Add support for resource parameter #888
Conversation
| @@ -0,0 +1,32 @@ | |||
| /** | |||
| * Copyright (c) Istituto Nazionale di Fisica Nucleare (INFN). 2016-2021 | |||
There was a problem hiding this comment.
At least for new files, let's use the right year(s). In this case it would just be 2024.
There was a problem hiding this comment.
Ok, maybe we can add a PR which updates all the licenses, otherwise the workflow would fail here https://github.com/indigo-iam/iam/blob/master/.github/workflows/maven.yml#L27.
iam-login-service/src/main/java/it/infn/mw/iam/core/oauth/IamOAuth2RequestFactory.java
Outdated
Show resolved
Hide resolved
| new URL(url).toURI(); | ||
| return true; | ||
| } catch (MalformedURLException | URISyntaxException e) { | ||
| throw new InvalidResourceError("Not a valid URI: " + url); |
There was a problem hiding this comment.
In case of an exception, it's not clear to me at what level the exception is caught; in other words, does the whole request fail? just the setting of the audience? if resource is invalid, shall we (re)consider the aud parameter instead?
There was a problem hiding this comment.
can you add some tests for these cases, please?
There was a problem hiding this comment.
If the "resource" is not a valid URI, the whole request fails (see tests https://github.com/indigo-iam/iam/blob/issue-381/iam-login-service/src/test/java/it/infn/mw/iam/test/oauth/ResourceIndicatorTests.java).
At least this is my interpretation of the specification, which states
If the authorization server fails to parse the provided value(s) or does not consider the resource(s) acceptable, it should reject the request with an error response using the error code invalid_target as the value of the error parameter and can provide additional information regarding the reasons for the error using the error_description.
iam-login-service/src/main/java/it/infn/mw/iam/core/oauth/IamOAuth2RequestFactory.java
Outdated
Show resolved
Hide resolved
| final String audience = authentication.getOAuth2Request() | ||
| .getRefreshTokenRequest() | ||
| .getRequestParameters() | ||
| .get(RESOURCE); |
There was a problem hiding this comment.
This was already computed in the if. Can we reuse that value?
There was a problem hiding this comment.
In case refreshTokenRequest is null, refreshTokenRequest.getRequestParameters() would return a NullPointerException.
|
Following RFC8707, during an OAuth request the client may indicate a resource parameter, which is the target service to which access is being requested (MUST be an absolute URI). The value of the resource parameter is returned as aud claim in the JWT.
In case both
audienceandresourceare provided, only the resource parameter will be included in the token (as aud claim).