ID Token validation#203
Conversation
Codecov Report
@@ Coverage Diff @@
## master #203 +/- ##
============================================
- Coverage 81.99% 76.62% -5.38%
+ Complexity 461 436 -25
============================================
Files 41 41
Lines 2227 2237 +10
Branches 215 216 +1
============================================
- Hits 1826 1714 -112
- Misses 318 444 +126
+ Partials 83 79 -4
Continue to review full report at Codecov.
|
|
Hi guys. Please let Arvind know if there is anything we can do to get this right. |
| public static String decodeBase64urlNoPadding(String strEncoded) | ||
| throws UnsupportedEncodingException { | ||
| if (strEncoded != null) { | ||
| byte[] decodedBytes = Base64.decode(strEncoded, Base64.NO_PADDING); |
There was a problem hiding this comment.
I'm pretty sure you need URL_SAFE too.
|
Just so you know I'm not ignoring this: I'll try and review thoroughly on Monday. |
iainmcgin
left a comment
There was a problem hiding this comment.
Sorry for the very long poll on the review; I've been stretched very thin lately.
| mClientConfiguration.getConnectionBuilder() | ||
| .openConnection(uri); | ||
| conn.setRequestMethod("GET"); | ||
| //conn.setDoOutput(true); |
There was a problem hiding this comment.
if these commented out code sections are not needed, just remove them.
| //conn.setDoOutput(true); | ||
|
|
||
| is = new BufferedInputStream(conn.getInputStream()); | ||
| // readStream(in); |
There was a problem hiding this comment.
Same as above: remove if not needed.
| JSONObject requiredJson = null; | ||
|
|
||
| try { | ||
| String[] split = mResponse.idToken.split("\\."); |
There was a problem hiding this comment.
Validate that there are exactly three sections before proceeding.
| return; | ||
| } | ||
|
|
||
| Calendar calendar = Calendar.getInstance(); |
There was a problem hiding this comment.
I'm also not convinced that you're gaining much from calendar beyond directly using the exp value. Code can probably just be:
long expirationTime = Long.parseLong(jsonObjectBody.getString("exp") * 1000L;
if (expirationTime > mClock.getCurrentTimeMillis()) { ... } else { ... }|
@iainmcgin I have done changes you suggested in comment |
|
Looks like you still have checkstyle warnings - please run |
|
Aeternity are working some magic |
# Conflicts: # library/java/net/openid/appauth/AuthorizationService.java
# Conflicts: # library/java/net/openid/appauth/AuthorizationService.java
|
@iainmcgin Now I have updated with the latest code, completed ./gradlew check and removed readme-gluu.md for now. Please review it. |
|
@iainmcgin please review my PR |
|
Apologies, I've not had time to take a look yet. |
|
Thanks Iain! We really want to publish the Gluu README! |
|
Closing as #385 provides our preferred approach to ID token structure validation, without the signature verification. We have decided against signature verification within the core library as it isn't required for tokens acquired through an authorization code flow. |
|
Nice! That makes sense, it's easier to see if the TLS certificate |
No description provided.