This repository has been archived by the owner on Jun 16, 2021. It is now read-only.

More Okta updates to TCK #330

Closed
wants to merge 6 commits into from

Conversation

@nbarbettini (Member) commented Apr 20, 2017

  • Fixed a lot of small issues.

  • Made the JWT support RSA (asymmetric) signed tokens, which is what Okta returns. The elegant solution would be to inspect the JWKS document on the Authorization Server's .well-known endpoint, but for now I just used a hack: you have to copy the key's modulus and exponent into the JWT_SIGNING_KEY_MOD and JWT_SIGNING_KEY_EXP env vars. If someone wants to make it better, be my guest 😄

.when()
.post(ForgotRoute)
.then()
.statusCode(200)

// TODO - will need to make this configurable for Okta
String rawChangePasswordEmail = account.getEmail("stormpath.com")
String rawChangePasswordEmail = account.getEmail("okta.com")
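Review bot: the TODO just above this change still says the sender domain needs to be made configurable for Okta, yet the change only swaps the literal "stormpath.com" for "okta.com", so the test is now pinned to Okta instead of Stormpath. Take the expected domain from the test configuration the way the other settings in this PR are (the getVal("...") environment lookups), and keep the TODO in place until that is done.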
Contributor

This cannot be hard-coded, the tests work against both Stormpath and Okta (and if sending verification emails through a non-Okta domain the 'from' may be different), i.e. Google forces the 'from' field to the sender.
(I hacked up a fix for this yesterday before seeing your PR.)

@@ -128,7 +128,7 @@ class Oauth2IT extends AbstractIT {
.extract()
.path("access_token")

assertTrue(JwtUtils.extractJwtClaim(accessToken, "sub") == account.href)
assertTrue(JwtUtils.extractJwtClaim(accessToken, "sub") == account.email)
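Review bot: changing the expected "sub" value from account.href to account.email turns a Stormpath-shaped assertion into an Okta-shaped one, so the test can only pass against one backend at a time even though the suite is run against both. Either accept both forms, e.g. `sub == account.href || sub == account.email`, or pick the expected value from the backend under test. Using assertEquals(expected, actual) rather than assertTrue(a == b) would also make a failure print the actual claim value instead of just "false".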
Contributor

This should probably be an href || email check?

facebookClientId = getVal("FACEBOOK_CLIENT_ID")
facebookClientSecret = getVal("FACEBOOK_CLIENT_SECRET")
if (jwtSigningKey == null || facebookClientId == null || facebookClientSecret == null) {
fail("JWT_SIGNING_KEY, FACEBOOK_CLIENT_ID and FACEBOOK_CLIENT_SECRET environment variables are required")
if (jwtSigningKeyModulus == null || jwtSigningKeyExponent == null || facebookClientId == null || facebookClientSecret == null) {
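Review bot: the new condition checks jwtSigningKeyModulus and jwtSigningKeyExponent, but the fail(...) message visible in this hunk still names JWT_SIGNING_KEY, so someone who forgot JWT_SIGNING_KEY_MOD or JWT_SIGNING_KEY_EXP is told to set a variable the condition no longer reads; update the message to list JWT_SIGNING_KEY_MOD and JWT_SIGNING_KEY_EXP. Making both values mandatory also removes the option of configuring only the symmetric JWT_SIGNING_KEY; since the tests run against both Stormpath and Okta, require either the symmetric key or the modulus/exponent pair rather than the pair unconditionally.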
Contributor

We should probably allow setting both. Or we could just set the keys endpoint and download the keys as needed?

@bdemers (Contributor) commented Apr 21, 2017

Hey, I didn't see this PR until last night. I pushed some changes in #331 that should address a couple of the things I've mentioned (but leave a few other problems, like JWT validation).

I can take a shot at using the keys endpoint to validate the RSA key (I have some similar code in the Java SDK already).
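Worked example of the two approaches discussed in this thread: the PR description's hack of copying the key's modulus and exponent into JWT_SIGNING_KEY_MOD / JWT_SIGNING_KEY_EXP, and the keys-endpoint approach suggested in the review comments and in the comment above, where the verifier selects the key by `kid` from the JWKS document the authorization server publishes (in production, fetched and cached from the `jwks_uri` in its `.well-known` metadata; here the document is passed in so the example runs offline). This is an added example, not code from the TCK or from the Okta/Stormpath SDKs, and it is Python with only the standard library rather than the TCK's Groovy, so RSASSA-PKCS1-v1_5 with SHA-256 is implemented by hand. Assumptions that are this example's own: the env vars hold the JWK base64url form of "n" and "e", the sample RSA key is built from two publicly known Mersenne primes, and the JWKS document and tokens are constructed inline.

```python
# Added example (not TCK/SDK code): RS256 JWT verification from a JWK-style
# (n, e) pair, either from env vars or selected by kid from a JWKS document.
import base64
import hashlib
import hmac
import json
import os

# DER prefix of DigestInfo for SHA-256 (RFC 8017 section 9.2, note 1).
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def b64url_decode(s):
    """base64url without padding, as JWT and JWK use it."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")

def jwk_to_rsa_numbers(jwk):
    """(n, e) as integers from a JWK's base64url "n" and "e" members."""
    if jwk.get("kty") != "RSA":
        raise ValueError("not an RSA JWK")
    return (int.from_bytes(b64url_decode(jwk["n"]), "big"),
            int.from_bytes(b64url_decode(jwk["e"]), "big"))

def rsa_numbers_from_env(environ=os.environ):
    """The PR's hack: modulus and exponent copied into two env vars
    (assumed here to hold the JWK base64url form)."""
    mod, exp = environ.get("JWT_SIGNING_KEY_MOD"), environ.get("JWT_SIGNING_KEY_EXP")
    if not mod or not exp:
        raise RuntimeError("JWT_SIGNING_KEY_MOD and JWT_SIGNING_KEY_EXP are required")
    return jwk_to_rsa_numbers({"kty": "RSA", "n": mod, "e": exp})

def jwks_lookup(jwks):
    """The better way: select the JWKS entry whose kid matches the token header.
    Production code fetches (and caches) jwks from the jwks_uri in the
    authorization server's .well-known metadata; here it is passed in."""
    def lookup(header):
        for jwk in jwks["keys"]:
            if jwk.get("kid") == header.get("kid") and jwk.get("use", "sig") == "sig":
                return jwk_to_rsa_numbers(jwk)
        raise ValueError("no signing key with kid %r" % header.get("kid"))
    return lookup

def _emsa_pkcs1_v15(message, k):
    """EM = 0x00 || 0x01 || 0xFF... || 0x00 || DigestInfo(SHA-256(message))."""
    t = _SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too short for SHA-256")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_verify(signing_input, signature, n, e):
    """RSASSA-PKCS1-v1_5: recover EM = s^e mod n and compare it whole."""
    k = (n.bit_length() + 7) // 8
    if len(signature) != k or int.from_bytes(signature, "big") >= n:
        return False
    em = pow(int.from_bytes(signature, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, _emsa_pkcs1_v15(signing_input, k))

def verify_jwt(token, key_lookup):
    """Verify an RS256 JWT and return its claims; key_lookup(header) -> (n, e)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have three segments")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    # The header is attacker-controlled: pin the algorithm before touching the
    # key, or alg=none / HS256-with-the-public-key tokens walk straight in.
    if header.get("alg") != "RS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    n, e = key_lookup(header)
    if not rs256_verify((h_b64 + "." + p_b64).encode("ascii"), b64url_decode(s_b64), n, e):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p_b64))

def rejects(token, key_lookup):
    """True if verify_jwt refuses the token (exercises the failure paths)."""
    try:
        verify_jwt(token, key_lookup)
        return False
    except ValueError:
        return True

# Constructed sample key: the Mersenne primes 2^521-1 and 2^607-1. Publicly
# known and trivially factorable; it only stands in for the server's real key.
_P, _Q = (1 << 521) - 1, (1 << 607) - 1
SAMPLE_N, SAMPLE_E = _P * _Q, 65537
_SAMPLE_D = pow(SAMPLE_E, -1, (_P - 1) * (_Q - 1))
SAMPLE_JWKS = {"keys": [{"kty": "RSA", "kid": "sample-1", "use": "sig", "alg": "RS256",
    "n": b64url_encode(SAMPLE_N.to_bytes((SAMPLE_N.bit_length() + 7) // 8, "big")),
    "e": b64url_encode(SAMPLE_E.to_bytes(3, "big"))}]}

def rs256_sign(header, claims, d=_SAMPLE_D, n=SAMPLE_N):
    """Mint a token with the sample private key (the authorization server's job)."""
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    k = (n.bit_length() + 7) // 8
    m = int.from_bytes(_emsa_pkcs1_v15((h + "." + p).encode("ascii"), k), "big")
    return h + "." + p + "." + b64url_encode(pow(m, d, n).to_bytes(k, "big"))
```

Usage: `verify_jwt(token, jwks_lookup(SAMPLE_JWKS))` for the keys-endpoint flow, or `verify_jwt(token, lambda header: rsa_numbers_from_env())` for the env-var hack; both return the claims or raise ValueError. The alg check comes before any key material is used on purpose: once the verifier accepts RSA keys, a token with `alg: HS256` signed with the public modulus bytes, or `alg: none` with an empty signature, would otherwise be the first thing to try against it.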
