rombert commented on code in PR #44:
URL:
https://github.com/apache/sling-org-apache-sling-auth-oauth-client/pull/44#discussion_r2959049213
##########
src/main/java/org/apache/sling/auth/oauth_client/impl/SlingUserInfoProcessorImpl.java:
##########
@@ -181,6 +180,21 @@ public SlingUserInfoProcessorImpl(
OAuthTokenStore.PROPERTY_NAME_REFRESH_TOKEN);
}
+ // Store the ID Token for logout (id_token_hint at IdP
end_session_endpoint)
+ // SECURITY NOTE: The ID token is encrypted before storage but
increases the attack surface.
+ // Ensure proper access controls on user profile storage and rotation
of encryption keys.
+ String idToken = tokens.idToken();
+ if (storeIdToken && idToken != null && !idToken.isEmpty()) {
+ try {
+
credentials.setAttribute(OAuthTokenStore.PROPERTY_NAME_ID_TOKEN,
cryptoService.encrypt(idToken));
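Review bot: The SECURITY NOTE at the top of this hunk lists operator obligations (access controls on the user profile storage, rotation of the encryption keys) that the code itself cannot enforce, while the only deployer-facing control is the `storeIdToken` flag that gates the block. Suggest moving that guidance out of the method body into the class-level javadoc and into the configuration description of `storeIdToken`, so it is visible where the option is actually turned on, and stating there that the stored value is used only as `id_token_hint` at the IdP `end_session_endpoint`. The `try {` is opened on the last line of the hunk and its catch is outside the visible range; please make sure an encryption failure is logged rather than swallowed, otherwise logout would silently degrade to a request without `id_token_hint` and nobody would notice.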
Review Comment:
Can you please add a comment explaining that in this class? Can be a
follow-up PR.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.