architect...@wso2.org
   - User Forum: StackOverflow

Reporting Issues

We encourage you to report issues, improvements, and feature requests
regarding WSO2 Identity Server through our public WSO2 Identity Server GIT
Issues.

For more information about WSO2 Identity Server, please see
https://wso2.com/identity-and-access-management or visit the WSO2 Oxygen Tank
developer portal for additional resources.

~ The WSO2 Identity and Access Management Team ~

-- 

Hasanthi Dissanayake

Senior Software Engineer | WSO2

E: hasan...@wso2.com
M :0718407133| http://wso2.com 


Re: [Dev] Delaying account verification email

2019-04-19 Thread Hasanthi Purnima Dissanayake
Hi Manu,

The above cannot be achieved OOTB through the product, but a simple
customization would do this. You need to customize [1] and override the
triggerNotification() method. From the customization you need to delay
triggering the notification. You can refer to [2] to gather details on the
above customization.

If you need this delay in all the emails sent through the Identity
Server, you can write a customized email sending module in a way that caters
to your requirement. Please refer to [3] to gather details on customizing the
email sending module.

[1]
https://github.com/wso2-extensions/identity-governance/blob/master/components/org.wso2.carbon.identity.recovery/src/main/java/org/wso2/carbon/identity/recovery/handler/UserSelfRegistrationHandler.java
[2]
https://medium.com/@isurakarunaratne/wso2-identity-server-eventing-framework-32505bcc1600
[3]
https://medium.com/@isurakarunaratne/extending-email-sending-module-wso2-identity-server-7f9b1233d5c

Thanks,
Hasanthi

On Fri, Apr 19, 2019 at 5:20 PM Manu Shah  wrote:

> Hi Hasanthi,
>
> Our requirement is that email verification mail should be triggered after
> 5 mins of account creation.
>
> Thanks
> Manu
>
> On Fri, Apr 19, 2019 at 4:33 AM Hasanthi Purnima Dissanayake <
> hasan...@wso2.com> wrote:
>
>> Hi Manu,
>>
>> Can you please elaborate more on your requirement. Do you need to
>> schedule an email to be sent for account verification for a specific time?
>>
>> Thanks,
>>
>> On Thu, Apr 11, 2019 at 5:21 AM Manu Shah  wrote:
>>
>>> Hello,
>>>
>>> Has anyone worked on delaying the account verification email ?
>>>
>>> Thanks
>>> Manu
>>>
>>>
>>
>>
>> --
>>
>> Hasanthi Dissanayake
>>
>> Senior Software Engineer | WSO2
>>
>> E: hasan...@wso2.com
>> M :0718407133| http://wso2.com <http://wso2.com/>
>>
>
>
> --
> Regards,
> Manu
>


-- 

Hasanthi Dissanayake

Senior Software Engineer | WSO2

E: hasan...@wso2.com
M :0718407133| http://wso2.com <http://wso2.com/>


Re: [Dev] Delaying account verification email

2019-04-19 Thread Hasanthi Purnima Dissanayake
Hi Manu,

Can you please elaborate more on your requirement. Do you need to schedule
an email to be sent for account verification for a specific time?

Thanks,

On Thu, Apr 11, 2019 at 5:21 AM Manu Shah  wrote:

> Hello,
>
> Has anyone worked on delaying the account verification email ?
>
> Thanks
> Manu
>
>


-- 

Hasanthi Dissanayake

Senior Software Engineer | WSO2

E: hasan...@wso2.com
M :0718407133| http://wso2.com 


[Dev] WSO2 Identity Server 5.8.0-alpha4 Released!

2019-04-03 Thread Hasanthi Purnima Dissanayake
WSO2 Identity and Access Management team is pleased to announce the release
of Identity Server 5.8.0 alpha4!

Download

You can download WSO2 Identity Server 5.8.0 alpha4 from here.

You can download WSO2 Identity Server Analytics 5.8.0 alpha4 from here.

How to run

   1. Extract the downloaded zip file.
   2. Go to the bin directory in the extracted folder.
   3. Run the wso2server.sh file if you are on a Linux/Mac OS or run the
   wso2server.bat file if you are on a Windows OS.
   4. Optionally, if you need to start the OSGi console with the server, use
   the -DosgiConsole property when starting the server.

What's new in WSO2 Identity Server 5.8.0 alpha4

A list of all the new features and bug fixes shipped with this release can
be found here.

Known Issues

All the open issues pertaining to WSO2 Identity Server are reported at the
following location:

   - IS Runtime
   - IS Analytics

Contribute to WSO2 Identity Server

Mailing Lists

Join our mailing lists and correspond with the developers directly. We also
encourage you to take part in discussions related to the product in the
architecture mailing list. If you have any questions regarding the product
you can use our StackOverflow forum to raise them as well.

   - Developer List: dev@wso2.org
   - Architecture List: architect...@wso2.org
   - User Forum: StackOverflow

Reporting Issues

We encourage you to report issues, improvements, and feature requests
regarding WSO2 Identity Server through our public WSO2 Identity Server GIT
Issues.

For more information about WSO2 Identity Server, please see
https://wso2.com/identity-and-access-management or visit the WSO2 Oxygen Tank
developer portal for additional resources.

~ The WSO2 Identity and Access Management Team ~
-- 

Hasanthi Dissanayake

Senior Software Engineer | WSO2

E: hasan...@wso2.com
M :0718407133| http://wso2.com 


[Dev] WSO2 Identity Server 5.8.0-alpha3 Released!

2019-03-27 Thread Hasanthi Purnima Dissanayake
WSO2 Identity and Access Management team is pleased to announce the release
of Identity Server 5.8.0 alpha3!

Download

You can download WSO2 Identity Server 5.8.0 alpha3 from here.

You can download WSO2 Identity Server Analytics 5.8.0 alpha3 from here.

How to run

   1. Extract the downloaded zip file.
   2. Go to the bin directory in the extracted folder.
   3. Run the wso2server.sh file if you are on a Linux/Mac OS or run the
   wso2server.bat file if you are on a Windows OS.
   4. Optionally, if you need to start the OSGi console with the server, use
   the -DosgiConsole property when starting the server.

What's new in WSO2 Identity Server 5.8.0 alpha3

A list of all the new features and bug fixes shipped with this release can
be found here.

Known Issues

All the open issues pertaining to WSO2 Identity Server are reported at the
following location:

   - IS Runtime
   - IS Analytics

Contribute to WSO2 Identity Server

Mailing Lists

Join our mailing lists and correspond with the developers directly. We also
encourage you to take part in discussions related to the product in the
architecture mailing list. If you have any questions regarding the product
you can use our StackOverflow forum to raise them as well.

   - Developer List: dev@wso2.org
   - Architecture List: architect...@wso2.org
   - User Forum: StackOverflow

Reporting Issues

We encourage you to report issues, improvements, and feature requests
regarding WSO2 Identity Server through our public WSO2 Identity Server GIT
Issues.

For more information about WSO2 Identity Server, please see
https://wso2.com/identity-and-access-management or visit the WSO2 Oxygen Tank
developer portal for additional resources.

~ The WSO2 Identity and Access Management Team ~

-- 

Hasanthi Dissanayake

Senior Software Engineer | WSO2

E: hasan...@wso2.com
M :0718407133| http://wso2.com 


[Dev] WSO2 Identity Server 5.8.0-M26 Released!

2019-03-13 Thread Hasanthi Purnima Dissanayake
WSO2 Identity and Access Management team is pleased to announce the release
of Identity Server 5.8.0 M26!

Download

You can download WSO2 Identity Server 5.8.0 M26 from here.

You can download WSO2 Identity Server Analytics 5.8.0 M26 from here.

How to run

   1. Extract the downloaded zip file.
   2. Go to the bin directory in the extracted folder.
   3. Run the wso2server.sh file if you are on a Linux/Mac OS or run the
   wso2server.bat file if you are on a Windows OS.
   4. Optionally, if you need to start the OSGi console with the server, use
   the -DosgiConsole property when starting the server.

What's new in WSO2 Identity Server 5.8.0 M26

A list of all the new features and bug fixes shipped with this release can
be found here.

Known Issues

All the open issues pertaining to WSO2 Identity Server are reported at the
following location:

   - IS Runtime
   - IS Analytics

Contribute to WSO2 Identity Server

Mailing Lists

Join our mailing lists and correspond with the developers directly. We also
encourage you to take part in discussions related to the product in the
architecture mailing list. If you have any questions regarding the product
you can use our StackOverflow forum to raise them as well.

   - Developer List: dev@wso2.org
   - Architecture List: architect...@wso2.org
   - User Forum: StackOverflow

Reporting Issues

We encourage you to report issues, improvements, and feature requests
regarding WSO2 Identity Server through our public WSO2 Identity Server GIT
Issues.

For more information about WSO2 Identity Server, please see
https://wso2.com/identity-and-access-management or visit the WSO2 Oxygen Tank
developer portal for additional resources.

~ The WSO2 Identity and Access Management Team ~

-- 

Hasanthi Dissanayake

Senior Software Engineer | WSO2

E: hasan...@wso2.com
M :0718407133| http://wso2.com 


Re: [Dev] JWT WSO2

2019-03-01 Thread Hasanthi Purnima Dissanayake
Hi Felipe Pinheiro,

As far as I understood, your flow is something like this.

   - You are invoking the /token endpoint by passing the scope as openid
   - In the id_token response you need to add a custom claim like accountid.

So you can achieve that requirement by using the following steps.

   - Add a wso2 claim something like 'http://wso2.org/claims/accountid'
   - Add a custom oidc claim something like 'accountid'
   - Map the wso2 'accountid' with the 'http://wso2.org/claims/accountid'
   claim
   - If you are using APIM 2.6.0 or IS 5.7.0 you can add the claim
   'accountid' for the scope 'openid'.  If it is an older version you need to
   add the custom claim 'accountid' for the scope 'openid' in the registry. [1]

You can refer to [2], which explains the whole flow.

[1] https://docs.wso2.com/display/IS570/OpenID+Connect+Scopes+and+Claims
[2]
https://medium.com/@dewni.matheesha/claim-mapping-and-retrieving-end-user-information-in-wso2is-cffd5f3937ff

Thanks,
Hasanthi


On Fri, Mar 1, 2019 at 10:26 AM Piraveena Paralogarajah 
wrote:

> Hi,
>
> You can add new claims into id_token by implementing a supplementary OSGi
> service [1] in Identity Server. If you want to add claims into ID Token
> in your own way, rather than changing the existing code base, this service
> can be used. This service can be plugged in and can be used to inject
> claims into ID Token.
>
> Initially you have to implement the ClaimProvider service in
> identity-inbound-oauth[1] component and then you need to publish your
> service. Once you publish your service, org.wso2.carbon.identity.oauth
> component in identity-inbound-oauth is listening to ClaimProvider services.
> Once you register your service, that can be found by the Default
> IDTokenBuilder class [2]. Then your claims will be added to ID token.
>
> You can refer to this blog [3] for further information on how to add new
> claims into id_token.
>
> [1]
> https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/openidconnect/ClaimProvider.java
> [2]
> https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/openidconnect/DefaultIDTokenBuilder.java#L876
> [3]
> https://medium.com/@piraveenaparalogarajah/how-to-add-new-claims-to-id-token-by-implementing-supplementary-osgi-service-in-wso2-identity-626d19cfecab
>
> Thanks,
> Piraveena
>
> *Piraveena Paralogarajah*
> Software Engineer | WSO2 Inc.
> *(m)* +94776099594 | *(e)* pirave...@wso2.com
>
>
>
> On Fri, Feb 8, 2019 at 6:41 PM Felipe Pinheiro <
> felipe.pinhe...@ifactory.com.br> wrote:
>
>> Hello,
>>
>> I need to add new information in the token, but this information will be
>> sent when to call the /token.
>>
>> For example, I have this return:
>>
>>
>> eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5UQXhabU14TkRNeVpEZzNNVFUxWkdNME16RXpPREpoWldJNE5ETmxaRFUxT0dGa05qRmlNUSJ9.eyJhdWQiOiJodHRwOlwvXC9vcmcud3NvMi5hcGltZ3RcL2dhdGV3YXkiLCJzdWIiOiJhZG1pbiIsImFwcGxpY2F0aW9uIjp7ImlkIjoyLCJuYW1lIjoidGVzdCIsInRpZXIiOiJVbmxpbWl0ZWQiLCJvd25lciI6ImFkbWluIn0sInNjb3BlIjoiZGVmYXVsdCIsImlzcyI6Imh0dHBzOlwvXC9sb2NhbGhvc3Q6OTQ0M1wvb2F1dGgyXC90b2tlbiIsImtleXR5cGUiOiJQUk9EVUNUSU9OIiwic3Vic2NyaWJlZEFQSXMiOltdLCJjb25zdW1lcktleSI6ImhGNG9UTzVONnJtX3d1QWVnWDdGWldFdWRFTWEiLCJleHAiOjE1NDk0ODM2MDQsImlhdCI6MTU0OTQ4MDAwNDgwMSwianRpIjoiOTIwNzM5ZWEtZjE2NS00ZDRjLTliYTEtNDRjYWFjZmZlNzQxIn0=.Gt60ZRnGC7KYUQ6dv7SbVljIA6ION3fp5yqo4qGtbSlvqHCBw6mAYYQlXHDc_5RRVa3xnTsqPvW3f8LcKTHvWZriRjj4j31GTwBobM7nfACEsghGV7cSCkgIyAdqT36Tm7EECi2zkI30KlcznE5bZ6P3ts6yPAHcMi-L_gCH3NDWaqrTg9dXo_YF9grTxoYglaf_T9WiuLlkgohk46uatRTTtEBZQKTrjlXbALK3uPdFYurFY1sQGIa_BTDNgTWRi2yQsjTce6ElgDAxhNyNKKh0x3oksKWoSV6-_pSx2QPTiKt90I1rAvp-P_SOm_Y83QGSFCJ7MlaK5wYQlih-vA==
>>
>> {
>>   "aud" : "http://org.wso2.apimgt/gateway",
>>   "sub" : "admin",
>>   "application" : {
>>     "id" : 2,
>>     "name" : "test",
>>     "tier" : "Unlimited",
>>     "owner" : "admin"
>>   },
>>   "scope" : "default",
>>   "iss" : "https://localhost:9443/oauth2/token",
>>   "keytype" : "PRODUCTION",
>>   "subscribedAPIs" : [ ],
>>   "consumerKey" : "hF4oTO5N6rm_wuAegX7FZWEudEMa",
>>   "exp" : 1549483604,
>>   "iat" : 1549480004801,
>>   "jti" : "920739ea-f165-4d4c-9ba1-44caacffe741"
>> }
>>
>> But I have to add a new value, as the example below:
>>
>> {
>>   "aud" : "http://org.wso2.apimgt/gateway",
>>   "sub" : "admin",
>>   "application" : {
>>     "id" : 2,
>>     "name" : "test",
>>     "tier" : "Unlimited",
>>     "owner" : "admin"
>>   },
>>   "scope" : "default",
>>   "iss" : "https://localhost:9443/oauth2/token",
>>   "keytype" : "PRODUCTION",
>>   "subscribedAPIs" : [ ],
>>   "consumerKey" : "hF4oTO5N6rm_wuAegX7FZWEudEMa",
>>   

Re: [Dev] Incorrect permission for 'OIDC Scopes'

2018-12-09 Thread Hasanthi Purnima Dissanayake
Hi Johann,

Thanks for reporting this issue. We have created a git issue to track this
and we will fix this issue. [1]

[1] https://github.com/wso2/product-is/issues/4169

Thanks,

On Sun, Dec 9, 2018 at 3:17 PM Johann Nallathamby  wrote:

> IAM Devs,
>
> OIDC scopes menu is appearing for users with login permission only in IS
> 5.7.0 WUM updated pack.
>
> [image: Screen Shot 2018-12-09 at 3.15.58 PM.png]
>
> Thanks & Regards,
> Johann.
>
> --
> *Johann Dilantha Nallathamby* | Associate Director/Solutions Architect |
> WSO2 Inc.
> (m) +94 (77) 7776950 | (w) +94 (11) 2145345 | (e) joh...@wso2.com
> [image: Signature.jpg]
>


-- 

Hasanthi Dissanayake

Senior Software Engineer | WSO2

E: hasan...@wso2.com
M :0718407133| http://wso2.com 
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


Re: [Dev] [Architecture] [VOTE] Release of WSO2 Identity Server 5.6.0 RC3

2018-06-19 Thread Hasanthi Purnima Dissanayake
Hi,

Tested below scenarios on IS 5.6.0-RC3 pack,

- Register a service provider
- Obtain an access token using JWT grant type
- Invoke user info endpoint using the token.

No blocking issues found.

[+] Stable - Go ahead and release

Thanks,
Hasanthi

On Tue, Jun 19, 2018 at 2:44 PM, Dewni Weeraman  wrote:

> Hi,
>
> Tested below scenarios on IS 5.6.0-RC3 pack,
>
> - Invoke the OAuth Introspection Endpoint.
> - OAuth token revocation.
> - Entitlement policy creation using write policy in xml and publishing.
> - Using REST APIs via XACML to manage entitlement.
> - Create, update, get, delete an OAuth app using Dynamic Client
>   Registration endpoint.
>
>
> No blocking issues found.
>
> [+] Stable - Go ahead and release
>
> Thanks,
> Dewni
>
> On Tue, Jun 19, 2018 at 1:43 PM, Sathya Bandara  wrote:
>
>> Hi all,
>>
>> I've tested following scenarios on the IS 5.6.0-RC3 pack.
>>
>> User management (add/update/remove users).
>> User management in secondary userstores (Read-Write LDAP).
>> Consent Management in SAML SSO.
>> SAML to SAML federation.
>> Creating workflows definitions for primary userstore users.
>> Engaging/Disabling workflows on user-store operations.
>> Enable role based authorization using XACML for service providers.
>> Tenant creation/update/disabling.
>>
>> No blocking issues are found.
>>
>> [+] Stable - go ahead and release.
>>
>> Thanks,
>> Sathya
>>
>>
>> On Tue, Jun 19, 2018 at 12:26 PM, Vihanga Liyanage 
>> wrote:
>>
>>> Hi all,
>>>
>>> I've tested following scenarios on the IS 5.6.0-RC3 pack with default
>>> database setup.
>>>
>>> - Enable user self-registration and self-register a new user.
>>> - Add multiple consent purposes with multiple PII categories.
>>> - Login to dashboard and see whether we can see the default consent
>>>   and above added PII categories.
>>> - Confirm claims are getting filtered based on consents.
>>> - Configure a service provider with OpenID Connect and acquire
>>>   access tokens via Authorization Code, Implicit, Client Credential and
>>>   Password grant types.
>>> - Enable ID token encryption for the service provider and test the
>>>   flow with decryption for all grant types.
>>> - Delete the self-signed up user, create another user with the exact
>>>   same username, log in to the dashboard and see what are the consents
>>>   shown.
>>> - Revoke consents of the user via the dashboard and try accessing
>>>   the SP to verify the consents are asked again.
>>> - Delete the SP, login to the dashboard and see whether the consents
>>>   are deleted for that SP.
>>>
>>> No blocking issues are found.
>>>
>>> [+] Stable - go ahead and release.
>>>
>>> Thanks,
>>> Vihanga.
>>>
>>> On Fri, Jun 15, 2018 at 6:29 PM Madawa Soysa  wrote:
>>>
>>>> Hi all,
>>>>
>>>> We are pleased to announce the third release candidate of WSO2 Identity
>>>> Server 5.6.0.
>>>>
>>>> This release fixes the following issues
>>>>
>>>> - 5.6.0-RC Fixes
>>>> - 5.6.0-Beta Fixes
>>>> - 5.6.0-Alpha2 Fixes
>>>> - 5.6.0-Alpha Fixes
>>>> - 5.6.0-M7 Fixes
>>>> - 5.6.0-M6 Fixes
>>>> - 5.6.0-M5 Fixes
>>>> - 5.6.0-M4 Fixes
>>>> - 5.6.0-M3 Fixes
>>>> - 5.6.0-M2 Fixes
>>>> - 5.6.0-M1 Fixes
>>>>
>>>> Source and distribution,
>>>> Runtime - https://github.com/wso2/product-is/releases/tag/v5.6.0-rc3
>>>> Analytics - https://github.com/wso2/analytics-is/releases/v5.6.0-rc3
>>>>
>>>> Please download, test the product and vote.
>>>>
>>>> [+] Stable - go ahead and release
>>>> [-] Broken - do not release (explain why)
>>>>
>>>> Thanks,
>>>> WSO2 Identity and Access Management Team
>>>> --
>>>>
>>>> Madawa Soysa / Senior Software Engineer
>>>> mada...@wso2.com / +94714616050
>>>>
>>>> *WSO2 Inc.*
>>>> lean.enterprise.middleware
>>>>
>>>
>>> --
>>>
>>> Vihanga Liyanage
>>>
>>> Software Engineer | WS*O₂* Inc.
>>>
>>> M : +*94710124103* | http://wso2.com
>>>
>>> [image: http://wso2.com/signature] 
>>>
>>> ___
>>> Dev mailing list
>>> Dev@wso2.org
>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>
>>>
>>
>>
>> --
>> Sathya Bandara
>> Software 

Re: [Dev] Null Point Exception when calling authorize endpoint in OAuth Request Path Authenticator

2018-05-27 Thread Hasanthi Purnima Dissanayake
Hi Shavantha,

Is this with the IS 5.5.0 GA pack? I have just followed the doc and I could
execute the curl commands successfully. Please find the requests and
responses I got.

request :

curl -u a2hE7kiVtQonrW3fWUUGDs67mfwa:co4Akgj8UciNrMviwLdroyW1M3oa \
  -d "grant_type=password&username=admin&password=admin&scope=openid" \
  -H "Content-Type:application/x-www-form-urlencoded" \
  https://localhost:9443/oauth2/token -k;

response :

{"access_token":"277f0e4e-ce4f-3040-a893-fc360b62e26d","refresh_token":"ee369283-df03-3e05-bc11-ca32f5435a06","scope":"openid","id_token":"eyJ4NXQiOiJOVEF4Wm1NeE5ETXlaRGczTVRVMVpHTTBNekV6T0RKaFpXSTRORE5sWkRVMU9HRmtOakZpTVEiLCJraWQiOiJOVEF4Wm1NeE5ETXlaRGczTVRVMVpHTTBNekV6T0RKaFpXSTRORE5sWkRVMU9HRmtOakZpTVEiLCJhbGciOiJSUzI1NiJ9.eyJhdF9oYXNoIjoiUXI5X1FnTE1SS1VTQ29pMmVoTUM0dyIsInN1YiI6ImFkbWluIiwiYXVkIjpbImEyaEU3a2lWdFFvbnJXM2ZXVVVHRHM2N21md2EiXSwiYXpwIjoiYTJoRTdraVZ0UW9uclczZldVVUdEczY3bWZ3YSIsImFtciI6WyJwYXNzd29yZCJdLCJpc3MiOiJodHRwczpcL1wvbG9jYWxob3N0Ojk0NDNcL29hdXRoMlwvdG9rZW4iLCJleHAiOjE1Mjc0ODM2MTIsImlhdCI6MTUyNzQ4MDAxMn0.WxlTedNKTvgiQhHpc3fvXV8EUSgtE1bxnzE_V4eLEVgs-7bFZ5QCtL-5WIL_m0L4lhMPK1m9v8_KIWWRVGuxD-vnYb8rVqWqBk-QLsmsKmxh6oNYcBXJ8sMoYODF1qSQK2DveMw7fbk6xSTcKzBIHVcArsci4T3EEWFUoP08xG37LLqwdojWLe4MPcmZSn8nGB8ysfXEuav-7CyIXSQMpBS3XfR1gT_CeaILs_gIsdmtuXl9xoENynsCtZAiXrQyFXuQ9ipSB6Ebfbi-XHV732TwKy9uiSCz6knPe7jFD2PSEl4AcU8I8UeFZ5OQ7nUN9L45L4I1VjOnYy_OiUZWhQ","token_type":"Bearer","expires_in":2557


request :

curl -v -X POST -H "Authorization: Bearer 277f0e4e-ce4f-3040-a893-fc360b62e26d" \
  -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" -k \
  -d "response_type=code&client_id=a2hE7kiVtQonrW3fWUUGDs67mfwa&redirect_uri=http://localhost:8080/playground2/oauth2client&scope=openid" \
  https://localhost:9443/oauth2/authorize


response :

Location:
http://localhost:8080/playground2/oauth2client?code=63380aed-2812-3f2c-a120-6bb7702bb4ce&session_state=98edbe0321cc337560dba789cf7c60635a942c2a98aa35983e144342308f74ea.gS_flCgCVJ17T-iocR2Yyg



request :

curl -v -X POST --basic -u a2hE7kiVtQonrW3fWUUGDs67mfwa:co4Akgj8UciNrMviwLdroyW1M3oa \
  -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" -k \
  -d "grant_type=authorization_code&client_id=a2hE7kiVtQonrW3fWUUGDs67mfwa&redirect_uri=http://localhost:8080/playground2/oauth2client&code=63380aed-2812-3f2c-a120-6bb7702bb4ce&scope=openid" \
  https://localhost:9443/oauth2/token;


response :

{"access_token":"277f0e4e-ce4f-3040-a893-fc360b62e26d","refresh_token":"ee369283-df03-3e05-bc11-ca32f5435a06","scope":"openid","id_token":"eyJ4NXQiOiJOVEF4Wm1NeE5ETXlaRGczTVRVMVpHTTBNekV6T0RKaFpXSTRORE5sWkRVMU9HRmtOakZpTVEiLCJraWQiOiJOVEF4Wm1NeE5ETXlaRGczTVRVMVpHTTBNekV6T0RKaFpXSTRORE5sWkRVMU9HRmtOakZpTVEiLCJhbGciOiJSUzI1NiJ9.eyJhdF9oYXNoIjoiUXI5X1FnTE1SS1VTQ29pMmVoTUM0dyIsImNfaGFzaCI6Ikc5YUE3LWVSdGR5OWhIcmdYTXFzZ2ciLCJzdWIiOiJhZG1pbiIsImF1ZCI6WyJhMmhFN2tpVnRRb25yVzNmV1VVR0RzNjdtZndhIl0sImF6cCI6ImEyaEU3a2lWdFFvbnJXM2ZXVVVHRHM2N21md2EiLCJhbXIiOltdLCJpc3MiOiJodHRwczpcL1wvbG9jYWxob3N0Ojk0NDNcL29hdXRoMlwvdG9rZW4iLCJleHAiOjE1Mjc0ODQ1MTAsImlhdCI6MTUyNzQ4MDkxMCwic2lkIjoiNmEyNTAzMDYtZjUyOC00OWE2LWE1ZTAtNjBlY2I0NTgzODQ4In0.OrmfIJUuCdxZ3Q9VEsRDHykk-PFK-xwTarRo9FjYjq4tgN-xp9IZjd1ofL1vtYcuR6QNKZTokSAujpXyy-j7lC9enGkBLBSm1XV06aONr-oPe4q3r0AlQLbvpbdodrkDcqwOa6Cpe83kBJU-wWEk8QWJEloWhfmoBktr2PXRRlGbBmq-mCCRe5NVe-Sxqb0Vl0lqlT98wQvHdhMtMy-TaR56hNNnhIP10I0Vu9v7kLDlNMxiLg1O2uMn_OBZfDPSN68XZ-MIQFjoHvK8uc_SoZIa8el9uM4vTQRjUA-O6jT56IjfnI6iB_UcRCaigsT_XNy_4tcVj-scXKsJ8PuQuA","token_type":"Bearer","expires_in":1659}


Can you please elaborate more on which step you got the above null
pointer from?

Thanks,

On Mon, May 28, 2018 at 8:20 AM, Shavantha Weerasinghe 
wrote:

> Hi All
>
> When following the steps in [1] and when submitting the user consent step
> I get the below exception. Appreciate some input on the possible cause. This
> was with the SkipUserConsent property in identity.xml set to false.
>
> [1]https://docs.wso2.com/display/IS550/OAuth+Request+Path+Authenticator
>
> [2018-05-28 07:50:40,110]  INFO 
> {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil}
> -  'admin@carbon.super [-1234]' logged in at [2018-05-28
> 07:50:40,110+0530]
> [2018-05-28 07:50:41,212] ERROR {org.wso2.carbon.identity.
> application.authenticator.requestpath.oauth.OAuthRequestPathAuthenticator}
> -  RequestPath OAuth authentication failed
> [2018-05-28 07:50:41,219] ERROR {org.wso2.carbon.identity.
> application.authenticator.requestpath.oauth.OAuthRequestPathAuthenticator}
> -  Authentication Failed
> org.wso2.carbon.identity.application.authentication.framework.exception.AuthenticationFailedException:
> Authentication Failed
> at org.wso2.carbon.identity.application.authenticator.
> requestpath.oauth.OAuthRequestPathAuthenticator.
> processAuthenticationResponse(OAuthRequestPathAuthenticator.java:98)
> at org.wso2.carbon.identity.application.authentication.framework.
> AbstractApplicationAuthenticator.process(AbstractApplicationAuthenticat
> or.java:72)
> at org.wso2.carbon.identity.application.authentication.
> 

Re: [Dev] Is it possible to validate token of Google using it's introspection url

2018-05-02 Thread Hasanthi Purnima Dissanayake
Hi Shiva,

> Hi All,
>
> Can I configure API gateway so that it will validate third party generated
> token like Google, Twitter etc?
>
>
>
Using the WSO2 introspection endpoint you can validate tokens generated by the
WSO2 server. There is no such API to validate third party generated tokens.

Thanks,

On Thu, May 3, 2018 at 10:49 AM, Shiva Kumar 
wrote:

> Hi All,
>
> Can I configure API gateway so that it will validate third party generated
> token like Google, Twitter etc?
>
>
> Thanks,
>
> Shiva
>
> ___
> Dev mailing list
> Dev@wso2.org
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>



-- 

Hasanthi Dissanayake

Senior Software Engineer | WSO2

E: hasan...@wso2.com
M :0718407133| http://wso2.com 


Re: [Dev] Issue with OIDC Request object

2018-04-09 Thread Hasanthi Purnima Dissanayake
Hi Gayan,

> *Request object*
>
> {
>   "iss": "KqpUgGLpJaW5n5_OiAJlSnMiCiIa",
>   "aud": "https://localhost:9444/oauth2/token",
>   "response_type": "id_token token",
>   "client_id": "KqpUgGLpJaW5n5_OiAJlSnMiCiIa",
>   "redirect_uri": "http://localhost:8080/playground2/oauth2client",
>   "scope": "openid",
>   "state": "af0ifjsldkj",
>   "nonce": "n-0S6_WzA2Mj",
>   "max_age": 86400,
>   "claims": {
>     "userinfo": {
>       "given_name": {
>         "essential": true
>       }
>     },
>     "id_token": {
>       "given_name": {
>         "essential": true
>       },
>       "acr": {
>         "values": [
>           "urn:mace:incommon:iap:silver"
>         ]
>       }
>     }
>   }
> }
>
>
Can you please provide the full authorization request that you are using.
For your reference I will add a sample request as below.

https://server.example.com/authorize?
response_type=code%20id_token
&client_id=s6BhdRkqt3
&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
&scope=openid
&state=af0ifjsldkj
&nonce=n-0S6_WzA2Mj
&request=eyJhbGciOiJSUzI1NiIsImtpZCI6ImsyYmRjIn0.ew0KICJpc3MiOiA...nwwnNsk1-ZkbmnvsF6zTHm8CHERFMGQPhos-EJcaH4H
h-sMgk8ePrGhw_trPYs8KQxsn6R9Emo_wHwajyFKzuMXZFSZ3p6Mb8dkxtVyjoy2
GIzvuJT_u7PkY2t8QU9hjBcHs68PkgjDVTrG1uRTx0GxFbuPbj96tVuj11pTnmFC
UR6IEOXKYr7iGOCRB3btfJhM0_AKQUfqKnRlrRscc8Kol-cSLWoYE9l5QqholImz
jT_cMnNIznW9E7CDyWXTsO70xnB4SkG6pXfLSjLLlxmPGiyon_-Te111V8uE83Il
zCYIb_NMXvtTIVc1jpspnTSD7xMbpL-2QgwUsAlMGzw

From the above mail what I understand is that you have provided a plain
text value for the request parameter. But here the value of the request
parameter should be a JWT/JWS or JWE. After using a JWT if you still
observe the error please get back to us.

Thanks,



On Tue, Apr 10, 2018 at 9:37 AM, gayan gunawardana 
wrote:

> Hi All,
>
> Sent below request, expecting *given_name* claim but ID Token doesn't
> have given_name claim when obtaining ID Token from Implicit grant type.
>
> *Request object *
>
> {
>   "iss": "KqpUgGLpJaW5n5_OiAJlSnMiCiIa",
>   "aud": "https://localhost:9444/oauth2/token",
>   "response_type": "id_token token",
>   "client_id": "KqpUgGLpJaW5n5_OiAJlSnMiCiIa",
>   "redirect_uri": "http://localhost:8080/playground2/oauth2client",
>   "scope": "openid",
>   "state": "af0ifjsldkj",
>   "nonce": "n-0S6_WzA2Mj",
>   "max_age": 86400,
>   "claims": {
>     "userinfo": {
>       "given_name": {
>         "essential": true
>       }
>     },
>     "id_token": {
>       "given_name": {
>         "essential": true
>       },
>       "acr": {
>         "values": [
>           "urn:mace:incommon:iap:silver"
>         ]
>       }
>     }
>   }
> }
>
> *ID Token*
>
> {
>   "at_hash": "A73K_CSStq6fs611ZzFs7A",
>   "sub": "admin",
>   "aud": [
>     "KqpUgGLpJaW5n5_OiAJlSnMiCiIa"
>   ],
>   "azp": "KqpUgGLpJaW5n5_OiAJlSnMiCiIa",
>   "amr": [],
>   "iss": "https://localhost:9444/oauth2/token",
>   "exp": 1523335098,
>   "nonce": "n-0S6_WzA2Mj",
>   "iat": 1523331498,
>   "sid": "e7278e7c-224b-45c2-a8e0-e5f36cb77b47"
> }
>
>
> [1] https://docs.wso2.com/display/IS550/Passing+OIDC+
> Authentication+Request+Parameters+in+a+Request+Object
> [2] https://docs.wso2.com/display/IS550/Request+Object+Support
>
> Thanks,
> Gayan
>
> ___
> Dev mailing list
> Dev@wso2.org
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>
>


-- 

Hasanthi Dissanayake

Senior Software Engineer | WSO2

E: hasan...@wso2.com
M :0718407133| http://wso2.com 


Re: [Dev] Clarification on Private key JWT Client Authentication for OIDC

2018-03-07 Thread Hasanthi Purnima Dissanayake
Hi Shanika,

> Thank you for the clarification. In the same doc [1] under step 15 it is
> asking to replace the   in the CURL command but no
> guidance for a user on how to get thisvalue.
> Appreciate any guidance on this.
>
> +Shiraz   as these details need to be added to the doc
>
>
We do have a doc jira for this and Shiraz is working on it.  We do have a
section to explain the jwt needed here in the document as below. Seems it
should be more descriptive.

"The JWT *must* contain some REQUIRED claim values and *may* contain some
OPTIONAL claim values. For more information on the required and optional
claim values needed for the JWT for private_key_jwt authentication, click
here."

Here the private_key_jwt should be a signed JWT with the following format.

iss - REQUIRED. Issuer. This MUST contain the client_id of the OAuth Client.
sub - REQUIRED. Subject. This MUST contain the client_id of the OAuth Client.
aud - REQUIRED. Audience. The aud (audience) Claim. Value that identifies the
      Authorization Server as an intended audience. The Authorization Server
      MUST verify that it is an intended audience for the token. The Audience
      SHOULD be the URL of the Authorization Server's Token Endpoint.
jti - REQUIRED. JWT ID. A unique identifier for the token, which can be used
      to prevent reuse of the token. These tokens MUST only be used once,
      unless conditions for reuse were negotiated between the parties; any
      such negotiation is beyond the scope of this specification.
exp - REQUIRED. Expiration time on or after which the ID Token MUST NOT be
      accepted for processing.
iat - OPTIONAL. Time at which the JWT was issued.


A sample token is as follows before encoding.
{
  "alg": "RS256",
  "kid": ">",
  "typ": "JWT"
}

{
  "iss": "<>",
  "sub": "<>",
  "exp": >,
  "iat":  >,
  "jti": " an incremental unique value",
  "aud": 
}
<> with public and private key

Please refer the spec [1] for additional details.

[1] http://openid.net/specs/openid-connect-core-1_0.html#OAuth.Assertions

Thanks,



On Wed, Mar 7, 2018 at 6:56 PM, Shanika Wickramasinghe 
wrote:

> Hi All,
>
> Thank you for the clarification. In the same doc [1] under step 15 it is
> asking to replace the   in the CURL command but no
> guidance for a user on how to get thisvalue.
> Appreciate any guidance on this.
>
> +Shiraz   as these details need to be added to the doc
>
> [1]. https://docs.wso2.com/display/IS550/Private+Key+JWT+
> Client+Authentication+for+OIDC
>
> Thanks,
> Shanika.
>
> On Tue, Mar 6, 2018 at 4:26 PM, Abimaran Kugathasan 
> wrote:
>
>> Hi Shanika,
>>
>> 11th, 12th, and 13th are subsets of 10th (Import the public key of the
>> private_key_jwt issuer). You have to rename because management console
>> takes the file name of the public key as the alias which is clientID.
>>
>> The 14th step is an alternative way to install public key through keytool
>> and it requires a server restart.
>>
>> On Tue, Mar 6, 2018 at 2:56 PM, Shanika Wickramasinghe > > wrote:
>>
>>> Hi All,
>>>
>>> I tried the steps included under the section Deploying and configuring
>>> JWT client-handler artifacts in [1]. There in step 10 it says to Import the
>>> public key of the private_key_jwt issuer. Document does not have a detailed
>>> explanation on this or does not include any command to use. Is this
>>> referring to export the certificate from the key store and convert the
>>> binary encoded certificate into a PEM encoded certificate and import it
>>> under the Application certificate in the service provider as in [2].
>>>
>>> Under step 11 again it is asking to rename the public certificate with
>>> OAuth App client ID name
>>>
>>> Further step 14 specify as to import the above certificate to the
>>> default keystore [1]
>>>
>>> I am not clear with step 10, 11, 14 appreciate any guidance on how to
>>> proceed with these steps.
>>>
>>>
>>>
>>> [1]. https://docs.wso2.com/display/IS550/Private+Key+JWT+Cli
>>> ent+Authentication+for+OIDC
>>> [2]. https://docs.wso2.com/display/IS550/Adding+and+Configur
>>> ing+a+Service+Provider
>>>
>>> Thanks,
>>> Shanika.
>>>
>>>
>>> --
>>> *Shanika Wickramasinghe*
>>> Software Engineer - QA Team
>>>
>>> Email: shani...@wso2.com
>>> Mobile  : +94713503563 <+94%2071%20350%203563>
>>> Web : http://wso2.com
>>>
>>> 
>>>
>>
>>
>>
>> --
>> Thanks
>> Abimaran Kugathasan
>> Senior Software Engineer - API Technologies
>>
>> Email : abima...@wso2.com
>> Mobile : +94 773922820 <+94%2077%20392%202820>
>>
>> 
>> 
>>   
>> 
>>
>>
>
>
> --
> *Shanika Wickramasinghe*
> Software Engineer - QA Team
>
> Email: shani...@wso2.com
> Mobile  : +94713503563 
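
The claim rules listed in the reply above (iss and sub equal to the client_id, aud naming the token endpoint, a single-use jti, a required exp and an optional iat), written out as the checks an authorization server applies to a private_key_jwt assertion. This is an added example, not code from the thread or from WSO2; the class and function names, the `verify_signature` hook, the 300 second lifetime limit and the 30 second clock skew are assumptions made for the illustration.

```python
import base64
import json
import math
import time


class AssertionRejected(Exception):
    """The client assertion must not be accepted."""


def b64url_decode(segment):
    # JWT segments are unpadded base64url; restore the padding first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def build_constructed_assertion(claims, alg="RS256", signature=b"constructed-signature"):
    """Constructed sample input only: the signature bytes are a placeholder."""
    header = {"alg": alg, "typ": "JWT"}
    parts = [json.dumps(header).encode(), json.dumps(claims).encode(), signature]
    return ".".join(b64url_encode(p) for p in parts)


def _is_number(value):
    if isinstance(value, bool):
        return False
    return isinstance(value, int) or (isinstance(value, float) and math.isfinite(value))


class ClientAssertionValidator:
    REQUIRED = ("iss", "sub", "aud", "jti", "exp")

    def __init__(self, token_endpoint, verify_signature, clock=time.time,
                 max_lifetime=300, skew=30):
        self.token_endpoint = token_endpoint
        # Hypothetical hook: (client_id, signing_input, signature) -> bool,
        # checking the RS256 signature against the client's registered public key.
        self.verify_signature = verify_signature
        self.clock = clock
        self.max_lifetime = max_lifetime  # assumed policy, not from the thread
        self.skew = skew
        self._seen = {}  # (client_id, jti) -> exp, for replay detection

    def validate(self, assertion):
        """Return the authenticated client_id or raise AssertionRejected."""
        parts = assertion.split(".")
        if len(parts) != 3 or not all(parts):
            raise AssertionRejected("not a compact signed JWT")
        try:
            header = json.loads(b64url_decode(parts[0]))
            claims = json.loads(b64url_decode(parts[1]))
            signature = b64url_decode(parts[2])
        except ValueError:
            raise AssertionRejected("segments are not base64url-encoded JSON")
        if not isinstance(header, dict) or not isinstance(claims, dict):
            raise AssertionRejected("header and payload must be JSON objects")
        if header.get("alg") != "RS256":
            raise AssertionRejected("unexpected alg")
        missing = [name for name in self.REQUIRED if name not in claims]
        if missing:
            raise AssertionRejected("missing claims: " + ", ".join(missing))
        client_id, jti, exp = claims["iss"], claims["jti"], claims["exp"]
        if not isinstance(client_id, str) or claims["sub"] != client_id:
            raise AssertionRejected("iss and sub must both be the client_id")
        aud = claims["aud"]
        if self.token_endpoint not in (aud if isinstance(aud, list) else [aud]):
            raise AssertionRejected("aud does not name this token endpoint")
        if not isinstance(jti, str) or not jti:
            raise AssertionRejected("jti must be a non-empty string")
        now = self.clock()
        if not _is_number(exp) or exp <= now - self.skew:
            raise AssertionRejected("expired or invalid exp")
        if exp > now + self.max_lifetime + self.skew:
            raise AssertionRejected("lifetime longer than policy allows")
        iat = claims.get("iat")
        if iat is not None and (not _is_number(iat) or iat > now + self.skew):
            raise AssertionRejected("iat is invalid or in the future")
        signing_input = (parts[0] + "." + parts[1]).encode("ascii")
        if not self.verify_signature(client_id, signing_input, signature):
            raise AssertionRejected("signature check failed")
        # Record the jti only after the signature passed, so unsigned junk
        # cannot burn identifiers that a legitimate client will use later.
        self._seen = {k: e for k, e in self._seen.items() if e > now - self.skew}
        if (client_id, jti) in self._seen:
            raise AssertionRejected("jti already used")
        self._seen[(client_id, jti)] = exp
        return client_id
```
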

Re: [Dev] Error occurs on server startup IS 5.5.0 (built from Product-IS 5.5.X branch) with Postgres DB.

2018-02-07 Thread Hasanthi Purnima Dissanayake
Hi ,

Added [1] to fix this.
[1] https://github.com/wso2/carbon-identity-framework/pull/1312

Thanks,
Hasanthi

On Wed, Feb 7, 2018 at 4:19 PM, Isura Karunaratne  wrote:

> Hi all,
>
> The following error can be seen at server startup. There was another issue
> related to consent tables and it was fixed with [1]
>
>
> org.wso2.carbon.identity.base.IdentityRuntimeException:
> org.postgresql.util.PSQLException: ERROR: relation
> "idn_oidc_req_object_reference" does not exist
> at org.wso2.carbon.identity.base.IdentityRuntimeException.error
> (IdentityRuntimeException.java:71)
> at org.wso2.carbon.identity.core.persistence.IdentityDBInitiali
> zer.executeSQL(IdentityDBInitializer.java:351)
> at org.wso2.carbon.identity.core.persistence.IdentityDBInitiali
> zer.executeSQLScript(IdentityDBInitializer.java:264)
> at org.wso2.carbon.identity.core.persistence.IdentityDBInitiali
> zer.createIdentityDatabase(IdentityDBInitializer.java:141)
> at org.wso2.carbon.identity.core.persistence.JDBCPersistenceMan
> ager.initializeDatabase(JDBCPersistenceManager.java:112)
> at org.wso2.carbon.identity.core.internal.IdentityCoreServiceCo
> mponent.activate(IdentityCoreServiceComponent.java:133)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAcce
> ssorImpl.java:62)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMe
> thodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at org.eclipse.equinox.internal.ds.model.ServiceComponent.activ
> ate(ServiceComponent.java:235)
> at org.eclipse.equinox.internal.ds.model.ServiceComponentProp.a
> ctivate(ServiceComponentProp.java:146)
> at org.eclipse.equinox.internal.ds.model.ServiceComponentProp.b
> uild(ServiceComponentProp.java:345)
> at org.eclipse.equinox.internal.ds.InstanceProcess.buildCompone
> nt(InstanceProcess.java:620)
> at org.eclipse.equinox.internal.ds.InstanceProcess.buildCompone
> nts(InstanceProcess.java:197)
> at org.eclipse.equinox.internal.ds.Resolver.getEligible(Resolver.java:343)
> at org.eclipse.equinox.internal.ds.SCRManager.serviceChanged(SC
> RManager.java:222)
> at org.eclipse.osgi.internal.serviceregistry.FilteredServiceLis
> tener.serviceChanged(FilteredServiceListener.java:107)
> at org.eclipse.osgi.framework.internal.core.BundleContextImpl.d
> ispatchEvent(BundleContextImpl.java:861)
> at org.eclipse.osgi.framework.eventmgr.EventManager.dispatchEve
> nt(EventManager.java:230)
> at org.eclipse.osgi.framework.eventmgr.ListenerQueue.dispatchEv
> entSynchronous(ListenerQueue.java:148)
> at org.eclipse.osgi.internal.serviceregistry.ServiceRegistry.pu
> blishServiceEventPrivileged(ServiceRegistry.java:819)
> at org.eclipse.osgi.internal.serviceregistry.ServiceRegistry.pu
> blishServiceEvent(ServiceRegistry.java:771)
> at org.eclipse.osgi.internal.serviceregistry.ServiceRegistratio
> nImpl.register(ServiceRegistrationImpl.java:130)
> at org.eclipse.osgi.internal.serviceregistry.ServiceRegistry.re
> gisterService(ServiceRegistry.java:214)
> at org.eclipse.osgi.framework.internal.core.BundleContextImpl.r
> egisterService(BundleContextImpl.java:433)
> at org.eclipse.osgi.framework.internal.core.BundleContextImpl.r
> egisterService(BundleContextImpl.java:451)
> at org.wso2.carbon.core.init.CarbonServerManager.initializeCarb
> on(CarbonServerManager.java:515)
> at org.wso2.carbon.core.init.CarbonServerManager.removePendingI
> tem(CarbonServerManager.java:291)
> at org.wso2.carbon.core.init.PreAxis2ConfigItemListener.bundleC
> hanged(PreAxis2ConfigItemListener.java:118)
> at org.eclipse.osgi.framework.internal.core.BundleContextImpl.d
> ispatchEvent(BundleContextImpl.java:847)
> at org.eclipse.osgi.framework.eventmgr.EventManager.dispatchEve
> nt(EventManager.java:230)
> at org.eclipse.osgi.framework.eventmgr.EventManager$EventThread
> .run(EventManager.java:340)
> Caused by: org.postgresql.util.PSQLException: ERROR: relation
> "idn_oidc_req_object_reference" does not exist
> at org.postgresql.core.v3.QueryExecutorImpl.receiveErrorRespons
> e(QueryExecutorImpl.java:2161)
> at org.postgresql.core.v3.QueryExecutorImpl.processResults(Quer
> yExecutorImpl.java:1890)
> at org.postgresql.core.v3.QueryExecutorImpl.execute(QueryExecut
> orImpl.java:255)
> at org.postgresql.jdbc2.AbstractJdbc2Statement.execute(Abstract
> Jdbc2Statement.java:559)
> at org.postgresql.jdbc2.AbstractJdbc2Statement.executeWithFlags
> (AbstractJdbc2Statement.java:403)
> at org.postgresql.jdbc2.AbstractJdbc2Statement.execute(Abstract
> Jdbc2Statement.java:395)
> at sun.reflect.GeneratedMethodAccessor41.invoke(Unknown Source)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMe
> thodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at org.apache.tomcat.jdbc.pool.StatementFacade$StatementProxy.
> invoke(StatementFacade.java:114)
> at com.sun.proxy.$Proxy18.execute(Unknown Source)
> at 

Re: [Dev] [IAM]Implementing Eventing Mechanism in token/code insertion/deletion or revocation

2018-01-23 Thread Hasanthi Purnima Dissanayake
Hi Darshana,


> Hi Hasanthi,
>
> On Tue, Jan 23, 2018 at 10:54 PM, Hasanthi Purnima Dissanayake <
> hasan...@wso2.com> wrote:
>
>> Hi All,
>>
>> Requirement :
>> We have a requirement to insert/update or delete a row from a db table
>> once access token or authorization code is generated, revoked, code or
>> token status changed or a refresh token is issued. Without directly
>> invoking the db, we thought of implementing events to trigger when one of
>> the above scenario happens.
>>
>
> Can you explain the need of a event mechanism for these use cases.. What
> are the problems that we try to overcome using the new method?
>

The actual flow is as below. In the OIDC RO (Request Object) implementation we
persist the RO against the Session Data Key and we update the row of the RO table
once the code or a token is generated. And once the token/code is
revoked/state changed we need to delete the row accordingly. So we need to
insert/update/delete rows in the RO table based on the inserts, revokes and
deletions of the relevant tables. Actually I don't see a huge advantage in
engaging the event mechanism here. When introducing new APIs or features which
affect the token or code flows in future, then we need to put the same
logic to update the RO table everywhere if we don't use events. So it will be
clean if we can engage the event mechanism here.

Thanks,

On Tue, Jan 23, 2018 at 11:17 PM, Darshana Gunawardana <darsh...@wso2.com>
wrote:

> Hi Hasanthi,
>
> On Tue, Jan 23, 2018 at 10:54 PM, Hasanthi Purnima Dissanayake <
> hasan...@wso2.com> wrote:
>
>> Hi All,
>>
>> Requirement :
>> We have a requirement to insert/update or delete a row from a db table
>> once access token or authorization code is generated, revoked, code or
>> token status changed or a refresh token is issued. Without directly
>> invoking the db, we thought of implementing events to trigger when one of
>> the above scenario happens.
>>
>
> Can you explain the need of a event mechanism for these use cases.. What
> are the problems that we try to overcome using the new method?
>
> Thanks,
>
>
>> So the existing architecture is kind of service layer is responsible of
>> issuing/revoking/deleting tokens or codes and this layer is directly
>> invoking the DAO layer for db calls. So we have two places to implement
>> events in the service layer or the DAO layer.
>>
>> Problem :
>> If we are implementing the events in the service layer, then we have to
>> trigger multiple events in multiple places as we are doing above operations
>> in multiple places in the service layer. Also some of the service layer
>> classes are extensible so we cannot guarantee that a third party extension
>> developer will implement the events in the extended code.
>>
>> If we are implementing the events in the DAO layer, then the DAO layer
>> isolation will be violated.
>>
>> Ideally there should be a middle layer in between the service layer and
>> the DAO layer for such kind of situations. As we don't have such a middle
>> layer, ATM we have implemented the events in the DAO layer.
>>
>> Highly appreciate any feedback on above.
>>
>> Thanks,
>>
>> --
>>
>> Hasanthi Dissanayake
>>
>> Senior Software Engineer | WSO2
>>
>> E: hasan...@wso2.com
>> M :0718407133| http://wso2.com <http://wso2.com/>
>>
>
>
>
> --
> Regards,
>
>
> *Darshana Gunawardana*Technical Lead
> WSO2 Inc.; http://wso2.com
>
> *E-mail: darsh...@wso2.com <darsh...@wso2.com>*
> *Mobile: +94718566859 <+94%2071%20856%206859>*Lean . Enterprise .
> Middleware
>



-- 

Hasanthi Dissanayake

Senior Software Engineer | WSO2

E: hasan...@wso2.com
M :0718407133| http://wso2.com <http://wso2.com/>


[Dev] [IAM]Implementing Eventing Mechanism in token/code insertion/deletion or revocation

2018-01-23 Thread Hasanthi Purnima Dissanayake
Hi All,

Requirement :
We have a requirement to insert/update or delete a row from a db table once
an access token or authorization code is generated or revoked, a code or token
status is changed, or a refresh token is issued. Without directly invoking the
db, we thought of implementing events to trigger when one of the above
scenarios happens. In the existing architecture the service layer is
responsible for issuing/revoking/deleting tokens or codes and this layer
directly invokes the DAO layer for db calls. So we have two places to
implement events: the service layer or the DAO layer.

Problem :
If we are implementing the events in the service layer, then we have to
trigger multiple events in multiple places as we are doing above operations
in multiple places in the service layer. Also some of the service layer
classes are extensible so we cannot guarantee that a third party extension
developer will implement the events in the extended code.

If we are implementing the events in the DAO layer, then the DAO layer
isolation will be violated.

Ideally there should be a middle layer in between the service layer and the
DAO layer for such kind of situations. As we don't have such a middle
layer, ATM we have implemented the events in the DAO layer.

Highly appreciate any feedback on above.

Thanks,

-- 

Hasanthi Dissanayake

Senior Software Engineer | WSO2

E: hasan...@wso2.com
M :0718407133| http://wso2.com 


Re: [Dev] OAuth2 Client Authentication Error Response when authorization header is malformed

2018-01-22 Thread Hasanthi Purnima Dissanayake
Hi,


> On Mon, Jan 22, 2018 at 8:40 PM, Nilasini Thirunavukkarasu <
> nilas...@wso2.com> wrote:
>
>> Hi,
>>
>>
>> Client password is just one of the client authentication methods and also
>> client authentication can be extensible according to OAuth2. So why can't
>> we say this as an unsupported authentication method?. According to the spec
>> If it falls under unsupported authentication method then it will be an
>> invalid client.
>>
>
> Sending out basic authorization header is one of the ways to authenticate.
> Hence the client would expect to authenticate by sending out basic
> authentication headers. Since we do support basic authentication it's not
> correct to say unsupported authentication mechanism in my point of view.
> Rather this is something wrong with the format.
>

For a specific request, if it expects a header based on the authentication
mechanism, a malformed header can be considered as malformed credentials or
a malformed request. So +1 to proceed with 'invalid request'.

Thanks,



On Mon, Jan 22, 2018 at 9:13 PM, Hasintha Indrajee 
wrote:

>
>
> On Mon, Jan 22, 2018 at 8:40 PM, Nilasini Thirunavukkarasu <
> nilas...@wso2.com> wrote:
>
>> Hi,
>>
>>
>> Client password is just one of the client authentication methods and also
>> client authentication can be extensible according to OAuth2. So why can't
>> we say this as an unsupported authentication method?. According to the spec
>> If it falls under unsupported authentication method then it will be an
>> invalid client.
>>
>
> Sending out basic authorization header is one of the ways to authenticate.
> Hence the client would expect to authenticate by sending out basic
> authentication headers. Since we do support basic authentication it's not
> correct to say unsupported authentication mechanism in my point of view.
> Rather this is something wrong with the format.
>
>>
>> Please correct me if I'm wrong.
>>
>> Thanks,
>> Nila.
>>
>> On Fri, Jan 19, 2018 at 3:43 PM, Pushpalanka Jayawardhana > > wrote:
>>
>>> Hi Hasintha,
>>>
>>> On Fri, Jan 19, 2018 at 3:32 PM, Hasintha Indrajee 
>>> wrote:
>>>
>>>> WDYT about the $subject? Below quoted the descriptions of two types of
>>>> error codes from spec [1]. It looks like "invalid_request" is more
>>>> appropriate here. Any thoughts? An example authorization header is
>>>> Base64Encoded (randomString which doesn't have the format
>>>> clientid:clientSecret format)
>>>>
>>>>   invalid_request
>>>>         The request is missing a required parameter, includes an
>>>>         unsupported parameter value (other than grant type),
>>>>         repeats a parameter, includes multiple credentials,
>>>>         utilizes more than one mechanism for authenticating the
>>>>         client, or is otherwise malformed.
>>>>
>>>>   invalid_client
>>>>         Client authentication failed (e.g., unknown client, no
>>>>         client authentication included, or unsupported
>>>>         authentication method).  The authorization server MAY
>>>>         return an HTTP 401 (Unauthorized) status code to indicate
>>>>         which HTTP authentication schemes are supported.  If the
>>>>         client attempted to authenticate via the "Authorization"
>>>>         request header field, the authorization server MUST
>>>>         respond with an HTTP 401 (Unauthorized) status code and
>>>>         include the "WWW-Authenticate" response header field
>>>>         matching the authentication scheme used by the client.
>>>>


>>> +1 for using 'invalid request' in this case, where client authentication
>>> is happening with the method 'client password'.
>>> We will have to consider that other authentication mechanisms can also be
>>> available as per [2], which won't adhere to this format of
>>> 'Base64Encoded(clientid:clientSecret)'.
>>>
>>>

>>>> [1] https://tools.ietf.org/html/rfc6749
>>>>
>>> [2] - https://tools.ietf.org/html/rfc6749#section-2.3
>>>
>>>>
>>>>
>>>> --
>>>> Hasintha Indrajee
>>>> WSO2, Inc.
>>>> Mobile:+94 771892453


>>>
>>> Thanks,
>>> --
>>> Pushpalanka.
>>> --
>>> Pushpalanka Jayawardhana, B.Sc.Eng.(Hons).
>>> Senior Software Engineer, WSO2 Lanka (pvt) Ltd;  wso2.com/
>>> Mobile: +94779716248
>>> Blog: pushpalankajaya.blogspot.com/ | LinkedIn: lk.linkedin.com/in/p
>>> ushpalanka/ | Twitter: @pushpalanka
>>>
>>>
>>> ___
>>> Dev mailing list
>>> Dev@wso2.org
>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>
>>>
>>
>>
>> --
>> Nilasini Thirunavukkarasu
>> Software Engineer - WSO2
>>
>> Email : nilas...@wso2.com
>> Mobile : +94775241823
>> Web : http://wso2.com/
>>
>>
>> 
>>
>
>
>
> --
> Hasintha Indrajee
> WSO2, Inc.
> Mobile:+94 771892453
>
>
> ___
> Dev 
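
The distinction this thread settles on, as an added Java sketch (not WSO2 code): a Basic header that cannot be parsed into `clientid:clientSecret` yields `invalid_request`, while a well-formed header that fails authentication yields `invalid_client` with HTTP 401 and `WWW-Authenticate`. The class, record and registry names are hypothetical, the sample headers are constructed, and the 400/401 status codes follow RFC 6749 section 5.2.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;

public class ClientAuthErrorDemo {

    /** HTTP status, OAuth2 error code (null on success) and WWW-Authenticate value (null if unset). */
    record Outcome(int status, String error, String wwwAuthenticate) { }

    // Constructed demo registry: client_id -> client_secret.
    static final Map<String, String> CLIENTS = Map.of("app1", "s3cret");

    static Outcome authenticate(String authorizationHeader) {
        if (authorizationHeader == null || authorizationHeader.isBlank()) {
            // No client authentication included.
            return new Outcome(401, "invalid_client", "Basic");
        }
        String[] parts = authorizationHeader.trim().split("\\s+", 2);
        if (!parts[0].equalsIgnoreCase("Basic")) {
            // A scheme this server does not implement: unsupported authentication method.
            return new Outcome(401, "invalid_client", "Basic");
        }
        if (parts.length < 2) {
            // "Basic" with no credentials blob at all.
            return new Outcome(400, "invalid_request", null);
        }
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(parts[1]), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException notBase64) {
            return new Outcome(400, "invalid_request", null);
        }
        int colon = decoded.indexOf(':');
        if (colon <= 0) {
            // The thread's case: Base64(randomString) without the clientid:clientSecret shape.
            return new Outcome(400, "invalid_request", null);
        }
        String clientId = decoded.substring(0, colon);
        byte[] presented = decoded.substring(colon + 1).getBytes(StandardCharsets.UTF_8);
        String expected = CLIENTS.get(clientId);
        byte[] expectedBytes = (expected == null ? "" : expected).getBytes(StandardCharsets.UTF_8);
        // Constant-time comparison; an unknown client fails the same way as a wrong secret.
        boolean ok = MessageDigest.isEqual(expectedBytes, presented) && expected != null;
        return ok ? new Outcome(200, null, null)
                  : new Outcome(401, "invalid_client", "Basic");
    }

    static String basic(String raw) {
        return "Basic " + Base64.getEncoder().encodeToString(raw.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        Map<String, String> headers = new LinkedHashMap<>();   // constructed sample headers
        headers.put("valid credentials", basic("app1:s3cret"));
        headers.put("random string, no colon", basic("randomString"));
        headers.put("not Base64 at all", "Basic %%%");
        headers.put("wrong secret", basic("app1:guess"));
        headers.put("unknown client", basic("nobody:x"));
        headers.put("other scheme", "Digest abc");
        headers.put("header absent", null);
        headers.forEach((label, header) ->
                System.out.println(label + " -> " + authenticate(header)));
    }
}
```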

[Dev] [IAM] Access Token revocation in OAuthAdminService

2018-01-17 Thread Hasanthi Purnima Dissanayake
Hi All,

In the method [1] which is used to revoke access tokens by resource owners,
it iterates all ACTIVE or EXPIRED access tokens for the particular client
authorized by the user.

// retrieve all ACTIVE or EXPIRED access tokens for particular client
// authorized by this user
Set<AccessTokenDO> accessTokenDOs = OAuthTokenPersistenceFactory.getInstance()
        .getAccessTokenDAO().getAccessTokens(appDTO.getOauthConsumerKey(),
                user, userStoreDomain, true);

Inside the foreach the auth cache is cleared for the tokens one by one
which are fetched from the accessTokenDOs.

for (AccessTokenDO accessTokenDO : accessTokenDOs) {
    ...
    OAuthUtil.clearOAuthCache(accessTokenDO.getAccessToken());

    // retrieve latest access token for particular client, user and scope
    // combination if its ACTIVE or EXPIRED
    scopedToken = OAuthTokenPersistenceFactory.getInstance().getAccessTokenDAO()
            .getLatestAccessToken(appDTO.getOauthConsumerKey(), user, userStoreDomain,
                    OAuth2Util.buildScopeString(accessTokenDO.getScope()), true);

    // Revoking token from database
    OAuthTokenPersistenceFactory.getInstance().getAccessTokenDAO()
            .revokeAccessTokens(new String[]{scopedToken.getAccessToken()});

    ...
}

Then inside the for each itself it retrieves the latest access token for
the particular client, user and for the particular scope if the token is
ACTIVE or EXPIRED. This token is revoked from the db inside the for each.

I have two questions here.

1. We clear the auth cache based on the access token which is fetched from
accessTokenDOs and revoke the scopedToken from the db which can be
different.

2. As multiple db calls are happening here, can't we move the
logic of revoking token from db to outside of the for each, as the DAO
method supports batch operations?

Highly appreciate your feedback on this.

[1]
https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/OAuthAdminService.java#L627

Thanks.

-- 

Hasanthi Dissanayake

Senior Software Engineer | WSO2

E: hasan...@wso2.com
M :0718407133| http://wso2.com 
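
The two questions in this post, traced on constructed data as an added Java model (not code from OAuthAdminService): `revokePerToken` follows the loop quoted in the post and records, per iteration, which token was dropped from the cache and which was revoked in the store; `revokeBatched` issues one batched revoke. `TokenDao`, its methods' semantics (latest non-revoked token per scope, one round trip per call) and the token values are assumptions made for the demonstration.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Comparator;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

public class RevocationLoopDemo {

    enum State { ACTIVE, EXPIRED, REVOKED }

    static final class Token {
        final String value;
        final String scope;
        final long issuedAt;
        State state;

        Token(String value, String scope, long issuedAt, State state) {
            this.value = value;
            this.scope = scope;
            this.issuedAt = issuedAt;
            this.state = state;
        }
    }

    /** Hypothetical in-memory stand-in for the token DAO; each call counts as one DB round trip. */
    static final class TokenDao {
        final List<Token> rows = new ArrayList<>();
        int dbCalls = 0;

        List<Token> getAccessTokens() {               // ACTIVE or EXPIRED tokens, as a snapshot
            dbCalls++;
            List<Token> out = new ArrayList<>();
            for (Token t : rows) {
                if (t.state != State.REVOKED) out.add(t);
            }
            return out;
        }

        Token getLatestAccessToken(String scope) {    // newest ACTIVE or EXPIRED token for the scope
            dbCalls++;
            return rows.stream()
                    .filter(t -> t.state != State.REVOKED && t.scope.equals(scope))
                    .max(Comparator.comparingLong((Token t) -> t.issuedAt))
                    .orElse(null);
        }

        void revokeAccessTokens(String[] values) {    // accepts a batch
            dbCalls++;
            Set<String> wanted = new HashSet<>(Arrays.asList(values));
            for (Token t : rows) {
                if (wanted.contains(t.value)) t.state = State.REVOKED;
            }
        }
    }

    /** Constructed data: two tokens share the scope "openid", one token has the scope "read". */
    static TokenDao seed() {
        TokenDao dao = new TokenDao();
        dao.rows.add(new Token("t1", "openid", 100, State.EXPIRED));
        dao.rows.add(new Token("t2", "openid", 200, State.ACTIVE));
        dao.rows.add(new Token("t3", "read", 150, State.ACTIVE));
        return dao;
    }

    /** The loop from the post; each trace entry reads "cache-cleared token -> store-revoked token". */
    static List<String> revokePerToken(TokenDao dao, Set<String> cache) {
        List<String> trace = new ArrayList<>();
        for (Token t : dao.getAccessTokens()) {
            cache.remove(t.value);
            Token scoped = dao.getLatestAccessToken(t.scope);
            if (scoped == null) continue;
            dao.revokeAccessTokens(new String[]{scoped.value});
            trace.add(t.value + " -> " + scoped.value);
        }
        return trace;
    }

    /** Batched variant: revoke every fetched token in one call, then clear the same tokens from the cache. */
    static void revokeBatched(TokenDao dao, Set<String> cache) {
        String[] values = dao.getAccessTokens().stream().map(t -> t.value).toArray(String[]::new);
        dao.revokeAccessTokens(values);   // store first, so a cache refill cannot see a live token
        cache.removeAll(Arrays.asList(values));
    }

    public static void main(String[] args) {
        TokenDao a = seed();
        Set<String> cacheA = new HashSet<>(Arrays.asList("t1", "t2", "t3"));
        System.out.println("per-token trace:    " + revokePerToken(a, cacheA));
        System.out.println("per-token DB calls: " + a.dbCalls);

        TokenDao b = seed();
        Set<String> cacheB = new HashSet<>(Arrays.asList("t1", "t2", "t3"));
        revokeBatched(b, cacheB);
        System.out.println("batched DB calls:   " + b.dbCalls);
    }
}
```

Under these assumptions the per-token loop clears one token from the cache while revoking a different one in the same iteration whenever two tokens share a scope, and it makes two store calls per token where the batched variant makes two in total.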


Re: [Dev] Login to Identity Server using another Identity Server - OAuth2

2017-12-15 Thread Hasanthi Purnima Dissanayake
Hi Isuru,

What you need to do is as follows,

1. Create an OIDC SP in the second IS instance.
2. Create an IDP in the first IS instance
3. Add an authenticator for the above configured IDP by configuring
'Oauth2/Openid connect configuration' in the 'Federated Authenticators'
section.
(Take the client_id , client_secret from the sp of the first IS instance
and use it as client id and secret when configuring the federated
authenticator)
4. Configure a SP in the first IS (May be Playground sample or travelocity
sample based on the requirement)
5. Configure previously created IDP for the SP in the first IS instance.

When you try to log in to the SP of the first IS instance you will get
the login page of the second IS.

Thanks,

On Fri, Dec 15, 2017 at 1:23 PM, Isuru Uyanage  wrote:

> Hi All,
>
> I'm trying to login to Identity Server using another Identity Server. I
> followed doc[1].
> It has been asked to follow the below steps.
>
> - Configure an IDP(Idp9443) in Identity Server1.
> - Configure an SP(SP9444) in Identity Server2.
> - In the second Identity Server, in Service Provider Configuration,
>   select Idp9443, which is created in first IS, as the federated
>   authenticator in Local and Outbound Authentication Configuration.
>
>
> My question is it only displays the IDPs created in its own Identity
> Server in Service Provider/Outbound Authentication Configuration. We
> created the IDP in IS1. How is it going to be displayed in Federated
> Authenticators in IS2?
>
> It would be highly appreciated if these steps can be verified and specify
> if I have missed any configuration step here.
>
> [1]- https://docs.wso2.com/display/IS540/Login+to+
> Identity+Server+using+another+Identity+Server+-+OAuth2
>
>
>
> *Thanks and Best Regards,*
>
> *Isuru Uyanage*
> *Software Engineer - QA | WSO2*
> *Mobile : +94 77 55 30752*
> *LinkedIn: https://www.linkedin.com/in/isuru-uyanage/*
>
>
>
>


-- 

Hasanthi Dissanayake

Senior Software Engineer | WSO2

E: hasan...@wso2.com
M :0718407133| http://wso2.com 


Re: [Dev] [IS 5.3.0] How to configure OIDC claims globally?

2017-11-03 Thread Hasanthi Purnima Dissanayake
Hi Javier,

When using the OIDC protocol, the claims returned from the id token or user info
endpoint will be decided based on the requested scopes, requested claims
and the service provider configurations. The supported scopes and related
claims are listed in the registry located in "/oidc/". Users can add any custom
scope or a claim here in the registry as supported scopes rather than the
default ones existing. With the current implementation we don't have a
global configuration to configure this for all service providers.

As this seems a valid requirement, it is great if you can report an issue
in the git repo 'https://github.com/wso2/product-is' to track the
requirement for a future release.

Thanks,

Hasanthi Dissanayake

Software Engineer | WSO2

E: hasan...@wso2.com
M :0718407133| http://wso2.com 

On Thu, Nov 2, 2017 at 12:35 AM, Vazquez-Hidalgo, Javier <
javier.vazquez-hida...@tdsecurities.com> wrote:

> Hello,
>
>
>
> I’ve been trying to return claims embedded in the “id_token” (JWT) but it
> only works if I configure them in the Service Provider -> Claim
> Configuration section.
>
>
>
> Is there a way to configure them globally for all service providers?
>
>
>
>
>
> Regards,
>
> Javier Vazquez
>
>
>


Re: [Dev] NULL as default value in DB2

2017-09-08 Thread Hasanthi Purnima Dissanayake
Hi Nilasini,

The IBM documentation states the following when we don't define any default value
after the column name [1].

"Omission of NOT NULL and DEFAULT from a column-definition, for a column
other than an identity column, is an implicit specification of DEFAULT
NULL. For an identity column, it is an implicit specification of NOT NULL,
and DB2 generates default values."

So in your case, as *'REMAINING_SETS'* is not a primary key column, if
we don't define anything it will take 'Null' as the default value. But if
you don't define a default value for a primary key column, then the default
value will be NOT NULL.

[1]
https://www.ibm.com/support/knowledgecenter/en/SSEPEK_10.0.0/sqlref/src/tpc/db2z_sql_createtable.html

Thanks,


Hasanthi Dissanayake

Software Engineer | WSO2

E: hasan...@wso2.com
M :0718407133| http://wso2.com 

On Fri, Sep 8, 2017 at 5:56 PM, Nilasini Thirunavukkarasu  wrote:

> Hi,
>
> In DB2 if we want to set default value as null for a column, do we need to
> specify it explicitly?. According to the following[1] blog we don't need to
> specify the NULL as default since it will implicitly take the default value
> as NULL if we didn't specify it.
>
> For the following script do we need to specify the default value as null
> for the column *REMAINING_SETS?*
>
> CREATE TABLE IDN_RECOVERY_DATA (
>   USER_NAME VARCHAR(255) NOT NULL,
>   USER_DOMAIN VARCHAR(127) NOT NULL,
>   TENANT_ID INTEGER DEFAULT -1 NOT NULL,
>   CODE VARCHAR(255) NOT NULL,
>   SCENARIO VARCHAR(255) NOT NULL,
>   STEP VARCHAR(127) NOT NULL,
>   TIME_CREATED TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
> *  REMAINING_SETS VARCHAR(2500) WITH DEFAULT NULL,*
>   PRIMARY KEY(USER_NAME, USER_DOMAIN, TENANT_ID, SCENARIO,STEP),
>   UNIQUE(CODE))
>
> [1] https://www.datavail.com/blog/using-nulls-db2/
>
> --
> Nilasini Thirunavukkarasu
> Software Engineer - WSO2
>
> Email : nilas...@wso2.com
> Mobile : +94775241823
> Web : http://wso2.com/
>
>
> 
>


Re: [Dev] Regarding auth_time claim in OIDC id_token

2017-09-06 Thread Hasanthi Purnima Dissanayake
Hi Hasini,

The spec does not speak directly about the auth_time when the user
has a previous session. IMO when we send the request without prompt=none,
as 'auth_time' indicates the user authenticated time, if the user does not have
a previous session then the 'auth_time' should be the session created time
and if the user has a previous session then it should be the session
updated time.

Thanks,

Hasanthi Dissanayake

Software Engineer | WSO2

E: hasan...@wso2.com
M :0718407133| http://wso2.com 

On Wed, Aug 30, 2017 at 10:56 AM, Hasini Witharana  wrote:

> Hi Asela,
>
> We take the session updated time as the new auth_time.
>
> Thank you.
>
> On Tue, Aug 29, 2017 at 5:59 PM, Asela Pathberiya  wrote:
>
>>
>>
>> On Tue, Aug 29, 2017 at 4:29 PM, Hasini Witharana 
>> wrote:
>>
>>> Hi Asela,
>>>
>>> If SP sends a force auth request, we update the existing session.
>>>
>>
>> So;  Are we generating new auth_time when session is updated ?
>>
>>
>>>
>>> Thanks,
>>> Hasini
>>>
>>>
>>>
>>> On Wed, Aug 23, 2017 at 1:27 PM, Asela Pathberiya 
>>> wrote:
>>>


>>>> On Wed, Aug 23, 2017 at 12:46 PM, Hasini Witharana
>>>> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> In the OIDC specification auth_time is defined as below.[1]
>>>>>
>>>>> Time when the End-User authentication occurred. Its value is a JSON
>>>>> number representing the number of seconds from 1970-01-01T0:0:0Z as
>>>>> measured in UTC until the date/time. When a max_age request is made
>>>>> or when auth_time is requested as an Essential Claim, then this Claim
>>>>> is REQUIRED; otherwise, its inclusion is OPTIONAL.
>>>>>
>>>>> In the current implementation when the user is authenticated for the
>>>>> first time using user credentials, auth_time is considered as the session
>>>>> created time. After that when user is implicitly login in using a cookie
>>>>> without giving user credentials, auth_time is considered as session updated
>>>>> time.
>>>>>
>>>>
>>>> If SP sends a force auth request,  Are we creating a new session or
>>>> update the existing session ?
>>>>
>>>> If max_age is expired,  Does SP need to send a force auth request or
>>>> just an authentication request ?
>>>>
>>>> Thanks,
>>>> Asela.
>>>>
>>>>>
>>>>> As I think the auth_time should be the first time user authenticated
>>>>> using credentials.
>>>>> [2] is the fix made for this issue.
>>>>>
>>>>> Thank you.
>>>>>
>>>>> [1] - http://openid.net/specs/openid-connect-core-1_0.html
>>>>> [2] - https://github.com/wso2-extensions/identity-inbound-auth-oauth/pull/455
>>>>>
>>>>> --
>>>>>
>>>>> *Hasini Witharana*
>>>>> Software Engineering Intern | WSO2
>>>>>
>>>>>
>>>>> *Email : hasi...@wso2.com *
>>>>>
>>>>> *Mobile : +94713850143*
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Thanks & Regards,
>>>> Asela
>>>>
>>>> ATL
>>>> Mobile : +94 777 625 933
>>>>          +358 449 228 979
>>>>
>>>> http://soasecurity.org/
>>>> http://xacmlinfo.org/

>>>
>>>
>>>
>>> --
>>>
>>> *Hasini Witharana*
>>> Software Engineering Intern | WSO2
>>>
>>>
>>> *Email : hasi...@wso2.com *
>>>
>>> *Mobile : +94713850143*
>>>
>>
>>
>>
>> --
>> Thanks & Regards,
>> Asela
>>
>> ATL
>> Mobile : +94 777 625 933
>>  +358 449 228 979
>>
>> http://soasecurity.org/
>> http://xacmlinfo.org/
>>
>
>
>
> --
>
> *Hasini Witharana*
> Software Engineering Intern | WSO2
>
>
> *Email : hasi...@wso2.com *
>
> *Mobile : +94713850143*
>


Re: [Dev] [IS] Usage of "kid" JWT header parameter

2017-08-31 Thread Hasanthi Purnima Dissanayake
Hi Gayan,

It seems we can use [1] which contains the exact logic to generate 'kid'
value. WDYT?

[1]
https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/util/OAuth2Util.java#L1568

Thanks,



Hasanthi Dissanayake

Software Engineer | WSO2

E: hasan...@wso2.com
M :0718407133| http://wso2.com 

On Fri, Sep 1, 2017 at 10:10 AM, Gayan Gunawardana  wrote:

> In order to retrieve tenant public key to calculate kid value we can use
> same logic as in [1].
>
> boolean isJWTSignedWithSPKey = OAuthServerConfiguration.getInstance().isJWTSignedWithSPKey();
> String tenantDomain = null;
> if (isJWTSignedWithSPKey) {
>     tenantDomain = (String) request.getProperty(MultitenantConstants.TENANT_DOMAIN);
> } else {
>     tenantDomain = request.getAuthorizationReqDTO().getUser().getTenantDomain();
> }
>
>
> [1] https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/openidconnect/DefaultIDTokenBuilder.java#L434
>
> On Thu, Aug 31, 2017 at 11:24 PM, Darshana Gunawardana 
> wrote:
>
>> Will prioritize this for IS 5.4.0.
>>
>> Thanks,
>>
>> On Tue, Aug 29, 2017 at 11:47 PM, Prabath Siriwardena 
>> wrote:
>>
>>> Hope we will fix this for IS 5.4.0..?
>>>
>>> Thanks & regards,
>>> -Prabath
>>>
>>> On Tue, Aug 29, 2017 at 2:34 AM, Indunil Upeksha Rathnayake <
>>> indu...@wso2.com> wrote:
>>>
>>>> Hi,
>>>>
>>>> On Mon, Aug 28, 2017 at 12:07 PM, Gayan Gunawardana
>>>> wrote:
>>>>
>>>>>
>>>>>
>>>>> On Mon, Aug 28, 2017 at 11:48 AM, Indunil Upeksha Rathnayake <
>>>>> indu...@wso2.com> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> In IS, when signing the ID token, we are passing the "kid" header
>>>>>> parameter in the response.
>>>>>> https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/openidconnect/DefaultIDTokenBuilder.java#L122
>>>>>>
>>>>>> As per the specification (Refer [1]) :
>>>>>>
>>>>>>> *The kid value is a key identifier used in identifying the key to be
>>>>>>> used to verify the signature. If the kid value is unknown to the RP, it
>>>>>>> needs to retrieve the contents of the OP's JWK Set again to obtain the OP's
>>>>>>> current set of keys.*
>>>>>>>
>>>>>>
>>>>>> We have hard coded this "kid" value in the implementation level. What
>>>>>> happens if the signing key is a different one than the default one?
>>>>>>
>>>>>> Seems like this "kid" is like a hint to identify which specific key
>>>>>> to be used to validate the signature, when there are multiple keys. Is it a
>>>>>> valid use case in IS, since there cannot be multiple certs available in
>>>>>> resident IDP? And also is it correct to use a hard coded value from
>>>>>> back-end?
>>>>>>
>>>>> Having hard coded value is not correct. "kid" value should be
>>>>> generated based on certificate "thumbprint". Hard coded value would work
>>>>> for super tenant default keystore.
>>>>>
>>>>
>>>> Thanks. I have created a public JIRA in [1] to handle this.
>>>>
>>>> [1] https://wso2.org/jira/browse/IDENTITY-6311
>>>>
>>>>
>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> This is hard coded in JwksEndpoint as well.
>>>>>> https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/jwks/JwksEndpoint.java#L54
>>>>>>
>>>>>> But in JWTTokenGenerator, we are not setting the "kid" parameter.
>>>>>> https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/authcontext/JWTTokenGenerator.java#L293
>>>>>>
>>>>>> In which scenarios, this "kid" header parameter should be sent and
>>>>>> should not be sent? Recently we have implemented to sign the user info JWT
>>>>>> response and need to verify whether "kid" parameter should be sent there as
>>>>>> well.
>>>>>>
>>>>>>
>>>>>>
>>>>>> Appreciate your ideas on above concerns.
>>>>>>
>>>>>> [1] http://openid.net/specs/openid-connect-core-1_0.html
>>>>>>
>>>>>>
>>>>>> Thanks and Regards
>>>>>> --
>>>>>> Indunil Upeksha Rathnayake
>>>>>> Software Engineer | WSO2 Inc
>>>>>> Email    indu...@wso2.com
>>>>>> Mobile   0772182255
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Gayan Gunawardana
>>>>> Senior Software Engineer; WSO2 Inc.; http://wso2.com/
>>>>> Email: ga...@wso2.com
>>>>> Mobile: +94 (71) 8020933
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Indunil Upeksha Rathnayake
>>>> Software Engineer | WSO2 Inc
>>>> Email    indu...@wso2.com
>>>> Mobile   0772182255

>>>
>>>
>>>
>>> --
>>> Thanks & Regards,
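
Why a hard-coded "kid" stops working once more than one signing key exists, as an added Java example (not the project's OAuth2Util logic): the relying party selects the verification key by "kid", so two tenant keys published under one fixed id cannot both be resolved, while a "kid" derived from the key resolves each one. The derivation used here, base64url of the SHA-256 digest of the encoded public key, is a stand-in for the certificate thumbprint the thread proposes; class names, the fixed kid value and the payload are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

public class KidSelectionDemo {

    static final String HARD_CODED_KID = "fixed-kid";   // constructed placeholder value

    /** Key-derived identifier: base64url(SHA-256(encoded public key)). */
    static String derivedKid(PublicKey key) throws GeneralSecurityException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(key.getEncoded());
        return Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
    }

    static byte[] sign(PrivateKey key, String payload) throws GeneralSecurityException {
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(key);
        signer.update(payload.getBytes(StandardCharsets.UTF_8));
        return signer.sign();
    }

    /** Relying-party side: choose the verification key by kid from the published key set. */
    static boolean verify(Map<String, PublicKey> publishedKeys, String kid,
                          String payload, byte[] signature) throws GeneralSecurityException {
        PublicKey key = publishedKeys.get(kid);
        if (key == null) {
            return false;   // unknown kid: the RP would re-fetch the OP's JWK Set here
        }
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(key);
        verifier.update(payload.getBytes(StandardCharsets.UTF_8));
        return verifier.verify(signature);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
        generator.initialize(2048);
        KeyPair superTenant = generator.generateKeyPair();
        KeyPair tenant = generator.generateKeyPair();

        String payload = "{\"sub\":\"alice\",\"iss\":\"tenant.example\"}";   // constructed
        byte[] signature = sign(tenant.getPrivate(), payload);

        // Hard-coded kid: the single id can resolve only one key, here the super tenant's.
        Map<String, PublicKey> fixed = new HashMap<>();
        fixed.put(HARD_CODED_KID, superTenant.getPublic());
        System.out.println("hard-coded kid, tenant-signed token verifies: "
                + verify(fixed, HARD_CODED_KID, payload, signature));

        // Derived kid: each key is published under its own id and the token names its signer.
        Map<String, PublicKey> derived = new HashMap<>();
        derived.put(derivedKid(superTenant.getPublic()), superTenant.getPublic());
        derived.put(derivedKid(tenant.getPublic()), tenant.getPublic());
        String tenantKid = derivedKid(tenant.getPublic());
        System.out.println("derived kid, tenant-signed token verifies:    "
                + verify(derived, tenantKid, payload, signature));
        System.out.println("kid not in the published set verifies:        "
                + verify(derived, "not-published", payload, signature));
    }
}
```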

Re: [Dev] Improve Default Claim Handler logic

2017-08-20 Thread Hasanthi Purnima Dissanayake
Hi Farasath,

The logic behind returning claims in 'oidc' is based on the intersection of
both sp requested claims and the registry defined claims for the scope. So
in order to return a specific claim it should be defined in the registry and
it should be defined as a requested claim.

> 2. Improve the fix[2] to return all claims for *openid *flow only when
> service provider has no requested claims.
>
So why do we need to return all the claims for openid flow when the SP
has no requested claims?
Thanks,

Hasanthi Dissanayake

Software Engineer | WSO2

E: hasan...@wso2.com
M :0718407133| http://wso2.com 

On Mon, Aug 21, 2017 at 9:11 AM, Rushmin Fernando  wrote:

> yes, we should get rid of unwanted processing.
>
> IMO we should honour the configured requested claims in the service
> provider. But I'm not aware whether there was a need to send all the claims
> for open id.
>
>
>
> On Sat, Aug 19, 2017 at 7:48 PM, Farasath Ahamed 
> wrote:
>
>> Hi All,
>>
>> In the current implementation of the DefaultClaimHandler[1] claim
>> handling logic involves the below steps when retrieving claims for local
>> and federated scenarios,
>>
>> 1. Loading local claims and claims mappings
>> 2. Loading all non-empty claims of the user
>>
>> #1 involves several DB calls where as step #2 results in a call to the
>> user store which means either a DB call or LDAP/AD call depending on the
>> user store configured.
>>
>> Here are few shortcoming I noticed,
>>
>>1. If a service provider has configured no requested claims, we
>>simply return an empty map of claims after going through the whole process
>>#1 and #2.
>>2. For authentication involved with flows like OAuth which do not
>>involve claims going through this claims handling logic doesn't make any
>>sense.
>>
>>
>> To give an idea of the performance impact, An authentication request
>> coming into the Authentication Framework takes about 950ms to complete. Of
>> this around 550ms is spent on handling claims (that's close to ~60%). So
>> for an OAuth flow with authorization code or implicit flow, this is a
>> performance hit.
>>
>> I initially did a fix for this[2], by returning an empty map of claims if
>> the there were no requested claims. But this doesn't seem to work since we
>> seem to return all available claims for *openid *flow[3].
>>
>> Do we have a specific reason for return all available claims in the
>> openid flow? Shouldn't we honour service provider requested claims when
>> sending out user claims out of the framework?
>>
>>
>> I have a few improvements in my mind to overcome the problem,
>>
>> 1. Specifically, check for the *oauth *request type and stop executing
>> claim handling logic.
>> 2. Improve the fix[2] to return all claims for *openid *flow only when
>> service provider has no requested claims.
>>
>> Do you see any complexities that could arise with the suggested
>> improvements?
>>
>>
>> [1] https://github.com/wso2/carbon-identity-framework/blob/master/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/handler/claims/impl/DefaultClaimHandler.java
>>
>> [2] https://github.com/wso2/carbon-identity-framework/pull/961
>>
>> [3] https://github.com/wso2/carbon-identity-framework/blob/master/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/handler/claims/impl/DefaultClaimHandler.java#L422
>>
>>
>> Thanks,
>> Farasath Ahamed
>> Software Engineer, WSO2 Inc.; http://wso2.com
>> Mobile: +94777603866
>> Blog: blog.farazath.com
>> Twitter: @farazath619 
>> 
>>
>>
>>
>
>
> --
> *Best Regards*
>
> *Rushmin Fernando*
> *Technical Lead*
>
> WSO2 Inc.  - Lean . Enterprise . Middleware
>
> mobile : +94775615183
>
>
>


Re: [Dev] [IS] Admin/Tenant Admin Users cannot be filtered to get the SCIM ID

2017-07-21 Thread Hasanthi Purnima Dissanayake
Hi Indunil,

Please refer following mail in Architecture [1]. Seems Sathya is going to
provide SCIM support for admin users by generating admin users' SCIM
userId. After this implementation it seems this issue will be fixed.

[1] mail : [Architecture] [IS] SCIM Support for Admin Users

Thanks,

Hasanthi Dissanayake

Software Engineer | WSO2

E: hasan...@wso2.com
M :0718407133| http://wso2.com 

On Fri, Jul 21, 2017 at 2:11 PM, Gayan Gunawardana  wrote:

>
>
> On Fri, Jul 21, 2017 at 2:06 PM, Indunil Upeksha Rathnayake <
> indu...@wso2.com> wrote:
>
>> Hi,
>>
>> I have checked followings with IS 5.3.0 WUM updated pack.
>>
>> 1) List users
>> curl -v -k --user admin:admin https://localhost:9443/wso2/scim/Users
>> Result: *{"Errors":[{"description":"Users not found in the user
>> store.","code":"404"}]}*
>>
>> 2) Filter admin user
>> curl -v -k --user admin:admin https://localhost:9443/wso2/scim/Users?filter=userName+Eq+%22admin%22
>> Result:
>> *{"schemas":["urn:scim:schemas:core:1.0"],"totalResults":1,"Resources":[{"userName":"admin"}]}*
>>
>> Seems like there is a contradiction here. When listing all the users,
>> admin user details won't retrieved, but retrieved with the filtering. Since
>> admin user doesn't have a SCIM ID, it shouldn't retrieved in any scenarios.
>> WDT?
>>
> Yes so filter command should not return admin user if it doesn't have SCIM
> ID.
>
>>
>> Thanks and Regards
>>
>>
>> On Fri, Nov 6, 2015 at 9:33 AM, Nadeesha Meegoda 
>> wrote:
>>
>>> Thanks Chamila. Understood!
>>>
>>> On Thu, Nov 5, 2015 at 9:48 PM, Chamila Wijayarathna 
>>> wrote:
>>>
 Hi Nadeesha,

 As I mentioned in my previous mail, super admin and tenant admin are
 not created with a SCIM ID, so you can't retrieve them using SCIM GET.

 I was suggesting above request to get other users of tenant, if you are
 interested, since the command you were using previously for retrieving
 tenant users were wrong.

 Thanks

 On Thu, Nov 5, 2015 at 5:03 PM, Nadeesha Meegoda 
 wrote:

> Hi all,
>
> So I requested to get the SCIM ID as what Chamila mentioned by the
> following command
> curl -v -k --user ten...@new.com:123456 https://localhost:9443/wso2/scim/Users?filter=userNameEqtenant
>
> But still this doesn't give any result only a http 404 error. So
> tenant admins also are considered for the special flaw?
>
> On Thu, Nov 5, 2015 at 3:41 PM, Gayan Gunawardana 
> wrote:
>
>>
>>
>> On Thu, Nov 5, 2015 at 3:13 PM, Darshana Gunawardana <
>> darsh...@wso2.com> wrote:
>>
>>>
>>>
>>> On Thu, Nov 5, 2015 at 12:45 PM, Gayan Gunawardana 
>>> wrote:
>>>


 On Thu, Nov 5, 2015 at 11:26 AM, Chamila Wijayarathna <
 cham...@wso2.com> wrote:

> Hi Nadeesha,
>
> When creating super admin or tenant admin users, they don't get
> created with a SCIM ID since they are considered as special users in 
> IS.
> Because of this when listing users through scim, those users will not 
> get
> listed.
> But if you want, you can add a SCIM ID manually by updating the
> user and then you will be able to list the also as SCIM Users.
>
> When listing users of tenants, you need to use credentials of
> tenant admin users. When sending SCIM request with admin:admin, you 
> will
> only see users at super tenant. Also for filter, don't use @
> tenant.com, because if u logged in as tenant admin and list
> users, there you won't see user name with @tenant.com, so your
> curl command to filter a user at tenant should be as follows.
>
> curl -v -k --user ad...@tenant.com:admin123 https://localhost:9443/wso2/scim/Users?filter=userNameEqtenant
>
>
> Thanks
>
> On Wed, Nov 4, 2015 at 8:40 PM, Nadeesha Meegoda <
> nadees...@wso2.com> wrote:
>
>> Hi Chamila,
>>
>> I'm using the embedded ldap which comes default in IS. In that
>> SCIM comes enabled as default.
>>
>> On Wed, Nov 4, 2015 at 6:27 PM, Chamila Wijayarathna <
>> cham...@wso2.com> wrote:
>>
>>> Hi Nadeesha,
>>>
>>> What is the value of SCIMEnabled configuration in your
>>> user-mgt.xml?
>>>
>>> Are you using LDAP or JDBC user store manager?
>>>
>> @Chamila

 admin user is added in very fist server start up by calling
 "addInitialAdminData" in AbstractUserStoreManager. In embedded ldap
 scenario concrete "doAddUser" method will be invoked in
 

Re: [Dev] [IS]User account locking

2017-07-21 Thread Hasanthi Purnima Dissanayake
Hi Hanen,

Yes, the feature is tested in IS 5.3.0. Did you configure it? Please refer to the
'Configuring the WSO2 Identity Server for account locking' part of [1]. In
IS 5.3.0 we need to configure some properties using the UI as well. So please
use the document to configure account locking in IS 5.3.0. If you still
can't make this work, please get back to us.

[1]
https://docs.wso2.com/display/IS530/User+Account+Locking+and+Account+Disabling#04a3bc93b073466dae2c618e35801c93

Thanks,
Hasanthi


Hasanthi Dissanayake

Software Engineer | WSO2

E: hasan...@wso2.com
M :0718407133| http://wso2.com 

On Fri, Jul 21, 2017 at 1:02 PM, Hanen Ben Rhouma 
wrote:

> Hello guys,
>
> I have a question related to user account locking. I tried locking admin
> and even a simple user (with only login permission) via GUI as well as via
> SOAP call but nothing worked, the accounts are still able to login. Was
> this feature tested for the 5.3.0 version?
>
>
> Regards,
> Hanen
>


Re: [Dev] [IS] xml based IdP configuration within a tenant

2017-07-13 Thread Hasanthi Purnima Dissanayake
Hi Henan,

If you create an IDP without the 'SHARED' prefix this will only allow the file
based identity provider to be visible in file based service providers and
it will only be visible to the super tenant. When you use the 'SHARED'
prefix as Indunil suggested above this will be visible across tenants and
in the SP registration UI. One of the main advantages of using file based
IDPs is providing the accessibility for the same identity provider from
multiple tenants. So please note that we can't restrict this IDP to a
specific tenant.

Thanks,


Hasanthi Dissanayake

Software Engineer | WSO2

E: hasan...@wso2.com
M :0718407133| http://wso2.com 

On Thu, Jul 13, 2017 at 6:34 PM, Indunil Upeksha Rathnayake <
indu...@wso2.com> wrote:

> Hi,
>
> To make a file based IDP visible across tenants and in the SP registration
> UI as federated IDP, you can add the prefix "SHARED_" before the IDP name
> to the element.
> SHARED_identityProvider1
>
> But then that IDP will be shared for all the SPs in all the tenants.
> AFAIK, we can't configure a file based IDP to make it visible in only one
> tenant.
>
> Thanks and Regards
>
>
>
> On Thu, Jul 13, 2017 at 6:15 PM, Hanen Ben Rhouma 
> wrote:
>
>> Yes this is not an issue, all we're trying to achieve is a specific IdP
>> config residing within a tenant attached to a SaaS based SP config residing
>> within the super tenant. Is such scenario possible for a federation case?
>>
>>
>>
>>
>> Regards,
>> Hanen
>>
>> On Thu, Jul 13, 2017 at 12:56 PM, Indunil Upeksha Rathnayake <
>> indu...@wso2.com> wrote:
>>
>>> Hi Hanen,
>>>
>>> In the current IS release version, file based SP and IDPs will not be
>>> visible in the management console.
>>>
>>> Thanks and Regards
>>>
>>> On Thu, Jul 13, 2017 at 3:53 PM, Hanen Ben Rhouma 
>>> wrote:
>>>
>>>> Hello Guys,
>>>>
>>>> Is it possible to create an IdP via xml file and make it visible only
>>>> to a specific tenant?
>>>>
>>>>
>>>> Regards,
>>>> Hanen



>>>
>>>
>>> --
>>> Indunil Upeksha Rathnayake
>>> Software Engineer | WSO2 Inc
>>> Emailindu...@wso2.com
>>> Mobile   0772182255
>>>
>>
>>
>
>
> --
> Indunil Upeksha Rathnayake
> Software Engineer | WSO2 Inc
> Emailindu...@wso2.com
> Mobile   0772182255
>


Re: [Dev] [IS] Role mapping through config file

2017-07-05 Thread Hasanthi Purnima Dissanayake
Hi Henan,

There is a sample command if the IDP is WSO2 Identity Server where you can
export the public certificate in PEM format.

keytool -exportcert -alias wso2carbon -keypass wso2carbon -keystore
wso2carbon.jks -storepass wso2carbon -rfc -file ispublic_crt.pem

Then, you can open the certificate file with a notepad so you see the
certificate value. You can copy this certificate value and put it in the file
within the  tag.

Please note that the above is only if the IDP is WSO2 IS. If the IDP is a third
party IDP, then you can get the certificate in PEM format and read the
value. And then you need to copy the entire content of the PEM file and
place it between the tags.


Thanks,

Hasanthi.


Hasanthi Dissanayake

Software Engineer | WSO2

E: hasan...@wso2.com
M :0718407133| http://wso2.com 

On Wed, Jul 5, 2017 at 11:40 PM, Farasath Ahamed  wrote:

> Hi Hanen,
>
> I have attached a sample file based IDP file that demonstrates how to add
>  tag and the IDP role mapping as well.
>
>
> Thanks,
> Farasath
>
> Farasath Ahamed
> Software Engineer, WSO2 Inc.; http://wso2.com
> Mobile: +94777603866
> Blog: blog.farazath.com
> Twitter: @farazath619 
> 
>
>
>
> On Wed, Jul 5, 2017 at 9:09 PM, Hanen Ben Rhouma 
> wrote:
>
>> Same question for the tag  please. We're using a certificate
>> so what should we mention in the xml file.
>>
>>
>>
>> Regards,
>> Hanen
>>
>>
>>
>>
>>
>>
>> On Wed, Jul 5, 2017 at 5:36 PM, Hanen Ben Rhouma 
>> wrote:
>>
>>> Hello guys,
>>>
>>> Could you please tell me what are the xml tags I can use within an IDP
>>> xml config file for role mapping. I mean the properties I can add for
>>> mapping roles in the tag 
>>> in default.xml for example
>>>
>>>
>>> Regards,
>>> Hanen
>>>
>>
>>
>>
>>
>
>
>


Re: [Dev] Implemeting Scope Validator

2017-05-26 Thread Hasanthi Purnima Dissanayake
Hi Isura,

> As we discussed, client credential grant type should not return an ID
> token. So, we have to change the identity.xml file to enable scope
> validator by default and make IdTokenAllowed=true in implicit and
> password grant handlers.
>

+1

Thanks,

Hasanthi Dissanayake

Software Engineer | WSO2

E: hasan...@wso2.com
M :0718407133| http://wso2.com <http://wso2.com/>

On Fri, May 26, 2017 at 11:41 AM, Isura Karunaratne <is...@wso2.com> wrote:

> Hi Hasanthi,
>
> As we discussed, client credential grant type should not return an ID
> token. So, we have to change the identity.xml file to enable scope
> validator by default and make IdTokenAllowed=true in implicit and
> password grant handlers.
>
> Thanks
> Isura.
>
>
> On Fri, May 26, 2017 at 7:18 AM, Hasanthi Purnima Dissanayake <
> hasan...@wso2.com> wrote:
>
>> Hi Isura,
>>
>> If the scope validator is enabled and IdTokenAllowed is not defined for
>> a grant type, other than authorization_code grant it won't return any id
>> token.
>>
>> Thanks,
>>
>> Hasanthi Dissanayake
>>
>> Software Engineer | WSO2
>>
>> E: hasan...@wso2.com
>> M :0718407133| http://wso2.com <http://wso2.com/>
>>
>> On Thu, May 25, 2017 at 11:46 AM, Isura Karunaratne <is...@wso2.com>
>> wrote:
>>
>>> Hi Hasanthi,
>>>
>>> If the property IdTokenAllowed is not defined for a grant type, what is
>>> the default behavior?
>>>
>>> Thanks
>>> Isura.
>>>
>>> On Wed, May 17, 2017 at 3:29 PM, Hasanthi Purnima Dissanayake <
>>> hasan...@wso2.com> wrote:
>>>
>>>> Hi All,
>>>>
>>>> We have suggested a new property  for the parent
>>>>  along with the  segment  to
>>>> on/off the functionality of issuing the id token for grant types. For
>>>> authorization_code grant type we ignore this property and issue id token
>>>> by default for the 'openid' scope.
>>>>
>>>> Thanks,
>>>>
>>>> Hasanthi Dissanayake
>>>>
>>>> Software Engineer | WSO2
>>>>
>>>> E: hasan...@wso2.com
>>>> M :0718407133| http://wso2.com <http://wso2.com/>
>>>>
>>>> On Wed, May 17, 2017 at 7:52 AM, Pushpalanka Jayawardhana <
>>>> la...@wso2.com> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> On Tue, May 16, 2017 at 10:56 PM, Hasanthi Purnima Dissanayake <
>>>>> hasan...@wso2.com> wrote:
>>>>>
>>>>>> Hi Farasath, Lanka
>>>>>>>
>>>>>>> What about extension grant types like SAML2BearerGrant, JWTBearer or
>>>>>>> any other custom grant type we write?
>>>>>>> AFAIR we do issue id_tokens to any grant type when "openid" scope is
>>>>>>> present.
>>>>>>
>>>>>>
>>>>>> IMO using "openid" scope to issue id_tokens like SAML2Bearer ,etc is
>>>>>> not required.
>>>>>>
>>>>>> If our current implementation allows id_token generation for all
>>>>>>> types wouldn't this break existing clients?
>>>>>>
>>>>>>
>>>>>> This is an optional configuration, so we don't break any existing
>>>>>> clients here.
>>>>>>
>>>>>> @Lanka,
>>>>>>
>>>>>>>
>>>>>>> 
>>>>>>> 
>>>>>>> authorization_code
>>>>>>> org.wso2.carbon.identity.oauth2.token.handlers.grant.AuthorizationCodeGrantHandler
>>>>>>> *true*
>>>>>>> 
>>>>>>> ..
>>>>>>> 
>>>>>>>
>>>>>>> We can ship default configuration as the behavior we currently have,
>>>>>>> so none of the existing scenarios break.
>>>>>>> OIDC scope validator can consume this information from here.
>>>>>>>
>>>>>>
>>>>>> We already have below configuration for the APIM for JDBC Scope
>>>>>> validation.
>>>>>>
>>>>>> 

Re: [Dev] Implemeting Scope Validator

2017-05-25 Thread Hasanthi Purnima Dissanayake
Hi Isura,

If the scope validator is enabled and IdTokenAllowed is not defined for a
grant type, other than authorization_code grant it won't return any id
token.

Thanks,

Hasanthi Dissanayake

Software Engineer | WSO2

E: hasan...@wso2.com
M :0718407133| http://wso2.com <http://wso2.com/>

On Thu, May 25, 2017 at 11:46 AM, Isura Karunaratne <is...@wso2.com> wrote:

> Hi Hasanthi,
>
> If the property IdTokenAllowed is not defined for a grant type, what is
> the default behavior?
>
> Thanks
> Isura.
>
> On Wed, May 17, 2017 at 3:29 PM, Hasanthi Purnima Dissanayake <
> hasan...@wso2.com> wrote:
>
>> Hi All,
>>
>> We have suggested a new property  for the parent
>>  along with the  segment  to
>> on/off the functionality of issuing the id token for grant types. For
>> authorization_code grant type we ignore this property and issue id token
>> by default for the 'openid' scope.
>>
>> Thanks,
>>
>> Hasanthi Dissanayake
>>
>> Software Engineer | WSO2
>>
>> E: hasan...@wso2.com
>> M :0718407133| http://wso2.com <http://wso2.com/>
>>
>> On Wed, May 17, 2017 at 7:52 AM, Pushpalanka Jayawardhana <la...@wso2.com
>> > wrote:
>>
>>> Hi,
>>>
>>> On Tue, May 16, 2017 at 10:56 PM, Hasanthi Purnima Dissanayake <
>>> hasan...@wso2.com> wrote:
>>>
>>>> Hi Farasath, Lanka
>>>>>
>>>>> What about extension grant types like SAML2BearerGrant, JWTBearer or
>>>>> any other custom grant type we write?
>>>>> AFAIR we do issue id_tokens to any grant type when "openid" scope is
>>>>> present.
>>>>
>>>>
>>>> IMO using "openid" scope to issue id_tokens like SAML2Bearer ,etc is
>>>> not required.
>>>>
>>>> If our current implementation allows id_token generation for all types
>>>>> wouldn't this break existing clients?
>>>>
>>>>
>>>> This is an optional configuration, so we don't break any existing
>>>> clients here.
>>>>
>>>> @Lanka,
>>>>
>>>>>
>>>>> 
>>>>> 
>>>>> authorization_code
>>>>> org.wso2.carbon.identity.oauth2.token.handlers.grant.AuthorizationCodeGrantHandler
>>>>> *true*
>>>>> 
>>>>> ..
>>>>> 
>>>>>
>>>>> We can ship default configuration as the behavior we currently have,
>>>>> so none of the existing scenarios break.
>>>>> OIDC scope validator can consume this information from here.
>>>>>
>>>>
>>>> We already have below configuration for the APIM for JDBC Scope
>>>> validation.
>>>>
>>>> 

Re: [Dev] Validating OAuth App state during Token Requests

2017-05-25 Thread Hasanthi Purnima Dissanayake
Hi,

If the APP_STATE value is NULL we can say that a valid OAuth client
could not be found. Based on this we have done the fix as below.

[1] https://github.com/wso2-extensions/identity-inbound-auth-oauth/pull/368

Thanks,


Hasanthi Dissanayake

Software Engineer | WSO2

E: hasan...@wso2.com
M :0718407133| http://wso2.com 

On Thu, May 25, 2017 at 11:52 AM, Isura Karunaratne  wrote:

>
> On Fri, May 19, 2017 at 3:35 PM, Farasath Ahamed 
> wrote:
>
>> Created https://wso2.org/jira/browse/IDENTITY-5959 to track this.
>>
>> Farasath Ahamed
>> Software Engineer, WSO2 Inc.; http://wso2.com
>> Mobile: +94777603866
>> Blog: blog.farazath.com
>> Twitter: @farazath619 
>> 
>>
>>
>>
>> On Thu, May 18, 2017 at 9:10 PM, Pushpalanka Jayawardhana > > wrote:
>>
>>> Hi,
>>>
>>> On Thu, May 18, 2017 at 4:58 PM, Farasath Ahamed 
>>> wrote:
>>>
>>>> Hi,
>>>>
>>>> With our current implementation, we check whether an OAuth app is
>>>> active at [1]. This happens before we complete client authentication at
>>>> [2].
>>>>
>>>> Therefore even for an invalid client_id value, the error message that
>>>> we would get will be "Oauth App is not in active state." which is not
>>>> the expected behaviour.
>>>>
>>>> To fix this I see two options,
>>>>
>>>> 1. Handle the APP_STATE value being NULL (ie. no app was found for
>>>> given consumer key) properly. APP_STATE column allows NULL as a value so we
>>>> can't exactly say that APP_STATE == 'NULL' would imply that there is no app
>>>> for a given consumer key

>>> +1.
>
> Thanks
> Isura.
>
>> +1 for this approach. With this we can avoid some processing done in vain
>>> and respond invalid requests much early. Saving NULL for APP_STATE seems
>>> something we should investigate and fix.
>>>

>>>> 2. Move the APP_STATE validation logic to be done after [2]
>>>>
>>>> WDYT?
>>>>
>>>> [1] https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/token/OAuth2TokenEndpoint.java#L87-L97
>>>>
>>>> [2] https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/AccessTokenIssuer.java#L168
>>>>
>>>> Thanks,
>>>> Farasath Ahamed
>>>> Software Engineer, WSO2 Inc.; http://wso2.com
>>>> Mobile: +94777603866
>>>> Blog: blog.farazath.com
>>>> Twitter: @farazath619
>>>>
>>>
>>>
>>> --
>>> Pushpalanka.
>>> --
>>> Pushpalanka Jayawardhana, B.Sc.Eng.(Hons).
>>> Senior Software Engineer, WSO2 Lanka (pvt) Ltd;  wso2.com/
>>> Mobile: +94779716248
>>> Blog: pushpalankajaya.blogspot.com/ | LinkedIn: lk.linkedin.com/in/p
>>> ushpalanka/ | Twitter: @pushpalanka
>>>
>>>
>>
>>
>>
>
>
> --
>
> *Isura Dilhara Karunaratne*
> Senior Software Engineer | WSO2
> Email: is...@wso2.com
> Mob : +94 772 254 810
> Blog : http://isurad.blogspot.com/
>
>
>
>


Re: [Dev] Implemeting Scope Validator

2017-05-17 Thread Hasanthi Purnima Dissanayake
Hi All,

We have suggested a new property  for the parent
 along with the  segment  to on/off
the functionality of issuing the id token for grant types. For
authorization_code grant type we ignore this property and issue id token
by default for the 'openid' scope.

Thanks,

Hasanthi Dissanayake

Software Engineer | WSO2

E: hasan...@wso2.com
M :0718407133| http://wso2.com <http://wso2.com/>

On Wed, May 17, 2017 at 7:52 AM, Pushpalanka Jayawardhana <la...@wso2.com>
wrote:

> Hi,
>
> On Tue, May 16, 2017 at 10:56 PM, Hasanthi Purnima Dissanayake <
> hasan...@wso2.com> wrote:
>
>> Hi Farasath, Lanka
>>>
>>> What about extension grant types like SAML2BearerGrant, JWTBearer or any
>>> other custom grant type we write?
>>> AFAIR we do issue id_tokens to any grant type when "openid" scope is
>>> present.
>>
>>
>> IMO using "openid" scope to issue id_tokens like SAML2Bearer ,etc is not
>> required.
>>
>> If our current implementation allows id_token generation for all types
>>> wouldn't this break existing clients?
>>
>>
>> This is an optional configuration, so we don't break any existing clients
>> here.
>>
>> @Lanka,
>>
>>>
>>> 
>>> 
>>> authorization_code
>>> org.wso2.carbon.identity.oauth2.token.handlers.grant.AuthorizationCodeGrantHandler
>>> *true*
>>> 
>>> ..
>>> 
>>>
>>> We can ship default configuration as the behavior we currently have, so
>>> none of the existing scenarios break.
>>> OIDC scope validator can consume this information from here.
>>>
>>
>> We already have below configuration for the APIM for JDBC Scope
>> validation.
>>
>> 

Re: [Dev] Implemeting Scope Validator

2017-05-16 Thread Hasanthi Purnima Dissanayake
Hi Farasath, Lanka
>
> What about extension grant types like SAML2BearerGrant, JWTBearer or any
> other custom grant type we write?
> AFAIR we do issue id_tokens to any grant type when "openid" scope is
> present.


IMO using "openid" scope to issue id_tokens like SAML2Bearer ,etc is not
required.

> If our current implementation allows id_token generation for all types
> wouldn't this break existing clients?


This is an optional configuration, so we don't break any existing clients
here.

@Lanka,

>
> 
> 
> authorization_code
> org.wso2.carbon.identity.oauth2.token.handlers.grant.AuthorizationCodeGrantHandler</GrantTypeHandlerImplClass>
> *true*
> 
> ..
> 
>
> We can ship default configuration as the behavior we currently have, so
> none of the existing scenarios break.
> OIDC scope validator can consume this information from here.
>

We already have below configuration for the APIM for JDBC Scope validation.


[Dev] Implemeting Scope Validator

2017-05-16 Thread Hasanthi Purnima Dissanayake
Hi All,
In our current OIDC implementation we support the below four grant types and
issue id tokens and user info claims for all the below grant types.

   - authorization_code
   - implicit
   - client_credential
   - password

Among those 4 grant types that we have implemented, the OIDC spec discusses
only the implicit and authorization_code grant types. According to the
spec the "openid" scope value is a must to inform the Authorization Server that
the client is making an OpenID Connect request. So we have introduced a new
property in identity.xml as below and we have implemented a scope validator
to validate whether the grant types are authorization_code, implicit or
password if the scope is openid.



Re: [Dev] Clarification on 'Use tenant domain in local subject identifier' attribute

2017-05-09 Thread Hasanthi Purnima Dissanayake
Hi Maduranga,

> When we added this configuration, the expectation was to add the tenant
> domain to the subject identifier no matter what is used as the subject
> claim or it is a requested claim (it can be username or telephone number,
> if this is enabled tenant domain should be appended). If we deviate from
> this there can be lots of unexpected inconsistencies.


I have analyzed the source in IS 5.3.0 and the behavior is a bit different.
We are appending the tenant domain and user domain only when the subject
identifier is user name [1]. Otherwise we are not appending them [2]. IMO
as this is an option which can be decided by the user, if the user checked
the check boxes we should append tenant domain and userstore domain to the
subject identifier whether it is user name or not. If the user does not
wish to append those domains he can use the default configurations. So
shall we change the existing behavior?

WDYT?

[1]
https://github.com/wso2-attic/carbon-identity/blob/master/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/model/AuthenticatedUser.java#L175
[2]
https://github.com/wso2-attic/carbon-identity/blob/master/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/model/AuthenticatedUser.java#L143

Thanks,

Hasanthi Dissanayake

Software Engineer | WSO2

E: hasan...@wso2.com
M :0718407133| http://wso2.com <http://wso2.com/>

On Fri, May 5, 2017 at 11:21 PM, Maduranga Siriwardena <madura...@wso2.com>
wrote:

> Hi Hasanthi,
>
> When we added this configuration, the expectation was to add the tenant
> domain to the subject identifier no matter what is used as the subject
> claim or it is a requested claim (it can be username or telephone number,
> if this is enabled tenant domain should be appended). If we deviate from
> this there can be lots of unexpected inconsistencies.
>
> Thanks,
>
> Maduranga Siriwardena
> Senior Software Engineer
> WSO2 Inc; http://wso2.com/
>
> On May 5, 2017 2:03 PM, "Isura Karunaratne" <is...@wso2.com> wrote:
>
>> Hi,
>>
>> On Fri, May 5, 2017 at 10:59 AM, Hasanthi Purnima Dissanayake <
>> hasan...@wso2.com> wrote:
>>
>>> Hi All,
>>>
>>> There are few jiras [1],[2],[3],[4] reported related to the above
>>> attribute and thought of discussing the expected behavior of this attribute.
>>>
>>> AFAIU if the above attribute is checked in both federated and local
>>> scenarios:
>>> -  the tenant domain should append with the sub claim even when the
>>> username is added as a requested claim or username is set as the subject
>>> claim uri.
>>>
>>> If the above attribute is unchecked :
>>> - The tenant domain should not append with the sub claim even when the
>>> user name is subject claim uri or a requested claim.
>>>
>>
>>> [1] https://wso2.org/jira/browse/IDENTITY-5013
>>> [2] https://wso2.org/jira/browse/IDENTITY-4931
>>> [3]https://wso2.org/jira/browse/IDENTITY-4956
>>> [4]https://wso2.org/jira/browse/IDENTITY-4470
>>>
>>> Please let me know if the behavior of this attribute is something
>>> different.
>>>
>> Yes. That is the behavior of 'Use tenant domain in local subject
>> identifier" attribute.
>>
>> Thanks
>> Isura.
>>
>>>
>>>
>>> Thanks,
>>>
>>> Hasanthi Dissanayake
>>>
>>> Software Engineer | WSO2
>>>
>>> E: hasan...@wso2.com
>>> M :0718407133| http://wso2.com <http://wso2.com/>
>>>
>>>
>>>
>>
>>
>> --
>>
>> *Isura Dilhara Karunaratne*
>> Senior Software Engineer | WSO2
>> Email: is...@wso2.com
>> Mob : +94 772 254 810
>> Blog : http://isurad.blogspot.com/
>>
>>
>>
>>
>>
>>


Re: [Dev] [IS] Authorization granted for a SP for a different tenant's user when SaaS is disabled

2017-05-08 Thread Hasanthi Purnima Dissanayake
Hi Sathya,

Does the spec [1] contain any detail about access token revocation?

> It is evident that we should revoke the refresh token such that user is not
> permitted to obtain further access tokens for the application.


Yes, it is obvious that we should not allow generating access tokens using
refresh tokens when SaaS is disabled.

> In addition to this is it required to invalidate the already-issued access
> token?


IMO the authorization server should revoke even already issued access
tokens when SaaS is disabled. Disabling SaaS conveys that this
application is no longer shared among other tenants. WDYT?

[1] https://tools.ietf.org/html/rfc7009

Thanks,

Hasanthi Dissanayake

Software Engineer | WSO2

E: hasan...@wso2.com
M :0718407133| http://wso2.com 

On Mon, May 8, 2017 at 11:20 PM, Farasath Ahamed  wrote:

>
>
> On Monday, May 8, 2017, Pulasthi Mahawithana  wrote:
>
>> Hi Sathya,
>>
>> I think it would be better to do this with a application mgt listener
>> rather than doing this at the validation time. We can use a
>> "ApplicationMgtListener.doPostUpdateApplication()"[1] implementation and
>> invalidate all the tokens issued to users from other tenants when the
>> application is updated.
>>
>
> I think we need to be careful if we go down the listener path and use
> ApplicationMgtListener.doPostUpdateApplication() method. The reason is
> that this method gets triggered even if you simply press the update button
> in the Service Provider UI without doing any change. Also what is passed to
> the method as arguments is the updated Service Provider object.
> Therefore, it is a bit tricky to figure out whether a change happened at
> all.
>
> Say, if we wrote the token revocation logic when SaaS option changes
> within this method. So whenever someone presses the Service Provider UI
> after doing a change(or not). It will be a tricky situation to figure out
> what the change was basically. (Did someone disable Saas or was it already
> off?). This method will also be called for unrelated changes like an update
> to description etc.
>
> And as of now we only remove cache entries for any update in SP triggered
> in [1]. That is safe even no change happened to SP at all. What we lose is
> the cached entries which we can retrieve from DB. But what we are proposing
> here is to revoke tokens upon an update in SP, therefore, we need to be
> careful.
>
> IMO considering that we don't have a straightforward way to identify the
> change in the update SP passed to [1] it would be better to have a SaaS
> check required places whenever the user tenant domain and SP tenant domain
> are different.
>
> or else we need to figure out a way to pass that SaaS option was changed
> explicitly.
>
>
> [1] https://github.com/wso2/carbon-identity-framework/blob/master/components/application-mgt/org.wso2.carbon.identity.application.mgt/src/main/java/org/wso2/carbon/identity/application/mgt/listener/AbstractApplicationMgtListener.java#L43
>
>
>
>>
>> On Mon, May 8, 2017 at 7:03 PM, Sathya Bandara  wrote:
>>
>>> Hi All,
>>>
>>> This is in relation to issue [1] which happens when using a valid access
>>> token issued to a SaaS enabled application (application in a separate
>>> domain. User from another tenant domain). After disabling SaaS, it is still
>>> possible to use the same access token to access the UserInfo endpoint for
>>> this user from another tenant. Also it is possible to obtain a new access
>>> token for the saas-disabled application by using the issued refresh token
>>> for a different tenant user.
>>>
>>> For this I have added functionality to validate tenant domain and to
>>> check if the SP is SaaS enabled before granting access to the userInfo
>>> endpoint. It is evident that we should revoke the refresh token such that
>>> user is not permitted to obtain further access tokens for the application.
>>> In addition to this is it required to invalidate the already-issued access
>>> token?
>>>
>>> Appreciate your help on this.
>>>
>>> [1] https://wso2.org/jira/browse/IDENTITY-4981
>>>
>>> Best regards,
>>> Sathya
>>>
>>> --
>>> Sathya Bandara
>>> Software Engineer
>>> WSO2 Inc. http://wso2.com
>>> Mobile: (+94) 715 360 421
>>>
>>
>>
>>
>> --
>> *Pulasthi Mahawithana*
>> Senior Software Engineer
>> WSO2 Inc., http://wso2.com/
>> Mobile: +94-71-5179022
>> Blog: https://medium.com/@pulasthi7/
>>
>> 
>>
>
>
>
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
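
The two approaches weighed in this thread, as an added example (not WSO2 code): a validation-time SaaS check, and update-time revocation that only fires on a real SaaS true-to-false change. The classes `ServiceProvider` and `Token`, the method names, and the tenant and app names are hypothetical and constructed for illustration.

```java
import java.util.ArrayList;
import java.util.List;

public class SaasTokenGuardDemo {

    // Hypothetical, minimal stand-ins for a service provider and an issued token.
    static final class ServiceProvider {
        final String name;
        final String tenantDomain;
        final boolean saasApp;

        ServiceProvider(String name, String tenantDomain, boolean saasApp) {
            this.name = name;
            this.tenantDomain = tenantDomain;
            this.saasApp = saasApp;
        }
    }

    static final class Token {
        final String id;
        final String spName;
        final String userTenantDomain;
        boolean revoked;

        Token(String id, String spName, String userTenantDomain) {
            this.id = id;
            this.spName = spName;
            this.userTenantDomain = userTenantDomain;
        }
    }

    // Validation-time check: a token of a user from another tenant is only
    // honoured while the service provider is SaaS enabled.
    static boolean mayAccess(ServiceProvider sp, Token token) {
        if (token.revoked) {
            return false;
        }
        boolean sameTenant = sp.tenantDomain.equalsIgnoreCase(token.userTenantDomain);
        return sameTenant || sp.saasApp;
    }

    // Update-time revocation: compares the state before and after the update,
    // so pressing "update" without changing the SaaS flag revokes nothing.
    static int revokeOnSaasDisabled(ServiceProvider before, ServiceProvider after,
                                    List<Token> store) {
        boolean saasTurnedOff = before.saasApp && !after.saasApp;
        if (!saasTurnedOff) {
            return 0;
        }
        int revoked = 0;
        for (Token token : store) {
            boolean otherTenant = !after.tenantDomain.equalsIgnoreCase(token.userTenantDomain);
            if (token.spName.equals(after.name) && otherTenant && !token.revoked) {
                token.revoked = true;
                revoked++;
            }
        }
        return revoked;
    }

    public static void main(String[] args) {
        // Constructed sample data.
        ServiceProvider saasOn = new ServiceProvider("sample-app", "abc.com", true);
        ServiceProvider saasOff = new ServiceProvider("sample-app", "abc.com", false);
        Token local = new Token("t1", "sample-app", "abc.com");
        Token foreign = new Token("t2", "sample-app", "xyz.com");
        List<Token> store = new ArrayList<>();
        store.add(local);
        store.add(foreign);

        System.out.println("SaaS on, other-tenant token accepted: " + mayAccess(saasOn, foreign));
        System.out.println("update without change revokes: "
                + revokeOnSaasDisabled(saasOn, saasOn, store));
        System.out.println("SaaS off, other-tenant token accepted: " + mayAccess(saasOff, foreign));
        System.out.println("SaaS off, same-tenant token accepted: " + mayAccess(saasOff, local));
        System.out.println("SaaS true->false revokes: "
                + revokeOnSaasDisabled(saasOn, saasOff, store));
        System.out.println("repeated update revokes: "
                + revokeOnSaasDisabled(saasOff, saasOff, store));
    }
}
```

The validation-time check rejects the other-tenant token as soon as SaaS is off, even before any revocation has run; the revocation step needs the previous state of the service provider, which is the gap pointed out for `doPostUpdateApplication()`.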


Re: [Dev] Client credential grant type for ID token generation

2017-05-08 Thread Hasanthi Purnima Dissanayake
Hi All,

As discussed there is no use case of issuing an id token with the payload
of application owner's details. Further there is no usage of providing user
claims from the user info endpoint. So we have fixed this issue for IS
5.4.0. Please find the PR as below. By removing this functionality we can
get rid of some reported jiras as well.

[1]https://github.com/wso2-extensions/identity-inbound-auth-oauth/pull/348/

Thanks,

Hasanthi Dissanayake

Software Engineer | WSO2

E: hasan...@wso2.com
M :0718407133| http://wso2.com 

On Fri, May 5, 2017 at 11:48 AM, Ishara Karunarathna 
wrote:

> Hi,
>
> On Fri, May 5, 2017 at 11:42 AM, Isura Karunaratne  wrote:
>
>> Hi all,
>>
>> On Thu, May 4, 2017 at 3:03 PM, Gayan Gunawardana  wrote:
>>
>>>
>>>
>>> On Thu, May 4, 2017 at 2:41 PM, Pushpalanka Jayawardhana >> > wrote:
>>>
>>>> Hi All,
>>>>
>>>> This is in relation to issue [1] which happened when we issue ID_token
>>>> for client credentials grant.
>>>>
>>>> Client credentials grant type is not really a part of OpenID Connect
>>>> specification, as it only mentions of authorization code grant flow(Basic
>>>> Profile) and implicit grant flow (Implicit profile), and hybrid flow.
>>>> This is an additional thing when we issue id_token for client
>>>> credentials grant.
>>>>
>>>> Also this does not make much sense when we issue an ID_token to an
>>>> application which is presented in client credentials grant.
>>>> In my opinion we should get rid of this, if no one is currently using
>>>> it. Appreciate your inputs.

>>> Also OpenID Connect specification does not talk about issuing ID_token
>>> for password grant type as well. Apart from specification POV issuing
>>> ID_token for password grant type is not logically wrong.
>>> Issuing ID_token for client credentials grant type is logically wrong
>>> hence +1 to remove the functionality.
>>>
>> Yes. +1 to remove ID token for client credentials grant type.
>>
>> +1
> Since there is no user authentication, this is logically wrong. so better
> to fix this with removing ID token. But in the password grant type even its
> not there in the spec still there are usecases with this to let keep it and
> fix related issues.
>
> -Ishara
>
>>
>> Thanks
>> Isura.
>>
>>>
>>>> [1] - https://wso2.org/jira/browse/IDENTITY-4915
>>>>
>>>> Thanks,
>>>> --
>>>> Pushpalanka.
>>>> --
>>>> Pushpalanka Jayawardhana, B.Sc.Eng.(Hons).
>>>> Senior Software Engineer, WSO2 Lanka (pvt) Ltd;  wso2.com/
>>>> Mobile: +94779716248
>>>> Blog: pushpalankajaya.blogspot.com/ | LinkedIn: lk.linkedin.com/in/pushpalanka/ | Twitter: @pushpalanka


>>>
>>>
>>> --
>>> Gayan Gunawardana
>>> Software Engineer; WSO2 Inc.; http://wso2.com/
>>> Email: ga...@wso2.com
>>> Mobile: +94 (71) 8020933
>>>
>>>
>>>
>>
>>
>> --
>>
>> *Isura Dilhara Karunaratne*
>> Senior Software Engineer | WSO2
>> Email: is...@wso2.com
>> Mob : +94 772 254 810
>> Blog : http://isurad.blogspot.com/
>>
>>
>>
>>
>
>
> --
> Ishara Karunarathna
> Associate Technical Lead
> WSO2 Inc. - lean . enterprise . middleware |  wso2.com
>
> email: isha...@wso2.com,   blog: isharaaruna.blogspot.com,   mobile:
> +94717996791
>
>
>
>
>


[Dev] Clarification on 'Use tenant domain in local subject identifier' attribute

2017-05-04 Thread Hasanthi Purnima Dissanayake
Hi All,

There are few jiras [1],[2],[3],[4] reported related to the above attribute
and thought of discussing the expected behavior of this attribute.

AFAIU if the above attribute is checked in both federated and local
scenarios:
-  the tenant domain should append with the sub claim even when the
username is added as a requested claim or username is set as the subject
claim uri.

If the above attribute is unchecked :
- The tenant domain should not append with the sub claim even when the user
name is subject claim uri or a requested claim.

[1] https://wso2.org/jira/browse/IDENTITY-5013
[2] https://wso2.org/jira/browse/IDENTITY-4931
[3]https://wso2.org/jira/browse/IDENTITY-4956
[4]https://wso2.org/jira/browse/IDENTITY-4470

Please let me know if the behavior of this attribute is something different.


Thanks,

Hasanthi Dissanayake

Software Engineer | WSO2

E: hasan...@wso2.com
M :0718407133| http://wso2.com 


Re: [Dev] Please review and merge

2017-05-04 Thread Hasanthi Purnima Dissanayake
Hi Kathees

Fixed the comments.

Thanks,

Hasanthi Dissanayake

Software Engineer | WSO2

E: hasan...@wso2.com
M :0718407133| http://wso2.com <http://wso2.com/>

On Fri, May 5, 2017 at 9:45 AM, Kathees Rajendram <kath...@wso2.com> wrote:

> Thanks Hasanthi for your fix.
>
> Please fix those comments in the PR.
>
> Thanks,
> Kathees
>
> On Thu, May 4, 2017 at 3:16 PM, Hasanthi Purnima Dissanayake <
> hasan...@wso2.com> wrote:
>
>> Hi connector team,
>> Please review and merge [1] which fixes [2].
>> [1]https://github.com/wso2-extensions/identity-oauth2-grant-jwt/pull/14
>> [2]https://wso2.org/jira/browse/IDENTITY-5888
>>
>> Thanks,
>>
>> Hasanthi Dissanayake
>>
>> Software Engineer | WSO2
>>
>> E: hasan...@wso2.com
>> M :0718407133| http://wso2.com <http://wso2.com/>
>>
>
>
>
> --
> Kathees
> Software Engineer,
> email: kath...@wso2.com
> mobile: +94772596173
>


[Dev] Please review and merge

2017-05-04 Thread Hasanthi Purnima Dissanayake
Hi connector team,
Please review and merge [1] which fixes [2].
[1]https://github.com/wso2-extensions/identity-oauth2-grant-jwt/pull/14
[2]https://wso2.org/jira/browse/IDENTITY-5888

Thanks,

Hasanthi Dissanayake

Software Engineer | WSO2

E: hasan...@wso2.com
M :0718407133| http://wso2.com 


Re: [Dev] Using Multiple PreparedStatements with a single ResultSet

2017-04-26 Thread Hasanthi Purnima Dissanayake
[+ dev]

Hi All,

We are maintaining below two methods in [1]. Those methods are expecting
multiple PreparedStatements and one or two ResultSets. IMO it is
conceptually wrong to have multiple PreparedStatements with one or two
ResultSets.

public static void closeAllConnections(Connection dbConnection, ResultSet rs,
                                       PreparedStatement... prepStmts) {

    closeResultSet(rs);
    closeStatements(prepStmts);
    closeConnection(dbConnection);
}

public static void closeAllConnections(Connection dbConnection, ResultSet rs1, ResultSet rs2,
                                       PreparedStatement... prepStmts) {
    closeResultSet(rs1);
    closeResultSet(rs2);
    closeStatements(prepStmts);
    closeConnection(dbConnection);
}


In the references of this method [2], we have assigned multiple
PreparedStatement execution results to a single ResultSet (without closing
the resultset we have re-used it). This is useless and it can cause a
memory leak as well.

So IMO we should deprecate the above two methods and introduce a new
method to close connections.

[1] https://github.com/wso2-support/carbon4-kernel/blob/support-4.4.11/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/util/DatabaseUtil.java
[2] https://github.com/wso2-support/carbon4-kernel/blob/support-4.4.11/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/authorization/PermissionTree.java#L1012


WDYT?

Thanks

Hasanthi Dissanayake

Software Engineer | WSO2

E: hasan...@wso2.com
M :0718407133| http://wso2.com <http://wso2.com/>

On Tue, Apr 25, 2017 at 4:58 PM, Ruwan Abeykoon <ruw...@wso2.com> wrote:

> Hi All,
> I think we should mark these methods as Deprecated and remove all
> references from IS and user-code side. They promote careless mistakes,
> which are difficult to detect by human or automated tools.
>
> public static void closeAllConnections(Connection dbConnection, 
> PreparedStatement... prepStmts) {
>
> public static void closeAllConnections(Connection dbConnection, ResultSet rs, 
> PreparedStatement... prepStmts) {
>
> public static void closeAllConnections(Connection dbConnection, ResultSet 
> rs1, ResultSet rs2,
>PreparedStatement... prepStmts) {
>
>
> Also we should be able to rewrite the code to use
> newer AutoCloseable thing with java7 for IS 5.3.0+.
>
> Cheers,
> Ruwan
>
> On Tue, Apr 25, 2017 at 4:37 PM, Hasanthi Purnima Dissanayake <
> hasan...@wso2.com> wrote:
>
>> Hi All,
>>
>> We are maintaining below two methods in [1]. Those methods are expecting
>> multiple PreparedStatements and one or two ResultSets. IMO it is
>> conceptually wrong to have multiple PreparedStatements with one or two
>> ResultSets.
>>
>> public static void closeAllConnections(Connection dbConnection, ResultSet 
>> rs, PreparedStatement... prepStmts) {
>>
>> closeResultSet(rs);
>> closeStatements(prepStmts);
>> closeConnection(dbConnection);
>> }
>>
>> public static void closeAllConnections(Connection dbConnection, ResultSet 
>> rs1, ResultSet rs2,
>>PreparedStatement... prepStmts) {
>> closeResultSet(rs1);
>> closeResultSet(rs2);
>> closeStatements(prepStmts);
>> closeConnection(dbConnection);
>> }
>>
>>
>> In the references of this method [2], we have assigned multiple
>> PreparedStatement execution results to a single ResultSet (without
>> closing the resultset we have re-used it). This is useless and it can cause
>> a memory leak as well.
>>
>> So IMO we should deprecate the above two methods and introduce a new
>> method to close connections.
>>
>>  [1] https://github.com/wso2-support/carbon4-kernel/blob/support-
>> 4.4.11/core/org.wso2.carbon.user.core/src/main/java/org/
>> wso2/carbon/user/core/util/DatabaseUtil.java
>> [2] https://github.com/wso2-support/carbon4-kernel/blob/support-
>> 4.4.11/core/org.wso2.carbon.user.core/src/main/java/org/
>> wso2/carbon/user/core/authorization/PermissionTree.java#L1012
>>
>>
>> WDYT?
>>
>> Thanks,
>>
>> Hasanthi Dissanayake
>>
>> Software Engineer | WSO2
>>
>> E: hasan...@wso2.com
>> M :0718407133| http://wso2.com <http://wso2.com/>
>>
>
>
>
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
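
The pattern discussed in this thread, as an added example that is not code from carbon4-kernel: a caller reuses one ResultSet variable across two PreparedStatements and hands the rest to a helper shaped like closeAllConnections, next to the try-with-resources form suggested in the thread. The proxy-based fake driver, the class and method names and the call that forgets one statement are constructed assumptions; the harness needs Java 8 or later.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Proxy;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.concurrent.atomic.AtomicInteger;

public class CloseAllConnectionsDemo {

    // Constructed stand-in for a JDBC driver so the demo runs without a database.
    // OPEN counts every PreparedStatement and ResultSet that has not been closed yet.
    static final AtomicInteger OPEN = new AtomicInteger();

    static <T> T fake(Class<T> type, InvocationHandler behaviour) {
        return type.cast(Proxy.newProxyInstance(
                CloseAllConnectionsDemo.class.getClassLoader(), new Class<?>[] {type}, behaviour));
    }

    static ResultSet fakeResultSet() {
        OPEN.incrementAndGet();
        boolean[] closed = {false};
        return fake(ResultSet.class, (proxy, method, args) -> {
            switch (method.getName()) {
                case "next": return false; // constructed empty result
                case "close":
                    if (!closed[0]) { closed[0] = true; OPEN.decrementAndGet(); }
                    return null;
                default: throw new UnsupportedOperationException(method.getName());
            }
        });
    }

    static PreparedStatement fakeStatement() {
        OPEN.incrementAndGet();
        boolean[] closed = {false};
        ResultSet[] current = {null};
        return fake(PreparedStatement.class, (proxy, method, args) -> {
            switch (method.getName()) {
                case "executeQuery":
                    current[0] = fakeResultSet();
                    return current[0];
                case "close":
                    if (!closed[0]) {
                        closed[0] = true;
                        OPEN.decrementAndGet();
                        if (current[0] != null) current[0].close(); // closing a statement closes its ResultSet
                    }
                    return null;
                default: throw new UnsupportedOperationException(method.getName());
            }
        });
    }

    static Connection fakeConnection() {
        return fake(Connection.class, (proxy, method, args) -> {
            switch (method.getName()) {
                case "prepareStatement": return fakeStatement();
                case "close": return null; // assumption: pooled connection, close() only returns it to the pool
                default: throw new UnsupportedOperationException(method.getName());
            }
        });
    }

    // Same shape as the helper quoted in the thread; its three close* helpers are inlined, logging omitted.
    static void closeAllConnections(Connection con, ResultSet rs, PreparedStatement... stmts) {
        try { if (rs != null) rs.close(); } catch (SQLException ignored) { }
        for (PreparedStatement s : stmts) {
            try { if (s != null) s.close(); } catch (SQLException ignored) { }
        }
        try { if (con != null) con.close(); } catch (SQLException ignored) { }
    }

    // One ResultSet variable serves two statements, and the cleanup call forgets ps1.
    // The varargs signature compiles either way, so nothing flags the omission.
    static int legacyReuse() throws SQLException {
        OPEN.set(0);
        Connection con = fakeConnection();
        PreparedStatement ps1 = null, ps2 = null;
        ResultSet rs = null;
        try {
            ps1 = con.prepareStatement("SELECT 1");
            rs = ps1.executeQuery();
            while (rs.next()) { }
            ps2 = con.prepareStatement("SELECT 2");
            rs = ps2.executeQuery(); // overwrites the only reference to the first ResultSet
            while (rs.next()) { }
        } finally {
            closeAllConnections(con, rs, ps2);
        }
        return OPEN.get(); // resources still open after cleanup
    }

    // Each statement and its ResultSet are scoped together and closed when the block ends.
    static int scoped() throws SQLException {
        OPEN.set(0);
        try (Connection con = fakeConnection()) {
            try (PreparedStatement ps1 = con.prepareStatement("SELECT 1");
                 ResultSet rs1 = ps1.executeQuery()) {
                while (rs1.next()) { }
            }
            try (PreparedStatement ps2 = con.prepareStatement("SELECT 2");
                 ResultSet rs2 = ps2.executeQuery()) {
                while (rs2.next()) { }
            }
        }
        return OPEN.get();
    }

    public static void main(String[] args) throws SQLException {
        System.out.println("left open, closeAllConnections pattern: " + legacyReuse());
        System.out.println("left open, try-with-resources:          " + scoped());
    }
}
```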


[Dev] Please review and merge

2017-04-26 Thread Hasanthi Purnima Dissanayake
Hi kernel team,

Please review and merge [1] which fixes [2]

[1] https://github.com/wso2-support/carbon4-kernel/pull/211
[2] https://wso2.org/jira/browse/IDENTITY-5314

Thanks,

Hasanthi Dissanayake

Software Engineer | WSO2

E: hasan...@wso2.com
M :0718407133| http://wso2.com 


Re: [Dev] Bhaviour of OIDC 'prompt=none' when logged in

2016-07-19 Thread Hasanthi Purnima Dissanayake
Hi All,
I got a response from the OIDC community and according to them handling consent is
implementation specific. So in other words both the behaviors
1. Considering 'approve' in the same session as pre-configured consent
2. Not considering 'approve' in the same session as pre-configured consent
can be acceptable.

If we are moving ahead with the current implementation we need to provide
'approve_always' instead of 'approve' in that test case in order to pass
it. So I will keep the implementation as it is and won't introduce the new
behavior.

Thanks,


Hasanthi Dissanayake

Software Engineer | WSO2

E: hasan...@wso2.com
M :0718407133| http://wso2.com <http://wso2.com/>

On Mon, Jul 18, 2016 at 4:56 PM, Hasanthi Purnima Dissanayake <
hasan...@wso2.com> wrote:

> Hi Johann,
>
> No, the spec directly says 'If does not have *pre-configured consent*'.
> Those days when we were implementing this we interpreted pre-configured
> session as 'approve-always' or file based 'skip-consent=true'.
>
> Anyway I will raise this to OIDC community.
>
> Thanks,
>
> Hasanthi Dissanayake
>
> Software Engineer | WSO2
>
> E: hasan...@wso2.com
> M :0718407133| http://wso2.com <http://wso2.com/>
>
> On Mon, Jul 18, 2016 at 4:11 PM, Johann Nallathamby <joh...@wso2.com>
> wrote:
>
>> Hmm.. does the spec say anything related to this. If not better we send a
>> mail to OIDC community and check this out. But if the compliance tests are
>> failing lets go ahead with this new behaviour but let's introduce a
>> property to turn back the old behaviour and make the new the default.
>>
>> On Mon, Jul 18, 2016 at 4:05 PM, Hasanthi Purnima Dissanayake <
>> hasan...@wso2.com> wrote:
>>
>>> Hi All,
>>> According to the spec [1] when prompt=none the result should be as below.
>>>
>>>> The Authorization Server MUST NOT display any authentication or consent
>>>> user interface pages. An error is returned if an End-User is not already
>>>> authenticated or the Client does not have pre-configured consent for the
>>>> requested Claims or does not fulfill other conditions for processing the
>>>> request
>>>
>>>
>>> So if we consider a scenario like
>>> 1. User sends authorization request without any prompt value to the IS
>>> server
>>> 2. Server gives the login page
>>> 3. User provides credentials
>>> 4. Authentication successful and server returns consent page
>>> 5. User provides consent as 'Approve'
>>> 6. User sends an authorization request with prompt=none
>>>
>>> According to our current implementation it gives an error page with
>>> consent-required error as the server does not have "trusted_always" in the
>>> db table or "skipConsent=true" in file. But when executing the OIDC
>>> compliance test cases in such a scenario it expects this as a successful
>>> authentication as we have set the consent as approve in the same session.
>>>
>>> So if we are doing this we need to skip the consent page if there is
>>> a session with consent=approve. Do we need to change our implementation
>>> according to this? Any suggestions will be highly appreciated.
>>>
>>>
>>> The output of the test case is as below.
>>> Trace output
>>>
>>>
>>> 0.000497  AuthorizationRequest 
>>> 0.000903 --> URL: 
>>> https://210.90.95.XXX:9443/oauth2/authorize?scope=openid=hwcw3vhktnBaM99R_uri=https%3A%2F%2Fop.certification.openid.net%3A60746%2Fauthz_cb_type=code_id=4rYClwGnY4CE_XXAkMCoWuI4mnIa
>>> 0.000910 --> BODY: None
>>> 70.472175 <-- 
>>> code=de0696cf-7183-3c31-a13c-92695101e589=hwcw3vhktnBaM99R_state=927dc2d850b486e4a5d76a5f0d0dd3c1829b4e0007e11e58b1a9fbf17a3fff18._ynyYSwWWERr2-QI1X8sDg
>>> 70.472683 AuthorizationResponse: {
>>>   "code": "de0696cf-7183-3c31-a13c-92695101e589",
>>>   "session_state": 
>>> "927dc2d850b486e4a5d76a5f0d0dd3c1829b4e0007e11e58b1a9fbf17a3fff18._ynyYSwWWERr2-QI1X8sDg",
>>>   "state": "hwcw3vhktnBaM99R"
>>> }
>>> 70.473121  AccessTokenRequest 
>>> 70.473556 --> URL: https://210.90.95.XXX:9443/oauth2/token
>>> 70.473561 --> BODY: 
>>> code=de0696cf-7183-3c31-a13c-92695101e589_type=authorization_code_uri=https%3A%2F

Re: [Dev] Bhaviour of OIDC 'prompt=none' when logged in

2016-07-18 Thread Hasanthi Purnima Dissanayake
Hi Johann,

No, the spec directly says 'If does not have *pre-configured consent*'.
Those days when we were implementing this we interpreted pre-configured
session as 'approve-always' or file based 'skip-consent=true'.

Anyway I will raise this to OIDC community.

Thanks,

Hasanthi Dissanayake

Software Engineer | WSO2

E: hasan...@wso2.com
M :0718407133| http://wso2.com <http://wso2.com/>

On Mon, Jul 18, 2016 at 4:11 PM, Johann Nallathamby <joh...@wso2.com> wrote:

> Hmm.. does the spec say anything related to this. If not better we send a
> mail to OIDC community and check this out. But if the compliance tests are
> failing lets go ahead with this new behaviour but let's introduce a
> property to turn back the old behaviour and make the new the default.
>
> On Mon, Jul 18, 2016 at 4:05 PM, Hasanthi Purnima Dissanayake <
> hasan...@wso2.com> wrote:
>
>> Hi All,
>> According to the spec [1] when prompt=none the result should be as below.
>>
>>> The Authorization Server MUST NOT display any authentication or consent
>>> user interface pages. An error is returned if an End-User is not already
>>> authenticated or the Client does not have pre-configured consent for the
>>> requested Claims or does not fulfill other conditions for processing the
>>> request
>>
>>
>> So if we consider a scenario like
>> 1. User sends authorization request without any prompt value to the IS
>> server
>> 2. Server gives the login page
>> 3. User provides credentials
>> 4. Authentication successful and server returns consent page
>> 5. User provides consent as 'Approve'
>> 6. User sends an authorization request with prompt=none
>>
>> According to our current implementation it gives an error page with
>> consent-required error as the server does not have "trusted_always" in the
>> db table or "skipConsent=true" in file. But when executing the OIDC
>> compliance test cases in such a scenario it expects this as a successful
>> authentication as we have set the consent as approve in the same session.
>>
>> So if we are doing this we need to skip the consent page if there is
>> a session with consent=approve. Do we need to change our implementation
>> according to this? Any suggestions will be highly appreciated.
>>
>>
>> The output of the test case is as below.
>> Trace output
>>
>>
>> 0.000497  AuthorizationRequest 
>> 0.000903 --> URL: 
>> https://210.90.95.XXX:9443/oauth2/authorize?scope=openid=hwcw3vhktnBaM99R_uri=https%3A%2F%2Fop.certification.openid.net%3A60746%2Fauthz_cb_type=code_id=4rYClwGnY4CE_XXAkMCoWuI4mnIa
>> 0.000910 --> BODY: None
>> 70.472175 <-- 
>> code=de0696cf-7183-3c31-a13c-92695101e589=hwcw3vhktnBaM99R_state=927dc2d850b486e4a5d76a5f0d0dd3c1829b4e0007e11e58b1a9fbf17a3fff18._ynyYSwWWERr2-QI1X8sDg
>> 70.472683 AuthorizationResponse: {
>>   "code": "de0696cf-7183-3c31-a13c-92695101e589",
>>   "session_state": 
>> "927dc2d850b486e4a5d76a5f0d0dd3c1829b4e0007e11e58b1a9fbf17a3fff18._ynyYSwWWERr2-QI1X8sDg",
>>   "state": "hwcw3vhktnBaM99R"
>> }
>> 70.473121  AccessTokenRequest 
>> 70.473556 --> URL: https://210.90.95.XXX:9443/oauth2/token
>> 70.473561 --> BODY: 
>> code=de0696cf-7183-3c31-a13c-92695101e589_type=authorization_code_uri=https%3A%2F%2Fop.certification.openid.net%3A60746%2Fauthz_cb
>> 70.473575 --> HEADERS: {'Content-Type': 'application/x-www-form-urlencoded', 
>> 'Authorization': u'Basic 
>> NHJZQ2x3R25ZNENFX1hYQWtNQ29XdUk0bW5JYTpBdE8wenhmNjJLb1lhc1lUb2JPR1JYVlJaWHNh'}
>> 74.644260 <-- STATUS: 200
>> 74.644479 <-- BODY: 
>> {"access_token":"399d4582-967f-3083-831e-f5c4a6665e4a","refresh_token":"e9f533c3-a867-3758-8edc-2c10b2be0cd3","scope":"openid","id_token":"eyJ4NXQiOiJObUptT0dVeE16WmxZak0yWkRSaE5UWmxZVEExWXpkaFpUUmlPV0UwTldJMk0ySm1PVGMxWkEiLCJraWQiOiIxNTA4MzI3Zjg1M2RlODkzZWVhYTg2YzIwMTUyNjg5NWQxZTk1MTQzIiwiYWxnIjoiUlMyNTYifQ.eyJhdF9oYXNoIjoiQ1dSTWNFSkNDUURWeUtGMVlDWklmZyIsInN1YiI6ImFkbWluIiwiYXVkIjpbIjRyWUNsd0duWTRDRV9YWEFrTUNvV3VJNG1uSWEiXSwiYXpwIjoiNHJZQ2x3R25ZNENFX1hYQWtNQ29XdUk0bW5JYSIsImF1dGhfdGltZSI6MTQ2ODgzNTEwMCwiaXNzIjoiaHR0cHM6XC9cLzIwMy45NC45NS4yMTU6OTQ0M1wvIiwiZXhwIjoxNDY4ODM5OTQ0LCJpYXQiOjE0Njg4MzYzNDR9.M3Er8G4M05JPXmm-YOsOVcimGrzr9GwSmKeqGQBMTP0ZCpJ9NlFN-SR5HJ9xcH8Tc-dh201euilqPLzkfq2annbIS8V7gkS2ttnryjp0eTDIX3p4gKoLo1HfEARb4iB6r6ovDIzqytYMPacZj5t7uxBxSz2Aiu6qjkNOb5uY7Ss","token_type":"Bearer","expires_in":2056}
>> 76.777209 Acc

[Dev] Bhaviour of OIDC 'prompt=none' when logged in

2016-07-18 Thread Hasanthi Purnima Dissanayake
Hi All,
According to the spec [1] when prompt=none the result should be as below.

> The Authorization Server MUST NOT display any authentication or consent
> user interface pages. An error is returned if an End-User is not already
> authenticated or the Client does not have pre-configured consent for the
> requested Claims or does not fulfill other conditions for processing the
> request


So if we consider a scenario like
1. User sends authorization request without any prompt value to the IS
server
2. Server gives the login page
3. User provides credentials
4. Authentication successful and server returns consent page
5. User provides consent as 'Approve'
6. User sends an authorization request with prompt=none

According to our current implementation it gives an error page with
consent-required error as the server does not have "trusted_always" in the
db table or "skipConsent=true" in file. But when executing the OIDC
compliance test cases in such a scenario it expects this as a successful
authentication as we have set the consent as approve in the same session.

So if we are doing this we need to skip the consent page if there is a
session with consent=approve. Do we need to change our implementation
according to this? Any suggestions will be highly appreciated.


The output of the test case is as below.
Trace output


0.000497  AuthorizationRequest 
0.000903 --> URL:
https://210.90.95.XXX:9443/oauth2/authorize?scope=openid=hwcw3vhktnBaM99R_uri=https%3A%2F%2Fop.certification.openid.net%3A60746%2Fauthz_cb_type=code_id=4rYClwGnY4CE_XXAkMCoWuI4mnIa
0.000910 --> BODY: None
70.472175 <-- 
code=de0696cf-7183-3c31-a13c-92695101e589=hwcw3vhktnBaM99R_state=927dc2d850b486e4a5d76a5f0d0dd3c1829b4e0007e11e58b1a9fbf17a3fff18._ynyYSwWWERr2-QI1X8sDg
70.472683 AuthorizationResponse: {
  "code": "de0696cf-7183-3c31-a13c-92695101e589",
  "session_state":
"927dc2d850b486e4a5d76a5f0d0dd3c1829b4e0007e11e58b1a9fbf17a3fff18._ynyYSwWWERr2-QI1X8sDg",
  "state": "hwcw3vhktnBaM99R"
}
70.473121  AccessTokenRequest 
70.473556 --> URL: https://210.90.95.XXX:9443/oauth2/token
70.473561 --> BODY:
code=de0696cf-7183-3c31-a13c-92695101e589_type=authorization_code_uri=https%3A%2F%2Fop.certification.openid.net%3A60746%2Fauthz_cb
70.473575 --> HEADERS: {'Content-Type':
'application/x-www-form-urlencoded', 'Authorization': u'Basic
NHJZQ2x3R25ZNENFX1hYQWtNQ29XdUk0bW5JYTpBdE8wenhmNjJLb1lhc1lUb2JPR1JYVlJaWHNh'}
74.644260 <-- STATUS: 200
74.644479 <-- BODY:
{"access_token":"399d4582-967f-3083-831e-f5c4a6665e4a","refresh_token":"e9f533c3-a867-3758-8edc-2c10b2be0cd3","scope":"openid","id_token":"eyJ4NXQiOiJObUptT0dVeE16WmxZak0yWkRSaE5UWmxZVEExWXpkaFpUUmlPV0UwTldJMk0ySm1PVGMxWkEiLCJraWQiOiIxNTA4MzI3Zjg1M2RlODkzZWVhYTg2YzIwMTUyNjg5NWQxZTk1MTQzIiwiYWxnIjoiUlMyNTYifQ.eyJhdF9oYXNoIjoiQ1dSTWNFSkNDUURWeUtGMVlDWklmZyIsInN1YiI6ImFkbWluIiwiYXVkIjpbIjRyWUNsd0duWTRDRV9YWEFrTUNvV3VJNG1uSWEiXSwiYXpwIjoiNHJZQ2x3R25ZNENFX1hYQWtNQ29XdUk0bW5JYSIsImF1dGhfdGltZSI6MTQ2ODgzNTEwMCwiaXNzIjoiaHR0cHM6XC9cLzIwMy45NC45NS4yMTU6OTQ0M1wvIiwiZXhwIjoxNDY4ODM5OTQ0LCJpYXQiOjE0Njg4MzYzNDR9.M3Er8G4M05JPXmm-YOsOVcimGrzr9GwSmKeqGQBMTP0ZCpJ9NlFN-SR5HJ9xcH8Tc-dh201euilqPLzkfq2annbIS8V7gkS2ttnryjp0eTDIX3p4gKoLo1HfEARb4iB6r6ovDIzqytYMPacZj5t7uxBxSz2Aiu6qjkNOb5uY7Ss","token_type":"Bearer","expires_in":2056}
76.777209 AccessTokenResponse: {
  "access_token": "399d4582-967f-3083-831e-f5c4a6665e4a",
  "expires_in": 2056,
  "id_token": {
    "claims": {
      "at_hash": "CWRMcEJCCQDVyKF1YCZIfg",
      "aud": [
        "4rYClwGnY4CE_XXAkMCoWuI4mnIa"
      ],
      "auth_time": 1468835100,
      "azp": "4rYClwGnY4CE_XXAkMCoWuI4mnIa",
      "exp": 1468839944,
      "iat": 1468836344,
      "iss": "https://210.90.95.XXX:9443/",
      "sub": "admin"
    },
    "jws header parameters": {
      "alg": "RS256",
      "kid": "1508327f853de893eeaa86c201526895d1e95143",
      "x5t": "NmJmOGUxMzZlYjM2ZDRhNTZlYTA1YzdhZTRiOWE0NWI2M2JmOTc1ZA"
    }
  },
  "refresh_token": "e9f533c3-a867-3758-8edc-2c10b2be0cd3",
  "scope": "openid",
  "token_type": "Bearer"
}
76.788640  AuthorizationRequest 
76.789114 --> URL:
https://210.90.95.XXX:9443/oauth2/authorize?prompt=none=AstNRnS88v73aAjI_uri=https%3A%2F%2Fop.certification.openid.net%3A60746%2Fauthz_cb_type=code_id=4rYClwGnY4CE_XXAkMCoWuI4mnIa=openid
76.789121 --> BODY: None
108.266371 <-- 
code=684a2084-b823-35fc-baed-d73fdb6a9694=AstNRnS88v73aAjI_state=62a0bd33903999d7245654681f715e9700377e6b5ccaaf84ecb98b40311d8214.9iW0pFCokaZQXs4mZAp1jg
108.266883 AuthorizationResponse: {
  "code": "684a2084-b823-35fc-baed-d73fdb6a9694",
  "session_state":
"62a0bd33903999d7245654681f715e9700377e6b5ccaaf84ecb98b40311d8214.9iW0pFCokaZQXs4mZAp1jg",
  "state": "AstNRnS88v73aAjI"
}
108.268413  AccessTokenRequest 
108.268842 --> URL: https://210.90.95.XXX:9443/oauth2/token
108.268848 --> BODY:
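
The two prompt=none behaviours debated in this thread, as an added example that is not WSO2 Identity Server code: one decision function returns the OIDC error code (login_required or consent_required) or lets a code be issued, and a hypothetical switch sessionApproveCounts selects whether an 'Approve' given earlier in the same session counts as pre-configured consent. The class, enum and method names and PLACEHOLDER_CODE are assumptions; the redirect URI and state value are taken from the trace above.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;

public class PromptNoneDemo {

    /** Consent recorded for the user and client; names follow the values mentioned in the thread. */
    enum Consent { NONE, APPROVE, APPROVE_ALWAYS }

    /**
     * Returns the OIDC error code for a prompt=none request, or null when an authorization
     * code can be issued without showing any login or consent page.
     * sessionApproveCounts is a hypothetical switch between the two behaviours in the thread:
     * false = only 'approve always' or skipConsent=true count as pre-configured consent,
     * true  = an 'Approve' given in the current session counts as well.
     */
    static String promptNoneError(boolean authenticated, Consent consent,
                                  boolean skipConsent, boolean sessionApproveCounts) {
        if (!authenticated) {
            return "login_required";
        }
        boolean preConfigured = skipConsent
                || consent == Consent.APPROVE_ALWAYS
                || (sessionApproveCounts && consent == Consent.APPROVE);
        return preConfigured ? null : "consent_required";
    }

    /** Builds the response that goes back to the client's redirect_uri, success or error. */
    static String redirect(String redirectUri, String state, String error)
            throws UnsupportedEncodingException {
        String result = (error == null) ? "code=PLACEHOLDER_CODE" : "error=" + error;
        return redirectUri + "?" + result + "&state=" + URLEncoder.encode(state, "UTF-8");
    }

    public static void main(String[] args) throws UnsupportedEncodingException {
        String redirectUri = "https://op.certification.openid.net:60746/authz_cb"; // from the trace
        String state = "AstNRnS88v73aAjI";                                        // from the trace

        // Steps 1-5 of the scenario leave an authenticated session with consent 'Approve'
        // (third row); the other rows are the neighbouring cases, constructed for comparison.
        Object[][] cases = {
            {false, Consent.NONE},
            {true, Consent.NONE},
            {true, Consent.APPROVE},
            {true, Consent.APPROVE_ALWAYS},
        };
        for (boolean sessionApproveCounts : new boolean[] {false, true}) {
            System.out.println("sessionApproveCounts=" + sessionApproveCounts);
            for (Object[] c : cases) {
                String error = promptNoneError((Boolean) c[0], (Consent) c[1], false, sessionApproveCounts);
                System.out.println("  authenticated=" + c[0] + " consent=" + c[1]
                        + " -> " + redirect(redirectUri, state, error));
            }
        }
    }
}
```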

Re: [Dev] Kerberos communication fails with java server to C# client

2016-06-22 Thread Hasanthi Purnima Dissanayake
Hi All,
The name-formats used in GSS-API are somewhat different than the
name-formats used in SSPI. So the C# client could not identify the SPN,
as the SPN name of the Java server is not Windows compatible. After
providing the SPN name without the realm when creating the client credentials
on the C# client side, the above problem was solved.

Thanks Fara and Shazni for the suggestions and all the help. :)

Hasanthi Dissanayake

Software Engineer | WSO2

E: hasan...@wso2.com
M :0718407133| http://wso2.com <http://wso2.com/>

On Tue, Jun 21, 2016 at 4:36 PM, Farasath Ahamed <farasa...@wso2.com> wrote:

> Hi Hasanthi,
>
>
> On Tue, Jun 21, 2016 at 3:01 PM, Hasanthi Purnima Dissanayake <
> hasan...@wso2.com> wrote:
>
>> Hi Fara/Shazni,
>>
>> Thanks for the feedback. Here I'm using a sample standalone Java server
>> and C# client which communicates through a socket. And I'm using the fully
>> qualified name as you suggested.
>>
>> As this error comes when validating the server token, the issue should
>> be with the SPN of the Java server. Following is the code snippet which I'm
>> using to generate the server token.
>>
>> GSSName serviceName = manager.createName("wso2@IS.LOCAL", GSSName.NT_USER_NAME);
>>
>
> You seem to be using the service account here. Can you try using the
> Service Principal name under which you registered the Java server (that will
> be something like HTTP/server.is.local@IS.LOCAL) instead? As Shazni has
> pointed out, use the SPN name along with the realm at all places. I faced a
> similar situation while implementing IWA using Kerberos, and giving the
> SPN name along with the domain did the trick for me.
>
>
>
>> GSSCredential serviceCredentials = manager.createCredential(serviceName,
>>         GSSCredential.INDEFINITE_LIFETIME, spnegoOid, GSSCredential.ACCEPT_ONLY);
>> GSSContext context = manager.createContext(serviceCredentials);
>> serverToken = context.acceptSecContext(serviceTicket, 0, serviceTicket.length);
>>
>> Here IS.LOCAL is the realm name and wso2 is the account name. When
>> executing this I got a value for 'serverToken' and the exception occurs
>> when the client uses this 'serverToken' to validate.
>>
>> Thanks,
>>
>> Hasanthi Dissanayake
>>
>> Software Engineer | WSO2
>>
>> E: hasan...@wso2.com
>> M :0718407133| http://wso2.com <http://wso2.com/>
>>
>> On Tue, Jun 21, 2016 at 2:32 PM, Shazni Nazir <sha...@wso2.com> wrote:
>>
>>> HI Hasanthi,
>>>
>>> I've one question. What's this Java Server? Is it a standalone server
>>> you have custom written or is it a WSO2 server?
>>>
>>> When it comes to Kerberos related work for SOAP, we faced a couple of
>>> issues related to service principal (SPN) name. In that, discrepancies
>>> were noticed when using a service principal name without a realm. For
>>> example, if the service principal name is esb/localhost and the realm is
>>> WSO2.ORG, you have to specify the SPN as a fully qualified name, like
>>> esb/localh...@wso2.org. I'm not sure whether your issue is related to
>>> this. Maybe you can check if that's the case.
>>>
>>> Shazni Nazeer
>>> Mob : +94 37331
>>> LinkedIn : http://lk.linkedin.com/in/shazninazeer
>>> Blog : http://shazninazeer.blogspot.com
>>>
>>> On Tue, Jun 21, 2016 at 2:20 PM, Farasath Ahamed <farasa...@wso2.com>
>>> wrote:
>>>
>>>> Hi Hasanthi,
>>>>
>>>> Assuming that you are using an AD as the Kerberos Server, Have you
>>>> registered a Service Principal for both the C# client and Java Server in
>>>> the AD?
>>>>
>>>> You can do this using setspn.exe. Also, when you are registering the
>>>> SPN, register all possible values that the principal can take.
>>>> For eg: Let's say the hostname of your java server is *server.is.local*,
>>>> you can do
>>>>
>>>> setspn -A HTTP/server.is.local 
>>>> setspn -A HTTP/server 
>>>>
>>>> to add your java server as a service principal in the Kerberos Server.
>>>> You can do the same for the C# client as well. Can you check whether you
>>>> have already registered the Service Principals by listing them out using
>>>> commands specified in [1]
>>>>
>>>> [1]
>>>> https://blogs.msdn.microsoft.com/psssql/2009/02/13/searching-for-du

Re: [Dev] Kerberos communication fails with java server to C# client

2016-06-21 Thread Hasanthi Purnima Dissanayake
Hi Fara/Shazni,

Thanks for the feedback. Here I'm using a sample standalone Java server and
C# client which communicates through a socket. And I'm using the fully
qualified name as you suggested.

As this error comes when validating the server token, the issue should
be with the SPN of the Java server. Following is the code snippet which I'm
using to generate the server token.

    GSSName serviceName = manager.createName("wso2@IS.LOCAL", GSSName.NT_USER_NAME);
    GSSCredential serviceCredentials = manager.createCredential(serviceName,
            GSSCredential.INDEFINITE_LIFETIME, spnegoOid, GSSCredential.ACCEPT_ONLY);
    GSSContext context = manager.createContext(serviceCredentials);
    serverToken = context.acceptSecContext(serviceTicket, 0, serviceTicket.length);

Here IS.LOCAL is the realm name and wso2 is the account name. When
executing this I got a value for 'serverToken' and the exception occurs
when the client uses this 'serverToken' to validate.

Thanks,

Hasanthi Dissanayake

Software Engineer | WSO2

E: hasan...@wso2.com
M :0718407133| http://wso2.com <http://wso2.com/>

On Tue, Jun 21, 2016 at 2:32 PM, Shazni Nazir <sha...@wso2.com> wrote:

> HI Hasanthi,
>
> I've one question. What's this Java Server? Is it a standalone server you
> have custom written or is it a WSO2 server?
>
> When it comes to Kerberos related work for SOAP, we faced a couple of
> issues related to service principal (SPN) name. In that, discrepancies
> were noticed when using a service principal name without a realm. For
> example, if the service principal name is esb/localhost and the realm is
> WSO2.ORG, you have to specify the SPN as a fully qualified name, like
> esb/localh...@wso2.org. I'm not sure whether your issue is related to this.
> Maybe you can check if that's the case.
>
> Shazni Nazeer
> Mob : +94 37331
> LinkedIn : http://lk.linkedin.com/in/shazninazeer
> Blog : http://shazninazeer.blogspot.com
>
> On Tue, Jun 21, 2016 at 2:20 PM, Farasath Ahamed <farasa...@wso2.com>
> wrote:
>
>> Hi Hasanthi,
>>
>> Assuming that you are using an AD as the Kerberos Server, Have you
>> registered a Service Principal for both the C# client and Java Server in
>> the AD?
>>
>> You can do this using setspn.exe. Also, when you are registering the SPN,
>> register all possible values that the principal can take.
>> For eg: Let's say the hostname of your java server is *server.is.local*,
>> you can do
>>
>> setspn -A HTTP/server.is.local 
>> setspn -A HTTP/server 
>>
>> to add your java server as a service principal in the Kerberos Server.
>> You can do the same for the C# client as well. Can you check whether you
>> have already registered the Service Principals by listing them out using
>> commands specified in [1]
>>
>> [1]
>> https://blogs.msdn.microsoft.com/psssql/2009/02/13/searching-for-duplicate-spns-got-a-little-easier/
>>
>> Thanks,
>>
>> Farasath Ahamed
>> Software Engineer,
>> WSO2 Inc.; http://wso2.com
>> lean.enterprise.middleware
>>
>>
>> Email: farasa...@wso2.com
>> Mobile: +94777603866
>> Blog: blog.farazath.com
>> Twitter: @farazath619 <https://twitter.com/farazath619>
>>
>> On Tue, Jun 21, 2016 at 2:03 PM, Hasanthi Purnima Dissanayake <
>> hasan...@wso2.com> wrote:
>>
>>> Hi I'm implementing Kerberos communication between java (GSSAPI) to
>>> C#(SSPI).
>>>
>>> The KDC is an Active Directory. When it comes to Java client vs Java
>>> server and C# client vs C# Server, for both the scenarios this works fine.
>>>
>>> When using Java client - server the process happens as below and it
>>> works fine:
>>> * Client uses JAAS and creates TGT in client side
>>> * Server uses JAAS and creates TGT in server side
>>> * Client uses service principal name of the server to create the context
>>> and using that context it invokes initSecContext and creates SGT and passes
>>> it to the server
>>> * Server uses acceptSecContext() to validate the SGT
>>>
>>> When using C# client - server the process happens as below and it works
>>> fine too
>>> * Client creates credentials and invokes init() to create client TGT
>>> * Client passes this TGT to the server and server passes this TGT to
>>> accept(), to validate the TGT, then generates server TGT and passes it to
>>> client
>>> * Client gets the TGT from server and passes it to init() to create the
>>> SGT
>>> * Client passes this SGT to server and server use

[Dev] Kerberos communication fails with java server to C# client

2016-06-21 Thread Hasanthi Purnima Dissanayake
Hi I'm implementing Kerberos communication between java (GSSAPI) to
C#(SSPI).

The KDC is an Active Directory. When it comes to Java client vs Java server
and C# client vs C# Server, for both the scenarios this works fine.

When using Java client - server the process happens as below and it works
fine:
* Client uses JAAS and creates TGT in client side
* Server uses JAAS and creates TGT in server side
* Client uses service principal name of the server to create the context
and using that context it invokes initSecContext and creates SGT and passes
it to the server
* Server uses acceptSecContext() to validate the SGT

When using C# client - server the process happens as below and it works
fine too
* Client creates credentials and invokes init() to create client TGT
* Client passes this TGT to the server and server passes this TGT to
accept(), to validate the TGT, then generates server TGT and passes it to
client
* Client gets the TGT from server and passes it to init() to create the SGT
* Client passes this SGT to server and server uses accept() to validate the
SGT

When using C# client - Java server the process happens as below. [1][2]
* Client creates credentials and invokes init() to create TGT
* Client passes this TGT to the server and server uses this TGT and passes
it to acceptSecContext() to validate the TGT and to generate server TGT and
passes it to client
* Client gets the TGT from server and passes it to init() to create the SGT
and passes the SGT to server.
* Server uses acceptSecContext() to validate the SGT

When I'm implementing the third use case it fails to validate the TGT of
Java server from the C# client side with the following exception.

"Failed to invoke InitializeSecurityContext for a client. The specified
principle is not known in the authentication system."

[1]
https://msdn.microsoft.com/en-us/library/windows/desktop/aa380496(v=vs.85).aspx
[2] https://msdn.microsoft.com/en-us/library/ms995352.aspx

Any suggestion to recover from this issue is highly appreciated.

Thanks,



Hasanthi Dissanayake

Software Engineer | WSO2

E: hasan...@wso2.com
M :0718407133| http://wso2.com 


[Dev] [dev][BAM] Format of the Row_ID in EVENT_KS : bam_mediation_stats_data_publisher table

2016-03-14 Thread Hasanthi Purnima Dissanayake
Hi All,

In EVENT_KS : bam_mediation_stats_data_publisher table the primary key
(Row_ID) is a composite key.
E.g : 1457935867059::127.0.0.1::9443::2448
Can someone please explain to me the format of this key? Is it Timestamp :: IP
address :: Port :: Random Number?

Any feedback is highly appreciated.

Thanks

Hasanthi Dissanayake

Software Engineer | WSO2

E: hasan...@wso2.com
M :0718407133| http://wso2.com 


Re: [Dev] Publish data set in DAS

2016-03-02 Thread Hasanthi Purnima Dissanayake
Hi Lakshitha,

I have recently published data from ESB(4.9.0) custom proxy to DAS(3.0.0).
For your reference you can use [1].

[1]
http://lcbolgger.blogspot.com/2015/11/publish-data-from-wso2-esb-to-wso2-das_42.html

Thanks,

Hasanthi Dissanayake

Software Engineer | WSO2

E: hasan...@wso2.com
M :0718407133| http://wso2.com 

On Wed, Mar 2, 2016 at 2:41 PM, Sinthuja Ragendran 
wrote:

> Hi Lakshitha,
>
> On Wed, Mar 2, 2016 at 2:26 PM, Lakshitha Warnakulasuriya <
> lakshitha...@gmail.com> wrote:
>
>> Thanx Sinthuja.
>>
>> But when I persisted the stream, there is no column for the string that is
>> returned by soap service.
>>
>
> Do you mean the response, as the 'string returned by soap service'
> statement?
>
>
>> And also there is no string in Data Explorer.
>>
>
> WDYM by this? Can you attach the screen shot of the Data Explorer output?
>
>
>> Is there any work around I should follow for solve this.
>>
>
> Are you actually extracting the response and sending from the BAM
> mediator?  Can you share the BAM mediator configuration, and proxy
> configuration?
>
> Thanks,
> Sinthuja.
>
>>
>> Thanks and Regards,
>> Lakshitha.
>>
>> On Wed, Mar 2, 2016 at 1:41 PM, Sinthuja Ragendran 
>> wrote:
>>
>>> Hi Lakshitha,
>>>
>>>
>>>
>>> On Wed, Mar 2, 2016 at 1:36 PM, Lakshitha Warnakulasuriya <
>>> lakshitha...@gmail.com> wrote:
>>>
 Thanx Sinthuja.

 But after create wso2 event receiver, where can I see the string that
 return by soap service.,

>>>
>>> I believe you wanted to see the fields that were sent along with the
>>> event, and if so, you can use the data explorer [1] to see the results.
>>>
>>> Thanks,
>>> Sinthuja.
>>>
>>> [1] https://docs.wso2.com/display/DAS300/Data+Explorer
>>>

 Regards,
 Lakshitha.

 On Wed, Mar 2, 2016 at 1:22 PM, Sinthuja Ragendran 
 wrote:

> Hi Lakshitha,
>
>
> On Wed, Mar 2, 2016 at 1:20 PM, Lakshitha Warnakulasuriya <
> lakshitha...@gmail.com> wrote:
>
>> Thanx Ayyoob.
>>
>> I'm using ESB(4.8.1) and DAS(3.0.0) for publish data from ESB to DAS.
>>
>> For the testing, I want to publish string from ESB to DAS. I followed
>> below steps for do that. But it's not working.
>>
>>1. First I create a soap service for return a simple string like
>>'Hello World'.
>>2. Create BAM Profile in ESB.
>>3. Create a *Pass Through Proxy* in ESB using this soap wsdl.
>>4. Create *BAM Mediator* using above proxy service.
>>5. After invoke the service, there is a new stream created in DAS.
>>6. Create *soap event receiver* for the above stream.
>>
>> This needs to be wso2event receiver, not soap event receiver because
> the events are published as wso2 events not soap events.
>
> Thanks,
> Sinthuja.
>
>>
>>1. Check Data Explore in DAS.
>>
>> Any help can be really appreciated.
>>
>>
>> Thanks and Regards,
>> Lakshitha.
>>
>> On Tue, Mar 1, 2016 at 7:19 PM, Ayyoob Hamza  wrote:
>>
>>> Hi Lakshitha,
>>> WSO2 DAS has different event receivers[1] to receive events and
>>> there is one for soap[2]. Please refer the sample give in [2] which 
>>> receive
>>> xml based events.
>>>
>>> [1] https://docs.wso2.com/display/DAS300/Configuring+Event+Receivers
>>> [2] https://docs.wso2.com/display/DAS300/SOAP+Event+Receiver
>>>
>>> Thanks
>>>
>>> *Ayyoob Hamza*
>>> *Software Engineer*
>>> WSO2 Inc.; http://wso2.com
>>> email: ayy...@wso2.com cell: +94 77 1681010 <%2B94%2077%207779495>
>>>
>>> On Tue, Mar 1, 2016 at 1:01 PM, Lakshitha Warnakulasuriya <
>>> lakshitha...@gmail.com> wrote:
>>>
 I'll get some backend data set using soap service. I want to
 publish that data set in WSO2 DAS. How can i do this?
 Any help can be really appreciated.

 Thanks and Regards,
 Lakshitha.



>>>
>>
>>
>>
>
>
> --
> *Sinthuja Rajendran*
> Associate Technical Lead
> WSO2, Inc.:http://wso2.com
>
> Blog: http://sinthu-rajan.blogspot.com/
> Mobile: +94774273955
>
>
>

>>>
>>>
>>> --
>>> *Sinthuja Rajendran*
>>> Associate Technical Lead
>>> WSO2, Inc.:http://wso2.com
>>>
>>> Blog: http://sinthu-rajan.blogspot.com/
>>> Mobile: +94774273955
>>>
>>>
>>>
>>
>
>
> --
> *Sinthuja Rajendran*
> Associate Technical Lead
> WSO2, Inc.:http://wso2.com
>
> Blog: http://sinthu-rajan.blogspot.com/
> Mobile: +94774273955
>

Re: [Dev] [VOTE] Release WSO2 Identity Server 5.1.0 RC2

2015-12-22 Thread Hasanthi Purnima Dissanayake
Hi Devs,

I have tested following functionalities in both super tenant and tenant
modes.

1.SAML to Facebook/Google Federation
2.OIDC to Facebook/Google Federation
3.Claim Mappings with Facebook/Google Federation
4.Account Association with Facebook/Google Federation
5.JIT provisioning with Facebook/Google user

No issues found.
[x] -Stable -go ahead and release



Hasanthi Dissanayake

Software Engineer | WSO2

E: hasan...@wso2.com
M :0718407133| http://wso2.com 

On Tue, Dec 22, 2015 at 5:53 PM, Maduranga Siriwardena 
wrote:

> Hi Devs,
>
> I have tested following functionality in both super tenant and tenant
> modes.
>
> 1. Token generation with password, authorization code, implicit, client
> credentials and refresh token grant types
> 2. Oauth token validation
> 4. Oauth token revocation
> 4. IS to IS federation with OIDC
>
> No issues found.
> [x] - Stable - go ahead and release
>
> On Tue, Dec 22, 2015 at 4:59 PM, Jayanga Kaushalya 
> wrote:
>
>> Hi Devs,
>>
>> I have tested following,
>>
>> 1. Federation with Yahoo (SAML/OIDC/OpenID) (Super Tenant/Tenant).
>> 2. Federation with Live (SAML/OIDC/OpenID) (Super Tenant/Tenant).
>>
>> No issues found.
>>
>> [x] - Stable - Go ahead and release.
>>
>> Thanks!
>>
>> *Jayanga Kaushalya*
>> Software Engineer
>> Mobile: +94777860160
>> WSO2 Inc. | http://wso2.com
>> lean.enterprise.middleware
>>
>> On Tue, Dec 22, 2015 at 3:32 PM, Damith Senanayake 
>> wrote:
>>
>>> Hi Devs,
>>> I have tested the following :
>>>
>>> 1. user addition/deletion/update operations with super tenant + Primary
>>> user store
>>> 2 . user operations with super tenant  + secondary
>>> userstore(JDBC+LDAP/AD) .
>>> 3. User operations with tenant + secondary + primary user stores.
>>>
>>> No issues found.
>>>
>>> My vote : [x] - Stable - Go ahead and release
>>>
>>> On Tue, Dec 22, 2015 at 11:44 AM, Isura Karunaratne 
>>> wrote:
>>>
 Hi Devs,

 I tested following functionality in both super tenant and tenant mode


 *Identity Management*


1. Set security questions for tenant
2. Set security questions for user
3. Account Recovery - using notification
4. Account Recovery - using security questions
5. Ask Password
6. Account locking from wrong credentials
7. Self User Registration
8. User Identity Management Admin Service - lockUserAccount
9. User Identity Management Admin Service - unlockUserAccount
10. User Identity Management Admin Service - resetUserPassword
11. User Identity Management Admin Service - changeUserPassword
12. Password Patterns



 So here is my vote.
 [x] -Stable - go ahead and release

 Thanks
 Isura

 On Tue, Dec 22, 2015 at 5:24 AM, Prabath Siriwardana 
 wrote:

> Smoke tested local account mapping feature with..
>
> 1. Multiple tenants
> 2. Multiple user stores (LDAP and MySQL)
> 3. Add/Delete user operations
> 4. Activate/Deactivate tenant operations
> 5. Activate/Deactivate user store operations
>
> All working fine except one minor issue (
> https://wso2.org/jira/browse/IDENTITY-4245 - reported as L3).
>
> Will test further on other features and update the status..
>
> Thanks & regards,
> -Prabath
>
> On Mon, Dec 21, 2015 at 4:59 AM, Hasintha Indrajee 
> wrote:
>
>> Hi Devs,
>>
>> This is the second release candidate of WSO2 Identity Server 5.1.0.
>>
>> This release fixes the following issues:
>> https://wso2.org/jira/issues/?filter=12586
>>
>> Please download, test and vote.
>>
>> Source & binary distribution files:
>> https://github.com/wso2/product-is/releases/tag/v5.1.0-rc2
>>
>> Maven staging repo:
>> http://maven.wso2.org/nexus/content/repositories/orgwso2is-218/
>>
>> The tag to be voted upon:
>> https://github.com/wso2/product-is/tree/v5.1.0-rc2
>>
>>
>> [ ]  Stable - go ahead and release
>> [ ]  Broken - do not release (explain why)
>>
>> Thanks and Regards,
>> WSO2 Identity Server Team.
>>
>> --
>> Hasintha Indrajee
>> Software Engineer
>> WSO2, Inc.
>> Mobile:+94 771892453
>>
>>
>> ___
>> Dev mailing list
>> Dev@wso2.org
>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>
>>
>
>
> --
> Thanks & Regards,
> Prabath
>
> Twitter : @prabath
> LinkedIn : http://www.linkedin.com/in/prabathsiriwardena
>
> Mobile : +1 650 625 7950
>
> http://blog.facilelogin.com
> http://blog.api-security.org
>
> ___
> Dev mailing list
> Dev@wso2.org
> http://wso2.org/cgi-bin/mailman/listinfo/dev

Re: [Dev] [IS] Clarification Regarding the behavior of Multiple Local Account Associations via the Dashboard

2015-12-03 Thread Hasanthi Purnima Dissanayake
Hi Nadeesha,

When you are associating 'Account A' and 'Account B' to 'Account admin',
you are logically associating all the three accounts together. So when you
switch to account A and view the association, you will be able to see that
'Account admin' and 'Account B' are associated.

So AFAIK this is the expected behavior of this scenario.

Thanks

Hasanthi Dissanayake

Software Engineer | WSO2

E: hasan...@wso2.com
M :0718407133| http://wso2.com 

On Fri, Dec 4, 2015 at 12:29 PM, Nadeesha Meegoda 
wrote:

> Hi all,
>
> What is the expected behavior when two or more accounts are associated to
> one account? For example, assume there are 3 local accounts: "Admin", "A"
> and "B".
>
> Login as "Admin" to dashboard and Associate Account "A" and Account "B",
> Now Switch Account to  Account "A". Currently Account "Admin" and Account
> "B" both are shown as Associated Accounts for Account "A". I thought
> Account "A" should only be associated with Account "Admin" and if Account
> "A" wants to Associate with Account "B", "B" should be separately
> associated.
>
> I need to know whether what is happening currently is the expected
> behavior? Please Clarify!
>
>
> Thanks
> Nadeesha
>
> --
> *Nadeesha Meegoda*
> Software Engineer - QA
> WSO2 Inc.; http://wso2.com
> lean.enterprise.middleware
> email : nadees...@wso2.com
> mobile: +94783639540


Re: [Dev] [VOTE] Release WSO2 Carbon Kernel 4.4.2 RC2

2015-10-18 Thread Hasanthi Purnima Dissanayake
Hi Kishanthan,
Please find the requested information for [1] as a JIRA attachment. Please
consider that I observed this issue only when both proxy context path and
web context root are enabled, as I mentioned in the JIRA.

[1] https://wso2.org/jira/browse/CARBON-15475

Thanks

Hasanthi Dissanayake

Software Engineer | WSO2

E: hasan...@wso2.com 
M :0718407133| http://wso2.com 

On Fri, Oct 16, 2015 at 2:38 PM, Kishanthan Thangarajah  wrote:

>
>
> On Fri, Oct 16, 2015 at 11:27 AM, Johann Nallathamby 
> wrote:
>
>> Hi Kishanthan/Kernel Team,
>>
>> We have added the test case as well to the same PR.
>>
>
> Thanks Johann.
>
> @MB Team, could you guys verify that all your scenarios are now passing?.
> We will start the next RC build once this is confirmed ASAP.
>
>>
>> Also can we get CARBON-15505 merged? The PR for master is a very old PR
>> which we have missed to review and merge. This mainly contains some
>> reordering of fields in the UI to make it more consistent and reorder
>> properties in user-mgt.xml to be consistent with UI. Hope we don't need any
>> tests for this.
>>
>
> I think it's better not to add any more changes at this stage. We will
> merge this for next patch release.
>
>>
>> Any update on the 3 issues raised above ?
>>
>
> For [1], we need more information to reproduce (LB & IS config, example
> requests, HTTP access logs on both LB and IS side with this issue). Will
> send a separate mail on that, but I believe it's not a blocker for the IS
> release right?
> [2] and [3], we haven't seen this error previously and according to the
> trace, it looks like the "distributedCache" instance is becoming null in
> CacheImpl class. If the exact steps can be found or given on how to
> reproduce this, then we can work on finding the root cause for this.
>
>
>> Thanks,
>> Johann.
>>
>> On Thu, Oct 15, 2015 at 3:30 PM, Johann Nallathamby 
>> wrote:
>>
>>> Hi Kishanthan/Kernel Team,
>>>
>>> We are in the process of writing the test case for the issue. Should be
>>> able to send it before end of day.
>>>
>>> [1] has been reported in another thread. This issue in particular looks
>>> critical to me, because AFAIK there are many users using proxyContextPath.
>>> Not sure about WebContextRoot though. Apart from that WSO2 QA has reported
>>> [2,3] in IS 5.1.0 SNAPSHOT pack. Maybe it's harmless, but looks like it is
>>> coming from kernel and would like to get your thoughts on this if this is
>>> critical and needs to be fixed.
>>>
>>> [1] https://wso2.org/jira/browse/CARBON-15475
>>> [2] https://wso2.org/jira/browse/IDENTITY-3815
>>> [3] https://wso2.org/jira/browse/IDENTITY-3817
>>>
>>> And also it will be great if we can change the default value of
>>> XSSPreventionConfig.Enabled to 'false' because this was added in order to
>>> prevent XSS centrally, however the approach is not 100% bug free. Whoever
>>> has this enabled needs to test all their functionality well. Therefore what
>>> I suggest is to make it 'false' by default and whatever product that needs
>>> it can enable it at product level. WDYT ? Can we do this ?
>>>
>>> Regards,
>>> Johann.
>>>
>>>
>>> On Wed, Oct 14, 2015 at 6:30 PM, Kishanthan Thangarajah <
>>> kishant...@wso2.com> wrote:
>>>
 Can we also have test case for this fix please?

 On Wed, Oct 14, 2015 at 6:13 PM, Isura Karunaratne 
 wrote:

> Hi,
>
> This issue is fixed in [1].
>
>
> Thanks
> isura
>
>
> [1] https://wso2.org/jira/browse/CARBON-15517
>
>
> On Wed, Oct 14, 2015 at 11:25 AM, Johann Nallathamby 
> wrote:
>
>> Hi Isura,
>>
>> Can you look into this issue urgently. I remember you fixing an issue
>> related to this.
>>
>> Thanks.
>>
>> On Wed, Oct 14, 2015 at 7:16 AM, Indika Sampath 
>> wrote:
>>
>>> Hi All,
>>>
>>> I debugged our code and found the issue. It seems the implementation of
>>> some API changed in user-core. Let me explain the flow.
>>>
>>> Our queue/topic creation has two calls.
>>>
>>> 1. We create internal role when adding queue and assign
>>> "changePermission", "publish", "consume"  permissions to it. Which means
>>> that, user who created particular queue can update permission, publish or
>>> consume.
>>>
>>> - Below code line used to get internal role name:
>>>
>>> UserCoreUtil.addInternalDomainName(QUEUE_ROLE_PREFIX +
>>> queueName.replace(".","-").replace("/", "-"))
>>>
>>> result = {java.lang.String@10289}"*Internal/Q_userQueue*"
>>> value = {char[21]@10290}
>>> hash = 0
>>> hash32 = 0
>>>
>>> - assign permission as below:
>>>
>>> userStoreManager.addRole(roleName, user, null);
>>> userRealm.getAuthorizationManager().authorizeRole(roleName, queueId,
>>> PERMISSION_CHANGE_PERMISSION);
>>> 

Re: [Dev] [Carbon]Can't login in to management console when both proxycontextpath and webcontextroot is used together

2015-10-15 Thread Hasanthi Purnima Dissanayake
Hi Krishanthan,

As you suggested, I checked the configurations of proxy and reverse proxy
and they seem correct. I followed [1] as the reference. We can use IS and
LB with default web context root. The problem occurs when we try to log in
to the management console when both proxycontextpath and webcontextroot are
specified.

 [1]
http://arunasujith.blogspot.com/2014/12/adding-custom-proxy-path-for-wso2.html

Thanks

Hasanthi Dissanayake

Software Engineer | WSO2

E: hasan...@wso2.com <nirosh...@wso2.com>
M :0718407133| http://wso2.com <http://wso2.com/>

On Tue, Oct 13, 2015 at 9:39 PM, Kishanthan Thangarajah <kishant...@wso2.com
> wrote:

>
>
> On Tue, Oct 13, 2015 at 12:58 PM, Johann Nallathamby <joh...@wso2.com>
> wrote:
>
>> [adding kernel team members]
>>
>> On Wed, Oct 7, 2015 at 7:07 PM, Hasanthi Purnima Dissanayake <
>> hasan...@wso2.com> wrote:
>>
>>> Hi,
>>> I configured both ProxyContextPath and WebContextRoot together in
>>> carbon.xml and tried to log in to the management console. But it did not
>>> redirect to the index page even though I got success information in the
>>> console as below.
>>>
>>
> Is your load-balancer configuration correct (proxy and reverse proxy
> settings)? Can we double check that?
>
> Also does your config (both LB and IS) work with default web context root?
>
>
>> INFO{org.wso2.carbon.core.services.util.CarbonAuthenticationUtil}
>>>
>>> - 'admin@carbon.super [-1234]' logged in at [2015-10-07
>>> 12:13:38,200+0530]
>>>
>>> I have referred [1] to configure ProxyContextPath and created a jira for
>>> the issue [2]
>>>
>>> [1]
>>> http://arunasujith.blogspot.com/2014/12/adding-custom-proxy-path-for-wso2.html
>>>
>>> [2] https://wso2.org/jira/browse/CARBON-15475
>>>
>>> Thanks
>>>
>>> Hasanthi Dissanayake
>>>
>>> Software Engineer | WSO2
>>>
>>> E: hasan...@wso2.com <nirosh...@wso2.com>
>>> M :0718407133| http://wso2.com <http://wso2.com/>
>>>
>>> ___
>>> Dev mailing list
>>> Dev@wso2.org
>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>
>>>
>>
>>
>> --
>> Thanks & Regards,
>>
>> *Johann Dilantha Nallathamby*
>> Technical Lead & Product Lead of WSO2 Identity Server
>> Governance Technologies Team
>> WSO2, Inc.
>> lean.enterprise.middleware
>>
>> Mobile - *+9476950*
>> Blog - *http://nallaa.wordpress.com <http://nallaa.wordpress.com>*
>>
>
>
>
> --
> *Kishanthan Thangarajah*
> Associate Technical Lead,
> Platform Technologies Team,
> WSO2, Inc.
> lean.enterprise.middleware
>
> Mobile - +94773426635
> Blog - *http://kishanthan.wordpress.com <http://kishanthan.wordpress.com>*
> Twitter - *http://twitter.com/kishanthan <http://twitter.com/kishanthan>*
>


Re: [Dev] [IS] Using unregistered realm in PassiveSTS request

2015-10-14 Thread Hasanthi Purnima Dissanayake
Hi,

This is regarding the passive STS logout scenario mentioned in [1].
According to the Sign-Out Request Syntax part of the specification [2], the
'wsreply' parameter is to be used if it is specified, and the
realm-specified one if it is not. But considering the security
considerations mentioned in section 8 of [2], it is RECOMMENDED that the
Identity Provider verify the 'wsreply' URL. So we decided to redirect the
logout request to the 'wsreply' URL configured on the Identity Provider
side if the 'wsreply' URL we get from the request and the URL configured in
the Identity Provider are different.

Further, as Chamara mentioned above, at the moment we don't expect that
wtreply must be a subdomain of wtrealm as mentioned in the specification.

[1] https://wso2.org/jira/browse/IDENTITY-2835
[2] http://public.dhe.ibm.com/software/dw/specs/ws-fedpass/ws-fedpass.pdf

Thanks




Hasanthi Dissanayake

Software Engineer | WSO2

E: hasan...@wso2.com 
M :0718407133| http://wso2.com 

On Thu, Oct 8, 2015 at 12:01 PM, Chamara Philips  wrote:

> Hi,
>
> This is regarding [1] .
> Currently when we send an unregistered realm or no realm with the
> parameter 'wtrealm' in the Passive STS request, we receive the same
> response as it is with the correct realm, but without the claim attributes.
> When an unregistered realm is passed a log is printed at back-end
> from RegistryBasedTrustedServiceStore. This is the expected behavior at the
> moment.
> The specification at [2] doesn't specify what to do when an invalid
> 'wtrealm' is passed. However, according to [2] both the 'wtreply' and
> 'wtrealm' are optional parameters. In section 8 in [2], as security
> concerns, there is a possibility of a man-in-the-middle attack when the
> Identity Provider doesn't verify whether the 'wtreply' is the same as or
> is in 'wtrealm'. The following part is quoted from [2].
>
>
> [Man-in-the-Middle attacks: The wtreply must be in wtrealm (i.e., the same
> URL, or, e.g., wtreply is a host within the domain of wtrealm). It is
> strongly RECOMMENDED that the Identity Provider verifies this, and that
> wtreply is an valid HTTP/S address.
>
> • The wtrealm SHOULD be a security realm of the resource in which nobody
> can control URLs.
>
> • For Kerberos tokens the key distribution SHOULD distribute correct
> realms for the keys, so that Identity Providers know what the correct
> realms are for keys that they use.
>
> • For SAML tokens the resource SHOULD verify that exactly this realm is in
> one of the two (fix one!) fields of the ticket.
>
> • For other token types similar considerations SHOULD be made before using
> them.
>
> It is strongly RECOMMENDED that the resourceSTS secure information or use
> HTTP/S or some other transport-level security mechanism for all
> communications. ]
>
> As far as I understand, the behavior when an unregistered realm is passed
> in the request is OK according to the spec [2].
> Though we don't support the verification of 'wtreply' and 'wtrealm' as
> described in spec [2] at the moment, we can enforce verification that the
> 'wtreply' provided in the request is similar to the 'Passive STS WReply
> URL' provided when registering the Service Provider in IS. If they are not
> similar the user will be redirected to the given 'Passive STS WReply URL'.
>
> As far as I understand overall realm validation workflow is ok to proceed.
> Any suggestions on any improvement are welcome.
>
> [1] https://wso2.org/jira/browse/IDENTITY-2803
> 
> [2] http://public.dhe.ibm.com/software/dw/specs/ws-fedpass/ws-fedpass.pdf
>
> Thank you.
> --
> Hareendra Chamara Philips
> *Software  Engineer*
> Mobile : +94 (0) 767 184161
> chama...@wso2.com 
>
>
> ___
> Dev mailing list
> Dev@wso2.org
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>
>
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
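
The reply-URL handling discussed in this thread, sketched in JavaScript as an added example (not WSO2 Identity Server code): the requested reply URL is honoured only when it equals the one configured for the realm, otherwise the configured one is used, and `replyWithinRealm` shows the section 8 "wtreply in wtrealm" check the thread says is not yet enforced. The function names, the `realm`/`reply` request fields, the registry and the example.com values are assumptions, as is returning no target for an unregistered realm.

```javascript
// Constructed sample registration: realm -> reply URL configured at the
// Identity Provider (the "Passive STS WReply URL" of the thread).
const SAMPLE_REGISTRY = new Map([
  ['https://rp.example.com/', 'https://rp.example.com/passive/reply'],
]);

// Parse an absolute http(s) URL; anything else yields null.
function parseHttpUrl(value) {
  if (typeof value !== 'string' || value === '') return null;
  let url;
  try {
    url = new URL(value);
  } catch (err) {
    return null;
  }
  return url.protocol === 'https:' || url.protocol === 'http:' ? url : null;
}

// Section 8 check quoted in the thread: the reply is "in" the realm when it
// is the same URL, or its host is the realm host or a host within that domain.
function replyWithinRealm(reply, realm) {
  const r = parseHttpUrl(reply);
  const m = parseHttpUrl(realm);
  if (r === null || m === null) return false;
  if (r.href === m.href) return true;
  // Compare parsed host names, never raw strings: a prefix or substring test
  // on the raw URL would accept look-alike hosts and userinfo tricks.
  return r.hostname === m.hostname || r.hostname.endsWith('.' + m.hostname);
}

// Decide where to send the browser. request.realm and request.reply stand for
// the realm and reply-URL parameters of the passive STS request.
function resolveReply(request, registry) {
  const configured = registry.get(request.realm);
  if (configured === undefined) {
    // Assumption of this example: no redirect target for an unknown realm.
    return { redirectTo: null, reason: 'unregistered-realm' };
  }
  const requested = parseHttpUrl(request.reply);
  if (requested === null) {
    return { redirectTo: configured, reason: 'no-valid-reply' };
  }
  if (requested.href === new URL(configured).href) {
    return { redirectTo: configured, reason: 'matches-configured' };
  }
  // Mismatch: fall back to the configured URL, as decided in the thread.
  // The reason records whether the request would have passed the spec check.
  const reason = replyWithinRealm(request.reply, request.realm)
    ? 'in-realm-not-configured'
    : 'outside-realm';
  return { redirectTo: configured, reason: reason };
}
```

The `reason` field is meant for logging, so that mismatching reply URLs show up in the audit trail instead of being silently replaced.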


Re: [Dev] [IS] - [Federated Setup - Openid-connect as IDP and SAML as SP] - Custom Claims are not sent in Response

2015-10-09 Thread Hasanthi Purnima Dissanayake
Hi Nadeesha,

We could reproduce the scenario. Please raise a Jira for this. The number
you are getting in the travelocity app is the numeric id associated with
the email account. If we don't set a Subject Claim URI, this will be used as
the default value. We will fix it so that the email address is displayed as
the default when we don't set a Subject Claim URI.

Thanks

Hasanthi Dissanayake

Software Engineer | WSO2

E: hasan...@wso2.com 
M :0718407133| http://wso2.com 

On Fri, Oct 9, 2015 at 11:31 AM, Nadeesha Meegoda 
wrote:

> Hi IS team,
>
> I setup the federated setup for the above scenario and added custom claims
> mapped with wso2 claims. Resource in [1] to get the claims supported by
> Google OpenID-connect
>
> "claims_supported": [
>   "aud",
>   "email",
>   "email_verified",
>   "exp",
>   "family_name",
>   "given_name",
>   "iat",
>   "iss",
>   "locale",
>   "name",
>   "picture",
>   "sub"
>  ]
>
> Steps
> 1. Added "email" custom claim and mapped it to wso2 email address claim in
> IDP
> 2. Added Requested claims for wso2 email address claim in the SP
> 3. Enabled "Include Attributes in the Response Always"  in SP
>
> After configuring all these, still I don't seem to get the claims in
> response. Any idea about this? Sending Requested claims worked for us with
> federated scenario (SAML to SAML with two IS and Facebook as IDP to SAML)
>
>
> Also what is the reason to show a auto generated number stream as
> authenticated google username in authentication response and also as logged
> in user for travelocity? Refer the attachment.
>
>  Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">105510008867410463807
>
>
> [1] - https://developers.google.com/identity/protocols/OpenIDConnect?hl=en
>
>
> Thanks!
>
> --
> *Nadeesha Meegoda*
> Software Engineer - QA
> WSO2 Inc.; http://wso2.com
> lean.enterprise.middleware
> email : nadees...@wso2.com
> mobile: +94783639540


[Dev] [Carbon]Can't login in to management console when both proxycontextpath and webcontextroot is used together

2015-10-07 Thread Hasanthi Purnima Dissanayake
Hi,
I configured both ProxyContextPath and WebContextRoot together in
carbon.xml and tried to log in to the management console. But it did not
redirect to the index page even though I got success information in the
console as below.

INFO{org.wso2.carbon.core.services.util.CarbonAuthenticationUtil}

- 'admin@carbon.super [-1234]' logged in at [2015-10-07 12:13:38,200+0530]

I have referred [1] to configure ProxyContextPath and created a jira for
the issue [2]

[1]
http://arunasujith.blogspot.com/2014/12/adding-custom-proxy-path-for-wso2.html

[2] https://wso2.org/jira/browse/CARBON-15475

Thanks

Hasanthi Dissanayake

Software Engineer | WSO2

E: hasan...@wso2.com 
M :0718407133| http://wso2.com 


Re: [Dev] [Identity] traveolcity.com app doesn't redirect to Facebook login page.

2015-09-24 Thread Hasanthi Purnima Dissanayake
Hi Lakshani,

In IS-5.1.0, when you are adding FB as a federated authenticator you need to
enter the comma-separated user information fields you want to retrieve in
the 'User Information Fields' textbox. By using this parameter IS sends a
query param named 'fields' to Facebook. Though the previous FB API versions
worked without the 'fields' parameter, the latest API (v2.4) expects this.
The documentation you followed was for IS 5.0, and for the FB APIs before
v2.4 the steps are perfectly fine.

Thanks

Hasanthi Dissanayake

Software Engineer | WSO2

E: hasan...@wso2.com 
M :0718407133| http://wso2.com 

On Thu, Sep 24, 2015 at 3:01 PM, Lakshani Gamage  wrote:

> Hi Devs,
>
> Following steps in [1], I tried login to travelocity.com app using
> facebook credentials. I followed the all the steps in the document
> correctly. But travelocity.com app doesn't redirect to Facebook login
> page.
>
> IS server version and facebook API version are mentioned in below.
>
> *IS server version - IS-5.1.0* ( build from the latest github code)
> *Facebook API version - v2.4*
>
> Are there any additional steps, should I follow to fix $subject?
>
> [1].
> https://docs.wso2.com/display/IS500/Logging+into+the+Identity+Server+using+Facebook+Credentials
>
> Thanks,
> --
> Lakshani Gamage
>
> *Software Engineer*
> Mobile : +94 (0) 71 5478184
>


Re: [Dev] [IS] - Single Sign out is not working when integrated with Google OpenID - Connect Authentication

2015-09-17 Thread Hasanthi Purnima Dissanayake
Hi Nadeesha,

Once you logout from the travelocity app, please make sure to logout from
the google account too. Otherwise if there is a session of the google
account it will automatically redirect to travelocity app in the second
attempt without asking the permission. Please let us know if you face the
same issue even after logging out from the google account too.

Thanks.

Hasanthi Dissanayake

Software Engineer | WSO2

E: hasan...@wso2.com 
M :0718407133| http://wso2.com 

On Thu, Sep 17, 2015 at 2:57 PM, Nadeesha Meegoda 
wrote:

> Hi,
>
> Followed the blog in [1] and configured Google as OpenID Connect IDP.
> Login in to travelocity.com with SAML was successful with google
> authentication. Also when the logout was clicked it directed to
> http://localhost:8080/travelocity.com/index.jsp from the home.jsp so I
> thought the logout was successful. But when I tried to sign in with SAML
> again I got logged in automatically without asking for the Google
> authentication credentials. Have I missed some configurations?
>
> Note : I have enabled single logout in the SP I created and double checked
> the travelocity.properties file and there also it is marked as true.
> (SAML.EnableSLO=true). With the SAML tracer I monitored the logout but I
> couldn't see any request sent to google where I think is the issue.
>
> [1] - http://xacmlinfo.org/2014/12/02/621/
>
> Any help on above is highly appreciated.
>
>
> Thank you
> --
> *Nadeesha Meegoda*
> Software Engineer - QA
> WSO2 Inc.; http://wso2.com
> lean.enterprise.middleware
> email : nadees...@wso2.com
> mobile: +94783639540


Re: [Dev] Error adding provider in wso2 identity server 5

2015-08-21 Thread Hasanthi Purnima Dissanayake
Hi Akila,

Did you install SP1 with IS 5.0.0? If not please make sure to install it by
following the instructions in readme file. You can find the service pack
from the place where you have downloaded IS 5.0.0 pack in wso2 site. There
was a public jira [1] with the issue you have mentioned and now it has been
resolved.

[1] https://wso2.org/jira/browse/IDENTITY-2089

Thanks and regards,

Hasanthi Dissanayake

Software Engineer | WSO2

E: hasan...@wso2.com nirosh...@wso2.com
M :0718407133| http://wso2.com http://wso2.com/

On Fri, Aug 21, 2015 at 11:48 AM, Akila Nimantha [IT/EKO/LOITS] 
aki...@lolctech.com wrote:

 Hi all,



 I’m using IDS 5.0



 Created a SP and then deleted and tried to add the same service provider
 but it displays the following error,

 “could not add service provider. You might be entering a duplicate service
 provider”.

 And Below is the snapshot.





 When I list down service providers it’s listed but without any entered
 details.



 Regards,

 Akila Rathnayake



[Dev] Review and Merge the PR

2015-08-05 Thread Hasanthi Purnima Dissanayake
Hi,
$subject please for [1].
[1] https://github.com/wso2/carbon-identity/pull/749/

Thanks,

Hasanthi Dissanayake

Software Engineer | WSO2

E: hasan...@wso2.com nirosh...@wso2.com
M :0718407133| http://wso2.com http://wso2.com/


[Dev] Review and Merge the PR

2015-08-04 Thread Hasanthi Purnima Dissanayake
Hi,
$subject please for [1] which fixes public jira [2].
[1] https://github.com/wso2/carbon-identity/pull/739
[2] https://wso2.org/jira/browse/IDENTITY-3422

Thanks,

Hasanthi Dissanayake

Software Engineer | WSO2

E: hasan...@wso2.com nirosh...@wso2.com
M :0718407133| http://wso2.com http://wso2.com/


[Dev] Please Review and Merge

2015-07-23 Thread Hasanthi Purnima Dissanayake
Hi Johann,
Please note the $subject for [1] as the fix of [2].
[1] https://github.com/wso2/carbon-identity/pull/667
[2] https://wso2.org/jira/browse/IDENTITY-3431

Thanks and Regards,


Hasanthi Dissanayake

Software Engineer | WSO2

E: hasan...@wso2.com nirosh...@wso2.com
M :0718407133| http://wso2.com http://wso2.com/


[Dev] Please Review and Merge

2015-07-23 Thread Hasanthi Purnima Dissanayake
Hi Johann,
$subject please for the PR [1] as the fix of [2].
[1] https://github.com/wso2/carbon-identity/pull/667
[2] https://wso2.org/jira/browse/IDENTITY-3431

Thanks and regards,

Hasanthi Dissanayake

Software Engineer | WSO2

E: hasan...@wso2.com nirosh...@wso2.com
M :0718407133| http://wso2.com http://wso2.com/


[Dev] Review and Merge the PR

2015-07-15 Thread Hasanthi Purnima Dissanayake
Hi,
Please review and merge the PR [1] for public jira [2].

[1] https://github.com/wso2/carbon-identity/pull/623
[2] https://wso2.org/jira/browse/IDENTITY-3253

Thanks,

Hasanthi Dissanayake

Software Engineer | WSO2

E: hasan...@wso2.com nirosh...@wso2.com
M :0718407133| http://wso2.com http://wso2.com/


[Dev] Review and Merge the PR

2015-07-13 Thread Hasanthi Purnima Dissanayake
Hi,
Please review and merge the fix [1] for public jira [2].
[1] https://github.com/wso2/product-is/pull/146
[2] https://wso2.org/jira/browse/IDENTITY-3220

Thanks,

Hasanthi Dissanayake

Software Engineer | WSO2

E: hasan...@wso2.com nirosh...@wso2.com
M :0718407133| http://wso2.com http://wso2.com/


Re: [Dev] [DEV] - How to send a AJAX call when User finish typing at the textbox

2015-07-09 Thread Hasanthi Purnima Dissanayake
Hi Rajee,
I think you can trigger the validation when the textbox loses its focus.
In jQuery there is a focusout function. I think you can use it.
Just a sample:

$('#text1, #textarea1').focusout(function() {
    alert(this.id + ' lost the focus');
});

Thanks,

Hasanthi Dissanayake

Software Engineer | WSO2

E: hasan...@wso2.com nirosh...@wso2.com
M :0718407133| http://wso2.com http://wso2.com/

On Thu, Jul 9, 2015 at 10:50 AM, Irham Iqbal iq...@wso2.com wrote:

 Hi Rajee,

 You can use a timer to call back. It will wait for sometime to check
 whether there is textArea.onkeypress and trigger callback. Reference[1].
 [1]
 http://stackoverflow.com/questions/1620602/javascript-jquery-make-an-ajax-request-when-a-user-is-typing-in-a-textarea

 Thanks,
 Iqbal

 On Thu, Jul 9, 2015 at 10:16 AM, Lakshani Gamage laksh...@wso2.com
 wrote:

 Hi Rajee,

 You can use .onblur()[2] event also.

 [2] http://www.w3schools.com/jsref/event_onblur.asp

 Thanks,
 Lakshani

 On Thu, Jul 9, 2015 at 9:56 AM, Himasha Guruge himas...@wso2.com wrote:

 Hi Rajeenthini,

 You could use a time out or .blur() ( user focus out from the text box)
 depending on your requirement. You could look into [1].

 [1] how-to-trigger-an-event-in-input-text-after-i-stop-typing-writing
 http://stackoverflow.com/questions/14042193/how-to-trigger-an-event-in-input-text-after-i-stop-typing-writing
 Thanks,
 Himasha

 On Thu, Jul 9, 2015 at 9:52 AM, Thusitha Thilina Dayaratne 
 thusit...@wso2.com wrote:

 Hi Rajeenthini,

 I think you can use jquery focusout method to detect when the text field
 focus get put.
 That might help https://api.jquery.com/focusout/

 Thanks

 On Thu, Jul 9, 2015 at 9:45 AM, Rajeenthini Satkunam 
 rajeenth...@wso2.com wrote:

 Hi all,

 Currently I am working on a task validating CRUD forms of Enterprise
 store publisher. So I need to check whether the overview name already
 exists or not. So I will make an AJAX call through the server side to get
 the exactly matching asset in the publisher. I am using the jQuery
 validation plugin, and I have a custom method to validate this overview
 name field on the client side.

 //custom validator for remote ajax call to validate asset name
 $.validator.addMethod("FieldValidate", function (value, element) {
     var data = '%22name%22 : %22' + value + '%22';
     var result = false;
     $.ajax({
         type: "GET",
         url: caramel.url("/apis/assets?type=gadget&q=" + data),
         dataType: "json",
         async: false,
         success: function (data, textStatus, xhr) {
             var obj = data;
             if (obj.list.length > 0) {
                 result = false;
             } else {
                 result = true;
             }
         },
         error: function (xhr, thrownError) {
             console.log("error " + xhr.responseText + " " + thrownError);
         }
     });
     return result;

 }, "The name already taken");

 By the way, I need to trigger the validation only when the user finishes
 typing in the text box. But now the Ajax call is sent for each and every
 input given by the user. So can anyone suggest any idea to handle this?
 Suggestions would be appreciated.
 --

 *Thank You.*

 *Rajeenthini Satkunam*

 *Associate Software Engineer | WSO2*


 *E: rajeenth...@wso2.com*

 *M: +94770832823*






 --
 Thusitha Dayaratne
 Software Engineer
 WSO2 Inc. - lean . enterprise . middleware |  wso2.com

 Mobile  +94712756809
 Blog  alokayasoya.blogspot.com
 Abouthttp://about.me/thusithathilina






 --
 Himasha Guruge
 *Software Engineer*
 WS*O2* *Inc.*
 Mobile: +94 777459299
 himas...@wso2.com





 --
 Lakshani Gamage

 *Software Engineer*
 Mobile : +94 (0) 71 5478184




 --
 Irham Iqbal
 Software Engineer - Test Automation
  WSO2, Inc.: http://wso2.com
 lean. enterprise. middleware
 phone: +94 777888452



___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
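
The timer approach suggested in this thread, as an added example (not code from the thread or from Enterprise Store): the lookup is sent only after typing has paused, an answer that arrives for an older value is dropped, and the typed value is percent-encoded before it goes into the query. `createDebouncedNameCheck`, `assetQueryPath` and the injected `lookup`, `onResult` and `timers` parameters are hypothetical names; the request path is the one from the question.

```javascript
// Build the request path used in the question, percent-encoding the typed
// value so characters such as '&' or '#' cannot alter the query string.
function assetQueryPath(name) {
  return '/apis/assets?type=gadget&q=%22name%22 : %22' +
    encodeURIComponent(name) + '%22';
}

// Returns an input handler that calls lookup(value, done) only after no new
// input has arrived for delayMs milliseconds.
//   lookup(value, done): performs the remote check, then calls done(isTaken)
//   onResult(value, isTaken): receives the answer for the latest value only
//   timers: optional { setTimeout, clearTimeout } pair, injectable for tests
function createDebouncedNameCheck(lookup, onResult, delayMs, timers) {
  const t = timers || {
    setTimeout: function (fn, ms) { return setTimeout(fn, ms); },
    clearTimeout: function (id) { clearTimeout(id); },
  };
  let pending = null; // timer handle of the lookup waiting to be sent
  let latest = 0;     // sequence number of the most recent input

  return function onInput(value) {
    // A new keystroke cancels the lookup that has not been sent yet.
    if (pending !== null) t.clearTimeout(pending);
    const seq = ++latest;
    pending = t.setTimeout(function () {
      pending = null;
      lookup(value, function (isTaken) {
        // The user typed again while this request was in flight: its answer
        // describes an old value and must not be shown.
        if (seq !== latest) return;
        onResult(value, isTaken);
      });
    }, delayMs);
  };
}

// Browser wiring (sketch, using jQuery and caramel.url from the question):
//   var check = createDebouncedNameCheck(function (value, done) {
//     $.getJSON(caramel.url(assetQueryPath(value)), function (data) {
//       done(data.list.length > 0);
//     });
//   }, showNameStatus /* hypothetical UI callback */, 400);
//   $('#text1').on('input', function () { check(this.value); });
```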


[Dev] Review and Merge the PR

2015-07-07 Thread Hasanthi Purnima Dissanayake
Please review and merge the fix [1] for public jira [2].
[1] https://github.com/wso2/product-is/pull/142
[2] https://wso2.org/jira/browse/IDENTITY-2541

Thanks,

Hasanthi Dissanayake

Software Engineer | WSO2

E: hasan...@wso2.com nirosh...@wso2.com
M :0718407133| http://wso2.com http://wso2.com/


Re: [Dev] error in running ESB sample 153

2015-06-29 Thread Hasanthi Purnima Dissanayake
Hi Rukshan,
Can you please check whether you have placed bcprov-jdk15.jar in the
correct place ($ESB_HOME/repository/plugins)? I think this exception
should come when the BouncyCastle jar is not in the classpath.

Thanks and Regards,

Hasanthi Dissanayake

Software Engineer | WSO2

E: hasan...@wso2.com nirosh...@wso2.com
M :0718407133| http://wso2.com http://wso2.com/

On Mon, Jun 29, 2015 at 8:03 PM, Indunil Upeksha Rathnayake 
indu...@wso2.com wrote:

 Hi Rukshan,
 If you are using java 1.7, use the unlimited strength policy files in [1].

 [1]
 http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html

 Thanks and Regards
 --
 Indunil Upeksha Rathnayake
 Software Engineer | WSO2 Inc
 Email  indu...@wso2.com
 Mobile  +94713695179



[Dev] [APIM] Changing the default timeout of published APIs

2015-06-25 Thread Hasanthi Purnima Dissanayake
Hi All,
By editing the templates according to [1] we can change the timeout of
default APIs. I think this will change the default timeout of all APIs
that will be published in future too. Please correct me if I'm wrong. Is there a
way to change the timeout of already published APIs only, without affecting
the APIs published in future?

[1]https://docs.wso2.com/display/AM160/Editing+API+Templates

Thanks and Regards,

Hasanthi Dissanayake

Software Engineer | WSO2

E: hasan...@wso2.com nirosh...@wso2.com
M :0718407133| http://wso2.com http://wso2.com/


[Dev] Review and Merge the PR

2015-06-24 Thread Hasanthi Purnima Dissanayake
Hi,
This is the fix [1] for Public JIRA issue [2].
$subject please.

[1] https://github.com/wso2/carbon-identity/pull/475
[2] https://wso2.org/jira/browse/IDENTITY-3364
https://wso2.org/jira/browse/IDENTITY-3358

Thanks,

Hasanthi Dissanayake

Software Engineer | WSO2

E: hasan...@wso2.com nirosh...@wso2.com
M :0718407133| http://wso2.com http://wso2.com/


Re: [Dev] Review and Merge the PR

2015-06-24 Thread Hasanthi Purnima Dissanayake
Correcting the web address:
[2] https://wso2.org/jira/browse/IDENTITY-3364

Thanks

Hasanthi Dissanayake

Software Engineer | WSO2

E: hasan...@wso2.com nirosh...@wso2.com
M :0718407133| http://wso2.com http://wso2.com/

On Wed, Jun 24, 2015 at 5:38 PM, Hasanthi Purnima Dissanayake 
hasan...@wso2.com wrote:

 Hi,
 This is the fix [1] for Public JIRA issue [2].
 $subject please.

 [1] https://github.com/wso2/carbon-identity/pull/475
 [2] https://wso2.org/jira/browse/IDENTITY-3364
 https://wso2.org/jira/browse/IDENTITY-3358

 Thanks,

 Hasanthi Dissanayake

 Software Engineer | WSO2

 E: hasan...@wso2.com nirosh...@wso2.com
 M :0718407133| http://wso2.com http://wso2.com/



[Dev] Please Review and Merge the PR

2015-06-18 Thread Hasanthi Purnima Dissanayake
Hi,
This is the fix [1] for Public JIRA issue [2].
$subject
[1] https://github.com/wso2/carbon-identity/pull/449
[2] https://wso2.org/jira/browse/IDENTITY-3358

Thanks.

Hasanthi Dissanayake

Software Engineer | WSO2

E: hasan...@wso2.com nirosh...@wso2.com
M :0718407133| http://wso2.com http://wso2.com/


Re: [Dev] Please Review and merge Pull Request

2015-06-16 Thread Hasanthi Purnima Dissanayake
Please review and merge pull request [1] for the same issue to modify the
Playground sample.

[1] https://github.com/wso2/product-is/pull/117

Thanks.

Hasanthi Dissanayake

Software Engineer | WSO2

E: hasan...@wso2.com nirosh...@wso2.com
M :0718407133| http://wso2.com http://wso2.com/

On Wed, Jun 17, 2015 at 8:56 AM, Hasanthi Purnima Dissanayake 
hasan...@wso2.com wrote:

 Hi,
 Please review and merge pull request for
 https://redmine.wso2.com/issues/3737

 https://github.com/wso2/carbon-identity/pull/443

 Thank You!

 Hasanthi Dissanayake

 Software Engineer | WSO2

 E: hasan...@wso2.com nirosh...@wso2.com
 M :0718407133| http://wso2.com http://wso2.com/



[Dev] Please Review and merge Pull Request

2015-06-16 Thread Hasanthi Purnima Dissanayake
Hi,
Please review and merge pull request for
https://redmine.wso2.com/issues/3737

https://github.com/wso2/carbon-identity/pull/443

Thank You!

Hasanthi Dissanayake

Software Engineer | WSO2

E: hasan...@wso2.com nirosh...@wso2.com
M :0718407133| http://wso2.com http://wso2.com/


Re: [Dev] [IS] Findbugs Error : is provided externally to the method and not sanitized before use.

2015-06-04 Thread Hasanthi Purnima Dissanayake
Hi Chamila,

Some programs accept untrusted data originating from invalid sources and
then pass it to different trusted domains. Most of the time the data is in
the form of a string with some internal syntactic structure, which the
subsystem must parse. Such data must be sanitized both because the
subsystem may be unprepared to handle the malformed input and because
unsanitized input may include an injection attack.

As an example:

The problem:

The sqlString mentioned below accepts unsanitized input arguments, so it
may permit an SQL injection attack.

public void accessPermission(String username, char[] password) throws SQLException {
    String pwd = new String(password);
    // Untrusted values are concatenated straight into the SQL text.
    String sqlString = "SELECT * FROM db_user WHERE username = '" + username
            + "' AND password = '" + pwd + "'";
}


The solution:

public void accessPermission(String username, char[] password) throws SQLException {
    String pwd = new String(password);
    String sqlString = "select * from db_user where username=? and password=?";
    // connection is an open java.sql.Connection held by the enclosing class.
    PreparedStatement stmt = connection.prepareStatement(sqlString);
    // Values are bound as parameters and are never parsed as SQL.
    stmt.setString(1, username);
    stmt.setString(2, pwd);
}

This API can be used for building SQL commands that sanitize untrusted data.

Thanks and Regards,

Hasanthi Dissanayake

Software Engineer | WSO2

E: hasan...@wso2.com nirosh...@wso2.com
M :0718407133| http://wso2.com http://wso2.com/

On Thu, Jun 4, 2015 at 4:38 PM, Chamila Wijayarathna cham...@wso2.com
wrote:

 Hi Rajeevan,

 Value of CHECK_EXIST_USER_DATA is "SELECT " + "DATA_VALUE " + "FROM
 IDN_IDENTITY_USER_DATA " + "WHERE TENANT_ID = ? AND USER_NAME = ? AND
 DATA_KEY=?".
 I tried "SELECT DATA_VALUE FROM IDN_IDENTITY_USER_DATA WHERE TENANT_ID =
 ? AND USER_NAME = ? AND DATA_KEY=?" and
 "SELECT DATA_VALUE FROM IDN_IDENTITY_USER_DATA WHERE TENANT_ID=? AND
 USER_NAME=? AND DATA_KEY=?" as well. But getting the same result still.

 Thanks.

 On Thu, Jun 4, 2015 at 4:05 PM, Rajeevan Vimalanathan rajeev...@wso2.com
 wrote:

 Hi Chamila,

 What is the value of SQLQuery.CHECK_EXIST_USER_DATA? Is this a constant?
 You can find a similar issue reported at [1].

 [1]
 http://stackoverflow.com/questions/398179/findbugs-not-finding-potential-sql-injection-vulnerability

 Thanks,
 Rajeevan

 On Wed, Jun 3, 2015 at 9:57 AM, Chamila Wijayarathna cham...@wso2.com
 wrote:

 Hello all,

 When profiling using Sonar, I'm getting the error as in $subject
 (squid:S2077) from [1]. What is the reason for this warning? How can I
 solve this?

 1.
 https://github.com/wso2/carbon-identity/blob/master/components/identity-mgt/org.wso2.carbon.identity.mgt/src/main/java/org/wso2/carbon/identity/mgt/store/JDBCIdentityDataStore.java#L92

 Thank You!

 --
 *Chamila Dilshan Wijayarathna,*
 Software Engineer
 Mobile:(+94)788193620
 WSO2 Inc., http://wso2.com/





 --

 Vimalanathan Rajeevan
 Software Engineer
 WSO2 Inc.:http://wso2.com
 lean.enterprise.middleware


 Mobile : +94 773090875




 --
 *Chamila Dilshan Wijayarathna,*
 Software Engineer
 Mobile:(+94)788193620
 WSO2 Inc., http://wso2.com/

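An added example, not part of the thread or of the carbon-identity code: the query quoted above kept as one constant string, with every value bound through PreparedStatement and all JDBC resources closed. The class name, table layout, sample row and the JDBC URL argument (any scratch database whose driver is on the classpath) are assumptions.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class UserDataLookup {

    // One constant string; values reach the database only as bound parameters.
    private static final String CHECK_EXIST_USER_DATA =
            "SELECT DATA_VALUE FROM IDN_IDENTITY_USER_DATA WHERE TENANT_ID = ? AND USER_NAME = ? AND DATA_KEY = ?";

    /** Returns the stored value, or null when no row matches. */
    static String findValue(Connection con, int tenantId, String userName, String dataKey)
            throws SQLException {
        try (PreparedStatement stmt = con.prepareStatement(CHECK_EXIST_USER_DATA)) {
            stmt.setInt(1, tenantId);
            stmt.setString(2, userName);   // a quote inside the value stays data
            stmt.setString(3, dataKey);
            try (ResultSet rs = stmt.executeQuery()) {
                return rs.next() ? rs.getString(1) : null;
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        // Assumption: args[0] is a JDBC URL for a scratch database whose driver
        // is on the classpath (for example an in-memory database).
        try (Connection con = DriverManager.getConnection(args[0])) {
            try (Statement ddl = con.createStatement()) {
                ddl.execute("CREATE TABLE IDN_IDENTITY_USER_DATA (TENANT_ID INT, "
                        + "USER_NAME VARCHAR(255), DATA_KEY VARCHAR(255), DATA_VALUE VARCHAR(255))");
            }
            // Constructed sample row: the user name contains a single quote.
            try (PreparedStatement ins = con.prepareStatement(
                    "INSERT INTO IDN_IDENTITY_USER_DATA VALUES (?, ?, ?, ?)")) {
                ins.setInt(1, 1);
                ins.setString(2, "o'brien");
                ins.setString(3, "sample.key");
                ins.setString(4, "sample-value");
                ins.executeUpdate();
            }
            // Same name, quote included, is matched as a plain value.
            System.out.println(findValue(con, 1, "o'brien", "sample.key"));
            // A different value with an extra quote is compared literally as well.
            System.out.println(findValue(con, 1, "o'brien'", "sample.key"));
        }
    }
}
```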


Re: [Dev] Fwd: Creating the carbon UI component

2015-05-28 Thread Hasanthi Purnima Dissanayake
Hi Jane,
Do you get any error message in the console? Please provide more
information.

Hasanthi Dissanayake

Software Engineer | WSO2

E: hasan...@wso2.com nirosh...@wso2.com
M :0718407133| http://wso2.com http://wso2.com/

On Fri, May 29, 2015 at 10:00 AM, Supun Sethunga sup...@wso2.com wrote:

 Hi Jane,

 Can you try starting server with -DosgiConsole option, and check whether
 created bundles are all in ACTIVE state?

 Thanks,
 Supun

 On Thu, May 28, 2015 at 2:19 PM, Jane Mariathas j...@wso2.com wrote:

 Hi,

 I created a simple carbon component. After building the component, I added
 all the OSGi bundles (jar files) in
 $CARBON_HOME/repository/components/dropins/
 but after starting the server I couldn't see the component in the carbon
 management console.
 Any idea on this?


 Thanks






 --
 *Supun Sethunga*
 Software Engineer
 WSO2, Inc.
 http://wso2.com/
 lean | enterprise | middleware
 Mobile : +94 716546324



Re: [Dev] WSO2 Committers += Dinithi De Silva

2015-05-28 Thread Hasanthi Purnima Dissanayake
Congratzz Dinithi !!!

Hasanthi Dissanayake

Software Engineer | WSO2

E: hasan...@wso2.com nirosh...@wso2.com
M :0718407133| http://wso2.com http://wso2.com/

On Thu, May 28, 2015 at 11:47 AM, Lakshani Gamage laksh...@wso2.com wrote:

 Congratz Dinithi!!

 Thanks,
 Lakshani

 On Thu, May 28, 2015 at 11:40 AM, Imesh Gunaratne im...@wso2.com wrote:

 Hi Devs,

 It's my pleasure to welcome Dinithi De Silva as a WSO2 Committer. She has
 contributed to WSO2 Private PaaS and other WSO2 products in many different
 ways. In recognition of her contributions she was voted as a WSO2 Committer.

 Dinithi, Congratulations! Keep up the good work!

 Thanks

 --
 *Imesh Gunaratne*
 Senior Technical Lead
 WSO2 Inc: http://wso2.com
 T: +94 11 214 5345 M: +94 77 374 2057
 W: http://imesh.gunaratne.org
 Lean . Enterprise . Middleware






 --
 Lakshani Gamage

 *Software Engineer*
 Mobile : +94 (0) 71 5478184



Re: [Dev] Returning ArrayList in axis2 web service

2015-05-11 Thread Hasanthi Purnima Dissanayake
Hi Isuru,

Usually a web service needs to be accessible from any language. So they are
not using the same collection frameworks as in Java or any other language.
So you should not use language-specific collection types when returning
data from Axis2.

Thanks

Hasanthi Dissanayake

Software Engineer | WSO2

E: hasan...@wso2.com nirosh...@wso2.com
M :0718407133| http://wso2.com http://wso2.com/

On Tue, May 12, 2015 at 9:29 AM, Thusitha Thilina Dayaratne 
thusit...@wso2.com wrote:

 Hi Isuru,

 ArrayList is a Java-specific implementation (most of the Collections are
 too). Since web services have to deal with data in a language-independent
 manner, it is always good to return a POJO/bean. So you can return an array
 instead of ArrayList.

 Thanks

 On Tue, May 12, 2015 at 8:22 AM, Isuru Wijesinghe isur...@wso2.com
 wrote:

 Hi All,

 I have a method which I am trying to expose as a web service and the
 response object is an array list. When creating the web service in Axis2,
 can't I use Collection types such as ArrayList when returning data from
 Axis2 Web Service Objects?

 But when I return arrays of objects it works correctly. Any help will
 be appreciated.

 --
 Isuru Wijesinghe
 *Software Engineer*
 Mobile: 0710933706
 isur...@wso2.com




 --
 Thusitha Dayaratne
 Software Engineer
 WSO2 Inc. - lean . enterprise . middleware |  wso2.com

 Mobile  +94712756809
 Blog  alokayasoya.blogspot.com
 About  http://about.me/thusithathilina




[Dev] Sending mails to OpenIDConnect mail list

2015-05-07 Thread Hasanthi Purnima Dissanayake
Hi all,
I have subscribed to the OpenID Connect mail list and I got a subscription
successful mail from them too. I am receiving their mails but the problem
is I can't send mails to the thread. Once I sent a mail to the thread, I'm
getting an auto generated mail mentioning that the mail awaits moderator
approval. If anyone has subscribed to the above mail list please advise
me on this.

Thanks and regards,

Hasanthi Dissanayake

Software Engineer | WSO2

E: hasan...@wso2.com nirosh...@wso2.com
M :0718407133| http://wso2.com http://wso2.com/


[Dev] [IS] SSLHandshakeException when running PlayGround sample

2015-04-09 Thread Hasanthi Purnima Dissanayake
Hi,
I need to run sample PlayGround application which is mentioned in [1]. When
I'm trying to get the access token, I'm getting below exception.

javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target

It is highly appreciated if you can provide me a solution for this.
[1] : https://docs.wso2.com/display/IS500/OpenID+Connect+with+the+WSO2+Identity+Server+and+WSO2+OAuth2+Playground

Thanks and Regards,

Hasanthi Dissanayake

Software Engineer | WSO2

E: hasan...@wso2.com nirosh...@wso2.com
M :0718407133| http://wso2.com http://wso2.com/


Re: [Dev] [IS] SSLHandshakeException when running PlayGround sample

2015-04-09 Thread Hasanthi Purnima Dissanayake
 Hi Rajith,
Thanks for the response.
Hi Tharindu,
Thanks for the response. Will do it.


Hasanthi Dissanayake

Software Engineer | WSO2

E: hasan...@wso2.com nirosh...@wso2.com
M :0718407133| http://wso2.com http://wso2.com/

On Thu, Apr 9, 2015 at 3:23 PM, Tharindu Edirisinghe tharin...@wso2.com
wrote:

 [correction in bold]

 But in the playground app source, when creating the SSLContext, it is
 *NOT* initializing a TrustManager with the truststore.

 On Thu, Apr 9, 2015 at 3:21 PM, Tharindu Edirisinghe tharin...@wso2.com
 wrote:

 Hi Hasanthi,

 PKIX path building failed error occurs when the client application cannot
 find the public certificate of the Identity Server for creating the SSL
 connection. This can happen if the public certificate of the Identity
 Server is not available in the client application's trust store. Or else if
 the client application is retrieving the truststore path from the java
 system property javax.net.ssl.trustStore the value may not be set. But in
 the playground app source, when creating the SSLContext, it is initializing
 a TrustManager with the truststore. So in your case, you can export the
 public certificate of Identity Server and import it to the Java JVM cacerts.

 On Thu, Apr 9, 2015 at 1:53 PM, Hasanthi Purnima Dissanayake 
 hasan...@wso2.com wrote:

 Hi,
 I need to run sample PlayGround application which is mentioned in [1].
 When I'm trying to get the access token, I'm getting below exception.

 javax.net.ssl.SSLHandshakeException:
 sun.security.validator.ValidatorException: PKIX path building failed:
 sun.security.provider.certpath.SunCertPathBuilderException: unable to find
 valid certification path to requested target

 It is highly appreciated if you can provide me a solution for this.
 [1] : https://docs.wso2.com/display/IS500/OpenID+Connect+with+the+WSO2+Identity+Server+and+WSO2+OAuth2+Playground

 Thanks and Regards,

 Hasanthi Dissanayake

 Software Engineer | WSO2

 E: hasan...@wso2.com nirosh...@wso2.com
 M :0718407133| http://wso2.com http://wso2.com/





 --

 Tharindu Edirisinghe
 Software Engineer | WSO2 Inc
 Identity Server Team
 mobile : +94 775 181586




 --

 Tharindu Edirisinghe
 Software Engineer | WSO2 Inc
 Identity Server Team
 mobile : +94 775 181586

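What the quoted explanation and its correction describe, as an added example (not the playground sample's code): an SSLContext whose TrustManager is initialized from an explicit trust store, so certificate path building does not depend on the javax.net.ssl.trustStore property or the JVM cacerts. The class name and the two command-line arguments are assumptions.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class TrustStoreContext {

    /** Builds an SSLContext that trusts only the certificates in the given store. */
    static SSLContext fromTrustStore(String path, char[] password) throws Exception {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            trustStore.load(in, password);
        }
        // An empty store would only fail later, during the handshake.
        if (trustStore.size() == 0) {
            throw new IllegalStateException("trust store has no entries: " + path);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        // First argument null: no client certificate is presented.
        // Passing null as the second argument instead would fall back to the
        // JVM default trust managers (javax.net.ssl.trustStore or cacerts).
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumptions: args[0] is a trust store file that already contains the
        // server's public certificate, args[1] is the store password.
        SSLContext ctx = fromTrustStore(args[0], args[1].toCharArray());
        System.out.println("SSLContext ready, protocol: " + ctx.getProtocol());
    }
}
```

The context is applied to a single connection by calling setSSLSocketFactory(ctx.getSocketFactory()) on an HttpsURLConnection, which leaves the JVM-wide defaults untouched.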

