Hi,

On Thu, May 18, 2017 at 4:58 PM, Farasath Ahamed <[email protected]> wrote:

> Hi,
>
> With our current implementation, we check whether an OAuth app is active at [1]. This happens before we complete client authentication at [2].
>
> Therefore even for an invalid client_id value, the error message that we would get will be "Oauth App is not in active state." which is not the expected behaviour.
>
> To fix this I see two options,
>
> 1. Handle the APP_STATE value being NULL (i.e. no app was found for the given consumer key) properly. The APP_STATE column allows NULL as a value, so we can't exactly say that APP_STATE == 'NULL' would imply that there is no app for a given consumer key.

+1 for this approach. With this we can avoid some processing done in vain and respond to invalid requests much earlier. Saving NULL for APP_STATE seems like something we should investigate and fix.

> 2. Move the APP_STATE validation logic to be done after [2].
>
> WDYT?
>
> [1] https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/token/OAuth2TokenEndpoint.java#L87-L97
>
> [2] https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/AccessTokenIssuer.java#L168
>
> Thanks,
> Farasath Ahamed
> Software Engineer, WSO2 Inc.; http://wso2.com
> Mobile: +94777603866
> Blog: blog.farazath.com
> Twitter: @farazath619 <https://twitter.com/farazath619>
> <http://wso2.com/signature>

--
Pushpalanka.

--
Pushpalanka Jayawardhana, B.Sc.Eng.(Hons).
Senior Software Engineer, WSO2 Lanka (pvt) Ltd; wso2.com/
Mobile: +94779716248
Blog: pushpalankajaya.blogspot.com/ | LinkedIn: lk.linkedin.com/in/pushpalanka/ | Twitter: @pushpalanka
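As an added illustration of the ordering problem in the thread and of option 1 (not WSO2 code), the following Python model puts the current check order beside the fixed one; the app registry, the APP_STATE values, the lookup function and the error strings are constructed assumptions.

```python
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

ACTIVE = "ACTIVE"
NOT_ACTIVE_MSG = "Oauth App is not in active state."  # message quoted in the thread


@dataclass
class OAuthApp:
    consumer_key: str
    consumer_secret: str
    app_state: Optional[str]  # APP_STATE column allows NULL, so None is a legal value


# Constructed sample registry keyed by consumer key (stands in for the app table).
APPS = {
    "good-client": OAuthApp("good-client", "s3cret", ACTIVE),
    "revoked-client": OAuthApp("revoked-client", "s3cret", "REVOKED"),
    "null-state-client": OAuthApp("null-state-client", "s3cret", None),
}


def lookup_app(consumer_key: str) -> Optional[OAuthApp]:
    return APPS.get(consumer_key)


def validate_client_current(consumer_key: str, consumer_secret: str) -> Tuple[Optional[str], Optional[str]]:
    """Current order: state check runs before client authentication, and an
    unknown key and a NULL state both look like 'not active'."""
    app = lookup_app(consumer_key)
    state = app.app_state if app else None
    if state != ACTIVE:
        return "invalid_client", NOT_ACTIVE_MSG  # wrong message for an invalid client_id
    if not hmac.compare_digest(app.consumer_secret, consumer_secret):
        return "invalid_client", "Client authentication failed"
    return None, None


def validate_client_fixed(consumer_key: str, consumer_secret: str) -> Tuple[Optional[str], Optional[str]]:
    """Option 1: distinguish 'no app for this key' from 'app row with NULL state'
    so the caller is rejected early with the right error, and NULL is surfaced
    as a data problem rather than as an inactive app."""
    app = lookup_app(consumer_key)
    if app is None:
        return "invalid_client", "Client authentication failed"  # no row: reject early
    if app.app_state is None:
        return "server_error", "App state is not set for this client"  # NULL stored
    if app.app_state != ACTIVE:
        return "invalid_client", NOT_ACTIVE_MSG
    if not hmac.compare_digest(app.consumer_secret, consumer_secret):
        return "invalid_client", "Client authentication failed"
    return None, None
```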
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
