[mitreid-connect] Storage of Tokens in DB [I]

Dominik Schmich dominik.schmich at db.com
Tue Dec 13 06:19:40 EST 2016


Classification: For internal use only
Ahh, got it :)

I guess it can be related to https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/issues/55 as well.

Best regards / Kind regards,
Dominik Schmich
From: Chris Hutton [mailto:chris.hutton at callsign.com]
Sent: Tuesday, 13 December 2016 12:17
To: Dominik Schmich <dominik.schmich at db.com>
Cc: jricher at mit.edu; mitreid-connect at mit.edu
Subject: Re: [mitreid-connect] Storage of Tokens in DB [I]

Hi Dominik,

It was more of a theoretical solution rather than a branch on GitHub. We have implemented our own OAuth2TokenRepository and this seems to be one level higher up the code calling stack

Dominik Schmich wrote:

Hi Chris,

can you point me to "your proposed solution"? I didn't find it :)

Best regards / Kind regards,
Dominik Schmich
From: Chris Hutton [mailto:chris.hutton at callsign.com]
Sent: Tuesday, 13 December 2016 12:04
To: Dominik Schmich <dominik.schmich at db.com>
Cc: jricher at mit.edu; mitreid-connect at mit.edu
Subject: Re: [mitreid-connect] Storage of Tokens in DB [I]

It seems that you could pass a JTI or hashed value into the DefaultOAuth2ProviderTokenService (OAuth2TokenEntityService) before it calls the JpaOAuth2TokenRepository (OAuth2TokenRepository).

There are a couple of methods to watch out for:
- OAuth2TokenRepository#getAccessTokenByValue
- OAuth2TokenRepository#getRefreshTokenByValue
With both these methods in my proposed solution, the parameter would become the hashed value or JTI.

There are a number of methods in the /tokens API that expose the token object, for example TokenAPI#getAccessTokenById using m.put(JsonEntityView.ENTITY, token); however, I don't think external API clients use the token value.
--
Chris Hutton
Head of Development
Callsign Inc.
[C] chris<https://get.callsign.com/chris>


--------------------------------------------------------------- This message
was pgp signed but couldn't be verified successfully. Typically this is caused
because Deutsche Bank hasn't yet trusted the PGP key of the sender.


---

The European Commission has established a European online dispute resolution platform (OS platform) under http://ec.europa.eu/consumers/odr/. The OS platform can be used by a consumer for the extra-judicial settlement of a dispute of online contracts with a provider established in the EU companies.

Please refer to https://www.db.com/disclosures for information (including mandatory corporate particulars) on selected Deutsche Bank branches and group companies registered or incorporated in the European Union. This e-mail may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and delete this e-mail. Any unauthorized copying, disclosure or distribution of the material in this e-mail is strictly forbidden.



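The lookup Chris sketches in the quoted message, as an added example that is not code from this thread or from MITREid Connect: a Python stand-in for the repository layer that persists only SHA-256(token) and the jti claim, with both lookup variants he names (by hashed value, by JTI). The class and function names (HashedTokenRepository, make_jwt, jti_of, token_hash, demo), the HS256 signing key and the sample tokens are all constructed for the example; the method names only echo the project's getAccessTokenByValue, and the in-memory SQLite table is a stand-in for the real schema.

```python
import base64
import hashlib
import hmac
import json
import sqlite3
from typing import Optional

# Constructed signing key for the example; a real server signs with its own RSA key.
SERVER_KEY = b"example-server-hmac-key"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(claims: dict, key: bytes) -> str:
    """Build an HS256 JWT. Constructed for the example only, so that there is a
    token carrying a jti claim to store and later present."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def jti_of(token: str) -> Optional[str]:
    """Read the jti claim WITHOUT checking the signature. Anyone can mint a JWT
    carrying someone else's jti, so this is a lookup key, not proof of anything."""
    try:
        claims = json.loads(_b64url_decode(token.split(".")[1]))
    except (IndexError, ValueError):
        return None
    return claims.get("jti")


def token_hash(token: str) -> str:
    """SHA-256 of the full compact serialization: what the DB keeps instead of the token."""
    return hashlib.sha256(token.encode()).hexdigest()


class HashedTokenRepository:
    """Hypothetical stand-in for the repository layer (not OAuth2TokenRepository itself).
    The table holds jti and token_hash, never the raw token, so a dump of it
    yields nothing that can be replayed at a resource server."""

    def __init__(self) -> None:
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE access_token (jti TEXT, token_hash TEXT UNIQUE, client_id TEXT, scope TEXT)"
        )

    def save_access_token(self, token: str, client_id: str, scope: str) -> None:
        self.db.execute(
            "INSERT INTO access_token VALUES (?, ?, ?, ?)",
            (jti_of(token), token_hash(token), client_id, scope),
        )

    def get_access_token_by_value(self, token: str) -> Optional[dict]:
        """Lookup keyed on the hash of the presented token. Self-authenticating:
        only the exact token string the server issued can hit the row."""
        row = self.db.execute(
            "SELECT jti, client_id, scope FROM access_token WHERE token_hash = ?",
            (token_hash(token),),
        ).fetchone()
        return None if row is None else dict(zip(("jti", "client_id", "scope"), row))

    def get_access_token_by_jti(self, token: str) -> Optional[dict]:
        """Lookup keyed on jti, the other option raised in the thread. Because the
        jti comes from an unverified token, the stored hash is still compared
        (constant-time) before the row is trusted."""
        row = self.db.execute(
            "SELECT token_hash, jti, client_id, scope FROM access_token WHERE jti = ?",
            (jti_of(token),),
        ).fetchone()
        if row is None or not hmac.compare_digest(row[0], token_hash(token)):
            return None
        return dict(zip(("jti", "client_id", "scope"), row[1:]))

    def raw_token_present(self, token: str) -> bool:
        """What a DB dump would reveal: is the raw token string stored in any column?"""
        rows = self.db.execute("SELECT * FROM access_token").fetchall()
        return any(token == value for row in rows for value in row)


def demo() -> dict:
    repo = HashedTokenRepository()
    issued = make_jwt({"jti": "c0ffee-1", "sub": "alice", "scope": "openid"}, SERVER_KEY)
    repo.save_access_token(issued, "client-1", "openid")
    # Forgery: same jti, attacker's signature. Must not resolve under either lookup.
    forged = make_jwt({"jti": "c0ffee-1", "sub": "mallory", "scope": "openid"}, b"attacker-key")
    return {
        "issued_by_value": repo.get_access_token_by_value(issued) is not None,
        "issued_by_jti": repo.get_access_token_by_jti(issued) is not None,
        "forged_by_value": repo.get_access_token_by_value(forged) is not None,
        "forged_by_jti": repo.get_access_token_by_jti(forged) is not None,
        "raw_token_in_db": repo.raw_token_present(issued),
    }


if __name__ == "__main__":
    print(demo())
```

In the arrangement Chris describes, the hashing or jti extraction would sit in the token service (the caller of the repository), so that getAccessTokenByValue and getRefreshTokenByValue receive the derived key rather than the token. The hash-keyed lookup is the simpler of the two: a jti-keyed lookup is only safe if the row is still checked against the presented token (here via the stored hash), since a forged JWT can carry any jti it likes.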