Skip to content

ID Token validation#203

Closed
arvindsinghtomar wants to merge 12 commits into
openid:masterfrom
GluuFederation:master
Closed

ID Token validation#203
arvindsinghtomar wants to merge 12 commits into
openid:masterfrom
GluuFederation:master

Conversation

@arvindsinghtomar

Copy link
Copy Markdown
Contributor

No description provided.

@codecov-io

codecov-io commented Mar 22, 2017

Copy link
Copy Markdown

Codecov Report

Merging #203 into master will decrease coverage by 5.37%.
The diff coverage is 0%.

Impacted file tree graph

@@             Coverage Diff              @@
##             master     #203      +/-   ##
============================================
- Coverage     81.99%   76.62%   -5.38%     
+ Complexity      461      436      -25     
============================================
  Files            41       41              
  Lines          2227     2237      +10     
  Branches        215      216       +1     
============================================
- Hits           1826     1714     -112     
- Misses          318      444     +126     
+ Partials         83       79       -4
Impacted Files Coverage Δ Complexity Δ
library/java/net/openid/appauth/Utils.java 64.7% <0%> (-19.91%) 4 <0> (ø)
.../java/net/openid/appauth/AuthorizationService.java 56.85% <0%> (-18.65%) 11 <0> (-3)
library/java/net/openid/appauth/TokenResponse.java 68.29% <0%> (-24.74%) 3% <0%> (-4%)
library/java/net/openid/appauth/TokenRequest.java 66.66% <0%> (-20.38%) 6% <0%> (-2%)
...rary/java/net/openid/appauth/CodeVerifierUtil.java 58.62% <0%> (-6.9%) 8% <0%> (-2%)
.../java/net/openid/appauth/RegistrationResponse.java 86.95% <0%> (-4.22%) 8% <0%> (-1%)
...penid/appauth/AuthorizationManagementActivity.java 81.92% <0%> (-1.22%) 18% <0%> (-3%)
library/java/net/openid/appauth/AuthState.java 71.57% <0%> (ø) 78% <0%> (ø) ⬇️
...java/net/openid/appauth/AuthorizationResponse.java 77.11% <0%> (ø) 10% <0%> (ø) ⬇️
... and 8 more

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update c640288...6aafff5. Read the comment docs.

@nynymike

Copy link
Copy Markdown

Hi guys. Please let Arvind know if there is anything we can do to get this right.

public static String decodeBase64urlNoPadding(String strEncoded)
throws UnsupportedEncodingException {
if (strEncoded != null) {
byte[] decodedBytes = Base64.decode(strEncoded, Base64.NO_PADDING);

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm pretty sure you need URL_SAFE too.

@iainmcgin

Copy link
Copy Markdown
Member

Just so you know I'm not ignoring this: I'll try and review thoroughly on Monday.

@iainmcgin iainmcgin left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry for the very long poll on the review; I've been stretched very thin lately.

mClientConfiguration.getConnectionBuilder()
.openConnection(uri);
conn.setRequestMethod("GET");
//conn.setDoOutput(true);

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

if these commented out code sections are not needed, just remove them.

//conn.setDoOutput(true);

is = new BufferedInputStream(conn.getInputStream());
// readStream(in);

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same as above: remove if not needed.

JSONObject requiredJson = null;

try {
String[] split = mResponse.idToken.split("\\.");

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Validate that there are exactly three sections before proceeding.

return;
}

Calendar calendar = Calendar.getInstance();

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm also not convinced that you're gaining much from calendar beyond directly using the exp value. Code can probably just be:

long expirationTime = Long.parseLong(jsonObjectBody.getString("exp") * 1000L;
if (expirationTime > mClock.getCurrentTimeMillis()) { ... } else { ... }

@arvindsinghtomar

arvindsinghtomar commented Jul 20, 2017

Copy link
Copy Markdown
Contributor Author

@iainmcgin I have done changes you suggested in comment

@iainmcgin

Copy link
Copy Markdown
Member

Looks like you still have checkstyle warnings - please run ./gradlew checkand ensure that this builds successfully. Also, you could separate your README change for Gluu into a separate pull request, as it is generally unrelated to the rest of this change.

@ravibhojwani

Copy link
Copy Markdown

Aeternity are working some magic

arvindsinghtomar and others added 3 commits September 18, 2017 14:12
# Conflicts:
#	library/java/net/openid/appauth/AuthorizationService.java
# Conflicts:
#	library/java/net/openid/appauth/AuthorizationService.java
@arvindsinghtomar

Copy link
Copy Markdown
Contributor Author

@iainmcgin Now I have updated with the latest code, completed ./gradlew check and removed readme-gluu.md for now. Please review it.

@arvindsinghtomar

Copy link
Copy Markdown
Contributor Author

@iainmcgin please review my PR

@iainmcgin

Copy link
Copy Markdown
Member

Apologies, I've not had time to take a look yet.

@nynymike

Copy link
Copy Markdown

Thanks Iain! We really want to publish the Gluu README!

@iainmcgin

Copy link
Copy Markdown
Member

Closing as #385 provides our preferred approach to ID token structure validation, without the signature verification. We have decided against signature verification within the core library as it isn't required for tokens acquired through an authorization code flow.

@iainmcgin iainmcgin closed this Aug 7, 2018
@nynymike

nynymike commented Aug 8, 2018

Copy link
Copy Markdown

Nice! That makes sense, it's easier to see if the TLS certificate cn matches the iss. You can still validate the signature, which might be good for higher assurance use cases.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

6 participants