[GitHub] [james-project] vttranlina commented on a diff in pull request #1340: James 3755 OIDC check token by user info

[GitBox <gi...@apache.org>]

vttranlina commented on code in PR #1340:
URL: https://github.com/apache/james-project/pull/1340#discussion_r1037771559


##########
protocols/api/src/main/java/org/apache/james/protocols/api/OidcSASLConfiguration.java:
##########
@@ -43,9 +43,16 @@ public static OidcSASLConfiguration parse(HierarchicalConfiguration<ImmutableNod
         Preconditions.checkNotNull(scope, "`scope` property need to be specified inside the oidc tag");
 
         String introspectionUrl = configuration.getString("introspection.url", null);
+        String userInfoUrl = configuration.getString("userinfo.url", null);
+
+        Preconditions.checkArgument(userInfoUrl == null
+                || userInfoUrl.startsWith("http://127.0.0.1")

Review Comment:
   `"http://127.0.0.1"` just for test
   
   Normally, the userInfo endpoint should support TLS 
   ```
   Communication with the UserInfo Endpoint MUST utilize TLS. See Section 16.17 for more information on using TLS. 
   (https://openid.net/specs/openid-connect-core-1_0.html#UserInfo)
   ```
   
   but if it is a "internal request", should we accept HTTP?



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@james.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@james.apache.org
For additional commands, e-mail: notifications-help@james.apache.org