Open rksk opened 3 years ago
mefarazath
commented
3 years ago @janakamarasena @senthalan Will we ever need to allow leading space or trailing in any request parameters in the /oauth2/token request?
I am thinking rather than handling this specifically for the password grant, to remove leading and trailing whitespaces on all grant type params. WDYT?
senthalan
commented
3 years ago @janakamarasena @senthalan Will we ever need to allow leading space or trailing in any request parameters in the /oauth2/token request?
I am thinking rather than handling this specifically for the password grant, to remove leading and trailing whitespaces on all grant type params. WDYT? +1
And I think it is better to handle trimming the space in the server-side as well. I hope this method will be used by all the authenticators which handler the username input.
janakamarasena
commented
3 years ago +1 for the suggestions. We shouldn't need leading or trailing whitespace.
chamathns
commented
3 years ago Migara Pramod will work on this.
Describe the issue: If we invoke the password grant with whitespaces at the beginning or the end, the
subof the issued id_token contains the same username with whitespace while the real user on the userstore does not have whitespace in the username.The same issue is existing in the basic authenticator and we have avoided it by trimming the username in the authentication endpoint.
How to reproduce:
subin id_tokne will contain the same username whitespacesExpected behavior: The
subshould contain the correct username on the userstoreEnvironment information