cxf-issues mailing list archives

From "Sergey Beryozkin (JIRA)" <>
Subject [jira] [Commented] (CXF-7201) Incorrect JSON return in openId connect UserInfo when no signature or encryption
Date Fri, 30 Dec 2016 11:09:58 GMT


Sergey Beryozkin commented on CXF-7201:

Thanks for the patch - but it really works as expected, though I should've documented it better.


If UserInfo is returned in a clear form over HTTPS then it is serialized at a JAX-RS MessageBodyWriter level. Your patch is technically OK, but I prefer, whenever possible, to let the OIDC/OAuth2 responses flow via the JAX-RS response chains (for example, maybe someone will register a ContainerResponseFilter and augment UserInfo, etc.).

Please validate that registering a provider works for you and if yes - resolve this issue,

> Incorrect JSON return in openId connect UserInfo when no signature or encryption
> --------------------------------------------------------------------------------
>                 Key: CXF-7201
>                 URL:
>             Project: CXF
>          Issue Type: Improvement
>          Components: JAX-RS Security
>    Affects Versions: 3.1.9
>            Reporter: Jose Escobar
>            Priority: Minor
>              Labels: jwt, openid
> Hello,
> I'm using your to publish an OpenId connect UserInfo service. When returned JWT requires signature or encryption I get a correctly formatted JWT, but when no signature or encryption is required, returned JSON is not correctly
> Problem occurs because on the second scenario, JSON marshal is done out of scope of cxf jose jwt (by default json marshaller). On signature or encrypted JWT, JwtUtils.claimsToJson is used and result is OK.
> I've resolved this using a custom UserInfoService. I'm going to send a pull request with a fix hoping it could be useful.
