cxf-issues mailing list archives

From "Sergey Beryozkin (JIRA)" <>
Subject [jira] [Commented] (CXF-7201) Incorrect JSON return in openId connect UserInfo when no signature or encryption
Date Fri, 30 Dec 2016 12:22:58 GMT


Sergey Beryozkin commented on CXF-7201:

Have a look please at the link I included in my previous comment, it points to a line
declaring this provider, it is in rt/rs/extensions/providers. In Fediz OIDC UserInfo is also
returned in a clear form over HTTPS.
I agree about a non-clear form and String, I've also been considering for a while to let JAXRS
JOSE out interceptors take care of signing/encrypting UserInfo on the fly so that the service
code does not even deal with it - just did not get to it and it is probably a bit too late.
That said, let me apply your patch anyway but make its 'in place' serialization optional -
maybe that will help you apply Jackson (in our experience it is a bit verbose with respect
to reporting the properties as nulls, and does not really work well if the untyped properties
are added).

> Incorrect JSON return in openId connect UserInfo when no signature or encryption
> --------------------------------------------------------------------------------
>                 Key: CXF-7201
>                 URL:
>             Project: CXF
>          Issue Type: Improvement
>          Components: JAX-RS Security
>    Affects Versions: 3.1.9
>            Reporter: Jose Escobar
>            Priority: Minor
>              Labels: jwt, openid
> Hello,
> I'm using your to publish an OpenId
> connect UserInfo service. When returned JWT requires signature or encryption I get a correctly
> formatted JWT, but when no signature or encryption is required, returned JSON is not correctly
> Problem occurs because on the second scenario, JSON marshal is done out of scope of cxf
> jose jwt (by default json marshaller). On signature or encrypted JWT, JwtUtils.claimsToJson
> is used and result is OK.
> I've resolved this using a custom UserInfoService. I'm going to send a pull request with
> a fix hoping it could be useful.
