-
Notifications
You must be signed in to change notification settings - Fork 1k
Implement ID Token validation according to OIDC spec #385
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merged
iainmcgin
merged 13 commits into
openid:master
from
oyvindrobertsen:idtoken-verification
Aug 10, 2018
Merged
Changes from all commits
Commits
Show all changes
13 commits
Select commit
Hold shift + click to select a range
06a3d1c
fix: move google() to top of repositories list
ad64a89
feat: Add nonce to AuthorizationRequest
c73985a
feat: include nonce when serializing AuthorizationRequests
9f117d4
feat: parse and validate ID Token on TokenResponse
a8503d2
fix: bugs in ID Token validation
fbb274b
fix: lint errors
90e1ac4
test: add test for token request with nonce checking
063e51c
chore: minor changes to comments according to PR feedback
9d9cf74
fix: correct test for nonce validation, improve test for ID Token par…
91dc403
test: better coverage for ID Token parsing
169e3d6
chore: remove unused verifyNonce method
8c2fa9d
kaizen: move validation logic to IdToken class
78a5d40
Revert unintentional copyright year bump
oyvindrobertsen File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -34,6 +34,7 @@ | |
| import net.openid.appauth.AuthorizationException.RegistrationRequestErrors; | ||
| import net.openid.appauth.AuthorizationException.TokenRequestErrors; | ||
|
|
||
| import net.openid.appauth.IdToken.IdTokenException; | ||
| import net.openid.appauth.browser.BrowserDescriptor; | ||
| import net.openid.appauth.browser.BrowserSelector; | ||
| import net.openid.appauth.browser.CustomTabManager; | ||
|
|
@@ -315,6 +316,7 @@ public void performTokenRequest( | |
| request, | ||
| clientAuthentication, | ||
| mClientConfiguration.getConnectionBuilder(), | ||
| SystemClock.INSTANCE, | ||
| callback) | ||
| .execute(); | ||
| } | ||
|
|
@@ -386,20 +388,24 @@ private Intent prepareAuthorizationRequestIntent( | |
|
|
||
| private static class TokenRequestTask | ||
| extends AsyncTask<Void, Void, JSONObject> { | ||
|
|
||
| private TokenRequest mRequest; | ||
| private ClientAuthentication mClientAuthentication; | ||
| private final ConnectionBuilder mConnectionBuilder; | ||
| private TokenResponseCallback mCallback; | ||
| private Clock mClock; | ||
|
|
||
| private AuthorizationException mException; | ||
|
|
||
| TokenRequestTask(TokenRequest request, | ||
| @NonNull ClientAuthentication clientAuthentication, | ||
| @NonNull ConnectionBuilder connectionBuilder, | ||
| Clock clock, | ||
| TokenResponseCallback callback) { | ||
| mRequest = request; | ||
| mClientAuthentication = clientAuthentication; | ||
| mConnectionBuilder = connectionBuilder; | ||
| mClock = clock; | ||
| mCallback = callback; | ||
| } | ||
|
|
||
|
|
@@ -495,6 +501,25 @@ protected void onPostExecute(JSONObject json) { | |
| return; | ||
| } | ||
|
|
||
| if (response.idToken != null) { | ||
| IdToken idToken; | ||
|
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Could you move all of this validation logic in a utility method within the IdToken class? I think that will help to keep all of the parsing and validation logic in one place. |
||
| try { | ||
| idToken = IdToken.from(response.idToken); | ||
| } catch (IdTokenException | JSONException ex) { | ||
| mCallback.onTokenRequestCompleted(null, | ||
| AuthorizationException.fromTemplate( | ||
| GeneralErrors.ID_TOKEN_PARSING_ERROR, | ||
| ex)); | ||
| return; | ||
| } | ||
|
|
||
| try { | ||
| idToken.validate(mRequest, mClock); | ||
| } catch (AuthorizationException ex) { | ||
| mCallback.onTokenRequestCompleted(null, ex); | ||
| return; | ||
| } | ||
| } | ||
| Logger.debug("Token exchange with %s completed", | ||
| mRequest.configuration.tokenEndpoint); | ||
| mCallback.onTokenRequestCompleted(response, null); | ||
|
|
||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This one is weird. From a fresh clone of the repo, I was unable to get the project to build (either through
./gradlew assembleor through Android Studio, both with the same error message:It looks like gradle doesn't move on to the next repos in the list after not finding the package on jcenter. Moving the google repo first fixes the issue. This may be a problem with my environment, and if it is, this commit can be removed from the PR, but I wanted to include it just to potentially figure out what the issue is.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What OS are you building on? I've seen some build issues recently that are platform-specific; so much for Gradle hiding platform details. The build definitions for AppAuth are starting to show their age, I should really take some time to overhaul them.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
MacOS.
FWIW, I've had to order repositories in the same way in the application where I'm using AppAuth.