On Fri, May 19, 2017 at 3:35 PM, Farasath Ahamed <[email protected]> wrote:
> Created https://wso2.org/jira/browse/IDENTITY-5959 to track this.
>
> Farasath Ahamed
> Software Engineer, WSO2 Inc.; http://wso2.com
> Mobile: +94777603866
> Blog: blog.farazath.com
> Twitter: @farazath619 <https://twitter.com/farazath619>
> <http://wso2.com/signature>
>
> On Thu, May 18, 2017 at 9:10 PM, Pushpalanka Jayawardhana <[email protected]> wrote:
>
>> Hi,
>>
>> On Thu, May 18, 2017 at 4:58 PM, Farasath Ahamed <[email protected]> wrote:
>>
>>> Hi,
>>>
>>> With our current implementation, we check whether an OAuth app is active
>>> at [1]. This happens before we complete client authentication at [2].
>>>
>>> Therefore, even for an invalid client_id value, the error message that we
>>> would get is "Oauth App is not in active state.", which is not the
>>> expected behaviour.
>>>
>>> To fix this, I see two options:
>>>
>>> 1. Handle the APP_STATE value being NULL (i.e. no app was found for the given
>>> consumer key) properly. The APP_STATE column allows NULL as a value, so we can't
>>> exactly say that APP_STATE == 'NULL' would imply that there is no app for a
>>> given consumer key.
>>>
>> +1. Thanks Isura.
> +1 for this approach. With this we can avoid some processing done in vain
>> and respond to invalid requests much earlier. Saving NULL for APP_STATE seems
>> something we should investigate and fix.
>>
>>> 2. Move the APP_STATE validation logic to be done after [2].
>>>
>>> WDYT?
>>>
>>> [1] https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/token/OAuth2TokenEndpoint.java#L87-L97
>>>
>>> [2] https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/AccessTokenIssuer.java#L168
>>>
>>> Thanks,
>>> Farasath Ahamed
>>> Software Engineer, WSO2 Inc.; http://wso2.com
>>> Mobile: +94777603866
>>> Blog: blog.farazath.com
>>> Twitter: @farazath619 <https://twitter.com/farazath619>
>>> <http://wso2.com/signature>
>>>
>>
>> --
>> Pushpalanka.
>> --
>> Pushpalanka Jayawardhana, B.Sc.Eng.(Hons).
>> Senior Software Engineer, WSO2 Lanka (pvt) Ltd; wso2.com/
>> Mobile: +94779716248
>> Blog: pushpalankajaya.blogspot.com/ | LinkedIn: lk.linkedin.com/in/pushpalanka/ | Twitter: @pushpalanka
>>
>
> _______________________________________________
> Dev mailing list
> [email protected]
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>

--
*Isura Dilhara Karunaratne*
Senior Software Engineer | WSO2
Email: [email protected]
Mob : +94 772 254 810
Blog : http://isurad.blogspot.com/
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
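The two orderings discussed in the thread, as an added example that is not code from the thread or from the identity-inbound-auth-oauth project: a constructed Python token endpoint with the state-first flow (the current behaviour, where a client_id with no app yields a NULL state and is reported as "Oauth App is not in active state.") beside the authenticate-first flow of option 2. The app registry, the secrets, the `invalid_request`/`invalid_client` error codes, the "Client authentication failed." wording and the fail-closed handling of a NULL APP_STATE on an existing app are assumptions made for the example.

```python
"""Order of checks at an OAuth 2.0 token endpoint: app state before or after
client authentication. Constructed example; not WSO2 code."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

APP_NOT_ACTIVE = "Oauth App is not in active state."  # message quoted in the thread
AUTH_FAILED = "Client authentication failed."         # assumed wording


@dataclass(frozen=True)
class OAuthApp:
    consumer_key: str
    secret_hash: str            # sha256 hex of the consumer secret (constructed)
    app_state: Optional[str]    # None mirrors an APP_STATE column that allows NULL


def _sha256(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# Constructed app registry standing in for the database lookup by consumer key.
APPS: Dict[str, OAuthApp] = {
    "active-client": OAuthApp("active-client", _sha256("active-secret"), "ACTIVE"),
    "revoked-client": OAuthApp("revoked-client", _sha256("revoked-secret"), "REVOKED"),
    "legacy-client": OAuthApp("legacy-client", _sha256("legacy-secret"), None),
}

# Compared against when no app exists, so an unknown client_id costs a hash
# comparison like a wrong secret does instead of returning early.
_DUMMY_HASH = _sha256(secrets.token_hex(16))


def lookup_app(consumer_key: str) -> Optional[OAuthApp]:
    return APPS.get(consumer_key)


def authenticate_client(client_id: str, client_secret: str) -> Optional[OAuthApp]:
    """Return the app only if client_id exists and the secret matches."""
    app = lookup_app(client_id)
    expected = app.secret_hash if app is not None else _DUMMY_HASH
    matches = hmac.compare_digest(expected, _sha256(client_secret))
    return app if (app is not None and matches) else None


def _error(code: str, description: str) -> dict:
    return {"error": code, "error_description": description}


def token_state_first(client_id: str, client_secret: str) -> dict:
    """Current ordering: APP_STATE is inspected before client authentication.
    A missing app yields a None state, so an unknown client_id is reported as
    an inactive app, and only an existing client gets as far as authentication."""
    app = lookup_app(client_id)
    state = app.app_state if app is not None else None
    if state != "ACTIVE":
        return _error("invalid_request", APP_NOT_ACTIVE)
    if authenticate_client(client_id, client_secret) is None:
        return _error("invalid_client", AUTH_FAILED)
    return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer"}


def token_auth_first(client_id: str, client_secret: str) -> dict:
    """Option 2 ordering: authenticate the client, then check its state.
    Unknown key and wrong secret are indistinguishable to the caller, and the
    app state is revealed only to a client that proved possession of the secret.
    A NULL APP_STATE on an existing app fails closed (assumed policy)."""
    app = authenticate_client(client_id, client_secret)
    if app is None:
        return _error("invalid_client", AUTH_FAILED)
    if app.app_state != "ACTIVE":
        return _error("invalid_client", APP_NOT_ACTIVE)
    return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer"}


if __name__ == "__main__":
    for cid, sec in [("no-such-client", "x"), ("active-client", "wrong"),
                     ("revoked-client", "revoked-secret"), ("legacy-client", "legacy-secret")]:
        print(cid, "state-first:", token_state_first(cid, sec))
        print(cid, "auth-first: ", token_auth_first(cid, sec))
```

Besides returning the wrong error, the state-first ordering lets an unauthenticated caller tell an existing active consumer key (it gets `invalid_client`) from one that does not exist or is inactive (it gets the "not in active state" message), which is an enumeration oracle for consumer keys. With authentication first, an unknown key and a wrong secret produce the same response, and the app's state is disclosed only after the secret has been verified; treating a NULL state on a real app as inactive keeps the endpoint failing closed until the NULL values themselves are cleaned up.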
