Minor access token jwt fixes #4333
Conversation
….getID() - remove unused bean oauthAccessTokenResponseGenerator - pass encodedAccessToken to the id token generator service since running encoder twice will result in different strings if jwt (ZonedDateTime.now())
…kenJwtBuilder in /register oidc.
… easily get it out in OidcAccessTokenResponseGenerator. Instead make encoder use a fixed date
Codecov Report
@@            Coverage Diff             @@
##             master    #4333       +/-   ##
=============================================
- Coverage     37.79%   11.58%   -26.22%
+ Complexity     4560     1642     -2918
=============================================
  Files          1666     1667        +1
  Lines         37008    37012        +4
  Branches       3417     3416        -1
=============================================
- Hits          13987     4287     -9700
- Misses        21601    32280    +10679
+ Partials       1420      445      -975
Continue to review full report at Codecov.
support/cas-server-support-oauth/src/main/java/org/apereo/cas/config/CasOAuthConfiguration.java
LGTM. Tests however seem to be failing:
@mmoayyed thanks for the review. The test fails but now with the hashes being different. I think it's because the access token is encoded with encryption so the hash will be different every time we encode because of the nonce. Not sure how to get around this apart from passing the
Thank you. I understand. As you point out, there is quite a bit involved and we are pretty close to the final release date. I wonder if this is low-impact enough that we might be able to punt to the next release?
I take that back :) The date is set to be next Friday, and there should be plenty of time to review and make fixes to small measures. Thank you for taking care of this as much as you have. I'll set aside some time to review more thoroughly this week.
The verifyAccessTokenAsJwt() test is still failing for me (on my PR branch but also on master). Was it fixed?
Not yet. I am working on it and should have it done by end of day. Changes are a bit more extensive than what I had hoped. @charlibot, other than the user info endpoints for oauth and oidc, are there any other areas you can think of where the encoded access token is passed that would need to be decoded and extracted?
@mmoayyed I just did a quick search for
Thanks. Will probably have something semi-functional towards the weekend.
Work is almost finalized with a whole batch of tests covering this bit. SNAPSHOTs published next week should start to support this. |
Found a couple more places where we should return the encodedAccessToken instead of the ID. I'm not 100% sure about the UmaAuthorizationRequestEndpointController though so let me know if I should remove this part. Also, the encoded access token is different for each encode since OAuth20JwtAccessTokenEncoder uses ZonedDateTime.now(). This means the client checking the hash may see different results. I opted to pass the encoded access token to generateAccessTokenHash to avoid this. This is now replaced with authentication.getAuthenticationDate().
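The failure the thread describes is easy to reproduce outside CAS: if the access token is encoded once for the at_hash claim in the ID token and again for the token response, and each encoding reads now(), the client recomputes at_hash over a token string the server never hashed. The following is an added example, not code from this pull request or from the CAS code base. It uses a constructed, unsigned JWT-style encoder (encode_access_token), a constructed token id, and constructed clock values; the at_hash computation follows OpenID Connect Core 3.1.3.6 for a SHA-256 signature, and the two server-side functions (issue_with_now, issue_with_auth_date) are hypothetical stand-ins for the before and after behaviour discussed above.

```python
import base64
import hashlib
import json

# Constructed stand-in, not CAS code: a tiny JWT-style access-token encoder
# that stamps an issue time into the payload, plus the at_hash computation and
# the check an OIDC client performs on the ID token it receives.


def _b64url(data: bytes) -> str:
    """base64url without padding, as used for JWT segments and for at_hash."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def encode_access_token(token_id: str, issued_at: int) -> str:
    """Hypothetical encoder. Unsigned (alg=none) so the example runs offline;
    the only point is that 'iat' comes from whatever clock value is passed in."""
    header = {"alg": "none", "typ": "JWT"}
    payload = {"jti": token_id, "sub": "casuser", "iat": issued_at}

    def seg(obj) -> str:
        return _b64url(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode("ascii"))

    return f"{seg(header)}.{seg(payload)}."


def access_token_hash(encoded_access_token: str) -> str:
    """at_hash as OpenID Connect Core 3.1.3.6 defines it for a SHA-256 ID token
    signature: base64url of the left-most 128 bits of SHA-256 over the token's
    ASCII representation."""
    digest = hashlib.sha256(encoded_access_token.encode("ascii")).digest()
    return _b64url(digest[:16])


def client_check(at_hash_claim: str, access_token_received: str) -> bool:
    """Client side: recompute at_hash over the access token actually received
    and compare it with the claim carried in the ID token."""
    return access_token_hash(access_token_received) == at_hash_claim


def issue_with_now(token_id: str, clock_values: list) -> tuple:
    """Server path where the ID-token generator and the token response each
    encode the access token on their own, each reading now() (simulated by
    consuming successive clock values). Returns (at_hash claim, token sent)."""
    at_hash_claim = access_token_hash(encode_access_token(token_id, clock_values.pop(0)))
    token_sent = encode_access_token(token_id, clock_values.pop(0))
    return at_hash_claim, token_sent


def issue_with_auth_date(token_id: str, authentication_date: int) -> tuple:
    """Server path where both encodings are stamped with the authentication
    date, a value fixed for the session, so they produce the same string."""
    at_hash_claim = access_token_hash(encode_access_token(token_id, authentication_date))
    token_sent = encode_access_token(token_id, authentication_date)
    return at_hash_claim, token_sent


if __name__ == "__main__":
    # Constructed clock values one second apart, mimicking two now() reads.
    claim, token = issue_with_now("AT-1-constructed", [1600000000, 1600000001])
    print("now() in both encodings, client check passes:", client_check(claim, token))
    claim, token = issue_with_auth_date("AT-1-constructed", 1600000000)
    print("authentication date in both, client check passes:", client_check(claim, token))
```

Fixing the date only removes the timestamp as a source of difference. As the thread also notes, an encrypted token carries a fresh nonce per encoding and will still differ, which is why the first commit message takes the other route as well: hand the already encoded access token to the ID token generator so the string is encoded once and hashed as sent.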