[1.15.x][ELY-2564] Add the ability to disable OIDC access token typ claim validation via a system property #1919
…y parameter can be processed appropriately
…ials obtained from Basic auth
Method isAutodetectedBearerOnly() should be invoked after checking the cached token. Invoking isAutodetectedBearerOnly() early will break every AJAX request that relies on the HTTP session. A clear example is JSF Partial Request: it will never send the header "Authorization" nor the query parameter "auth". During the initial load of the view the user was authenticated, then the token was stored in the HTTP session, so JSF Partial Request relies on the HTTP session onwards. https://issues.redhat.com/browse/ELY-2487
Signed-off-by: Patrick Reinhart <patrick@reini.net>
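The ordering problem that commit message describes, as an added example that is not code from this PR or from Elytron: a simplified model in which every class, method and enum name is hypothetical. The header heuristic standing in for isAutodetectedBearerOnly() and the 401 outcome for bearer-only requests are assumptions.

```java
import java.util.Map;

// Simplified model of the check ordering; hypothetical names, not Elytron code. Java 16+.
public class CheckOrderDemo {
    enum Outcome { VALIDATE_BEARER, USE_CACHED_TOKEN, CHALLENGE_401, REDIRECT_TO_LOGIN }

    // Constructed request: headers, "auth" query parameter, and whether the HTTP session holds a token.
    record Request(Map<String, String> headers, String authParam, boolean sessionHasToken) {}

    // Stand-in for isAutodetectedBearerOnly(); the header heuristic is an assumption.
    static boolean looksBearerOnly(Request r) {
        return "partial/ajax".equals(r.headers().get("Faces-Request"))
            || "XMLHttpRequest".equals(r.headers().get("X-Requested-With"));
    }

    static boolean carriesCredential(Request r) {
        return r.headers().containsKey("Authorization") || r.authParam() != null;
    }

    // Ordering the commit message describes as broken: autodetection before the cached token.
    static Outcome autodetectFirst(Request r) {
        if (carriesCredential(r)) return Outcome.VALIDATE_BEARER;
        if (looksBearerOnly(r)) return Outcome.CHALLENGE_401;
        if (r.sessionHasToken()) return Outcome.USE_CACHED_TOKEN;
        return Outcome.REDIRECT_TO_LOGIN;
    }

    // Ordering after the fix: the cached token is consulted first.
    static Outcome cachedTokenFirst(Request r) {
        if (carriesCredential(r)) return Outcome.VALIDATE_BEARER;
        if (r.sessionHasToken()) return Outcome.USE_CACHED_TOKEN;
        if (looksBearerOnly(r)) return Outcome.CHALLENGE_401;
        return Outcome.REDIRECT_TO_LOGIN;
    }

    public static void main(String[] args) {
        Map<String, String> ajax = Map.of("Faces-Request", "partial/ajax");
        Request loggedIn = new Request(ajax, null, true);   // JSF partial request after login
        Request anonymous = new Request(ajax, null, false); // same request, no session token
        System.out.println("autodetect first, logged in:   " + autodetectFirst(loggedIn));
        System.out.println("cached token first, logged in: " + cachedTokenFirst(loggedIn));
        System.out.println("cached token first, anonymous: " + cachedTokenFirst(anonymous));
    }
}
```

With autodetection first, the logged-in partial request is challenged even though its session holds a token; with the cached token first, only the anonymous request is challenged.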
http/oidc/src/main/java/org/wildfly/security/http/oidc/BasicAuthRequestAuthenticator.java
@@ -241,4 +245,33 @@ public String getError() { | |||
} | |||
} | |||
|
|||
public static AccessAndIDTokenResponse getBearerToken(OidcClientConfiguration oidcClientConfiguration, String username, String password) throws Exception { | |||
AccessAndIDTokenResponse tokenResponse; | |||
HttpClient client = oidcClientConfiguration.getClient(); |
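Review bot: the new getBearerToken signature is `public static` and declares `throws Exception`, which widens the API surface and forces callers to catch everything. If it is only reached from internal callers, reduce its visibility, and declare the specific exception types the token request can raise so an authentication failure is not handled together with unrelated errors. The password also arrives as a `String`; add a short Javadoc stating that the credentials must not be logged, and consider `char[]` if the calling code already holds it in that form.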
I haven't checked object access in all the new methods but should we be having some Assert.checkNotNull calls for the mandatory parameters?
This is called from private API and will be called with valid parameters. In general though, it would probably be good to do a pass through these types of methods to add checkNotNull calls where appropriate. I'll add some good first issues for that I think.
@@ -0,0 +1,545 @@ | |||
/* | |||
* JBoss, Home of Professional Open Source. | |||
* Copyright 2022 Red Hat, Inc., and individual contributors |
2023?
This file is part of the backported commits.
8a930f7 to ac872f8
…idation via a system property
I've now added tests to this PR.
https://issues.redhat.com/browse/ELY-2564
https://issues.redhat.com/browse/JBEAP-24829
Depends on #1917
Note: I am still working on the tests for this one but this can start to be reviewed in the meantime.