cxf-dev mailing list archives

From Romain Manni-Bucau <rmannibu...@gmail.com>
Subject Re: org.apache.cxf.rs.security.oauth2.provider.JoseSessionTokenProvider#decryptStateString decoded?
Date Fri, 13 Jan 2017 22:04:19 GMT
Pushed this fix in meecrowave oauth2. Happy to remove this hack with 3.1.10
;)


On 13 Jan 2017 21:13, "Sergey Beryozkin" <sberyozkin@gmail.com> wrote:

> Hi Romain
>
> I recall I was experimenting with this provider awhile back (as part of
> our internal demo, at the RP side), and it worked. But it was awhile since
> I looked at it.
>
> The actual JwsUtils returns in this case a validated JWS sequence
> (headers+payload).
>
> Oh, I see, that is diff provider, I was ref to the one used on the RP
> side, and you - to the session authenticity one. Might be a bug, will check
> on Mon
>
> Thanks, Sergey
> On 13/01/17 18:11, Romain Manni-Bucau wrote:
>
>> In the mentioned method we have:
>>
>> stateString = JwsUtils.verify(jws, stateString).getUnsignedEncodedSequence();
>>
>>
>> should we get:
>>
>> stateString = JwsUtils.verify(jws, stateString).getDecodedJwsPayload();
>>
>>
>> ?
>>
>> Otherwise I don't see how the round trip can work
>>
>> Romain Manni-Bucau
>> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
>> <https://blog-rmannibucau.rhcloud.com> | Old Blog
>> <http://rmannibucau.wordpress.com> | Github <
>> https://github.com/rmannibucau> |
>> LinkedIn <https://www.linkedin.com/in/rmannibucau> | JavaEE Factory
>> <https://javaeefactory-rmannibucau.rhcloud.com>
>>
>>
>
> --
> Sergey Beryozkin
>
> Talend Community Coders
> http://coders.talend.com/
>
