From ba00c08461cff937db5600217d17e92bacb1d5d4 Mon Sep 17 00:00:00 2001
From: Peter Chen
Date: Fri, 22 Mar 2024 14:43:28 -0700
Subject: [PATCH 1/2] fix doc: the default value of token_format in token request
- experiments show that UAA returns JWTs when token_format is not specified, regardless of what the value of uaa.yml `jwt.token.revocable` (for non-default zones, `config.tokenPolicy.jwtRevocable`) is.
- the code does read `jwt.token.revocable` when generating tokens (https://github.com/cloudfoundry/uaa/blob/9e9874075ab284aa7d23d14a01168c61dcafdc39/server/src/main/java/org/cloudfoundry/identity/uaa/oauth/UaaTokenServices.java#L618), but it does not impact the generated token's format.
Co-authored-by: Peter Chen
---
 .../org/cloudfoundry/identity/uaa/login/TokenEndpointDocs.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/uaa/src/test/java/org/cloudfoundry/identity/uaa/login/TokenEndpointDocs.java b/uaa/src/test/java/org/cloudfoundry/identity/uaa/login/TokenEndpointDocs.java
index 2989bc2ac54..160544589cb 100644
--- a/uaa/src/test/java/org/cloudfoundry/identity/uaa/login/TokenEndpointDocs.java
+++ b/uaa/src/test/java/org/cloudfoundry/identity/uaa/login/TokenEndpointDocs.java
@@ -104,7 +104,7 @@ class TokenEndpointDocs extends AbstractTokenMockMvcTests {
 private final ParameterDescriptor clientIdParameter = parameterWithName(CLIENT_ID).optional(null).type(STRING).description("A unique string representing the registration information provided by the client, the recipient of the token. Optional if it is passed as part of the Basic Authorization header or as part of the client_assertion.");
 private final ParameterDescriptor clientSecretParameter = parameterWithName("client_secret").optional(null).type(STRING).description("The [secret passphrase configured](#change-secret) for the OAuth client. Optional if it is passed as part of the Basic Authorization header or if client_assertion is sent as part of private_key_jwt authentication.");
- private final ParameterDescriptor opaqueFormatParameter = parameterWithName(REQUEST_TOKEN_FORMAT).optional(null).type(STRING).description("Can be set to `" + OPAQUE.getStringValue() + "` to retrieve an opaque token or to `" + JWT.getStringValue() + "` to retrieve a JWT token. Please refer to the Revoke Tokens endpoint doc for information about the revocability of opaque vs. jwt tokens. If not set the zone setting config.tokenPolicy.jwtRevocable is used.");
+ private final ParameterDescriptor opaqueFormatParameter = parameterWithName(REQUEST_TOKEN_FORMAT).optional("jwt").type(STRING).description("Can be set to `" + OPAQUE.getStringValue() + "` to retrieve an opaque token or to `" + JWT.getStringValue() + "` to retrieve a JWT token. Please refer to the Revoke Tokens endpoint doc for information about the revocability of opaque vs. jwt tokens.");
 private final ParameterDescriptor scopeParameter = parameterWithName(SCOPE).optional(null).type(STRING).description("The list of scopes requested for the token. 
Use when you wish to reduce the number of scopes the token will have.");
 private final ParameterDescriptor loginHintParameter = parameterWithName("login_hint").optional(null).type(STRING).description("UAA 75.5.0 Indicates the identity provider to be used. The passed string has to be a URL-Encoded JSON Object, containing the field `origin` with value as `origin_key` of an identity provider. Note that this identity provider must support the grant type `password`.");
 private final ParameterDescriptor codeVerifier = parameterWithName(PkceValidationService.CODE_VERIFIER).description("UAA 75.5.0 [PKCE](https://tools.ietf.org/html/rfc7636) Code Verifier. A `code_verifier` parameter must be provided if a `code_challenge` parameter was present in the previous call to `/oauth/authorize`. The `code_verifier` must match the used `code_challenge` (according to the selected `code_challenge_method`)").attributes(key("constraints").value("Optional"), key("type").value(STRING));
From e891c0930ab8dc230fe4808f2cea53a014452986 Mon Sep 17 00:00:00 2001
From: Peter Chen
Date: Fri, 22 Mar 2024 14:56:43 -0700
Subject: [PATCH 2/2] fix doc: user token grant response
- clarify that this field is always null (instead of explaining a lot about the various formats of the access token when no access token will be returned)
Co-authored-by: Peter Chen
---
 .../org/cloudfoundry/identity/uaa/login/TokenEndpointDocs.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/uaa/src/test/java/org/cloudfoundry/identity/uaa/login/TokenEndpointDocs.java b/uaa/src/test/java/org/cloudfoundry/identity/uaa/login/TokenEndpointDocs.java
index 160544589cb..8880b985511 100644
--- a/uaa/src/test/java/org/cloudfoundry/identity/uaa/login/TokenEndpointDocs.java
+++ b/uaa/src/test/java/org/cloudfoundry/identity/uaa/login/TokenEndpointDocs.java
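Review bot: The new `opaqueFormatParameter` line hard-codes the default as `.optional("jwt")` while the very same expression derives its description from `JWT.getStringValue()`; prefer `.optional(JWT.getStringValue())` so the documented default cannot drift from the enum value the server actually compares against. Removing the sentence about `config.tokenPolicy.jwtRevocable` also drops the operator-facing point the commit message establishes: that zone setting does not change the default format, so an operator who enables it expecting revocable tokens by default still issues JWTs to any client that omits `token_format`. Since the description already sends readers to the Revoke Tokens doc for the opaque-vs-JWT revocability difference, suggest closing it with `Defaults to jwt; the zone setting config.tokenPolicy.jwtRevocable does not change this default, so clients that rely on the revocation behaviour of opaque tokens must request opaque explicitly.` These field declarations belong to TokenEndpointDocs, whose body begins and ends outside the hunk.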
@@ -382,7 +382,7 @@ void getTokenUsingUserTokenGrant() throws Exception {
 );
 Snippet responseFields = responseFields(
- accessTokenFieldDescriptor,
+ fieldWithPath("access_token").description("This field is always `null`."),
 tokenTypeFieldDescriptor,
 expiresInFieldDescriptor,
 scopeFieldDescriptorWhenUserToken,
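Review bot: The replacement `access_token` descriptor says only that the field is always `null`, which tells an API consumer what they will see but not why; the reason is in the commit message rather than in the generated documentation. Suggest `fieldWithPath("access_token").description("Always null: the user_token grant does not issue an access token.")`, and, if the refresh token is the credential this grant is meant to deliver (the grant name suggests so, but the hunk does not show it), point readers at that field. The sibling descriptors in this file carry an explicit `.type(...)`; the removed `accessTokenFieldDescriptor` is defined outside the hunk, so check whether a type was declared there and keep it if so. `getTokenUsingUserTokenGrant` starts before the hunk and the `responseFields(` call continues past its last line.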