Re: [Architecture] [IS] Regenerating client secret/key and revoking an oauth app in OAuth 2.0 implementation

2016-06-07 Thread Harsha Thirimanna
On Mon, Jun 6, 2016 at 1:33 AM, Prabath Siriwardana wrote: > Yes.. We need to have it... Created a public JIRA to track this https://wso2.org/jira/browse/IDENTITY-4666 > Since we are now talking about client id and client secret - can we also > make the app authentication

Re: [Architecture] [IS] Regenerating client secret/key and revoking an oauth app in OAuth 2.0 implementation

2016-06-06 Thread Johann Nallathamby
Aren't we discussing two requirements? 1. Allow registering applications with a user-given client id/secret 2. Allow the client id/secret to be changed. While changing the client id has the complications highlighted above, (1) also has some challenges. Currently we assume the client id is unique

Re: [Architecture] [IS] Regenerating client secret/key and revoking an oauth app in OAuth 2.0 implementation

2016-06-03 Thread Pushpalanka Jayawardhana
Hi All, On Fri, Jun 3, 2016 at 5:46 PM, Prabath Siriwardana wrote: > > > On Thu, Jun 2, 2016 at 10:30 PM, Indunil Upeksha Rathnayake < > indu...@wso2.com> wrote: > >> Hi, >> I am working on implementing regeneration of client secret/key of an >> oauth app and revocation of an

Re: [Architecture] [IS] Regenerating client secret/key and revoking an oauth app in OAuth 2.0 implementation

2016-06-03 Thread Prabath Siriwardana
On Thu, Jun 2, 2016 at 10:30 PM, Indunil Upeksha Rathnayake < indu...@wso2.com> wrote: > Hi, > I am working on implementing regeneration of client secret/key of an oauth > app and revocation of an oauth app for the next milestone release of > Identity Server. Appreciate your feedback on the

Re: [Architecture] [IS] Regenerating client secret/key and revoking an oauth app in OAuth 2.0 implementation

2016-06-03 Thread Gayan Gunawardana
Hi Indunil, Here are we talking about three things? *i. Regenerate Client Secret* *ii. Regenerate Consumer Key* *iii. Revoking an oauth app* Specification [1] talks about revoking the client secret more like revoking the oauth app. In order to use the same consumer key again, regenerating the client secret is

Re: [Architecture] [IS] Regenerating client secret/key and revoking an oauth app in OAuth 2.0 implementation

2016-06-03 Thread Harsha Thirimanna
On Fri, Jun 3, 2016 at 11:51 AM, Farasath Ahamed wrote: > compromised Yes, it is like when the user wants to change the user name as well, with or without changing the password. So in that case we have to create a new account instead of letting them change the user name. *Harsha

Re: [Architecture] [IS] Regenerating client secret/key and revoking an oauth app in OAuth 2.0 implementation

2016-06-03 Thread Farasath Ahamed
Hi, Since client_id is simply an identifier for the OAuth application, is it really required to regenerate the client_id when the client_secret is compromised? Isn't it similar to a situation where we are changing our username and password because our password was compromised? Farasath

Re: [Architecture] [IS] Regenerating client secret/key and revoking an oauth app in OAuth 2.0 implementation

2016-06-03 Thread Harsha Thirimanna
Hi Farasath, In that case, we have to create a new application if someone wants to reset the consumer key. That will not be a good experience for the user, and the specification also does not specifically say whether we should revoke only the consumer key or both. An authorization server may revoke a client's

Re: [Architecture] [IS] Regenerating client secret/key and revoking an oauth app in OAuth 2.0 implementation

2016-06-03 Thread Kasun Bandara
Hi Indunil, What are the guidelines given by the OAuth 2.0 specification regarding the $subject? As stated by @Farasath, I think even Twitter does the same thing. Thanks, Kasun. On Fri, Jun 3, 2016 at 11:11 AM, Farasath Ahamed wrote: > Hi Indunil, > > In a case of

Re: [Architecture] [IS] Regenerating client secret/key and revoking an oauth app in OAuth 2.0 implementation

2016-06-02 Thread Farasath Ahamed
Hi Indunil, In a case of the client_secret being revealed, wouldn't it be sufficient only to regenerate the client_key without regenerating the consumer key? In the Google API console I have noticed that you only have the option to reset the client secret of an OAuth application. If you want to regenerate

[Architecture] [IS] Regenerating client secret/key and revoking an oauth app in OAuth 2.0 implementation

2016-06-02 Thread Indunil Upeksha Rathnayake
Hi, I am working on [1] for implementing regeneration of the client secret/key of an oauth app and revocation of an oauth app for the next milestone release of Identity Server. Appreciate your feedback on the following approaches I have taken. A trusted client would need to update the client

Re: [Architecture] [IS] Regenerating client secret/key and revoking an oauth app in OAuth 2.0 implementation

2016-06-02 Thread Indunil Upeksha Rathnayake
Hi, I am working on implementing regeneration of the client secret/key of an oauth app and revocation of an oauth app for the next milestone release of Identity Server. Appreciate your feedback on the following approaches I have taken. A trusted client would need to update the client secret/key, in