rombert commented on code in PR #15:
URL:
https://github.com/apache/sling-org-apache-sling-auth-oauth-client/pull/15#discussion_r2109590620
##########
src/main/java/org/apache/sling/auth/oauth_client/impl/OidcAuthenticationHandler.java:
##########
@@ -187,32 +198,40 @@ public AuthenticationInfo extractCredentials(@NotNull
HttpServletRequest request
return authInfo;
}
- //The request is not authenticated.
- // 1. Check if the State cookie match with the state in the request
received from the idp
+ //The request is not authenticated.
+ // 1. Extract nonce cookie and state cookie from the request
StringBuffer requestURL = request.getRequestURL();
if ( request.getQueryString() != null )
requestURL.append('?').append(request.getQueryString());
Optional<OAuthState> clientState; //state returned by the idp in the
redirect request
String authCode; //authorization code returned by the idp in the
redirect request
Cookie stateCookie;
+ Cookie nonceCookie;
Review Comment:
If we are sure we can fit within 4096 byes I would suggest that we keep one
cookie, this should make the payload smaller and the code easier to understand.
I am not sure if it makes sense to have different coookie names for the
OAuth servlets vs the Authentication Handler, to simplify the code. Just an
idea, not a suggestion :-)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
