Created https://wso2.org/jira/browse/IDENTITY-5959 to track this.
Farasath Ahamed
Software Engineer, WSO2 Inc.; http://wso2.com
Mobile: +94777603866
Blog: blog.farazath.com
Twitter: @farazath619 <https://twitter.com/farazath619>
<http://wso2.com/signature>

On Thu, May 18, 2017 at 9:10 PM, Pushpalanka Jayawardhana <[email protected]> wrote:
> Hi,
>
> On Thu, May 18, 2017 at 4:58 PM, Farasath Ahamed <[email protected]> wrote:
>
>> Hi,
>>
>> With our current implementation, we check whether an OAuth app is active
>> at [1]. This happens before we complete client authentication at [2].
>>
>> Therefore even for an invalid client_id value, the error message that we
>> would get will be "Oauth App is not in active state." which is not the
>> expected behaviour.
>>
>> To fix this I see two options,
>>
>> 1. Handle the APP_STATE value being NULL (i.e. no app was found for the given
>> consumer key) properly. The APP_STATE column allows NULL as a value, so we can't
>> exactly say that APP_STATE == 'NULL' would imply that there is no app for a
>> given consumer key.
>>
> +1 for this approach. With this we can avoid some processing done in vain
> and respond to invalid requests much earlier. Saving NULL for APP_STATE seems
> something we should investigate and fix.
>
>> 2. Move the APP_STATE validation logic to be done after [2].
>>
>> WDYT?
>>
>> [1] https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/token/OAuth2TokenEndpoint.java#L87-L97
>>
>> [2] https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/AccessTokenIssuer.java#L168
>>
>> Thanks,
>> Farasath Ahamed
>> Software Engineer, WSO2 Inc.; http://wso2.com
>> Mobile: +94777603866
>> Blog: blog.farazath.com
>> Twitter: @farazath619 <https://twitter.com/farazath619>
>> <http://wso2.com/signature>
>>
>
> --
> Pushpalanka.
>
> --
> Pushpalanka Jayawardhana, B.Sc.Eng.(Hons).
> Senior Software Engineer, WSO2 Lanka (pvt) Ltd; wso2.com/
> Mobile: +94779716248
> Blog: pushpalankajaya.blogspot.com/ | LinkedIn: lk.linkedin.com/in/pushpalanka/ | Twitter: @pushpalanka
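As an added illustration (not code from this thread or from the WSO2 code base), the current ordering and the two proposed fixes modelled in Python over a constructed in-memory app table; OAuthApp, APPS, authenticate and the validate_* functions are assumptions standing in for the real state check at [1] and the client authentication at [2].

```python
from dataclasses import dataclass
from hmac import compare_digest
from typing import Optional

@dataclass
class OAuthApp:
    consumer_key: str
    consumer_secret: str
    app_state: Optional[str]  # the column allows NULL, so None is a legal stored value

# Constructed stand-in for the consumer-app table lookup (not WSO2's DAO)
APPS = {
    "active-app": OAuthApp("active-app", "s3cret", "ACTIVE"),
    "revoked-app": OAuthApp("revoked-app", "s3cret", "REVOKED"),
    "null-state-app": OAuthApp("null-state-app", "s3cret", None),
}
NOT_ACTIVE = "Oauth App is not in active state."
INVALID_CLIENT = "invalid_client"

def authenticate(app: OAuthApp, client_secret: str) -> bool:
    # Client authentication, modelled as a constant-time secret comparison
    return compare_digest(app.consumer_secret, client_secret)

def validate_current(client_id: str, client_secret: str) -> str:
    # Current ordering: APP_STATE is checked before client authentication.
    # A missing row and a row whose APP_STATE is NULL both surface as None,
    # so an unknown client_id is reported as an inactive app.
    app = APPS.get(client_id)
    state = app.app_state if app is not None else None
    if state != "ACTIVE":
        return NOT_ACTIVE
    return "ok" if authenticate(app, client_secret) else INVALID_CLIENT

def validate_option1(client_id: str, client_secret: str) -> str:
    # Option 1: treat "no app for this consumer key" as its own case up front,
    # instead of inferring it from a NULL APP_STATE
    app = APPS.get(client_id)
    if app is None:
        return INVALID_CLIENT
    if app.app_state != "ACTIVE":
        return NOT_ACTIVE
    return "ok" if authenticate(app, client_secret) else INVALID_CLIENT

def validate_option2(client_id: str, client_secret: str) -> str:
    # Option 2: client authentication first, APP_STATE only afterwards
    app = APPS.get(client_id)
    if app is None or not authenticate(app, client_secret):
        return INVALID_CLIENT
    return "ok" if app.app_state == "ACTIVE" else NOT_ACTIVE
```

Option 1 on its own still reports an existing app's state to a caller that has not yet authenticated, whereas option 2 only does so after client authentication succeeds.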
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
