Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: Allows configuring MinParameterEntropy #461

Merged
merged 1 commit into from
Aug 21, 2020
Merged

feat: Allows configuring MinParameterEntropy #461

merged 1 commit into from
Aug 21, 2020

Conversation

mitar
Copy link
Contributor

@mitar mitar commented Aug 13, 2020

Related issue

Fixes #267.

Proposed changes

Added MinParameterEntropy to compose.Config and fosite.Fosite (and few other structs) which then controls the minimal length of the parameters which should have entropy.

Checklist

  • I have read the contributing guidelines
  • I have read the security policy
  • I confirm that this pull request does not address a security
    vulnerability. If this pull request addresses a security vulnerability, I
    confirm that I got green light (please contact
    [email protected]) from the maintainers to push
    the changes.
  • I have added tests that prove my fix is effective or that my feature works
  • I have added necessary documentation within the code base (if appropriate)

Further comments

There are quite a few extra changes to tests to make it a bit easier to control this config variable. I somehow disliked the idea of the global state between various test cases and that previous test case's MinParameterEntropy value would influence later ones. So I made functions to create new instances of objects as needed.

mitar
mitar commented Aug 13, 2020
View reviewed changes
errors.go
@@ -111,7 +111,7 @@ var (
}
ErrInsufficientEntropy = &RFC6749Error{
Name: errInsufficientEntropyName,
Description: fmt.Sprintf("The request used a security parameter (e.g., anti-replay, anti-csrf) with insufficient entropy (minimum of %d characters)", MinParameterEntropy),
Description: "The request used a security parameter (e.g., anti-replay, anti-csrf) with insufficient entropy",
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is not necessary to have the minimal length here because we pass a similar message (with minimal length) as a hint as well.

@mitar mitar mentioned this pull request Aug 13, 2020
Closed
@aeneasr aeneasr merged commit 2c793e6 into ory:master Aug 21, 2020
@mitar mitar deleted the config-min-entropy branch August 21, 2020 09:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@aeneasr aeneasr aeneasr approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

State parameter length issue when working with spring security oauth2
2 participants
@mitar @aeneasr