nscendoni commented on code in PR #15:
URL:
https://github.com/apache/sling-org-apache-sling-auth-oauth-client/pull/15#discussion_r2102790255
##########
src/main/java/org/apache/sling/auth/oauth_client/impl/OidcAuthenticationHandler.java:
##########
@@ -187,32 +198,40 @@ public AuthenticationInfo extractCredentials(@NotNull
HttpServletRequest request
return authInfo;
}
- //The request is not authenticated.
- // 1. Check if the State cookie match with the state in the request
received from the idp
+ //The request is not authenticated.
+ // 1. Extract nonce cookie and state cookie from the request
StringBuffer requestURL = request.getRequestURL();
if ( request.getQueryString() != null )
requestURL.append('?').append(request.getQueryString());
Optional<OAuthState> clientState; //state returned by the idp in the
redirect request
String authCode; //authorization code returned by the idp in the
redirect request
Cookie stateCookie;
+ Cookie nonceCookie;
Review Comment:
I'm currently working on this. I'll push a PR with a refactoring to work
with single cookie.
##########
src/main/java/org/apache/sling/auth/oauth_client/impl/OidcAuthenticationHandler.java:
##########
@@ -187,32 +198,40 @@ public AuthenticationInfo extractCredentials(@NotNull
HttpServletRequest request
return authInfo;
}
- //The request is not authenticated.
- // 1. Check if the State cookie match with the state in the request
received from the idp
+ //The request is not authenticated.
+ // 1. Extract nonce cookie and state cookie from the request
StringBuffer requestURL = request.getRequestURL();
if ( request.getQueryString() != null )
requestURL.append('?').append(request.getQueryString());
Optional<OAuthState> clientState; //state returned by the idp in the
redirect request
String authCode; //authorization code returned by the idp in the
redirect request
Cookie stateCookie;
+ Cookie nonceCookie;
Review Comment:
@rombert @anchela
Currently in oauth flow we send several information in the state:
- perRequestKey (random value to be verified)
- connectionName
- redirect
The perRequestKey is also sent in one encrypted cookie to be verified for
CSRF protection.
During OIDC authentication flow, additional information (nonce and code
verifier) are sent into separated cookies.
If you agree we may send a single json encrypted cookie with all the
information required by both the flows, and send only the perRequestKey in the
state.
##########
src/main/java/org/apache/sling/auth/oauth_client/ClientConnection.java:
##########
@@ -34,4 +35,10 @@ public interface ClientConnection {
* @return the name of the connection
*/
@NotNull String name();
+ String clientId();
Review Comment:
The issue was that after refactoring for java 11, the pipeline failed
because there was too much code duplicated in `OAuthConnectionImpl` and
`OidcConnectionImpl`. I had to refactor these class to inherit some code.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
