
fix: only use allowed characters in error_description #526

Merged
merged 6 commits into from
Nov 4, 2020

Conversation

aeneasr (Member) commented Nov 4, 2020

Replace LF and quotes with . and ' to match allowed and recommended character set defined in various RFCs.

Closes #525

Related issue

Proposed changes

Checklist

  • I have read the contributing guidelines and signed the CLA.
  • I have read the security policy.
  • I confirm that this pull request does not address a security
    vulnerability. If this pull request addresses a security vulnerability, I
    confirm that I got green light (please contact
    [email protected]) from the maintainers to push
    the changes.
  • I have added tests that prove my fix is effective or that my feature works.
  • I have added necessary documentation within the code base (if appropriate).

Further comments

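The substitution the PR describes, written out as an added example (this is illustrative code, not fosite's own implementation): it encodes the `error_description` character set of RFC 6749 §5.2 (`%x20-21 / %x23-5B / %x5D-7E`, i.e. printable ASCII without `"` and `\`), replaces LF with `.` and `"` with `'` exactly as the PR states, and drops any other disallowed rune. The function names and the drop-everything-else fallback are assumptions of this example, not behaviour the PR specifies.

```go
package main

import (
	"fmt"
	"strings"
)

// allowedErrorDescriptionRune reports whether r lies inside the
// error_description character set of RFC 6749 §5.2:
// %x20-21 / %x23-5B / %x5D-7E (printable ASCII minus '"' and '\').
func allowedErrorDescriptionRune(r rune) bool {
	return (r >= 0x20 && r <= 0x21) ||
		(r >= 0x23 && r <= 0x5B) ||
		(r >= 0x5D && r <= 0x7E)
}

// IsValidErrorDescription is the check a server (or a conformance suite)
// would run against the outgoing error_description value.
func IsValidErrorDescription(s string) bool {
	for _, r := range s {
		if !allowedErrorDescriptionRune(r) {
			return false
		}
	}
	return true
}

// SanitizeErrorDescription applies the PR's substitution: LF becomes "."
// and a double quote becomes "'". CR is dropped, so a CRLF line ending
// yields a single "."; every other disallowed rune (backslash, control
// characters, non-ASCII) is dropped too. Dropping rather than escaping is
// an assumption of this example.
func SanitizeErrorDescription(s string) string {
	var b strings.Builder
	for _, r := range s {
		switch {
		case r == '\n':
			b.WriteRune('.')
		case r == '"':
			b.WriteRune('\'')
		case allowedErrorDescriptionRune(r):
			b.WriteRune(r)
		}
	}
	return b.String()
}

func main() {
	// Constructed sample: a multi-line message that quotes a parameter name.
	raw := "The request is missing a required parameter\nThe \"client_id\" is invalid"
	fmt.Println(IsValidErrorDescription(raw)) // false
	fmt.Println(SanitizeErrorDescription(raw))
	fmt.Println(IsValidErrorDescription(SanitizeErrorDescription(raw))) // true
}
```

Running `IsValidErrorDescription` on every error response in a test suite is the cheap way to keep this class of conformance failure from coming back, since the character restriction applies to the value regardless of which code path produced it.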
@aeneasr aeneasr added corp/m3 Up for M3 at Ory Corp. blocking Blocks milestones or other issues or pulls. bug Something is not working. labels Nov 4, 2020
@aeneasr aeneasr self-assigned this Nov 4, 2020
Allows all request object signing algorithms when the client has not explicitly allowed a certain algorithm. This follows the spec:

> request_object_signing_alg - OPTIONAL. JWS [JWS] alg algorithm [JWA] that MUST be used for signing Request Objects sent to the OP. All Request Objects from this Client MUST be rejected, if not signed with this algorithm. Request Objects are described in Section 6.1 of OpenID Connect Core 1.0 [OpenID.Core]. This algorithm MUST be used both when the Request Object is passed by value (using the request parameter) and when it is passed by reference (using the request_uri parameter). Servers SHOULD support RS256. The value none MAY be used. The default, if omitted, is that any algorithm supported by the OP and the RP MAY be used.
Resolves failing OIDC conformity test "oidcc-request-uri-unsigned".
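The rule quoted above, as an added example that is not fosite's code: a registered `request_object_signing_alg` is mandatory for every Request Object from that client, and when it is omitted any algorithm the OP supports may be used. The function name, the parameter layout and the extra check that the algorithm is in the OP's supported list are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
)

// ValidateRequestObjectAlg decides whether a Request Object may be accepted
// based on the algorithm in its JWS header.
//
//   registeredAlg: the client's request_object_signing_alg ("" if omitted)
//   supportedAlgs: algorithms this OP accepts; list "none" here only if the
//                  OP deliberately accepts unsigned Request Objects
//   headerAlg:     the "alg" value from the Request Object's JOSE header
func ValidateRequestObjectAlg(registeredAlg string, supportedAlgs []string, headerAlg string) error {
	// A client that registered an algorithm gets no other choice.
	if registeredAlg != "" && headerAlg != registeredAlg {
		return fmt.Errorf("request object uses alg %q but client registered %q", headerAlg, registeredAlg)
	}
	// With no registered algorithm (or a matching one), the OP's own
	// support list is the only remaining constraint.
	for _, alg := range supportedAlgs {
		if alg == headerAlg {
			return nil
		}
	}
	return errors.New("request object uses an alg this OP does not support")
}

func main() {
	supported := []string{"RS256", "ES256", "none"}

	// Constructed cases mirroring the "oidcc-request-uri-unsigned" scenario:
	// an unsigned (alg=none) Request Object from a client with no
	// registered algorithm must be accepted.
	fmt.Println(ValidateRequestObjectAlg("", supported, "none"))      // <nil>
	fmt.Println(ValidateRequestObjectAlg("RS256", supported, "none")) // rejected
	fmt.Println(ValidateRequestObjectAlg("RS256", supported, "RS256")) // <nil>
}
```

The defensive detail worth keeping is that "none" is only honoured because it sits in the OP's supported list; an OP that does not want unsigned Request Objects at all simply leaves it out, and the default-any-algorithm rule then cannot be used to bypass signing.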
Review comments (resolved): authorize_request_handler.go (outdated), errors.go
@aeneasr aeneasr merged commit 6d2092d into master Nov 4, 2020
@aeneasr aeneasr deleted the fix-error-conformity branch November 4, 2020 19:23
Linked issue closed by this pull request: Non-conformant error responses (#525)