
Support multiple response_type values #38

Merged
merged 8 commits into from
Nov 30, 2016

Conversation

lbalmaceda (Contributor) wrote:

WebAuthProvider can now handle multiple response_type values as per https://openid.net/specs/oauth-v2-multiple-response-types-1_0.html#Combinations.

Possible values are:

  • ResponseType.CODE
  • ResponseType.ID_TOKEN
  • ResponseType.TOKEN

i.e.:

int type = ResponseType.CODE | ResponseType.ID_TOKEN;
WebAuthProvider.init(account)
    .withResponseType(type)
    .start(activity, callback);
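As an added example that is not the library's own code (the class, constant values and method names are hypothetical), this carries the flag composition sketched above through to the pieces the review discusses: building the response_type value from the flags, drawing state/nonce values from a CSPRNG, sending a nonce only when one is needed, and checking the returned claim without a double negation.

```java
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;

// Hypothetical stand-alone model of the flag API the PR describes; not the library's code.
public final class ResponseTypeExample {
    // Single-bit flags so they combine with '|' exactly as in the PR description.
    public static final int CODE = 1;
    public static final int ID_TOKEN = 1 << 1;
    public static final int TOKEN = 1 << 2;
    private static final int ALL = CODE | ID_TOKEN | TOKEN;
    private static final SecureRandom RANDOM = new SecureRandom();

    // Builds the space-separated response_type value (code, id_token, token), rejecting
    // an empty or unknown flag set instead of emitting an empty parameter.
    public static String toResponseType(int type) {
        if (type == 0 || (type & ~ALL) != 0) {
            throw new IllegalArgumentException("unsupported response_type flags: " + type);
        }
        List<String> parts = new ArrayList<>();
        if ((type & CODE) == CODE) parts.add("code");
        if ((type & ID_TOKEN) == ID_TOKEN) parts.add("id_token");
        if ((type & TOKEN) == TOKEN) parts.add("token");
        return String.join(" ", parts);
    }

    // 128 bits from a CSPRNG, URL-safe encoded, usable for both state and nonce.
    public static String randomValue() {
        byte[] buf = new byte[16];
        RANDOM.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    // A caller-supplied nonce is always sent; a generated one only when an id_token is requested.
    public static String nonceToSend(int type, String callerNonce) {
        if (callerNonce != null) return callerNonce;
        return (type & ID_TOKEN) == ID_TOKEN ? randomValue() : null;
    }

    // Compares the expected nonce with the id_token's nonce claim; fails closed on any null.
    public static boolean nonceMatches(String expected, String claim) {
        return expected != null && claim != null && expected.equals(claim);
    }

    public static void main(String[] args) {
        int type = CODE | ID_TOKEN;
        System.out.println(toResponseType(type));
        System.out.println(nonceToSend(TOKEN, null) == null);
    }
}
```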

this.state = UUID.randomUUID().toString();
this.scope = null;
withResponseType(ResponseType.CODE);
withState(UUID.randomUUID().toString());
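Review bot: the `state` value is generated in two places here, once as `this.state = UUID.randomUUID().toString()` and again via `withState(UUID.randomUUID().toString())`; keep a single default path (have the constructor call `withState(...)` once) so the generator behind the CSRF-binding `state` value lives in one place, and make that generator explicit (a `SecureRandom`-backed value) rather than relying on what `UUID.randomUUID()` does internally.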
Reviewer (Member) commented:

Use SecureRandom

}

/**
* Use a custom nonce in the requests
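Review bot: the Javadoc opening `Use a custom nonce in the requests` says neither what the nonce is for nor when it is sent; document that it binds the request to the returned id_token (the value comes back as the `nonce` claim and is compared on the way in), that one is generated when the caller sets none, and that it is only meaningful when `id_token` is among the requested response types.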
Reviewer (Member) commented:

Specify a custom nonce value to avoid replay attacks. It will be sent in the auth request that will be returned back as a claim in the id_token

*/
public Builder withResponseType(@ResponseType int type) {
StringBuilder sb = new StringBuilder();
if ((type & ResponseType.CODE) != 0) {
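Review bot: `withResponseType` should reject a `type` with no known bit set, or with bits outside `CODE`, `ID_TOKEN` and `TOKEN`, before building the string; as written an argument of `0` yields an empty `response_type` parameter and a stray bit is silently ignored. Throwing an `IllegalArgumentException` from the builder keeps the error at the call site instead of at the authorization server.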
Reviewer (Member) commented:

I think it should be (type & ResponseType.CODE) == ResponseType.CODE

try {
final JWT idToken = new JWT(token);
final Claim nonceClaim = idToken.getClaim(KEY_NONCE);
return !(nonceClaim == null || !nonce.equals(nonceClaim.asString()));
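Review bot: `nonce.equals(...)` throws if the expected `nonce` is null, and the `catch` that pairs with this `try` must return `false` for a token that cannot be decoded, so that a malformed id_token fails closed; with those two cases covered the body reads more directly as `return nonceClaim != null && nonce.equals(nonceClaim.asString());`.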
Reviewer (Member) commented:

Can we avoid the double negation?

queryParameters.put(KEY_RESPONSE_TYPE, RESPONSE_TYPE_TOKEN);

if (!getResponseType().contains(RESPONSE_TYPE_ID_TOKEN)) {
queryParameters.remove(KEY_NONCE);
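Review bot: `getResponseType().contains(RESPONSE_TYPE_ID_TOKEN)` decides whether to keep the nonce from the serialized value; if `getResponseType()` returns the space-joined string, a substring test is fragile (the same pattern with `RESPONSE_TYPE_TOKEN` would also match `id_token`), so base the decision on the integer flags, `(type & ResponseType.ID_TOKEN) == ResponseType.ID_TOKEN`, or split the string on spaces before comparing.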
Reviewer (Member) commented:

We should only do this if we generated the nonce, if the user provided one we should still send it

@lbalmaceda lbalmaceda force-pushed the resp-type-idtoken branch 2 times, most recently from 1997f3a to ad79347 Compare November 25, 2016 18:11
@hzalaz hzalaz added this to the 1.2.0 milestone Nov 29, 2016
@hzalaz hzalaz merged commit fd24f9d into master Nov 30, 2016
@hzalaz hzalaz deleted the resp-type-idtoken branch November 30, 2016 00:11
2 participants