[mitreid-connect] Storage of Tokens in DB [I]

Chris Hutton chris.hutton at callsign.com
Tue Dec 13 06:54:03 EST 2016


Yes, from your link

"It sounds like we are generating the client's secret, and that needs to
be passed on to the client after it is generated (and this is the ONLY
time we need the plaintext). If so, then would it work to just notify
the client about the secret (using some secure means) after it's
generated, but before it is stored & encoded?"

Seems to confirm the investigation I was doing.

Dominik Schmich wrote:
>
> Classification: *For internal use only*
>
> Ahh, got it :-)
>
> I guess it can be related to
> https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/issues/55
> as well.
>
> Beste Grüße / Kind regards,
> Dominik Schmich
>
> *From:*Chris Hutton [mailto:chris.hutton at callsign.com]
> *Sent:* Tuesday, 13 December 2016 12:17
> *To:* Dominik Schmich <dominik.schmich at db.com>
> *Cc:* jricher at mit.edu; mitreid-connect at mit.edu
> *Subject:* Re: [mitreid-connect] Storage of Tokens in DB [I]
>
> Hi Dominik,
>
> It was more of a theoretical solution rather than a branch on GitHub.
> We have implemented our own OAuth2TokenRepository and this seems to be
> one level higher up the code calling stack
>
> Dominik Schmich wrote:
>
>     Classification: *For internal use only*
>
>     Hi Chris,
>
>     can you point me to "your proposed solution"? I didn't find it :-)
>
>     Beste Grüße / Kind regards,
>     Dominik Schmich
>
>     *From:*Chris Hutton [mailto:chris.hutton at callsign.com]
>     *Sent:* Tuesday, 13 December 2016 12:04
>     *To:* Dominik Schmich <dominik.schmich at db.com>
>     *Cc:* jricher at mit.edu; mitreid-connect at mit.edu
>     *Subject:* Re: [mitreid-connect] Storage of Tokens in DB [I]
>
>     It seems that you could pass a JTI or hashed value into the
>     DefaultOAuth2ProviderTokenService (OAuth2TokenEntityService)
>     before it calls the JpaOAuth2TokenRepository (OAuth2TokenRepository).
>
>     There are a couple of methods to watch out for:
>     - OAuth2TokenRepository#getAccessTokenByValue
>     - OAuth2TokenRepository#getRefreshTokenByValue
>     With both these methods in my proposed solution, the parameter
>     would become the hashed value or JTI.
>
>     There are a number of methods in the /tokens api that expose the
>     token object for example TokenAPI#getAccessTokenById using
>     m.put(JsonEntityView.ENTITY, token); however I don't think
>     external API clients use the token value.
>
>     -- 
>     Chris Hutton
>
>     Head of Development
>
>     Callsign Inc.
>
>     [C] chris <https://get.callsign.com/chris>
>
>
>
>     ---------------------------------------------------------------
>     This message was pgp signed but couldn't be verified successfully.
>     Typically this is caused because Deutsche Bank hasn't yet trusted
>     the PGP key of the sender.
>
>
>
>     ---
>     The European Commission has set up a European online dispute
>     resolution platform (ODR platform) at
>     http://ec.europa.eu/consumers/odr/. A consumer can use the ODR
>     platform for the out-of-court settlement of a dispute arising from
>     online contracts with a company established in the EU.
>
>     Information (including mandatory disclosures) on individual
>     companies and branches of the Deutsche Bank group operating within
>     the EU can be found at https://www.deutsche-bank.de/Pflichtangaben.
>     This e-mail contains confidential and/or legally protected
>     information. If you are not the intended recipient or have received
>     this e-mail in error, please notify the sender immediately and
>     destroy this e-mail. Unauthorized copying and forwarding of this
>     e-mail is not permitted.
>
>     The European Commission has established a European online dispute
>     resolution platform (OS platform) under
>     http://ec.europa.eu/consumers/odr/. The OS platform can be used by
>     a consumer for the extra-judicial settlement of a dispute of
>     online contracts with a provider established in the EU companies.
>
>     Please refer to https://www.db.com/disclosures for information
>     (including mandatory corporate particulars) on selected Deutsche
>     Bank branches and group companies registered or incorporated in
>     the European Union. This e-mail may contain confidential and/or
>     privileged information. If you are not the intended recipient (or
>     have received this e-mail in error) please notify the sender
>     immediately and delete this e-mail. Any unauthorized copying,
>     disclosure or distribution of the material in this e-mail is
>     strictly forbidden.
>
> -- 
> Chris Hutton
>
> Head of Development
>
> Callsign Inc.
>
> [C] chris <https://get.callsign.com/chris>
>

-- 
Chris Hutton
Head of Development
Callsign Inc.
[C] chris <https://get.callsign.com/chris>
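The hashed-lookup idea from the quoted message, as an added example (my code, not MITREid Connect's): a hypothetical repository whose getAccessTokenByValue and removeAccessTokenByValue still take the raw bearer token, as the project's OAuth2TokenRepository methods do, but key the store on the SHA-256 digest of that value, so a copy of the table contains nothing that can be presented as a token. The names StoredAccessToken, HashedTokenRepository and InMemoryHashedTokenRepository are assumptions standing in for the project's OAuth2TokenRepository/JpaOAuth2TokenRepository, and the sample token is constructed; the JTI variant mentioned in the thread (keying a JWT by its jti claim) is not shown.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical stand-in for a persisted access-token row; it holds the hash, never the token. */
final class StoredAccessToken {
    final String valueHash;      // SHA-256 of the bearer token, URL-safe base64
    final String clientId;
    final long expiresAtMillis;

    StoredAccessToken(String valueHash, String clientId, long expiresAtMillis) {
        this.valueHash = valueHash;
        this.clientId = clientId;
        this.expiresAtMillis = expiresAtMillis;
    }
}

/** Hypothetical repository whose *ByValue methods accept the raw token, like the thread's interface. */
interface HashedTokenRepository {
    void saveAccessToken(String rawTokenValue, String clientId, long expiresAtMillis);
    Optional<StoredAccessToken> getAccessTokenByValue(String rawTokenValue);
    boolean removeAccessTokenByValue(String rawTokenValue);
}

/** In-memory implementation: the map key is the digest, so a dump of the store yields no usable token. */
final class InMemoryHashedTokenRepository implements HashedTokenRepository {
    private final Map<String, StoredAccessToken> byHash = new ConcurrentHashMap<>();

    /** Deterministic, unsalted digest; fine here because the token is a high-entropy server-generated value. */
    static String hashTokenValue(String rawTokenValue) {
        try {
            MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
            byte[] digest = sha256.digest(rawTokenValue.getBytes(StandardCharsets.UTF_8));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is required in every JRE", e);
        }
    }

    @Override
    public void saveAccessToken(String rawTokenValue, String clientId, long expiresAtMillis) {
        String hash = hashTokenValue(rawTokenValue);
        byHash.put(hash, new StoredAccessToken(hash, clientId, expiresAtMillis));
    }

    @Override
    public Optional<StoredAccessToken> getAccessTokenByValue(String rawTokenValue) {
        // Hash the presented value and look it up; the raw token is never stored or compared directly.
        return Optional.ofNullable(byHash.get(hashTokenValue(rawTokenValue)));
    }

    @Override
    public boolean removeAccessTokenByValue(String rawTokenValue) {
        return byHash.remove(hashTokenValue(rawTokenValue)) != null;
    }

    /** Exposed only so the demo can show what a database dump would contain. */
    boolean storeContainsRawValue(String rawTokenValue) {
        return byHash.containsKey(rawTokenValue)
            || byHash.values().stream().anyMatch(t -> t.valueHash.equals(rawTokenValue));
    }
}

public class HashedTokenLookupDemo {
    public static void main(String[] args) {
        InMemoryHashedTokenRepository repo = new InMemoryHashedTokenRepository();
        // Constructed sample token; a real server issues a random or signed value.
        String issued = "example-opaque-token-0123456789abcdef";
        repo.saveAccessToken(issued, "client-abc", System.currentTimeMillis() + 3_600_000L);

        // 1. A resource server presenting the raw bearer token is found.
        System.out.println("lookup by raw value  : " + repo.getAccessTokenByValue(issued).isPresent());

        // 2. The stored column alone cannot be replayed as a token: it is hashed again on lookup.
        String leakedColumn = InMemoryHashedTokenRepository.hashTokenValue(issued);
        System.out.println("lookup by stored hash: " + repo.getAccessTokenByValue(leakedColumn).isPresent());

        // 3. The raw token value appears nowhere in the store.
        System.out.println("raw value in store   : " + repo.storeContainsRawValue(issued));

        // 4. Revocation goes through the same hashed path.
        System.out.println("removed              : " + repo.removeAccessTokenByValue(issued));
        System.out.println("after removal        : " + repo.getAccessTokenByValue(issued).isPresent());
    }
}
```

Run with `java HashedTokenLookupDemo.java` (Java 11 or later). The plain SHA-256 is deliberate for tokens: they are random, high-entropy secrets, so a salt or a slow KDF buys nothing and would break the by-value lookup. The client secret discussed in the linked issue is a different case, since it is handed to the client once in plaintext and then only ever verified; it belongs behind a salted password hash (Spring's PasswordEncoder), not this digest. With the digest as the stored value, the /tokens views the thread mentions would expose a hash rather than a credential a caller could reuse.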