cxf-issues mailing list archives

From "Jose Escobar (JIRA)" <>
Subject [jira] [Commented] (CXF-7201) Incorrect JSON return in openId connect UserInfo when no signature or encryption
Date Fri, 30 Dec 2016 12:06:58 GMT


Jose Escobar commented on CXF-7201:

Hello Sergey,

As I can see, there isn't a specific provider that uses JwtTokenReaderWriter, so maybe it would
be useful if cxf included one in the jose.jwt packages (maybe I just can't find it).

I get the point about letting the UserInfo object flow, but if signature or encryption are used,
the response is also a String and can't be easily read by filters.

In our particular case we also have a problem because we are using <bean class="com.fasterxml.jackson.jaxrs.json.JacksonJsonProvider"/>
as the json provider in our jaxrs:server. We have one server with all the serviceBeans we want to
secure with oAuth2, and some of them use JacksonJsonProvider.

So for us it is better to extend AbstractOAuthServerJoseJwtProducer in a custom UserInfoService
that always returns Strings. I also understand your point of view, and maybe it is better to respond
with a UserInfo object for general cases (delegating crypto to a filter etc...)

I was really excited about having some lines committed on CXF :P Maybe next time.

Thank you very much!

> Incorrect JSON return in openId connect UserInfo when no signature or encryption
> --------------------------------------------------------------------------------
>                 Key: CXF-7201
>                 URL:
>             Project: CXF
>          Issue Type: Improvement
>          Components: JAX-RS Security
>    Affects Versions: 3.1.9
>            Reporter: Jose Escobar
>            Priority: Minor
>              Labels: jwt, openid
> Hello,
> I'm using your tu publish an OpenId connect UserInfo service. When the returned JWT requires
> signature or encryption I get a correctly formatted JWT, but when no signature or encryption is
> required, the returned JSON is not correctly
> The problem occurs because in the second scenario, JSON marshalling is done out of the scope of
> cxf jose jwt (by the default json marshaller). On a signed or encrypted JWT, JwtUtils.claimsToJson
> is used and the result is OK.
> I've resolved this using a custom UserInfoService. I'm going to send a pull request with
> a fix hoping it could be useful.
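The workaround the thread describes (a custom UserInfoService extending AbstractOAuthServerJoseJwtProducer that always returns a String, so the unsigned case is serialized by JwtUtils.claimsToJson rather than by the server-wide JSON provider), written out as an added example that is neither CXF's own UserInfoService nor the commenter's code. It assumes the CXF 3.1.x class and method names shown (UserInfoProvider, OAuthDataProvider, OAuthContextUtils, processJwt, isJwsRequired/isJweRequired) and that the two providers are wired in from Spring or Blueprint.

```java
import java.util.List;

import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;

import org.apache.cxf.jaxrs.ext.MessageContext;
import org.apache.cxf.rs.security.jose.jwt.JwtToken;
import org.apache.cxf.rs.security.jose.jwt.JwtUtils;
import org.apache.cxf.rs.security.oauth2.common.Client;
import org.apache.cxf.rs.security.oauth2.common.OAuthContext;
import org.apache.cxf.rs.security.oauth2.provider.AbstractOAuthServerJoseJwtProducer;
import org.apache.cxf.rs.security.oauth2.provider.OAuthDataProvider;
import org.apache.cxf.rs.security.oauth2.utils.OAuthContextUtils;
import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils;
import org.apache.cxf.rs.security.oidc.common.UserInfo;
import org.apache.cxf.rs.security.oidc.idp.UserInfoProvider;

// Always returns a String entity so the JSON provider registered on the jaxrs:server
// (e.g. JacksonJsonProvider) never gets to marshal the UserInfo object itself.
@Path("/userinfo")
public class StringUserInfoService extends AbstractOAuthServerJoseJwtProducer {
    private UserInfoProvider userInfoProvider;   // assumed: wired from Spring/Blueprint
    private OAuthDataProvider oauthDataProvider; // assumed: wired from Spring/Blueprint
    @Context
    private MessageContext mc;

    @GET
    @Produces({"application/json", "application/jwt"})
    public Response getUserInfo() {
        OAuthContext oauth = OAuthContextUtils.getContext(mc);
        List<String> scopes = OAuthUtils.convertPermissionsToScopeList(oauth.getPermissions());
        UserInfo userInfo = userInfoProvider.getUserInfo(oauth.getClientId(), oauth.getSubject(), scopes);
        if (isJwsRequired() || isJweRequired()) {
            // Signed and/or encrypted: compact JWT built by the CXF JOSE code path, unchanged.
            Client client = oauthDataProvider.getClient(oauth.getClientId());
            String jwt = processJwt(new JwtToken(userInfo), client);
            return Response.ok(jwt, "application/jwt").build();
        }
        // Plain case: serialize the claims with the JOSE JSON writer (the same call the
        // signed path uses internally) instead of handing the bean to the JSON provider.
        String json = JwtUtils.claimsToJson(userInfo);
        return Response.ok(json, "application/json").build();
    }

    public void setUserInfoProvider(UserInfoProvider p) { this.userInfoProvider = p; }
    public void setOauthDataProvider(OAuthDataProvider p) { this.oauthDataProvider = p; }
}
```

Because the entity is a String in both branches, a response filter sees the same entity type whether or not JWS/JWE is configured, which is the consistency the comment above asks for.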

This message was sent by Atlassian JIRA
