Improved OIDC compliance by lbalmaceda · Pull Request #43 · auth0/auth0-java-mvc-common

lbalmaceda · 2019-10-22T21:27:10Z

Changes

This update improves the SDK support for OpenID Connect. In particular, it modifies the sign in verification phase by substituting backchannel based checks with id_token validation where possible.

Testing

Please describe how this can be tested by reviewers. Be specific about anything not tested and reasons why. If this library has unit and/or integration testing, tests should be added for new functionality and existing tests should complete without errors.

This change adds test coverage
This change has been tested on the latest version of Java or why not

Checklist

I have read the Auth0 general contribution guidelines
I have read the Auth0 Code of Conduct
All existing and new tests complete without errors

joshcanhelp

Adding as a comment so I'm not a blocker. Feel free to resolve any questions I'm asking that are handled (no need for an explanation, I'll assume "yes, that's fine").

In general, I would suggest moving anything in the RequestProcessor that's not specific to the ID token validation into a new PR.

Co-Authored-By: Josh Cunningham <josh.cunningham@auth0.com>

lbalmaceda · 2019-10-25T20:54:48Z

LGTM!

joshcanhelp

🎉 🎉 🎉

gkwang

Small nit, but otherwise lgtm.

lbalmaceda and others added 13 commits October 10, 2019 17:55

pp improving the oidc conformance

e40d4a2

add tests for the AuthenticationController and RequestProcessor

c13deb2

Add tests for signature verification and claims checks

3ef44d5

remove unnecessary tests

924c04c

add missing tests

ada6b43

add max_age and fix exception types

97d1ec7

fix exception handling

b085309

update readme and docs

81365d3

add signature verifier implementation that skips signature check

a33a39c

address todos

a148226

more todo fixes - do not need to set timeZone for calendar

95f5ba3

improve compatibility by skipping signature check on code flows

c4568eb

run inspections

2ba222d

lbalmaceda added the large Large review label Oct 22, 2019

lbalmaceda added this to the v1-Next milestone Oct 22, 2019

lbalmaceda requested a review from a team October 22, 2019 21:27

lbalmaceda added the CH: Security label Oct 22, 2019

small cleanups

f8a60f4

joshcanhelp reviewed Oct 23, 2019

View reviewed changes

jimmyjames and others added 7 commits October 24, 2019 07:09

Add more tests for IdTokenVerifier

39aaf2c

Add test for jwk key retrieval failure

37f03c0

don't try to use refresh token on front channel, add tests

754a789

Update README.md

e540e40

Co-Authored-By: Josh Cunningham <josh.cunningham@auth0.com>

Update README.md

9240311

Co-Authored-By: Josh Cunningham <josh.cunningham@auth0.com>

Modify exception messages per review feeeback

666c9f5

README updates

148279c

lbalmaceda commented Oct 25, 2019

View reviewed changes

Comment thread README.md Outdated

Comment thread README.md Outdated

lbalmaceda and others added 3 commits October 25, 2019 15:08

rename leeway references to clock-skew

653a7fc

Update src/main/java/com/auth0/AuthenticationController.java

4b1dae9

Co-Authored-By: Josh Cunningham <josh.cunningham@auth0.com>

Update src/main/java/com/auth0/AuthenticationController.java

1dc1780

Co-Authored-By: Josh Cunningham <josh.cunningham@auth0.com>

jimmyjames and others added 5 commits October 25, 2019 13:39

Update src/main/java/com/auth0/AuthenticationController.java

8281ed9

Co-Authored-By: Josh Cunningham <josh.cunningham@auth0.com>

chore PR comments

006a59a

chore jim comments

7328b06

Apply suggestions from code review

58d553a

Co-Authored-By: Josh Cunningham <josh.cunningham@auth0.com>

Updated exception messages per review feedback

81e45b0

joshcanhelp reviewed Oct 25, 2019

View reviewed changes

Comment thread README.md

Initialize issuer from domain before sending to verification options

2ee06e4

joshcanhelp approved these changes Oct 25, 2019

View reviewed changes

Merge branch 'master' into oidc-improves

0ccdce7