cxf-dev mailing list archives

From Sergey Beryozkin <sberyoz...@gmail.com>
Subject Re: org.apache.cxf.rs.security.oauth2.provider.JoseSessionTokenProvider#decryptStateString decoded?
Date Mon, 16 Jan 2017 12:01:38 GMT
Just fixed it

Thanks, Sergey
On 13/01/17 22:04, Romain Manni-Bucau wrote:
> Pushed this fix in meecrowave oauth2. Happy to remove this hack with 3.1.10
> ;)
>
>
> On 13 Jan 2017 21:13, "Sergey Beryozkin" <sberyozkin@gmail.com> wrote:
>
>> Hi Romain
>>
>> I recall I was experimenting with this provider a while back (as part of
>> our internal demo, at the RP side), and it worked. But it has been a while
>> since I looked at it.
>>
>> The actual JwsUtils returns in this case a validated JWS sequence
>> (headers+payload).
>>
>> Oh, I see, that is a different provider, I was referring to the one used on
>> the RP side, and you to the session authenticity one. Might be a bug, will
>> check on Mon
>>
>> Thanks, Sergey
>> On 13/01/17 18:11, Romain Manni-Bucau wrote:
>>
>>> In the mentioned method we have:
>>>
>>> stateString = JwsUtils.verify(jws, stateString).getUnsignedEncodedSequence();
>>>
>>>
>>> should we get:
>>>
>>> stateString = JwsUtils.verify(jws, stateString).getDecodedJwsPayload();
>>>
>>>
>>> ?
>>>
>>> Otherwise I don't see how the round trip can work
>>>
>>> Romain Manni-Bucau
>>> @rmannibucau <https://twitter.com/rmannibucau> | Blog <https://blog-rmannibucau.rhcloud.com> |
>>> Old Blog <http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
>>> LinkedIn <https://www.linkedin.com/in/rmannibucau> | JavaEE Factory <https://javaeefactory-rmannibucau.rhcloud.com>
>>>
>>>
>>
>> --
>> Sergey Beryozkin
>>
>> Talend Community Coders
>> http://coders.talend.com/
>>
>


-- 
Sergey Beryozkin

Talend Community Coders
http://coders.talend.com/
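
The round-trip problem raised in this thread, as an added example that is not code from the thread or from CXF: a stdlib-only Python stand-in for a compact JWS (HS256) showing that, after verification, the unsigned encoded sequence is still `base64url(header).base64url(payload)` while only the decoded payload equals the original state string. All names (`sign_state`, `verify`, `VerifiedJws`, `KEY`, `STATE`) and the sample values are assumptions constructed for illustration.

```python
import base64, hashlib, hmac, json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_state(key: bytes, state: str) -> str:
    """Wrap the state string as the payload of a compact JWS (HS256)."""
    header = b64url(json.dumps({"alg": "HS256"}, separators=(",", ":")).encode())
    signing_input = header + "." + b64url(state.encode("utf-8"))
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(mac)

class VerifiedJws:
    """Parts of a compact JWS whose signature has already been checked."""
    def __init__(self, header_b64: str, payload_b64: str):
        self.header_b64, self.payload_b64 = header_b64, payload_b64

    def unsigned_encoded_sequence(self) -> str:
        # base64url(header) + "." + base64url(payload): the signing input.
        return self.header_b64 + "." + self.payload_b64

    def decoded_payload(self) -> str:
        # The original content that was signed.
        return b64url_decode(self.payload_b64).decode("utf-8")

def verify(key: bytes, compact: str) -> VerifiedJws:
    parts = compact.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm on the verifier side
    expected = hmac.new(key, (header_b64 + "." + payload_b64).encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return VerifiedJws(header_b64, payload_b64)

KEY = b"constructed-demo-key-not-for-real-use"    # constructed sample key
STATE = '{"sub":"alice","created":1484300000}'    # constructed sample state

def roundtrip_sequence(state: str = STATE) -> str:
    return verify(KEY, sign_state(KEY, state)).unsigned_encoded_sequence()

def roundtrip_payload(state: str = STATE) -> str:
    return verify(KEY, sign_state(KEY, state)).decoded_payload()
```

A caller that parses the result of `roundtrip_sequence()` as the session state receives two base64url segments joined by a dot instead of the state it stored.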
