Couchbase Gateway

CBG-841: Force users to opt in to accepting unsigned tokens from providers in SG's provider config.

Details

    • Type: New Feature
    • Resolution: Fixed
    • Priority: Critical
    • Fix Version/s: 3.0
    • Affects Version/s: None
    • Component/s: SyncGateway
    • Security Level: Public
    • Labels: None
    • Sprint: CBG Sprint 57
    • Story Points: 3

    Description

      We've got a lot of cloned code in auth/oidc.go that exists just to support the ability to verify a trusted JWT token without doing signature validation, which we're doing from the refresh and callback handlers. This is required (at least for backward compatibility), but as per the OIDC spec it's not valid for providers to return unsigned certificates in those situations.

      Default to the normal signed verification path, and force users to opt in to accepting unsigned tokens from providers in SG's provider config.
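      As an added illustration of the opt-in default this ticket asks for (example code written for this page, not Sync Gateway's auth/oidc.go), the verifier below takes the signed path unless the provider config explicitly sets AllowUnsigned. The config field names, the HMAC key and the sample claims are assumptions, and HS256 stands in for the RS256 an OIDC provider would normally use.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// ProviderConfig models the opt-in the ticket asks for; the field names are hypothetical.
type ProviderConfig struct {
	Key           []byte // provider HMAC key; HS256 stands in for the usual RS256
	AllowUnsigned bool   // zero value false, so the signed path is the default
}

var ErrUnsigned, b64 = errors.New("unsigned token rejected: provider has not opted in"), base64.RawURLEncoding

func hs256(key []byte, input string) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(input))
	return mac.Sum(nil)
}

// MakeToken builds constructed sample input: HS256-signed when key is non-nil, else an empty signature.
func MakeToken(alg string, key []byte, claimsJSON string) string {
	signing := b64.EncodeToString([]byte(`{"alg":"`+alg+`"}`)) + "." + b64.EncodeToString([]byte(claimsJSON))
	if key == nil {
		return signing + "."
	}
	return signing + "." + b64.EncodeToString(hs256(key, signing))
}

// VerifyToken returns the raw claims JSON; unsigned tokens pass only if the provider opted in.
func VerifyToken(cfg ProviderConfig, token string) ([]byte, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if raw, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil {
		return nil, errors.New("malformed header")
	}
	if hdr.Alg == "none" || parts[2] == "" { // unsigned: the ticket's opt-in case
		if !cfg.AllowUnsigned {
			return nil, ErrUnsigned
		}
	} else if hdr.Alg != "HS256" { // refuse unexpected algorithms outright
		return nil, errors.New("unsupported alg: " + hdr.Alg)
	} else if sig, err := b64.DecodeString(parts[2]); err != nil || !hmac.Equal(sig, hs256(cfg.Key, parts[0]+"."+parts[1])) {
		return nil, errors.New("signature verification failed")
	}
	return b64.DecodeString(parts[1])
}
```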

    People

      Assignee: sarath.kumarsivan Sarath Kumar Sivan (Inactive)
      Reporter: sarath.kumarsivan Sarath Kumar Sivan (Inactive)
      Votes: 0
      Watchers: 1