Description:
In order to validate the request object signature, WSO2 IS currently uses the certificate from the client trust store. We need to be able to upload the certificate from the UI at service provider creation and enforce signature validation.
Currently, this validates the signature only if the JWS is signed; if it's a plain request object, it doesn't try to validate the request object validator. At service provider creation, it should be possible to define the certificate to be used in request object validation and indicate whether signature validation and encryption are mandatory.
Suggested Labels: Type/Improvement
Suggested Assignees: @rushmin
Affected Product Version: WSO2IS as KM 5.3.0
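The signature enforcement requested above, sketched as an added example (not WSO2 Identity Server code and not part of the original issue): a plain request object is accepted only when the service provider has not made signing mandatory, and a signed one is verified against the key registered for that service provider. The names `accept`, `spKey` and `signatureMandatory` are hypothetical, the key pair and request objects are constructed, and RS256 is assumed as the only permitted signing algorithm.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;
import java.util.regex.*;

// Added illustration: class, method and flag names are hypothetical, not WSO2 IS classes.
public class RequestObjectPolicyDemo {
    static final Pattern ALG = Pattern.compile("\"alg\"\\s*:\\s*\"([^\"]*)\"");

    // spKey: public key of the certificate registered for the service provider.
    // signatureMandatory: per-service-provider flag of the kind the issue proposes.
    static boolean accept(String requestObject, PublicKey spKey, boolean signatureMandatory) {
        try {
            String[] p = requestObject.split("\\.", -1); // -1 keeps the empty signature part
            if (p.length != 3) return false;
            String header = new String(Base64.getUrlDecoder().decode(p[0]), StandardCharsets.UTF_8);
            Matcher m = ALG.matcher(header); // minimal header parse; real code would use a JOSE library
            String alg = m.find() ? m.group(1) : "";
            if (alg.equals("none")) {
                // Plain request object: allowed only when signing is optional and nothing is attached.
                return !signatureMandatory && p[2].isEmpty();
            }
            if (!alg.equals("RS256")) return false; // pin the algorithm instead of trusting the header
            Signature v = Signature.getInstance("SHA256withRSA");
            v.initVerify(spKey);
            v.update((p[0] + "." + p[1]).getBytes(StandardCharsets.US_ASCII));
            return v.verify(Base64.getUrlDecoder().decode(p[2]));
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            return false; // malformed encoding, key or signature: reject
        }
    }

    static String b64(byte[] b) { return Base64.getUrlEncoder().withoutPadding().encodeToString(b); }
    static String b64(String s) { return b64(s.getBytes(StandardCharsets.UTF_8)); }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        KeyPair kp = g.generateKeyPair(); // constructed key standing in for the uploaded certificate
        String claims = b64("{\"client_id\":\"constructed-client\",\"scope\":\"openid\"}");
        String input = b64("{\"alg\":\"RS256\"}") + "." + claims;
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(kp.getPrivate());
        s.update(input.getBytes(StandardCharsets.US_ASCII));
        String signed = input + "." + b64(s.sign());
        String plain = b64("{\"alg\":\"none\"}") + "." + claims + ".";
        System.out.println("signed, mandatory:  " + accept(signed, kp.getPublic(), true));
        System.out.println("plain,  mandatory:  " + accept(plain, kp.getPublic(), true));
        System.out.println("plain,  optional:   " + accept(plain, kp.getPublic(), false));
    }
}
```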