  1. Commons
  2. COMMONS-329

PropertyResolverSecretStore cannot be used to verify HMAC-signed ID Tokens

    Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • 24.0.0, 23.1.1
    • 24.0.0, 23.1.2
    • Secrets
    • CTSNEX Sprint 29, CTSNEX Sprint 30

      Description

      HMAC-signed ID tokens do not have a key ID (see OPENAM-5697), and so when trying to verify an incoming ID token, all valid secrets must be checked to see if they can verify the token. However, the implementation of PropertyResolverSecretStore#getValid(Purpose) always returns an empty stream, even when the purpose has an active secret for the purpose label.

      The getValid method should be properly implemented to return either a stream of the active secret, if one exists, or an empty stream if not.
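
The failure mode described above, as an added example that is not the Commons Secrets code: a verifier for a `kid`-less HS256 token has to try every secret the store reports as valid, so a store whose valid-secret stream is always empty rejects every token. The `Store` interface, the `broken`/`fixed` factories, the `idtoken.verify` label and the key and token values are hypothetical and constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;
import java.util.stream.Stream;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical model of a single-secret store; not the Commons Secrets API.
public class HmacIdTokenCheck {
    interface Store { Stream<byte[]> getValid(String purposeLabel); }

    // Behaviour described in the report: the valid stream is always empty.
    static Store broken(Map<String, byte[]> props) { return label -> Stream.empty(); }

    // Behaviour requested: the active secret if one exists, otherwise empty.
    static Store fixed(Map<String, byte[]> props) {
        return label -> Optional.ofNullable(props.get(label)).stream();
    }

    static byte[] hs256(byte[] key, String signingInput) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(signingInput.getBytes(StandardCharsets.US_ASCII));
    }

    // No key ID to select on, so every valid secret is a candidate.
    // The algorithm is pinned to HS256 here, never taken from the token header.
    static boolean verify(Store store, String label, String jwt) {
        String[] p = jwt.split("\\.");
        if (p.length != 3) return false;
        byte[] sig;
        try { sig = Base64.getUrlDecoder().decode(p[2]); }
        catch (IllegalArgumentException e) { return false; }
        return store.getValid(label).anyMatch(k -> {
            try { return MessageDigest.isEqual(hs256(k, p[0] + "." + p[1]), sig); }
            catch (Exception e) { return false; }
        });
    }

    public static void main(String[] args) throws Exception {
        Base64.Encoder b64 = Base64.getUrlEncoder().withoutPadding();
        byte[] key = "constructed-demo-secret-value-01".getBytes(StandardCharsets.US_ASCII);
        String input = b64.encodeToString("{\"alg\":\"HS256\"}".getBytes(StandardCharsets.US_ASCII))
            + "." + b64.encodeToString("{\"sub\":\"demo\"}".getBytes(StandardCharsets.US_ASCII));
        String jwt = input + "." + b64.encodeToString(hs256(key, input));
        Map<String, byte[]> props = Map.of("idtoken.verify", key);
        System.out.println("broken store verifies: " + verify(broken(props), "idtoken.verify", jwt));
        System.out.println("fixed store verifies:  " + verify(fixed(props), "idtoken.verify", jwt));
    }
}
```

With the empty-stream store the failure is fail-closed: correctly signed tokens are rejected rather than forged ones accepted, so it surfaces as an availability problem for HMAC-signed ID tokens.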

            People

            Unassigned Unassigned
            jamesphillpotts James Phillpotts