- changed status to open
OIDCClient parse method causes potential problems when using the same object during encryption
In the class com.nimbusds.openid.connect.sdk.rp.OIDCClient, the method with the following signature: public static OIDCClientMetadata parse(final JSONObject jsonObject) throws ParseException creates a new EncryptionMethod object when parsing the OIDCClient metadata attributes "request_object_encryption_enc", "id_token_encrypted_response_enc", and "userinfo_encrypted_response_enc". This creates a problem if the same object is reused during an encryption flow, since the cekBitLength value inside the EncryptionMethod class is set to a default value of 0.
I suggest using the EncryptionMethod.parse(String s) method on the value derived from the OIDCClient metadata first, and if it returns null, then creating a new EncryptionMethod object.
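The following is an added example, not code from the report or from the SDK, that shows the difference the report describes: an EncryptionMethod built directly from the metadata string carries a CEK length of 0, while the registered constant returned by EncryptionMethod.parse carries the real length. The class name EncMethodResolve, the helper methods and the sample "A128GCM" value are constructed for this illustration; the null check mirrors the report's suggestion.

```java
import com.nimbusds.jose.EncryptionMethod;

// Added example (not part of the SDK): contrasts the constructor path with the
// parse-first path and adds a guard a relying party can run before encrypting.
public class EncMethodResolve {

    /** The pattern the report describes: a fresh object has cekBitLength 0. */
    static EncryptionMethod fromRawName(String encName) {
        return new EncryptionMethod(encName); // cekBitLength defaults to 0
    }

    /** The suggested pattern: resolve the metadata string through parse() first,
     *  which returns the SDK's registered constant (with its CEK length) for
     *  known names; fall back to a new object only if nothing was returned. */
    static EncryptionMethod fromRegistry(String encName) {
        EncryptionMethod enc = EncryptionMethod.parse(encName);
        if (enc == null) { // assumption: treat a null result as "unknown name"
            enc = new EncryptionMethod(encName);
        }
        return enc;
    }

    /** Defensive check before an encryption flow: a method whose CEK length is
     *  unknown must not be used, otherwise the content key would be sized at 0 bits. */
    static void requireUsableForEncryption(EncryptionMethod enc) {
        if (enc.cekBitLength() == 0) {
            throw new IllegalStateException(
                "unknown CEK bit length for enc=" + enc.getName());
        }
    }

    public static void main(String[] args) {
        // Constructed sample value, as it would appear in client metadata under
        // e.g. "id_token_encrypted_response_enc".
        String enc = "A128GCM";

        EncryptionMethod raw = fromRawName(enc);
        EncryptionMethod reg = fromRegistry(enc);

        // Algorithm equality is by name, so the two objects compare equal even
        // though only one of them knows the CEK length.
        System.out.println("equal by name: " + raw.equals(reg));
        System.out.println("raw: " + raw.getName() + " cek=" + raw.cekBitLength());
        System.out.println("reg: " + reg.getName() + " cek=" + reg.cekBitLength());

        requireUsableForEncryption(reg); // passes
        requireUsableForEncryption(raw); // throws: this is the reported failure mode
    }
}
```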
Comments (5)
-
Thanks for the detailed report. We'll look at this now.
-
The bug has been confirmed, see commit 567b17e.
-
The bug got fixed in commit cb8e69c.
Expect a new SDK release to Maven Central later today.
Thanks for contributing!
-
- changed status to resolved
The fix was released as 4.13 to Maven Central (alongside other things).
Happy coding!