cxf-dev mailing list archives

From Sergey Beryozkin <sberyoz...@gmail.com>
Subject Re: org.apache.cxf.rs.security.oauth2.provider.JoseSessionTokenProvider#decryptStateString decoded?
Date Fri, 13 Jan 2017 20:13:27 GMT
Hi Romain

I recall I was experimenting with this provider a while back (as part of 
our internal demo, at the RP side), and it worked. But it has been a while 
since I looked at it.

The actual JwsUtils returns in this case a validated JWS sequence 
(headers+payload).

Oh, I see, that is a different provider; I was referring to the one used on 
the RP side, and you to the session authenticity one. Might be a bug, will 
check on Mon.

Thanks, Sergey
On 13/01/17 18:11, Romain Manni-Bucau wrote:
> In the mentioned method we have:
>
> stateString = JwsUtils.verify(jws, stateString).getUnsignedEncodedSequence();
>
>
> should we get:
>
> stateString = JwsUtils.verify(jws, stateString).getDecodedJwsPayload();
>
>
> ?
>
> Otherwise I don't see how the round trip can work
>
> Romain Manni-Bucau
> @rmannibucau <https://twitter.com/rmannibucau> | Blog
> <https://blog-rmannibucau.rhcloud.com> | Old Blog
> <http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
> LinkedIn <https://www.linkedin.com/in/rmannibucau> | JavaEE Factory
> <https://javaeefactory-rmannibucau.rhcloud.com>
>


-- 
Sergey Beryozkin

Talend Community Coders
http://coders.talend.com/
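
The distinction the thread turns on, as an added example that is not part of either message and is not CXF code: in a compact JWS the signing input (encoded headers, a dot, encoded payload) is a different string from the decoded payload, and only the decoded payload equals the state string that was signed. The class name, key and state value are constructed for illustration; it uses JDK classes only and assumes HS256.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical demo class: compact JWS round trip of a session state string.
public class JwsStateRoundTrip {
    private static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder DEC = Base64.getUrlDecoder();

    static byte[] hmac(byte[] key, String signingInput) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(signingInput.getBytes(StandardCharsets.US_ASCII));
    }

    // Compact JWS: BASE64URL(header) "." BASE64URL(payload) "." BASE64URL(signature)
    static String sign(byte[] key, String state) throws Exception {
        String header = ENC.encodeToString("{\"alg\":\"HS256\"}".getBytes(StandardCharsets.UTF_8));
        String payload = ENC.encodeToString(state.getBytes(StandardCharsets.UTF_8));
        String signingInput = header + "." + payload;
        return signingInput + "." + ENC.encodeToString(hmac(key, signingInput));
    }

    // Checks the MAC (algorithm pinned to HS256, the header is not consulted),
    // then returns { signing input, decoded payload }.
    static String[] verify(byte[] key, String compact) throws Exception {
        String[] parts = compact.split("\\.", -1);
        if (parts.length != 3) throw new SecurityException("not a compact JWS");
        String signingInput = parts[0] + "." + parts[1];
        byte[] expected = hmac(key, signingInput);
        if (!MessageDigest.isEqual(expected, DEC.decode(parts[2]))) { // constant-time compare
            throw new SecurityException("signature mismatch");
        }
        String decodedPayload = new String(DEC.decode(parts[1]), StandardCharsets.UTF_8);
        return new String[] { signingInput, decodedPayload };
    }

    public static void main(String[] args) throws Exception {
        byte[] key = "constructed-demo-key-32-bytes-long!".getBytes(StandardCharsets.UTF_8);
        String state = "{\"clientId\":\"demo\",\"nonce\":\"abc123\"}"; // constructed sample state
        String[] out = verify(key, sign(key, state));
        System.out.println("signing input   : " + out[0]);
        System.out.println("decoded payload : " + out[1]);
        System.out.println("signing input equals original state: " + out[0].equals(state));
        System.out.println("decoded payload equals original state: " + out[1].equals(state));
    }
}
```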
