This repository was archived by the owner on Jun 16, 2021. It is now read-only.

More Okta updates to TCK#330

Closed: nbarbettini wants to merge 6 commits into master from nate-okta-updates

Conversation

@nbarbettini (Member) commented Apr 20, 2017
  • Fixed a lot of small issues.

  • Made the JWT support RSA (asymmetric) signed tokens, which is what Okta returns. The elegant solution would be to inspect the JWKS document on the Authorization Server's .well-known endpoint, but for now I just used a hack: you have to copy the key's modulus and exponent into the JWT_SIGNING_KEY_MOD and JWT_SIGNING_KEY_EXP env vars. If someone wants to make it better, be my guest 😄
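The description contrasts two ways of sourcing the RSA public key for an Okta-issued token: copying the modulus and exponent by hand into JWT_SIGNING_KEY_MOD / JWT_SIGNING_KEY_EXP, or selecting the key by `kid` from the Authorization Server's JWKS document. The following Python is an added example, not code from this PR or the TCK, showing both key sources feeding the same RS256 (RSASSA-PKCS1-v1_5 with SHA-256) verifier, plus the rejections a verifier owes the caller: a forged payload, a header claiming `alg: none`, and an expired token. Helper names (`select_jwk`, `verify_rs256_jwt`, `run_demo` and the rest), the issuer URL, the claims and the key material are all constructed for the example; key generation and signing are included only so it runs offline.

```python
import base64, hashlib, json, random, time

# Constructed example: helper names (select_jwk, run_demo, ...) are this example's own.
def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def jwk_to_public_numbers(n_b64, e_b64):
    # JWK 'n'/'e' (the same base64url strings the PR description copies into
    # JWT_SIGNING_KEY_MOD / JWT_SIGNING_KEY_EXP) -> RSA public numbers (n, e)
    return int.from_bytes(b64url_decode(n_b64), "big"), int.from_bytes(b64url_decode(e_b64), "big")

def public_numbers_to_jwk(n, e, kid):
    # inverse of the above, used only to build the constructed JWKS document in run_demo
    as_b64 = lambda x: b64url_encode(x.to_bytes((x.bit_length() + 7) // 8, "big"))
    return {"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid, "n": as_b64(n), "e": as_b64(e)}

def select_jwk(jwks, kid):
    # the alternative the description prefers: pick the key whose kid matches the token
    # header from a JWKS document (in practice fetched via the issuer's .well-known metadata)
    for key in jwks.get("keys", []):
        if key.get("kty") == "RSA" and key.get("kid") == kid:
            return jwk_to_public_numbers(key["n"], key["e"])
    raise ValueError("no RSA key with kid=%r in JWKS" % kid)

_SHA256_DIGEST_INFO = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017, 9.2 note 1

def _emsa_pkcs1_v15(message, em_len):
    # EMSA-PKCS1-v1_5 encoding: 00 01 FF..FF 00 || DigestInfo(SHA-256(message))
    t = _SHA256_DIGEST_INFO + hashlib.sha256(message).digest()
    if em_len < len(t) + 11:
        raise ValueError("modulus too small for RS256")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t

def rsassa_pkcs1_v15_sha256_verify(n, e, message, signature):
    # compare the whole recovered encoding, never just the trailing hash bytes
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    s = int.from_bytes(signature, "big")
    return s < n and pow(s, e, n).to_bytes(k, "big") == _emsa_pkcs1_v15(message, k)

def verify_rs256_jwt(token, n, e, now=None):
    # returns the claims of a valid RS256 compact JWT, raises ValueError otherwise
    # (a wrong number of segments already raises ValueError from the unpack)
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    # an RSA verifier accepts only the alg its key is for: a header claiming 'none' or
    # an HMAC alg is rejected before any signature math happens
    if header.get("alg") != "RS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    if not rsassa_pkcs1_v15_sha256_verify(n, e, signing_input, b64url_decode(sig_b64)):
        raise ValueError("signature verification failed")
    claims = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if "exp" in claims and now >= int(claims["exp"]):
        raise ValueError("token expired")
    return claims

def verification_fails(token, n, e, now):
    try:
        verify_rs256_jwt(token, n, e, now)
    except ValueError:
        return True
    return False

# --- test-only key generation and signing so the example runs offline; the Fermat test
# and the 'random' module are acceptable for a throwaway demo key, never for real keys ---
def generate_rsa_keypair(bits=1024):
    e = 65537
    while True:
        p, q = (random.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1 for _ in range(2))
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and n.bit_length() == bits and phi % e and all(
                pow(a, x - 1, x) == 1 for x in (p, q) for a in (2, 3, 5, 7, 11)):
            return n, e, pow(e, -1, phi)

def sign_rs256_jwt(claims, n, d, kid="test-key"):
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT", "kid": kid}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    k = (n.bit_length() + 7) // 8
    m = int.from_bytes(_emsa_pkcs1_v15((header + "." + payload).encode("ascii"), k), "big")
    return header + "." + payload + "." + b64url_encode(pow(m, d, n).to_bytes(k, "big"))

def run_demo():
    # sign a constructed token, verify it through a JWKS lookup, then confirm that tampered,
    # alg=none and expired tokens are all rejected (every value below is constructed)
    n, e, d = generate_rsa_keypair(1024)
    claims = {"sub": "jane@example.com", "iss": "https://issuer.example", "exp": 2000000000}
    token = sign_rs256_jwt(claims, n, d)
    header_b64, payload_b64, sig_b64 = token.split(".")
    forged = b64url_encode(json.dumps(dict(claims, sub="mallory@example.com")).encode())
    none_hdr = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    jwks = {"keys": [public_numbers_to_jwk(n, e, "test-key")]}
    jwks_n, jwks_e = select_jwk(jwks, json.loads(b64url_decode(header_b64))["kid"])
    return {
        "verified_sub": verify_rs256_jwt(token, jwks_n, jwks_e, now=1000000000)["sub"],
        "tampered_rejected": verification_fails(f"{header_b64}.{forged}.{sig_b64}", n, e, 1000000000),
        "alg_none_rejected": verification_fails(f"{none_hdr}.{payload_b64}.", n, e, 1000000000),
        "expired_rejected": verification_fails(token, n, e, 3000000000),
    }
```

Running `run_demo()` exercises the JWKS path end to end; the env-var hack from the description is the same `jwk_to_public_numbers` call fed from `os.environ` instead of a JWKS entry. Two design points carry over to a real verifier: the `alg` header is checked against the key type before any signature math, and the PKCS#1 v1.5 comparison covers the full encoded block rather than only the hash bytes at its tail.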


// TODO - will need to make this configurable for Okta
String rawChangePasswordEmail = account.getEmail("stormpath.com")
String rawChangePasswordEmail = account.getEmail("okta.com")
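Review bot: the `// TODO - will need to make this configurable for Okta` comment is left in place while the literal is only swapped from "stormpath.com" to "okta.com", so the test now hard-codes the other provider instead of becoming configurable; read the domain from configuration (for example an environment variable alongside the ones this PR already adds) and drop the TODO once that is done.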

Review comment (Contributor):

This cannot be hard coded, the tests work against both stormpath and okta (and if sending verification emails through a non-okta domain the from may be different) i.e. google forces the 'from' field to the sender.
(I hacked up a fix for this yesterday before seeing your PR)

.path("access_token")

assertTrue(JwtUtils.extractJwtClaim(accessToken, "sub") == account.href)
assertTrue(JwtUtils.extractJwtClaim(accessToken, "sub") == account.email)

Review comment (Contributor):

This should probably be an href || email check ?

facebookClientSecret = getVal("FACEBOOK_CLIENT_SECRET")
if (jwtSigningKey == null || facebookClientId == null || facebookClientSecret == null) {
fail("JWT_SIGNING_KEY, FACEBOOK_CLIENT_ID and FACEBOOK_CLIENT_SECRET environment variables are required")
if (jwtSigningKeyModulus == null || jwtSigningKeyExponent == null || facebookClientId == null || facebookClientSecret == null) {
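Review bot: the `fail("JWT_SIGNING_KEY, FACEBOOK_CLIENT_ID and FACEBOOK_CLIENT_SECRET environment variables are required")` message still names JWT_SIGNING_KEY, but the added condition checks jwtSigningKeyModulus and jwtSigningKeyExponent; update the message to list JWT_SIGNING_KEY_MOD and JWT_SIGNING_KEY_EXP (the variables this PR introduces) so a missing variable is reported by the name the operator has to set.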

Review comment (Contributor):

We should probably allow setting both. Or we could just set the keys endpoint and download the keys as needed?

@bdemers (Contributor) commented Apr 21, 2017

Hey, I didn't see this PR until last night. I pushed some changes in #331 that should address a couple of the things I've mentioned (but leave a few other problems, like JWT validation).

I can take a shot at using the keys endpoint to validate the RSA key (I have some similar code in the Java SDK already).
