Fwd: [IS][DEV][OAUTH][SAML2.0-BEARER] Should ID_TOKEN User Claims Tally with the Requested Scope When Obtaining an OAuth Access-Token with SAML2.0-Bearer Grant Type


Thilina Madumal

---------- Forwarded message ----------
From: Thilina Madumal <[hidden email]>
Date: Thu, Jun 15, 2017 at 1:37 PM
Subject: [IS][DEV][OAUTH][SAML2.0-BEARER] Should ID_TOKEN User Claims Tally with the Requested Scope When Obtaining an OAuth Access-Token with SAML2.0-Bearer Grant Type
To: [hidden email]
Cc: Ishara Karunarathna <[hidden email]>, Johann Nallathamby <[hidden email]>, Ruwan Abeykoon <[hidden email]>, Sagara Gunathunga <[hidden email]>, Hasanthi Purnima Dissanayake <[hidden email]>, Pushpalanka Jayawardhana <[hidden email]>, Isura Karunaratne <[hidden email]>, Thanuja Jayasinghe <[hidden email]>


Hi,

I'm wondering, when we issue OAuth2 access tokens for the SAML2.0-Bearer grant type, how we should provide user claims in the ID-Token.

In the prevailing implementation, when building the ID-Token we just get the user claims from the Assertion provided and include those in the ID-Token irrespective of the scope requested.

Ideally, it should be the same as the OpenID Connect standard, where we provide the user claims in the ID-Token according to the requested scope.

Then we can cache those user attributes against the issued access token, to provide user claims when the 'userInfo' endpoint is called with the issued access token.

We can follow the same standard for Assertions issued by the WSO2-IS, either for local users or for federated users, because we know the user claim mapping in these cases.
But for Assertions provided by some other Trusted IDP we can't follow this standard, simply because we don't know the user claim mapping.

Highly appreciate your help and suggestions.

Thanks and Best Regards!

--
Thilina Madumal
Software Engineer | WSO2
Mobile: +94 774553167
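As an added example (not the author's or WSO2's code) of the scope-based claim filtering and per-token caching proposed above, written in Python against the standard OpenID Connect scope-to-claim mapping; the SAML attribute names, the sample assertion values and the in-memory cache are constructed assumptions, and an unknown attribute mapping (third-party IdP) is reported as None so the caller can fall back to the current behaviour:

```python
# Scope values from OpenID Connect Core 1.0, section 5.4, and the claims each one requests.
SCOPE_CLAIMS = {
    "profile": {"name", "family_name", "given_name", "middle_name", "nickname",
                "preferred_username", "profile", "picture", "website", "gender",
                "birthdate", "zoneinfo", "locale", "updated_at"},
    "email": {"email", "email_verified"},
    "address": {"address"},
    "phone": {"phone_number", "phone_number_verified"},
}

# Constructed mapping from SAML attribute names to OIDC claim names. It is known only for
# assertions the local IdP issued; pass None for an assertion from a third-party IdP.
LOCAL_ATTRIBUTE_MAP = {
    "urn:example:attr:email": "email",
    "urn:example:attr:givenname": "given_name",
    "urn:example:attr:lastname": "family_name",
    "urn:example:attr:phone": "phone_number",
}

# Constructed sample attribute statement as it would be read from the SAML assertion.
SAMPLE_ASSERTION_ATTRIBUTES = {
    "urn:example:attr:email": "alice@example.com",
    "urn:example:attr:givenname": "Alice",
    "urn:example:attr:lastname": "Liddell",
    "urn:example:attr:phone": "+10000000000",
}

# Claims cached against each issued access token, served later by the userinfo endpoint.
_claims_by_token = {}


def select_id_token_claims(assertion_attributes, requested_scopes, attribute_map):
    """Keep only the attributes that map to claims the requested scopes allow."""
    if attribute_map is None:  # third-party IdP: mapping unknown, caller must fall back
        return None
    allowed = set().union(*(SCOPE_CLAIMS.get(scope, set()) for scope in requested_scopes))
    return {attribute_map[name]: value
            for name, value in assertion_attributes.items()
            if name in attribute_map and attribute_map[name] in allowed}


def issue_token(access_token, assertion_attributes, requested_scopes, attribute_map):
    """Compute the ID token claims for a token grant and cache them against the token."""
    claims = select_id_token_claims(assertion_attributes, requested_scopes, attribute_map)
    _claims_by_token[access_token] = claims
    return claims


def userinfo(access_token):
    """Serve the userinfo endpoint from the cache; None means unknown or unmapped token."""
    return _claims_by_token.get(access_token)
```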



