Explicit SSL support for non-servlet requests
HTTPRequest does not provide a means of setting SSL context or otherwise configuring for SSL outbound calls to the OP (at least not for non-servlet-based usage). The only way to achieve right now is to use HttpsUrlConnection's global default SSL socket factory, which is not acceptable if this code will be used outside of a vacuum.
Seeing as SSL is a requirement for the underlying OAuth2 spec, this seems like a REALLY big oversight.
Comments (8)
-
-
Without thoroughly reviewing the APIs, I hesitate, but off the top of my head, adding the following to HTTPRequest seems simple enough:
public HttpsURLConnection toHttpsURLConnection(SSLSocketFactory)
or
public HttpsURLConnection toHttpsURLConnection(SSLContext)
-
Thanks for getting back. We'll try to implement something along this lines. Stay tuned.
-
- changed status to open
-
Adds default & instance SSLSocketFactory and HostnameVerifier support to
HTTPRequest
, commit 5b4d2b9. -
- changed status to resolved
Hi Donald,
Explicit SSL support is now part of v4.17:
http://search.maven.org/#artifactdetails|com.nimbusds|oauth2-oidc-sdk|4.17|jar
-
Great! Thanks for the quick turnover.
-
You're welcome. If you find other problematic areas, let us know so we can continue improving the SDK.
- Log in to comment
This makes sense. Have you got any suggestion how the SSL context setting should look like?