Support custom SSLSocketFactory in DefaultResourceRetriever

Issue #301 resolved
Former user created an issue

We need to develop a resource server using WSO2 as OpenID Connect provider and are using the nimbus-jose-jwt-7.0.jar. WSO2 have a known issue with the certificate: https://docs.wso2.com/display/IS530/FAQ#FAQ-WhydoIgetthejavax.net.ssl.SSLHandshakeExceptionwhenrunningthesamples? The workaround they provide is to import the certificate into the Java cacerts. But we cannot ask our customers to do that; we need to be able to use the certificate when loading resources without prior manual steps.

Currently, our code is failing in DefaultResourceRetriever.retrieveResource(URL url) with error "com.nimbusds.jose.RemoteKeySourceException: Couldn't retrieve remote JWK set: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"

It would be nice to have the possibility to attach an SSLSocketFactory to the connection opened by retrieveResource, so that we can explicitly trust the faulty certificate.
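The request above is to trust one specific certificate without touching the JVM's cacerts. The safe way to do that is to build an SSLSocketFactory from an in-memory trust store that contains only the provider's certificate, and hand that factory to the HttpsURLConnection the retriever opens; it must not be done with a trust-all TrustManager, which would silently disable certificate validation for the JWK fetch. The example below is added here and is not code from nimbus-jose-jwt or from the issue author. It assumes the class name PinnedTrustResourceRetriever, the PEM path /etc/myapp/wso2-is.pem and the JWKS URL https://localhost:9443/oauth2/jwks (all hypothetical), and that the library's DefaultResourceRetriever(int, int) constructor, Resource(String, String) and RemoteJWKSet(URL, ResourceRetriever) exist as in the 7.x API.

```java
import com.nimbusds.jose.jwk.JWKMatcher;
import com.nimbusds.jose.jwk.JWKSelector;
import com.nimbusds.jose.jwk.KeyUse;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.jwk.source.RemoteJWKSet;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jose.util.DefaultResourceRetriever;
import com.nimbusds.jose.util.Resource;

import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;

/**
 * Hypothetical subclass (not part of nimbus-jose-jwt): same job as
 * DefaultResourceRetriever, but every HTTPS connection gets an SSLSocketFactory
 * whose trust anchors are exactly the certificates we loaded from a PEM file.
 */
public class PinnedTrustResourceRetriever extends DefaultResourceRetriever {

    private final SSLSocketFactory sslSocketFactory;
    private final int connectTimeoutMs;
    private final int readTimeoutMs;
    private final int sizeLimitBytes;

    public PinnedTrustResourceRetriever(int connectTimeoutMs, int readTimeoutMs,
                                        int sizeLimitBytes, SSLSocketFactory sslSocketFactory) {
        super(connectTimeoutMs, readTimeoutMs);
        this.connectTimeoutMs = connectTimeoutMs;
        this.readTimeoutMs = readTimeoutMs;
        this.sizeLimitBytes = sizeLimitBytes;
        this.sslSocketFactory = sslSocketFactory;
    }

    /** Factory that trusts only the certificate(s) in the PEM file; the system cacerts are not consulted. */
    public static SSLSocketFactory trustOnly(String pemPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null); // empty in-memory store: no manual step on the customer's JVM
        int count = 0;
        try (InputStream in = Files.newInputStream(Paths.get(pemPath))) {
            for (Certificate c : cf.generateCertificates(in)) {
                trustStore.setCertificateEntry("pinned-" + (count++), c);
            }
        }
        if (count == 0) throw new IllegalArgumentException("no certificates found in " + pemPath);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // real PKIX trust manager, just with our anchors
        return ctx.getSocketFactory();
    }

    @Override
    public Resource retrieveResource(URL url) throws IOException {
        HttpURLConnection con = (HttpURLConnection) url.openConnection();
        if (!(con instanceof HttpsURLConnection)) {
            throw new IOException("JWK set must be fetched over HTTPS: " + url);
        }
        // Only the trust anchors change; JSSE hostname verification stays enabled.
        ((HttpsURLConnection) con).setSSLSocketFactory(sslSocketFactory);
        con.setConnectTimeout(connectTimeoutMs);
        con.setReadTimeout(readTimeoutMs);
        try (InputStream in = con.getInputStream()) {
            if (con.getResponseCode() != HttpURLConnection.HTTP_OK) {
                throw new IOException("Unexpected HTTP status " + con.getResponseCode() + " from " + url);
            }
            ByteArrayOutputStream buf = new ByteArrayOutputStream();
            byte[] chunk = new byte[8192];
            int n, total = 0;
            while ((n = in.read(chunk)) != -1) {
                total += n;
                if (total > sizeLimitBytes) { // keep the size cap the default retriever also enforces
                    throw new IOException("Response exceeds size limit of " + sizeLimitBytes + " bytes");
                }
                buf.write(chunk, 0, n);
            }
            return new Resource(new String(buf.toByteArray(), StandardCharsets.UTF_8), con.getContentType());
        } finally {
            con.disconnect();
        }
    }

    public static void main(String[] args) throws Exception {
        SSLSocketFactory factory = trustOnly("/etc/myapp/wso2-is.pem");          // hypothetical path
        PinnedTrustResourceRetriever retriever =
                new PinnedTrustResourceRetriever(2000, 2000, 50 * 1024, factory);
        URL jwkSetUrl = new URL("https://localhost:9443/oauth2/jwks");            // hypothetical IS endpoint
        JWKSource<SecurityContext> keys = new RemoteJWKSet<>(jwkSetUrl, retriever);
        // Selecting signing keys now goes through our factory instead of failing with PKIX path building.
        System.out.println(keys.get(new JWKSelector(new JWKMatcher.Builder().keyUse(KeyUse.SIGNATURE).build()), null));
    }
}
```

Two caveats worth keeping in mind: pinning a leaf certificate means the fetch breaks the day the provider rotates it, so pin the issuing CA from that PEM if one is available; and because the factory is only set on HttpsURLConnection, a plain http:// JWKS URL is rejected rather than silently fetched unauthenticated.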

Comments (10)

  1. Imre Paladji

    Hello *,

    as we would like to benefit from this little improvement too, I would like to make a pull request to provide a small patch which should fix this issue.

    Therefore it would be nice to grant me the required privileges on your project so I can invoke a pull request.

    Best regards

    Imre

  2. Imre Paladji

    Dear Yavor,

as I still have some trouble creating my PR due to some configuration issues on my machine, I would like to provide our piece of code as attached. It would be nice if you could merge it as mentioned before.

    Please note: I tried to provide some test cases too, when I realized that Jadler currently gives no support for mocking SSL/TLS connections. Therefore I sadly have no test cases for the provided code changes. Nevertheless, this piece of code is running in our environment, encapsulated in an extended class version of DefaultResourceRetriever, and it does the job in our case. Maybe it would be easier to provide a test case with a different mocking API which is able to mock SSL/TLS connections, but for that I would have to change a bunch of your dependencies and I am currently not sure if it is worth it, as I have no idea of your internal project requirements.

    Best regards

    Imre

    PS: Please let me know if you have any issues or I can help you in any way and thanks in advance for your kind support!

  3. Imre Paladji

    Dear Vladimir,

    first of all, I am happy to see that you merged our patch into your codebase!

    Thanks a lot, you are all doing a great and important job!
