@ziccardi @secondsun Would you mind taking a look? This adds At the moment it looks like the SDK user would provide the credential at login. In this case I'm kind of confused as at the moment Credential seems to be used as a container for the tokens when a user has already authenticated. I don't understand why/how a user would provide that information at login. Something tells me A call may be better to explain this. |
@aidenkeating The authentication is performed through the usage of an authentication chain that can be configured at runtime.
public AbstractAuthenticator(final AuthServiceConfig config) { | ||
this.config = config; | ||
|
||
public AbstractAuthenticator(ServiceConfiguration serviceConfig) { |
Make the parameter final
private AuthService(final AuthServiceConfig config) { | ||
public AuthService() {} | ||
|
||
public void bootstrap(MobileCore core, ServiceConfiguration serviceConfig) { |
Make the params final
.toString(); | ||
} | ||
|
||
public static IntegrityCheckParameters deserialize(String serializedParams) throws JSONException { |
Make the param final
private String audience; | ||
private String publicKey; | ||
|
||
public IntegrityCheckParameters(String audience, String issuer, String publicKey) { |
Make the params final
* @param jwtToken The JWT token to verify. | ||
* @return <code>true</code> if the token integrity is good. | ||
*/ | ||
public boolean verifyToken(String jwtToken) { |
Make the param final
* @param audience - The expected Audience of the JWT | ||
* @return <code>true</code> if the token integrity is good. | ||
*/ | ||
public boolean verifyToken(String jwtToken, String publicKey, String issuer, String audience) { |
See previous comments
// Validate the JWT and process it to the Claims | ||
JwtClaims jwtClaims = jwtConsumer.processToClaims(jwtToken); | ||
verified = true; | ||
System.out.println("JWT Verified Successfully."); |
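Review bot: the JwtClaims returned by processToClaims on the first line is assigned and never read, so either drop the assignment or return the claims so the caller can act on them (the subject, expiry and roles are what an access control decision needs); and the success message on the last line goes to System.out, which on Android should be the Log class at a debug level rather than stdout.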
Don't use System.out
catch (InvalidJwtException e) | ||
{ | ||
// InvalidJwtException will be thrown, if the JWT failed processing or validation in anyway. | ||
System.out.println("JWT Validation Failed. " + e.getLocalizedMessage()); |
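Review bot: the catch on the last line writes e.getLocalizedMessage() to stdout; that message describes why the token was rejected and can echo parts of the token, so route it through the Android Log class at a level that is stripped from release builds and let the boolean result be the only thing the caller sees.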
See previous comment
.toString(); | ||
} | ||
|
||
public static OIDCCredentials deserialize(String serializedCredential) throws JSONException { |
Make parameter final
public String serialize() throws JSONException { | ||
return new JSONObject() | ||
.put("authState", this.authState.jsonSerializeString()) | ||
.put("integrityCheck", this.integrityCheckParameters.serialize()) |
integrityCheckParameters could be null
@aidenkeating Do you have a demo project that shows the code being used somewhere?
@secondsun Not yet. I can implement it in https://github.com/feedhenry/mobile-security-android-template
@aidenkeating Mostly looks good, added a few changes. The most important one I think is changing the JSON exception to a more descriptive run time exception.
The general argument is that we aren't working on JSON at a conceptual level. We are using OIDC tokens and configurations instead. This means that JSONException is leaking internal information that is not relevant to the user's tasks. Because this information isn't relevant we end up with exceptions that aren't solvable by the user (see here throws JSONException being leaked everywhere)
auth/build.gradle
targetCompatibility = "1.7" |
Remove these two lines, they are already set above to 1.8
@@ -1,6 +1,7 @@ | |||
package org.aerogear.auth; |
packages need to be renamed to conform to https://github.com/aerogear/proposals/blob/master/sdks/SDK-naming.md
@secondsun: just to be sure, should we rename it to org.aerogear.android.ags.auth?
@ziccardi Yes
public boolean verifyToken(final String jwtToken, final String publicKey, final String issuer, final String audience) { | ||
// add the Begin/End tags to the public key generated from Keycloak | ||
String beginPublicKey = "-----BEGIN PUBLIC KEY-----"; | ||
String endPublicKey = "-----END PUBLIC KEY-----"; |
these should be private static final constant fields instead of local variables.
JwtClaims jwtClaims = jwtConsumer.processToClaims(jwtToken); | ||
return true; | ||
} catch (InvalidJwtException e) { | ||
e.printStackTrace(); |
For now use Android's Log object instead of printing the stack trace.
@@ -67,8 +145,21 @@ public boolean isAuthorized() { | |||
* Returns stringified JSON for the OIDCCredential. | |||
* @return Stringified JSON OIDCCredential | |||
*/ | |||
public String serialise() { | |||
return this.authState.jsonSerializeString(); | |||
public String serialize() throws JSONException { |
How is serialize used?
Personally I would remove the JSONException from the method declaration and rethrow it as a runtime exception and add that clue to the documentation.
@secondsun serialize is used when persisting the auth state in the AuthStateManager.
return jsonCredential.toString(); | ||
} | ||
|
||
public static OIDCCredentials deserialize(final String serializedCredential) throws JSONException { |
See above comments about JSONException.
@@ -39,11 +39,11 @@ public OIDCCredentials read() { | |||
* Saves a token | |||
* @param authState token to be saved | |||
*/ | |||
public synchronized void write(final OIDCCredentials authState) { | |||
public synchronized void write(final OIDCCredentials authState) throws JSONException { |
I don't like the name "write". I think save is more descriptive. Also if we wrap the JSONExceptions above we aren't "leaking" it here.
OIDCCredentials oidcCredentials = new OIDCCredentials(); | ||
assertFalse("Expect Token Validation with Tampered Refresh Token to Fail", oidcCredentials.verifyToken(TAMPERED_REFRESH_TOKEN, VALID_PUBLIC_KEY, VALID_ISSUER, VALID_AUDIENCE)); | ||
} | ||
|
Could the repeated "OIDCCredentials oidcCredentials = new OIDCCredentials();" be in the setup block?
private AuthService(final AuthServiceConfig config) { | ||
public AuthService() {} | ||
|
||
public void bootstrap(final MobileCore core, final ServiceConfiguration serviceConfig) { |
When is the bootstrap called?
If we don't initialise the object inside the constructor, we should then throw an IllegalStateException if other methods are called before the bootstrap one.
@secondsun Am I correct in saying the core will initialize and then call bootstrap on a ServiceModule?
|
||
public IntegrityCheckParameters() {} | ||
|
||
public String getIssuer() { |
Add some documentation here. What is the issuer?
return this.audience; | ||
} | ||
|
||
public String getPublicKey() { return this.publicKey; } |
What is this public key? What format is it returned in? Is it DSA? RSA? Or what?
.toString(); | ||
} | ||
|
||
public static IntegrityCheckParameters deserialize(final String serializedParams) throws JSONException { |
Is this object supposed to be constructed only through this method? If yes, the constructor should be private
No this will need to be constructed through the constructor when initially created at authentication time.
.toString(); | ||
} | ||
|
||
public static IntegrityCheckParameters deserialize(final String serializedParams) throws JSONException { |
A null check should be added here
.setRequireSubject() // require the subject claim | ||
.setExpectedIssuer(issuer) // whom the JWT needs to have been issued by | ||
.setExpectedAudience(audience) // to whom the JWT is intended for | ||
.setVerificationKey(jwtPublicKey) // verify the signature with the public key |
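Review bot: the builder on these lines pins issuer, audience and the verification key, but the visible lines show neither setRequireExpirationTime() nor a JWS algorithm constraint (setJwsAlgorithmConstraints); if the surrounding lines do not set them either, add both, otherwise a token that carries no exp claim passes the check and the signature is verified with whatever algorithm the token header names rather than the one the realm key is meant for.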
Is it ok to have a null jwtPublicKey here? If it is not, make it final and do not assign null to it.
final PublicKey jwtPublicKey;
try {
jwtPublicKey = utils.fromPemEncoded(constructedPublicKey);
} catch (JoseException e) {
JwtClaims jwtClaims = jwtConsumer.processToClaims(jwtToken); | ||
return true; | ||
} catch (InvalidJwtException e) { | ||
e.printStackTrace(); |
If we can safely return false here, it would be better to use a logger to log exceptions.
public String serialise() { | ||
return this.authState.jsonSerializeString(); | ||
public String serialize() throws JSONException { | ||
JSONObject jsonCredential = new JSONObject() |
Every time a variable is not supposed to be assigned again, it should be declared as final.
return jsonCredential.toString(); | ||
} | ||
|
||
public static OIDCCredentials deserialize(final String serializedCredential) throws JSONException { |
If this object is supposed to be created only through this method, the constructor should be private.
if (authState == null) { | ||
clear(); | ||
} else { | ||
if(!prefs.edit().putString(KEY_STATE, authState.serialise()).commit()) { | ||
if(!prefs.edit().putString(KEY_STATE, authState.serialize()).commit()) { | ||
throw new IllegalStateException("Failed to update state from shared preferences"); |
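Review bot: the replacement line persists authState.serialize(), which this thread describes as the container for the user's tokens, as a plain string in SharedPreferences; that leaves the tokens unencrypted in the app's private storage, so either document that in the class Javadoc or wrap the value with a Keystore-backed encryption layer before putString. The message on the last line also reads "update state from shared preferences" for what is a write to them.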
Is it correct to throw an unchecked exception here?
@ziccardi Yes.
However, we should add @throws to the javadocs
auth/build.gradle
testImplementation 'org.mockito:mockito-core:2.10.0' | ||
testImplementation 'junit:junit:4.12' | ||
testImplementation "org.robolectric:robolectric:3.6.1" | ||
compile 'org.bitbucket.b_c:jose4j:0.6.3' |
compile is deprecated. Replace it with implementation and move it above the test dependencies. Also, can you include the dependency in the android bom https://github.com/aerogear/aerogear-parent/blob/master/aerogear-android-sdk-bom/pom.xml? passos is working on moving this to use a more managed system.
String getIssuer(); | ||
String getPublicKey(); | ||
boolean isValid(); | ||
String serialize() throws JSONException; |
nix the exception
*/ | ||
public String getPublicKey() { return this.publicKey; } | ||
|
||
public String serialize() throws JSONException { |
This code will never throw a JSON exception, best not to declare it.
* Return json representation of the parameters | ||
* @return json string representation of parameters | ||
*/ | ||
public static IntegrityCheckParameters deserialize(final String serializedParams) throws JSONException { |
Kill the exception.
If you have to throw a checked exception (pro tip, you don't), make it more specific to the task at hand. For instance, if there is no "issuer" property on the object then throwing a JSON exception is less useful than throwing a new IllegalArgumentException with a useful message.
Also, add that the object needs to be a json object with those parameters in the header.
Also also, if all we are doing is storing this in shared preferences can we make it a parcelable instead?
@secondsun I'm not sure I understand how parcelable would help here?
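The exception-handling point argued above (keep org.json's JSONException inside the class, report a missing property as an IllegalArgumentException with a useful message, and null-check the input), as an added example; this is not the SDK's code from this PR. The property names audience, issuer and publicKey follow the getters shown in the diff, but the exact JSON layout the SDK uses is an assumption.

```java
import org.json.JSONException;
import org.json.JSONObject;

/**
 * Issuer, audience and realm public key needed to check a token's integrity.
 * Added example: JSON handling stays private, callers only see unchecked exceptions.
 */
public final class IntegrityCheckParameters {
    // Property names are an assumption; the PR does not show its JSON layout.
    private static final String AUDIENCE = "audience";
    private static final String ISSUER = "issuer";
    private static final String PUBLIC_KEY = "publicKey";

    private final String audience;
    private final String issuer;
    private final String publicKey;

    public IntegrityCheckParameters(final String audience, final String issuer, final String publicKey) {
        if (audience == null || issuer == null || publicKey == null) {
            throw new IllegalArgumentException("audience, issuer and publicKey must all be non-null");
        }
        this.audience = audience;
        this.issuer = issuer;
        this.publicKey = publicKey;
    }

    public String getAudience() { return audience; }
    public String getIssuer() { return issuer; }
    /** Base64 body of the realm's RSA public key, without PEM markers. */
    public String getPublicKey() { return publicKey; }

    /**
     * @return the parameters as a JSON object string
     * @throws IllegalStateException if the JSON library rejects a value; the constructor already
     *         rules out the null values that would cause this, so the checked exception is not propagated
     */
    public String serialize() {
        try {
            return new JSONObject()
                    .put(AUDIENCE, audience)
                    .put(ISSUER, issuer)
                    .put(PUBLIC_KEY, publicKey)
                    .toString();
        } catch (JSONException e) {
            throw new IllegalStateException("could not serialize integrity check parameters", e);
        }
    }

    /**
     * @param serializedParams a JSON object string with the audience, issuer and publicKey properties
     * @return the parsed parameters
     * @throws IllegalArgumentException if the input is null, is not a JSON object,
     *         or lacks one of the required properties
     */
    public static IntegrityCheckParameters deserialize(final String serializedParams) {
        if (serializedParams == null) {
            throw new IllegalArgumentException("serializedParams must not be null");
        }
        final JSONObject json;
        try {
            json = new JSONObject(serializedParams);
        } catch (JSONException e) {
            throw new IllegalArgumentException("serializedParams is not a JSON object", e);
        }
        return new IntegrityCheckParameters(
                requireString(json, AUDIENCE),
                requireString(json, ISSUER),
                requireString(json, PUBLIC_KEY));
    }

    // Names the missing property instead of surfacing org.json's generic failure.
    private static String requireString(final JSONObject json, final String name) {
        if (!json.has(name) || json.isNull(name)) {
            throw new IllegalArgumentException("missing required property \"" + name + "\"");
        }
        try {
            return json.getString(name);
        } catch (JSONException e) {
            throw new IllegalArgumentException("property \"" + name + "\" is not a string", e);
        }
    }
}
```

The constructor enforces non-null fields, so serialize() cannot actually hit its catch branch; it is kept so the JSON library's checked exception never reaches the method signature, which is the point the reviewer makes about not leaking JSONException.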
|
||
public OIDCCredentials() { | ||
this.authState = new AuthState(); | ||
public OIDCCredentials(final String serialisedCredential, final IIntegrityCheckParameters integrityCheckParameters) throws JSONException { |
Kill the JSONException. Add javadocs.
@ziccardi @secondsun Mind taking another look?
protected AuthServiceConfig getConfig() { | ||
return config; | ||
} | ||
public ServiceConfiguration getServiceConfig() { return this.serviceConfig; } |
Is ServiceConfiguration an immutable object? If it is not, different threads could change the content of the ServiceConfiguration object, thus changing the internal state of the Authenticator without any control by the latter, making it crash prone.
Not too familiar with any core stuff. @secondsun would you have an answer to this?
ServiceConfiguration is meant to be immutable. If it isn't then feel free to make it so.
Have made this change in a separate PR. Don't want this one to bloat much more. https://github.com/aerogear/aerogear-android-sdk/pull/24/files
|
||
public class IntegrityCheckParameters implements IIntegrityCheckParameters { | ||
|
||
private String issuer; |
Make these final
* @return <code>true</code> if the token integrity is good. | ||
*/ | ||
public boolean verifyToken(final String jwtToken) { | ||
final String issuer = integrityCheckParameters.getIssuer(); |
There is no added value in using variables to store the values here.
jwtPublicKey = utils.fromPemEncoded(constructedPublicKey); | ||
} catch (JoseException e) { | ||
Log.e(TAG, e.getMessage(), e); | ||
throw new RuntimeException(e); |
Please use a more specific exception. In this case, if the parameters are not correct, an IllegalArgumentException could be the right one.
} | ||
return jsonCredential.toString(); | ||
} catch(JSONException e) { | ||
throw new RuntimeException(e); |
See previous comment
final IntegrityCheckParameters icParams = IntegrityCheckParameters.deserialize(serializedIntegrityChecks); | ||
return new OIDCCredentials(serializedAuthState, icParams); | ||
} catch(JSONException e) { | ||
throw new RuntimeException(e); |
See previous comment
Force-pushed from cfd6483 to a8ea23c
Looking better, I found a stub method and most of my comments are minor doc and annotation tweaks.
auth/build.gradle
testImplementation 'org.mockito:mockito-core:2.10.0' | ||
testImplementation 'junit:junit:4.12' | ||
testImplementation "org.robolectric:robolectric:3.6.1" |
You'll need to rebase on master and add these dependencies to the aerogear-android-sdk-bom. @danielpassos Can show you how.
String getIssuer(); | ||
String getPublicKey(); | ||
boolean isValid(); | ||
String serialize(); |
Do you think JavaDocs are needed? The properties and things look self explanatory to me, but if there are any weirdnesses or edge cases to be aware of (like what does isValid check to validate) then I would want them added.
I think you're right about isValid requiring some docs here. For the others I don't think so, they're self explanatory I think.
import org.json.JSONException; | ||
import org.json.JSONObject; | ||
|
||
public class IntegrityCheckParameters implements IIntegrityCheckParameters { |
For the methods you implement you need to add the @Override annotation.
|
||
/** | ||
* Return json representation of the parameters | ||
* @return json string representation of parameters |
Add @throws to describe why the runtime exception may be thrown.
/** | ||
* Credentials for OIDC based authentication | ||
*/ | ||
public class OIDCCredentials implements ICredential { |
Add @Override where appropriate.
ICredential is just empty at the moment.
* @param serialisedCredential JSON string representation of the authState field produced by | ||
* {@link #deserialize(String)}. | ||
* @param integrityCheckParameters Integrity check parameters for the token. | ||
*/ |
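Review bot: the @param on the first line says the JSON string is produced by {@link #deserialize(String)}, but deserialize consumes that string; the producer is serialize(), so the link should point there, and the @throws for the runtime exception the constructor raises on bad input is still missing.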
Add @throws to describe the runtime exception to the javadoc
} | ||
} | ||
|
||
public static OIDCCredentials deserialize(final String serializedCredential) { |
javadocs.
* @throws AuthenticationException | ||
*/ | ||
public boolean renew() throws AuthenticationException { | ||
throw new IllegalStateException("Not yet implemented"); |
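Review bot: renew() declares throws AuthenticationException and its Javadoc documents that exception, but the body can only throw IllegalStateException("Not yet implemented"); if the stub stays in this PR, say so in the Javadoc and add @throws IllegalStateException, so a caller does not write a catch for an exception that never occurs and miss the one that does.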
Need implementation :)
Not sure why this is showing up as changed, but the renew was there before this PR and I think it's outside the scope of this PR. I think its implementation is kind of dependent on knowing how login will work.
} | ||
|
||
/** | ||
* Saves a token | ||
* @param authState token to be saved | ||
* @throws IllegalArgumentException |
Shouldn't this be illegal state exception?
Force-pushed from 7bae221 to b22559e
@secondsun Dependencies were added in this PR, waiting on a new release now. Have made a temporary commit that will fail so I don't forget.
Force-pushed from 42a2d13 to 33d9f97
private static final String STORE_NAME = "org.aerogear.android.auth.AuthState"; | ||
private static final String KEY_STATE = "state"; | ||
|
||
private final SharedPreferences prefs; | ||
|
||
public AuthStateManager(final Context context) { | ||
private AuthStateManager(final Context context) { |
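Review bot: a private constructor that takes a Context and feeds a static singleton means whatever Context is handed in first is held for the life of the process; obtain the prefs from context.getApplicationContext() inside the constructor so an Activity context passed by the first caller is never pinned.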
I'm not sure if singletons are supposed to have parameters? This way couldn't the singleton be instantiated multiple times, which defeats the purpose?
Private constructor and prefs is a final variable. In this case it isn't bad because the references set up aren't mutable. However I am generally -1 to static singletons because they have annoying behaviors when you are testing that you have to code around.
Force-pushed from 33d9f97 to 3abae5d
*/ | ||
public synchronized void clear() { | ||
if (!prefs.edit().remove(KEY_STATE).commit()) { | ||
throw new IllegalStateException("Failed to clear state from shared preferences"); | ||
} | ||
} | ||
|
||
public static AuthStateManager getInstance(final Context context) { |
@rachael-oregan To respond to this comment 260a5b3#r166298337 yeah I'm not sure the best way to approach this. I don't think providing a 'setter' of any kind is a good idea as then context could change if the setter is called multiple times. This can't be initialized multiple times but I can see the awkwardness of it.
This way context is bound to whatever is provided first, instead of being able to be set multiple times.
There's also the option of providing context on each function call I guess.
Perhaps @ziccardi or @secondsun have a more informed view on how to approach this.
@aidenkeating Just a proposal: we could add a bootstrap method with package level visibility. It could then be called from the bootstrap method of the AuthService. This way other classes will see only a getInstance with no parameters. WDYT?
@@ -75,7 +79,7 @@ public void setAuthenticatorChain(AuthenticationChain newChain) { | |||
public static synchronized AuthService getInstance() { | |||
if (INSTANCE == null) { | |||
// FIXME: load the configurations from core and pass it here | |||
INSTANCE = new AuthService(null); | |||
INSTANCE = new AuthService(); |
We should NOT be using singletons. References to services should be fetched through the mobile core and not plucked from the ether.
See https://github.com/aerogear/proposals/blob/master/android-sdk/README.md#referencing-a-service
Yeah I don't think this is used anyway, doesn't seem to be referenced anywhere. Must have been left over. Will remove
Force-pushed from 08467bd to 8456248
@secondsun @ziccardi Removed unused singleton stuff and updated the android sdk bom stuff. Tests have started to pass again.
Force-pushed from a67a626 to 252808c
@secondsun Would you mind taking a look? One question, we currently have the auth module typed as |
@aidenkeating Keycloak Service is a temporary one. It was to help us in the core PoC and is going to be removed.
@danielpassos @ziccardi @secondsun Would you mind taking a look? I think this is ready to merge.
Force-pushed from 252808c to 63ad9bb
Just a couple of comments
* @return <code>true</code> if user is authorized and token is not expired. | ||
*/ | ||
public boolean checkValidAuth() { | ||
return isAuthorized() && getNeedsRenewal(); |
Shouldn't it be return isAuthorized() && !getNeedsRenewal(); ?
@ziccardi @danielpassos Mind taking a look? Have moved the AuthStateManager out to the
* Authentication service singleton. | ||
*/ | ||
private static AuthService INSTANCE; | ||
public class AuthService implements ServiceModule { |
I presume this won't compile because it's not implementing the methods from ServiceModule, right? Also how is the AuthService object got now?
It is. Well CircleCI tests are passing. Jenkins is failing because the gradle daemon decided to go ahead and stop.
The ServiceModule interface has changed in this PR #22
Ah right cool, thanks for explaining
@wtrocki Would you mind taking a look? I think this is ready to merge. Don't want this PR to bloat too much more. Jenkins appears to be failing because of an internal issue.
Changes were applied
LGTM. Adjustments can be done at a later stage.
I have spent some time checking changes on local machine. Really good job @aidenkeating
I didn't have time to review it, I was about to start now but it's already merged. I didn't test it but I have 2 comments about this PR:
@danielpassos The package name was to address this comment #21 (comment) and this proposal https://github.com/aerogear/proposals/blob/master/sdks/SDK-naming.md#proposed-solution
Motivation
JIRA: https://issues.jboss.org/browse/AGDROID-686
Description
Function to Verify JWT Tokens (Access, Identity, Refresh) using a Keycloak Realm Public Key before they are used as part of client side access control decisions.
Provide the configuration from the JSON mobile configuration to the OIDCCredentials.
Tested successfully with both valid & tampered Access/Identity tokens. Identity Brokering originated tokens can also be validated.
Progress
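The verifier the Description above outlines, written the way the review comments in this thread ask for it, as an added example that is not the SDK's code from this PR: the PEM markers are constants, the realm public key is parsed once in the constructor, bad parameters surface as IllegalArgumentException, and the jose4j consumer is pinned to the expected issuer, audience, signing algorithm and a required expiry. The class and method names (JwtVerifier, verifyToClaims), the 30-second clock skew and the RS256-only restriction are my assumptions; the jose4j calls are the library's public API, and logging is left as a comment rather than tied to android.util.Log so the class compiles off-device.

```java
import java.security.PublicKey;
import java.security.spec.InvalidKeySpecException;

import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.jwa.AlgorithmConstraints.ConstraintType;
import org.jose4j.jws.AlgorithmIdentifiers;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.JwtConsumer;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.jose4j.keys.RsaKeyUtil;
import org.jose4j.lang.JoseException;

/**
 * Verifies Keycloak-issued JWTs (access, identity, refresh) against the realm's RSA public key
 * before their claims feed any client-side access control decision.
 * Added example; class and method names are assumptions, not the SDK's.
 */
public final class JwtVerifier {
    // Keycloak exposes the realm key as a bare base64 body; jose4j's PEM parser wants the markers.
    private static final String BEGIN_PUBLIC_KEY = "-----BEGIN PUBLIC KEY-----";
    private static final String END_PUBLIC_KEY = "-----END PUBLIC KEY-----";
    // Tolerance for clock drift between device and realm; the 30 seconds is an assumed value.
    private static final int ALLOWED_CLOCK_SKEW_SECONDS = 30;

    private final JwtConsumer consumer;

    /**
     * @param realmPublicKey base64 body of the realm's RSA public key, as shown in the Keycloak admin console
     * @param issuer         the realm URL every token must carry in its iss claim
     * @param audience       the client id every token must carry in its aud claim
     * @throws IllegalArgumentException if any parameter is null or the key is not a valid RSA public key
     */
    public JwtVerifier(final String realmPublicKey, final String issuer, final String audience) {
        if (realmPublicKey == null || issuer == null || audience == null) {
            throw new IllegalArgumentException("realmPublicKey, issuer and audience must all be non-null");
        }
        final PublicKey key;
        try {
            key = new RsaKeyUtil().fromPemEncoded(
                    BEGIN_PUBLIC_KEY + "\n" + realmPublicKey + "\n" + END_PUBLIC_KEY);
        } catch (JoseException | InvalidKeySpecException e) {
            throw new IllegalArgumentException("realmPublicKey is not a valid base64 RSA public key", e);
        }
        this.consumer = new JwtConsumerBuilder()
                .setRequireExpirationTime()                      // a token without exp is rejected
                .setAllowedClockSkewInSeconds(ALLOWED_CLOCK_SKEW_SECONDS)
                .setRequireSubject()                             // sub is what authorization keys on
                .setExpectedIssuer(issuer)                       // iss must be this realm
                .setExpectedAudience(audience)                   // aud must name this client
                .setVerificationKey(key)                         // signature checked with the realm key
                .setJwsAlgorithmConstraints(new AlgorithmConstraints(
                        ConstraintType.WHITELIST, AlgorithmIdentifiers.RSA_USING_SHA256)) // RS256 only
                .build();
    }

    /**
     * @return true if the token's signature, issuer, audience and lifetime all check out
     */
    public boolean verifyToken(final String jwtToken) {
        return verifyToClaims(jwtToken) != null;
    }

    /**
     * @return the validated claims, or null if the token is absent or fails any check;
     *         callers should use these claims rather than re-parsing the raw token
     */
    public JwtClaims verifyToClaims(final String jwtToken) {
        if (jwtToken == null) {
            return null;
        }
        try {
            return consumer.processToClaims(jwtToken);
        } catch (InvalidJwtException e) {
            // Log the failure at debug level through the platform logger (android.util.Log on Android);
            // the message states why the token was rejected, so keep it out of release logs.
            return null;
        }
    }
}
```

Building the consumer once in the constructor, rather than per call as the diff in this thread does, also means a malformed key is reported where the configuration is loaded instead of on the first token check.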