cxf-issues mailing list archives

From "Sergey Beryozkin (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CXF-7201) Incorrect JSON return in openId connect UserInfo when no signature or encryption
Date Fri, 30 Dec 2016 11:09:58 GMT

    [ https://issues.apache.org/jira/browse/CXF-7201?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15787472#comment-15787472 ]

Sergey Beryozkin commented on CXF-7201:
---------------------------------------

Thanks for the patch - but it really works as expected, though I should've documented it better.

See
https://github.com/apache/cxf-fediz/blob/master/services/oidc/src/main/webapp/WEB-INF/applicationContext.xml#L124

If UserInfo is returned in a clear form over HTTPS then it is serialized at the JAX-RS MessageBodyWriter
level. Your patch is technically OK, but I prefer, whenever possible, to let the OIDC/OAuth2
responses flow via the JAX-RS response chains (for example, maybe someone will register a ContainerResponseFilter
and augment UserInfo, etc.)

Please validate that registering a provider works for you and if yes - resolve this issue,
thanks

> Incorrect JSON return in openId connect UserInfo when no signature or encryption
> --------------------------------------------------------------------------------
>
>                 Key: CXF-7201
>                 URL: https://issues.apache.org/jira/browse/CXF-7201
>             Project: CXF
>          Issue Type: Improvement
>          Components: JAX-RS Security
>    Affects Versions: 3.1.9
>            Reporter: Jose Escobar
>            Priority: Minor
>              Labels: jwt, openid
>
> Hello,
> I'm using your org.apache.cxf.rs.security.oidc.idp.UserInfoService to publish an OpenId
> connect UserInfo service. When the returned JWT requires signature or encryption I get a correctly
> formatted JWT, but when no signature or encryption is required, the returned JSON is not correctly
> formatted.
> The problem occurs because in the second scenario, the JSON marshalling is done out of scope of cxf
> jose jwt (by the default json marshaller). For a signed or encrypted JWT, JwtUtils.claimsToJson
> is used and the result is OK.
> I've resolved this using a custom UserInfoService. I'm going to send a pull request with
> a fix, hoping it could be useful.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
