
modified scope validator to not reply with all possible scopes for client when an invalid scope is submitted, added unit test for DefaultScopeValidator.java #51

Closed

Our security team recommended this change, to minimize potential for information leakage.

Igor von Nyssen modified scope validator to not reply with all possible scopes for client when an invalid scope is submitted, added unit test for DefaultScopeValidator.java
c6cf432
Owner

dsyer commented Oct 2, 2012

Please can you fill out the contributor's agreement (link in README)? Apologies if you already did it - I just need the confirmation number if you have it or want to do it again. Per the README it is good to have a JIRA ticket and a commit log that starts with the JIRA ID.

I see the dilemma. When creating a token I would want the response to be less verbose, but when using the token against a resource server more information would be helpful and compliant with the spec. I'll rework it. I'm also tracking down a contributor agreement for Sony Network Entertainment.

Owner

dsyer commented Oct 11, 2012

I'm waiting for a contributor's agreement (apologies if you already did it) before we can really look at the patch. Also the ParametersValidator interface was merged into AuthorizationRequestManager for RC3, so you'll have to re-work it into the new framework. Please rebase onto master when you are done.

@dsyer dsyer added a commit that referenced this pull request Apr 12, 2013

@dsyer dsyer [gh-51]: added flag to DefaultAuthorizationRequestManager to hide valid scopes by default from client
88dea7e
Owner

dsyer commented Apr 12, 2013

I finally came round to your point of view (I was mistaking the use case for resource access, which is handled separately anyway). I added a flag to DefaultAuthorizationRequestFactory, with the default behaviour to not reveal the valid scopes. (See commit 88dea7e)
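As an added illustration of the behaviour settled on above (this is not code from spring-security-oauth; the class, flag and method names are hypothetical), a scope check that by default reports only the rejected scope, and only lists the client's registered scopes when explicitly configured to do so:

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.Set;

// Hypothetical stand-in for a scope validator; not the project's DefaultScopeValidator.
public final class ScopeCheck {

    /** Thrown when a requested scope is not registered for the client. */
    public static final class InvalidScopeException extends RuntimeException {
        InvalidScopeException(String message) { super(message); }
    }

    // Flag mirroring the thread's outcome: valid scopes are hidden unless revealValidScopes is set.
    private final boolean revealValidScopes;

    public ScopeCheck(boolean revealValidScopes) { this.revealValidScopes = revealValidScopes; }

    public ScopeCheck() { this(false); }   // default: do not disclose the client's scope list

    /** Returns the accepted scopes, or throws if any requested scope is not registered for the client. */
    public Set<String> validate(Set<String> requested, Set<String> registeredForClient) {
        Set<String> unknown = new LinkedHashSet<>(requested);
        unknown.removeAll(registeredForClient);
        if (unknown.isEmpty()) {
            return Collections.unmodifiableSet(new LinkedHashSet<>(requested));
        }
        // The verbose message hands the client's full scope list to whoever sent the bad request;
        // the terse message names only what was rejected, which is what the PR asked for.
        String message = revealValidScopes
            ? "Invalid scope: " + unknown + ", valid scopes are: " + registeredForClient
            : "Invalid scope: " + unknown;
        throw new InvalidScopeException(message);
    }

    public static void main(String[] args) {
        // Constructed sample data: a client registered for three scopes requesting one it does not have.
        Set<String> registered = new LinkedHashSet<>(Arrays.asList("read", "write", "admin"));
        Set<String> requested = new LinkedHashSet<>(Arrays.asList("read", "delete"));
        for (boolean reveal : new boolean[] {false, true}) {
            try {
                new ScopeCheck(reveal).validate(requested, registered);
            } catch (InvalidScopeException e) {
                System.out.println("revealValidScopes=" + reveal + " -> " + e.getMessage());
            }
        }
    }
}
```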

@dsyer dsyer closed this Apr 12, 2013
