<html><head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head><body bgcolor="#FFFFFF" text="#000000">Yes, from your link<br>
<br>
"It sounds like we are generating the client's secret, and that needs to
be passed on to the client after it is generated (and this is the ONLY
time we need the plaintext). If so, then would it work to just notify
the client about the secret (using some secure means) after it's
generated, but before it is stored & encoded?"<br>
<br>
Seems to confirm the investigation I was doing.<br>
<br>
<span>Dominik Schmich wrote:</span><br>
<blockquote
cite="mid:BC07D7EA39C6184BA034EA776CB2C46D013767F2@UCDEDC1PWXMR007.de.db.com"
type="cite">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:"Arial Unicode MS";
panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"\@Arial Unicode MS";
panose-1:2 11 6 4 2 2 2 2 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:12.0pt;
font-family:"Times New Roman",serif;
color:black;}
span.EmailStyle18
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:#1F497D;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p><span style="font-size:10.0pt;font-family:"Arial Unicode
MS",sans-serif">Classification:
<b>For internal use only</b></span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"
lang="EN-US">Ahh, got it
</span><span
style="font-size:11.0pt;font-family:Wingdings;color:#1F497D;mso-fareast-language:EN-US">J</span><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"
lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"
lang="EN-US">I guess it can be related to
<a moz-do-not-send="true"
href="https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/issues/55">
https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/issues/55</a>
aswell.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"
lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt;text-autospace:none"><span
style="font-size:10.0pt;font-family:"Arial",sans-serif">Beste
Grüße / Kind regards,<br>
Dominik Schmich</span><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"><o:p></o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm
0cm 0cm">
<p class="MsoNormal"><a moz-do-not-send="true"
name="_____replyseparator"></a><b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext"
lang="EN-US">From:</span></b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext"
lang="EN-US">
Chris Hutton [<a class="moz-txt-link-freetext" href="mailto:chris.hutton@callsign.com">mailto:chris.hutton@callsign.com</a>] <br>
<b>Sent:</b> Dienstag, 13. Dezember 2016 12:17<br>
<b>To:</b> Dominik Schmich <a class="moz-txt-link-rfc2396E" href="mailto:dominik.schmich@db.com"><dominik.schmich@db.com></a><br>
<b>Cc:</b> <a class="moz-txt-link-abbreviated" href="mailto:jricher@mit.edu">jricher@mit.edu</a>; <a class="moz-txt-link-abbreviated" href="mailto:mitreid-connect@mit.edu">mitreid-connect@mit.edu</a><br>
<b>Subject:</b> Re: [mitreid-connect] Storage of Tokens in DB [I]<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt">Hi Dominik,<br>
<br>
It was more of a theoretical solution rather than a branch on GitHub. We
have implemented our own OAuth2TokenRepository and this seems to be one
level higher up the code calling stack<br>
<br>
Dominik Schmich wrote:<o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt"><p><span
style="font-size:10.0pt">Classification: <b>For internal use only</b></span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US">Hi
Chris,</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"
lang="EN-US">can you point me to „your proposed solution“? I didn’t
find it
</span><span
style="font-size:11.0pt;font-family:Wingdings;color:#1F497D;mso-fareast-language:EN-US"
lang="EN-US">J</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"
lang="EN-US"> </span><o:p></o:p></p>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt;text-autospace:none"><span
style="font-size:10.0pt;font-family:"Arial",sans-serif">Beste
Grüße / Kind regards,<br>
Dominik Schmich</span><o:p></o:p></p>
</div>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm
0cm 0cm">
<p class="MsoNormal"><b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext"
lang="EN-US">From:</span></b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext"
lang="EN-US"> Chris Hutton [<a moz-do-not-send="true"
href="mailto:chris.hutton@callsign.com">mailto:chris.hutton@callsign.com</a>]
<br>
<b>Sent:</b> Dienstag, 13. Dezember 2016 12:04<br>
<b>To:</b> Dominik Schmich <a moz-do-not-send="true"
href="mailto:dominik.schmich@db.com"><dominik.schmich@db.com></a><br>
<b>Cc:</b> <a moz-do-not-send="true" href="mailto:jricher@mit.edu">jricher@mit.edu</a>;
<a moz-do-not-send="true" href="mailto:mitreid-connect@mit.edu">
mitreid-connect@mit.edu</a><br>
<b>Subject:</b> Re: [mitreid-connect] Storage of Tokens in DB [I]</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt">It seems that you
could can pass a JTI or hashed value into the
DefaultOAuth2ProviderTokenService (OAuth2TokenEntityService) before it
calls the JpaOAuth2TokenRepository (OAuth2TokenRepository).
