Soffit data model, Bearer token can overflow buffer

Soffit data model, Bearer token can overflow buffer

Lauren Anderson

I don’t know if the Soffit data model is being used with the new web tokens being developed by others, but we’ve run into a problem with the Bearer token occasionally becoming too large and overflowing the buffer because the memberOf list in the attributes for some users has a lot of PAGS groups from the group membership store (in our case, Active Directory).

I think it would be better to keep the JWT relatively small. Looking at the code that builds the Authorization Header JWT, it includes username, attributes, groups, and expires. We can use calls to uPortal REST APIs to get username and attributes:

group-rest-controller: /groups
people-rest-controller: /people/{username}.json

We could just remove attributes and groups or maybe modify attributes to skip the memberOf attribute because it can get pretty big. What do you think?

Lauren

--
You received this message because you are subscribed to the Google Groups "uPortal Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
Visit this group at https://groups.google.com/a/apereo.org/group/uportal-dev/.
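
The size problem described in the message above, as an added example that is not part of the original post or of uPortal's code: it signs a token carrying the four fields named in the message, measures the resulting Authorization header against an assumed 8 KiB limit, and measures again with memberOf and groups dropped. The claim layout, key, sample DNs, function names and the limit are all assumptions; the thread does not say which buffer overflowed.

```python
import base64, hashlib, hmac, json

HEADER_BUDGET = 8192  # assumed header limit in bytes; the thread names no buffer size
KEY = b"constructed-demo-key-not-a-real-secret"  # constructed sample key

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign_hs256(claims: dict, key: bytes) -> str:
    """Build a compact HS256 JWS: header.payload.signature."""
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(sig)}"

def header_size(token: str) -> int:
    """Bytes of the whole 'Authorization: Bearer <token>' header line."""
    return len(f"Authorization: Bearer {token}\r\n".encode())

def trim_claims(claims: dict, drop_attrs=("memberOf",), keep_groups=False) -> dict:
    """Always keep username and expires; drop bulky attributes and, by default, groups."""
    out = {"username": claims["username"], "expires": claims["expires"]}
    out["attributes"] = {k: v for k, v in claims.get("attributes", {}).items()
                         if k not in drop_attrs}
    if keep_groups:
        out["groups"] = claims.get("groups", [])
    return out

def build_sample(n_groups: int) -> dict:
    # Constructed sample: DNs shaped like Active Directory memberOf values.
    dns = [f"CN=Course-{i:04d}-Students,OU=Groups,DC=example,DC=edu" for i in range(n_groups)]
    return {"username": "student1", "expires": 1541100000,
            "attributes": {"mail": ["student1@example.edu"], "memberOf": dns},
            "groups": [f"Course-{i:04d}-Students" for i in range(n_groups)]}

def report(n_groups: int) -> tuple:
    """Return (full size, trimmed size, full over budget?, trimmed over budget?)."""
    full = build_sample(n_groups)
    before = header_size(sign_hs256(full, KEY))
    after = header_size(sign_hs256(trim_claims(full), KEY))
    return before, after, before > HEADER_BUDGET, after > HEADER_BUDGET

if __name__ == "__main__":
    for n in (10, 100, 200):
        print(n, report(n))
```
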

Re: Soffit data model, Bearer token can overflow buffer

Christian Murphy
What version of uPortal is being run?
There were some improvements to soffits that came in uPortal 5.1.0, that may help resolve the issue.

Best Regards,

Christian Murphy

On Thu, Nov 1, 2018 at 2:39 PM Lauren Anderson <[hidden email]> wrote:

I don’t know if the Soffit data model is being used with the new web tokens being developed by others, but we’ve run into a problem with the Bearer token occasionally becoming too large and overflowing the buffer because the memberOf list in the attributes for some users has a lot of PAGS groups from the group membership store (in our case, Active Directory).

I think it would be better to keep the JWT relatively small. Looking at the code that builds the Authorization Header JWT, it includes username, attributes, groups, and expires. We can use calls to uPortal REST APIs to get username and attributes:

group-rest-controller: /groups
people-rest-controller: /people/{username}.json

We could just remove attributes and groups or maybe modify attributes to skip the memberOf attribute because it can get pretty big. What do you think?

Lauren


Re: Soffit data model, Bearer token can overflow buffer

Lauren Anderson

Sorry, my reply was probably confusing. We’re using 5.3.1 and we’re including the Bearer in the JWT, but all we need is the username. It might be helpful to allow finer control of the Bearer token. Username should probably always be included but maybe allow excluding user attributes or group affiliations. If no one else is requesting this, maybe no big deal.

Lauren

From: <[hidden email]> on behalf of Christian Murphy <[hidden email]>
Date: Thursday, November 1, 2018 at 3:59 PM
To: "[hidden email]" <[hidden email]>
Subject: Re: [uportal-dev] Soffit data model, Bearer token can overflow buffer

What version of uPortal is being run?

There were some improvements to soffits that came in uPortal 5.1.0, that may help resolve the issue.

Best Regards,

Christian Murphy


Re: Soffit data model, Bearer token can overflow buffer

Christian Murphy
It may be worth checking out the /v5-1/userinfo endpoint.
The userinfo endpoint is being leveraged by the uPortal webcomponents and the new form builder microservice for uPortal.
It's more flexible in terms of what custom claims can be added and includes the ability to filter user groups.

There was some informal discussion of making the userinfo endpoint the new base for soffits, not sure on the current status of that.

Best Regards,

Christian Murphy

On Fri, Nov 2, 2018 at 9:07 AM Lauren Anderson <[hidden email]> wrote:

Sorry, my reply was probably confusing. We’re using 5.3.1 and we’re including the Bearer in the JWT, but all we need is the username. It might be helpful to allow finer control of the Bearer token. Username should probably always be included but maybe allow excluding user attributes or group affiliations. If no one else is requesting this, maybe no big deal.

Lauren