As per https://tools.ietf.org/html/rfc7662#section-2.2 the `sub` key should
identify the resource owner in oauth2 introspection responses.
This change adds support for the `sub` key and will allow the introspection
response of RFC-compliant servers to be parsed.
Will still try `user_id` first as to not break backward compatibility.
* mitre/master: (153 commits)
removed old document PDFs from repo
check for missing refresh token value on refresh, closes#1242
removed unused field from UI config bean
fixed client readme file
Updated copyrights
Corrected typo
fixed unit test for new default redirect behavior
set redirect URI matching to strict by default
escaped output values on approval page, closes#1111
added changelog file
[maven-release-plugin] prepare for next development iteration
[maven-release-plugin] prepare release mitreid-connect-1.3.1
downgrade mysql dependency to GA version
Removed double 'sure'
fixed discovery endpoint, closes#1230
Completed end session endpoint
end session endpoint
skeleton of end session endpoint, maybe need a change to user info lookup
Fix psql_database script, replace SERIAL with BIGSERIAL and fix ...
[maven-release-plugin] prepare for next development iteration
...
RandomValueStringGenerator default constructor creates a code of length six only. The RFC 6819 (OAuth 2.0 Threat Model and Security Considerations) suggests (5.1.4.2.2. Use High Entropy for Secrets) that secrets that aren't used by humans (e.g. client secrets or token handles) have a reasonable level of enthropy. They propose a token lengths of at least 128 bits. Since the RandomValueStringGenerator only uses case sensitive alpha numeric symbols, 22 symbols are needed to achieve an enthropy >=128 bits.
Mark Janssen