<br>
<br>
There are a couple of methods to watch out for:<br>
- OAuth2TokenRepository#getAccessTokenByValue<br>
- OAuth2TokenRepository#getRefreshTokenByValue<br>
With both these methods in my proposed solution, the parameter would
become the hashed value or JTI.<br>
<br>
There are a number of methods in the /tokens api that expose the token
object for example TokenAPI#getAccessTokenById using
m.put(JsonEntityView.ENTITY, token); however I don't think external API
clients use the token value.<o:p></o:p></p>
<div>
<p class="MsoNormal">-- <br>
Chris Hutton <o:p></o:p></p>
<div>
<p class="MsoNormal">Head of Development<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Callsign Inc.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">[C] <a moz-do-not-send="true"
href="https://get.callsign.com/chris">chris</a><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><br>
<br>
--------------------------------------------------------------- This
message<br>
was pgp signed but couldn't be verified successfully. Typically this is
caused<br>
because Deutsche Bank hasn't yet trusted the PGP key of the sender.<o:p></o:p></p>
<p class="MsoNormal"><br>
<span style="font-family:"Arial",sans-serif"><br>
---<br>
Die Europäische Kommission hat unter <a moz-do-not-send="true"
href="http://ec.europa.eu/consumers/odr/">
http://ec.europa.eu/consumers/odr/</a> eine Europäische
Online-Streitbeilegungsplattform (OS-Plattform) errichtet. Die
OS-Plattform kann ein Verbraucher für die außergerichtliche Beilegung
einer Streitigkeit aus Online-Verträgen mit einem in der EU
niedergelassenen
Unternehmen nutzen.<br>
<br>
Informationen (einschließlich Pflichtangaben) zu einzelnen, innerhalb
der EU tätigen Gesellschaften und Zweigniederlassungen des Konzerns
Deutsche Bank finden Sie unter
<a moz-do-not-send="true"
href="https://www.deutsche-bank.de/Pflichtangaben">https://www.deutsche-bank.de/Pflichtangaben</a>.
Diese E-Mail enthält vertrauliche und/ oder rechtlich geschützte
Informationen. Wenn Sie nicht der richtige Adressat sind oder diese
E-Mail irrtümlich erhalten
haben, informieren Sie bitte sofort den Absender und vernichten Sie
diese E-Mail. Das unerlaubte Kopieren sowie die unbefugte Weitergabe
dieser E-Mail ist nicht gestattet.<br>
<br>
The European Commission has established a European online dispute
resolution platform (OS platform) under
<a moz-do-not-send="true" href="http://ec.europa.eu/consumers/odr/">http://ec.europa.eu/consumers/odr/</a>.
The OS platform can be used by a consumer for the extra-judicial
settlement of a dispute of online contracts with a provider established
in the EU companies.<br>
<br>
Please refer to <a moz-do-not-send="true"
href="https://www.db.com/disclosures">https://www.db.com/disclosures</a>
for information (including mandatory corporate particulars) on selected
Deutsche Bank branches and group companies registered or incorporated
in the European Union.
This e-mail may contain confidential and/or privileged information. If
you are not the intended recipient (or have received this e-mail in
error) please notify the sender immediately and delete this e-mail. Any
unauthorized copying, disclosure or distribution
of the material in this e-mail is strictly forbidden.</span><o:p></o:p></p></blockquote>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">-- <br>
Chris Hutton <o:p></o:p></p>
<div>
<p class="MsoNormal">Head of Development<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Callsign Inc.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">[C] <a moz-do-not-send="true"
href="https://get.callsign.com/chris">chris</a><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><br>
<br>
--------------------------------------------------------------- This
message<br>
was pgp signed but couldn't be verified successfully. Typically this is
caused<br>
because Deutsche Bank hasn't yet trusted the PGP key of the sender.<o:p></o:p></p>
</div>
<br>
<font color="Black" face="Arial" size="3"><br>
---<br>
Die Europäische Kommission hat unter <a class="moz-txt-link-freetext" href="http://ec.europa.eu/consumers/odr/">http://ec.europa.eu/consumers/odr/</a>
eine Europäische Online-Streitbeilegungsplattform (OS-Plattform)
errichtet. Die OS-Plattform kann ein Verbraucher für die
außergerichtliche Beilegung einer Streitigkeit aus Online-Verträgen
mit einem in der EU niedergelassenen Unternehmen nutzen.<br>
<br>
Informationen (einschließlich Pflichtangaben) zu einzelnen, innerhalb
der EU tätigen Gesellschaften und Zweigniederlassungen des Konzerns
Deutsche Bank finden Sie unter
<a class="moz-txt-link-freetext" href="https://www.deutsche-bank.de/Pflichtangaben">https://www.deutsche-bank.de/Pflichtangaben</a>. Diese E-Mail enthält
vertrauliche und/ oder
rechtlich geschützte Informationen. Wenn Sie nicht der richtige
Adressat sind oder diese E-Mail irrtümlich erhalten haben, informieren
Sie bitte sofort den Absender und vernichten Sie diese E-Mail. Das
unerlaubte Kopieren sowie die unbefugte Weitergabe dieser
E-Mail ist nicht gestattet.<br>
<br>
The European Commission has established a European online dispute
resolution platform (OS platform) under
<a class="moz-txt-link-freetext" href="http://ec.europa.eu/consumers/odr/">http://ec.europa.eu/consumers/odr/</a>. The OS platform can be used by a
consumer for the extra-judicial settlement of a dispute of online
contracts with a
provider established in the EU companies.<br>
<br>
Please refer to <a class="moz-txt-link-freetext" href="https://www.db.com/disclosures">https://www.db.com/disclosures</a> for information
(including mandatory corporate particulars) on selected Deutsche Bank
branches and group companies registered or incorporated in the European
Union. This e-mail may contain confidential and/or privileged
information. If you are not the intended recipient (or have received
this e-mail in error) please notify the sender immediately and delete
this e-mail. Any unauthorized copying, disclosure or distribution of the
material in this e-mail is strictly forbidden.<br>
</font></blockquote>
<br>
<div class="moz-signature">-- <br>Chris Hutton
<div>Head of Development</div>
<div>Callsign Inc.</div>
<div>[C] <a href="https://get.callsign.com/chris">chris</a><br>
</div>
</div>
</body></html>