-
Notifications
You must be signed in to change notification settings - Fork 721
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update playground app to support ID Token encryption #2313
Conversation
|
||
ServletOutputStream out = response.getOutputStream(); | ||
|
||
if (idToken.equals("") || privateKeyString.equals("")) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
When the id_token is empty this will return "Client private key cannot be empty!".
Better to do separate checks or change the error message to say "Client private key and id_token cannot be empty!"
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'll do separate checks.
json.put(entry.getKey(), entry.getValue()); | ||
} | ||
|
||
out.print(json.toString()); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Here we are sending the payload of the JWT.
What about the JWT header? Shouldn't we display it as well?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I guess we can. But the header comes as an object. We'll have to build a JSON with info we need to display.
try { | ||
name = SignedJWT.parse(idToken).getJWTClaimsSet().getSubject(); | ||
} catch (Exception e) { | ||
//ignore |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Shouldn't we at least log the exception?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This was already there before me. What should be the best way? Can we log them since this is a jsp?
|
||
jwt.decrypt(decrypter); | ||
|
||
return jwt; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In this method, actually what is happening is returning a decrypted jwt.
But the return type is set to 'EncryptedJWT'. What is actually happening(decrypting) and the retrun value(Encrypted) seems contradictory.
Can you please explain this behavior? or can we fix it properly to match the flow.
@@ -307,24 +459,24 @@ | |||
|
|||
<tr> | |||
<td><label>Client Id : </label></td> | |||
<td><input type="text" id="consumerKey" name="consumerKey" value="<%=consumerKey%>" style="width:350px"></td> | |||
<td><input type="text" id="consumerKey" name="consumerKey" value="<%=consumerKey%>" style="width:450px"></td> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
shall we use Encode.forHtmlAttribute(consumerKey)?
@@ -440,21 +592,21 @@ | |||
</tr> | |||
<tr> | |||
<td>Callback URL :</td> | |||
<td><input type="text" id="callbackurl" name="callbackurl" value="<%=callbackUrl%>" style="width:350px"></td> | |||
<td><input type="text" id="callbackurl" name="callbackurl" value="<%=callbackUrl%>" style="width:450px"></td> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lets use Encode.forHtmlAttribute(callbackUrl) to prevent possible XSS attacks
</tr> | ||
<tr> | ||
<td>Access Token Endpoint :</td> | ||
<td><input type="text" id="accessEndpoint" name="accessEndpoint" value="<%=accessTokenEndpoint%>" style="width:350px"></td> | ||
<td><input type="text" id="accessEndpoint" name="accessEndpoint" value="<%=accessTokenEndpoint%>" style="width:450px"></td> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
shall we use Encode.forHtmlAttribute()?
</tr> | ||
<tr> | ||
<td><label>Client Secret : </label></td> | ||
<td><input type="password" id="consumerSecret" name="consumerSecret" value="<%=consumerSecret%>" style="width:350px"> | ||
<td><input type="password" id="consumerSecret" name="consumerSecret" value="<%=consumerSecret%>" style="width:450px"> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Lets enncode the input to prevent security threats.
Proposed changes in this pull request
In reference to wso2/product-is#2336
When should this PR be merged
No dependencies. We can merge this ASAP.
Follow up actions
N/A
Checklist (for reviewing)
General
Functionality
Code
Tests
Security
Documentation