[1.15.x][ELY-2564] Add the ability to disable OIDC access token typ claim validation via a system property #1919
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…y parameter can be processed appropriately
…ials obtained from Basic auth
Method isAutodetectedBearerOnly() should be invoked after checking cached token. Invoking isAutodetectedBearerOnly() early will break every AJAX request that relies on HTTP session. A clear example is JSF Partial Request, it will never send the header "Authorization" neither the query parameter "auth". During the initial load of view the user was authenticated, then the token was stored in HTTP session, so, JSF Partial Request relies on HTTP session onwards. https://issues.redhat.com/browse/ELY-2487
Signed-off-by: Patrick Reinhart <patrick@reini.net>
darranl
reviewed
Jun 14, 2023
http/oidc/src/main/java/org/wildfly/security/http/oidc/BasicAuthRequestAuthenticator.java
Show resolved
Hide resolved
darranl
reviewed
Jun 14, 2023
| @@ -241,4 +245,33 @@ public String getError() { | |||
| } | |||
| } | |||
|
|
|||
| public static AccessAndIDTokenResponse getBearerToken(OidcClientConfiguration oidcClientConfiguration, String username, String password) throws Exception { | |||
| AccessAndIDTokenResponse tokenResponse; | |||
| HttpClient client = oidcClientConfiguration.getClient(); | |||
There was a problem hiding this comment.
I haven't checked object access in all the new methods but should we be having some Assert.checkNotNull calls for the mandatory parameters?
There was a problem hiding this comment.
This is called from private API and will be called with valid parameters. In general though, it would probably be good to do a pass through these types of methods to add checkNotNull calls where appropriate. I'll add some good first issues for that I think.
darranl
reviewed
Jun 14, 2023
| @@ -0,0 +1,545 @@ | |||
| /* | |||
| * JBoss, Home of Professional Open Source. | |||
| * Copyright 2022 Red Hat, Inc., and individual contributors | |||
There was a problem hiding this comment.
This file is part of the backported commits.
darranl
approved these changes
Jun 14, 2023
fjuma
force-pushed
the
ELY-2564-1.15.x
branch
2 times, most recently
from
8a930f7
to
ac872f8
Compare
…idation via a system property
|
I've now added tests to this PR. |
Skyllarr
approved these changes
Jun 14, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
https://issues.redhat.com/browse/ELY-2564
https://issues.redhat.com/browse/JBEAP-24829
Depends on #1917
Note: I am still working on the tests for this one but this can start to be reviewed in the meantime.