Hi,

If the APP_STATE value is NULL we can say that a valid OAuth client could not be found. Based on this we have done the fix as below.
[1] https://github.com/wso2-extensions/identity-inbound-auth-oauth/pull/368

Thanks,
Hasanthi Dissanayake
Software Engineer | WSO2
E: hasan...@wso2.com
M: 0718407133 | http://wso2.com

On Thu, May 25, 2017 at 11:52 AM, Isura Karunaratne <is...@wso2.com> wrote:
>
> On Fri, May 19, 2017 at 3:35 PM, Farasath Ahamed <farasa...@wso2.com> wrote:
>
>> Created https://wso2.org/jira/browse/IDENTITY-5959 to track this.
>>
>> Farasath Ahamed
>> Software Engineer, WSO2 Inc.; http://wso2.com
>> Mobile: +94777603866
>> Blog: blog.farazath.com
>> Twitter: @farazath619 <https://twitter.com/farazath619>
>> <http://wso2.com/signature>
>>
>> On Thu, May 18, 2017 at 9:10 PM, Pushpalanka Jayawardhana <la...@wso2.com> wrote:
>>
>>> Hi,
>>>
>>> On Thu, May 18, 2017 at 4:58 PM, Farasath Ahamed <farasa...@wso2.com> wrote:
>>>
>>>> Hi,
>>>>
>>>> With our current implementation, we check whether an OAuth app is active at [1]. This happens before we complete client authentication at [2].
>>>>
>>>> Therefore even for an invalid client_id value, the error message that we would get will be "Oauth App is not in active state." which is not the expected behaviour.
>>>>
>>>> To fix this I see two options,
>>>>
>>>> 1. Handle the APP_STATE value being NULL (ie. no app was found for the given consumer key) properly. The APP_STATE column allows NULL as a value, so we can't exactly say that APP_STATE == 'NULL' would imply that there is no app for a given consumer key.
>>>>
>>> +1.
>
> Thanks
> Isura.
>
>>> +1 for this approach. With this we can avoid some processing done in vain and respond to invalid requests much earlier. Saving NULL for APP_STATE seems something we should investigate and fix.
>>>
>>>> 2. Move the APP_STATE validation logic to be done after [2]
>>>>
>>>> WDYT?
>>>>
>>>> [1] https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/token/OAuth2TokenEndpoint.java#L87-L97
>>>>
>>>> [2] https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/AccessTokenIssuer.java#L168
>>>>
>>>> Thanks,
>>>> Farasath Ahamed
>>>> Software Engineer, WSO2 Inc.; http://wso2.com
>>>> Mobile: +94777603866
>>>> Blog: blog.farazath.com
>>>> Twitter: @farazath619 <https://twitter.com/farazath619>
>>>> <http://wso2.com/signature>
>>>>
>>>
>>> --
>>> Pushpalanka.
>>> --
>>> Pushpalanka Jayawardhana, B.Sc.Eng.(Hons).
>>> Senior Software Engineer, WSO2 Lanka (pvt) Ltd; wso2.com/
>>> Mobile: +94779716248
>>> Blog: pushpalankajaya.blogspot.com/ | LinkedIn: lk.linkedin.com/in/pushpalanka/ | Twitter: @pushpalanka
>>>
>>
>> _______________________________________________
>> Dev mailing list
>> Dev@wso2.org
>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>
>
> --
>
> *Isura Dilhara Karunaratne*
> Senior Software Engineer | WSO2
> Email: is...@wso2.com
> Mob : +94 772 254 810
> Blog : http://isurad.blogspot.com/
>
_______________________________________________ Dev mailing list Dev@wso2.org http://wso2.org/cgi-bin/mailman/listinfo/dev
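The check-ordering problem the thread describes, worked as an added example that is not WSO2 code and not the content of PR #368: a token endpoint that tests APP_STATE before authenticating the client reports an unknown client_id as "not in active state", whereas treating a missing row (and, following the rule Hasanthi states above, a NULL APP_STATE) as "client not found" returns invalid_client early and still skips client authentication for inactive apps. The app registry, the OAuthApp record and the two validate functions are constructed assumptions standing in for the consumer-app lookup and the token endpoint.

```python
# Added example (not WSO2 code): modelling the token-endpoint check ordering
# discussed in the thread. The registry and names below are constructed.
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

INVALID_CLIENT = "invalid_client"
NOT_ACTIVE = "Oauth App is not in active state."
OK = "ok"


@dataclass
class OAuthApp:
    consumer_key: str
    consumer_secret: str
    app_state: Optional[str]  # the column allows NULL, as the thread notes


# Constructed stand-in for the consumer-app table keyed by consumer key.
APPS: Dict[str, OAuthApp] = {
    "active-app": OAuthApp("active-app", "s3cret", "ACTIVE"),
    "revoked-app": OAuthApp("revoked-app", "s3cret", "REVOKED"),
    "null-state-app": OAuthApp("null-state-app", "s3cret", None),
}


def authenticate_client(app: OAuthApp, client_secret: str) -> bool:
    """Constant-time secret comparison standing in for client authentication."""
    return hmac.compare_digest(app.consumer_secret, client_secret)


def validate_before(client_id: str, client_secret: str) -> str:
    """Ordering the thread calls the current behaviour: the state check runs
    first and treats 'no app' and 'app not ACTIVE' the same way, so an unknown
    client_id is answered with the misleading not-active message."""
    app = APPS.get(client_id)
    state = app.app_state if app is not None else None
    if state != "ACTIVE":
        return NOT_ACTIVE
    if not authenticate_client(app, client_secret):
        return INVALID_CLIENT
    return OK


def validate_after(client_id: str, client_secret: str) -> str:
    """Fixed ordering: a missing row, or a NULL APP_STATE (the rule stated in
    the reply above), means no valid client was found, so the endpoint answers
    invalid_client before doing any further work. Inactive apps are still
    rejected before client authentication, which is the early-exit benefit
    Pushpalanka points out."""
    app = APPS.get(client_id)
    if app is None or app.app_state is None:
        return INVALID_CLIENT
    if app.app_state != "ACTIVE":
        return NOT_ACTIVE
    if not authenticate_client(app, client_secret):
        return INVALID_CLIENT
    return OK


if __name__ == "__main__":
    for client_id, secret in [("no-such-app", "x"), ("null-state-app", "s3cret"),
                              ("revoked-app", "s3cret"), ("active-app", "wrong"),
                              ("active-app", "s3cret")]:
        print(f"{client_id:15} before={validate_before(client_id, secret)!r:40} "
              f"after={validate_after(client_id, secret)!r}")
```

The distinction that matters for defenders is between "no row" and "row with a non-ACTIVE state": only the second case should ever produce the not-active message, and the NULL case is mapped to invalid_client here because that is the rule the fix above adopts, not because the column semantics guarantee it (Farasath's caveat that NULL is a legal stored value still stands).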