[GitHub] [cxf-fediz] amergey opened a new pull request #54: Support for unsigned token

GitBox

amergey opened a new pull request #54:
URL: https://github.com/apache/cxf-fediz/pull/54


   


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
[hidden email]



[GitHub] [cxf-fediz] amergey commented on pull request #54: Support for unsigned token

GitBox

amergey commented on pull request #54:
URL: https://github.com/apache/cxf-fediz/pull/54#issuecomment-644625040


   > I think that "doNotEnforceAssertionsSigned" should only apply to encrypted assertions. I don't see a use-case for supporting unsigned and unencrypted assertions.
   
   Then maybe the doNotEnforceAssertionSigned in configuration is not necessary at all, and we could replace its "logic" with checks on the token and disable the assertion signature check when the assertion is encrypted and unsigned. What do you think?



[GitHub] [cxf-fediz] amergey edited a comment on pull request #54: Support for unsigned token

GitBox

amergey edited a comment on pull request #54:
URL: https://github.com/apache/cxf-fediz/pull/54#issuecomment-644625040


   > I think that "doNotEnforceAssertionsSigned" should only apply to encrypted assertions. I don't see a use-case for supporting unsigned and unencrypted assertions.
   
   Then maybe the doNotEnforceAssertionSigned in configuration is not necessary at all, and we could replace its "logic" with checks on the token. The assertion signature check would be disabled when it is encrypted and unsigned. What do you think?



[GitHub] [cxf-fediz] coheigea commented on pull request #54: Support for unsigned token

GitBox

coheigea commented on pull request #54:
URL: https://github.com/apache/cxf-fediz/pull/54#issuecomment-644632720


   No, I still think we should always default to requiring a signed token, even if it's encrypted.



[GitHub] [cxf-fediz] coheigea merged pull request #54: Support for unsigned token

GitBox

coheigea merged pull request #54:
URL: https://github.com/apache/cxf-fediz/pull/54


   

