Improve OIDC compliance #265
Conversation
lbalmaceda
force-pushed
the
oidc-compliance
branch
from
429671d
to
24729be
Compare
lbalmaceda
force-pushed
the
oidc-compliance
branch
from
a7418c4
to
eb66f48
Compare
| @@ -1,16 +0,0 @@ | |||
| { | |||
There was a problem hiding this comment.
renamed to rsa_jwks.json
|
|
||
| import java.util.concurrent.Callable; | ||
|
|
||
| public class MockAuthCallback implements AuthCallback { |
There was a problem hiding this comment.
belongs to the test folder. Helps assert async results
| import static org.hamcrest.Matchers.notNullValue; | ||
| import static org.hamcrest.Matchers.nullValue; | ||
|
|
||
| public class AuthCallbackMatcher extends BaseMatcher<AuthCallback> { |
There was a problem hiding this comment.
belongs to the test folder. Helps assert async results
| "343064304897328574182258821353161480771090757577522755330350956839942443917109665602066633259326057104246834759269337437620283600011255" + | ||
| "336891753201992873507788546321379785324808697815139356191481700515096717744643081207558743005545844515461091232322385145532862505800570" + | ||
| "17053908908888974416937916517307412534155165744508160026990874221314025481541880285443289277406354687335857437573080004037"; | ||
| private static final String EXPECTED_RSA_MODULUS = "2327856100899355911632462598898247024131242" + |
There was a problem hiding this comment.
updated to match the new RSA keys for the test resources
| assertThat(merged.getType(), is(codeCredentials.getType())); | ||
| assertThat(merged.getRefreshToken(), is(codeCredentials.getRefreshToken())); | ||
| assertThat(merged.getExpiresIn(), is(codeCredentials.getExpiresIn())); | ||
| Credentials frontChannelCredentials = new Credentials("urlId", "urlAccess", "urlType", null, expiresAt, "urlScope"); |
There was a problem hiding this comment.
basically changed the logic so the preferred credentials are:
- id token from the front channel, when available
- remaining things from the back channel
| @@ -128,40 +136,115 @@ boolean resume(AuthorizeResult result) { | |||
| try { | |||
| assertNoError(values.get(KEY_ERROR), values.get(KEY_ERROR_DESCRIPTION)); | |||
| assertValidState(parameters.get(KEY_STATE), values.get(KEY_STATE)); | |||
| if (parameters.containsKey(KEY_RESPONSE_TYPE) && parameters.get(KEY_RESPONSE_TYPE).contains(RESPONSE_TYPE_ID_TOKEN)) { | |||
There was a problem hiding this comment.
nonce check moved into ID token verification logic
| final Credentials frontChannelCredentials = new Credentials(values.get(KEY_ID_TOKEN), values.get(KEY_ACCESS_TOKEN), values.get(KEY_TOKEN_TYPE), values.get(KEY_REFRESH_TOKEN), expiresAt, values.get(KEY_SCOPE)); | ||
| boolean frontChannelIdTokenExpected = parameters.containsKey(KEY_RESPONSE_TYPE) && parameters.get(KEY_RESPONSE_TYPE).contains(RESPONSE_TYPE_ID_TOKEN); | ||
|
|
||
| if (frontChannelIdTokenExpected) { |
There was a problem hiding this comment.
always verify the front-channel ID token first, if present. Also, prefer this one over the one received on the back channel (if there is one)
| /** | ||
| * Token signature verifier for HS256 algorithms. | ||
| */ | ||
| class SymmetricSignatureVerifier extends SignatureVerifier { |
There was a problem hiding this comment.
Kept for similarity across implementations. But could remove this class if the main class is declared non-abstract and already implements "doing nothing". Asymmetric could subclass it and implement the new behavior, like today.
There was a problem hiding this comment.
I would suggest omitting it. Creates a bit of confusion having it (IMHO)
There was a problem hiding this comment.
@damieng what's your take here? I know for .net you've added a NoSignatureVerifier that extends/implements SignatureVerifier. Should we keep this but rename it as yours, or remove it?
|
|
||
| @Test | ||
| public void shouldHaveValidNonce() { | ||
| OAuthManager.assertValidNonce("1234567890", "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJub25jZSI6IjEyMzQ1Njc4OTAifQ.oUb6xFIEPJQrFbel_Js4SaOwpFfM_kxHxI7xDOHgghk"); |
There was a problem hiding this comment.
This static method was removed. But the scenario is covered in WebAuthProviderTest
lbalmaceda
force-pushed
the
oidc-compliance
branch
from
890a52e
to
7afe4b7
Compare
There was a problem hiding this comment.
A few questions/comments.
My main concern with this PR is all the extra work done in the callback. Is all that necessary to add ID token validation? Particularly when we really should be pushing developers towards response_type=code here. Feels like a lot of work for situations that we should, at some point, disable.
auth0/src/main/java/com/auth0/android/provider/AsymmetricSignatureVerifier.java
Show resolved
Hide resolved
| /** | ||
| * Token signature verifier for HS256 algorithms. | ||
| */ | ||
| class SymmetricSignatureVerifier extends SignatureVerifier { |
There was a problem hiding this comment.
I would suggest omitting it. Creates a bit of confusion having it (IMHO)
auth0/src/main/java/com/auth0/android/provider/WebAuthProvider.java
Outdated
Show resolved
Hide resolved
auth0/src/main/java/com/auth0/android/provider/WebAuthProvider.java
Outdated
Show resolved
Hide resolved
Changes
This update improves the SDK support for OpenID Connect. In particular, it modifies the sign-in verification phase by substituting backchannel based checks with id_token validation where possible.
Testing
This PR contains some unit tests and integration tests to prove the logic is in place for the different authentication scenarios. Additional unit tests on a separate PR will complement the token verification logic.
This change adds unit test coverage
This change adds integration test coverage
This change has been tested on the latest version of the platform/language or why not
Checklist
I have read the Auth0 general contribution guidelines
I have read the Auth0 Code of Conduct
All existing and new tests complete without errors