Hi Danushka,

Other than the responseType validation, the *validateAccessDelegation* method does the OAuth callback handler invocation. OAuth callback handler is an extension point that can be used to validate the access based on
- AuthenticatedUser
- Consumer Key
- Scopes
- ResponseType

We can register new CallBackHandlers based on the requirements and configure them in the identity.xml file:

<OAuthCallbackHandlers>
    <OAuthCallbackHandler Class="org.wso2.carbon.identity.oauth.callback.DefaultCallbackHandler"/>
</OAuthCallbackHandlers>

Thanks
Isura.

On Thu, Nov 2, 2017 at 2:54 PM, Danushka Fernando <danush...@wso2.com> wrote:
> Hi All
> When access token, id token, auth code or open id token is requested, it
> will go through AuthorizationHandlerManager[1] class to authorize the
> client. There are three authorization steps [2].
>
> 1. First check is isAuthorized check. Here it checks whether it's
> requesting a token or a code and according to that it will check implicit
> or code grant types are allowed for the application and returns true or
> false.[3]
> 2. Second check is validateAccessDelegation check. Here also it checks
> the request type and will check allowance of implicit or code grant types
> and returns true or false.[4]
> 3. Third is scope validation
>
> So according to this analysis both check #1 and #2 are doing the same
> thing and I don't see a way of check #1 getting passed and check #2 getting
> failed. Please correct me if I am wrong.
>
> If this is correct shall we do the necessary adjustment to reduce the
> complexity of the code?
>
> [1] https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/authz/AuthorizationHandlerManager.java
> [2] https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/authz/AuthorizationHandlerManager.java#L100-L123
> [3] https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/authz/handlers/AbstractResponseTypeHandler.java#L128-L165
> [4] https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/authz/handlers/AbstractResponseTypeHandler.java#L66-L104
>
> Thanks & Regards
> Danushka Fernando
> Associate Tech Lead
> WSO2 inc. http://wso2.com/
> Mobile : +94716332729
>

--
*Isura Dilhara Karunaratne*
Associate Technical Lead | WSO2
Email: is...@wso2.com
Mob : +94 772 254 810
Blog : http://isurad.blogspot.com/
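As an added illustration of the extension point Isura describes (this is example code, not code from the thread or from the WSO2 project), below is a custom callback handler that makes a stricter decision than DefaultCallbackHandler on each of the four inputs listed above: consumer key, response type (and grant type at the token endpoint), and scopes. It assumes the OAuthCallbackHandler contract (canHandle, handle, priority, setProperties) as exposed through AbstractOAuthCallbackHandler, the OAuthCallback accessors and OAuthCallbackType constants named in the comments, and that <Property> children of the <OAuthCallbackHandler> element are delivered to setProperties; check each of these against the version of identity-inbound-auth-oauth you run. The package, class name and property names are this example's own choices.

```java
package org.example.oauth.callback; // hypothetical package, not a WSO2 one

import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Properties;
import java.util.Set;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.wso2.carbon.identity.oauth.callback.AbstractOAuthCallbackHandler;
import org.wso2.carbon.identity.oauth.callback.OAuthCallback;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;

/*
 * Added example, not part of identity-inbound-auth-oauth. Registered in
 * identity.xml in place of DefaultCallbackHandler; the <Property> children
 * are assumed to reach setProperties():
 *
 *   <OAuthCallbackHandlers>
 *     <OAuthCallbackHandler Class="org.example.oauth.callback.RestrictiveCallbackHandler">
 *       <Property Name="AllowedConsumerKeys">clientA,clientB</Property>
 *       <Property Name="AllowedScopes">openid,profile</Property>
 *     </OAuthCallbackHandler>
 *   </OAuthCallbackHandlers>
 *
 * Policy: the "code" response type and the ordinary token-endpoint grants are
 * open to every registered client; the implicit response types and the
 * password grant are limited to allow-listed consumer keys; when a scope
 * allow-list is configured, a request naming any scope outside it is rejected.
 */
public class RestrictiveCallbackHandler extends AbstractOAuthCallbackHandler {

    // Property names are this example's own choice (assumption).
    private static final String PROP_ALLOWED_CLIENTS = "AllowedConsumerKeys";
    private static final String PROP_ALLOWED_SCOPES = "AllowedScopes";

    private Set<String> allowedClients = new HashSet<>();
    private Set<String> allowedScopes;   // null = property absent, scopes pass through

    @Override
    public void setProperties(Properties properties) {
        if (properties != null) {
            allowedClients = csvToSet(properties.getProperty(PROP_ALLOWED_CLIENTS));
            allowedScopes = csvToSet(properties.getProperty(PROP_ALLOWED_SCOPES));
        }
        if (allowedClients == null) {
            allowedClients = new HashSet<>();   // no allow-list configured: nobody gets the restricted flows
        }
    }

    @Override
    public boolean canHandle(Callback[] callbacks) throws IdentityOAuth2Exception {
        return callbacks != null && callbacks.length > 0 && callbacks[0] instanceof OAuthCallback;
    }

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        if (callbacks == null || callbacks.length == 0 || !(callbacks[0] instanceof OAuthCallback)) {
            throw new UnsupportedCallbackException(null, "Expected an OAuthCallback");
        }
        OAuthCallback cb = (OAuthCallback) callbacks[0];
        String consumerKey = cb.getClient();   // consumer key of the calling application (assumed accessor)

        switch (cb.getCallbackType()) {        // OAuthCallback.OAuthCallbackType (assumed enum)
            case ACCESS_DELEGATION_AUTHZ:
                // Authorization endpoint: "code" for everyone; implicit response types
                // (token, id_token, id_token token) only for allow-listed consumer keys.
                cb.setAuthorized("code".equals(cb.getResponseType()) || allowedClients.contains(consumerKey));
                break;
            case ACCESS_DELEGATION_TOKEN:
                // Token endpoint: the password grant only for allow-listed consumer keys.
                cb.setAuthorized(!"password".equals(cb.getGrantType()) || allowedClients.contains(consumerKey));
                break;
            case SCOPE_VALIDATION_AUTHZ:
            case SCOPE_VALIDATION_TOKEN: {
                // Fail closed: every requested scope must be on the allow-list, otherwise the
                // whole request is invalid rather than silently trimmed.
                String[] requested = cb.getRequestedScope() == null ? new String[0] : cb.getRequestedScope();
                boolean allAllowed = allowedScopes == null
                        || Arrays.stream(requested).allMatch(allowedScopes::contains);
                cb.setApprovedScope(allAllowed ? requested : new String[0]);
                cb.setValidScope(allAllowed);
                break;
            }
            default:
                throw new UnsupportedCallbackException(cb, "Unknown callback type " + cb.getCallbackType());
        }
    }

    // Comma-separated property value -> trimmed set; null when the property is absent.
    private static Set<String> csvToSet(String csv) {
        if (csv == null) {
            return null;
        }
        Set<String> out = new HashSet<>();
        for (String item : csv.split(",")) {
            if (!item.trim().isEmpty()) {
                out.add(item.trim());
            }
        }
        return out;
    }
}
```

The two design points worth noting: the handler answers the scope callback by rejecting the request when any requested scope is outside the allow-list, instead of approving a trimmed list, so a client cannot discover which scopes it is missing by watching what was granted; and a missing AllowedConsumerKeys property yields an empty set, so the restricted flows stay closed when the deployment forgets to configure them.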