[ 
https://issues.apache.org/jira/browse/CXF-7201?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15787553#comment-15787553
 ] 

Jose Escobar commented on CXF-7201:
-----------------------------------

Hello Sergey,

As far as I can see, there isn't a specific provider that uses 
JwtTokenReaderWriter, so maybe it would be useful if CXF included one in the 
jose.jwt packages (maybe I just can't find it). 

I get the point about letting the UserInfo object flow, but if signature or 
encryption is used, the response is also a String and can't be easily read by 
filters.

In our particular case we also have a problem because we are using 
<bean class="com.fasterxml.jackson.jaxrs.json.JacksonJsonProvider"/> as the 
JSON provider in our jaxrs:server. We have one server with all the serviceBeans 
we want to secure with OAuth2, and some of them use JacksonJsonProvider.

So for us it is better to extend AbstractOAuthServerJoseJwtProducer in a custom 
UserInfoService that always returns Strings. Also, I understand your point of 
view, and maybe it is better to respond with a UserInfo object for general cases 
(delegate crypto in a filter, etc.).

I was really excited about having some lines committed to CXF :P Maybe next time.

Thank you very much!

> Incorrect JSON return in openId connect UserInfo when no signature or 
> encryption
> --------------------------------------------------------------------------------
>
>                 Key: CXF-7201
>                 URL: https://issues.apache.org/jira/browse/CXF-7201
>             Project: CXF
>          Issue Type: Improvement
>          Components: JAX-RS Security
>    Affects Versions: 3.1.9
>            Reporter: Jose Escobar
>            Priority: Minor
>              Labels: jwt, openid
>
> Hello,
> I'm using your org.apache.cxf.rs.security.oidc.idp.UserInfoService to publish 
> an OpenID Connect UserInfo service. When the returned JWT requires signature or 
> encryption I get a correctly formatted JWT, but when no signature or 
> encryption is required, the returned JSON is not correctly formatted. 
> The problem occurs because in the second scenario, JSON marshalling is done 
> outside the scope of cxf jose jwt (by the default JSON marshaller). For a signed 
> or encrypted JWT, JwtUtils.claimsToJson is used and the result is OK.
> I've resolved this using a custom UserInfoService. I'm going to send a pull 
> request with a fix, hoping it could be useful.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
