From 71a55eae4d2874080e25c3f9b646f7fbd4767612 Mon Sep 17 00:00:00 2001
From: Daniel Kleveros
Date: Sun, 24 Sep 2023 19:51:35 -0700
Subject: [PATCH 1/9] adding handling for bearer tokens
---
 .../server/plugins/pfedsso/SsoClient.java | 8 ++---
 .../server/plugins/pfedsso/SsoHandler.java | 35 +++++++++++++++----
 2 files changed, 32 insertions(+), 11 deletions(-)
diff --git a/server/plugins/pfed-sso/src/main/java/com/walmartlabs/concord/server/plugins/pfedsso/SsoClient.java b/server/plugins/pfed-sso/src/main/java/com/walmartlabs/concord/server/plugins/pfedsso/SsoClient.java
index 5e4f83dc82..ed53348bc8 100644
--- a/server/plugins/pfed-sso/src/main/java/com/walmartlabs/concord/server/plugins/pfedsso/SsoClient.java
+++ b/server/plugins/pfed-sso/src/main/java/com/walmartlabs/concord/server/plugins/pfedsso/SsoClient.java
@@ -126,9 +126,9 @@ public String getTokenSigningKey() throws IOException {
 }
 }
- public Profile getUserProfile(String refreshToken) throws IOException {
+ public Profile getUserProfileFromRefreshToken(String refreshToken) throws IOException {
 Token token = getTokenByRefreshToken(refreshToken);
- return getProfile(token);
+ return getProfile(token.accessToken());
 }
 private Token getToken(String urlParameters) throws IOException {
@@ -178,7 +178,7 @@ private void postRequest(HttpURLConnection con, String urlParameters) throws IOE
 }
 }
- private Profile getProfile(Token token) throws IOException {
+ public Profile getProfile(String accessToken) throws IOException {
 if (cfg.getUserInfoEndpointUrl() == null) {
 return null;
 }
@@ -186,7 +186,7 @@ private Profile getProfile(Token token) throws IOException {
 try {
 URL url = new URL(cfg.getUserInfoEndpointUrl());
 con = (HttpURLConnection) url.openConnection();
- String authzHeaderValue = String.format("Bearer %s", token.accessToken());
+ String authzHeaderValue = String.format("Bearer %s", accessToken);
 con.setRequestProperty(HttpHeaders.AUTHORIZATION, authzHeaderValue);
 con.setRequestProperty(HttpHeaders.CONTENT_TYPE, CONTENT_TYPE_HEADER);
 con.setRequestMethod("GET");
diff --git a/server/plugins/pfed-sso/src/main/java/com/walmartlabs/concord/server/plugins/pfedsso/SsoHandler.java b/server/plugins/pfed-sso/src/main/java/com/walmartlabs/concord/server/plugins/pfedsso/SsoHandler.java
index f7aaa47d2a..8c1df8c17c 100644
--- a/server/plugins/pfed-sso/src/main/java/com/walmartlabs/concord/server/plugins/pfedsso/SsoHandler.java
+++ b/server/plugins/pfed-sso/src/main/java/com/walmartlabs/concord/server/plugins/pfedsso/SsoHandler.java
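Review bot: `getProfile(String accessToken)` is now public and builds the header with `String.format("Bearer %s", accessToken)`, so a null argument (for example when the token response that feeds `getUserProfileFromRefreshToken` carries no access_token) sends the literal value `Bearer null` to the userinfo endpoint instead of failing fast. The method already returns null when no endpoint URL is configured, so the same shape fits here: `if (accessToken == null) { return null; }` before the connection is opened. Being public now, it should also carry Javadoc saying the argument is the OAuth access token forwarded as a Bearer credential and that the result is null when no userinfo endpoint is configured. The rest of getProfile's body lies outside the hunk.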
@@ -56,29 +56,34 @@ public AuthenticationToken createToken(ServletRequest request, ServletResponse r
 HttpServletRequest req = WebUtils.toHttp(request);
- String token = SsoCookies.getTokenCookie(req);
- if (token == null) {
+ String bearerToken = extractTokenFromRequest(req);
+ String incomingToken = bearerToken != null ? bearerToken : SsoCookies.getTokenCookie(req);
+
+ if (incomingToken == null) {
 return null;
 }
- String login = jwtAuthenticator.validateTokenAndGetLogin(token);
+ //TODO: If token comes in from bearer token, then this should be an access_token.
+ // Use this directly to get the user profile i.e. ssoClient.getProfile(accessToken);
+
+ String login = jwtAuthenticator.validateTokenAndGetLogin(incomingToken);
 if (login == null) {
 return null;
 }
- String[] as = parseDomain(login);
+ String[] as = parseDomain(login); //TODO: Can we not get this info from userInfo endpoint? i.e. SsoClient.Profile
- String refreshToken = SsoCookies.getRefreshCookie(req);
- // get userprofile send the response as null if refreshToken is expired or used
 SsoClient.Profile profile;
 try {
- profile = ssoClient.getUserProfile(refreshToken);
+ profile = bearerToken != null ? ssoClient.getProfile(bearerToken) : ssoClient.getUserProfileFromRefreshToken(incomingToken);
+
 } catch (IOException e) {
 return null;
 }
 if (profile == null) {
 return null;
 }
+ //TODO: User name and domain should be returned by the userInfo endpoint(profile) "sub". Do we really need these two? as[0], as[1]
 return new SsoToken(as[0], as[1], profile.displayName(), profile.mail(), profile.userPrincipalName(), profile.nameInNamespace(), profile.groups());
 }
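Review bot: On the cookie path the refresh-token lookup has been dropped: `incomingToken` is the value of the token cookie, yet it is what gets passed to `ssoClient.getUserProfileFromRefreshToken(incomingToken)`, so the refresh grant is attempted with the wrong credential and cookie-based logins will presumably be rejected by the token endpoint until PATCH 3 reinstates `SsoCookies.getRefreshCookie(req)`. The TODO comments added here are removed again in PATCH 2, so the intermediate states are not reviewable on their own; squashing the first three patches would give one coherent change. Both paths still end in the pre-existing `catch (IOException e) { return null; }`, which discards the cause; a debug-level log of `e.getMessage()` (never the token) would make userinfo outages diagnosable. createToken starts before this hunk.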
@@ -112,4 +117,20 @@ private String[] parseDomain(String s) {
 String domain = s.substring(pos + 1);
 return new String[]{username, domain};
 }
+
+ private String extractTokenFromRequest(HttpServletRequest request) {
+ final String value = request.getHeader("Authorization");
+
+ if (value == null || !value.toLowerCase().startsWith("bearer")) {
+ return null;
+ }
+
+ String[] parts = value.split(" ");
+
+ if (parts.length < 2) {
+ return null;
+ }
+
+ return parts[1].trim();
+ }
 }
From f8283c49877953f5a77d488599ba3f7c59178afb Mon Sep 17 00:00:00 2001
From: Daniel Kleveros
Date: Sun, 24 Sep 2023 20:11:11 -0700
Subject: [PATCH 2/9] Removing comments
---
 .../concord/server/plugins/pfedsso/SsoHandler.java | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/server/plugins/pfed-sso/src/main/java/com/walmartlabs/concord/server/plugins/pfedsso/SsoHandler.java b/server/plugins/pfed-sso/src/main/java/com/walmartlabs/concord/server/plugins/pfedsso/SsoHandler.java
index 8c1df8c17c..7a68af83d4 100644
--- a/server/plugins/pfed-sso/src/main/java/com/walmartlabs/concord/server/plugins/pfedsso/SsoHandler.java
+++ b/server/plugins/pfed-sso/src/main/java/com/walmartlabs/concord/server/plugins/pfedsso/SsoHandler.java
@@ -63,15 +63,12 @@ public AuthenticationToken createToken(ServletRequest request, ServletResponse r
 return null;
 }
- //TODO: If token comes in from bearer token, then this should be an access_token.
- // Use this directly to get the user profile i.e. ssoClient.getProfile(accessToken);
-
 String login = jwtAuthenticator.validateTokenAndGetLogin(incomingToken);
 if (login == null) {
 return null;
 }
- String[] as = parseDomain(login); //TODO: Can we not get this info from userInfo endpoint? i.e. SsoClient.Profile
+ String[] as = parseDomain(login);
 SsoClient.Profile profile;
 try {
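Review bot: The scheme check in `extractTokenFromRequest` only tests `startsWith("bearer")` and then splits on a single space, so a header such as `Bearer  <token>` (two spaces) makes `parts[1]` the empty string, which is returned as a non-null token and sent down the bearer path instead of falling back to the cookie; `bearertoken` with no space also passes the prefix test before being rejected by the length check. A tighter parse avoids both the locale-sensitive `toLowerCase()` and the split: `if (value == null || !value.regionMatches(true, 0, "Bearer ", 0, 7)) { return null; }` followed by `String t = value.substring(7).trim(); return t.isEmpty() ? null : t;`. The header name is a string literal here while SsoClient uses `HttpHeaders.AUTHORIZATION`; reuse the constant if that class is available to the handler. A one-line Javadoc stating that the method returns the credential of an `Authorization: Bearer` header, or null when there is none, should also go on it.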
@@ -83,7 +80,6 @@ public AuthenticationToken createToken(ServletRequest request, ServletResponse r
 if (profile == null) {
 return null;
 }
- //TODO: User name and domain should be returned by the userInfo endpoint(profile) "sub". Do we really need these two? as[0], as[1]
 return new SsoToken(as[0], as[1], profile.displayName(), profile.mail(), profile.userPrincipalName(), profile.nameInNamespace(), profile.groups());
 }
From e2ebca6ac5cad1328d03657be45fe545148ac787 Mon Sep 17 00:00:00 2001
From: Daniel Kleveros
Date: Sun, 24 Sep 2023 21:38:54 -0700
Subject: [PATCH 3/9] using sub from profile instead of token
---
 .../plugins/pfedsso/JwtAuthenticator.java | 17 +-----------
 .../server/plugins/pfedsso/SsoClient.java | 5 +++-
 .../server/plugins/pfedsso/SsoHandler.java | 26 ++++++++++---------
 3 files changed, 19 insertions(+), 29 deletions(-)
diff --git a/server/plugins/pfed-sso/src/main/java/com/walmartlabs/concord/server/plugins/pfedsso/JwtAuthenticator.java b/server/plugins/pfed-sso/src/main/java/com/walmartlabs/concord/server/plugins/pfedsso/JwtAuthenticator.java
index 754400733f..7e6acc80ab 100644
--- a/server/plugins/pfed-sso/src/main/java/com/walmartlabs/concord/server/plugins/pfedsso/JwtAuthenticator.java
+++ b/server/plugins/pfed-sso/src/main/java/com/walmartlabs/concord/server/plugins/pfedsso/JwtAuthenticator.java
@@ -113,22 +113,7 @@ public boolean isTokenValid(String token, String nonce) {
 }
 }
- /**
- * Validates the token and returns the corresponding user login.
- *
- * @param token the JWT
- * @return corresponding user login or null if the JWT is invalid
- */
- public String validateTokenAndGetLogin(String token) {
- Map claims = validateTokenAndGetClaims(token);
- if (claims == null) {
- return null;
- }
- return (String) claims.get("sub");
- }
-
- private Map validateTokenAndGetClaims(String token) {
-
+ public Map validateTokenAndGetClaims(String token) {
 try {
 JWT jwt = validateToken(token);
 if (jwt == null) {
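Review bot: `validateTokenAndGetClaims` is made public but inherits neither the Javadoc that `validateTokenAndGetLogin` had nor any statement of what it returns when validation fails, and it keeps the raw `Map` type. A header of the form `/** Validates the JWT and returns its claims. @param token the JWT @return the claim map, or null if the token is invalid */` restores what the deleted doc said, and declaring the return as `Map<String, Object>` would let callers read claims without unchecked casts. The method's body continues outside the hunk.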
diff --git a/server/plugins/pfed-sso/src/main/java/com/walmartlabs/concord/server/plugins/pfedsso/SsoClient.java b/server/plugins/pfed-sso/src/main/java/com/walmartlabs/concord/server/plugins/pfedsso/SsoClient.java
index ed53348bc8..f07a303527 100644
--- a/server/plugins/pfed-sso/src/main/java/com/walmartlabs/concord/server/plugins/pfedsso/SsoClient.java
+++ b/server/plugins/pfed-sso/src/main/java/com/walmartlabs/concord/server/plugins/pfedsso/SsoClient.java
@@ -126,7 +126,7 @@ public String getTokenSigningKey() throws IOException {
 }
 }
- public Profile getUserProfileFromRefreshToken(String refreshToken) throws IOException {
+ public Profile getUserProfileByRefreshToken(String refreshToken) throws IOException {
 Token token = getTokenByRefreshToken(refreshToken);
 return getProfile(token.accessToken());
 }
@@ -240,6 +240,9 @@ public interface Token {
 @JsonIgnoreProperties(ignoreUnknown = true)
 public interface Profile {
+ @JsonProperty("sub")
+ String sub();
+
 @JsonProperty("sAMAccountName")
 String userId();
diff --git a/server/plugins/pfed-sso/src/main/java/com/walmartlabs/concord/server/plugins/pfedsso/SsoHandler.java b/server/plugins/pfed-sso/src/main/java/com/walmartlabs/concord/server/plugins/pfedsso/SsoHandler.java
index 7a68af83d4..fe2b5a1a54 100644
--- a/server/plugins/pfed-sso/src/main/java/com/walmartlabs/concord/server/plugins/pfedsso/SsoHandler.java
+++ b/server/plugins/pfed-sso/src/main/java/com/walmartlabs/concord/server/plugins/pfedsso/SsoHandler.java
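Review bot: The new `sub()` accessor on `Profile` is undocumented and its nullability is unstated, while PATCH 3's handler passes it straight into `parseDomain(profile.sub())`; whether a userinfo response without `sub` fails at deserialization or yields a null here depends on the binder behind this interface, which is not visible, so the contract needs to be written down. Suggested Javadoc: `/** The {@code sub} claim of the userinfo response; SsoHandler splits it into user name and domain. Null if the IdP omits it. */`, plus whatever nullability annotation the project uses. In the first hunk `getUserProfileByRefreshToken` still dereferences the result of `getTokenByRefreshToken(...)` without a null check; whether that call can return null is outside this view.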
@@ -57,30 +57,32 @@ public AuthenticationToken createToken(ServletRequest request, ServletResponse r
 HttpServletRequest req = WebUtils.toHttp(request);
 String bearerToken = extractTokenFromRequest(req);
- String incomingToken = bearerToken != null ? bearerToken : SsoCookies.getTokenCookie(req);
+ String token = bearerToken != null ? bearerToken : SsoCookies.getTokenCookie(req);
- if (incomingToken == null) {
+ if (token == null) {
 return null;
 }
- String login = jwtAuthenticator.validateTokenAndGetLogin(incomingToken);
- if (login == null) {
+ if (!jwtAuthenticator.isTokenValid(token)) {
 return null;
 }
- String[] as = parseDomain(login);
-
- SsoClient.Profile profile;
 try {
- profile = bearerToken != null ? ssoClient.getProfile(bearerToken) : ssoClient.getUserProfileFromRefreshToken(incomingToken);
+ SsoClient.Profile profile = bearerToken != null ? ssoClient.getProfile(bearerToken) :
+ ssoClient.getUserProfileByRefreshToken(SsoCookies.getRefreshCookie(req));
+
+ if (profile == null) {
+ return null;
+ }
+
+ String[] as = parseDomain(profile.sub());
+
+ return new SsoToken(as[0], as[1], profile.displayName(), profile.mail(), profile.userPrincipalName(), profile.nameInNamespace(), profile.groups());
 } catch (IOException e) {
+ return null;
 }
- if (profile == null) {
- return null;
- }
- return new SsoToken(as[0], as[1], profile.displayName(), profile.mail(), profile.userPrincipalName(), profile.nameInNamespace(), profile.groups());
 }
 @Override
From de362e6b551a96fde7262ddd2e2c9ab3fc159d88 Mon Sep 17 00:00:00 2001
From: Daniel Kleveros
Date: Mon, 25 Sep 2023 10:00:32 -0700
Subject: [PATCH 4/9] Cleaning up
---
 .../walmartlabs/concord/server/plugins/pfedsso/SsoHandler.java | 1 -
 1 file changed, 1 deletion(-)
diff --git a/server/plugins/pfed-sso/src/main/java/com/walmartlabs/concord/server/plugins/pfedsso/SsoHandler.java b/server/plugins/pfed-sso/src/main/java/com/walmartlabs/concord/server/plugins/pfedsso/SsoHandler.java
index fe2b5a1a54..fbc86e84fe 100644
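Review bot: `parseDomain(profile.sub())` is called without checking that `sub` is present, and the enclosing `catch` handles only `IOException`, so a userinfo response lacking `sub` would surface as an uncaught NullPointerException out of the authentication filter rather than the clean null this method returns elsewhere; guard it with `String sub = profile.sub(); if (sub == null) { return null; }` before the call. On the cookie path `SsoCookies.getRefreshCookie(req)` is likewise forwarded unchecked, so a request with a token cookie but no refresh cookie reaches `getUserProfileByRefreshToken` with null. The `catch (IOException e) { return null; }` still swallows the cause with no log line; a debug-level message carrying `e.getMessage()` (never the token) would make IdP outages visible. createToken continues past the hunk.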
--- a/server/plugins/pfed-sso/src/main/java/com/walmartlabs/concord/server/plugins/pfedsso/SsoHandler.java
+++ b/server/plugins/pfed-sso/src/main/java/com/walmartlabs/concord/server/plugins/pfedsso/SsoHandler.java
@@ -80,7 +80,6 @@ public AuthenticationToken createToken(ServletRequest request, ServletResponse r
 return new SsoToken(as[0], as[1], profile.displayName(), profile.mail(), profile.userPrincipalName(), profile.nameInNamespace(), profile.groups());
 } catch (IOException e) {
- return null;
 }
 }
From b7825a1bc6d17523649177ce193748924757c424 Mon Sep 17 00:00:00 2001
From: Daniel Kleveros
Date: Fri, 6 Oct 2023 15:17:24 -0700
Subject: [PATCH 5/9] adding config for bearerToken
---
 .../src/main/resources/concord-server.conf | 13 ++++++++-
 .../plugins/pfedsso/SsoConfiguration.java | 29 +++++++++++++++++++
 2 files changed, 41 insertions(+), 1 deletion(-)
diff --git a/server/dist/src/main/resources/concord-server.conf b/server/dist/src/main/resources/concord-server.conf
index fe0db4b7fb..1ed96599e0 100644
--- a/server/dist/src/main/resources/concord-server.conf
+++ b/server/dist/src/main/resources/concord-server.conf
@@ -533,6 +533,17 @@ concord-server {
 pfed {
 enabled = false
 priority = 0
+
+ bearerToken {
+ # enable bearer tokens
+ enableBearerTokens = true
+
+ # allow all clientIds
+ allowAllClientIds = false
+
+ # list of allowed pingfed clientids for bearer tokens
+ allowedClientIds = ["clientId1", "clientId2"]
+ }
 }
 authEndpointUrl = "http://auth.example.com/authorize"
 tokenEndpointUrl = "http://auth.example.com/token"
@@ -549,7 +560,7 @@ concord-server {
 # enable to validate token signature
 tokenSignatureValidation = false
-
+
 # JSON as a string
 #tokenEncryptionKey = "{}"
diff --git a/server/plugins/pfed-sso/src/main/java/com/walmartlabs/concord/server/plugins/pfedsso/SsoConfiguration.java b/server/plugins/pfed-sso/src/main/java/com/walmartlabs/concord/server/plugins/pfedsso/SsoConfiguration.java
index 2514ccc426..ae3ddc1d83 100644
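Review bot: Removing `return null;` leaves `catch (IOException e) { }` completely empty, so an I/O failure while talking to the IdP is now discarded without any trace, and what the method returns on that path depends on code after the hunk (createToken ends outside it). Even a deliberate best-effort handler should name the variable `ignored` and say why, or better, log it: `log.debug("createToken -> error while fetching the user profile: {}", e.getMessage());`, assuming SsoHandler has a logger as SsoAuthFilter does. Keep the token itself out of any such message.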
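Review bot: The shipped default for `allowedClientIds` is a pair of placeholder values, `["clientId1", "clientId2"]`, which looks like a working allow-list but authorizes nothing real; an empty list with the example moved into the comment is clearer: `# list of allowed pingfed clientids for bearer tokens, e.g. ["clientId1", "clientId2"]` followed by `allowedClientIds = []`. With `enableBearerTokens = true` this patch ships the feature on by default; PATCH 9 flips it to false, which is the safer default for a new credential path. The comment on `allowAllClientIds` should also state that setting it to true disables the allow-list entirely.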
--- a/server/plugins/pfed-sso/src/main/java/com/walmartlabs/concord/server/plugins/pfedsso/SsoConfiguration.java
+++ b/server/plugins/pfed-sso/src/main/java/com/walmartlabs/concord/server/plugins/pfedsso/SsoConfiguration.java
@@ -26,6 +26,10 @@
 import javax.inject.Inject;
 import java.io.Serializable;
 import java.time.Duration;
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
 public class SsoConfiguration implements Serializable {
@@ -63,6 +67,14 @@ public class SsoConfiguration implements Serializable {
 @Config("sso.clientSecret")
 private String clientSecret;
+ @Inject
+ @Config("sso.pfed.bearerToken.enableBearerTokens")
+ private boolean enableBearerTokens;
+
+ @Inject
+ @Config("sso.pfed.bearerToken.allowAllClientIds")
+ private boolean allowAllClientIds;
+
 @Inject
 @Nullable
 @Config("sso.tokenSigningKey")
@@ -103,6 +115,10 @@ public class SsoConfiguration implements Serializable {
 @Config("sso.autoCreateUsers")
 private boolean autoCreateUsers;
+ @Inject
+ @Config("sso.pfed.bearerToken.allowedClientIds")
+ private Set allowedClientIds;
+
 public boolean isAutoCreateUsers() {
 return autoCreateUsers;
 }
@@ -135,6 +151,14 @@ public String getClientSecret() {
 return clientSecret;
 }
+ public boolean getEnableBearerTokens() {
+ return enableBearerTokens;
+ }
+
+ public boolean getAllowAllClientIds() {
+ return allowAllClientIds;
+ }
+
 public String getTokenEncryptionKey() {
 return tokenEncryptionKey;
 }
@@ -170,4 +194,9 @@ public boolean isTokenSignatureValidation() {
 public String getUserInfoEndpointUrl() {
 return userInfoEndpointUrl;
 }
+
+ public Set getAllowedClientIds() {
+ return allowedClientIds;
+ }
+
 }
From 52188024a6f2a56a1361235e23b3562b5fd4b96a Mon Sep 17 00:00:00 2001
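Review bot: `allowedClientIds` is declared as a raw `Set` (and as a raw `List` after PATCH 7), which forces unchecked use in `JwtAuthenticator`; declare it `Set<String>` (later `List<String>`) and return the same parameterized type from `getAllowedClientIds()`. The new boolean getters `getEnableBearerTokens()` and `getAllowAllClientIds()` depart from this file's own convention seen in `isAutoCreateUsers()` and `isTokenSignatureValidation()`; `isBearerTokensEnabled()` and `isAllowAllClientIds()` would match it. Of the four imports added, `Collections` and `HashSet` are unused in the hunks shown and `List` only becomes used in PATCH 7. Whether injection fails when the `sso.pfed.bearerToken.*` keys are absent from an existing deployment's config is not visible here; the optional fields in this class carry `@Nullable`, and these do not.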
From: Daniel Kleveros
Date: Fri, 6 Oct 2023 16:18:07 -0700
Subject: [PATCH 6/9] Adding logic for bearer token config and allowlist
---
 .../server/plugins/pfedsso/JwtAuthenticator.java | 16 +++++++++++++---
 .../server/plugins/pfedsso/SsoAuthFilter.java | 2 +-
 .../server/plugins/pfedsso/SsoHandler.java | 6 ++++--
 3 files changed, 18 insertions(+), 6 deletions(-)
diff --git a/server/plugins/pfed-sso/src/main/java/com/walmartlabs/concord/server/plugins/pfedsso/JwtAuthenticator.java b/server/plugins/pfed-sso/src/main/java/com/walmartlabs/concord/server/plugins/pfedsso/JwtAuthenticator.java
index 7e6acc80ab..e723755552 100644
--- a/server/plugins/pfed-sso/src/main/java/com/walmartlabs/concord/server/plugins/pfedsso/JwtAuthenticator.java
+++ b/server/plugins/pfed-sso/src/main/java/com/walmartlabs/concord/server/plugins/pfedsso/JwtAuthenticator.java
@@ -39,6 +39,7 @@
 import java.util.Date;
 import java.util.HashMap;
 import java.util.Map;
+import java.util.Set;
 public class JwtAuthenticator {
@@ -78,8 +79,8 @@ public JwtAuthenticator(SsoConfiguration cfg, SsoClient ssoClient) {
 * @param token the JWT
 * @return true if token valid and not expired
 */
- public boolean isTokenValid(String token) {
- return isTokenValid(token, null);
+ public boolean isTokenValid(String token, boolean restrictOnClientId) {
+ return isTokenValid(token, null, restrictOnClientId);
 }
 /**
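Review bot: The Javadoc directly above the changed signature still documents only `token`, so the new `restrictOnClientId` parameter has no description; add `* @param restrictOnClientId whether the token's {@code client_id} claim must be in the configured allow-list` next to the existing `@param token`. Replacing `isTokenValid(String)` instead of adding an overload also forces every caller to pass the flag (SsoAuthFilter is adapted in this same commit); keeping `public boolean isTokenValid(String token) { return isTokenValid(token, false); }` would preserve source compatibility for any caller outside this plugin.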
@@ -89,13 +90,22 @@ public boolean isTokenValid(String token) {
 * @param nonce nonce
 * @return true if token valid, correct nonce and not expired
 */
- public boolean isTokenValid(String token, String nonce) {
+ public boolean isTokenValid(String token, String nonce, boolean restrictOnClientId) {
 try {
 Map claims = validateTokenAndGetClaims(token);
 if (claims == null) {
 return false;
 }
+ if (restrictOnClientId) {
+ Set allowedClientIds = cfg.getAllowedClientIds();
+ String clientId = (String) claims.get("client_id");
+ if(!allowedClientIds.contains(clientId)) {
+ log.warn("isTokenValid ['{}', '{}'] -> clientId not in allowed list for bearer tokens", token, clientId);
+ return false;
+ }
+ }
+
 if (nonce == null) {
 return true;
 }
diff --git a/server/plugins/pfed-sso/src/main/java/com/walmartlabs/concord/server/plugins/pfedsso/SsoAuthFilter.java b/server/plugins/pfed-sso/src/main/java/com/walmartlabs/concord/server/plugins/pfedsso/SsoAuthFilter.java
index 2d9051dee6..ddc7c13e1f 100644
--- a/server/plugins/pfed-sso/src/main/java/com/walmartlabs/concord/server/plugins/pfedsso/SsoAuthFilter.java
+++ b/server/plugins/pfed-sso/src/main/java/com/walmartlabs/concord/server/plugins/pfedsso/SsoAuthFilter.java
@@ -66,7 +66,7 @@ public void doFilter(HttpServletRequest request, HttpServletResponse response, F
 if (token != null) {
 if (refreshToken == null){
- boolean isValid = jwtAuthenticator.isTokenValid(token);
+ boolean isValid = jwtAuthenticator.isTokenValid(token, false);
 if (isValid) {
 log.info("doFilter -> found valid token in cookies, redirect to '{}'", from);
 redirectHelper.sendRedirect(response, from);
diff --git a/server/plugins/pfed-sso/src/main/java/com/walmartlabs/concord/server/plugins/pfedsso/SsoHandler.java b/server/plugins/pfed-sso/src/main/java/com/walmartlabs/concord/server/plugins/pfedsso/SsoHandler.java
index fbc86e84fe..a7136495ae 100644
--- a/server/plugins/pfed-sso/src/main/java/com/walmartlabs/concord/server/plugins/pfedsso/SsoHandler.java
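Review bot: The new `log.warn(...)` writes the full `token` into the server log whenever the client-id check fails, so a signature-valid but disallowed bearer token, a live credential, ends up in log storage and anything that ships logs downstream; log only the rejected `clientId`: `log.warn("isTokenValid -> clientId '{}' not in allowed list for bearer tokens", clientId);`. `cfg.getAllowedClientIds()` is dereferenced without a null check, so a deployment that enables bearer tokens with `allowAllClientIds = false` but no `allowedClientIds` entry would throw from `contains` unless the surrounding `try` (its catch clause is outside the hunk) happens to absorb it; `if (allowedClientIds == null || !allowedClientIds.contains(clientId))` fails closed in either case. The Javadoc above the signature also lacks a `@param restrictOnClientId` entry, the same gap as in the two-argument overload earlier in this patch.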
+++ b/server/plugins/pfed-sso/src/main/java/com/walmartlabs/concord/server/plugins/pfedsso/SsoHandler.java
@@ -56,14 +56,16 @@ public AuthenticationToken createToken(ServletRequest request, ServletResponse r
 HttpServletRequest req = WebUtils.toHttp(request);
- String bearerToken = extractTokenFromRequest(req);
+ String bearerToken = cfg.getEnableBearerTokens() ? extractTokenFromRequest(req) : null;
 String token = bearerToken != null ? bearerToken : SsoCookies.getTokenCookie(req);
 if (token == null) {
 return null;
 }
- if (!jwtAuthenticator.isTokenValid(token)) {
+ boolean restrictOnClientId = (bearerToken != null) && (!cfg.getAllowAllClientIds());
+
+ if (!jwtAuthenticator.isTokenValid(token, restrictOnClientId)) {
 return null;
 }
From ed731ed889f9bd2c0f8596070bf8abd352741d4c Mon Sep 17 00:00:00 2001
From: Daniel Kleveros
Date: Tue, 10 Oct 2023 14:15:29 -0700
Subject: [PATCH 7/9] using list
---
 .../concord/server/plugins/pfedsso/JwtAuthenticator.java | 7 ++-----
 .../concord/server/plugins/pfedsso/SsoConfiguration.java | 4 ++--
 2 files changed, 4 insertions(+), 7 deletions(-)
diff --git a/server/plugins/pfed-sso/src/main/java/com/walmartlabs/concord/server/plugins/pfedsso/JwtAuthenticator.java b/server/plugins/pfed-sso/src/main/java/com/walmartlabs/concord/server/plugins/pfedsso/JwtAuthenticator.java
index e723755552..8fc050e622 100644
--- a/server/plugins/pfed-sso/src/main/java/com/walmartlabs/concord/server/plugins/pfedsso/JwtAuthenticator.java
+++ b/server/plugins/pfed-sso/src/main/java/com/walmartlabs/concord/server/plugins/pfedsso/JwtAuthenticator.java
@@ -36,10 +36,7 @@
 import javax.inject.Inject;
 import java.io.IOException;
 import java.text.ParseException;
-import java.util.Date;
-import java.util.HashMap;
-import java.util.Map;
-import java.util.Set;
+import java.util.*;
 public class JwtAuthenticator {
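Review bot: The two new lines encode a policy that is stated nowhere in the code: bearer tokens are honoured only when `cfg.getEnableBearerTokens()` is true, and the client-id allow-list is applied only on the bearer path, never to cookie tokens, and only while `allowAllClientIds` is off. A comment above `restrictOnClientId` would spare the next reader from reconstructing that, e.g. `// Only bearer tokens are subject to the client-id allow-list; cookie tokens are never restricted by it.` It is also worth noting in the same comment that when bearer tokens are disabled an `Authorization` header is silently ignored and the request falls back to the cookie. createToken continues beyond the hunk.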
@@ -98,7 +95,7 @@ public boolean isTokenValid(String token, String nonce, boolean restrictOnClient
 }
 if (restrictOnClientId) {
- Set allowedClientIds = cfg.getAllowedClientIds();
+ List allowedClientIds = cfg.getAllowedClientIds();
 String clientId = (String) claims.get("client_id");
 if(!allowedClientIds.contains(clientId)) {
 log.warn("isTokenValid ['{}', '{}'] -> clientId not in allowed list for bearer tokens", token, clientId);
diff --git a/server/plugins/pfed-sso/src/main/java/com/walmartlabs/concord/server/plugins/pfedsso/SsoConfiguration.java b/server/plugins/pfed-sso/src/main/java/com/walmartlabs/concord/server/plugins/pfedsso/SsoConfiguration.java
index ae3ddc1d83..880e3fce09 100644
--- a/server/plugins/pfed-sso/src/main/java/com/walmartlabs/concord/server/plugins/pfedsso/SsoConfiguration.java
+++ b/server/plugins/pfed-sso/src/main/java/com/walmartlabs/concord/server/plugins/pfedsso/SsoConfiguration.java
@@ -117,7 +117,7 @@ public class SsoConfiguration implements Serializable {
 @Inject
 @Config("sso.pfed.bearerToken.allowedClientIds")
- private Set allowedClientIds;
+ private List allowedClientIds;
 public boolean isAutoCreateUsers() {
 return autoCreateUsers;
@@ -195,7 +195,7 @@ public String getUserInfoEndpointUrl() {
 return userInfoEndpointUrl;
 }
- public Set getAllowedClientIds() {
+ public List getAllowedClientIds() {
 return allowedClientIds;
 }
From 1eef9f5aaebe2ef56813d8e3931a2df1a06f4b1d Mon Sep 17 00:00:00 2001
From: Daniel Kleveros
Date: Wed, 11 Oct 2023 21:23:02 -0700
Subject: [PATCH 8/9] Imports tidy up
---
 .../concord/server/plugins/pfedsso/JwtAuthenticator.java | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/server/plugins/pfed-sso/src/main/java/com/walmartlabs/concord/server/plugins/pfedsso/JwtAuthenticator.java b/server/plugins/pfed-sso/src/main/java/com/walmartlabs/concord/server/plugins/pfedsso/JwtAuthenticator.java
index 8fc050e622..63753fee7a 100644
--- a/server/plugins/pfed-sso/src/main/java/com/walmartlabs/concord/server/plugins/pfedsso/JwtAuthenticator.java
+++ b/server/plugins/pfed-sso/src/main/java/com/walmartlabs/concord/server/plugins/pfedsso/JwtAuthenticator.java
@@ -36,7 +36,11 @@
 import javax.inject.Inject;
 import java.io.IOException;
 import java.text.ParseException;
-import java.util.*;
+import java.util.Date;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.List;
+
 public class JwtAuthenticator {
From 658078083185b233bcfdf7048c8769bf7436a91f Mon Sep 17 00:00:00 2001
From: Daniel Kleveros
Date: Fri, 13 Oct 2023 15:35:44 -0700
Subject: [PATCH 9/9] setting default enableBearerTokens to false
---
 server/dist/src/main/resources/concord-server.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/server/dist/src/main/resources/concord-server.conf b/server/dist/src/main/resources/concord-server.conf
index 1ed96599e0..e7b0b231ed 100644
--- a/server/dist/src/main/resources/concord-server.conf
+++ b/server/dist/src/main/resources/concord-server.conf
@@ -536,7 +536,7 @@ concord-server {
 bearerToken {
 # enable bearer tokens
- enableBearerTokens = true
+ enableBearerTokens = false
 # allow all clientIds
 allowAllClientIds = false