syncope-dev mailing list archives
From Colm O hEigeartaigh <cohei...@apache.org>
Subject Re: Obtain JWT token
Date Tue, 13 Jun 2017 15:58:09 GMT
I'll look into adding some tests as well.

Colm.

On Tue, Jun 13, 2017 at 4:53 PM, Sergey Beryozkin <sberyozkin@gmail.com>
wrote:

> Hi Francesco
> On 13/06/17 16:28, Francesco Chicchiriccò wrote:
>
>> On 13/06/2017 17:25, Colm O hEigeartaigh wrote:
>>
>>> Thanks Francesco, I will take care of that.
>>>
>>
>> Cool :-)
>>
>>> Another question - do we have tests (e.g. bad signature, untrusted
>>> signature, token expired etc.)?
>>>
>>
>> No, we don't have specific tests for that: since we're using CXF
>> libraries for parse and generation, I thought it was not necessary,
>>
>
> JWT token is simply a JSON object where each top-level property is called
> a 'claim' :-) and given that CXF JOSE (and other JOSE) libraries protect
> the arbitrary format payloads, it does not specifically validate the expiry
> date, only that the signature or encryption has been done right.
> The expiry dates are checked in scope of the higher-level applications
> which use JWT, in OIDC for example, so indeed, as Colm indicated, it can be
> a good idea to test that for example, a JWT token used in scope of Syncope
> flows is not effective after it has expired, etc
>
> Thanks, Sergey
>
> but feel free to add.
>>
>> Regards.
>>
>> On Tue, Jun 13, 2017 at 4:21 PM, Francesco Chicchiriccò <
>>> ilgrosso@apache.org> wrote:
>>>
>>> On 13/06/2017 17:17, Colm O hEigeartaigh wrote:
>>>>
>>>> Hi all,
>>>>>
>>>>> The docs state that "X-Syncope-Token is returned on response to
>>>>> successful
>>>>> authentication
>>>>> <https://syncope.apache.org/docs/reference-guide.html#rest-
>>>>> authentication-and-authorization>,
>>>>> and contains the unique signed JSON Web Token
>>>>> <https://en.wikipedia.org/wiki/JSON_Web_Token> identifying the
>>>>> authenticated user".
>>>>>
>>>>> However with, e.g. curl -I -u alice:security
>>>>> http://localhost:8080/syncope/rest/users/self I don't see the
>>>>> X-Syncope-Token header being returned (Syncope 2.0.4-SNAPSHOT).
>>>>>
>>>>> Do I need to explicitly configure returning the token or am I missing
>>>>> something else?
>>>>>
>>>>> The endpoint for obtaining the JWT is
>>>>
>>>> POST /accessTokens/login
>>>>
>>>> Maybe it is an idea to add an example to that section in the docs.
>>>>
>>>> Regards.
>>>>
>>>
>>
>
> --
> Sergey Beryozkin
>
> Talend Community Coders
> http://coders.talend.com/
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
