Multiple resource parameters cause MessageDecodingException

Description

Our custom logic implemented for seems to only work with a single resource parameter. For both authorization and token request parsing, Nimbus only allows the resource parameter to contain multiple values: all the others (including any custom parameters) are allowed to have only one value. Otherwise Nimbus considers the message invalid.

I’ll file a separate bug ticket to Nimbus, but we need to implement the support for non-URI resource values differently. Currently we internally manipulate the resource parameter name into a custom one before handing it to the Nimbus parser, but a better solution seems to be that we prefix the resource values so that they become URIs that are accepted by Nimbus.

Environment

None

Activity

Henri Mikkonen, October 3, 2024 at 10:55 AM

Switched the approach from using a custom parameter name for resource to using a custom prefix for its values. The parameter values in authorization/authentication/token requests are now prefixed with urn:shibboleth.oidc.op.resource: before being fed to Nimbus for parsing. That makes the values fulfill the strict URI requirement. The lookup functions remove the prefixes before returning the parameter values.

Nimbus bug-ticket:

Fixed
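
The prefix-and-strip round trip described in the comment above, as an added example that is not the project's own code. The class and method names are hypothetical, and the `java.net.URI` check (absolute, no fragment, as RFC 8707 requires of a resource value) only stands in for the Nimbus parser, whose exact validation is an assumption here.

```java
import java.net.URI;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class ResourcePrefixExample {
    // Prefix quoted in the ticket comment.
    static final String PREFIX = "urn:shibboleth.oidc.op.resource:";
    static final String RESOURCE = "resource";

    // Returns a copy of the request parameters with every "resource" value
    // prefixed; all other parameters are left untouched.
    static Map<String, List<String>> prefixResources(Map<String, List<String>> params) {
        Map<String, List<String>> out = new LinkedHashMap<>(params);
        List<String> values = params.get(RESOURCE);
        if (values != null) {
            List<String> prefixed = new ArrayList<>();
            for (String v : values) {
                prefixed.add(PREFIX + v);
            }
            out.put(RESOURCE, prefixed);
        }
        return out;
    }

    // Lookup side: strip the prefix exactly once before returning the values,
    // so a client value that itself starts with the prefix survives intact.
    static List<String> lookupResources(List<URI> parsed) {
        List<String> out = new ArrayList<>();
        for (URI u : parsed) {
            String s = u.toString();
            out.add(s.startsWith(PREFIX) ? s.substring(PREFIX.length()) : s);
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample request: two resource values, one of them not a URI.
        Map<String, List<String>> params = new LinkedHashMap<>();
        params.put("client_id", List.of("demo-client"));
        params.put(RESOURCE, List.of("my-api", "https://rs.example.org/api"));

        List<URI> parsed = new ArrayList<>();
        for (String v : prefixResources(params).get(RESOURCE)) {
            URI u = URI.create(v); // stand-in for the strict parser (assumption)
            if (!u.isAbsolute() || u.getFragment() != null) throw new IllegalStateException(v);
            parsed.add(u);
        }
        System.out.println(parsed);                  // prefixed values as parsed
        System.out.println(lookupResources(parsed)); // original values restored
    }
}
```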

Created October 3, 2024 at 7:08 AM
Updated October 16, 2024 at 9:12 AM
Resolved October 16, 2024 at 9:12 AM